# Build log hardening check, checks build logs for missing hardening flags.
-# Copyright (C) 2012 Simon Ruderich
+# Copyright (C) 2012-2013 Simon Ruderich
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# Renaming rules for the output so the regex parts are not visible. Also
# stores string values of flag regexps above, see compile_flag_regexp().
my %flag_renames = (
- '-O(?:2|3)' => '-O2',
- '-Wformat(?:=2)?' => '-Wformat',
+ '-O(?:2|3)' => '-O2',
+ '-Wformat(?:=2)?' => '-Wformat',
'--param[= ]ssp-buffer-size=4' => '--param=ssp-buffer-size=4',
- '-Wl,(?:-z,)?relro' => '-Wl,-z,relro',
- '-Wl,(?:-z,)?now' => '-Wl,-z,now',
+ '-Wl,(?:-z,)?relro' => '-Wl,-z,relro',
+ '-Wl,(?:-z,)?now' => '-Wl,-z,now',
);
my %exit_code = (
#
# C++ compiler setting.
return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;
+ return 0 if $line =~ /^\s*C\+\+ Library: stdc\+\+$/;
# "Compiling" with no file name.
if ($line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/) {
# $file_extension_regex may need spaces around the filename.
Pod::Usage::pod2usage(1);
}
if ($option_version) {
- print "blhc $VERSION Copyright (C) 2012 Simon Ruderich
+ print "blhc $VERSION Copyright (C) 2012-2013 Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
}
}
- if (index($line, 'Build-Depends: ') == 0) {
+ # Debian's build daemons use Build-Depends: for the build
+ # dependencies, but pbuilder just uses Depends:; support both.
+ if (index($line, 'Build-Depends: ') == 0
+ or index($line, 'Depends: ') == 0) {
# If hardening wrapper is used (wraps calls to gcc and adds
# hardening flags automatically) we can't perform any checks,
# abort.
if (not $arch
and index($line, 'dpkg-buildpackage: host architecture ') == 0) {
$arch = substr $line, 37, -1; # -1 to ignore '\n' at the end
+
+ # Old buildd logs use e.g. "host architecture is alpha", remove
+ # the "is", otherwise debarch_to_debtriplet() will not detect the
+ # architecture.
+ if (index($arch, 'is ') == 0) {
+ $arch = substr $arch, 3;
+ }
}
# Ignore compiler warnings for now.
[Cc]ompiler[\s.]*:?\s+
/x;
next if $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex_full\s*$/o;
- # `moc-qt4`, contains '-I/usr/share/qt4/mkspecs/linux-g++' (or
- # similar for other architectures) which gets recognized as a
- # compiler line. Ignore it.
- next if $line =~ m{^/usr/bin/moc-qt4
+ # `moc-qt4`/`moc-qt5` contain '-I.../linux-g++' in their command
+ # line (or similar for other architectures) which gets recognized
+ # as a compiler line, but `moc-qt*` is only a preprocessor for Qt
+ # C++ files. No hardening flags are relevant during this step,
+ # thus ignore `moc-qt*` lines. The resulting files will be
+ # compiled in a separate step (and therefore checked).
+ next if $line =~ m{^\S+/bin/moc-qt[45]
\s.+\s
- -I/usr/share/qt4/mkspecs/[a-z]+-g\++(?:-64)?
+ -I\S+/mkspecs/[a-z]+-g\++(?:-64)?
\s}x;
# Ignore false positives when the line contains only CC=gcc but no
# other gcc command.
=head1 LICENSE AND COPYRIGHT
-Copyright (C) 2012 by Simon Ruderich
+Copyright (C) 2012-2013 by Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
ruderich.org/simon / blhc / blhc.git / blobdiff