Merge pull request #1843 from shimat/fix/hardening-security-flags

Hardening security with compiler switches - /GS and /HIGHENTROPYVA

Author: shimat

.github/workflows/manylinux.yml

@@ -210,7 +210,7 @@ jobs:
         with:
           path: |
             ${{ github.workspace }}/opencv_artifacts_slim/include
-            ${{ github.workspace }}/opencv_artifacts_slim/lib
+            ${{ github.workspace }}/opencv_artifacts_slim/lib64
           key: opencv-${{ env.OPENCV_VERSION }}-manylinux2_28-slim-${{ hashFiles('cmake/opencv_build_options_slim.cmake') }}
 
       - name: Configure OpenCV (slim)
@@ -238,7 +238,7 @@ jobs:
         with:
           path: |
             ${{ github.workspace }}/opencv_artifacts_slim/include
-            ${{ github.workspace }}/opencv_artifacts_slim/lib
+            ${{ github.workspace }}/opencv_artifacts_slim/lib64
           key: opencv-${{ env.OPENCV_VERSION }}-manylinux2_28-slim-${{ hashFiles('cmake/opencv_build_options_slim.cmake') }}
 
       - name: Build OpenCvSharpExtern (slim)
@@ -248,6 +248,7 @@ jobs:
             -S src \
             -B src/build-slim \
             -D CMAKE_BUILD_TYPE=Release \
+            -D OpenCV_DIR=${GITHUB_WORKSPACE}/opencv_artifacts_slim/lib64/cmake/opencv4 \
             -D CMAKE_PREFIX_PATH=${GITHUB_WORKSPACE}/opencv_artifacts_slim \
             -D NO_CONTRIB=ON \
             -D NO_VIDEOIO=ON \

.github/workflows/windows.yml

@@ -1,6 +1,12 @@
 name: Windows Server 2025
 
 on:
+  workflow_dispatch:
+    inputs:
+      run_binskim:
+        description: 'Run BinSkim security hardening check'
+        type: boolean
+        default: true
   pull_request:
     types: [synchronize, opened]
   push:
@@ -173,6 +179,43 @@ jobs:
           cd ${env:GITHUB_WORKSPACE}\test\OpenCvSharp.Tests.Windows
           dotnet test -c Release -f net48 --runtime win-x64
 
+      - name: Verify security hardening with BinSkim
+        if: inputs.run_binskim == true
+        shell: powershell
+        run: |
+          # Official install: download .nupkg from NuGet, unzip, run exe from tools/
+          $dest = "$env:TEMP\binskim"
+          Invoke-WebRequest "https://www.nuget.org/api/v2/package/Microsoft.CodeAnalysis.BinSkim" -OutFile "$dest.zip"
+          Expand-Archive "$dest.zip" $dest -Force
+          $binskimExe = Get-ChildItem "$dest\tools\net*\win-x64\binskim.exe" | Select-Object -Last 1 -ExpandProperty FullName
+          if (-not $binskimExe) { throw "binskim.exe not found" }
+
+          # Scan OpenCvSharpExtern.dll only.
+          # opencv_videoio_ffmpeg*.dll is a pre-built binary from opencv_3rdparty
+          # and cannot be recompiled with different flags (see opencv/3rdparty/ffmpeg/ffmpeg.cmake).
+          $dll = "$env:GITHUB_WORKSPACE\src\build\OpenCvSharpExtern\Release\OpenCvSharpExtern.dll"
+          if (-not (Test-Path $dll)) { throw "OpenCvSharpExtern.dll not found: $dll" }
+
+          $sarifFile = "$env:TEMP\binskim.sarif"
+          & $binskimExe analyze $dll --output $sarifFile
+          # Ignore BinSkim's own exit code (it returns 1 on PDB load failures etc.);
+          # rely solely on SARIF result filtering below.
+          $LASTEXITCODE = 0
+
+          # Ignore findings we cannot address:
+          #   ERR997 - PDB unavailable (Release builds have no PDB by default)
+          #   BA2007 - compiler warning level violations in vcpkg static libs (tesseract, tiff, etc.)
+          if (-not (Test-Path $sarifFile)) { Write-Warning "No SARIF output produced."; exit 0 }
+          $failures = (Get-Content $sarifFile | ConvertFrom-Json).runs[0].results | Where-Object {
+            $ruleId = ($_.ruleId -split "/")[0]
+            $_.level -eq "error" -and $ruleId -notmatch "^ERR997" -and $ruleId -ne "BA2007"
+          }
+          if ($failures) {
+            $failures | ForEach-Object { Write-Host "FAIL $($_.ruleId): $(($_.message.text -split "`n")[0])" }
+            exit 1
+          }
+          Write-Host "Security hardening verified: no actionable failures."
+
       - name: Pack NuGet packages
         shell: powershell
         run: |
@@ -208,4 +251,4 @@ jobs:
         uses: actions/upload-artifact@v6
         with:
           name: packages_windows
-          path: ${{ github.workspace }}\artifacts
+          path: ${{ github.workspace }}\artifacts

cmake/opencv_build_options.cmake

@@ -58,5 +58,12 @@ if(WIN32)
   set(BUILD_JPEG  OFF CACHE BOOL "" FORCE)
   set(BUILD_PNG   OFF CACHE BOOL "" FORCE)
   set(BUILD_WEBP  OFF CACHE BOOL "" FORCE)
+
+  # Enable security hardening flags (/GS, /sdl, /guard:cf, /DYNAMICBASE, etc.)
+  # to satisfy security audit requirements (issue #1841).
+  # Note: opencv_videoio_ffmpeg*.dll is a pre-built binary downloaded from
+  # https://github.com/opencv/opencv_3rdparty and is not affected by this flag.
+  # Its security hardening status depends entirely on the OpenCV project's build pipeline.
+  set(ENABLE_BUILD_HARDENING ON CACHE BOOL "" FORCE)
 endif()
 

src/CMakeLists.txt

@@ -25,6 +25,13 @@ option(NO_HIGHGUI "Disable highgui bindings" OFF)
 option(NO_VIDEOIO "Disable videoio bindings" OFF)
 option(NO_INSTALL_TO_TEST "Skip copying built DLL to the test project directory (Windows only)" OFF)
 
+# Enable MSVC security hardening flags (issue #1841)
+if(MSVC)
+  add_compile_options(/guard:cf /GS)
+  # /HIGHENTROPYVA: enable high-entropy 64-bit ASLR
+  add_link_options(/guard:cf /DYNAMICBASE /HIGHENTROPYVA)
+endif()
+
 # Convert options to compile definitions so C++ preprocessor can see them
 if(NO_CONTRIB)
     add_compile_definitions(NO_CONTRIB)