From dd8190f329556a250446039977c39ddfbcb1fa4a Mon Sep 17 00:00:00 2001
From: Gaurav Sharma
Date: Wed, 5 Nov 2025 06:43:05 +0000
Subject: [PATCH 1/2] FEAT: Added Security Compiler Options in CMake

---
 mssql_python/pybind/CMakeLists.txt | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/mssql_python/pybind/CMakeLists.txt b/mssql_python/pybind/CMakeLists.txt
index 489dfd45..8d543eb1 100644
--- a/mssql_python/pybind/CMakeLists.txt
+++ b/mssql_python/pybind/CMakeLists.txt
@@ -6,6 +6,23 @@ set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)
 
 if (MSVC)
+ # Security compiler options for OneBranch compliance
+ add_compile_options(
+ /GS # Buffer security check - detects buffer overruns
+ /guard:cf # Control Flow Guard - protects against control flow hijacking
+ )
+
+ add_link_options(
+ /DYNAMICBASE # ASLR - Address Space Layout Randomization
+ /NXCOMPAT # DEP - Data Execution Prevention
+ /GUARD:CF # Control Flow Guard (linker)
+ )
+
+ # SAFESEH only for x86 (32-bit) builds
+ if(CMAKE_SIZEOF_VOID_P EQUAL 4) # 32-bit
+ add_link_options(/SAFESEH) # Safe Structured Exception Handling
+ endif()
+
 # Enable PDB generation for all target types
 add_compile_options("$<$:/Zi>")
 add_link_options("$<$:/DEBUG /OPT:REF /OPT:ICF>")

From b9cd6999609816f9abc1e33c2fd55c06ea9ef4f8 Mon Sep 17 00:00:00 2001
From: Gaurav Sharma
Date: Wed, 5 Nov 2025 06:57:35 +0000
Subject: [PATCH 2/2] verbose

---
 mssql_python/pybind/CMakeLists.txt | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/mssql_python/pybind/CMakeLists.txt b/mssql_python/pybind/CMakeLists.txt
index 8d543eb1..0433f9b6 100644
--- a/mssql_python/pybind/CMakeLists.txt
+++ b/mssql_python/pybind/CMakeLists.txt
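Review bot: The new MSVC branch spells out /DYNAMICBASE and /NXCOMPAT but leaves 64-bit high-entropy ASLR to the linker default, which is the one hardening bit a PE scanner checks that this hunk does not make explicit; the existing SAFESEH check is the natural place for it, e.g. `if(CMAKE_SIZEOF_VOID_P EQUAL 4) … else() add_link_options(/HIGHENTROPYVA) endif()`. Hardening is applied only under `if (MSVC)`, so the non-MSVC toolchains this file handles after `# Detect platform` (outside the hunk) build the same extension with no counterpart; on Linux the equivalent would be `add_compile_options(-fstack-protector-strong)` plus `add_link_options(-Wl,-z,relro,-z,now)`, with the `-z` options gated to ELF/GNU-ld since the macOS linker does not accept them. The added add_compile_options()/add_link_options() calls are directory-scoped and will also reach any target created later in this directory or its subdirectories, which is presumably intended for a hardening baseline but deserves a one-line comment saying so. The `if (MSVC)` block opened here closes outside this hunk.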
@@ -5,8 +5,13 @@ project(ddbc_bindings)
 set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)
 
+# Enable verbose output to see actual compiler/linker commands
+set(CMAKE_VERBOSE_MAKEFILE ON CACHE BOOL "Verbose output" FORCE)
+
 if (MSVC)
 # Security compiler options for OneBranch compliance
+ message(STATUS "Applying MSVC security compiler options for OneBranch compliance")
+
 add_compile_options(
 /GS # Buffer security check - detects buffer overruns
 /guard:cf # Control Flow Guard - protects against control flow hijacking
@@ -20,12 +25,17 @@ if (MSVC)
 
 # SAFESEH only for x86 (32-bit) builds
 if(CMAKE_SIZEOF_VOID_P EQUAL 4) # 32-bit
+ message(STATUS "Applying /SAFESEH for 32-bit build")
 add_link_options(/SAFESEH) # Safe Structured Exception Handling
+ else()
+ message(STATUS "Skipping /SAFESEH (not applicable for 64-bit builds)")
 endif()
 
 # Enable PDB generation for all target types
 add_compile_options("$<$:/Zi>")
 add_link_options("$<$:/DEBUG /OPT:REF /OPT:ICF>")
+
+ message(STATUS "Security flags applied: /GS /guard:cf /DYNAMICBASE /NXCOMPAT /GUARD:CF")
 endif()
 
 # Detect platform
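Review bot: `set(CMAKE_VERBOSE_MAKEFILE ON CACHE BOOL "Verbose output" FORCE)` overwrites whatever the user or the CI pipeline put in the cache on every configure, and because it sits above `if (MSVC)` it applies to every platform, so all builds now echo full compiler and linker command lines — including any `-D` values and paths handed to the build — into their logs. If the verbosity is only needed to confirm that the OneBranch flags reach the command line, prefer `cmake --build <dir> --verbose` on the build invocation, or at minimum drop `FORCE` so that `-DCMAKE_VERBOSE_MAKEFILE=OFF` still wins. Unconditional `FORCE` on a CMAKE_* cache variable is the kind of setting that tends to be left behind after debugging, and the patch subject "verbose" suggests that is what happened here.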
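Review bot: The closing `message(STATUS "Security flags applied: /GS /guard:cf /DYNAMICBASE /NXCOMPAT /GUARD:CF")` is a hand-maintained copy of the flag list that will drift from what add_compile_options()/add_link_options() actually set, and it already disagrees with the preceding branch by never mentioning whether /SAFESEH was added. Reading the directory properties back keeps the summary honest: `get_directory_property(ddbc_compile_opts COMPILE_OPTIONS)`, `get_directory_property(ddbc_link_opts LINK_OPTIONS)`, `message(STATUS "Security flags applied: ${ddbc_compile_opts} ${ddbc_link_opts}")`. A configure-time status line is still not evidence that the flags reached the built extension; presumably the OneBranch scan of the produced binary is what verifies that, so the message should not be read as the compliance check itself.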