SqlClient: Package causes a new UWP app to fail Windows App Certification for Deployment to Microsoft Store

Describe the bug

If you add the latest version of the NuGet package (1.1.0) to a blank UWP app, the app will fail the Windows App Certification with the following error and not be able to be deployed to the Microsoft Store. The failure relates to sni.dll failing the Binary analyzer Windows Security features test.

Windows security features test

FAILED
Binary analyzer
Error Found: The binary analyzer test detected the following errors:
File C:\Program Files\WindowsApps\(PackageName)\sni.dll has failed the AppContainerCheck check.
Impact if not fixed: If the app doesn’t use the available Windows protections, it can increase the vulnerability of the customer's computer to malware.
How to fix: Apply the required linker options - SAFESEH, DYNAMICBASE, NXCOMPAT, and APPCONTAINER - when you link the app. See links below for more information:
Fixing Binary Analyzer Errors

PASSED
Banned file analyzer

PASSED
Private code signing



Supported API test

FAILED
Supported APIs
Error Found: The supported APIs test detected the following errors:
API _mbschr in api-ms-win-crt-multibyte-l1-1-0.dll is not supported for this application type. sni.dll calls this API.
API _mbsnbicmp_l in api-ms-win-crt-multibyte-l1-1-0.dll is not supported for this application type. sni.dll calls this API.
API _mbsspn in api-ms-win-crt-multibyte-l1-1-0.dll is not supported for this application type. sni.dll calls this API.
API IsTokenRestricted in advapi32.dll is not supported for this application type. sni.dll calls this API.
Impact if not fixed: Using an API that is not part of the Windows SDK for Microsoft Store apps violates the Microsoft Store certification requirements.
How to fix: Review the error messages to identify the API that is not part of the Windows SDK for Microsoft Store apps. Please note, apps that are built in a debug configuration or without .NET Native enabled (where applicable) can fail this test as these environments may pull in unsupported APIs. Retest your app in a release configuration, and with .NET Native enabled if applicable.

To reproduce

Create a new, blank UWP app (File->New->Project->Blank App (Universal Windows))
Right click the project -> Publish -> Create app packages -> Sideloading -> Yes, select a certificate: Create -> Next -> Next -> Choose an installer location -> Create -> Copy and Close (once it finishes running)
Launch the Windows App Cert Kit (just search for app in Windows 10)
Choose Validate Store App -> Browse for the app you want to validate -> Select the .msixbundle created in Step 2. -> Next -> leave all Selected, Next
View the report once finished (should pass for everything except for default logos)
Right click the project -> Manage NuGet Packages -> search for Microsoft.Data.SqlClient and install the latest version (v1.1.0 as of now)
Repeat steps 2-5, report will show the failure documented above.

Expected behavior

Package should not prevent UWP apps from being deployed to store, as this will prevent production usage.

Further technical details

Microsoft.Data.SqlClient version: 1.1.0 .NET target: Universal Windows Target Version 1903 SQL Server version: SQL Server 2017 Operating system: Windows 10 Version 1909

Additional context This seems to have been an issue at one point with the System.Data.SqlClient package as well. Perhaps the same fix could be applied to this package? https://social.msdn.microsoft.com/Forums/en-US/5bcc17fa-5184-4fab-8ff2-cbee229a12a2/snidll-has-failed-the-appcontainercheck-check?forum=wpsubmit

Here is some documentation on fixing similar failures of this test with another dll (with the linker options /dynamicbase /nxcompat /appcontainer) https://github.com/grpc/grpc/issues/18188 Specifically, step 3 of this comment in the issue thread: https://github.com/grpc/grpc/issues/18188#issuecomment-544848727

About this issue

Original URL
State: closed
Created 5 years ago
Comments: 24 (9 by maintainers)

Most upvoted comments

Hi @David-Engel

Thank you again for your suggestions. After further troubleshooting I was able to get it to successfully pass the Binary analyzer check on my local machine. I first had to add the following lines to my project’s post build script to delete all files recursively as you suggested: cd $(TargetDir) DEL /F/Q/S Microsoft.Data.SqlClient.SNI.dll

Similar to your suggestions about the *.deps.json file for a .NET Core project, I then also had to remove all references (about 50 in my case) to Microsoft.Data.SqlClient.SNI.dll in the project.assets.json file located in the obj folder of my UWP App project. Doing this right before publishing the app packages for the project I was able to get a package created which successfully passes the Binary analyzer check. It’s worth noting that a Rebuild All on the solution would trigger a NuGet Package Restore, which re inserts the ~50 references to the JSON file and then it will not pass or build successfully again until they are deleted.

bolyb on Feb 8, 2021

For me what worked is using PowerShell script to remove Microsoft.Data.SqlClient.SNI references in project.assets.json from the obj directory after restore, before build. I am using build pipeline to create the store upload package so I needed something automated. The PowerShell script:

function Remove-Property {
  param(
    [Parameter(Mandatory, ValueFromPipeline, Position = 0)]
    [object] $InputObject,
    [Parameter(Mandatory, Position = 1)]
    [string] $NamePattern
  )
  process {
    foreach ($el in $InputObject) {
      foreach ($propName in $el.psobject.Properties.Name) {
        if ($propName -like $NamePattern) {
          $el.psobject.Properties.Remove($propName)
        }
        else {
          $null = Remove-Property -InputObject $el.$propName -NamePattern $NamePattern
        }
      }
    }
    $InputObject
  }
}

$fileContent = Get-Content ".\obj\project.assets.json" -Raw | ConvertFrom-Json
$fileContent = Remove-Property -InputObject $fileContent -NamePattern "*Microsoft.Data.SqlClient.SNI*"
$fileContent | ConvertTo-Json -Depth 100 | Out-File ".\obj\project.assets.json" -Force

In my case the obj and bin folders do not exist. Restore target is run using msbuild, then the script above is run from the UWP project folder. Then I run msbuild with appropriate parameters to create store upload package, and it passes certification.

The above script creates a world where Microsoft.Data.SqlClient package does not depend on SNI package, and it removes any references to the SNI package from targets/libraries portions of json file.

(sigh). Sad this was needed, but hope it helps someone.

dahovey on May 19, 2021

Is there any chance that you can work with the Microsoft Store team and have them allow this Microsoft SNI dll?

@wjvii The purpose of UWP is to provide a uniform set of APIs that apps can use, which are supported on all the devices that Windows 10 runs on. The Microsoft.Data.SqlClient.SNI.dll is not compiled specifically to use only the UWP core APIs, so there isn’t any way the store can simply “allow” it because, without changing it, it likely would not work across all devices.

@bolyb As ErikEJ suggested, try deleting the SNI files from your build/publish folder (and maybe remove any references to it from your dep.json file, depending on your publish config), assuming you have set the switch to Enable Managed SNI on Windows. Those SNI dlls are not actually used when that switch is set.

David-Engel on Feb 4, 2021

Remove the SNI files during build?

ErikEJ on Feb 4, 2021

@cheenamalhotra is there any chance that you can work with the Microsoft Store team and have them allow this Microsoft SNI dll?

wjvii on Feb 4, 2021

Hi @bolyb @wjvii

I think the error you’re seeing is mainly due to SNI dependency that continues to exist even if you enable Managed SNI and do not use that DLL at all. I think the only solution that would work is when you we completely move away from Native SNI to managed for UAP targets. But because Microsoft.Data.SqlClient is now an external component and not built same way as System.Data.SqlClient was built in the .NET Core SDK, we have had challenges in the past when building for UAP targets.

I’ll reopen this issue again, and we can revisit options that we can do here.

cheenamalhotra on Feb 4, 2021

@bolyb @cheenamalhotra @David-Engel I too am circling back around this as I have run into the same thing again as well, I updated #703 mentioned above back in December. Right now, we cannot ship the newest versions of our Microsoft Windows application due to this issue.

wjvii on Feb 4, 2021

@bolyb One of the things that was done in System.Data.SqlClient was specifically supporting a UWP build target. In doing that, S.D.SqlClient could provide different bits for UWP targets versus regular Windows targets. The UWP-specific bits in S.D.SqlClient do not include references to the native sni.dll (it uses a managed SNI implementation which is not quite as performant). In creating Microsoft.Data.SqlClient, that UWP-specific build target was not done and thus UWP applications which reference M.D.SqlClient will get the Windows bits with the native sni.dll references. It is on the roadmap to provide a UWP-specific build target in M.D.SqlClient with similar changes, but there is no date set for it at this time.

I recommend staying with System.Data.SqlClient for UWP applications until UWP-specific build support is added to Microsoft.Data.SqlClient.

David-Engel on Jan 21, 2020

Hi @bolyb

I believe you’re suggesting changes in SNI.dll source which loads from runtime.native.System.Data.SqlClient.sni when targeting UWP Apps.

Currently there are some hiccups with this library, we’ll look into it if feasible and get back to you.

cheenamalhotra on Dec 17, 2019