X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=bin%2Fblhc;h=997093b2591b2ee30d45ef8f601de2aacb6c9145;hb=c71bb2f5637f5a0975740b1b1cbb069c8549ead4;hp=3611c6de4c3980fa743b201be179484705559590;hpb=79d3a9eaaffbb1c593adf715fa5055a4a91ed0af;p=blhc%2Fblhc.git
diff --git a/bin/blhc b/bin/blhc
index 3611c6d..997093b 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -2,7 +2,7 @@
 # Build log hardening check, checks build logs for missing hardening flags.
-# Copyright (C) 2012-2020 Simon Ruderich
+# Copyright (C) 2012-2022 Simon Ruderich
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -24,7 +24,7 @@ use warnings;
 use Getopt::Long ();
 use Text::ParseWords ();
-our $VERSION = '0.12';
+our $VERSION = '0.13';
 # CONSTANTS/VARIABLES
@@ -616,7 +616,7 @@ sub compile_flag_regexp {
 my @result = ();
 foreach my $flag (@flags) {
 # Compile flag regexp for faster execution.
- my $regex = qr/\s$flag(?:\s|\\)/;
+ my $regex = qr/\s(['"]?)$flag\1(?:\s|\\)/;
 # Store flag name in replacement string for correct flags in messages
 # with qr//ed flag regexps.
@@ -690,7 +690,7 @@ if ($option_help) {
 }
 if ($option_version) {
 print <<"EOF";
-blhc $VERSION Copyright (C) 2012-2020 Simon Ruderich
+blhc $VERSION Copyright (C) 2012-2022 Simon Ruderich
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
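Review bot: The quote handling added to `compile_flag_regexp` relies on an absolute backreference, `\1`, inside a `qr//` that is stored and matched elsewhere; Perl does not renumber backreferences when a compiled regex is interpolated into a larger pattern, so if any caller builds something like `/(...)$regex/` the `\1` would refer to that outer group instead of the quote (the call sites are outside this hunk, so this may or may not apply today). An alternation avoids both the backreference and the new capture group, which otherwise shifts `$1`-style numbering for any caller that inspects captures: `my $regex = qr/\s(?:$flag|'$flag'|"$flag")(?:\s|\\)/;`. In either form the comment above the line only mentions speed; I would extend it with `# Flags may also appear wrapped in matching single or double quotes.`. The rest of compile_flag_regexp continues outside the hunk.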
@@ -1022,9 +1022,29 @@ foreach my $file (@ARGV) {
 $complete_line = undef;
 }
+ my $noenv = $line;
+ # Strip (basic) environment variables for compiler detection. This
+ # prevents false positives when environment variables contain
+ # compiler binaries. Nested quotes, command substitution, etc. is
+ # not supported.
+ $noenv =~ s/^
+ \s*
+ (?:
+ [a-zA-Z_]+ # environment variable name
+ =
+ (?:
+ [^\s"'\$`\\]+ # non-quoted string
+ |
+ '[^"'\$`\\]*' # single-quoted string
+ |
+ "[^"'\$`\\]*" # double-quoted string
+ )
+ \s+
+ )*
+ //x;
 # Ignore lines with no compiler commands.
 next if not $non_verbose
- and not $line =~ /$cc_regex_normal/o;
+ and not $noenv =~ /$cc_regex_normal/o;
 # Ignore lines with no filenames with extensions. May miss some
 # non-verbose builds (e.g. "gcc -o test" [sic!]), but shouldn't be
 # a problem as the log will most likely contain other non-verbose
@@ -1056,7 +1076,7 @@ foreach my $file (@ARGV) {
 # C++ files. No hardening flags are relevant during this step,
 # thus ignore `moc-qt*` lines. The resulting files will be
 # compiled in a separate step (and therefore checked).
- next if $line =~ m{^\S+/bin/moc(?:-qt[45])?
+ next if $line =~ m{^\S+(?:/bin/moc(?:-qt[45])?|/lib/qt6/libexec/moc)
 \s.+\s
 -I\S+/mkspecs/[a-z]+-g\++(?:-64)?
 \s}x;
@@ -1087,6 +1107,8 @@ foreach my $file (@ARGV) {
 next if $line =~ /^C\+\+ linker for the host machine: /;
 # Embedded `gcc -print-*` commands
 next if $line =~ /`$cc_regex_normal\s*[^`]*-print-\S+`/;
+ # cmake checking for compiler flags without setting CPPFLAGS
+ next if $line =~ m{^\s*/usr/(bin|lib)/(ccache/)?c\+\+ -dM -E -c /usr/share/cmake-\S+/Modules/CMakeCXXCompilerABI\.cpp};
 # Check if additional hardening options were used. Used to ensure
 # they are used for the complete build.
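Review bot: The variable-name class `[a-zA-Z_]+` in the new environment-stripping substitution rejects digits, which shells allow after the first character of a name, so an assignment such as `CC2=gcc` (constructed example) is left in `$noenv` and still trips the compiler detection this change is meant to quiet. Changing the name part to `[a-zA-Z_][a-zA-Z0-9_]*` closes that gap without widening what is stripped. As far as this hunk shows, only the detection `next if` reads `$noenv` while `$line` is left intact, so the stripping cannot suppress a later flag check on the full line, which is the right split. The enclosing `foreach` body starts and ends outside the hunk.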
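Review bot: The comment above the changed moc `next if` still describes the skip as "thus ignore `moc-qt*` lines" although the pattern now also matches the Qt 6 `/lib/qt6/libexec/moc` invocation; I would extend that sentence to mention the Qt 6 libexec moc path as well so a reader of the comment is not surprised by the second alternative. The alternation itself stays narrow because the rest of the pattern, with the `-I\S+/mkspecs/...` part, still ties the skip to moc runs, which matters since every skip here is an exemption from the hardening check.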
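Review bot: The two capturing groups in the new cmake skip pattern, `(bin|lib)` and `(ccache/)?`, are never read (the match only feeds `next`), so they should be non-capturing: `next if $line =~ m{^\s*/usr/(?:bin|lib)/(?:ccache/)?c\+\+ -dM -E -c /usr/share/cmake-\S+/Modules/CMakeCXXCompilerABI\.cpp};`. The pattern is appropriately narrow for an exemption from the hardening check because it is pinned to cmake's own ABI probe source; if the same false positive appears for cmake's C probe (`CMakeCCompilerABI.c`, compiled by the C compiler), it deserves its own equally specific line rather than a loosened pattern. The line is also far longer than the other patterns in these hunks; the neighbouring moc pattern shows the `m{...}x` multi-line form that would fit here.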
@@ -1550,6 +1572,9 @@ you find false positives which affect more packages please report a bug.
 To generate this string simply use echo in C; make sure to use @ to suppress the echo command itself as it could also trigger a false positive.
+If the build process takes a long time edit the C<.build> file in place and
+tweak the ignore string until B no longer
+reports any false positives.
 =head1 OPTIONS
@@ -1796,7 +1821,7 @@ Ejari.aalto@cante.netE for their valuable input and suggestions.
 =head1 LICENSE AND COPYRIGHT
-Copyright (C) 2012-2020 by Simon Ruderich
+Copyright (C) 2012-2022 by Simon Ruderich
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by