Labels: Area: Compliance; External (Issue tracked in this repo but change will need to happen in another repo); Workstream: ES Compliance SFI (Provide regular ES infrastructure and ensure RNW meets internal security and compliance requirements); bug
Description
Problem Description
We've been getting the following warning in Publish runs:
##[warning]1. BinSkim Warning BA2024 - File: vnext/target/x64/Release/React.Windows.Desktop.DLL/react-native-win32.dll.
Signature: 9a6848a3b14b3b29e072d292a2bde84ebf0770d22a182473d5e936e8f614d042
Tool: BinSkim: Rule: BA2024 (EnableSpectreMitigations). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2024EnableSpectreMitigations
'react-native-win32.dll' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.
The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:
MSVCRT.lib,cxx,19.42.34321.1 (argv_mode.obj,default_local_stdio_options.obj,delete_array.obj,delete_array_size.obj,delete_scalar.obj,delete_scalar_size.obj,dll_dllmain.obj,dll_dllmain_stub.obj,ehvecctr.obj,ehvecdtr.obj,fltused.obj,gshandler.obj,gshandlereh4.obj,initializers.obj,initsect.obj,new_array.obj,new_scalar.obj,new_scalar_nothrow.obj,std_nothrow.obj,std_type_info_static.obj,thread_safe_statics.obj,throw_bad_alloc.obj,tlsdyn.obj,tlssup.obj,tncleanup.obj,ucrt_stubs.obj,utility.obj,utility_desktop.obj)
MSVCRT.lib,c,19.42.34321.1 (cpu_disp.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,ucrt_detection.obj)
msvcprt.lib,cxx,19.42.34321.1 (charconv.obj,filesystem.obj,locale0_implib.obj,sharedmutex.obj,syserror_import_lib.obj,vector_algorithms.obj,xonce2.obj)
Delayimp.lib,cxx,19.42.34321.1 (delaygv1.obj,delayhk1.obj,delayhk2.obj,delayhlp.obj)
vcruntime.lib,cxx,19.42.34321.1 (softmemtag.obj)
It doesn't block our publish.
Steps To Reproduce
Expected Results
No response
CLI version
15.0.0-alpha.2
Environment
info Fetching system and libraries information...
System:
  OS: Windows 11 10.0.26100
  CPU: "(24) x64 AMD Ryzen Threadripper PRO 3945WX 12-Cores "
  Memory: 46.11 GB / 63.86 GB
Binaries:
  Node:
    version: 18.18.0
    path: C:\Program Files\nodejs\node.EXE
  Yarn:
    version: 1.22.22
    path: C:\Program Files (x86)\Yarn\bin\yarn.CMD
  npm:
    version: 9.8.1
    path: C:\Program Files\nodejs\npm.CMD
  Watchman: Not Found
SDKs:
  Android SDK: Not Found
  Windows SDK:
    AllowDevelopmentWithoutDevLicense: Enabled
    AllowAllTrustedApps: Enabled
    Versions:
      - 10.0.19041.0
      - 10.0.22621.0
IDEs:
  Android Studio: Not Found
  Visual Studio:
    - 17.12.35309.182 (Visual Studio Enterprise 2022)
    - 17.12.35514.174 (Visual Studio Enterprise 2022)
Languages:
  Java: Not Found
  Ruby: Not Found
npmPackages:
  "@react-native-community/cli": Not Found
  react: Not Found
  react-native: Not Found
  react-native-windows: Not Found
npmGlobalPackages:
  "*react-native*": Not Found
Android:
  hermesEnabled: Not found
  newArchEnabled: Not found
iOS:
  hermesEnabled: Not found
  newArchEnabled: Not found
Community Modules
No response
Target Platform Version
10.0.22621
Target Device(s)
Desktop
Visual Studio Version
Visual Studio 2022
Build Configuration
Release
Snack, code example, screenshot, or link to a repository
No response
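The BA2024 warning above lists only CRT and STL object files (MSVCRT.lib, msvcprt.lib, vcruntime.lib, Delayimp.lib), which are fixed not by editing source but by linking the Spectre-mitigated copies of those libraries. As an added illustration (not a file from the react-native-windows repository), this Directory.Build.props shows the weak setting that produces the warning beside the corrected one; it assumes the vcxproj files below it do not override SpectreMitigation in their own Configuration PropertyGroup, and that the "MSVC Spectre-mitigated libs" component is installed in Visual Studio.

```xml
<!-- Directory.Build.props placed at the repository root (example, not RNW's own file).
     MSBuild imports it automatically for every project beneath this directory. -->
<Project>

  <!-- Weak setting: this is the default when the property is unset. cl.exe is not
       given /Qspectre and $(LibraryPath) points at the plain lib\x64 directories,
       so the CRT objects named in the BinSkim warning are linked in unmitigated. -->
  <!--
  <PropertyGroup>
    <SpectreMitigation>false</SpectreMitigation>
  </PropertyGroup>
  -->

  <!-- Corrected setting: the toolset adds /Qspectre to every cl.exe invocation and
       redirects $(LibraryPath) to the lib\spectre\... directories, so MSVCRT.lib,
       msvcprt.lib and vcruntime.lib are resolved to their mitigated builds.
       Applied to all configurations here; BinSkim in this issue scans Release. -->
  <PropertyGroup>
    <SpectreMitigation>Spectre</SpectreMitigation>
  </PropertyGroup>

</Project>
```

If the mitigated libraries are not installed, the build fails with a missing-library error rather than silently falling back, which is the check that the setting actually took effect.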