microsoft / DirectXTK12

The DirectX Tool Kit (aka DirectXTK12) is a collection of helper classes for writing DirectX 12 code in C++
https://walbourn.github.io/directx-tool-kit-for-directx-12/
MIT License

Nuget package is not compiled with security protections #205

Closed msftmeason closed 5 months ago

msftmeason commented 5 months ago

As part of our build process, we are linking against the DirectXTex NuGet package. Recently, our infrastructure started running BinSkim to flag security issues (https://github.com/microsoft/binskim). BinSkim is flagging the following issues with DirectXTex:

##[warning]1. BinSkim Warning BA2004 - File: Out/UnitTests.exe.  
Tool: BinSkim: Rule: BA2004 (EnableSecureSourceCodeHashing). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2004EnableSecureSourceCodeHashing
'UnitTests.exe' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:
Microsoft (R) Optimizing Compiler : cxx : 19.16.27035.0 : DirectXTex.lib (BC.obj,BC4BC5.obj,BC6HBC7.obj,DirectXTexCompress.obj,DirectXTexConvert.obj,DirectXTexD3D12.obj,DirectXTexDDS.obj,DirectXTexImage.obj,DirectXTexMipmaps.obj,DirectXTexUtil.obj)
##[warning]2. BinSkim Warning BA2024 - File: Out/UnitTests.exe.  
Tool: BinSkim: Rule: BA2024 (EnableSpectreMitigations). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2024EnableSpectreMitigations
'UnitTests.exe' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.
The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:
DirectXTex.lib,cxx,19.16.27035.0 (BC.obj,BC4BC5.obj,BC6HBC7.obj,DirectXTexCompress.obj,DirectXTexConvert.obj,DirectXTexD3D12.obj,DirectXTexDDS.obj,DirectXTexImage.obj,DirectXTexMipmaps.obj,DirectXTexUtil.obj)

Could we get a NuGet release with these compiler switches added? Specifically, we need these flags for the ARM64 release.

In addition, I want to make sure the libs are compiled with the /SDL flag (in case our scan process did not get far enough along in the process to catch this in DirectXTex.lib). This was flagged on some of our other components. For more info, see BA2026 (https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-ba2026enablemicrosoftcompilersdlswitch).
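A CI gate over BinSkim's SARIF output for the three rules raised above (BA2004, BA2024, BA2026), mapping each finding back to the MSVC switch that resolves it. This is an added example, not code from the issue or from either project; the SARIF fragment is constructed to mirror the warnings in this report, and the `gate`/`findings_by_rule` names are my own.

```python
import json

# The rules from this issue and the cl.exe switch BinSkim's rule docs prescribe for each.
REQUIRED_FIX = {
    "BA2004": "/ZH:SHA_256",  # EnableSecureSourceCodeHashing (MD5 object hashes)
    "BA2024": "/Qspectre",    # EnableSpectreMitigations
    "BA2026": "/sdl",         # EnableMicrosoftCompilerSdlSwitch
}

# Constructed SARIF 2.1.0 fragment modelled on the issue's findings; not real BinSkim output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"results": [
        {"ruleId": "BA2004", "kind": "fail", "level": "warning",
         "message": {"text": "'UnitTests.exe' links DirectXTex.lib (BC.obj,...) hashed with MD5"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Out/UnitTests.exe"}}}]},
        {"ruleId": "BA2024", "kind": "fail", "level": "warning",
         "message": {"text": "'UnitTests.exe' has modules built without /Qspectre"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Out/UnitTests.exe"}}}]},
        # A passing result for an ungated rule: must be ignored by the gate.
        {"ruleId": "BA2021", "kind": "pass", "level": "none",
         "message": {"text": "'UnitTests.exe' does not have writable sections"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Out/UnitTests.exe"}}}]},
    ]}],
})


def findings_by_rule(sarif_text, rules=REQUIRED_FIX):
    """Return {ruleId: {artifact uri, ...}} for failing results on the gated rules only."""
    found = {}
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            rule = res.get("ruleId")
            # SARIF 2.1.0: kind defaults to "fail", level to "warning"; skip passes/notes.
            if rule not in rules or res.get("kind", "fail") != "fail" \
                    or res.get("level", "warning") not in ("warning", "error"):
                continue
            for loc in res.get("locations", []):
                uri = (loc.get("physicalLocation", {}).get("artifactLocation", {})
                          .get("uri", "<unknown>"))
                found.setdefault(rule, set()).add(uri)
    return found


def gate(sarif_text):
    """Return (passed, report_lines); the build fails when any gated rule fires."""
    found = findings_by_rule(sarif_text)
    report = [f"{rule} on {uri}: rebuild with {REQUIRED_FIX[rule]}"
              for rule in sorted(found) for uri in sorted(found[rule])]
    return (not found, report)


if __name__ == "__main__":
    ok, lines = gate(SAMPLE_SARIF)
    print("\n".join(lines) or "no findings")
    raise SystemExit(0 if ok else 1)
```

Point it at the SARIF file BinSkim writes in your pipeline; the exit code makes the missing switches a build break rather than a log warning.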

walbourn commented 5 months ago

A better solution than NuGet is to use the VCPKG manager so you can better control/match which toolset is used to build the code. The VCPKG port for directxtex also includes a build feature to enable Spectre mitigation.

That said, recent NuGet packages for DirectXTex already include variants of the library built with Spectre, and I have been using /ZH:SHA_256 for a while, so try a more recent build.

walbourn commented 5 months ago

For reference, see https://github.com/microsoft/DirectXTex/pull/295

walbourn commented 5 months ago

Also, note that this project is for DirectX Tool Kit, not DirectXTex. See https://github.com/microsoft/DirectXTex/