Closed msftmeason closed 5 months ago
A better solution than NuGet is to use the VCPKG manager so you can better control/match which toolset is used to build the code. The VCPKG port for directxtex also includes a build feature to enable Spectre mitigation.
That said, recent NuGet packages for DirectXTex already include variants of the library built with Spectre, and I have been using /ZH:SHA_256 for a while, so try a more recent build.
For reference, see https://github.com/microsoft/DirectXTex/pull/295
Also, note that this project is for DirectX Tool Kit, not DirectXTex. See https://github.com/microsoft/DirectXTex/
As part of our build process, we are linking against the DirectXTex NuGet package. Recently, our infrastructure started running BinSkim to flag security issues (https://github.com/microsoft/binskim). BinSkim is flagging the following issues with DirectXTex:
Could we get a NuGet release with these compiler switches added? Specifically, we need these flags for the ARM64 release.
In addition, I want to make sure the libs are compiled with the /SDL flag (in case our scan process did not get far enough along in the process to catch this in DirectXTex.lib). This was flagged on some of our other components. For more info, see BA2026 (https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-ba2026enablemicrosoftcompilersdlswitch).