From 1445b6fdb726cb2edeec88889cd4762119c3cb51 Mon Sep 17 00:00:00 2001
From: Wenbing Li <10278425+wenbingl@users.noreply.github.com>
Date: Wed, 22 Feb 2023 09:33:04 -0800
Subject: [PATCH] Fix the current valid binSkim error and warnings. (#363)

* add qspectre check

* more fixing

* partially enable /sdl scan

* Update CMakeLists.txt

Co-authored-by: Edward Chen <18449977+edgchen1@users.noreply.github.com>

---------

Co-authored-by: Edward Chen <18449977+edgchen1@users.noreply.github.com>
---
 .pipelines/OneBranch.Official.yml    |  4 ++--
 .pipelines/OneBranch.PullRequest.yml |  4 ++--
 CMakeLists.txt                       | 24 +++++++++++++++++++++
 cmake/externals/opencv-no-rtti.patch | 31 +++++++++++++++++++++++++---
 4 files changed, 56 insertions(+), 7 deletions(-)

diff --git a/.pipelines/OneBranch.Official.yml b/.pipelines/OneBranch.Official.yml
index bcc12d1f..ef5ac027 100644
--- a/.pipelines/OneBranch.Official.yml
+++ b/.pipelines/OneBranch.Official.yml
@@ -44,7 +44,7 @@ extends:
       tsa:
         enabled: true
       binskim:
-        break: false # always break the build on binskim issues in addition to TSA upload
+        break: true # always break the build on binskim issues in addition to TSA upload
         analyzeTargetGlob: '**\RelWithDebInfo\ortextensions.dll'  # avoid scanning the 3rd party DLLs.
       codeql:
         python:
@@ -62,7 +62,7 @@ extends:
         
         variables:
           ob_outputDirectory: '$(REPOROOT)\out'
-          ob_sdl_binskim_break: false
+          ob_sdl_binskim_break: true
         steps:
         - script: |
             @echo off
diff --git a/.pipelines/OneBranch.PullRequest.yml b/.pipelines/OneBranch.PullRequest.yml
index ed1430e5..06b9c22c 100644
--- a/.pipelines/OneBranch.PullRequest.yml
+++ b/.pipelines/OneBranch.PullRequest.yml
@@ -45,7 +45,7 @@ extends:
       tsa:
         enabled: false
       binskim:
-        break: false # always break the build on binskim issues in addition to TSA upload
+        break: true # always break the build on binskim issues in addition to TSA upload
         analyzeTargetGlob: '**\RelWithDebInfo\ortextensions.dll'  # avoid scanning the 3rd party DLLs.
       codeql:
         python:
@@ -63,7 +63,7 @@ extends:
 
         variables:
           ob_outputDirectory: '$(REPOROOT)\out'
-          ob_sdl_binskim_break: false
+          ob_sdl_binskim_break: true
         steps:
         - script: |
             @echo off
diff --git a/CMakeLists.txt b/CMakeLists.txt
index e883c91c..35f3c24b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -77,6 +77,13 @@ function(disable_all_operators)
   set(OCOS_ENABLE_VISION OFF CACHE INTERNAL "" FORCE)
 endfunction()
 
+if (CMAKE_GENERATOR_PLATFORM)
+  # Multi-platform generator
+  set(ocos_target_platform ${CMAKE_GENERATOR_PLATFORM})
+else()
+  set(ocos_target_platform ${CMAKE_SYSTEM_PROCESSOR})
+endif()
+
 if(NOT CC_OPTIMIZE)
   message("!!!THE COMPILER OPTIMIZATION HAS BEEN DISABLED, DEBUG-ONLY!!!")
   string(REGEX REPLACE "([\-\/]O[123])" "" CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_RELWITHDEBINFO}")
@@ -94,6 +101,12 @@ if(NOT CC_OPTIMIZE)
 endif()
 
 if (MSVC)
+  check_cxx_compiler_flag(-sdl HAS_SDL)
+  check_cxx_compiler_flag(-Qspectre HAS_QSPECTRE)
+  if (HAS_QSPECTRE)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /Qspectre")
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /Qspectre")
+  endif()
   set(CMAKE_EXE_LINKER_FLAGS  "${CMAKE_EXE_LINKER_FLAGS} /DYNAMICBASE")
   check_cxx_compiler_flag(-guard:cf HAS_GUARD_CF)
   if (HAS_GUARD_CF)
@@ -329,6 +342,10 @@ endif()
 add_compile_options("$<$<C_COMPILER_ID:MSVC>:/utf-8>")
 add_compile_options("$<$<CXX_COMPILER_ID:MSVC>:/utf-8>")
 add_library(ocos_operators STATIC ${TARGET_SRC})
+# TODO: need to address the SDL warnings happens on custom operator code.
+# if (HAS_SDL)
+#   target_compile_options(ocos_operators PRIVATE "/sdl")
+# endif()
 set_target_properties(ocos_operators PROPERTIES FOLDER "operators")
 
 # filter out any files in ${TARGET_SRC} which don't have prefix of ${PROJECT_SOURCE_DIR} before calling source_group
@@ -460,6 +477,9 @@ if(NOT OCOS_ENABLE_STATIC_LIB AND CMAKE_SYSTEM_NAME STREQUAL "Emscripten")
   endif()
 else()
   add_library(ortcustomops STATIC ${shared_TARGET_LIB_SRC})
+  if (HAS_SDL)
+    target_compile_options(ortcustomops PRIVATE "/sdl")
+  endif()
   add_library(onnxruntime_extensions ALIAS ortcustomops)
   standardize_output_folder(ortcustomops)
   set(_BUILD_SHARED_LIBRARY TRUE)
@@ -490,6 +510,10 @@ if(_BUILD_SHARED_LIBRARY)
     "$<TARGET_PROPERTY:ortcustomops,INTERFACE_INCLUDE_DIRECTORIES>")
   target_link_libraries(extensions_shared PRIVATE ortcustomops)
   set_target_properties(extensions_shared PROPERTIES OUTPUT_NAME "ortextensions")
+  if(MSVC AND ocos_target_platform MATCHES "x86|x64")
+    target_link_options(extensions_shared PRIVATE "/CETCOMPAT")
+  endif()
+
 endif()
 
 if(OCOS_BUILD_PYTHON)
diff --git a/cmake/externals/opencv-no-rtti.patch b/cmake/externals/opencv-no-rtti.patch
index b275eff4..487f9296 100644
--- a/cmake/externals/opencv-no-rtti.patch
+++ b/cmake/externals/opencv-no-rtti.patch
@@ -1,5 +1,30 @@
+diff --git a/3rdparty/libjpeg-turbo/CMakeLists.txt b/3rdparty/libjpeg-turbo/CMakeLists.txt
+index 3c7f29b08e..066ea4e545 100644
+--- a/3rdparty/libjpeg-turbo/CMakeLists.txt
++++ b/3rdparty/libjpeg-turbo/CMakeLists.txt
+@@ -67,7 +67,7 @@ set(JPEG_LIB_VERSION "${VERSION}-${JPEG_LIB_VERSION}" PARENT_SCOPE)
+ set(THREAD_LOCAL "")  # WITH_TURBOJPEG is not used
+ 
+ if(MSVC)
+-  add_definitions(-W3 -wd4996 -wd4018)
++  add_definitions(-W3)
+ endif()
+ 
+ if(WIN32)
+diff --git a/3rdparty/zlib/CMakeLists.txt b/3rdparty/zlib/CMakeLists.txt
+index 9758861a6b..9e654ba922 100644
+--- a/3rdparty/zlib/CMakeLists.txt
++++ b/3rdparty/zlib/CMakeLists.txt
+@@ -81,7 +81,6 @@ set_target_properties(${ZLIB_LIBRARY} PROPERTIES DEFINE_SYMBOL ZLIB_DLL)
+ 
+ ocv_warnings_disable(CMAKE_C_FLAGS -Wshorten-64-to-32 -Wattributes -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wshift-negative-value
+     -Wundef  # _LFS64_LARGEFILE is not defined
+-    /wd4267  # MSVS 2015 (x64) + zlib 1.2.11
+     -Wimplicit-fallthrough
+ )
+ 
 diff --git a/CMakeLists.txt b/CMakeLists.txt
-index d95e5db1..db185453 100644
+index d95e5db163..db185453df 100644
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
 @@ -617,11 +617,6 @@ endif()
@@ -15,7 +40,7 @@ index d95e5db1..db185453 100644
  
  ocv_cmake_hook(POST_COMPILER_OPTIONS)
 diff --git a/modules/core/include/opencv2/core/ocl.hpp b/modules/core/include/opencv2/core/ocl.hpp
-index 4503fa00..642b0508 100644
+index 4503fa00dd..642b0508d0 100644
 --- a/modules/core/include/opencv2/core/ocl.hpp
 +++ b/modules/core/include/opencv2/core/ocl.hpp
 @@ -302,21 +302,6 @@ public:
@@ -41,7 +66,7 @@ index 4503fa00..642b0508 100644
      inline Impl* getImpl() const { return (Impl*)p; }
      inline bool empty() const { return !p; }
 diff --git a/modules/core/src/ocl_disabled.impl.hpp b/modules/core/src/ocl_disabled.impl.hpp
-index a217979a..0ba30d02 100644
+index a217979a1e..0ba30d024c 100644
 --- a/modules/core/src/ocl_disabled.impl.hpp
 +++ b/modules/core/src/ocl_disabled.impl.hpp
 @@ -177,11 +177,6 @@ void* Context::getOpenCLContextProperty(int /*propertyId*/) const { OCL_NOT_AVAI