Skip to content

BA2004 EnableSecureSourceCodeHashing is triggered for code that links against msvcmrt.lib #1117

Description

@mikamins

My team in Azure Storage is hitting a BinSkim violation for our C++/CLI binaries. The problematic module is the native/managed CRT (msvcmrt.lib). Is there a version of this library that we can link against to comply with Azure security policy?

BA2004: EnableSecureSourceCodeHashing

'myCppCliProject.dll' is a native binary that links one or more static libraries that include
object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject
to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256'
on the cl.exe command-line to enable secure source code hashing. The following modules
are out of policy: 
Microsoft (R) Optimizing Compiler : cxx : 19.44.35207.1 : msvcmrt.lib (mehvecctr.obj)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions