X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=bin%2Fblhc;h=618fa7698dc69406157114cd56bcd866dcdfc31d;hb=2fe2ed37ef0b9093272f674bd9323a3516af7b40;hp=38ca653cd655b8dd6209df0229fdf86e1754edc6;hpb=d7e5c1de20c3adb24676f405e8930a61c5746759;p=blhc%2Fblhc.git

diff --git a/bin/blhc b/bin/blhc
index 38ca653..618fa76 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -23,6 +23,7 @@ use warnings;
 
 use Getopt::Long ();
 use Term::ANSIColor ();
+use Text::ParseWords ();
 
 our $VERSION = '0.01';
 
@@ -30,10 +31,119 @@ our $VERSION = '0.01';
 # CONSTANTS/VARIABLES
 
 # Regex to catch compiler commands.
-my $cc_regex = qr/(?:x86_64-linux-gnu-)?(?:(?<!\.)cc|gcc|g\+\+|c\+\+)(?:-[\d.]+)?/;
+my $cc_regex = qr/(?:[a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?-)?
+                  (?<!\.)(?:cc|gcc|g\+\+|c\+\+)
+                  (?:-[\d.]+)?/x;
 # Regex to catch (GCC) compiler warnings.
 my $warning_regex = qr/^(.+?):([0-9]+):[0-9]+: warning: (.+?) \[(.+?)\]$/;
 
+# List of source file extensions which require preprocessing.
+my @source_preprocess_compile_cpp = (
+    # C++
+    qw( cc cp cxx cpp CPP c++ C ),
+    # Objective-C++
+    qw( mm Mr),
+);
+my @source_preprocess_compile = (
+    # C
+    qw( c ),
+    # Objective-C
+    qw( m ),
+    # (Objective-)C++
+    @source_preprocess_compile_cpp,
+    # Fortran
+    qw( F FOR fpp FPP FTN F90 F95 F03 F08 ),
+);
+my @source_preprocess_no_compile = (
+    # Assembly
+    qw( s ),
+);
+my @source_preprocess = (
+    @source_preprocess_compile,
+    @source_preprocess_no_compile,
+);
+# List of source file extensions which don't require preprocessing.
+my @source_no_preprocess_compile_cpp = (
+    # C++
+    qw( ii ),
+    # Objective-C++
+    qw( mii ),
+);
+my @source_no_preprocess_compile = (
+    # C
+    qw( i ),
+    # (Objective-)C++
+    @source_no_preprocess_compile_cpp,
+    # Objective-C
+    qw( mi ),
+    # Fortran
+    qw( f for ftn f90 f95 f03 f08 ),
+);
+my @source_no_preprocess_no_compile = (
+    # Assembly
+    qw( S sx ),
+);
+my @source_no_preprocess = (
+    @source_no_preprocess_compile,
+    @source_no_preprocess_no_compile,
+);
+# List of header file extensions which require preprocessing.
+my @header_preprocess = (
+    # C, C++, Objective-C, Objective-C++
+    qw( h ),
+    # C++
+    qw( hh H hp hxx hpp HPP h++ tcc ),
+);
+
+# Hashes for fast extensions lookup to check if a file falls in one of these
+# categories.
+my %extensions_no_preprocess = map { $_ => 1 } (
+    @source_no_preprocess,
+);
+my %extensions_preprocess = map { $_ => 1 } (
+    @header_preprocess,
+    @source_preprocess,
+);
+my %extensions_compile_link = map { $_ => 1 } (
+    @source_preprocess,
+    @source_no_preprocess,
+);
+my %extensions_compile = map { $_ => 1 } (
+    @source_preprocess_compile,
+    @source_no_preprocess_compile,
+);
+my %extensions_no_compile = map { $_ => 1 } (
+    @source_preprocess_no_compile,
+    @source_no_preprocess_no_compile,
+);
+my %extensions_compile_cpp = map { $_ => 1 } (
+    @source_preprocess_compile_cpp,
+    @source_no_preprocess_compile_cpp,
+);
+my %extension = map { $_ => 1 } (
+    @source_no_preprocess,
+    @source_no_preprocess_compile,
+    @source_no_preprocess_compile_cpp,
+    @source_no_preprocess_no_compile,
+    @header_preprocess,
+    @source_preprocess,
+    @source_preprocess_compile,
+    @source_preprocess_compile_cpp,
+    @source_preprocess_no_compile,
+);
+
+# Regexp to match file extensions.
+my $file_extension_regex = qr/
+    \s
+    \S+         # Filename without extension.
+    \.
+    ([^\\.\s]+) # File extension.
+    (?=\s|\\)   # At end of word. Can't use \b because some files have non
+                # word characters at the end and because \b matches double
+                # extensions (like .cpp.o). Works always as all lines are
+                # terminated with "\n".
+    /x;
+
 # Expected (hardening) flags. All flags are used as regexps.
 my @cflags = (
     '-g',
@@ -54,6 +164,11 @@ my @cflags_stack = (
 my @cflags_pie = (
     '-fPIE',
 );
+my @cxxflags = (
+    '-g',
+    '-O(?:2|3)',
+);
+# @cxxflags_* is the same as @cflags_*.
 my @cppflags = ();
 my @cppflags_fortify = (
     '-D_FORTIFY_SOURCE=2',
@@ -76,6 +191,9 @@ my %flag_renames = (
     '-Wl,(-z,)?now'   => '-Wl,-z,now',
 );
 
+# Use colored (ANSI) output?
+my $option_color;
+
 
 # FUNCTIONS
 
@@ -102,11 +220,16 @@ sub error_non_verbose_build {
            error_color(':', 'yellow'),
            $line;
 }
+sub error_hardening_wrapper {
+    printf "%s%s %s\n",
+            error_color('HARDENING WRAPPER', 'red'),
+            error_color(':', 'yellow'),
+            'no checks possible, aborting';
+}
 sub error_color {
     my ($message, $color) = @_;
 
-    # Use colors when writing to a terminal.
-    if (-t STDOUT) {
+    if ($option_color) {
         return Term::ANSIColor::colored($message, $color);
     } else {
         return $message;
@@ -117,7 +240,7 @@ sub any_flags_used {
     my ($line, @flags) = @_;
 
     foreach my $flag (@flags) {
-        return 1 if $line =~ /\s$flag(?:\s|\\|$)/;
+        return 1 if $line =~ /\s$flag(?:\s|\\)/;
     }
 
     return 0;
@@ -127,14 +250,12 @@ sub all_flags_used {
 
     my @missing_flags = ();
     foreach my $flag (@flags) {
-        if ($line !~ /\s$flag(?:\s|\\|$)/) {
+        if ($line !~ /\s$flag(?:\s|\\)/) {
             push @missing_flags, $flag;
         }
     }
 
-    if (scalar @missing_flags == 0) {
-        return 1;
-    }
+    return 1 if scalar @missing_flags == 0;
 
     @{$missing_flags_ref} = @missing_flags;
     return 0;
@@ -166,7 +287,7 @@ sub is_non_verbose_build {
     my ($line, $next_line, $skip_ref) = @_;
 
     if (not ($line =~ /^checking if you want to see long compiling messages\.\.\. no/
-                or $line =~ /^\s*(?:CC|CCLD)\s+(.+?)$/
+                or $line =~ /^\s*\[?(?:CC|CCLD|CXX|CXXLD|LD|LINK)\]?\s+(.+?)$/
                 or $line =~ /^\s*(?:C|c)ompiling\s+(.+?)(?:\.\.\.)?$/
                 or $line =~ /^\s*(?:B|b)uilding (?:program|shared library)\s+(.+?)$/
                 or $line =~ /^\s*\[[\d ]+%\] Building (?:C|CXX) object (.+?)$/)) {
@@ -190,7 +311,7 @@ sub is_non_verbose_build {
         $file =~ m{/([a-zA-Z0-9._-]+)$};
         $file = $1;
 
-        if ($next_line =~ /\Q$file\E/ and $next_line =~ /$cc_regex/) {
+        if ($next_line =~ /\Q$file\E/ and $next_line =~ /$cc_regex/o) {
             # We still have to skip the current line as it doesn't contain any
             # compiler commands.
             ${$skip_ref} = 1;
@@ -201,6 +322,19 @@ sub is_non_verbose_build {
     return 1;
 }
 
+sub extension_found {
+    my ($extensions_ref, @extensions) = @_;
+
+    my $found = 0;
+    foreach my $extension (@extensions) {
+        if (exists $extensions_ref->{$extension}) {
+            $found = 1;
+            last;
+        }
+    }
+    return $found;
+}
+
 
 # MAIN
 
@@ -217,6 +351,8 @@ my $option_help    = 0;
 my $option_version = 0;
 my $option_all     = 0;
 my $option_arch    = undef;
+my $option_buildd  = 0;
+   $option_color   = 0;
 if (not Getopt::Long::GetOptions(
             'help|h|?' => \$option_help,
             'version'  => \$option_version,
@@ -225,7 +361,9 @@ if (not Getopt::Long::GetOptions(
             'bindnow'  => \$harden_bindnow,
             'all'      => \$option_all,
             # Misc.
-            'arch'     => \$option_arch,
+            'color'    => \$option_color,
+            'arch=s'   => \$option_arch,
+            'buildd'   => \$option_buildd,
         )) {
     require Pod::Usage;
     Pod::Usage::pod2usage(2);
@@ -266,11 +404,44 @@ my @input = ();
 
 my $start = 0;
 my $continuation = 0;
+my $complete_line = undef;
 while (my $line = <>) {
-    # We skip over unimportant lines at the beginning to prevent false
-    # positives.
+    # dpkg-buildflags only provides hardening flags since 1.16.1, don't check
+    # for hardening flags in buildd mode if an older dpkg-dev is used. Default
+    # flags (-g -O2) are still checked.
+    #
+    # Packages which were built before 1.16.1 but used their own hardening
+    # flags are not checked.
+    if ($option_buildd and not $start
+            and $line =~ /^Toolchain package versions: /) {
+        require Dpkg::Version;
+        if ($line !~ /dpkg-dev_(\S+)/
+                or Dpkg::Version::version_compare($1, '1.16.1') < 0) {
+            $harden_format  = 0;
+            $harden_fortify = 0;
+            $harden_stack   = 0;
+            $harden_relro   = 0;
+            $harden_bindnow = 0;
+            $harden_pie     = 0;
+        }
+    }
+
+    # If hardening wrapper is used (wraps calls to gcc and adds hardening
+    # flags automatically) we can't perform any checks, abort.
+    if (not $start and $line =~ /^Build-Depends: .*\bhardening-wrapper\b/) {
+        error_hardening_wrapper();
+        $exit |= 1 << 4;
+        exit $exit;
+    }
+
+    # We skip over unimportant lines at the beginning of the log to prevent
+    # false positives.
     $start = 1 if $line =~ /^dpkg-buildpackage:/;
     next if not $start;
+    # And stop at the end of the build log. Package details (reported by the
+    # buildd logs) are not important for us. This also prevents false
+    # positives.
+    last if $line =~ /^Build finished at \d{8}-\d{4}$/;
 
     # Detect architecture automatically unless overridden.
     if (not $option_arch
@@ -279,43 +450,85 @@ while (my $line = <>) {
     }
 
     # Ignore compiler warnings for now.
-    next if $line =~ /$warning_regex/;
+    next if $line =~ /$warning_regex/o;
+
+    if ($line =~ /\033/) { # esc
+        # Remove all ANSI color sequences which are sometimes used in
+        # non-verbose builds.
+        $line = Term::ANSIColor::colorstrip($line);
+        # Also strip '\0xf' (delete previous character), used by Elinks' build
+        # system.
+        $line =~ s/\x0f//g;
+        # And "ESC(B" which seems to be used on armhf and hurd (not sure what
+        # it does).
+        $line =~ s/\033\(B//g;
+    }
 
     # Check if this line indicates a non verbose build.
     my $non_verbose = is_non_verbose_build($line);
 
     # One line may contain multiple commands (";"). Treat each one as single
-    # line.
-    my @line = split /(?<!\\);/, $line;
+    # line. parse_line() is slow, only use it when necessary.
+    my @line = (not $line =~ /;/)
+             ? ($line)
+             : map {
+                   # Ensure newline at the line end - necessary for correct
+                   # parsing later.
+                   $_ =~ s/\s+$//;
+                   $_ .= "\n";
+               } Text::ParseWords::parse_line(';', 1, $line);
     foreach $line (@line) {
-        # Add newline, drop all other whitespace at the end of a line.
-        $line =~ s/\s+$//;
-        $line .= "\n";
-
         if ($continuation) {
             $continuation = 0;
 
             # Join lines, but leave the "\" in place so it's clear where the
             # original line break was.
-            chomp $input[-1];
-            $input[-1] .= ' ' . $line;
+            chomp $complete_line;
+            $complete_line .= ' ' . $line;
+        }
+        # Line continuation, line ends with "\".
+        if ($line =~ /\\\s*$/) {
+            $continuation = 1;
+            # Start line continuation.
+            if (not defined $complete_line) {
+                $complete_line = $line;
+            }
+            next;
+        }
+
+        if (not $continuation) {
+            # Use the complete line if a line continuation occurred.
+            if (defined $complete_line) {
+                $line = $complete_line;
+                $complete_line = undef;
+            }
 
-        } else {
             # Ignore lines with no compiler commands.
-            next if $line !~ /\b$cc_regex(?:\s|\\)/ and not $non_verbose;
+            next if $line !~ /\b$cc_regex(?:\s|\\)/o and not $non_verbose;
 
             # Ignore false positives.
             #
             # `./configure` output.
-            next if not $non_verbose and $line =~ /^checking /;
+            next if not $non_verbose
+                    and $line =~ /^(?:checking|(?:C|c)onfigure:) /;
+            next if $line =~ /^\s*(?:Host\s+)?(?:C\s+)?
+                               (?:C|c)ompiler[\s.]*:?\s+
+                               $cc_regex
+                               (?:\s-std=[a-z0-9:+]+)?\s*$
+                             /xo
+                    or $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex\s*$/o
+                    or $line =~ /^\s*-- Check for working (?:C|CXX) compiler: /
+                    or $line =~ /^\s*(?:echo )?Using [A-Z_]+\s*=\s*/;
+            # `make` output.
+            next if $line =~ /^Making [a-z]+ in \S+/; # e.g. "[...] in c++"
+
+            # Check if additional hardening options were used. Used to ensure
+            # they are used for the complete build.
+            $harden_pie     = 1 if any_flags_used($line, @cflags_pie, @ldflags_pie);
+            $harden_bindnow = 1 if any_flags_used($line, @ldflags_bindnow);
 
             push @input, $line;
         }
-
-        # Line continuation, line ends with "\".
-        if ($line =~ /\\\s*$/) {
-            $continuation = 1;
-        }
     }
 }
 
@@ -346,27 +559,24 @@ if ($option_arch) {
     }
 }
 
-# Check if additional hardening options were used. Used to ensure they are
-# used for the complete build.
-foreach my $line (@input) {
-    $harden_pie     = 1 if any_flags_used($line, @cflags_pie, @ldflags_pie);
-    $harden_bindnow = 1 if any_flags_used($line, @ldflags_bindnow);
-}
-
 # Check the specified hardening options, same order as dpkg-buildflags.
 if ($harden_pie) {
-    @cflags  = (@cflags,  @cflags_pie);
-    @ldflags = (@ldflags, @ldflags_pie);
+    @cflags   = (@cflags,   @cflags_pie);
+    @cxxflags = (@cxxflags, @cflags_pie);
+    @ldflags  = (@ldflags,  @ldflags_pie);
 }
 if ($harden_stack) {
-    @cflags = (@cflags, @cflags_stack);
+    @cflags   = (@cflags,   @cflags_stack);
+    @cxxflags = (@cxxflags, @cflags_stack);
 }
 if ($harden_fortify) {
     @cflags   = (@cflags,   @cflags_fortify);
+    @cxxflags = (@cxxflags, @cflags_fortify);
     @cppflags = (@cppflags, @cppflags_fortify);
 }
 if ($harden_format) {
-    @cflags = (@cflags, @cflags_format);
+    @cflags   = (@cflags,   @cflags_format);
+    @cxxflags = (@cxxflags, @cflags_format);
 }
 if ($harden_relro) {
     @ldflags = (@ldflags, @ldflags_relro);
@@ -387,55 +597,96 @@ for (my $i = 0; $i < scalar @input; $i++) {
     # Even if it's a verbose build, we might have to skip this line.
     next if $skip;
 
-    # Ignore false positives.
-    #
-    # ./configure summary.
-    next if $line =~ /^\s*(?:C|c)ompiler[\s.]*:\s+$cc_regex(?:\s-std=[a-z0-9:+]+)?\s*$/
-            or $line =~ /^\s*- (?:CC|CXX)\s*=\s*$cc_regex\s*$/
-            or $line =~ /^\s*-- Check for working (?:C|CXX) compiler: /;
-
-    # Is this a compiler or linker command?
-    my $compiler = 1;
-    my $linker   = 0;
-
-    # Linker commands.
-    if ($line =~ m{\s-o                        # -o
-                   [\s\\]*\s+                  # possible line continuation
-                   (?:[/.A-Za-z0-9~_-]+/)?     # path to file
-                        [A-Za-z0-9~_-]+        # binary name (no dots!)
-                   (?:[0-9.]*\.so[0-9.]*[a-z]? # library (including version)
-                    |\.la)?
-                   (?:\s|\\|$)                 # end of file name
-                  }x
-            or $line =~ /^libtool: link: /
-            or $line =~ m{\s*/bin/bash .+?libtool\s+(.+?\s+)?--mode=(re)?link}) {
-        $compiler = 0;
-        $linker   = 1;
+    # Remove everything until and including the compiler command. Makes checks
+    # easier and faster.
+    $line =~ s/^.*?$cc_regex//o;
+
+    # Skip unnecessary tests when only preprocessing.
+    my $flag_preprocess = 0;
+
+    my $preprocess = 0;
+    my $compile    = 0;
+    my $link       = 0;
+
+    # Preprocess, compile, assemble.
+    if ($line =~ /\s(-E|-S|-c)\b/) {
+        $preprocess      = 1;
+        $flag_preprocess = 1 if $1 eq '-E';
+        $compile         = 1 if $1 eq '-S' or $1 eq '-c';
+    # Otherwise assume we are linking.
+    } else {
+        $link = 1;
+    }
+
+    # Get all file extensions on this line.
+    my @extensions = $line =~ /$file_extension_regex/go;
+    # Ignore all unknown extensions to speedup the search below.
+    @extensions = grep { exists $extension{$_} } @extensions;
+
+    # These file types don't require preprocessing.
+    if (extension_found(\%extensions_no_preprocess, @extensions)) {
+        $preprocess = 0;
+    }
+    # These file types require preprocessing.
+    if (extension_found(\%extensions_preprocess, @extensions)) {
+        $preprocess = 1;
     }
 
     # If there are source files then it's compiling/linking in one step and we
-    # must check both.
-    if ($line =~ /\.(?:c|cc|cpp)\b/) {
-        $compiler = 1;
+    # must check both. We only check for source files here, because header
+    # files cause too many false positives.
+    if (not $flag_preprocess
+            and extension_found(\%extensions_compile_link, @extensions)) {
+        # Assembly files don't need CFLAGS.
+        if (not extension_found(\%extensions_compile, @extensions)
+                and extension_found(\%extensions_no_compile, @extensions)) {
+            $compile = 0;
+        # But the rest does.
+        } else {
+            $compile = 1;
+        }
+    }
+
+    # Assume CXXFLAGS are required when a C++ file is specified in the
+    # compiler line.
+    my $compile_cpp = 0;
+    if ($compile
+            and extension_found(\%extensions_compile_cpp, @extensions)) {
+        $compile     = 0;
+        $compile_cpp = 1;
     }
 
     # Check hardening flags.
     my @missing;
-    if ($compiler and not all_flags_used($line, \@missing, @cflags)
+    if ($compile and not all_flags_used($line, \@missing, @cflags)
             # Libraries linked with -fPIC don't have to (and can't) be linked
             # with -fPIE as well. It's no error if only PIE flags are missing.
-            and not pic_pie_conflict($line, $harden_pie, \@missing, @cflags_pie)) {
-        error_flags('CFLAGS missing', \@missing, \%flag_renames, $line);
+            and not pic_pie_conflict($line, $harden_pie, \@missing, @cflags_pie)
+            # Assume dpkg-buildflags returns the correct flags.
+            and not $line =~ /`dpkg-buildflags --get CFLAGS`/) {
+        error_flags('CFLAGS missing', \@missing, \%flag_renames, $input[$i]);
+        $exit |= 1 << 3;
+    } elsif ($compile_cpp and not all_flags_used($line, \@missing, @cflags)
+            # Libraries linked with -fPIC don't have to (and can't) be linked
+            # with -fPIE as well. It's no error if only PIE flags are missing.
+            and not pic_pie_conflict($line, $harden_pie, \@missing, @cflags_pie)
+            # Assume dpkg-buildflags returns the correct flags.
+            and not $line =~ /`dpkg-buildflags --get CXXFLAGS`/) {
+        error_flags('CXXFLAGS missing', \@missing, \%flag_renames, $input[$i]);
         $exit |= 1 << 3;
     }
-    if ($compiler and not all_flags_used($line, \@missing, @cppflags)) {
-        error_flags('CPPFLAGS missing', \@missing, \%flag_renames, $line);
+    if ($preprocess and not all_flags_used($line, \@missing, @cppflags)
+            # Assume dpkg-buildflags returns the correct flags.
+            and not $line =~ /`dpkg-buildflags --get CPPFLAGS`/) {
+        error_flags('CPPFLAGS missing', \@missing, \%flag_renames, $input[$i]);
         $exit |= 1 << 3;
     }
-    if ($linker and not all_flags_used($line, \@missing, @ldflags)
+    if ($link and not all_flags_used($line, \@missing, @ldflags)
             # Same here, -fPIC conflicts with -fPIE.
-            and not pic_pie_conflict($line, $harden_pie, \@missing, @ldflags_pie)) {
-        error_flags('LDFLAGS missing', \@missing, \%flag_renames, $line);
+            and not pic_pie_conflict($line, $harden_pie, \@missing, @ldflags_pie)
+            # Assume dpkg-buildflags returns the correct flags.
+            and not $line =~ /`dpkg-buildflags --get LDFLAGS`/) {
+        error_flags('LDFLAGS missing', \@missing, \%flag_renames, $input[$i]);
         $exit |= 1 << 3;
     }
 }
@@ -451,16 +702,16 @@ blhc - build log hardening check, checks build logs for missing hardening flags
 
 =head1 SYNOPSIS
 
-B<blhc> [-h -? --help]
-
-B<blhc> [--pie] [--bindnow] [--all]
+B<blhc> [options] <dpkg-buildpackage build log file>
 
-    --help                  available options
-    --version               version number and license
-    --pie                   force +pie check
-    --bindnow               force +bindbow check
     --all                   force +all (+pie, +bindnow) check
     --arch                  set architecture (autodetected)
+    --bindnow               force +bindbow check
+    --buildd                parser mode for buildds
+    --color                 use colored output
+    --pie                   force +pie check
+    --help                  available options
+    --version               version number and license
 
 =head1 DESCRIPTION
 
@@ -471,44 +722,63 @@ other important warnings. It's licensed under the GPL 3 or later.
 
 =over 8
 
-=item B<-h -? --help>
-
-Print available options.
-
-=item B<--version>
+=item B<--all>
 
-Print version number and license.
+Force check for all +all (+pie, +bindnow) hardening flags. By default it's
+auto detected.
 
-=item B<--pie>
+=item B<--arch>
 
-Force check for all +pie hardening flags. By default it's auto detected.
+Set the specific architecture (e.g. amd64, armel, etc.), automatically
+disables hardening flags not available on this architecture. Is detected
+automatically if dpkg-buildpackage is used.
 
 =item B<--bindnow>
 
 Force check for all +bindnow hardening flags. By default it's auto detected.
 
-=item B<--all>
+=item B<--buildd>
 
-Force check for all +all (+pie, +bindnow) hardening flags. By default it's
-auto detected.
+Special mode for buildds when automatically parsing log files. The following
+changes are in effect:
 
-=item B<--arch>
+=over 2
 
-Set the specific architecture (e.g. amd64, armel, etc.), automatically
-disables hardening flags not available on this architecture. Is detected
-automatically if dpkg-buildpackage is used.
+=item
+
+Don't check hardening flags in old log files (if dpkg-dev << 1.16.1 is
+detected).
+
+=back
+
+=item B<--color>
+
+Use colored (ANSI) output for warning messages.
+
+=item B<--pie>
+
+Force check for all +pie hardening flags. By default it's auto detected.
+
+=item B<-h -? --help>
+
+Print available options.
+
+=item B<--version>
+
+Print version number and license.
 
 =back
 
-Auto detection only works if at least one command uses the required hardening
-flag (e.g. -fPIE). Then it's required for all other commands as well.
+Auto detection for B<--pie> and B<--bindnow> only works if at least one
+command uses the required hardening flag (e.g. -fPIE). Then it's required for
+all other commands as well.
 
 =head1 EXIT STATUS
 
 The exit status is a "bit mask", each listed status is ORed when the error
 condition occurs to get the result.
 
-=over 8
+=over 4
 
 =item B<0>
 
@@ -530,6 +800,10 @@ Non verbose build.
 
 Missing hardening flags.
 
+=item B<16>
+
+Hardening wrapper detected, no tests performed.
+
 =back
 
 =head1 AUTHOR