my $option_version = 0;
my $option_pie = 0;
my $option_bindnow = 0;
+my @option_ignore_arch = ();
my @option_ignore_flag = ();
my @option_ignore_line = ();
my $option_all = 0;
'bindnow' => \$option_bindnow,
'all' => \$option_all,
# Ignore.
+ 'ignore-arch=s' => \@option_ignore_arch,
'ignore-flag=s' => \@option_ignore_flag,
'ignore-line=s' => \@option_ignore_line,
# Misc.
my $harden_pie = $option_pie; # defaults to 0
while (my $line = <$fh>) {
+ # Detect architecture automatically unless overridden. For buildd logs
+ # only, doesn't use the dpkg-buildpackage header. Necessary to ignore
+ # build logs which aren't built (wrong architecture, build error,
+ # etc.).
+ if (not $arch
+ and $line =~ /^Architecture: (.+)$/) {
+ $arch = $1;
+ }
+
# dpkg-buildflags only provides hardening flags since 1.16.1, don't
# check for hardening flags in buildd mode if an older dpkg-dev is
# used. Default flags (-g -O2) are still checked.
if ($option_buildd
and index($line, 'Toolchain package versions: ') == 0) {
require Dpkg::Version;
- if ($line !~ /\bdpkg-dev_(\S+)/
+ if (not $line =~ /\bdpkg-dev_(\S+)/
or Dpkg::Version::version_compare($1, '1.16.1') < 0) {
$harden_format = 0;
$harden_fortify = 0;
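Review bot: The new `Architecture:` detection is not gated on `$option_buildd`, although its comment says it is for buildd logs only and the toolchain check right below it is gated. In a plain dpkg-buildpackage log, any output line starting with `Architecture: ` would set `$arch`, and with `--ignore-arch` that value decides whether the whole log is skipped by the hardening check. If buildd-only is intended, the condition could read `if ($option_buildd and not $arch and $line =~ /^Architecture: (\S+)\s*$/) {`. Using `(\S+)\s*` instead of `(.+)` also keeps a trailing space or carriage return out of `$arch`, which would otherwise make the later exact `eq` comparison miss. The declaration of `$arch` is outside this hunk, so whether it is reset for each log file cannot be confirmed here.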
$complete_line .= ' ' . $line;
}
# Line continuation, line ends with "\".
- if ($line =~ /\\\s*$/) {
+ if ($line =~ /\\$/) {
$continuation = 1;
# Start line continuation.
if (not defined $complete_line) {
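Review bot: The continuation test `/\\$/` no longer accepts whitespace after the backslash, and nothing in the hunk says why. Unless `$line` is normalized earlier (not visible here), a log with CRLF line endings or a stray trailing space would no longer be joined, so the rest of a compiler command is checked as a separate line and its flags are judged in isolation. If the narrowing is intended, a comment such as `# A backslash followed by whitespace is not a line continuation.` would record it. If CRLF logs must still work, `/\\\r?$/` keeps the stricter rule while tolerating them. The surrounding loop body starts and ends outside the hunk.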
close $fh;
+ # Ignore arch if requested.
+ if (scalar @option_ignore_arch > 0 and $arch) {
+ foreach my $ignore (@option_ignore_arch) {
+ if ($arch eq $ignore) {
+ print "ignoring architecture '$arch'\n";
+ next FILE;
+ }
+ }
+ }
+
if (scalar @input == 0) {
if (not $option_buildd) {
print "No compiler commands!\n";
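Review bot: The `--ignore-arch` block skips a log with `next FILE` based on a string read from the log itself, and the only trace is a single `print` line. For a checker whose result may gate builds, a skipped log is easy to mistake for a clean one, so the skip should be counted in whatever summary or exit status the script produces (not visible in this hunk). The comparison is an exact `eq`, while the added POD says "architectures matching I<arch>"; a comment such as `# Exact string comparison, patterns are not supported.` or a POD wording fix would remove the ambiguity. The inner loop could also be written as `if (grep { $arch eq $_ } @option_ignore_arch) {`. The `FILE` loop this block belongs to starts outside the hunk.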
Use colored (ANSI) output for warning messages.
+=item B<--ignore-arch> I<arch>
+
+Ignore build logs from architectures matching I<arch>. I<arch> is a string.
+
+Used to prevent false positives. This option can be specified multiple times.
+
=item B<--ignore-flag> I<flag>
Don't print an error when the specific flag is missing in a compiler line.