microsoft/hermes-windows

hermes.dll is not compatible with PkgESSecComp@10 (CfgChk + CheckCFlags2) analysis

nichamp opened this issue · 1 comments

Bug Description

PkgESSecComp@10 is required for many internal pipelines for compliance to ensure the most appropriate flags are set when compiling binaries.

Currently, when the pipeline task runs on hermes.dll (with hermes.pdb downloaded from the symbol server), PkgESSecComp flags several issues:

Example: Pipeline Run

CfgChk fails to analyze the binary entirely due to BB0042: There is no fixup debug information in the image 'D:\a\_work\1\b\Native\hermes.dll'. Please link with /DEBUGTYPE:CV,FIXUP.

CheckCFlags2 runs but files a bug for CCF0904, indicating that the compiler arguments are stripped from the PDB, so it cannot actually analyze them without building the objects with /Z7 and /debug:full. (It also raised CCF1010, but C++ exports are clearly expected with the JSI, so this would be baselined.)

I have been told that addressing the issue with symbol information is also a requirement for SBOM tooling to process the binaries so multiple compliance tools require these fixes.

The Expected Behavior

Given symbols, hermes.dll should have the right flags set at compilation time such that analysis tooling such as CfgChk and CheckCFlags2 can process the binary. Ideally it would also pass CfgChk and CheckCFlags2 for security reasons, but I expect that is likely not possible with Hermes for reasons like performance or code size, so some issues, such as CCF1010, would need to be baselined.

(Regarding symbols, given they are not included in the NuGet package, any pipeline consuming hermes.dll has the additional step of using symchk (or equivalent) to download them, so it would also be ideal if symbols were included in the main NuGet package or in a separate one.)

Resolved by #73
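The flags the two tools ask for, expressed as an added CMake fragment for MSVC builds. This is an illustrative example, not hermes-windows' own build configuration or the change made in #73; the target name `hermes` (the shared library that becomes hermes.dll) and the use of `target_link_options` (CMake 3.13 or newer) are assumptions.

```cmake
# Added example, not the project's build script. Assumes a target named `hermes`.
if(MSVC)
  # /Z7 embeds full CodeView debug information in each object file, including the
  # recorded compiler command line. CheckCFlags2 reads those records out of the PDB;
  # the issue reports CCF0904 when they are absent.
  target_compile_options(hermes PRIVATE /Z7)

  # /DEBUG:FULL produces a complete PDB (not a /DEBUG:FASTLINK partial one), and
  # /DEBUGTYPE:CV,FIXUP keeps the CodeView records and adds the fixup (relocation)
  # records that CfgChk needs; without FIXUP it stops with BB0042 before analyzing.
  # /DEBUGTYPE has no effect unless /DEBUG is also given.
  target_link_options(hermes PRIVATE /DEBUG:FULL /DEBUGTYPE:CV,FIXUP)
endif()
```

One caveat: CMake's default Debug flags for MSVC add /Zi, and passing /Z7 on top of that makes cl.exe warn that one option overrides the other. With CMake 3.25 or newer, the cleaner route is to set `CMAKE_MSVC_DEBUG_INFORMATION_FORMAT` to `Embedded` (which selects /Z7 for every configuration) instead of adding /Z7 by hand.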