# Regexp to match file extensions.
my $file_extension_regex = qr/
\s
- \S+ # Filename without extension.
+ \S+ # Filename without extension.
\.
- ([^\\.,;:\s]+) # File extension.
- (?=\s|\\) # At end of word. Can't use \b because some files have non
- # word characters at the end and because \b matches double
- # extensions (like .cpp.o). Works always as all lines are
- # terminated with "\n".
+ ([^\\.,;:\s]+) # File extension.
+ (?=\s|\\) # At end of word. Can't use \b because some files have non
+ # word characters at the end and because \b matches double
+ # extensions (like .cpp.o). Works always as all lines are
+ # terminated with "\n".
/x;
# Expected (hardening) flags. All flags are used as regexps.
'-Wl,(-z,)?now' => '-Wl,-z,now',
);
+my %exit_code = (
+ no_compiler_commands => 1 << 0,
+ # used by POD::Usage => 1 << 1,
+ non_verbose_build => 1 << 2,
+ flags_missing => 1 << 3,
+ hardening_wrapper => 1 << 4,
+ invalid_cmake => 1 << 5,
+);
+
# Statistics of missing flags and non-verbose build commands. Used for
# $option_buildd.
my %statistics = (
error_color(':', 'yellow'),
$line;
}
+sub error_invalid_cmake {
+ my ($version) = @_;
+
+ printf "%s%s %s\n",
+ error_color('INVALID CMAKE', 'red'),
+ error_color(':', 'yellow'),
+ $version;
+}
sub error_hardening_wrapper {
printf "%s%s %s\n",
error_color('HARDENING WRAPPER', 'red'),
my ($line, $next_line, $skip_ref) = @_;
if (not ($line =~ /^checking if you want to see long compiling messages\.\.\. no/
- or $line =~ /^\s*\[?(?:CC|CCLD|CXX|CXXLD|LD|LINK)\]?\s+(.+?)$/
+ or $line =~ /^\s*\[?(?:CC|CCLD|C\+\+|CXX|CXXLD|LD|LINK)\]?\s+(.+?)$/
or $line =~ /^\s*(?:C|c)ompiling\s+(.+?)(?:\.\.\.)?$/
or $line =~ /^\s*(?:B|b)uilding (?:program|shared library)\s+(.+?)$/
or $line =~ /^\s*\[[\d ]+%\] Building (?:C|CXX) object (.+?)$/)) {
return 0;
}
+ # False positives.
+ return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;
+
my $file = $1;
# On the first pass we only check if this line is verbose or not.
}
}
+ # The following two versions of CMake in Debian obeyed CPPFLAGS, but
+ # this was later dropped because upstream rejected the patch. Thus
+ # build logs with these versions will have fortify hardening flags
+ # enabled, even though they may be not correctly set and are missing
+ # when build with later CMake versions. Thanks to Aron Xu for letting
+ # me know.
+ if ($line =~ /^Package versions: /
+ and $line =~ /\bcmake_(\S+)/
+ and ($1 eq '2.8.7-1' or $1 eq '2.8.7-2')) {
+ if (not $option_buildd) {
+ error_invalid_cmake($1);
+ } else {
+ print "W-invalid-cmake-used $1\n";
+ }
+ $exit |= $exit_code{invalid_cmake};
+ }
+
# If hardening wrapper is used (wraps calls to gcc and adds hardening
# flags automatically) we can't perform any checks, abort.
if ($line =~ /^Build-Depends: .*\bhardening-wrapper\b/) {
} else {
print "I-hardening-wrapper-used\n";
}
- $exit |= 1 << 4;
+ $exit |= $exit_code{hardening_wrapper};
next FILE;
}
# `./configure` output.
next if not $non_verbose
and $line =~ /^(?:checking|(?:C|c)onfigure:) /;
+ next if $line =~ /^\s*(?:Host\s+)?(?:C(?:\+\+)?\s+)?
+ (?:C|c)ompiler[\s.]*:?\s+
+ /xo;
next if $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex_full\s*$/o;
# Check if additional hardening options were used. Used to
} else {
print "W-no-compiler-commands\n";
}
- $exit |= 1;
+ $exit |= $exit_code{no_compiler_commands};
next FILE;
}
} else {
$statistics{commands_nonverbose}++;
}
- $exit |= 1 << 2;
+ $exit |= $exit_code{non_verbose_build};
next;
}
# Even if it's a verbose build, we might have to skip this line.
} else {
$statistics{compile_missing}++;
}
- $exit |= 1 << 3;
+ $exit |= $exit_code{flags_missing};
} elsif ($compile_cpp and not all_flags_used($line, \@missing, @cflags)
# Libraries linked with -fPIC don't have to (and can't) be
# linked with -fPIE as well. It's no error if only PIE flags
} else {
$statistics{compile_cpp_missing}++;
}
- $exit |= 1 << 3;
+ $exit |= $exit_code{flags_missing};
}
if ($preprocess and not all_flags_used($line, \@missing, @cppflags)
# Assume dpkg-buildflags returns the correct flags.
} else {
$statistics{preprocess_missing}++;
}
- $exit |= 1 << 3;
+ $exit |= $exit_code{flags_missing};
}
if ($link and not all_flags_used($line, \@missing, @ldflags)
# Same here, -fPIC conflicts with -fPIE.
} else {
$statistics{link_missing}++;
}
- $exit |= 1 << 3;
+ $exit |= $exit_code{flags_missing};
}
}
}
ruderich.org/simon / blhc / blhc.git / blobdiff