X-Git-Url: https://ruderich.org/simon/gitweb/?p=blhc%2Fblhc.git;a=blobdiff_plain;f=bin%2Fblhc;h=3611c6de4c3980fa743b201be179484705559590;hp=e84b12b5e6abf504810b0c943b7350507ac69df9;hb=79d3a9eaaffbb1c593adf715fa5055a4a91ed0af;hpb=f0a9d412466ca504fb2e279e1d98718a9c2bab28

diff --git a/bin/blhc b/bin/blhc
index e84b12b..3611c6d 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -2,7 +2,7 @@
 
 # Build log hardening check, checks build logs for missing hardening flags.
 
-# Copyright (C) 2012-2019  Simon Ruderich
+# Copyright (C) 2012-2020  Simon Ruderich
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -24,7 +24,7 @@ use warnings;
 use Getopt::Long ();
 use Text::ParseWords ();
 
-our $VERSION = '0.10';
+our $VERSION = '0.12';
 
 
 # CONSTANTS/VARIABLES
@@ -341,18 +341,24 @@ my $option_color;
 
 # FUNCTIONS
 
-# Only works for single-level arrays with no undef values. Thanks to perlfaq4.
-sub array_equal {
-    my ($first_ref, $second_ref) = @_;
+sub split_line {
+    my ($line) = @_;
 
-    return 0 if scalar @{$first_ref} != scalar @{$second_ref};
-
-    my $length = scalar @{$first_ref};
-    for (my $i = 0; $i < $length; $i++) {
-        return 0 if $first_ref->[$i] ne $second_ref->[$i];
+    my @work = ($line);
+    foreach my $delim (';', '&&', '||') {
+        my @x;
+        foreach (@work) {
+            push @x, Text::ParseWords::parse_line(qr/\Q$delim\E/, 1, $_);
+        }
+        @work = @x;
     }
 
-    return 1;
+    return map {
+        # Ensure newline at the line end - necessary for
+        # correct parsing later.
+        $_ =~ s/\s+$//;
+        $_ .= "\n";
+    } @work;
 }
 
 sub error_flags {
@@ -532,7 +538,7 @@ sub is_non_verbose_build {
 
     if (not (index($line, 'checking if you want to see long compiling messages... no') == 0
                 or $line =~ /^\s*\[?(?:CC|CCLD|C\+\+|CXX|CXXLD|LD|LINK)\]?\s+(.+?)$/
-                or $line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/
+                or $line =~ /^\s*[][\/0-9 ]*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/
                 or $line =~ /^\s*[Bb]uilding (?:program|shared library)\s+(.+?)$/
                 or $line =~ /^\s*\[[\d ]+%\] Building (?:C|CXX) object (.+?)$/)) {
         return 0;
@@ -684,7 +690,7 @@ if ($option_help) {
 }
 if ($option_version) {
     print <<"EOF";
-blhc $VERSION  Copyright (C) 2012-2019  Simon Ruderich
+blhc $VERSION  Copyright (C) 2012-2020  Simon Ruderich
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -750,6 +756,7 @@ foreach my $flags (@flag_refs_all) {
 }
 
 # Precompile ignore line regexps, also anchor at beginning and end of line.
+# Additional entries are also extracted from the build log, see below.
 foreach my $ignore (@option_ignore_line) {
     $ignore = qr/^$ignore$/;
 }
@@ -954,6 +961,15 @@ foreach my $file (@ARGV) {
             }
         }
 
+        # Permit dynamic excludes from within the build log to ignore false
+        # positives. Cannot use a separate config file as we often only have
+        # the build log itself.
+        if (index($line, 'blhc: ignore-line-regexp: ') == 0) {
+            my $ignore = substr $line, 26, -1; # -1 to ignore '\n' at the end
+            push @option_ignore_line, qr/^$ignore$/;
+            next;
+        }
+
         next if $line =~ /^\s*#/;
         # Ignore compiler warnings for now.
         next if $line =~ /$warning_regex/o;
@@ -975,16 +991,12 @@ foreach my $file (@ARGV) {
         $non_verbose |= is_non_verbose_build($line, \$skip);
         next if $skip;
 
-        # One line may contain multiple commands (";"). Treat each one as
-        # single line. parse_line() is slow, only use it when necessary.
-        my @line = (index($line, ';') == -1)
+        # Treat each command as a single line so we don't ignore valid
+        # commands when handling false positives. split_line() is slow, only
+        # use it when necessary.
+        my @line = ($line !~ /(?:;|&&|\|\|)/)
                  ? ($line)
-                 : map {
-                       # Ensure newline at the line end - necessary for
-                       # correct parsing later.
-                       $_ =~ s/\s+$//;
-                       $_ .= "\n";
-                   } Text::ParseWords::parse_line(';', 1, $line);
+                 : split_line($line);
         foreach my $line (@line) {
             if ($continuation) {
                 $continuation = 0;
@@ -1033,6 +1045,11 @@ foreach my $file (@ARGV) {
                                 # optional compiler options, don't allow
                                 # "everything" here to prevent false negatives
                                 \s*(?:\s-\S+)*\s*$}xo;
+            # `echo` is never a compiler command
+            next if $line =~ /^\s*echo\s/;
+            # Ignore calls to `make` because they can contain environment
+            # variables which look like compiler commands, e.g. CC=).
+            next if $line =~ /^\s*make\s/;
             # `moc-qt4`/`moc-qt5` contain '-I.../linux-g++' in their command
             # line (or similar for other architectures) which gets recognized
             # as a compiler line, but `moc-qt*` is only a preprocessor for Qt
@@ -1066,6 +1083,10 @@ foreach my $file (@ARGV) {
             next if $line =~ m{$cc_regex_normal\s*>\s*\S+}o;
             # Hex output may contain "cc".
             next if $line =~ m#(?:\b[0-9a-fA-F]{2,}\b\s*){5}#;
+            # Meson build output
+            next if $line =~ /^C\+\+ linker for the host machine: /;
+            # Embedded `gcc -print-*` commands
+            next if $line =~ /`$cc_regex_normal\s*[^`]*-print-\S+`/;
 
             # Check if additional hardening options were used. Used to ensure
             # they are used for the complete build.
@@ -1107,7 +1128,7 @@ foreach my $file (@ARGV) {
 
     # Option or auto detected.
     if ($arch) {
-        # The following was partially copied from dpkg-dev 1.19.7
+        # The following was partially copied from dpkg-dev 1.20.5
         # (/usr/share/perl5/Dpkg/Vendor/Debian.pm, _add_build_flags()),
         # copyright Raphaël Hertzog <hertzog@debian.org>, Guillem Jover
         # <guillem@debian.org>, Kees Cook <kees@debian.org>, Canonical, Ltd.
@@ -1514,6 +1535,22 @@ If there's no output, no flags are missing and the build log is fine.
 See F<README> for details about performed checks, auto-detection and
 limitations.
 
+=head1 FALSE POSITIVES
+
+To suppress false positives you can embed the following string in the build
+log:
+
+    blhc: ignore-line-regexp: REGEXP
+
+All lines fully matching REGEXP (see B<--ignore-line> for details) will be
+ignored.
+
+Please use this feature sparingly so that missing flags are not overlooked. If
+you find false positives which affect more packages please report a bug.
+
+To generate this string simply use echo in C<debian/rules>; make sure to use @
+to suppress the echo command itself as it could also trigger a false positive.
+
 =head1 OPTIONS
 
 =over 8
@@ -1759,7 +1796,7 @@ E<lt>jari.aalto@cante.netE<gt> for their valuable input and suggestions.
 
 =head1 LICENSE AND COPYRIGHT
 
-Copyright (C) 2012-2019 by Simon Ruderich
+Copyright (C) 2012-2020 by Simon Ruderich
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by