Compile native libraries with security mitigations

[petrroll]

Hi, it seems the included native libraries are compiled without some security mitigations s.a. control flow guard.

 ##[error]4. BinSkim Error BA2008 -XXX/net9.0/runtimes/win-arm64/native/libzstd.dll.  
Signature: fed33d15f202d6c830d9059685fa93cc59105ea075cf57abf287593d444ce222
Tool: BinSkim: Rule: BA2008 (EnableControlFlowGuard). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2008EnableControlFlowGuard
'libzstd.dll' does not enable the control flow guard (CFG) mitigation.
To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG.
For VC projects use ItemDefinitionGroup - ClCompile - ControlFlowGuard property with 'Guard' value, link CFG property will be set automatically.

Same for all other native libraries in the package (z4, ...)

Would it be possible to rectify?

[neuecc]

Thank you.
We build the library in GitHub Actions in a mostly visible manner.
https://github.com/Cysharp/NativeCompressions/blob/main/.github/workflows/build-native-zstd.yaml
Also, we keep the build command as simple as possible, just "make lib-release", to avoid any changes from the original make.
I'm not familiar with security scanning so I don't know, but what about the normally built zstd and lz4 (such as those prebuilt on the official sites)?
If that's the case, is this an issue that actually needs to be fixed in the first place?
In principle, we want to avoid specifying parameters that deviate significantly from the original make.

[petrroll]

I can see that for arm64 win you're not using the lib's MAKE but invoking compiler directly: https://github.com/Cysharp/NativeCompressions/blob/a8f65508eda3aa6fd6ccb2336b30ac3f5fe577d7/.github/workflows/build-native-lz4.yaml#L150C1-L159C1 is that correct?

[neuecc]

Thanks for checking, indeed!
This is probably my mistake, I think.
It's likely a remnant from when I was going through trial and error with ARM builds, I'll fix it.