Appendix E: Required and Recommended Compilers, Tools, and Options for All Platforms
Win32 Requirements: Unmanaged Code
Compiler/Tool | Minimum Required Version and Switches/Options | Optimal/Recommended Version and Switches/Options | Comments |
---|---|---|---|
C/C++ Compiler | Microsoft Visual Studio .NET 2008 | | |
cl.exe | Version 14.00.50727.42. Use /GS. | Use /GS. | |
Link.exe | Version 8.00.50727.762. Use /SAFESEH. Use /NXCOMPAT and don’t use /NXCOMPAT:NO. See Appendix F: SDL Requirement: No Executable Pages for more information. | Use /SAFESEH. Use /functionpadmin:5. Use /DYNAMICBASE. | Visual Studio 2008 SP1 is needed for /DYNAMICBASE. |
MIDL.exe | Version 6.00.0366. Use /robust. | Use /robust. | |
Source code analysis | Visual Studio 2008 Code Analysis Options (“/analyze”). For Visual Studio 2008 code analysis, all warning IDs from the following list must be fixed: 4532 6029 6053 6057 6059 6063 6067 6200 6201 6202 6203 6204 6248 6259 6260 6268 6276 6277 6281 6282 6287 6288 6289 6290 6291 6296 6298 6299 6305 6306 6308 6334 6383 | Visual Studio 2008 Code Analysis Options (“/analyze”). For Visual Studio 2008 code analysis, all warning IDs from the following list must be fixed: 4532 6029 6053 6057 6059 6063 6067 6200 6201 6202 6203 6204 6248 6259 6260 6268 6276 6277 6281 6282 6287 6288 6289 6290 6291 6296 6298 6299 6305 6306 6308 6334 6383. Standard Annotation Language (SAL): Code annotated with SAL should correct additional warnings in addition to those listed above. See Appendix H: SDL Standard Annotation Language (SAL) Recommendations for Native Win32 Code for more information. The warnings are summarized as follows. SAL Compliance: Visual Studio 2008: 26020 - 26023. /analyze: Visual Studio 2008: 6029 6053 6057 6059 6063 6067- 6201-6202 6248 6260 6276 6277 6305 | Visual Studio 2008 Team Edition contains a publicly available version that is branded as “C/C++ Code Analysis”. |
Protecting Against Heap Corruption | n/a | All executable programs written using unmanaged code (.EXE) must call the HeapSetInformation interface. See Appendix I: SDL Requirement: Heap Manager Fail Fast Setting for more information. | |
C4700 and C4701 Compiler Warnings | n/a | Compile code with C4700 and C4701 compiler warnings enabled and fix all instances of these warnings. | |
Win32 Requirements: Managed Code
Compiler/Tool | Minimum Required Version and Switches/Options | Optimal/Recommended Version and Switches/Options | Comments |
---|---|---|---|
C# Compiler | Visual Studio 2008 | | If using C#, use C# v2.0 or later; if using Visual Basic.NET, use Visual Basic.NET 8.0 or later. |
csc.exe | Version 8.0.50727.42 | | |
.NET Framework | Version 2.0.50727 | | |
FxCop | Version 1.32 | Most recent version | |
Win32 Requirements: Testing Tools
Tool | Minimum Required Version and Switches/Options | Optimal/Recommended Version and Switches/Options | Comments |
---|---|---|---|
Application Verifier (AppVerifier) | Most recent version. Run tests as described in Appendix J: SDL Requirement: Application Verifier. | Most recent version | Note: AppVerifier is targeted at unmanaged code and is not optimized for managed code. |
Win64 Requirements (IA64 and AMD64): Unmanaged Code
Compiler/Tool | Minimum Required Version and Switches/Options | Optimal/Recommended Version and Switches/Options | Comments |
---|---|---|---|
C/C++ Compiler | Visual Studio 2008 | | |
cl.exe | Version 14.00.50727.42 | | |
Link.exe | Version 8.00.50727.762. Use of /SAFESEH does not apply to Win64 platforms. Use /NXCOMPAT and do not use /NXCOMPAT:NO. See Appendix F: SDL Requirement: No Executable Pages for more information. | AMD64 only: Use /functionpadmin:6. Use of /SAFESEH does not apply to Win64 platforms. Use /DYNAMICBASE. | Visual Studio 2008 SP1 is needed for /DYNAMICBASE. |
MIDL.exe | Version 6.00.0366. Use /robust. | Use /robust. | |
Protecting Against Heap Corruption | n/a | All executable programs written using unmanaged code (.EXE) must call the HeapSetInformation interface. See Appendix I: SDL Requirement: Heap Manager Fail Fast Setting for more information. | |
C4700 and C4701 Compiler Warnings | n/a | Compile code with C4700 and C4701 compiler warnings enabled and fix all instances of these warnings. | |
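
An added example, not part of the original SDL documentation: a Python check that reads a built binary's PE header and reports whether the Link.exe rows in the Win32 and Win64 unmanaged-code tables were honoured. The function names, finding strings and sample headers are constructed for illustration; /SAFESEH is not recorded in the header field read here, so on x86 it is only flagged for manual confirmation.

```python
import struct

# DllCharacteristics bits defined by the PE/COFF format.
DYNAMIC_BASE = 0x0040   # set when the image is linked with /DYNAMICBASE
NX_COMPAT = 0x0100      # set when the image is linked with /NXCOMPAT
MACHINES = {0x014C: "x86", 0x8664: "AMD64", 0x0200: "IA64"}


def audit_pe(data):
    """Return (machine name, findings) for the bytes of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)    # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt = pe_off + 24           # optional header follows the 20-byte COFF header
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    findings = []
    if not flags & NX_COMPAT:
        findings.append("REQUIRED: link with /NXCOMPAT")
    if not flags & DYNAMIC_BASE:
        findings.append("RECOMMENDED: link with /DYNAMICBASE")
    if machine == 0x014C:       # /SAFESEH applies to x86 images only
        findings.append("MANUAL: confirm /SAFESEH (not stored in this field)")
    return MACHINES.get(machine, hex(machine)), findings


def sample_image(machine, magic, flags):
    """Constructed input: bare headers only, not a loadable executable."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 72, 0x0002)
    opt = struct.pack("<H", magic) + b"\x00" * 68 + struct.pack("<H", flags)
    return dos + b"PE\x00\x00" + coff + opt


if __name__ == "__main__":
    for img in (sample_image(0x014C, 0x10B, 0x0000),
                sample_image(0x8664, 0x20B, NX_COMPAT | DYNAMIC_BASE)):
        print(audit_pe(img))
```

To audit a real build output, pass the file's bytes, for example `audit_pe(open(path, "rb").read())`.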
Win64 Requirements (IA64 and AMD64): Managed Code
Compiler/Tool | Minimum Required Version and Switches/Options | Optimal/Recommended Version and Switches/Options | Comments |
---|---|---|---|
C# Compiler | Visual Studio 2008 | | If using C#, use C# v2.0 or later; if using Visual Basic.NET, use Visual Basic.NET 8.0 or later. |
csc.exe | Version 8.0.50727.42 | | |
.NET Framework | Version 2.0.50727 | | |
FxCop | Most recent version | Most recent version | |
Win64 Requirements (IA64 and AMD64): Testing Tools
Tool | Minimum Required Version and Switches/Options | Optimal/Recommended Version and Switches/Options | Comments |
---|---|---|---|
Application Verifier (AppVerifier) | Most recent version. Run tests as described in Appendix J: SDL Requirement: Application Verifier. | Most recent version | Note: AppVerifier is targeted at unmanaged code and is not optimized for managed code. |
Windows CE Requirements: Unmanaged Code
Compiler/Tool | Minimum Required Version and Switches/Options | Optimal/Recommended Version and Switches/Options | Comments |
---|---|---|---|
C/C++ Compiler | Visual Studio 2008 | | |
cl.exe | Version 14.0.50725.0. Use -GS (see comments). | Use -GS (see comments). | The -GS flag has a modest impact on code size, which can be of interest on WinCE platforms. Minimally, -GS must be used on all Internet-facing code. Ideally, |
Link.exe | Version 8.00.50727.762. Use of /SAFESEH only applies to x86 with WinCE platforms. Use of /NXCOMPAT does not apply to WinCE. | Use of /SAFESEH only applies to x86 on WinCE platforms. Use of /NXCOMPAT:NO does not apply to WinCE. | |
MIDL.exe | Version 6.00.0366. Use /robust. | Use /robust. | |
Source code analysis | Visual Studio 2008 Code Analysis Options (“/analyze”). For Visual Studio 2008 code analysis, all warning IDs from the following list must be fixed: 4532 6029 6053 6057 6059 6063 6067 6200 6201 6202 6203 6204 6248 6259 6260 6268 6276 6277 6281 6282 6287 6288 6289 6290 6291 6296 6298 6299 6305 6306 6308 6334 6383 | | |
Windows CE Requirements: Compact Framework Managed Code
Compiler/Tool | Minimum Required Version and Switches/Options | Optimal/Recommended Version and Switches/Options | Comments |
---|---|---|---|
C# Compiler | Visual Studio 2008 | | If using C#, use C# v2.0 or later; if using Visual Basic.NET, use Visual Basic.NET 8.0 or later. |
csc.exe | Version 8.0.50727.42 | | |
.NET Framework | Version 2.0.50727 | | |
FxCop | Most recent version | Most recent version | |
Content Disclaimer
This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products. This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2012 Microsoft Corporation. All rights reserved. Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported