How can I successfully run secannotate.exe on a library that depends on a Portable Class Library?

Question

I am working on the Autofac project trying to convert all of our common logic into Portable Class Libraries and adding platform-specific libraries for specific functionality.

My development machine is Windows 8 Enterprise (64-bit) and I have VS 2012 Ultimate installed with all the trimmings. I don't have any previous .NET framework stuff installed, any additional tools, or any extra PCL-specific tooling. It's a clean, new VM with just base stuff. Everything builds and tests run fine in this configuration.

When I attempt to run secannotate.exe on a .NET 4.5 (full profile) library that depends on one of the Portable Class Libraries, I get an error indicating I need mscorlib 2.0.5.0.

Here is an example error. The PCL is Autofac.dll; the .NET 4.5 full profile library is Autofac.Configuration.dll.

Error running annotator: Could not find referenced assembly 'Assembly(Name=mscorlib, Version=2.0.5.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)'. Ensure that the reference paths and assemblies are setup correctly.
Microsoft (R) .NET Framework Security Transparency Annotator 4.0.30319.17929
Copyright (C) Microsoft Corporation.  All rights reserved.

Loaded assembly 'Autofac.Configuration' from 'C:\dev\opensource\autofac\trunk\build_output\bin\net40\Autofac.Configuration.dll'.
Resolving assembly 'Assembly(Name=mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089)'.
Loaded assembly 'mscorlib' from 'C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll'.
Loaded referenced assembly from 'C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll'.
Using core assembly: 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' from 'C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll'.
Assembly 'Autofac.Configuration' is using transparency model 'Level 2'.
Assembly 'mscorlib' is using transparency model 'Level 2'.
Loaded assembly 'Autofac' from 'C:\dev\opensource\autofac\trunk\build_output\bin\net40\Autofac.dll'.
Resolving assembly 'Assembly(Name=mscorlib, Version=2.0.5.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)'.
   at Microsoft.Security.Tools.CciHostEnvironment.ResolvingAssemblyReference(IUnit referringUnit, AssemblyIdentity referencedAssembly)
   at Microsoft.Security.Tools.CciHostEnvironment.LoadCoreAssembly()
   at Microsoft.Security.Tools.CciHostEnvironment..ctor(ISecAnnotateHost host, String rootAssemblyPath)
   at Microsoft.Security.Tools.SecAnnotate.LoadInputAssemblies()
   at Microsoft.Security.Tools.SecAnnotate.AnnotateAssemblies()
   at Microsoft.Security.Tools.SecAnnotate.Main(String[] args)

The Autofac Portable Class Library targets:

• .NET 4.0
• Silverlight 5
• .NET for Windows Store apps

You can replicate the issue by creating a new/empty PCL targeting those things and build it. You'll see it references mscorlib 2.0.5.0.

Some searching leads me to believe that this is a reference to the old Silverlight assembly version, but PCL projects don't have specific version references so I can only imagine this is getting put in by the VS 2012 PCL tools. Other people seem to have fixed similar issues by installing a .NET framework update that came out before VS 2012. I can't actually find mscorlib 2.0.5.0 anywhere on my machine.

Looking in dotPeek at the Autofac.dll assembly I built, I see it references:

• mscorlib 2.0.5.0
• System 2.0.5.0
• System.ComponentModel.Composition 2.0.5.0
• System.Core 2.0.5.0

And, again, it's just a PCL project, not directly referencing anything. Literally - there's not a single reference line in the .csproj file.

How do I resolve this secannotate problem? Is there something additional I need to install? Is there a parameter I should be adding to the secannotate command line?

Answer 1

You need to pass the /d switch, pointing to the Portable Library reference assemblies, for example:

secannotate /v "Autofac.Configuration.dll" /d:"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETPortable\v4.0"

Make note that you will get warnings around mixing desktop and CoreCLR mscorlib, which can be ignored because although "portable" looks like CoreCLR (Silverlight) to secannotate, it's not when run under the context of .NET Framework.