From 35a018278ad2fb931749f25d41bea0b7bd4f11e9 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Wed, 21 Mar 2012 20:43:06 +0100 Subject: [PATCH] Detect compile type (preprocess, compile, link) correctly. The arguments to gcc (-E, -S, -c) and the file extension are used to detect the correct type. This fixes many false positives and a few false negatives. Thanks to Bernhard R. Link for the idea. --- bin/blhc | 136 ++++++++++++++++++++++++++++++++++++-------- t/logs/bad | 7 +++ t/logs/bad-cflags | 4 ++ t/logs/bad-cppflags | 4 ++ t/logs/bad-library | 4 +- t/logs/cc | 4 ++ t/logs/g++ | 4 ++ t/logs/gcc | 4 ++ t/logs/good | 9 +++ t/logs/good-library | 10 +++- t/tests.t | 59 ++++++++++++++++++- 11 files changed, 218 insertions(+), 27 deletions(-) diff --git a/bin/blhc b/bin/blhc index bf5f8ff..3d5f73c 100755 --- a/bin/blhc +++ b/bin/blhc @@ -36,6 +36,81 @@ my $cc_regex = qr/(?:[a-z0-9_]+-(?:linux|kfreebsd)-gnu(?:eabi|eabihf)?-)? # Regex to catch (GCC) compiler warnings. my $warning_regex = qr/^(.+?):([0-9]+):[0-9]+: warning: (.+?) \[(.+?)\]$/; +# Regex for source files which require preprocessing. +my $source_preprocess_compile_regex = qr/ + # C + c + # Objective-C + | m + # C++ + | cc | cp | cxx | cpp | CPP | c\+\+ | C + # Objective-C++ + | mm | M + # Fortran + | F | FOR | fpp | FPP | FTN | F90 | F95 | F03 | F08 + /x; +my $source_preprocess_no_compile_regex = qr/ + # Assembly + s + /x; +my $source_preprocess_regex = qr/ + $source_preprocess_compile_regex + | $source_preprocess_no_compile_regex + /x; +# Regex for source files which don't require preprocessing. +my $source_no_preprocess_compile_regex = qr/ + # C + i + # C++ + | ii + # Objective-C + | mi + # Objective-C++ + | mii + # Fortran + | f | for | ftn | f90 | f95 | f03 | f08 + /x; +my $source_no_preprocess_no_compile_regex = qr/ + # Assembly + S | sx + /x; +my $source_no_preprocess_regex = qr/ + $source_no_preprocess_compile_regex + | $source_no_preprocess_no_compile_regex + /x; +# Regex for header files which require preprocessing. +my $header_preprocess_regex = qr/ + # C, C++, Objective-C, Objective-C++ + h + # C++ + | hh | H | hp | hxx | hpp | HPP | h\+\+ | tcc + /x; +# Regexps to match files with the given characteristics. +my $file_no_preprocess_regex = qr/ + $cc_regex.+? + \.(?: $source_no_preprocess_regex)\b + /x; +my $file_preprocess_regex = qr/ + $cc_regex.+? + \.(?: $header_preprocess_regex + | $source_preprocess_regex)\b + /x; +my $file_compile_link_regex = qr/ + $cc_regex.+? + \.(?: $source_preprocess_regex + | $source_no_preprocess_regex)\b + /x; +my $file_compile_regex = qr/ + $cc_regex.+? + \.(?: $source_preprocess_compile_regex + | $source_no_preprocess_compile_regex)\b + /x; +my $file_no_compile_regex = qr/ + $cc_regex.+ + \.(?: $source_preprocess_no_compile_regex + | $source_no_preprocess_no_compile_regex)\b + /x; + # Expected (hardening) flags. All flags are used as regexps. my @cflags = ( '-g', @@ -443,47 +518,60 @@ for (my $i = 0; $i < scalar @input; $i++) { # Even if it's a verbose build, we might have to skip this line. next if $skip; + # Skip unnecessary tests when only preprocessing. + my $flag_preprocess = 0; + + my $preprocess = 0; + my $compile = 0; + my $link = 0; - # Is this a compiler or linker command? - my $compiler = 1; - my $linker = 0; - - # Linker commands. - if ($line =~ m{\s-o # -o - [\s\\]*\s+ # possible line continuation - (?:[/.A-Za-z0-9~_-]+/)? # path to file - [A-Za-z0-9~_-]+ # binary name (no dots!) - (?:[0-9.]*\.so[0-9.]*[a-z]? # library (including version) - |\.la - |\.cgi)? # CGI binary - (?:\s|\\|$) # end of file name - }x - or $line =~ /^libtool: link: / - or $line =~ m{\s*/bin/bash .+?libtool\s+(.+?\s+)?--mode=(re)?link}) { - $compiler = 0; - $linker = 1; + # Preprocess, compile, assemble. + if ($line =~ /$cc_regex.*?\s(-E|-S|-c)\b/) { + $preprocess = 1; + $flag_preprocess = 1 if $1 eq '-E'; + $compile = 1 if $1 eq '-S' or $1 eq '-c'; + # Otherwise assume we are linking. + } else { + $link = 1; + } + + # These file types don't require preprocessing. + if ($line =~ /$file_no_preprocess_regex/) { + $preprocess = 0; + } + # These file types require preprocessing. + if ($line =~ /$file_preprocess_regex/) { + $preprocess = 1; } # If there are source files then it's compiling/linking in one step and we - # must check both. - if ($line =~ /\.(?:c|cc|cpp)\b/) { - $compiler = 1; + # must check both. We only check for source files here, because header + # files cause too many false positives. + if (not $flag_preprocess and $line =~ /$file_compile_link_regex/) { + # Assembly files don't need CFLAGS. + if (not $line =~ /$file_compile_regex/ + and $line =~ /$file_no_compile_regex/) { + $compile = 0; + # But the rest does. + } else { + $compile = 1; + } } # Check hardening flags. my @missing; - if ($compiler and not all_flags_used($line, \@missing, @cflags) + if ($compile and not all_flags_used($line, \@missing, @cflags) # Libraries linked with -fPIC don't have to (and can't) be linked # with -fPIE as well. It's no error if only PIE flags are missing. and not pic_pie_conflict($line, $harden_pie, \@missing, @cflags_pie)) { error_flags('CFLAGS missing', \@missing, \%flag_renames, $line); $exit |= 1 << 3; } - if ($compiler and not all_flags_used($line, \@missing, @cppflags)) { + if ($preprocess and not all_flags_used($line, \@missing, @cppflags)) { error_flags('CPPFLAGS missing', \@missing, \%flag_renames, $line); $exit |= 1 << 3; } - if ($linker and not all_flags_used($line, \@missing, @ldflags) + if ($link and not all_flags_used($line, \@missing, @ldflags) # Same here, -fPIC conflicts with -fPIE. and not pic_pie_conflict($line, $harden_pie, \@missing, @ldflags_pie)) { error_flags('LDFLAGS missing', \@missing, \%flag_renames, $line); diff --git a/t/logs/bad b/t/logs/bad index 49357a1..3240885 100644 --- a/t/logs/bad +++ b/t/logs/bad @@ -23,3 +23,10 @@ g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-securi gcc -o test test-a.o test-b.o test-c.a g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security ../src/test/objs/test.o -o ../src/test/bin/test + +gcc -c -o test test.S +gcc -c -o test test.s + +gcc -E test.c + +gcc test.c diff --git a/t/logs/bad-cflags b/t/logs/bad-cflags index 3de1841..e231307 100644 --- a/t/logs/bad-cflags +++ b/t/logs/bad-cflags @@ -8,3 +8,7 @@ gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest # Compiling and linking in one step must also check CFLAGS/CPPFLAGS. gcc -Wl,-z,relro -o test test.c -ltest gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest + +gcc -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -c -D_FORTIFY_SOURCE=2 ../../../../src/test/test.c -o test.so.o + +gcc test.c -o test.output diff --git a/t/logs/bad-cppflags b/t/logs/bad-cppflags index 48e7f5a..a4d83b1 100644 --- a/t/logs/bad-cppflags +++ b/t/logs/bad-cppflags @@ -4,3 +4,7 @@ gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-securit gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-b.c gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-c.c gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest + +gcc -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c ../../../../src/test/test.c -o test.so.o + +g++ -o test -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test-a.cxx test-b.o test-c.o -Wl,-z,relro diff --git a/t/logs/bad-library b/t/logs/bad-library index 383a8db..ec7603e 100644 --- a/t/logs/bad-library +++ b/t/logs/bad-library @@ -1,6 +1,6 @@ dpkg-buildpackage: source package test -gcc -D_FORTIFY_SOURCE=2 -g -O2 --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -fPIC -DPIC -o libtest.o +gcc -D_FORTIFY_SOURCE=2 -g -O2 --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -fPIC -DPIC -o libtest.so gcc -shared -fPIC -DPIC libtest.o -lpthread -O2 -Wl,relro -Wl,--as-needed -o libtest.so gcc -shared -fPIC -DPIC libtest.o -lpthread -O2 -Wl,--as-needed -o libtest.so @@ -10,3 +10,5 @@ gcc -shared -o libtest.so.0d ./test-a.o test/./test-b.o -Wl,-z,now -lpthread -ld /usr/bin/g++ -shared -fpic -o libtest-6.1.so.0 test.o -ltiff -lz gcc -Wl,--as-needed -fPIE -pie -o test.cgi test.o -lgcrypt + +gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -o lib`basename test/test`.so diff --git a/t/logs/cc b/t/logs/cc index 38e7cab..49df5c7 100644 --- a/t/logs/cc +++ b/t/logs/cc @@ -6,4 +6,8 @@ cc -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security - cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.c cc -Wl,-z,defs -o test test-a.o test-b.o test-c.o -ltest +rm cc-test.h +cc\ + test.cc + cc -Wl,-z,defs test-a.o test-b.o test-c.o -ltest -Wl,-z,relro -o test/test-4.2~_4711/test.so test.o diff --git a/t/logs/g++ b/t/logs/g++ index 7118ef1..3c372a1 100644 --- a/t/logs/g++ +++ b/t/logs/g++ @@ -21,6 +21,10 @@ x86_64-linux-gnu-g++ -Wl,-z,defs -o test test-a.o test-b.o test-c.o test-d.o -lt g++ -Wl,-z,defs test-a.o test-b.o test-c.o -ltest -Wl,-z,relro -o test/test-4.2~_4711/test.so test.o +rm g++test.h +g++\ + test.c + g++-4.6 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.cpp g++-4.6 -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.cpp g++-4.6 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.cpp diff --git a/t/logs/gcc b/t/logs/gcc index e90dba5..def411d 100644 --- a/t/logs/gcc +++ b/t/logs/gcc @@ -8,4 +8,8 @@ gcc-4.6 -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-secur gcc-4.6 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.c gcc-4.6 -Wl,-z,defs -o test test-a.o test-b.o test-c.o -ltest +rm gcc-test.h +gcc\ + test.c + gcc-4.6 -Wl,-z,defs test-a.o test-b.o test-c.o -ltest -Wl,-z,relro -o test/test-4.2~_4711/test.so test.o diff --git a/t/logs/good b/t/logs/good index 447ff17..82a6d97 100644 --- a/t/logs/good +++ b/t/logs/good @@ -20,3 +20,12 @@ g++ -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wfo g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -pthread -Wl,-z,relro -o ../src/test/bin/test ../src/test/objs/test.o g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -pthread -Wl,-z,relro ../src/test/objs/test.o -o ../src/test/bin/test + +gcc -c -o test test.S +gcc -D_FORTIFY_SOURCE=2 -c -o test test.s + +gcc -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c -D_FORTIFY_SOURCE=2 ../../../../src/test/test.c -o test.so.o + +gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro test.c -o test.output + +gcc -E -D_FORTIFY_SOURCE=2 test.c diff --git a/t/logs/good-library b/t/logs/good-library index a104f0d..a52c84f 100644 --- a/t/logs/good-library +++ b/t/logs/good-library @@ -2,7 +2,7 @@ dpkg-buildpackage: source package test # -fPIC and -fPIE conflict with each other and -fPIE is not necessary for # libraries. -gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -fPIC -DPIC -o libtest.o +gcc -D_FORTIFY_SOURCE=2 -g -Wl,relro -Wl,now -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -fPIC -DPIC -o libtest.so gcc -shared -fPIC -DPIC libtest.o -lpthread -O2 -Wl,relro -Wl,now -Wl,--as-needed -o libtest.so gcc -shared -fPIC test.o -Wl,-z -Wl,relro -Wl,now -o .libs/libtest.so.1.0.0 @@ -11,3 +11,11 @@ gcc -shared -fPIE -pie -o libtest.so.0d ./test-a.o test/./test-b.o -Wl,-z,relro /usr/bin/g++ -shared -fpic -Wl,-z,relro -Wl,-z,now -o libtest-6.1.so.0 test.o -ltiff -lz gcc -Wl,-z,now -Wl,-z,relro -Wl,--as-needed -fPIE -pie -o test.cgi test.o -lgcrypt + +gcc -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fPIE -pie -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -o lib`basename test/test`.so + +gcc -fPIE -pie -Wl,-z,relro -Wl,-z,now -o test+test test+test.o +gcc -fPIE -pie -Wl,-z,relro -Wl,-z,now -o test.test test.test.o +gcc -fPIE -pie -Wl,-z,relro -Wl,-z,now -o test.bin test.test.o +gcc -fPIE -pie -Wl,-z,relro -Wl,-z,now -o test.real test.test.o +gcc -fPIE -pie -Wl,-z,relro -Wl,-z,now -o test.cgi test.test.o diff --git a/t/tests.t b/t/tests.t index 09c22f1..d754c64 100644 --- a/t/tests.t +++ b/t/tests.t @@ -107,6 +107,11 @@ CPPFLAGS missing (-D_FORTIFY_SOURCE=2): g++ -g -O2 -fstack-protector --param=ss LDFLAGS missing (-Wl,-z,relro): g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -pthread -o ./testProgram ../src/test/testProgram.cpp LDFLAGS missing (-Wl,-z,relro): gcc -o test test-a.o test-b.o test-c.a LDFLAGS missing (-Wl,-z,relro): g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security ../src/test/objs/test.o -o ../src/test/bin/test +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -c -o test test.s +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -E test.c +CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc test.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc test.c +LDFLAGS missing (-Wl,-z,relro): gcc test.c '; is_blhc 'bad', '--pie', 8, 'CFLAGS missing (-fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-a.c @@ -129,6 +134,11 @@ LDFLAGS missing (-fPIE -pie -Wl,-z,relro): g++ -g -O2 -fstack-protector --param LDFLAGS missing (-fPIE -pie): g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -pthread -Wl,-z,relro -o ../src/test/bin/test ../src/test/objs/test.o LDFLAGS missing (-fPIE -pie -Wl,-z,relro): gcc -o test test-a.o test-b.o test-c.a LDFLAGS missing (-fPIE -pie -Wl,-z,relro): g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security ../src/test/objs/test.o -o ../src/test/bin/test +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -c -o test test.s +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -E test.c +CFLAGS missing (-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc test.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc test.c +LDFLAGS missing (-fPIE -pie -Wl,-z,relro): gcc test.c '; is_blhc 'bad', '--bindnow', 8, 'CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-a.c @@ -150,6 +160,11 @@ LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): g++ -g -O2 -fstack-protector --param LDFLAGS missing (-Wl,-z,now): g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -pthread -Wl,-z,relro -o ../src/test/bin/test ../src/test/objs/test.o LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc -o test test-a.o test-b.o test-c.a LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security ../src/test/objs/test.o -o ../src/test/bin/test +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -c -o test test.s +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -E test.c +CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc test.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc test.c +LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc test.c '; is_blhc 'bad', '--pie --bindnow', 8, 'CFLAGS missing (-fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-a.c @@ -172,6 +187,11 @@ LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): g++ -g -O2 -fstack-protec LDFLAGS missing (-fPIE -pie -Wl,-z,now): g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -pthread -Wl,-z,relro -o ../src/test/bin/test ../src/test/objs/test.o LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): gcc -o test test-a.o test-b.o test-c.a LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security ../src/test/objs/test.o -o ../src/test/bin/test +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -c -o test test.s +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -E test.c +CFLAGS missing (-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc test.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc test.c +LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): gcc test.c '; is_blhc 'bad', '--all', 8, 'CFLAGS missing (-fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-a.c @@ -194,6 +214,11 @@ LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): g++ -g -O2 -fstack-protec LDFLAGS missing (-fPIE -pie -Wl,-z,now): g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -pthread -Wl,-z,relro -o ../src/test/bin/test ../src/test/objs/test.o LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): gcc -o test test-a.o test-b.o test-c.a LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security ../src/test/objs/test.o -o ../src/test/bin/test +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -c -o test test.s +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -E test.c +CFLAGS missing (-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc test.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc test.c +LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): gcc test.c '; is_blhc 'bad-cflags', '', 8, @@ -204,6 +229,10 @@ CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wfo CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -Wl,-z,relro -o test test.c -ltest CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest +CFLAGS missing (-Wformat): gcc -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -c -D_FORTIFY_SOURCE=2 ../../../../src/test/test.c -o test.so.o +CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc test.c -o test.output +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc test.c -o test.output +LDFLAGS missing (-Wl,-z,relro): gcc test.c -o test.output '; is_blhc 'bad-cflags', '--pie', 8, 'CFLAGS missing (-fPIE -Wformat): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c @@ -215,6 +244,10 @@ CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -Wl,-z,relro -o test test.c -ltest LDFLAGS missing (-fPIE -pie): gcc -Wl,-z,relro -o test test.c -ltest CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest +CFLAGS missing (-Wformat): gcc -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -c -D_FORTIFY_SOURCE=2 ../../../../src/test/test.c -o test.so.o +CFLAGS missing (-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc test.c -o test.output +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc test.c -o test.output +LDFLAGS missing (-fPIE -pie -Wl,-z,relro): gcc test.c -o test.output '; is_blhc 'bad-cflags', '--bindnow', 8, 'CFLAGS missing (-Wformat): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c @@ -227,6 +260,10 @@ LDFLAGS missing (-Wl,-z,now): gcc -Wl,-z,relro -o test test.c -ltest CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest LDFLAGS missing (-Wl,-z,now): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest +CFLAGS missing (-Wformat): gcc -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -c -D_FORTIFY_SOURCE=2 ../../../../src/test/test.c -o test.so.o +CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc test.c -o test.output +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc test.c -o test.output +LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc test.c -o test.output '; is_blhc 'bad-cflags', '--pie --bindnow', 8, 'CFLAGS missing (-fPIE -Wformat): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c @@ -239,12 +276,18 @@ LDFLAGS missing (-fPIE -pie -Wl,-z,now): gcc -Wl,-z,relro -o test test.c -ltest CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest LDFLAGS missing (-Wl,-z,now): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest +CFLAGS missing (-Wformat): gcc -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -c -D_FORTIFY_SOURCE=2 ../../../../src/test/test.c -o test.so.o +CFLAGS missing (-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc test.c -o test.output +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc test.c -o test.output +LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): gcc test.c -o test.output '; is_blhc 'bad-cppflags', '', 8, 'CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-a.c CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-b.c CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-c.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c ../../../../src/test/test.c -o test.so.o +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): g++ -o test -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test-a.cxx test-b.o test-c.o -Wl,-z,relro '; is_blhc 'bad-ldflags', '', 8, @@ -291,13 +334,17 @@ CPPFLAGS missing (-D_FORTIFY_SOURCE=2): \ gcc -g -O2 -fstack-protector --param= '; is_blhc 'bad-library', '--all', 8, - 'CFLAGS missing (-fstack-protector): gcc -D_FORTIFY_SOURCE=2 -g -O2 --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -fPIC -DPIC -o libtest.o + 'CFLAGS missing (-fstack-protector): gcc -D_FORTIFY_SOURCE=2 -g -O2 --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -fPIC -DPIC -o libtest.so +LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc -D_FORTIFY_SOURCE=2 -g -O2 --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -fPIC -DPIC -o libtest.so LDFLAGS missing (-Wl,-z,now): gcc -shared -fPIC -DPIC libtest.o -lpthread -O2 -Wl,relro -Wl,--as-needed -o libtest.so LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc -shared -fPIC -DPIC libtest.o -lpthread -O2 -Wl,--as-needed -o libtest.so LDFLAGS missing (-Wl,-z,now): gcc -shared -fPIC test.o -Wl,-z -Wl,relro -o .libs/libtest.so.1.0.0 LDFLAGS missing (-fPIE -pie -Wl,-z,relro): gcc -shared -o libtest.so.0d ./test-a.o test/./test-b.o -Wl,-z,now -lpthread -ldl LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): /usr/bin/g++ -shared -fpic -o libtest-6.1.so.0 test.o -ltiff -lz LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc -Wl,--as-needed -fPIE -pie -o test.cgi test.o -lgcrypt +CFLAGS missing (-fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -o lib`basename test/test`.so +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -o lib`basename test/test`.so +LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -o lib`basename test/test`.so '; @@ -363,6 +410,9 @@ CFLAGS missing (-fPIE -Wformat): cc -g -O2 -fstack-protector --param=ssp-buffer- CFLAGS missing (-fPIE --param=ssp-buffer-size=4): cc -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c CFLAGS missing (-fPIE -Werror=format-security): cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.c LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): cc -Wl,-z,defs -o test test-a.o test-b.o test-c.o -ltest +CFLAGS missing (-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): cc\ test.cc +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): cc\ test.cc +LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): cc\ test.cc LDFLAGS missing (-fPIE -pie -Wl,-z,now): cc -Wl,-z,defs test-a.o test-b.o test-c.o -ltest -Wl,-z,relro -o test/test-4.2~_4711/test.so test.o '; @@ -375,6 +425,9 @@ CFLAGS missing (-fPIE -Wformat): gcc-4.6 -g -O2 -fstack-protector --param=ssp-bu CFLAGS missing (-fPIE --param=ssp-buffer-size=4): gcc-4.6 -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c CFLAGS missing (-fPIE -Werror=format-security): gcc-4.6 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.c LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): gcc-4.6 -Wl,-z,defs -o test test-a.o test-b.o test-c.o -ltest +CFLAGS missing (-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc\ test.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc\ test.c +LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): gcc\ test.c LDFLAGS missing (-fPIE -pie -Wl,-z,now): gcc-4.6 -Wl,-z,defs test-a.o test-b.o test-c.o -ltest -Wl,-z,relro -o test/test-4.2~_4711/test.so test.o '; @@ -390,6 +443,7 @@ LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): c++ -Wl,-z,defs -o test te LDFLAGS missing (-fPIE -pie -Wl,-z,now): c++ -Wl,-z,defs test-a.o test-b.o test-c.o -ltest -Wl,-z,relro -o test/test-4.2~_4711/test.so test.o CFLAGS missing (-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): c++\ test.c CPPFLAGS missing (-D_FORTIFY_SOURCE=2): c++\ test.c +LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): c++\ test.c CFLAGS missing (-fPIE -Wformat): c++-4.6 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.cpp CFLAGS missing (-fPIE --param=ssp-buffer-size=4): c++-4.6 -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.cpp CFLAGS missing (-fPIE -Werror=format-security): c++-4.6 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.cpp @@ -412,6 +466,9 @@ CFLAGS missing (-fPIE -Werror=format-security): x86_64-linux-gnu-g++ -g -O2 -fst CFLAGS missing (-fPIE): x86_64-linux-gnu-g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-d.cc LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): x86_64-linux-gnu-g++ -Wl,-z,defs -o test test-a.o test-b.o test-c.o test-d.o -ltest LDFLAGS missing (-fPIE -pie -Wl,-z,now): g++ -Wl,-z,defs test-a.o test-b.o test-c.o -ltest -Wl,-z,relro -o test/test-4.2~_4711/test.so test.o +CFLAGS missing (-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): g++\ test.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): g++\ test.c +LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): g++\ test.c CFLAGS missing (-fPIE -Wformat): g++-4.6 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.cpp CFLAGS missing (-fPIE --param=ssp-buffer-size=4): g++-4.6 -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.cpp CFLAGS missing (-fPIE -Werror=format-security): g++-4.6 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.cpp -- 2.43.2