Enable spectre mitigations for ANCM binaries #63725
Pull Request Overview
This PR enables Spectre mitigations for all ASP.NET Core Module (ANCM) binaries to address BinSkim security alerts. Spectre mitigations help protect against side-channel attacks by adding compiler-generated security hardening.
- Adds the /Qspectre compiler flag to existing security options across all ANCM project files
- Updates both individual project files and common build configuration
- Maintains existing Control Flow Guard (/guard:cf) protections while adding Spectre mitigations
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| OutOfProcessRequestHandler.vcxproj | Adds /Qspectre flag to out-of-process request handler compilation options |
| InProcessRequestHandler.vcxproj | Adds /Qspectre flag to in-process request handler compilation options |
| AspNetCore.vcxproj | Adds /Qspectre flag to main ASP.NET Core module compilation options |
| common.props | Adds /Qspectre flag to shared build settings for installer components |
| aspnetcoreCA.vcxproj | Adds /Qspectre flag to custom action compilation options |
From Liquid, seems there's a specific property for it:
But I tried that in a vanilla C++ project and it didn't seem to work, so fine.
danmoseley left a comment
The binskim bugs only relate to aspnetcorev2.dll and its _outofprocess variant. Not sure all of these are needed, but also seems reasonable to add to all.
Couldn't hurt to add the property as well - I'll do that too
This reverts commit b573d8a.
/backport to release/10.0
Started backporting to release/10.0: https://github.com/dotnet/aspnetcore/actions/runs/17843652108
Fixes binskim alerts
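
To keep the flags described in the overview from regressing, a build check can audit each project file's ClCompile options. The following is an added example, not code from this pull request or the aspnetcore repository; the sample project fragments are constructed, and `audit_project` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("/Qspectre", "/guard:cf")  # flags named in the PR overview
NS = '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">'

# Constructed project fragments for illustration, not the repository's files.
SAMPLES = {
    "Hardened.vcxproj": NS + """
  <ItemDefinitionGroup><ClCompile>
    <AdditionalOptions>/guard:cf /Qspectre %(AdditionalOptions)</AdditionalOptions>
  </ClCompile></ItemDefinitionGroup></Project>""",
    "ReleaseGap.vcxproj": NS + """
  <ItemDefinitionGroup Condition="'$(Configuration)'=='Debug'"><ClCompile>
    <AdditionalOptions>/guard:cf /Qspectre %(AdditionalOptions)</AdditionalOptions>
  </ClCompile></ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)'=='Release'"><ClCompile>
    <AdditionalOptions>/guard:cf %(AdditionalOptions)</AdditionalOptions>
  </ClCompile></ItemDefinitionGroup></Project>""",
    "NoOptions.vcxproj": NS + """
  <ItemDefinitionGroup><ClCompile>
    <WarningLevel>Level4</WarningLevel>
  </ClCompile></ItemDefinitionGroup></Project>""",
}

def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit_project(xml_text):
    """Return [(condition, missing_flags)] for ClCompile blocks lacking a flag."""
    findings = []
    for group in ET.fromstring(xml_text).iter():
        if _local(group.tag) != "ItemDefinitionGroup":
            continue
        cond = group.get("Condition", "<unconditional>")
        for cl in (e for e in group if _local(e.tag) == "ClCompile"):
            opts = " ".join(c.text or "" for c in cl
                            if _local(c.tag) == "AdditionalOptions")
            tokens = set(opts.split())  # exact match: MSVC options are case-sensitive
            missing = [f for f in REQUIRED if f not in tokens]
            if missing:
                findings.append((cond, missing))
    return findings

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        for cond, missing in audit_project(xml_text):
            print(f"{name} [{cond}]: missing {' '.join(missing)}")
```

The check reads one file at a time and does not follow imports, so a project that inherits its flags from a shared props file is reported as missing them and needs the props file audited alongside it.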