X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=bin%2Fblhc;h=47f4e2a8ca9027fe1996a31ba5739d49ca8a6782;hb=b84ebbd86fd950d7334d2a2b4adf977918a56a47;hp=d804ecdea41338865a799061ad4c5fad01359639;hpb=981d562930dc0f7eb76323571ccad3332029371a;p=blhc%2Fblhc.git

diff --git a/bin/blhc b/bin/blhc
index d804ecd..47f4e2a 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -31,8 +31,8 @@ our $VERSION = '0.01';
 # CONSTANTS/VARIABLES
 
 # Regex to catch compiler commands.
-my $cc_regex = qr/(?:[a-z0-9_]+-(?:linux|kfreebsd)-gnu(?:eabi|eabihf)?-)?
-                  (?:(?<!\.)cc|gcc|g\+\+|c\+\+)
+my $cc_regex = qr/(?:[a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?-)?
+                  (?<!\.)(?:cc|gcc|g\+\+|c\+\+)
                   (?:-[\d.]+)?/x;
 # Regex to catch (GCC) compiler warnings.
 my $warning_regex = qr/^(.+?):([0-9]+):[0-9]+: warning: (.+?) \[(.+?)\]$/;
@@ -180,6 +180,12 @@ sub error_non_verbose_build {
            error_color(':', 'yellow'),
            $line;
 }
+sub error_hardening_wrapper {
+    printf "%s%s %s\n",
+            error_color('HARDENING WRAPPER', 'red'),
+            error_color(':', 'yellow'),
+            'no checks possible, aborting';
+}
 sub error_color {
     my ($message, $color) = @_;
 
@@ -366,6 +372,14 @@ while (my $line = <>) {
         }
     }
 
+    # If hardening wrapper is used (wraps calls to gcc and adds hardening
+    # flags automatically) we can't perform any checks, abort.
+    if (not $start and $line =~ /^Build-Depends: .*\bhardening-wrapper\b/) {
+        error_hardening_wrapper();
+        $exit |= 1 << 4;
+        exit $exit;
+    }
+
     # We skip over unimportant lines at the beginning of the log to prevent
     # false positives.
     $start = 1 if $line =~ /^dpkg-buildpackage:/;
@@ -447,9 +461,6 @@ while (my $line = <>) {
                     or $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex\s*$/
                     or $line =~ /^\s*-- Check for working (?:C|CXX) compiler: /
                     or $line =~ /^\s*(?:echo )?Using [A-Z_]+\s*=\s*/;
-            # Debian buildd output.
-            next if $line =~ /^\s*Depends: .*?$cc_regex.*?$/
-                    and $line !~ /\s-./; # option, prevent false negatives
 
             # Check if additional hardening options were used. Used to ensure
             # they are used for the complete build.
@@ -695,6 +706,10 @@ Non verbose build.
 
 Missing hardening flags.
 
+=item B<16>
+
+Hardening wrapper detected, no tests performed.
+
 =back
 
 =head1 AUTHOR