BinSkim warning BA2024 in react-native-win32.dll during publish

[jonthysell]

Problem Description

We've been getting the following warning in Publish runs:

##[warning]1. BinSkim Warning BA2024 - File: vnext/target/x64/Release/React.Windows.Desktop.DLL/react-native-win32.dll.  
Signature: 9a6848a3b14b3b29e072d292a2bde84ebf0770d22a182473d5e936e8f614d042
Tool: BinSkim: Rule: BA2024 (EnableSpectreMitigations). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2024EnableSpectreMitigations
'react-native-win32.dll' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.
The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:
MSVCRT.lib,cxx,19.42.34321.1 (argv_mode.obj,default_local_stdio_options.obj,delete_array.obj,delete_array_size.obj,delete_scalar.obj,delete_scalar_size.obj,dll_dllmain.obj,dll_dllmain_stub.obj,ehvecctr.obj,ehvecdtr.obj,fltused.obj,gshandler.obj,gshandlereh4.obj,initializers.obj,initsect.obj,new_array.obj,new_scalar.obj,new_scalar_nothrow.obj,std_nothrow.obj,std_type_info_static.obj,thread_safe_statics.obj,throw_bad_alloc.obj,tlsdyn.obj,tlssup.obj,tncleanup.obj,ucrt_stubs.obj,utility.obj,utility_desktop.obj)
MSVCRT.lib,c,19.42.34321.1 (cpu_disp.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,ucrt_detection.obj)
msvcprt.lib,cxx,19.42.34321.1 (charconv.obj,filesystem.obj,locale0_implib.obj,sharedmutex.obj,syserror_import_lib.obj,vector_algorithms.obj,xonce2.obj)
Delayimp.lib,cxx,19.42.34321.1 (delaygv1.obj,delayhk1.obj,delayhk2.obj,delayhlp.obj)
vcruntime.lib,cxx,19.42.34321.1 (softmemtag.obj)

It doesn't block our publish.

Steps To Reproduce

See Publish log: https://dev.azure.com/microsoft/ReactNative/_build/results?buildId=113750485&view=logs&j=70c3b8d5-ae77-5f63-2310-e2a7f8d2d462&t=f0ee8cd7-edaa-50c8-9649-a6d1129a84d4&l=60

Expected Results

No response

CLI version

15.0.0-alpha.2

Environment

info Fetching system and libraries information...
System:
  OS: Windows 11 10.0.26100
  CPU: "(24) x64 AMD Ryzen Threadripper PRO 3945WX 12-Cores     "
  Memory: 46.11 GB / 63.86 GB
Binaries:
  Node:
    version: 18.18.0
    path: C:\Program Files\nodejs\node.EXE
  Yarn:
    version: 1.22.22
    path: C:\Program Files (x86)\Yarn\bin\yarn.CMD
  npm:
    version: 9.8.1
    path: C:\Program Files\nodejs\npm.CMD
  Watchman: Not Found
SDKs:
  Android SDK: Not Found
  Windows SDK:
    AllowDevelopmentWithoutDevLicense: Enabled
    AllowAllTrustedApps: Enabled
    Versions:
      - 10.0.19041.0
      - 10.0.22621.0
IDEs:
  Android Studio: Not Found
  Visual Studio:
    - 17.12.35309.182 (Visual Studio Enterprise 2022)
    - 17.12.35514.174 (Visual Studio Enterprise 2022)
Languages:
  Java: Not Found
  Ruby: Not Found
npmPackages:
  "@react-native-community/cli": Not Found
  react: Not Found
  react-native: Not Found
  react-native-windows: Not Found
npmGlobalPackages:
  "*react-native*": Not Found
Android:
  hermesEnabled: Not found
  newArchEnabled: Not found
iOS:
  hermesEnabled: Not found
  newArchEnabled: Not found

Community Modules

No response

Target Platform Version

10.0.22621

Target Device(s)

Desktop

Visual Studio Version

Visual Studio 2022

Build Configuration

Release

Snack, code example, screenshot, or link to a repository

No response

[similar-issues-ai]

We've found some similar issues:

• BinSkim Error BA2007 in react-native-win32.dll #14251 , similarity score: 89%

If any of the above are duplicates, please consider closing this issue out and adding additional context in the original issue.

Note: You can give me feedback by 👍 or 👎 this comment.

[jonthysell]

In researching this issue, I found there's an issue with BinSkim not detecting the parameters in (release) builds, see microsoft/binskim#288.

The recommended resolution is to make sure you have /Zi /Qspectre when compiling your library, which we do enable in React.Cpp.props:

react-native-windows/vnext/PropertySheets/React.Cpp.props

Line 131 in 436981b

<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>

react-native-windows/vnext/PropertySheets/React.Cpp.props

Line 136 in 436981b

<SpectreMitigation>Spectre</SpectreMitigation>

So I'm not sure what the problem is.

[jonthysell]

It's possible we're missing this in the linker, which is why it's reporting. @vmoroz?