[blhc/blhc.git] / bin / blhc

#!/usr/bin/perl

# Build log hardening check, checks build logs for missing hardening flags.

# Copyright (C) 2012  Simon Ruderich
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.


use strict;
use warnings;

use Getopt::Long ();
use Text::ParseWords ();

our $VERSION = '0.03';


# CONSTANTS/VARIABLES

# Regex to catch compiler commands.
my $cc_regex = qr/
    (?<!\s-)               # ignore options, e.g. "-c++" [sic!] (used by swig)
    (?<!\.)                # ignore file names, e.g. "test.gcc"
    (?:cc|gcc|g\+\+|c\+\+)
    (?:-[\d.]+)?           # version suffix, e.g. "gcc-4.6"
    /x;
# Full regex which matches the complete compiler name. Used in a few places to
# prevent false negatives.
my $cc_regex_full = qr/
    (?:[a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?-)?
    $cc_regex
    /x;
# Regex to check if a line contains a compiler command.
my $cc_regex_normal = qr/
    \b$cc_regex(?:\s|\\)
    /x;
# Regex to catch (GCC) compiler warnings.
my $warning_regex = qr/^(.+?):(\d+):\d+: warning: (.+?) \[(.+?)\]$/;

# List of source file extensions which require preprocessing.
my @source_preprocess_compile_cpp = (
    # C++
    qw( cc cp cxx cpp CPP c++ C ),
    # Objective-C++
    qw( mm M ),
);
my @source_preprocess_compile = (
    # C
    qw( c ),
    # Objective-C
    qw( m ),
    # (Objective-)C++
    @source_preprocess_compile_cpp,
    # Fortran
    qw( F FOR fpp FPP FTN F90 F95 F03 F08 ),
);
my @source_preprocess_no_compile = (
    # Assembly
    qw( S sx ),
);
my @source_preprocess = (
    @source_preprocess_compile,
    @source_preprocess_no_compile,
);
# List of source file extensions which don't require preprocessing.
my @source_no_preprocess_compile_cpp = (
    # C++
    qw( ii ),
    # Objective-C++
    qw( mii ),
);
my @source_no_preprocess_compile = (
    # C
    qw( i ),
    # (Objective-)C++
    @source_no_preprocess_compile_cpp,
    # Objective-C
    qw( mi ),
    # Fortran
    qw( f for ftn f90 f95 f03 f08 ),
    # Ada body
    qw( adb ),
);
my @source_no_preprocess_no_compile = (
    # Assembly
    qw( s ),
    # Ada specification
    qw( ads ),
);
my @source_no_preprocess = (
    @source_no_preprocess_compile,
    @source_no_preprocess_no_compile,
);
# List of header file extensions which require preprocessing.
my @header_preprocess = (
    # C, C++, Objective-C, Objective-C++
    qw( h ),
    # C++
    qw( hh H hp hxx hpp HPP h++ tcc ),
);
# Object files.
my @object = (
    # Normal object files.
    qw ( o ),
    # Libtool object files.
    qw ( lo la ),
    # Dynamic libraries. bzip2 uses .sho.
    qw ( so sho ),
    # Static libraries.
    qw ( a ),
);

# Hashes for fast extensions lookup to check if a file falls in one of these
# categories.
my %extensions_no_preprocess = map { $_ => 1 } (
    # There's no @header_no_preprocess.
    @source_no_preprocess,
);
my %extensions_preprocess = map { $_ => 1 } (
    @header_preprocess,
    @source_preprocess,
);
my %extensions_compile_link = map { $_ => 1 } (
    @source_preprocess,
    @source_no_preprocess,
);
my %extensions_compile = map { $_ => 1 } (
    @source_preprocess_compile,
    @source_no_preprocess_compile,
);
my %extensions_no_compile = map { $_ => 1 } (
    @source_preprocess_no_compile,
    @source_no_preprocess_no_compile,
);
my %extensions_compile_cpp = map { $_ => 1 } (
    @source_preprocess_compile_cpp,
    @source_no_preprocess_compile_cpp,
);
my %extensions_object = map { $_ => 1 } (
    @object,
);
my %extension = map { $_ => 1 } (
    @source_no_preprocess,
    @header_preprocess,
    @source_preprocess,
    @object,
);

# Regexp to match file extensions.
my $file_extension_regex = qr/
    \s
    \S+             # Filename without extension.
    \.
    ([^\/\\.,;:\s]+)# File extension.
    (?=\s|\\)       # At end of word. Can't use \b because some files have non
                    # word characters at the end and because \b matches double
                    # extensions (like .cpp.o). Works always as all lines are
                    # terminated with "\n".
    /x;

# Expected (hardening) flags. All flags are used as regexps.
my @def_cflags = (
    '-g',
    '-O(?:2|3)',
);
my @def_cflags_format = (
    '-Wformat',
    '-Werror=format-security', # implies -Wformat-security
);
my @def_cflags_fortify = (
    # fortify needs at least -O1, but -O2 is recommended anyway
);
my @def_cflags_stack = (
    '-fstack-protector',
    '--param=ssp-buffer-size=4',
);
my @def_cflags_pie = (
    '-fPIE',
);
my @def_cxxflags = (
    @def_cflags,
);
# @def_cxxflags_* is the same as @def_cflags_*.
my @def_cppflags = ();
my @def_cppflags_fortify = (
    '-D_FORTIFY_SOURCE=2', # must be first, see cppflags_fortify_broken()
    # If you add another flag fix hack below (search for "Hack to fix").
);
my @def_cppflags_fortify_bad = (
    # These flags may overwrite -D_FORTIFY_SOURCE=2.
    '-U_FORTIFY_SOURCE',
    '-D_FORTIFY_SOURCE=0',
    '-D_FORTIFY_SOURCE=1',
);
my @def_ldflags = ();
my @def_ldflags_relro = (
    '-Wl,(?:-z,)?relro',
);
my @def_ldflags_bindnow = (
    '-Wl,(?:-z,)?now',
);
my @def_ldflags_pie = (
    '-fPIE',
    '-pie',
);
my @def_ldflags_pic = (
    '-fPIC',
    '-fpic',
    '-shared',
);
# References to all flags checked by the flag checker.
my @flag_refs = (
    \@def_cflags,
    \@def_cflags_format,
    \@def_cflags_fortify,
    \@def_cflags_stack,
    \@def_cflags_pie,
    \@def_cxxflags,
    \@def_cppflags,
    \@def_cppflags_fortify,
    \@def_ldflags,
    \@def_ldflags_relro,
    \@def_ldflags_bindnow,
    \@def_ldflags_pie,
);
# References to all used flags.
my @flag_refs_all = (
    @flag_refs,
    \@def_cppflags_fortify_bad,
    \@def_ldflags_pic,
);
# Renaming rules for the output so the regex parts are not visible. Also
# stores string values of flag regexps above, see compile_flag_regexp().
my %flag_renames = (
    '-O(?:2|3)'         => '-O2',
    '-Wl,(?:-z,)?relro' => '-Wl,-z,relro',
    '-Wl,(?:-z,)?now'   => '-Wl,-z,now',
);

my %exit_code = (
    no_compiler_commands => 1 << 0,
    # used by POD::Usage => 1 << 1,
    non_verbose_build    => 1 << 2,
    flags_missing        => 1 << 3,
    hardening_wrapper    => 1 << 4,
    invalid_cmake        => 1 << 5,
);

my %buildd_tag = (
    no_compiler_commands => 'I-no-compiler-commands',
    non_verbose_build    => 'W-compiler-flags-hidden',
    flags_missing        => 'W-dpkg-buildflags-missing',
    hardening_wrapper    => 'I-hardening-wrapper-used',
    invalid_cmake        => 'I-invalid-cmake-used',
);

# Statistics of missing flags and non-verbose build commands. Used for
# $option_buildd.
my %statistics = (
    preprocess          => 0,
    preprocess_missing  => 0,
    compile             => 0,
    compile_missing     => 0,
    compile_cpp         => 0,
    compile_cpp_missing => 0,
    link                => 0,
    link_missing        => 0,
    commands            => 0,
    commands_nonverbose => 0,
);

# Use colored (ANSI) output?
my $option_color;


# FUNCTIONS

sub error_flags {
    my ($message, $missing_flags_ref, $flag_renames_ref, $line) = @_;

    # Get string value of qr//-escaped regexps and if requested rename them.
    my @missing_flags = map {
            $flag_renames_ref->{$_}
        } @{$missing_flags_ref};

    my $flags = join ' ', @missing_flags;
    printf '%s (%s)%s %s',
           error_color($message, 'red'), $flags, error_color(':', 'yellow'),
           $line;
}
sub error_non_verbose_build {
    my ($line) = @_;

    printf '%s%s %s',
           error_color('NONVERBOSE BUILD', 'red'),
           error_color(':', 'yellow'),
           $line;
}
sub error_invalid_cmake {
    my ($version) = @_;

    printf "%s%s %s\n",
            error_color('INVALID CMAKE', 'red'),
            error_color(':', 'yellow'),
            $version;
}
sub error_hardening_wrapper {
    printf "%s%s %s\n",
            error_color('HARDENING WRAPPER', 'red'),
            error_color(':', 'yellow'),
            'no checks possible, aborting';
}
sub error_color {
    my ($message, $color) = @_;

    if ($option_color) {
        return Term::ANSIColor::colored($message, $color);
    } else {
        return $message;
    }
}

sub any_flags_used {
    my ($line, @flags) = @_;

    foreach my $flag (@flags) {
        return 1 if $line =~ /$flag/;
    }

    return 0;
}
sub all_flags_used {
    my ($line, $missing_flags_ref, @flags) = @_;

    my @missing_flags = ();
    foreach my $flag (@flags) {
        if (not $line =~ /$flag/) {
            push @missing_flags, $flag;
        }
    }

    return 1 if scalar @missing_flags == 0;

    @{$missing_flags_ref} = @missing_flags;
    return 0;
}

sub cppflags_fortify_broken {
    my ($line, $missing_flags) = @_;

    # This doesn't take the position into account, but is a simple solution.
    # And if the build system tries to force -D_FORTIFY_SOURCE=0/1, something
    # is wrong anyway.

    if (any_flags_used($line, @def_cppflags_fortify_bad)) {
        # $def_cppflags_fortify[0] must be -D_FORTIFY_SOURCE=2!
        push @{$missing_flags}, $def_cppflags_fortify[0];
        return 1;
    }

    return 0;
}

# Modifies $missing_flags_ref array.
sub pic_pie_conflict {
    my ($line, $pie, $missing_flags_ref, @flags_pie) = @_;

    return 0 if not $pie;
    return 0 if not any_flags_used($line, @def_ldflags_pic);

    my %flags = map { $_ => 1 } @flags_pie;

    # Remove all PIE flags from @missing_flags as they are not required with
    # -fPIC.
    my @result = grep {
        not exists $flags{$_}
    } @{$missing_flags_ref};
    @{$missing_flags_ref} = @result;

    # We got a conflict when no flags are left, thus only PIE flags were
    # missing. If other flags were missing abort because the conflict is not
    # the problem.
    return scalar @result == 0;
}

sub is_non_verbose_build {
    my ($line, $next_line, $skip_ref) = @_;

    if (not (index($line, 'checking if you want to see long compiling messages... no') == 0
                or $line =~ /^\s*\[?(?:CC|CCLD|C\+\+|CXX|CXXLD|LD|LINK)\]?\s+(.+?)$/
                or $line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/
                or $line =~ /^\s*[Bb]uilding (?:program|shared library)\s+(.+?)$/
                or $line =~ /^\s*\[[\d ]+%\] Building (?:C|CXX) object (.+?)$/)) {
        return 0;
    }

    # False positives.
    #
    # C++ compiler setting.
    return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;
    # "Compiling" with no file name.
    if ($line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/) {
        # $file_extension_regex may need spaces around the filename.
        return 0 if not " $1 " =~ /$file_extension_regex/o;
    }

    my $file = $1;

    # On the first pass we only check if this line is verbose or not.
    return 1 if not defined $next_line;

    # Second pass, we have access to the next line.
    ${$skip_ref} = 0;

    # CMake and other build systems print the non-verbose messages also when
    # building verbose. If a compiler and the file name occurs in the next
    # line, treat it as verbose build.
    if (defined $file) {
        # Get filename, we can't use the complete path as only parts of it are
        # used in the real compiler command.
        $file =~ m{/([^/\s]+)$};
        $file = $1;

        if (index($next_line, $file) != -1 and $next_line =~ /$cc_regex/o) {
            # Not a non-verbose line, but we still have to skip the current line
            # as it doesn't contain any compiler commands.
            ${$skip_ref} = 1;
            return 0;
        }
    }

    return 1;
}

sub remove_flags {
    my ($flag_refs_ref, $flag_renames_ref, @flags) = @_;

    my %removes = map { $_ => 1 } @flags;
    foreach my $flags (@{$flag_refs_ref}) {
        @{$flags} = grep {
            # Flag found as string.
            not exists $removes{$_}
            # Flag found as string representation of regexp.
                and (not defined $flag_renames_ref->{$_}
                        or not exists $removes{$flag_renames_ref->{$_}})
        } @{$flags};
    }
}

sub compile_flag_regexp {
    my ($flag_renames_ref, @flags) = @_;

    my @result = ();
    foreach my $flag (@flags) {
        # Store flag name in replacement string for correct flags in messages
        # with qr//ed flag regexps.
        $flag_renames_ref->{qr/\s$flag(?:\s|\\)/}
            = (exists $flag_renames_ref->{$flag})
                ? $flag_renames_ref->{$flag}
                : $flag;

        # Compile flag regexp for faster execution.
        push @result, qr/\s$flag(?:\s|\\)/;
    }
    return @result;
}

sub extension_found {
    my ($extensions_ref, @extensions) = @_;

    my $found = 0;
    foreach my $extension (@extensions) {
        if (exists $extensions_ref->{$extension}) {
            $found = 1;
            last;
        }
    }
    return $found;
}


# MAIN

# Parse command line arguments.
my $option_help             = 0;
my $option_version          = 0;
my $option_pie              = 0;
my $option_bindnow          = 0;
my @option_ignore_arch      = ();
my @option_ignore_flag      = ();
my @option_ignore_arch_flag = ();
my @option_ignore_line      = ();
my @option_ignore_arch_line = ();
my $option_all              = 0;
my $option_arch             = undef;
my $option_buildd           = 0;
   $option_color            = 0;
if (not Getopt::Long::GetOptions(
            'help|h|?'           => \$option_help,
            'version'            => \$option_version,
            # Hardening options.
            'pie'                => \$option_pie,
            'bindnow'            => \$option_bindnow,
            'all'                => \$option_all,
            # Ignore.
            'ignore-arch=s'      => \@option_ignore_arch,
            'ignore-flag=s'      => \@option_ignore_flag,
            'ignore-arch-flag=s' => \@option_ignore_arch_flag,
            'ignore-line=s'      => \@option_ignore_line,
            'ignore-arch-line=s' => \@option_ignore_arch_line,
            # Misc.
            'color'              => \$option_color,
            'arch=s'             => \$option_arch,
            'buildd'             => \$option_buildd,
        )) {
    require Pod::Usage;
    Pod::Usage::pod2usage(2);
}
if ($option_help) {
    require Pod::Usage;
    Pod::Usage::pod2usage(1);
}
if ($option_version) {
    print "blhc $VERSION  Copyright (C) 2012  Simon Ruderich

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
";
    exit 0;
}

# Arguments missing.
if (scalar @ARGV == 0) {
    require Pod::Usage;
    Pod::Usage::pod2usage(2);
}

# Don't load Term::ANSIColor in buildd mode because Term::ANSIColor is not
# installed on Debian's buildds.
if (not $option_buildd) {
    require Term::ANSIColor;
}

if ($option_all) {
    $option_pie     = 1;
    $option_bindnow = 1;
}

# Precompiled ignores for faster lookup.
my %option_ignore_arch_flag = ();
my %option_ignore_arch_line = ();

# Strip flags which should be ignored.
if (scalar @option_ignore_flag > 0) {
    remove_flags(\@flag_refs, \%flag_renames, @option_ignore_flag);
}
# Same for arch specific ignore flags, but only prepare here.
if (scalar @option_ignore_arch_flag > 0) {
    foreach my $ignore (@option_ignore_arch_flag) {
        my ($ignore_arch, $ignore_flag) = split /:/, $ignore, 2;

        if (not $ignore_arch or not $ignore_flag) {
            printf STDERR 'Value "%s" invalid for option ignore-arch-flag '
                        . '("arch:flag" expected)' . "\n", $ignore;
            require Pod::Usage;
            Pod::Usage::pod2usage(2);
        }

        push @{$option_ignore_arch_flag{$ignore_arch}}, $ignore_flag;
    }
}

# Precompile all flag regexps. any_flags_used(), all_flags_used() get a lot
# faster with this.
foreach my $flags (@flag_refs_all) {
    @{$flags} = compile_flag_regexp(\%flag_renames, @{$flags});
}

# Precompile ignore line regexps, also anchor at beginning and end of line.
foreach my $ignore (@option_ignore_line) {
    $ignore = qr/^$ignore$/;
}
# Same for arch specific ignore lines.
if (scalar @option_ignore_arch_line > 0) {
    foreach my $ignore (@option_ignore_arch_line) {
        my ($ignore_arch, $ignore_line) = split /:/, $ignore, 2;

        if (not $ignore_arch or not $ignore_line) {
            printf STDERR 'Value "%s" invalid for option ignore-arch-line '
                        . '("arch:line" expected)' . "\n", $ignore;
            require Pod::Usage;
            Pod::Usage::pod2usage(2);
        }

        push @{$option_ignore_arch_line{$ignore_arch}}, qr/^$ignore_line$/;
    }
}

# Final exit code.
my $exit = 0;

FILE:
foreach my $file (@ARGV) {
    print "checking '$file'...\n" if scalar @ARGV > 1;

    -f $file or die "No such file: $file";

    open my $fh, '<', $file or die $!;

    # Architecture of this file.
    my $arch = $option_arch;

    # Hardening options. Not all architectures support all hardening options.
    my $harden_format  = 1;
    my $harden_fortify = 1;
    my $harden_stack   = 1;
    my $harden_relro   = 1;
    my $harden_bindnow = $option_bindnow; # defaults to 0
    my $harden_pie     = $option_pie;     # defaults to 0

    while (my $line = <$fh>) {
        # Detect architecture automatically unless overridden. For buildd logs
        # only, doesn't use the dpkg-buildpackage header. Necessary to ignore
        # build logs which aren't built (wrong architecture, build error,
        # etc.).
        if (not $arch and index($line, 'Architecture: ') == 0) {
            $arch = substr $line, 14, -1; # -1 to ignore '\n' at the end
        }

        # dpkg-buildflags only provides hardening flags since 1.16.1, don't
        # check for hardening flags in buildd mode if an older dpkg-dev is
        # used. Default flags (-g -O2) are still checked.
        #
        # Packages which were built before 1.16.1 but used their own hardening
        # flags are not checked.
        if ($option_buildd
                and index($line, 'Toolchain package versions: ') == 0) {
            require Dpkg::Version;
            if (not $line =~ /\bdpkg-dev_(\S+)/
                    or Dpkg::Version::version_compare($1, '1.16.1') < 0) {
                $harden_format  = 0;
                $harden_fortify = 0;
                $harden_stack   = 0;
                $harden_relro   = 0;
                $harden_bindnow = 0;
                $harden_pie     = 0;
            }
        }

        # The following two versions of CMake in Debian obeyed CPPFLAGS, but
        # this was later dropped because upstream rejected the patch. Thus
        # build logs with these versions will have fortify hardening flags
        # enabled, even though they may be not correctly set and are missing
        # when build with later CMake versions. Thanks to Aron Xu for letting
        # me know.
        if (index($line, 'Package versions: ') == 0
                and $line =~ /\bcmake_(\S+)/
                and ($1 eq '2.8.7-1' or $1 eq '2.8.7-2')) {
            if (not $option_buildd) {
                error_invalid_cmake($1);
                $exit |= $exit_code{invalid_cmake};
            } else {
                print "$buildd_tag{invalid_cmake}|$1|\n";
            }
        }

        # If hardening wrapper is used (wraps calls to gcc and adds hardening
        # flags automatically) we can't perform any checks, abort.
        if (index($line, 'Build-Depends: ') == 0
                and $line =~ /\bhardening-wrapper\b/) {
            if (not $option_buildd) {
                error_hardening_wrapper();
                $exit |= $exit_code{hardening_wrapper};
            } else {
                print "$buildd_tag{hardening_wrapper}||\n";
            }
            next FILE;
        }

        # We skip over unimportant lines at the beginning of the log to
        # prevent false positives.
        last if index($line, 'dpkg-buildpackage: ') == 0;
    }

    # Input lines, contain only the lines with compiler commands.
    my @input = ();
    # Non-verbose lines in the input. Used to reduce calls to
    # is_non_verbose_build() (which is quite slow) in the second loop when
    # it's already clear if a line is non-verbose or not.
    my @input_nonverbose = ();

    my $continuation = 0;
    my $complete_line = undef;
    while (my $line = <$fh>) {
        # And stop at the end of the build log. Package details (reported by
        # the buildd logs) are not important for us. This also prevents false
        # positives.
        last if index($line, 'Build finished at ') == 0
                and $line =~ /^Build finished at \d{8}-\d{4}$/;

        # Detect architecture automatically unless overridden.
        if (not $arch
                and index($line, 'dpkg-buildpackage: host architecture ') == 0) {
            $arch = substr $line, 37, -1; # -1 to ignore '\n' at the end
        }

        # Ignore compiler warnings for now.
        next if $line =~ /$warning_regex/o;

        if (not $option_buildd and index($line, "\033") != -1) { # \033 = esc
            # Remove all ANSI color sequences which are sometimes used in
            # non-verbose builds.
            $line = Term::ANSIColor::colorstrip($line);
            # Also strip '\0xf' (delete previous character), used by Elinks'
            # build system.
            $line =~ s/\x0f//g;
            # And "ESC(B" which seems to be used on armhf and hurd (not sure
            # what it does).
            $line =~ s/\033\(B//g;
        }

        # Check if this line indicates a non verbose build.
        my $non_verbose = is_non_verbose_build($line);

        # One line may contain multiple commands (";"). Treat each one as
        # single line. parse_line() is slow, only use it when necessary.
        my @line = (index($line, ';') == -1)
                 ? ($line)
                 : map {
                       # Ensure newline at the line end - necessary for
                       # correct parsing later.
                       $_ =~ s/\s+$//;
                       $_ .= "\n";
                   } Text::ParseWords::parse_line(';', 1, $line);
        foreach my $line (@line) {
            if ($continuation) {
                $continuation = 0;

                # Join lines, but leave the "\" in place so it's clear where
                # the original line break was.
                chomp $complete_line;
                $complete_line .= ' ' . $line;
            }
            # Line continuation, line ends with "\".
            if ($line =~ /\\$/) {
                $continuation = 1;
                # Start line continuation.
                if (not defined $complete_line) {
                    $complete_line = $line;
                }
                next;
            }

            # Use the complete line if a line continuation occurred.
            if (defined $complete_line) {
                $line = $complete_line;
                $complete_line = undef;
            }

            # Ignore lines with no compiler commands.
            next if not $non_verbose
                    and not $line =~ /$cc_regex_normal/o;
            # Ignore lines with no filenames with extensions. May miss some
            # non-verbose builds (e.g. "gcc -o test" [sic!]), but shouldn't be
            # a problem as the log will most likely contain other non-verbose
            # commands which are detected.
            next if not $non_verbose
                    and not $line =~ /$file_extension_regex/o;

            # Ignore false positives.
            #
            # `./configure` output.
            next if not $non_verbose
                    and $line =~ /^(?:checking|[Cc]onfigure:) /;
            next if $line =~ /^\s*(?:Host\s+)?(?:C(?:\+\+)?\s+)?
                                [Cc]ompiler[\s.]*:?\s+
                                /x;
            next if $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex_full\s*$/o;
            # `moc-qt4`, contains '-I/usr/share/qt4/mkspecs/linux-g++' (or
            # similar for other architectures) which gets recognized as a
            # compiler line. Ignore it.
            next if $line =~ m{^/usr/bin/moc-qt4
                               \s.+\s
                               -I/usr/share/qt4/mkspecs/[a-z]+-g\++(?:-64)?
                               \s}x;
            # Ignore false positives when the line contains only CC=gcc but no
            # other gcc command.
            if ($line =~ /(.*)CC=$cc_regex_full(.*)/o) {
                my $before = $1;
                my $after  = $2;
                next if     not $before =~ /$cc_regex_normal/o
                        and not $after  =~ /$cc_regex_normal/o;
            }

            # Check if additional hardening options were used. Used to ensure
            # they are used for the complete build.
            $harden_pie     = 1 if any_flags_used($line, @def_cflags_pie,
                                                         @def_ldflags_pie);
            $harden_bindnow = 1 if any_flags_used($line, @def_ldflags_bindnow);

            push @input, $line;
            push @input_nonverbose, $non_verbose;
        }
    }

    close $fh or die $!;

    # Ignore arch if requested.
    if (scalar @option_ignore_arch > 0 and $arch) {
        foreach my $ignore (@option_ignore_arch) {
            if ($arch eq $ignore) {
                print "ignoring architecture '$arch'\n";
                next FILE;
            }
        }
    }

    if (scalar @input == 0) {
        if (not $option_buildd) {
            print "No compiler commands!\n";
            $exit |= $exit_code{no_compiler_commands};
        } else {
            print "$buildd_tag{no_compiler_commands}||\n";
        }
        next FILE;
    }

    if ($option_buildd) {
        $statistics{commands} += scalar @input;
    }

    # Option or auto detected.
    if ($arch) {
        # The following was partially copied from dpkg-dev 1.16.4.3
        # (/usr/share/perl5/Dpkg/Vendor/Debian.pm, add_hardening_flags()),
        # copyright Raphaël Hertzog <hertzog@debian.org>, Kees Cook
        # <kees@debian.org>, Canonical, Ltd. licensed under GPL version 2 or
        # later. Keep it in sync.

        require Dpkg::Arch;
        my ($abi, $os, $cpu) = Dpkg::Arch::debarch_to_debtriplet($arch);

        # Disable unsupported hardening options.
        if ($cpu =~ /^(?:ia64|alpha|mips|mipsel|hppa)$/ or $arch eq 'arm') {
            $harden_stack = 0;
        }
        if ($cpu =~ /^(?:ia64|hppa|avr32)$/) {
            $harden_relro   = 0;
            $harden_bindnow = 0;
        }
    }

    # Default values.
    my @cflags   = @def_cflags;
    my @cxxflags = @def_cxxflags;
    my @cppflags = @def_cppflags;
    my @ldflags  = @def_ldflags;
    # Check the specified hardening options, same order as dpkg-buildflags.
    if ($harden_pie) {
        @cflags   = (@cflags,   @def_cflags_pie);
        @cxxflags = (@cxxflags, @def_cflags_pie);
        @ldflags  = (@ldflags,  @def_ldflags_pie);
    }
    if ($harden_stack) {
        @cflags   = (@cflags,   @def_cflags_stack);
        @cxxflags = (@cxxflags, @def_cflags_stack);
    }
    if ($harden_fortify) {
        @cflags   = (@cflags,   @def_cflags_fortify);
        @cxxflags = (@cxxflags, @def_cflags_fortify);
        @cppflags = (@cppflags, @def_cppflags_fortify);
    }
    if ($harden_format) {
        @cflags   = (@cflags,   @def_cflags_format);
        @cxxflags = (@cxxflags, @def_cflags_format);
    }
    if ($harden_relro) {
        @ldflags = (@ldflags, @def_ldflags_relro);
    }
    if ($harden_bindnow) {
        @ldflags = (@ldflags, @def_ldflags_bindnow);
    }

    # Hack to fix cppflags_fortify_broken() if --ignore-flag
    # -D_FORTIFY_SOURCE=2 is used to ignore missing fortification. Only works
    # as long as @def_cppflags_fortify contains only one variable.
    if (scalar @def_cppflags_fortify == 0) {
        $harden_fortify = 0;
    }

    # Ignore flags for this arch if requested.
    if ($arch and exists $option_ignore_arch_flag{$arch}) {
        my @local_flag_refs = (\@cflags, \@cxxflags, \@cppflags, \@ldflags);

        remove_flags(\@local_flag_refs,
                     \%flag_renames,
                     @{$option_ignore_arch_flag{$arch}});
    }

    my @ignore_line = @option_ignore_line;
    # Ignore lines for this arch if requested.
    if ($arch and exists $option_ignore_arch_line{$arch}) {
        @ignore_line = (@ignore_line, @{$option_ignore_arch_line{$arch}});
    }

LINE:
    for (my $i = 0; $i < scalar @input; $i++) {
        my $line = $input[$i];

        # Ignore line if requested.
        foreach my $ignore (@ignore_line) {
            next LINE if $line =~ /$ignore/;
        }

        my $skip = 0;
        if ($input_nonverbose[$i]
                and is_non_verbose_build($line, $input[$i + 1], \$skip)) {
            if (not $option_buildd) {
                error_non_verbose_build($line);
                $exit |= $exit_code{non_verbose_build};
            } else {
                $statistics{commands_nonverbose}++;
            }
            next;
        }
        # Even if it's a verbose build, we might have to skip this line.
        next if $skip;

        # Remove everything until and including the compiler command. Makes
        # checks easier and faster.
        $line =~ s/^.*?$cc_regex//o;
        # "([...] test.c)" is not detected as 'test.c' - fix this by removing
        # the brace and similar characters at the line end.
        $line =~ s/['")]+$//;

        # Skip unnecessary tests when only preprocessing.
        my $flag_preprocess = 0;

        my $dependency = 0;
        my $preprocess = 0;
        my $compile    = 0;
        my $link       = 0;

        # Preprocess, compile, assemble.
        if ($line =~ /\s(-E|-S|-c)\b/) {
            $preprocess      = 1;
            $flag_preprocess = 1 if $1 eq '-E';
            $compile         = 1 if $1 eq '-S' or $1 eq '-c';
        # Dependency generation for Makefiles. The other flags (-MF -MG -MP
        # -MT -MQ) are always used with -M/-MM.
        } elsif ($line =~ /\s(?:-M|-MM)\b/) {
            $dependency = 1;
        # Otherwise assume we are linking.
        } else {
            $link = 1;
        }

        # -MD/-MMD also cause dependency generation, but they don't imply -E!
        if ($line =~ /\s(?:-MD|-MMD)\b/) {
            $dependency      = 0;
            $flag_preprocess = 0;
        }

        # Dependency generation for Makefiles, no preprocessing or other flags
        # needed.
        next if $dependency;

        # Get all file extensions on this line.
        my @extensions = $line =~ /$file_extension_regex/go;
        # Ignore all unknown extensions to speedup the search below.
        @extensions = grep { exists $extension{$_} } @extensions;

        # These file types don't require preprocessing.
        if (extension_found(\%extensions_no_preprocess, @extensions)) {
            $preprocess = 0;
        }
        # These file types require preprocessing.
        if (extension_found(\%extensions_preprocess, @extensions)) {
            $preprocess = 1;
        }

        if (not $flag_preprocess) {
            # If there are source files then it's compiling/linking in one
            # step and we must check both. We only check for source files
            # here, because header files cause too many false positives.
            if (extension_found(\%extensions_compile_link, @extensions)) {
                # Assembly files don't need CFLAGS.
                if (not extension_found(\%extensions_compile, @extensions)
                        and extension_found(\%extensions_no_compile, @extensions)) {
                    $compile = 0;
                # But the rest does.
                } else {
                    $compile = 1;
                }
            # No compilable extensions found, either linking or compiling
            # header flags.
            #
            # If there are also no object files we are just compiling headers
            # (.h -> .h.gch). Don't check for linker flags in this case. Due
            # to our liberal checks for compiler lines, this also reduces the
            # number of false positives considerably.
            } elsif ($link
                    and not extension_found(\%extensions_object, @extensions)) {
                $link = 0;
            }
        }

        # Assume CXXFLAGS are required when a C++ file is specified in the
        # compiler line.
        my $compile_cpp = 0;
        if ($compile
                and extension_found(\%extensions_compile_cpp, @extensions)) {
            $compile     = 0;
            $compile_cpp = 1;
        }

        if ($option_buildd) {
            $statistics{preprocess}++  if $preprocess;
            $statistics{compile}++     if $compile;
            $statistics{compile_cpp}++ if $compile_cpp;
            $statistics{link}++        if $link;
        }

        # Check hardening flags.
        my @missing;
        if ($compile and not all_flags_used($line, \@missing, @cflags)
                # Libraries linked with -fPIC don't have to (and can't) be
                # linked with -fPIE as well. It's no error if only PIE flags
                # are missing.
                and not pic_pie_conflict($line, $harden_pie, \@missing, @def_cflags_pie)
                # Assume dpkg-buildflags returns the correct flags.
                and index($line, '`dpkg-buildflags --get CFLAGS`') == -1) {
            if (not $option_buildd) {
                error_flags('CFLAGS missing', \@missing, \%flag_renames, $input[$i]);
                $exit |= $exit_code{flags_missing};
            } else {
                $statistics{compile_missing}++;
            }
        } elsif ($compile_cpp and not all_flags_used($line, \@missing, @cflags)
                # Libraries linked with -fPIC don't have to (and can't) be
                # linked with -fPIE as well. It's no error if only PIE flags
                # are missing.
                and not pic_pie_conflict($line, $harden_pie, \@missing, @def_cflags_pie)
                # Assume dpkg-buildflags returns the correct flags.
                and index($line, '`dpkg-buildflags --get CXXFLAGS`') == -1) {
            if (not $option_buildd) {
                error_flags('CXXFLAGS missing', \@missing, \%flag_renames, $input[$i]);
                $exit |= $exit_code{flags_missing};
            } else {
                $statistics{compile_cpp_missing}++;
            }
        }
        if ($preprocess
                and (not all_flags_used($line, \@missing, @cppflags)
                    # The fortify flag might be overwritten, detect that.
                     or ($harden_fortify
                         and cppflags_fortify_broken($line, \@missing)))
                # Assume dpkg-buildflags returns the correct flags.
                and index($line, '`dpkg-buildflags --get CPPFLAGS`') == -1) {
            if (not $option_buildd) {
                error_flags('CPPFLAGS missing', \@missing, \%flag_renames, $input[$i]);
                $exit |= $exit_code{flags_missing};
            } else {
                $statistics{preprocess_missing}++;
            }
        }
        if ($link and not all_flags_used($line, \@missing, @ldflags)
                # Same here, -fPIC conflicts with -fPIE.
                and not pic_pie_conflict($line, $harden_pie, \@missing, @def_ldflags_pie)
                # Assume dpkg-buildflags returns the correct flags.
                and index($line, '`dpkg-buildflags --get LDFLAGS`') == -1) {
            if (not $option_buildd) {
                error_flags('LDFLAGS missing', \@missing, \%flag_renames, $input[$i]);
                $exit |= $exit_code{flags_missing};
            } else {
                $statistics{link_missing}++;
            }
        }
    }
}

# Print statistics for buildd mode, only output in this mode.
if ($option_buildd) {
    my @warning;

    if ($statistics{preprocess_missing}) {
        push @warning, sprintf 'CPPFLAGS %d (of %d)',
                               $statistics{preprocess_missing},
                               $statistics{preprocess};
    }
    if ($statistics{compile_missing}) {
        push @warning, sprintf 'CFLAGS %d (of %d)',
                               $statistics{compile_missing},
                               $statistics{compile};
    }
    if ($statistics{compile_cpp_missing}) {
        push @warning, sprintf 'CXXFLAGS %d (of %d)',
                               $statistics{compile_cpp_missing},
                               $statistics{compile_cpp};
    }
    if ($statistics{link_missing}) {
        push @warning, sprintf 'LDFLAGS %d (of %d)',
                               $statistics{link_missing},
                               $statistics{link};
    }
    if (scalar @warning) {
        local $" = ', '; # array join string
        print "$buildd_tag{flags_missing}|@warning missing|\n";
    }

    if ($statistics{commands_nonverbose}) {
        printf "$buildd_tag{non_verbose_build}|%d (of %d) hidden|\n",
               $statistics{commands_nonverbose},
               $statistics{commands},
    }
}


exit $exit;


__END__

=head1 NAME

blhc - build log hardening check, checks build logs for missing hardening flags

=head1 SYNOPSIS

B<blhc> [I<options>] I<< <dpkg-buildpackage build log file>.. >>

=head1 DESCRIPTION

blhc is a small tool which checks build logs for missing hardening flags. It's
licensed under the GPL 3 or later.

It's designed to check build logs generated by Debian's dpkg-buildpackage (or
tools using dpkg-buildpackage like pbuilder or the official buildd build logs)
to help maintainers detect missing hardening flags in their packages.

Only gcc is detected as compiler at the moment. If other compilers support
hardening flags as well, please report them.

If there's no output, no flags are missing and the build log is fine.

=head1 OPTIONS

=over 8

=item B<--all>

Force check for all +all (+pie, +bindnow) hardening flags. By default it's
auto detected.

=item B<--arch> I<architecture>

Set the specific architecture (e.g. amd64, armel, etc.), automatically
disables hardening flags not available on this architecture. Is detected
automatically if dpkg-buildpackage is used.

=item B<--bindnow>

Force check for all +bindnow hardening flags. By default it's auto detected.

=item B<--buildd>

Special mode for buildds when automatically parsing log files. The following
changes are in effect:

=over 2

=item *

Print tags instead of normal warnings, see L</"BUILDD TAGS"> for a list of
possible tags.

=item *

Don't check hardening flags in old log files (if dpkg-dev << 1.16.1 is
detected).

=item *

Don't require Term::ANSIColor.

=item *

Return exit code 0, unless there was a error (-I, -W messages don't count as
error).

=back

=item B<--color>

Use colored (ANSI) output for warning messages.

=item B<--ignore-arch> I<arch>

Ignore build logs from architectures matching I<arch>. I<arch> is a string.

Used to prevent false positives. This option can be specified multiple times.

=item B<--ignore-arch-flag> I<arch>:I<flag>

Like B<--ignore-flag>, but only ignore flag on I<arch>.

=item B<--ignore-arch-line> I<arch>:I<line>

Like B<--ignore-line>, but only ignore line on I<arch>.

=item B<--ignore-flag> I<flag>

Don't print an error when the specific flag is missing in a compiler line.
I<flag> is a string.

Used to prevent false positives. This option can be specified multiple times.

=item B<--ignore-line> I<regex>

Ignore lines matching the given Perl regex. I<regex> is automatically anchored
at the beginning and end of the line to prevent false negatives.

B<NOTE>: Not the input lines are checked, but the lines which are displayed in
warnings (which have line continuation resolved).

Used to prevent false positives. This option can be specified multiple times.

=item B<--pie>

Force check for all +pie hardening flags. By default it's auto detected.

=item B<-h -? --help>

Print available options.

=item B<--version>

Print version number and license.

=back

Auto detection for B<--pie> and B<--bindnow> only works if at least one
command uses the required hardening flag (e.g. -fPIE). Then it's required for
all other commands as well.

=head1 EXAMPLES

Normal usage, parse a single log file.

    blhc path/to/log/file

If there's no output, no flags are missing and the build log is fine.

Parse multiple log files. The exit code is ORed over all files.

    blhc path/to/directory/with/log/files/*

Don't treat missing C<-g> as error:

    blhc --ignore-flag -g path/to/log/file

Don't treat missing C<-pie> on kfreebsd-amd64 as error:

    blhc --ignore-arch-flag kfreebsd-amd64:-pie path/to/log/file

Ignore lines consisting exactly of C<./script gcc file> which would cause a
false positive.

    blhc --ignore-line '\./script gcc file' path/to/log/file

Ignore lines matching C<./script gcc file> somewhere in the line.

    blhc --ignore-line '.*\./script gcc file.*' path/to/log/file

Use blhc with pbuilder.

    pbuilder path/to/package.dsc | tee path/log/file
    blhc path/to/file || echo flags missing

=head1 BUILDD TAGS

The following tags are used in I<--buildd> mode. In braces the additional data
which is displayed.

=over 2

=item B<I-hardening-wrapper-used>

The package uses hardening-wrapper which intercepts calls to gcc and adds
hardening flags. The build log doesn't contain any hardening flags and thus
can't be checked by blhc.

=item B<W-compiler-flags-hidden> (summary of hidden lines)

Build log contains lines which hide the real compiler flags. For example:

    CC test-a.c
    CC test-b.c
    CC test-c.c
    LD test

Most of the time either C<export V=1> or C<export verbose=1> in
F<debian/rules> fixes builds with hidden compiler flags. Sometimes C<.SILENT>
in a F<Makefile> must be removed. And as last resort the F<Makefile> must be
patched to remove the C<@>s hiding the real compiler commands.

=item B<W-dpkg-buildflags-missing> (summary of missing flags)

CPPFLAGS, CFLAGS, CXXFLAGS, LDFLAGS missing.

=item B<I-invalid-cmake-used> (version)

By default CMake ignores CPPFLAGS thus missing those hardening flags. Debian
patched CMake in versions 2.8.7-1 and 2.8.7-2 to respect CPPFLAGS, but this
patch was rejected by upstream and later reverted in Debian. Thus those two
versions show correct usage of CPPFLAGS even if the package doesn't correctly
handle them (for example by passing them to CFLAGS). To prevent false
negatives just blacklist those two versions.

=item B<I-no-compiler-commands>

No compiler commands were detected. Either the log contains none or they were
not correctly detected by blhc (please report the bug in this case).

=back

=head1 EXIT STATUS

The exit status is a "bit mask", each listed status is ORed when the error
condition occurs to get the result.

=over 4

=item B<0>

Success.

=item B<1>

No compiler commands were found.

=item B<2>

Invalid arguments/options given to blhc.

=item B<4>

Non verbose build.

=item B<8>

Missing hardening flags.

=item B<16>

Hardening wrapper detected, no tests performed.

=item B<32>

Invalid CMake version used. See B<I-invalid-cmake-used> under L</"BUILDD
TAGS"> for a detailed explanation.

=back

=head1 AUTHOR

Simon Ruderich, E<lt>simon@ruderich.orgE<gt>

Thanks to to Bernhard R. Link E<lt>brlink@debian.orgE<gt> and Jaria Alto
E<lt>jari.aalto@cante.netE<gt> for their valuable input and suggestions.

=head1 LICENSE AND COPYRIGHT

Copyright (C) 2012 by Simon Ruderich

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

=head1 SEE ALSO

L<hardening-check(1)>, L<dpkg-buildflags(1)>

=cut