fix false positive with `gcc -v`

[blhc/blhc.git] / bin / blhc

diff --git a/bin/blhc b/bin/blhc
index 0c2ba90e922ba4e6a4887f8d98cf7561825bbccf..cc4f44bb723a2fc6c2321b08a84ce4c3f23a2cac 100755 (executable)
--- a/bin/blhc
+++ b/bin/blhc
@@ -38,8 +38,11 @@ my $cc_regex = qr/
     /x;
 # Full regex which matches the complete compiler name. Used in a few places to
 # prevent false negatives.
+my $cc_regex_full_prefix = qr/
+    [a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?
+    /x;
 my $cc_regex_full = qr/
-    (?:[a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?-)?
+    (?:$cc_regex_full_prefix-)?
     $cc_regex
     /x;
 # Regex to check if a line contains a compiler command.
@@ -943,6 +946,12 @@ foreach my $file (@ARGV) {
                 next if     not $before =~ /$cc_regex_normal/o
                         and not $after  =~ /$cc_regex_normal/o;
             }
+            # Ignore false positives caused by gcc -v. It outputs a line
+            # looking like a normal compiler line but which is sometimes
+            # missing hardening flags, although the normal compiler line
+            # contains them.
+            next if $line =~ m{^\s+/usr/lib/gcc/$cc_regex_full_prefix/
+                                   [0-9.]+/cc1(?:plus)?}xo;
 
             # Check if additional hardening options were used. Used to ensure
             # they are used for the complete build.