Binskim fails on native dependencies

Describe the bug BinSkim, Microsoft’s binary analysis security tool, encounters errors when run against a project that uses the Microsoft.Azure.Cosmos nuget package.

It appears to fail for two separate reasons.

• When running binskim with the defaults, which uses Microsoft’s public symbol server, there are no symbols found for either Cosmos.CRTCompat.dll or Microsoft.Azure.Documents.ServiceInterop.dll. The error from BinSkim is E_PDB_NOT_FOUND (repeated many times). It would appear that symbols aren’t being published publicly for these two files.
• When adding Microsoft’s internal symbol server to binskim’s options (I am a Microsoft employee), then it find symbols for these. However, Microsoft.Azure.Documents.ServiceInterop.dll still fails BinSkim with error BA2008 and warning BA2024 as follows:

C:\dev\foo\bin\Debug\netcoreapp3.1\runtimes\win-x64\native\Microsoft.Azure.Cosmos.ServiceInterop.dll: error BA2008: 'Microsoft.Azure.Cosmos.ServiceInterop.dll' does not enable the control flow guard (CFG) mitigation. To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG.
C:\dev\foo\bin\Debug\netcoreapp3.1\runtimes\win-x64\native\Microsoft.Azure.Cosmos.ServiceInterop.dll: warning BA2024: 'Microsoft.Azure.Cosmos.ServiceInterop.dll' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request. The following modules are out of policy:
The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:
libcpmt.lib,cxx,19.15.26706.0 : nothrow.obj
LIBCMT.lib,cxx,19.15.26706.0 : argv_mode.obj,default_local_stdio_options.obj,delete_scalar.obj,delete_scalar_nothrow.obj,delete_scalar_size.obj,dll_dllmain.obj,dll_dllmain_stub.obj,ehvecctr.obj,ehvecdtr.obj,fltused.obj,gshandler.obj,gshandlereh.obj,gshandlerseh.obj,initializers.obj,initsect.obj,new_scalar.obj,new_scalar_nothrow.obj,std_type_info_static.obj,thread_safe_statics.obj,throw_bad_alloc.obj,tlssup.obj,tncleanup.obj,utility.obj,utility_desktop.obj
LIBCMT.lib,c,19.15.26706.0 : cpu_disp.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,pesect.obj,ucrt_detection.obj
libvcruntime.lib,cxx,19.15.26706.0 : ehhelpers.obj,ehstate.obj,frame.obj,initialization.obj,locks.obj,per_thread_data.obj,purevirt.obj,purevirt_data.obj,riscchandler.obj,risctrnsctrl.obj,rtti.obj,std_exception.obj,std_type_info.obj,throw.obj,undname.obj,winapi_downlevel.obj
libvcruntime.lib,c,19.15.26706.0 : jbcxrval.obj,jmpuwind.obj,strchr.obj,strrchr.obj,strstr.obj,wcschr.obj,wcsstr.obj

To Reproduce

dotnet new console
dotnet add package Microsoft.Azure.Cosmos
dotnet build
path\to\BinSkim.exe analyze -r bin\*

Expected behavior No failures reported by BinSkim.

Actual behavior Failures reported by BinSkim, as described above.

Environment summary SDK Version: 3.11.0 OS Version: Windows 10 (2004), 64-bit

Additional context The same issue occurs with the v2 SDK. See Azure/azure-cosmos-dotnet-v2#801