use warnings;
use Getopt::Long ();
-use Term::ANSIColor ();
use Text::ParseWords ();
our $VERSION = '0.01';
);
my %extension = map { $_ => 1 } (
@source_no_preprocess,
- @source_no_preprocess_compile,
- @source_no_preprocess_compile_cpp,
- @source_no_preprocess_no_compile,
@header_preprocess,
@source_preprocess,
- @source_preprocess_compile,
- @source_preprocess_compile_cpp,
- @source_preprocess_no_compile,
);
# Regexp to match file extensions.
\s
\S+ # Filename without extension.
\.
- ([^\\.,;:\s]+) # File extension.
+ ([^\/\\.,;:\s]+)# File extension.
(?=\s|\\) # At end of word. Can't use \b because some files have non
# word characters at the end and because \b matches double
# extensions (like .cpp.o). Works always as all lines are
);
my @def_ldflags = ();
my @def_ldflags_relro = (
- '-Wl,(-z,)?relro',
+ '-Wl,(?:-z,)?relro',
);
my @def_ldflags_bindnow = (
- '-Wl,(-z,)?now',
+ '-Wl,(?:-z,)?now',
);
my @def_ldflags_pie = (
'-fPIE',
# Renaming rules for the output so the regex parts are not visible. Also
# stores string values of flag regexps above, see compile_flag_regexp().
my %flag_renames = (
- '-O(?:2|3)' => '-O2',
- '-Wl,(-z,)?relro' => '-Wl,-z,relro',
- '-Wl,(-z,)?now' => '-Wl,-z,now',
+ '-O(?:2|3)' => '-O2',
+ '-Wl,(?:-z,)?relro' => '-Wl,-z,relro',
+ '-Wl,(?:-z,)?now' => '-Wl,-z,now',
);
my %exit_code = (
non_verbose_build => 1 << 2,
flags_missing => 1 << 3,
hardening_wrapper => 1 << 4,
+ invalid_cmake => 1 << 5,
);
# Statistics of missing flags and non-verbose build commands. Used for
error_color(':', 'yellow'),
$line;
}
+sub error_invalid_cmake {
+ my ($version) = @_;
+
+ printf "%s%s %s\n",
+ error_color('INVALID CMAKE', 'red'),
+ error_color(':', 'yellow'),
+ $version;
+}
sub error_hardening_wrapper {
printf "%s%s %s\n",
error_color('HARDENING WRAPPER', 'red'),
}
# False positives.
+ #
+ # C++ compiler setting.
return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;
+ # "Compiling" with no file name.
+ if ($line =~ /^\s*(?:C|c)ompiling\s+(.+?)(?:\.\.\.)?$/) {
+ # $file_extension_regex may need spaces around the filename.
+ return 0 if not " $1 " =~ /$file_extension_regex/o;
+ }
my $file = $1;
exit 0;
}
+# Don't load Term::ANSIColor in buildd mode because Term::ANSIColor is not
+# installed on Debian's buildds.
+if (not $option_buildd) {
+ require Term::ANSIColor;
+}
+
if ($option_all) {
$option_pie = 1;
$option_bindnow = 1;
my $exit = 0;
FILE: foreach my $file (@ARGV) {
+ print "checking '$file'...\n" if scalar @ARGV > 1;
+
open my $fh, '<', $file or die "$!: $file";
+ # Architecture of this file.
+ my $arch = $option_arch;
+
# Hardening options. Not all architectures support all hardening options.
my $harden_format = 1;
my $harden_fortify = 1;
# flags are not checked.
if ($option_buildd and $line =~ /^Toolchain package versions: /) {
require Dpkg::Version;
- if ($line !~ /dpkg-dev_(\S+)/
+ if ($line !~ /\bdpkg-dev_(\S+)/
or Dpkg::Version::version_compare($1, '1.16.1') < 0) {
$harden_format = 0;
$harden_fortify = 0;
}
}
+ # The following two versions of CMake in Debian obeyed CPPFLAGS, but
+ # this was later dropped because upstream rejected the patch. Thus
+ # build logs with these versions will have fortify hardening flags
+ # enabled, even though they may be not correctly set and are missing
+ # when build with later CMake versions. Thanks to Aron Xu for letting
+ # me know.
+ if ($line =~ /^Package versions: /
+ and $line =~ /\bcmake_(\S+)/
+ and ($1 eq '2.8.7-1' or $1 eq '2.8.7-2')) {
+ if (not $option_buildd) {
+ error_invalid_cmake($1);
+ } else {
+ print "W-invalid-cmake-used $1\n";
+ }
+ $exit |= $exit_code{invalid_cmake};
+ }
+
# If hardening wrapper is used (wraps calls to gcc and adds hardening
# flags automatically) we can't perform any checks, abort.
if ($line =~ /^Build-Depends: .*\bhardening-wrapper\b/) {
last if $line =~ /^Build finished at \d{8}-\d{4}$/;
# Detect architecture automatically unless overridden.
- if (not $option_arch
+ if (not $arch
and $line =~ /^dpkg-buildpackage: host architecture (.+)$/) {
- $option_arch = $1;
+ $arch = $1;
}
# Ignore compiler warnings for now.
next if $line =~ /$warning_regex/o;
- if ($line =~ /\033/) { # esc
+ if (not $option_buildd and $line =~ /\033/) { # esc
# Remove all ANSI color sequences which are sometimes used in
# non-verbose builds.
$line = Term::ANSIColor::colorstrip($line);
}
# Option or auto detected.
- if ($option_arch) {
+ if ($arch) {
# The following was partially copied from dpkg-dev 1.16.1.2
# (/usr/share/perl5/Dpkg/Vendor/Debian.pm, add_hardening_flags()),
# copyright Raphaƫl Hertzog <hertzog@debian.org>, Kees Cook
# later. Keep it in sync.
require Dpkg::Arch;
- my ($abi, $os, $cpu) = Dpkg::Arch::debarch_to_debtriplet($option_arch);
+ my ($abi, $os, $cpu) = Dpkg::Arch::debarch_to_debtriplet($arch);
# Disable unsupported hardening options.
- if ($cpu =~ /^(ia64|alpha|mips|mipsel|hppa)$/ or $option_arch eq 'arm') {
+ if ($cpu =~ /^(ia64|alpha|mips|mipsel|hppa)$/ or $arch eq 'arm') {
$harden_stack = 0;
}
if ($cpu =~ /^(ia64|hppa|avr32)$/) {
# Skip unnecessary tests when only preprocessing.
my $flag_preprocess = 0;
+ my $dependency = 0;
my $preprocess = 0;
my $compile = 0;
my $link = 0;
$preprocess = 1;
$flag_preprocess = 1 if $1 eq '-E';
$compile = 1 if $1 eq '-S' or $1 eq '-c';
+ # Dependency generation for Makefiles. The other flags (-MF -MG -MP
+ # -MT -MQ) are always used with -M/-MM.
+ } elsif ($line =~ /\s(?:-M|-MM)\b/) {
+ $dependency = 1;
# Otherwise assume we are linking.
} else {
$link = 1;
}
+ # -MD/-MMD also cause dependency generation, but they don't imply -E!
+ if ($line =~ /\s(?:-MD|-MMD)\b/) {
+ $dependency = 0;
+ $flag_preprocess = 0;
+ }
+
+ # Dependency generation for Makefiles, no preprocessing or other flags
+ # needed.
+ next if $dependency;
+
# Get all file extensions on this line.
my @extensions = $line =~ /$file_extension_regex/go;
# Ignore all unknown extensions to speedup the search below.
ruderich.org/simon / blhc / blhc.git / blobdiff