+FILE: foreach my $file (@ARGV) {
+ open my $fh, '<', $file or die "$!: $file";
+
+ # Hardening options. Not all architectures support all hardening options.
+ my $harden_format = 1;
+ my $harden_fortify = 1;
+ my $harden_stack = 1;
+ my $harden_relro = 1;
+ my $harden_bindnow = $option_bindnow; # defaults to 0
+ my $harden_pie = $option_pie; # defaults to 0
+
+ while (my $line = <$fh>) {
+ # dpkg-buildflags only provides hardening flags since 1.16.1, don't
+ # check for hardening flags in buildd mode if an older dpkg-dev is
+ # used. Default flags (-g -O2) are still checked.
+ #
+ # Packages which were built before 1.16.1 but used their own hardening
+ # flags are not checked.
+ if ($option_buildd and $line =~ /^Toolchain package versions: /) {
+ require Dpkg::Version;
+ if ($line !~ /dpkg-dev_(\S+)/
+ or Dpkg::Version::version_compare($1, '1.16.1') < 0) {
+ $harden_format = 0;
+ $harden_fortify = 0;
+ $harden_stack = 0;
+ $harden_relro = 0;
+ $harden_bindnow = 0;
+ $harden_pie = 0;
+ }
+ }
+
+ # If hardening wrapper is used (wraps calls to gcc and adds hardening
+ # flags automatically) we can't perform any checks, abort.
+ if ($line =~ /^Build-Depends: .*\bhardening-wrapper\b/) {
+ if (not $option_buildd) {
+ error_hardening_wrapper();
+ } else {
+ print "I-hardening-wrapper-used\n";
+ }
+ $exit |= 1 << 4;
+ next FILE;
+ }
+
+ # We skip over unimportant lines at the beginning of the log to
+ # prevent false positives.
+ last if $line =~ /^dpkg-buildpackage:/;
+ }
+
+ # Input lines, contain only the lines with compiler commands.
+ my @input = ();
+
+ my $continuation = 0;
+ my $complete_line = undef;
+ while (my $line = <$fh>) {
+ # And stop at the end of the build log. Package details (reported by
+ # the buildd logs) are not important for us. This also prevents false
+ # positives.
+ last if $line =~ /^Build finished at \d{8}-\d{4}$/;
+
+ # Detect architecture automatically unless overridden.
+ if (not $option_arch
+ and $line =~ /^dpkg-buildpackage: host architecture (.+)$/) {
+ $option_arch = $1;
+ }
+
+ # Ignore compiler warnings for now.
+ next if $line =~ /$warning_regex/o;
+
+ if ($line =~ /\033/) { # esc
+ # Remove all ANSI color sequences which are sometimes used in
+ # non-verbose builds.
+ $line = Term::ANSIColor::colorstrip($line);
+ # Also strip '\0xf' (delete previous character), used by Elinks'
+ # build system.
+ $line =~ s/\x0f//g;
+ # And "ESC(B" which seems to be used on armhf and hurd (not sure
+ # what it does).
+ $line =~ s/\033\(B//g;
+ }
+
+ # Check if this line indicates a non verbose build.
+ my $non_verbose = is_non_verbose_build($line);
+
+ # One line may contain multiple commands (";"). Treat each one as
+ # single line. parse_line() is slow, only use it when necessary.
+ my @line = (not $line =~ /;/)
+ ? ($line)
+ : map {
+ # Ensure newline at the line end - necessary for
+ # correct parsing later.
+ $_ =~ s/\s+$//;
+ $_ .= "\n";
+ } Text::ParseWords::parse_line(';', 1, $line);
+ foreach $line (@line) {
+ if ($continuation) {
+ $continuation = 0;
+
+ # Join lines, but leave the "\" in place so it's clear where
+ # the original line break was.
+ chomp $complete_line;
+ $complete_line .= ' ' . $line;
+ }
+ # Line continuation, line ends with "\".
+ if ($line =~ /\\\s*$/) {
+ $continuation = 1;
+ # Start line continuation.
+ if (not defined $complete_line) {
+ $complete_line = $line;
+ }
+ next;
+ }
+
+ if (not $continuation) {
+ # Use the complete line if a line continuation occurred.
+ if (defined $complete_line) {
+ $line = $complete_line;
+ $complete_line = undef;
+ }
+
+ # Ignore lines with no compiler commands.
+ next if $line !~ /\b$cc_regex(?:\s|\\)/o and not $non_verbose;
+
+ # Ignore false positives.
+ #
+ # `./configure` output.
+ next if not $non_verbose
+ and $line =~ /^(?:checking|(?:C|c)onfigure:) /;
+ next if $line =~ /^\s*(?:Host\s+)?(?:C\s+)?
+ (?:C|c)ompiler[\s.]*:?\s+
+ $cc_regex_full
+ (?:\s-std=[a-z0-9:+]+)?\s*$
+ /xo
+ or $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex_full\s*$/o
+ or $line =~ /^\s*-- Check for working (?:C|CXX) compiler: /
+ or $line =~ /^\s*(?:echo )?Using [A-Z_]+\s*=\s*/;
+ # `make` output.
+ next if $line =~ /^Making [a-z]+ in \S+/; # e.g. "[...] in c++"
+
+ # Check if additional hardening options were used. Used to
+ # ensure they are used for the complete build.
+ $harden_pie = 1 if any_flags_used($line, @def_cflags_pie, @def_ldflags_pie);
+ $harden_bindnow = 1 if any_flags_used($line, @def_ldflags_bindnow);
+
+ push @input, $line;
+ }
+ }
+ }