X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=bin%2Fblhc;h=71c97cef5bda0e31a5282160557c2e769898e520;hb=ac8118289ece66a515f2602928242d9179401fbb;hp=666c2afc207ddbb6bbacb4d997c107d9306a0df9;hpb=5d47f4a04c4a45b6cacca330725539822b99a276;p=blhc%2Fblhc.git

diff --git a/bin/blhc b/bin/blhc
index 666c2af..71c97ce 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -32,7 +32,7 @@ our $VERSION = '0.01';
 
 # Regex to catch compiler commands.
 my $cc_regex = qr/(?:[a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?-)?
-                  (?:(?<!\.)cc|gcc|g\+\+|c\+\+)
+                  (?<!\.)(?:cc|gcc|g\+\+|c\+\+)
                   (?:-[\d.]+)?/x;
 # Regex to catch (GCC) compiler warnings.
 my $warning_regex = qr/^(.+?):([0-9]+):[0-9]+: warning: (.+?) \[(.+?)\]$/;
@@ -154,6 +154,9 @@ my %flag_renames = (
     '-Wl,(-z,)?now'   => '-Wl,-z,now',
 );
 
+# Use colored (ANSI) output?
+my $option_color;
+
 
 # FUNCTIONS
 
@@ -189,8 +192,7 @@ sub error_hardening_wrapper {
 sub error_color {
     my ($message, $color) = @_;
 
-    # Use colors when writing to a terminal.
-    if (-t STDOUT) {
+    if ($option_color) {
         return Term::ANSIColor::colored($message, $color);
     } else {
         return $message;
@@ -300,6 +302,7 @@ my $option_version = 0;
 my $option_all     = 0;
 my $option_arch    = undef;
 my $option_buildd  = 0;
+   $option_color   = 0;
 if (not Getopt::Long::GetOptions(
             'help|h|?' => \$option_help,
             'version'  => \$option_version,
@@ -308,7 +311,8 @@ if (not Getopt::Long::GetOptions(
             'bindnow'  => \$harden_bindnow,
             'all'      => \$option_all,
             # Misc.
-            'arch'     => \$option_arch,
+            'color'    => \$option_color,
+            'arch=s'   => \$option_arch,
             'buildd'   => \$option_buildd,
         )) {
     require Pod::Usage;
@@ -452,7 +456,8 @@ while (my $line = <>) {
             # Ignore false positives.
             #
             # `./configure` output.
-            next if not $non_verbose and $line =~ /^checking /;
+            next if not $non_verbose
+                    and $line =~ /^(?:checking|(?:C|c)onfigure:) /;
             next if $line =~ /^\s*(?:Host\s+)?(?:C\s+)?
                                (?:C|c)ompiler[\s.]*:?\s+
                                $cc_regex
@@ -461,9 +466,8 @@ while (my $line = <>) {
                     or $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex\s*$/
                     or $line =~ /^\s*-- Check for working (?:C|CXX) compiler: /
                     or $line =~ /^\s*(?:echo )?Using [A-Z_]+\s*=\s*/;
-            # Debian buildd output.
-            next if $line =~ /^\s*Depends: .*?$cc_regex.*?$/
-                    and $line !~ /\s-./; # option, prevent false negatives
+            # `make` output.
+            next if $line =~ /^Making [a-z]+ in \S+/; # e.g. "[...] in c++"
 
             # Check if additional hardening options were used. Used to ensure
             # they are used for the complete build.
@@ -614,17 +618,16 @@ blhc - build log hardening check, checks build logs for missing hardening flags
 
 =head1 SYNOPSIS
 
-B<blhc> [-h -? --help]
-
-B<blhc> [--pie] [--bindnow] [--all]
+B<blhc> [options] <dpkg-buildpackage build log file>
 
-    --help                  available options
-    --version               version number and license
-    --pie                   force +pie check
-    --bindnow               force +bindbow check
     --all                   force +all (+pie, +bindnow) check
     --arch                  set architecture (autodetected)
+    --bindnow               force +bindbow check
     --buildd                parser mode for buildds
+    --color                 use colored output
+    --pie                   force +pie check
+    --help                  available options
+    --version               version number and license
 
 =head1 DESCRIPTION
 
@@ -635,22 +638,6 @@ other important warnings. It's licensed under the GPL 3 or later.
 
 =over 8
 
-=item B<-h -? --help>
-
-Print available options.
-
-=item B<--version>
-
-Print version number and license.
-
-=item B<--pie>
-
-Force check for all +pie hardening flags. By default it's auto detected.
-
-=item B<--bindnow>
-
-Force check for all +bindnow hardening flags. By default it's auto detected.
-
 =item B<--all>
 
 Force check for all +all (+pie, +bindnow) hardening flags. By default it's
@@ -662,6 +649,10 @@ Set the specific architecture (e.g. amd64, armel, etc.), automatically
 disables hardening flags not available on this architecture. Is detected
 automatically if dpkg-buildpackage is used.
 
+=item B<--bindnow>
+
+Force check for all +bindnow hardening flags. By default it's auto detected.
+
 =item B<--buildd>
 
 Special mode for buildds when automatically parsing log files. The following
@@ -676,6 +667,22 @@ detected).
 
 =back
 
+=item B<--color>
+
+Use colored (ANSI) output for warning messages.
+
+=item B<--pie>
+
+Force check for all +pie hardening flags. By default it's auto detected.
+
+=item B<-h -? --help>
+
+Print available options.
+
+=item B<--version>
+
+Print version number and license.
+
 =back
 
 Auto detection for B<--pie> and B<--bindnow> only works if at least one
@@ -687,7 +694,7 @@ all other commands as well.
 The exit status is a "bit mask", each listed status is ORed when the error
 condition occurs to get the result.
 
-=over 8
+=over 4
 
 =item B<0>