# Build log hardening check, checks build logs for missing hardening flags.
-# Copyright (C) 2012-2019 Simon Ruderich
+# Copyright (C) 2012-2020 Simon Ruderich
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
use Getopt::Long ();
use Text::ParseWords ();
-our $VERSION = '0.10';
+our $VERSION = '0.12';
# CONSTANTS/VARIABLES
# FUNCTIONS
-# Only works for single-level arrays with no undef values. Thanks to perlfaq4.
-sub array_equal {
- my ($first_ref, $second_ref) = @_;
+sub split_line {
+ my ($line) = @_;
- return 0 if scalar @{$first_ref} != scalar @{$second_ref};
-
- my $length = scalar @{$first_ref};
- for (my $i = 0; $i < $length; $i++) {
- return 0 if $first_ref->[$i] ne $second_ref->[$i];
+ my @work = ($line);
+ foreach my $delim (';', '&&', '||') {
+ my @x;
+ foreach (@work) {
+ push @x, Text::ParseWords::parse_line(qr/\Q$delim\E/, 1, $_);
+ }
+ @work = @x;
}
- return 1;
+ return map {
+ # Ensure newline at the line end - necessary for
+ # correct parsing later.
+ $_ =~ s/\s+$//;
+ $_ .= "\n";
+ } @work;
}
sub error_flags {
if (not (index($line, 'checking if you want to see long compiling messages... no') == 0
or $line =~ /^\s*\[?(?:CC|CCLD|C\+\+|CXX|CXXLD|LD|LINK)\]?\s+(.+?)$/
- or $line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/
+ or $line =~ /^\s*[][\/0-9 ]*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/
or $line =~ /^\s*[Bb]uilding (?:program|shared library)\s+(.+?)$/
or $line =~ /^\s*\[[\d ]+%\] Building (?:C|CXX) object (.+?)$/)) {
return 0;
}
if ($option_version) {
print <<"EOF";
-blhc $VERSION Copyright (C) 2012-2019 Simon Ruderich
+blhc $VERSION Copyright (C) 2012-2020 Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
}
# Precompile ignore line regexps, also anchor at beginning and end of line.
+# Additional entries are also extracted from the build log, see below.
foreach my $ignore (@option_ignore_line) {
$ignore = qr/^$ignore$/;
}
}
}
+ # Permit dynamic excludes from within the build log to ignore false
+ # positives. Cannot use a separate config file as we often only have
+ # the build log itself.
+ if (index($line, 'blhc: ignore-line-regexp: ') == 0) {
+ my $ignore = substr $line, 26, -1; # -1 to ignore '\n' at the end
+ push @option_ignore_line, qr/^$ignore$/;
+ next;
+ }
+
next if $line =~ /^\s*#/;
# Ignore compiler warnings for now.
next if $line =~ /$warning_regex/o;
$non_verbose |= is_non_verbose_build($line, \$skip);
next if $skip;
- # One line may contain multiple commands (";"). Treat each one as
- # single line. parse_line() is slow, only use it when necessary.
- my @line = (index($line, ';') == -1)
+ # Treat each command as a single line so we don't ignore valid
+ # commands when handling false positives. split_line() is slow, only
+ # use it when necessary.
+ my @line = ($line !~ /(?:;|&&|\|\|)/)
? ($line)
- : map {
- # Ensure newline at the line end - necessary for
- # correct parsing later.
- $_ =~ s/\s+$//;
- $_ .= "\n";
- } Text::ParseWords::parse_line(';', 1, $line);
+ : split_line($line);
foreach my $line (@line) {
if ($continuation) {
$continuation = 0;
# optional compiler options, don't allow
# "everything" here to prevent false negatives
\s*(?:\s-\S+)*\s*$}xo;
+ # `echo` is never a compiler command
+ next if $line =~ /^\s*echo\s/;
+ # Ignore calls to `make` because they can contain environment
+ # variables which look like compiler commands, e.g. CC=).
+ next if $line =~ /^\s*make\s/;
# `moc-qt4`/`moc-qt5` contain '-I.../linux-g++' in their command
# line (or similar for other architectures) which gets recognized
# as a compiler line, but `moc-qt*` is only a preprocessor for Qt
next if $line =~ m{$cc_regex_normal\s*>\s*\S+}o;
# Hex output may contain "cc".
next if $line =~ m#(?:\b[0-9a-fA-F]{2,}\b\s*){5}#;
+ # Meson build output
+ next if $line =~ /^C\+\+ linker for the host machine: /;
+ # Embedded `gcc -print-*` commands
+ next if $line =~ /`$cc_regex_normal\s*[^`]*-print-\S+`/;
# Check if additional hardening options were used. Used to ensure
# they are used for the complete build.
# Option or auto detected.
if ($arch) {
- # The following was partially copied from dpkg-dev 1.19.7
+ # The following was partially copied from dpkg-dev 1.20.5
# (/usr/share/perl5/Dpkg/Vendor/Debian.pm, _add_build_flags()),
# copyright Raphaƫl Hertzog <hertzog@debian.org>, Guillem Jover
# <guillem@debian.org>, Kees Cook <kees@debian.org>, Canonical, Ltd.
See F<README> for details about performed checks, auto-detection and
limitations.
+=head1 FALSE POSITIVES
+
+To suppress false positives you can embed the following string in the build
+log:
+
+ blhc: ignore-line-regexp: REGEXP
+
+All lines fully matching REGEXP (see B<--ignore-line> for details) will be
+ignored.
+
+Please use this feature sparingly so that missing flags are not overlooked. If
+you find false positives which affect more packages please report a bug.
+
+To generate this string simply use echo in C<debian/rules>; make sure to use @
+to suppress the echo command itself as it could also trigger a false positive.
+
=head1 OPTIONS
=over 8
=head1 LICENSE AND COPYRIGHT
-Copyright (C) 2012-2019 by Simon Ruderich
+Copyright (C) 2012-2020 by Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
ruderich.org/simon / blhc / blhc.git / blobdiff