X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=bin%2Fblhc;h=2f8da5f2c4efdda473a2e3d414f98e65f3d796c8;hb=06b7783ef223d0f58804f3f08d27c45dc3b97351;hp=eacf541b40c0891e6c59ff4f422b0e976ad99e68;hpb=ee8f350576149b3cccaf0dacf11e35660209ff7d;p=blhc%2Fblhc.git diff --git a/bin/blhc b/bin/blhc index eacf541..2f8da5f 100755 --- a/bin/blhc +++ b/bin/blhc @@ -2,7 +2,7 @@ # Build log hardening check, checks build logs for missing hardening flags. -# Copyright (C) 2012-2020 Simon Ruderich +# Copyright (C) 2012-2021 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -616,7 +616,7 @@ sub compile_flag_regexp { my @result = (); foreach my $flag (@flags) { # Compile flag regexp for faster execution. - my $regex = qr/\s$flag(?:\s|\\)/; + my $regex = qr/\s(['"]?)$flag\1(?:\s|\\)/; # Store flag name in replacement string for correct flags in messages # with qr//ed flag regexps. @@ -690,7 +690,7 @@ if ($option_help) { } if ($option_version) { print <<"EOF"; -blhc $VERSION Copyright (C) 2012-2020 Simon Ruderich +blhc $VERSION Copyright (C) 2012-2021 Simon Ruderich This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1047,6 +1047,9 @@ foreach my $file (@ARGV) { \s*(?:\s-\S+)*\s*$}xo; # `echo` is never a compiler command next if $line =~ /^\s*echo\s/; + # Ignore calls to `make` because they can contain environment + # variables which look like compiler commands, e.g. CC=). + next if $line =~ /^\s*make\s/; # `moc-qt4`/`moc-qt5` contain '-I.../linux-g++' in their command # line (or similar for other architectures) which gets recognized # as a compiler line, but `moc-qt*` is only a preprocessor for Qt 
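Review bot: In the `compile_flag_regexp` hunk (`@@ -616,7 +616,7 @@`), the new quote handling relies on a numbered group and the absolute backreference `\1`, which only means "the opening quote" while this pattern is matched on its own. A named group keeps the pairing explicit (Perl 5.10+): `my $regex = qr/\s(?<quote>['"]?)$flag\k<quote>(?:\s|\\)/;`. Because this regexp decides whether a hardening flag counts as present, the tests should cover single-quoted, double-quoted and mismatched-quote flags, and the mismatched case must still be reported as missing. The rest of the function is outside the hunk, so whether callers interpolate the compiled regexps into larger patterns could not be checked here.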
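Review bot: The added `next if $line =~ /^\s*make\s/;` in the `@@ -1047,6 +1047,9 @@` hunk drops the whole log line from the hardening check on its first word alone, so a compiler call later on the same line (after `&&` or `;`, say) would no longer be inspected and its missing flags would go unreported. Whether such compound lines can reach this point depends on the line-joining code, which is outside the hunk. If they can, limit the skip to lines without a shell separator, e.g. `next if $line =~ /^\s*make\s/ and $line !~ /;|&&|\|\|/;`. The new comment also ends in an unbalanced parenthesis; `# variables which look like compiler commands (e.g. CC=).` reads cleanly. The enclosing `foreach my $file (@ARGV)` loop starts and ends outside the hunk.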
@@ -1084,6 +1087,8 @@ foreach my $file (@ARGV) { next if $line =~ /^C\+\+ linker for the host machine: /; # Embedded `gcc -print-*` commands next if $line =~ /`$cc_regex_normal\s*[^`]*-print-\S+`/; + # cmake checking for compiler flags without setting CPPFLAGS + next if $line =~ m{^\s*/usr/(bin|lib)/(ccache/)?c\+\+ -dM -E -c /usr/share/cmake-\S+/Modules/CMakeCXXCompilerABI\.cpp}; # Check if additional hardening options were used. Used to ensure # they are used for the complete build. @@ -1547,6 +1552,9 @@ you find false positives which affect more packages please report a bug. To generate this string simply use echo in C; make sure to use @ to suppress the echo command itself as it could also trigger a false positive. +If the build process takes a long time edit the C<.build> file in place and +tweak the ignore string until B no longer +reports any false positives. =head1 OPTIONS
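Review bot: The cmake pattern added in the `@@ -1084,6 +1087,8 @@` hunk uses capturing groups `(bin|lib)` and `(ccache/)?` although the statement is a bare `next if` that never reads them, and it is written as one very long line. Elsewhere in this diff the file uses `(?:...)` and `/x`, so for consistency the groups should become `(?:bin|lib)` and `(?:ccache/)?`, ideally with the pattern split over several lines under `/x` (the literal spaces then need `\s` or `[ ]`). The pattern is also open-ended on the right, so anything following `CMakeCXXCompilerABI.cpp` on the same line is skipped without being checked. A short comment such as `# rest of the line is intentionally not inspected` would record that this is deliberate. The enclosing loop starts and ends outside the hunk.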