[blhc/blhc.git] / blhc

#!/usr/bin/perl

# Build log hardening check, checks build logs for missing hardening flags.

# Copyright (C) 2012-2024  Simon Ruderich
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.


use strict;
use warnings;

use Getopt::Long ();
use Text::ParseWords ();

our $VERSION = '0.14';


# CONSTANTS/VARIABLES

# Regex to catch compiler commands.
my $cc_regex = qr/
    (?<!\s-)               # ignore options, e.g. "-c++" [sic!] (used by swig)
    (?<!\.)                # ignore file names, e.g. "test.gcc"
    (?:cc|gcc|g\+\+|c\+\+|gfortran|mpicc|mpicxx|mpifort)
    (?:-[\d.]+)?           # version suffix, e.g. "gcc-4.6"
    /x;
# Full regex which matches the complete compiler name. Used in a few places to
# prevent false negatives.
my $cc_regex_full_prefix = qr/
    [a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?
    /x;
my $cc_regex_full = qr/
    (?:$cc_regex_full_prefix-)?
    $cc_regex
    /x;
# Regex to check if a line contains a compiler command.
my $cc_regex_normal = qr/
    \b$cc_regex(?:\s|\\)
    /x;
my $rustc_regex = qr/
    \brustc\b
    /x;
# Regex to catch (GCC) compiler warnings.
my $warning_regex = qr/^(.+?):(\d+):\d+: warning: (.+?) \[(.+?)\]$/;
# Regex to catch libtool commands and not lines which show commands executed
# by libtool (e.g. libtool: link: ...).
my $libtool_regex = qr/\blibtool["']?\s.*--mode=/;
my $libtool_link_regex = qr/\blibtool: link: /;

# List of source file extensions which require preprocessing.
my @source_preprocess_compile_cpp = (
    # C++
    qw( cc cp cxx cpp CPP c++ C ),
    # Objective-C++
    qw( mm M ),
);
my @source_preprocess_compile_fortran = (
    # Fortran
    qw( F FOR fpp FPP FTN F90 F95 F03 F08 ),
);
my @source_preprocess_compile = (
    # C
    qw( c ),
    # Objective-C
    qw( m ),
    # (Objective-)C++
    @source_preprocess_compile_cpp,
    # Fortran
    @source_preprocess_compile_fortran,
);
my @source_preprocess_no_compile = (
    # Assembly
    qw( S sx ),
);
my @source_preprocess = (
    @source_preprocess_compile,
    @source_preprocess_no_compile,
);
# List of source file extensions which don't require preprocessing.
my @source_no_preprocess_compile_cpp = (
    # C++
    qw( ii ),
    # Objective-C++
    qw( mii ),
);
my @source_no_preprocess_compile_ada = (
    # Ada source
    qw( ada ),
    # Ada body
    qw( adb ),
);
my @source_no_preprocess_compile_fortran = (
    # Fortran
    qw( f for ftn f90 f95 f03 f08 ),
);
my @source_no_preprocess_compile = (
    # C
    qw( i ),
    # (Objective-)C++
    @source_no_preprocess_compile_cpp,
    # Objective-C
    qw( mi ),
    # Fortran
    @source_no_preprocess_compile_fortran,
    # Ada
    @source_no_preprocess_compile_ada,
);
my @source_no_preprocess_no_compile_ada = (
    # Ada specification
    qw( ads ),
);
my @source_no_preprocess_no_compile = (
    # Assembly
    qw( s ),
    # Ada
    @source_no_preprocess_no_compile_ada,
);
my @source_no_preprocess = (
    @source_no_preprocess_compile,
    @source_no_preprocess_no_compile,
);
# List of header file extensions which require preprocessing.
my @header_preprocess = (
    # C, C++, Objective-C, Objective-C++
    qw( h ),
    # C++
    qw( hh H hp hxx hpp HPP h++ tcc ),
);
# Object files.
my @object = (
    # Normal object files.
    qw ( o ),
    # Libtool object files.
    qw ( lo la ),
    # Dynamic libraries. bzip2 uses .sho.
    qw ( so sho ),
    # Static libraries.
    qw ( a ),
);

# Hashes for fast extensions lookup to check if a file falls in one of these
# categories.
my %extensions_no_preprocess = map { $_ => 1 } (
    # There's no @header_no_preprocess.
    @source_no_preprocess,
);
my %extensions_preprocess = map { $_ => 1 } (
    @header_preprocess,
    @source_preprocess,
);
my %extensions_compile_link = map { $_ => 1 } (
    @source_preprocess,
    @source_no_preprocess,
);
my %extensions_compile = map { $_ => 1 } (
    @source_preprocess_compile,
    @source_no_preprocess_compile,
);
my %extensions_no_compile = map { $_ => 1 } (
    @source_preprocess_no_compile,
    @source_no_preprocess_no_compile,
);
my %extensions_compile_cpp = map { $_ => 1 } (
    @source_preprocess_compile_cpp,
    @source_no_preprocess_compile_cpp,
);
my %extensions_ada = map { $_ => 1 } (
    @source_no_preprocess_compile_ada,
    @source_no_preprocess_no_compile_ada,
);
my %extensions_fortran = map { $_ => 1 } (
    @source_no_preprocess_compile_fortran,
    @source_preprocess_compile_fortran,
);
my %extensions_object = map { $_ => 1 } (
    @object,
);
my %extension = map { $_ => 1 } (
    @source_no_preprocess,
    @header_preprocess,
    @source_preprocess,
    @object,
);

# Regexp to match file extensions.
my $file_extension_regex = qr/
    \s
    \S+             # Filename without extension.
    \.
    ([^\/\\.,;:\s]+)# File extension.
    (?=\s|\\)       # At end of word. Can't use \b because some files have non
                    # word characters at the end and because \b matches double
                    # extensions (like .cpp.o). Works always as all lines are
                    # terminated with "\n".
    /x;

# Expected (hardening) flags. All flags are used as regexps (and compiled to
# real regexps below for better execution speed).
my @def_cflags = (
    '-g3?',
    '-O(?:2|3)', # keep at index 1, search for @def_cflags_debug to change it
);
my @def_cflags_debug = (
    # These flags indicate a debug build which disables checks for -O2.
    '-O0',
    '-Og',
);
my @def_cflags_format = (
    '-Wformat(?:=2)?', # -Wformat=2 implies -Wformat, accept it too
    '-Werror=format-security', # implies -Wformat-security
);
my @def_cflags_fortify = (
    # fortify needs at least -O1, but -O2 is recommended anyway
);
my @def_cflags_stack = (
    '-fstack-protector', # keep first, used by cflags_stack_broken()
    '--param[= ]ssp-buffer-size=4',
);
my @def_cflags_stack_strong = (
    '-fstack-protector-strong', # keep first, used by cflags_stack_broken()
);
my @def_cflags_stack_bad = (
    # Blacklist all stack protector options for simplicity.
    '-fno-stack-protector',
    '-fno-stack-protector-all',
    '-fno-stack-protector-strong',
);
my @def_cflags_stack_clash = (
    '-fstack-clash-protection',
);
my @def_cflags_pie = (
    '-fPIE',
);
my @def_cflags_branch_amd64 = (
    '-fcf-protection',
);
my @def_cflags_branch_arm64 = (
    '-mbranch-protection=standard',
);
my @def_cxxflags = (
    @def_cflags,
);
# @def_cxxflags_* is the same as @def_cflags_*.
my @def_cppflags = ();
my @def_cppflags_fortify = (
    '-D_FORTIFY_SOURCE=[23]', # must be first, see cppflags_fortify_broken()
    # If you add another flag fix hack below (search for "Hack to fix") and
    # $def_cppflags_fortify[0].
);
my @def_cppflags_fortify_bad = (
    # These flags may overwrite -D_FORTIFY_SOURCE=2.
    '-U_FORTIFY_SOURCE',
    '-D_FORTIFY_SOURCE=0',
    '-D_FORTIFY_SOURCE=1',
);
my @def_ldflags = ();
my @def_ldflags_relro = (
    '-Wl,(?:-z,)?relro',
);
my @def_ldflags_bindnow = (
    '-Wl,(?:-z,)?now',
);
my @def_ldflags_pie = (
    '-fPIE',
    '-pie',
);
my @def_ldflags_pic = (
    '-fPIC',
    '-fpic',
    '-shared',
);
# References to all flags checked by the flag checker.
my @flag_refs = (
    \@def_cflags,
    \@def_cflags_format,
    \@def_cflags_fortify,
    \@def_cflags_stack,
    \@def_cflags_stack_strong,
    \@def_cflags_stack_bad,
    \@def_cflags_stack_clash,
    \@def_cflags_pie,
    \@def_cflags_branch_amd64,
    \@def_cflags_branch_arm64,
    \@def_cxxflags,
    \@def_cppflags,
    \@def_cppflags_fortify,
    \@def_ldflags,
    \@def_ldflags_relro,
    \@def_ldflags_bindnow,
    \@def_ldflags_pie,
);
# References to all used flags.
my @flag_refs_all = (
    @flag_refs,
    \@def_cflags_debug,
    \@def_cppflags_fortify_bad,
    \@def_ldflags_pic,
);
# Renaming rules for the output so the regex parts are not visible. Also
# stores string values of flag regexps above, see compile_flag_regexp().
my %flag_renames = (
    '-g3?'                         => '-g',
    '-O(?:2|3)'                    => '-O2',
    '-Wformat(?:=2)?'              => '-Wformat',
    '--param[= ]ssp-buffer-size=4' => '--param=ssp-buffer-size=4',
    '-D_FORTIFY_SOURCE=[23]'       => '-D_FORTIFY_SOURCE=2',
    '-Wl,(?:-z,)?relro'            => '-Wl,-z,relro',
    '-Wl,(?:-z,)?now'              => '-Wl,-z,now',
);

my %exit_code = (
    no_compiler_commands => 1 << 0,
    # used by POD::Usage => 1 << 1,
    non_verbose_build    => 1 << 2,
    flags_missing        => 1 << 3,
    hardening_wrapper    => 1 << 4,
    invalid_cmake        => 1 << 5,
);

my %buildd_tag = (
    no_compiler_commands => 'I-no-compiler-commands',
    non_verbose_build    => 'W-compiler-flags-hidden',
    flags_missing        => 'W-dpkg-buildflags-missing',
    hardening_wrapper    => 'I-hardening-wrapper-used',
    invalid_cmake        => 'I-invalid-cmake-used',
);

# Statistics of missing flags and non-verbose build commands. Used for
# $option_buildd.
my %statistics = (
    preprocess          => 0,
    preprocess_missing  => 0,
    compile             => 0,
    compile_missing     => 0,
    compile_cpp         => 0,
    compile_cpp_missing => 0,
    link                => 0,
    link_missing        => 0,
    commands            => 0,
    commands_nonverbose => 0,
);

# Use colored (ANSI) output?
my $option_color;


# FUNCTIONS

sub split_line {
    my ($line) = @_;

    my @work = ($line);
    foreach my $delim (';', '&&', '||') {
        my @x;
        foreach (@work) {
            push @x, Text::ParseWords::parse_line(qr/\Q$delim\E/, 1, $_);
        }
        @work = @x;
    }

    return map {
        # Ensure newline at the line end - necessary for
        # correct parsing later.
        $_ =~ s/\s+$//;
        $_ .= "\n";
    } @work;
}

sub error_flags {
    my ($message, $missing_flags_ref, $flag_renames_ref, $line, $number) = @_;

    # Get string value of qr//-escaped regexps and if requested rename them.
    my @missing_flags = map {
            $flag_renames_ref->{$_}
        } @{$missing_flags_ref};

    my $flags = join ' ', @missing_flags;
    printf '%d:', $number if defined $number;
    printf '%s (%s)%s %s',
           error_color($message, 'red'), $flags, error_color(':', 'yellow'),
           $line;

    return;
}
sub error_non_verbose_build {
    my ($line, $number) = @_;

    printf '%d:', $number if defined $number;
    printf '%s%s %s',
           error_color('NONVERBOSE BUILD', 'red'),
           error_color(':', 'yellow'),
           $line;

    return;
}
sub error_invalid_cmake {
    my ($version) = @_;

    printf "%s%s %s\n",
            error_color('INVALID CMAKE', 'red'),
            error_color(':', 'yellow'),
            $version;

    return;
}
sub error_hardening_wrapper {
    printf "%s%s %s\n",
            error_color('HARDENING WRAPPER', 'red'),
            error_color(':', 'yellow'),
            'no checks possible, aborting';

    return;
}
sub error_color {
    my ($message, $color) = @_;

    if ($option_color) {
        return Term::ANSIColor::colored($message, $color);
    } else {
        return $message;
    }
}

sub any_flags_used {
    my ($line, @flags) = @_;

    foreach my $flag (@flags) {
        return 1 if $line =~ /$flag/;
    }

    return 0;
}
sub all_flags_used {
    my ($line, $missing_flags_ref, @flags) = @_;

    my @missing_flags = ();
    foreach my $flag (@flags) {
        if (not $line =~ /$flag/) {
            push @missing_flags, $flag;
        }
    }

    return 1 if scalar @missing_flags == 0;

    @{$missing_flags_ref} = @missing_flags;
    return 0;
}
# Check if any of \@bad_flags occurs after $good_flag. Doesn't check if
# $good_flag is present.
sub flag_overwritten {
    my ($line, $good_flag, $bad_flags) = @_;

    if (not any_flags_used($line, @{$bad_flags})) {
        return 0;
    }

    my $bad_pos = 0;
    foreach my $flag (@{$bad_flags}) {
        while ($line =~ /$flag/g) {
            if ($bad_pos < $+[0]) {
                $bad_pos = $+[0];
            }
        }
    }
    my $good_pos = 0;
    while ($line =~ /$good_flag/g) {
        $good_pos = $+[0];
    }
    if ($good_pos > $bad_pos) {
        return 0;
    }
    return 1;
}

sub cppflags_fortify_broken {
    my ($line, $missing_flags) = @_;

    # $def_cppflags_fortify[0] must be -D_FORTIFY_SOURCE=2!
    my $fortify_source = $def_cppflags_fortify[0];

    # Some build systems enable/disable fortify source multiple times, check
    # the final result.
    if (not flag_overwritten($line,
                             $fortify_source,
                             \@def_cppflags_fortify_bad)) {
        return 0;
    }
    push @{$missing_flags}, $fortify_source;
    return 1;
}

sub cflags_stack_broken {
    my ($line, $missing_flags, $strong) = @_;

    my $flag = $strong ? $def_cflags_stack_strong[0]
                       : $def_cflags_stack[0];

    if (not flag_overwritten($line, $flag, \@def_cflags_stack_bad)) {
        return 0;
    }
    push @{$missing_flags}, $flag;
    return 1;
}

# Modifies $missing_flags_ref array.
sub pic_pie_conflict {
    my ($line, $pie, $missing_flags_ref, @flags_pie) = @_;

    return 0 if not $pie;
    return 0 if not any_flags_used($line, @def_ldflags_pic);

    my %flags = map { $_ => 1 } @flags_pie;

    # Remove all PIE flags from @missing_flags as they are not required with
    # -fPIC.
    my @result = grep {
        not exists $flags{$_}
    } @{$missing_flags_ref};
    @{$missing_flags_ref} = @result;

    # We got a conflict when no flags are left, thus only PIE flags were
    # missing. If other flags were missing abort because the conflict is not
    # the problem.
    return scalar @result == 0;
}

sub is_non_verbose_build {
    my ($line, $cargo, $skip_ref, $input_ref, $line_offset, $line_count) = @_;

    if ($line =~ /$libtool_regex/o) {
        # libtool's --silent hides the real compiler flags.
        if ($line =~ /\s--silent/) {
            return 1;
        # If --silent is not present, skip this line as some compiler flags
        # might be missing (e.g. -fPIE) which are handled correctly by libtool
        # internally. libtool displays the real compiler command on the next
        # line, so the flags are checked as usual.
        } else {
            ${$skip_ref} = 1;
            return 0;
        }
    }

    if (not (index($line, 'checking if you want to see long compiling messages... no') == 0
                or $line =~ /^\s*\[?(?:CC|CCLD|C\+\+|CXX|CXXLD|LD|LINK)\]?\s+(.+?)$/
                or $line =~ /^\s*[][\/0-9 ]*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/
                or $line =~ /^\s*[Bb]uilding (?:program|shared library)\s+(.+?)$/
                or $line =~ /^\s*\[[\d ]+%\] Building (?:C|CXX) object (.+?)$/)) {
        return 0;
    }

    # False positives.
    #
    # C++ compiler setting.
    return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;
    return 0 if $line =~ /^\s*C\+\+ Library: stdc\+\+$/;
    return 0 if $line =~ /^\s*CXX\s*:\s*g\+\+\s*$/;
    # "Compiling" non binary files.
    return 0 if $line =~ /^\s*Compiling \S+\.(?:py|pyx|el)['"]?\s*(?:\.\.\.|because it changed\.)?$/;
    return 0 if $line =~ /^\s*[Cc]ompiling catalog \S+\.po\b/;
    # cargo build
    return 0 if $cargo and $line =~ m{^\s*Compiling\s+\S+\s+v\S+(?:\s+\(/(?:<<PKGBUILDDIR>>|builds/\S+)\))?$};
    # "Compiling" with no file name.
    if ($line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/) {
        # $file_extension_regex may need spaces around the filename.
        return 0 if not " $1 " =~ /$file_extension_regex/o;
    }

    my $file = $1;

    # On the first pass we only check if this line is verbose or not.
    return 1 if not defined $input_ref;

    # Second pass, we have access to the next lines.
    ${$skip_ref} = 0;

    # CMake and other build systems print the non-verbose messages also when
    # building verbose. If a compiler and the file name occurs in the next
    # lines, treat it as verbose build.
    if (defined $file) {
        # Get filename, we can't use the complete path as only parts of it are
        # used in the real compiler command.
        $file =~ m{/([^/\s]+)$};
        $file = $1;

        for (my $i = 1; $i <= $line_count; $i++) {
            my $next_line = $input_ref->[$line_offset + $i];
            last unless defined $next_line;

            if (index($next_line, $file) != -1 and $next_line =~ /$cc_regex/o) {
                # Not a non-verbose line, but we still have to skip the
                # current line as it doesn't contain any compiler commands.
                ${$skip_ref} = 1;
                return 0;
            }
        }
    }

    return 1;
}

# Remove @flags from $flag_refs_ref, uses $flag_renames_ref as reference.
sub remove_flags {
    my ($flag_refs_ref, $flag_renames_ref, @flags) = @_;

    my %removes = map { $_ => 1 } @flags;
    foreach my $flags (@{$flag_refs_ref}) {
        @{$flags} = grep {
            # Flag found as string.
            not exists $removes{$_}
            # Flag found as string representation of regexp.
                and (not defined $flag_renames_ref->{$_}
                        or not exists $removes{$flag_renames_ref->{$_}})
        } @{$flags};
    }

    return;
}

# Modifies $flag_renames_ref hash.
sub compile_flag_regexp {
    my ($flag_renames_ref, @flags) = @_;

    my @result = ();
    foreach my $flag (@flags) {
        # Compile flag regexp for faster execution.
        my $regex = qr/\s(['"]?)$flag\1(?:\s|\\)/;

        # Store flag name in replacement string for correct flags in messages
        # with qr//ed flag regexps.
        $flag_renames_ref->{$regex}
            = (exists $flag_renames_ref->{$flag})
                ? $flag_renames_ref->{$flag}
                : $flag;

        push @result, $regex;
    }
    return @result;
}

# Does any extension in @extensions exist in %{$extensions_ref}?
sub extension_found {
    my ($extensions_ref, @extensions) = @_;

    foreach my $extension (@extensions) {
        if (exists $extensions_ref->{$extension}) {
            return 1;
        }
    }
    return 0;
}


# MAIN

# Parse command line arguments.
my $option_help             = 0;
my $option_version          = 0;
my $option_pie              = 0;
my $option_bindnow          = 0;
my @option_ignore_arch      = ();
my @option_ignore_flag      = ();
my @option_ignore_arch_flag = ();
my @option_ignore_line      = ();
my @option_ignore_arch_line = ();
my $option_all              = 0;
my $option_arch             = undef;
my $option_buildd           = 0;
my $option_debian           = 0;
   $option_color            = 0;
my $option_line_numbers     = 0;
if (not Getopt::Long::GetOptions(
            'help|h|?'           => \$option_help,
            'version'            => \$option_version,
            # Hardening options.
            'pie'                => \$option_pie,
            'bindnow'            => \$option_bindnow,
            'all'                => \$option_all,
            # Ignore.
            'ignore-arch=s'      => \@option_ignore_arch,
            'ignore-flag=s'      => \@option_ignore_flag,
            'ignore-arch-flag=s' => \@option_ignore_arch_flag,
            'ignore-line=s'      => \@option_ignore_line,
            'ignore-arch-line=s' => \@option_ignore_arch_line,
            # Misc.
            'color'              => \$option_color,
            'arch=s'             => \$option_arch,
            'buildd'             => \$option_buildd,
            'debian'             => \$option_debian,
            'line-numbers'       => \$option_line_numbers,
        )) {
    require Pod::Usage;
    Pod::Usage::pod2usage(2);
}
if ($option_help) {
    require Pod::Usage;
    Pod::Usage::pod2usage(1);
}
if ($option_version) {
    print <<"EOF";
blhc $VERSION  Copyright (C) 2012-2024  Simon Ruderich

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
EOF
    exit 0;
}

# Arguments missing.
if (scalar @ARGV == 0) {
    require Pod::Usage;
    Pod::Usage::pod2usage(2);
}

# Don't load Term::ANSIColor in buildd mode because Term::ANSIColor is not
# installed on Debian's buildds.
if (not $option_buildd) {
    require Term::ANSIColor;
}

if ($option_all) {
    $option_pie     = 1;
    $option_bindnow = 1;
}

# Precompiled ignores for faster lookup.
my %option_ignore_arch_flag = ();
my %option_ignore_arch_line = ();

# Strip flags which should be ignored.
if (scalar @option_ignore_flag > 0) {
    remove_flags(\@flag_refs, \%flag_renames, @option_ignore_flag);
}
# Same for arch specific ignore flags, but only prepare here.
if (scalar @option_ignore_arch_flag > 0) {
    foreach my $ignore (@option_ignore_arch_flag) {
        my ($ignore_arch, $ignore_flag) = split /:/, $ignore, 2;

        if (not $ignore_arch or not $ignore_flag) {
            printf STDERR 'Value "%s" invalid for option ignore-arch-flag '
                        . '("arch:flag" expected)' . "\n", $ignore;
            require Pod::Usage;
            Pod::Usage::pod2usage(2);
        }

        push @{$option_ignore_arch_flag{$ignore_arch}}, $ignore_flag;
    }
}

# Precompile all flag regexps. any_flags_used(), all_flags_used() get a lot
# faster with this.
foreach my $flags (@flag_refs_all) {
    @{$flags} = compile_flag_regexp(\%flag_renames, @{$flags});
}

# Precompile ignore line regexps, also anchor at beginning and end of line.
# Additional entries are also extracted from the build log, see below.
foreach my $ignore (@option_ignore_line) {
    $ignore = qr/^$ignore$/;
}
# Same for arch specific ignore lines.
if (scalar @option_ignore_arch_line > 0) {
    foreach my $ignore (@option_ignore_arch_line) {
        my ($ignore_arch, $ignore_line) = split /:/, $ignore, 2;

        if (not $ignore_arch or not $ignore_line) {
            printf STDERR 'Value "%s" invalid for option ignore-arch-line '
                        . '("arch:line" expected)' . "\n", $ignore;
            require Pod::Usage;
            Pod::Usage::pod2usage(2);
        }

        push @{$option_ignore_arch_line{$ignore_arch}}, qr/^$ignore_line$/;
    }
}

# Final exit code.
my $exit = 0;

FILE:
foreach my $file (@ARGV) {
    print "checking '$file'...\n" if scalar @ARGV > 1;

    -f $file or die "No such file: $file";

    open my $fh, '<', $file or die $!;

    # Architecture of this file.
    my $arch = $option_arch;

    # Hardening options. Not all architectures support all hardening options.
    my $harden_format  = 1;
    my $harden_fortify = 1;
    my $harden_stack   = 1;
    my $harden_stack_strong = 1;
    my $harden_stack_clash = 1;
    my $harden_branch  = 1;
    my $harden_relro   = 1;
    my $harden_bindnow = $option_bindnow; # defaults to 0
    my $harden_pie     = $option_pie;     # defaults to 0

    # Number of parallel jobs to prevent false positives when detecting
    # non-verbose builds. As not all jobs declare the number of parallel jobs
    # use a large enough default.
    my $parallel = 10;

    # Don't check for PIE flags if automatically applied by the compiler. Only
    # used in buildd and Debian mode.
    my $disable_harden_pie = 0;
    if ($option_debian) {
        $disable_harden_pie = 1;
    }

    # Ignore additional false positives if cargo/rust is used
    my $cargo = 0;

    my $number = 0;
    while (my $line = <$fh>) {
        $number++;

        # Detect architecture automatically unless overridden. For buildd logs
        # only, doesn't use the dpkg-buildpackage header. Necessary to ignore
        # build logs which aren't built (wrong architecture, build error,
        # etc.).
        if (not $arch) {
            if (index($line, 'Build Architecture: ') == 0) {
                $arch = substr $line, 20, -1; # -1 to ignore '\n' at the end
            # For old logs (sbuild << 0.63.0-1).
            } elsif (index($line, 'Architecture: ') == 0) {
                $arch = substr $line, 14, -1; # -1 to ignore '\n' at the end
            }
        }

        # dpkg-buildflags only provides hardening flags since 1.16.1, don't
        # check for hardening flags in buildd mode if an older dpkg-dev is
        # used. Default flags (-g -O2) are still checked.
        #
        # Packages which were built before 1.16.1 but used their own hardening
        # flags are not checked.
        #
        # Strong stack protector is used since dpkg 1.17.11.
        #
        # Recent GCC versions automatically use PIE (only on supported
        # architectures) and dpkg respects this properly since 1.18.15 and
        # doesn't pass PIE flags manually.
        if ($option_buildd
                and index($line, 'Toolchain package versions: ') == 0) {
            require Dpkg::Version;

            my $disable = 1;
            my $disable_strong = 1;
            my $disable_clash = 1;
            my $disable_branch = 1;

            if ($line =~ /\bdpkg-dev_(\S+)/) {
                if (Dpkg::Version::version_compare($1, '1.16.1') >= 0) {
                    $disable = 0;
                }
                if (Dpkg::Version::version_compare($1, '1.17.11') >= 0) {
                    $disable_strong = 0;
                }
                if (Dpkg::Version::version_compare($1, '1.18.15') >= 0) {
                    $disable_harden_pie = 1;
                }
                if (Dpkg::Version::version_compare($1, '1.22.0') >= 0) {
                    $disable_clash = 0;
                    $disable_branch = 0;
                }
            }

            if ($disable) {
                $harden_format  = 0;
                $harden_fortify = 0;
                $harden_stack   = 0;
                $harden_relro   = 0;
                $harden_bindnow = 0;
                $harden_pie     = 0;
            }
            if ($disable_strong) {
                $harden_stack_strong = 0;
            }
            if ($disable_clash) {
                $harden_stack_clash = 0;
            }
            if ($disable_branch) {
                $harden_branch = 0;
            }
        }

        # The following two versions of CMake in Debian obeyed CPPFLAGS, but
        # this was later dropped because upstream rejected the patch. Thus
        # build logs with these versions will have fortify hardening flags
        # enabled, even though they may be not correctly set and are missing
        # when build with later CMake versions. Thanks to Aron Xu for letting
        # me know.
        if (index($line, 'Package versions: ') == 0
                and $line =~ /\bcmake_(\S+)/
                and ($1 eq '2.8.7-1' or $1 eq '2.8.7-2')) {
            if (not $option_buildd) {
                error_invalid_cmake($1);
                $exit |= $exit_code{invalid_cmake};
            } else {
                print "$buildd_tag{invalid_cmake}|$1|\n";
            }
        }

        # Debian's build daemons use "Filtered Build-Depends:" (or just
        # "Build-Depends:" in older versions) for the build dependencies, but
        # pbuilder uses "Depends:"; support both.
        if (index($line, 'Filtered Build-Depends: ') == 0
                or index($line, 'Build-Depends: ') == 0
                or index($line, 'Depends: ') == 0) {
            # If hardening wrapper is used (wraps calls to gcc and adds
            # hardening flags automatically) we can't perform any checks,
            # abort.
            if ($line =~ /\bhardening-wrapper\b/) {
                if (not $option_buildd) {
                    error_hardening_wrapper();
                    $exit |= $exit_code{hardening_wrapper};
                } else {
                    print "$buildd_tag{hardening_wrapper}||\n";
                }
                next FILE;
            }

            if ($line =~ /\bcargo\b/) {
                $cargo = 1;
            }
        }

        # This flags is not always available, but if it is use it.
        if ($line =~ /^DEB_BUILD_OPTIONS=.*\bparallel=(\d+)/) {
            $parallel = $1 * 2;
        }

        # We skip over unimportant lines at the beginning of the log to
        # prevent false positives.
        last if index($line, 'dpkg-buildpackage: ') == 0;
    }

    # Input lines, contain only the lines with compiler commands.
    my @input = ();
    # Non-verbose lines in the input. Used to reduce calls to
    # is_non_verbose_build() (which is quite slow) in the second loop when
    # it's already clear if a line is non-verbose or not.
    my @input_nonverbose = ();
    # Input line number.
    my @input_number = ();

    my $continuation = 0;
    my $complete_line = undef;
    my $non_verbose;
    while (my $line = <$fh>) {
        $number++;

        # And stop at the end of the build log. Package details (reported by
        # the buildd logs) are not important for us. This also prevents false
        # positives.
        last if index($line, 'Build finished at ') == 0
                and $line =~ /^Build finished at \d{8}-\d{4}$/;

        if (not $continuation) {
            $non_verbose = 0;
        }

        # Detect architecture automatically unless overridden.
        if (not $arch
                and index($line, 'dpkg-buildpackage: info: host architecture ') == 0) {
            $arch = substr $line, 43, -1; # -1 to ignore '\n' at the end
        # Older versions of dpkg-buildpackage
        } elsif (not $arch
                and index($line, 'dpkg-buildpackage: host architecture ') == 0) {
            $arch = substr $line, 37, -1; # -1 to ignore '\n' at the end

            # Old buildd logs use e.g. "host architecture is alpha", remove
            # the "is", otherwise debarch_to_debtriplet() will not detect the
            # architecture.
            if (index($arch, 'is ') == 0) {
                $arch = substr $arch, 3;
            }
        }

        # Permit dynamic excludes from within the build log to ignore false
        # positives. Cannot use a separate config file as we often only have
        # the build log itself.
        if (index($line, 'blhc: ignore-line-regexp: ') == 0) {
            my $ignore = substr $line, 26, -1; # -1 to ignore '\n' at the end
            push @option_ignore_line, qr/^$ignore$/;
            next;
        }

        next if $line =~ /^\s*#/;
        # Ignore compiler warnings for now.
        next if $line =~ /$warning_regex/o;

        if (not $option_buildd and index($line, "\033") != -1) { # \033 = esc
            # Remove all ANSI color sequences which are sometimes used in
            # non-verbose builds.
            $line = Term::ANSIColor::colorstrip($line);
            # Also strip '\0xf' (delete previous character), used by Elinks'
            # build system.
            $line =~ s/\x0f//g;
            # And "ESC(B" which seems to be used on armhf and hurd (not sure
            # what it does).
            $line =~ s/\033\(B//g;
        }

        # Check if this line indicates a non verbose build.
        my $skip = 0;
        $non_verbose |= is_non_verbose_build($line, $cargo, \$skip);
        next if $skip;

        # Treat each command as a single line so we don't ignore valid
        # commands when handling false positives. split_line() is slow, only
        # use it when necessary.
        my @line = ($line !~ /(?:;|&&|\|\|)/)
                 ? ($line)
                 : split_line($line);
        foreach my $line (@line) {
            if ($continuation) {
                $continuation = 0;

                # Join lines, but leave the "\" in place so it's clear where
                # the original line break was.
                chomp $complete_line;
                $complete_line .= ' ' . $line;
            }
            # Line continuation, line ends with "\".
            if ($line =~ /\\$/) {
                $continuation = 1;
                # Start line continuation.
                if (not defined $complete_line) {
                    $complete_line = $line;
                }
                next;
            }

            # Use the complete line if a line continuation occurred.
            if (defined $complete_line) {
                $line = $complete_line;
                $complete_line = undef;
            }

            my $noenv = $line;
            # Strip (basic) environment variables for compiler detection. This
            # prevents false positives when environment variables contain
            # compiler binaries. Nested quotes, command substitution, etc. is
            # not supported.
            $noenv =~ s/^
                \s*
                (?:
                    [a-zA-Z_]+          # environment variable name
                    =
                    (?:
                        [^\s"'\$`\\]+   # non-quoted string
                        |
                        '[^"'\$`\\]*'   # single-quoted string
                        |
                        "[^"'\$`\\]*"   # double-quoted string
                    )
                    \s+
                )*
            //x;
            # Ignore lines with no compiler commands.
            next if not $non_verbose
                    and not $noenv =~ /$cc_regex_normal/o;
            # Ignore lines with no filenames with extensions. May miss some
            # non-verbose builds (e.g. "gcc -o test" [sic!]), but shouldn't be
            # a problem as the log will most likely contain other non-verbose
            # commands which are detected.
            next if not $non_verbose
                    and not $line =~ /$file_extension_regex/o;

            # Ignore false positives.
            #
            # `./configure` output.
            next if not $non_verbose
                    and $line =~ /^(?:checking|[Cc]onfigure:) /;
            next if $line =~ /^\s*(?:Host\s+)?(?:C(?:\+\+)?\s+)?
                                [Cc]ompiler[\s.]*:?\s+
                                /x;
            next if $line =~ m{^\s*(?:-\s)?(?:HOST_)?(?:CC|CXX)
                                \s*=\s*$cc_regex_full
                                # optional compiler options, don't allow
                                # "everything" here to prevent false negatives
                                \s*(?:\s-\S+)*\s*$}xo;
            # `echo` is never a compiler command
            next if $line =~ /^\s*echo\s/;
            # Ignore calls to `make` because they can contain environment
            # variables which look like compiler commands, e.g. CC=).
            next if $line =~ /^\s*make\s/;
            # `moc-qt4`/`moc-qt5` contain '-I.../linux-g++' in their command
            # line (or similar for other architectures) which gets recognized
            # as a compiler line, but `moc-qt*` is only a preprocessor for Qt
            # C++ files. No hardening flags are relevant during this step,
            # thus ignore `moc-qt*` lines. The resulting files will be
            # compiled in a separate step (and therefore checked).
            next if $line =~ m{^\S+(?:/bin/moc(?:-qt[45])?|/lib/qt6/libexec/moc)
                               \s.+\s
                               -I\S+/mkspecs/[a-z]+-g\++(?:-64)?
                               \s}x;
            # nvcc is not a regular C compiler
            next if $line =~ m{^\S+/bin/nvcc\s};
            # Ignore false positives when the line contains only CC=gcc but no
            # other gcc command.
            if ($line =~ /(.*)CC=$cc_regex_full(.*)/o) {
                my $before = $1;
                my $after  = $2;
                next if     not $before =~ /$cc_regex_normal/o
                        and not $after  =~ /$cc_regex_normal/o;
            }
            # Ignore false positives caused by gcc -v. It outputs a line
            # looking like a normal compiler line but which is sometimes
            # missing hardening flags, although the normal compiler line
            # contains them.
            next if $line =~ m{^\s+/usr/lib/gcc/$cc_regex_full_prefix/
                                   [0-9.]+/cc1(?:plus)?}xo;
            # Ignore false positive with `rm` which may remove files which
            # look like a compiler executable thus causing the line to be
            # treated as a normal compiler line.
            next if $line =~ m{^\s*rm\s+};
            next if $line =~ m{^\s*dwz\s+};
            # Some build systems emit "gcc > file".
            next if $line =~ m{$cc_regex_normal\s*>\s*\S+}o;
            # Hex output may contain "cc".
            next if $line =~ m#(?:\b[0-9a-fA-F]{2,}\b\s*){5}#;
            # Meson build output
            next if $line =~ /^C\+\+ linker for the host machine: /;
            # Embedded `gcc -print-*` commands
            next if $line =~ /`$cc_regex_normal\s*[^`]*-print-\S+`/;
            # cmake checking for compiler flags without setting CPPFLAGS
            next if $line =~ m{^\s*/usr/(bin|lib)/(ccache/)?c\+\+ (?:-std=\S+ )?-dM -E -c /usr/share/cmake-\S+/Modules/CMakeCXXCompilerABI\.cpp};
            # Some rustc lines look like linker commands
            next if $cargo and $line =~ /$rustc_regex/o;

            # Check if additional hardening options were used. Used to ensure
            # they are used for the complete build.
            $harden_pie     = 1 if any_flags_used($line, @def_cflags_pie,
                                                         @def_ldflags_pie);
            $harden_bindnow = 1 if any_flags_used($line, @def_ldflags_bindnow);

            push @input, $line;
            push @input_nonverbose, $non_verbose;
            push @input_number, $number if $option_line_numbers;
        }
    }

    close $fh or die $!;

    # Ignore arch if requested.
    if (scalar @option_ignore_arch > 0 and $arch) {
        foreach my $ignore (@option_ignore_arch) {
            if ($arch eq $ignore) {
                print "ignoring architecture '$arch'\n";
                next FILE;
            }
        }
    }

    if (scalar @input == 0) {
        if (not $cargo) {
            if (not $option_buildd) {
                print "No compiler commands!\n";
                $exit |= $exit_code{no_compiler_commands};
            } else {
                print "$buildd_tag{no_compiler_commands}||\n";
            }
        }
        next FILE;
    }

    if ($option_buildd) {
        $statistics{commands} += scalar @input;
    }

    # Option or auto detected.
    my @harden_branch_flags;
    if ($arch) {
        # The following was partially copied from dpkg-dev 1.22.0
        # (/usr/share/perl5/Dpkg/Vendor/Debian.pm, set_build_features and
        # _add_build_flags()), copyright Raphaël Hertzog <hertzog@debian.org>,
        # Guillem Jover <guillem@debian.org>, Kees Cook <kees@debian.org>,
        # Canonical, Ltd. licensed under GPL version 2 or later. Keep it in
        # sync.

        require Dpkg::Arch;
        my ($os, $cpu);
        # Recent dpkg versions use a quadruplet for arch. Support both.
        eval {
            (undef, undef, $os, $cpu) = Dpkg::Arch::debarch_to_debtuple($arch);
        };
        if ($@) {
            (undef, $os, $cpu) = Dpkg::Arch::debarch_to_debtriplet($arch);
        }

        my %builtin_pie_arch = map { $_ => 1 } qw(
            amd64
            arm64
            armel
            armhf
            hurd-amd64
            hurd-i386
            i386
            kfreebsd-amd64
            kfreebsd-i386
            loong64
            mips
            mips64
            mips64el
            mips64r6
            mips64r6el
            mipsel
            mipsn32
            mipsn32el
            mipsn32r6
            mipsn32r6el
            mipsr6
            mipsr6el
            powerpc
            ppc64
            ppc64el
            riscv64
            s390x
            sparc
            sparc64
        );

        # Disable unsupported hardening options.
        if ($disable_harden_pie and exists $builtin_pie_arch{$arch}) {
            $harden_pie = 0;
        }
        if ($os !~ /^(?:linux|kfreebsd|hurd)$/
                or $cpu =~ /^(?:alpha|hppa|ia64)$/) {
            $harden_pie = 0;
        }
        if ($cpu =~ /^(?:ia64|alpha|hppa|nios2)$/ or $arch eq 'arm') {
            $harden_stack = 0;
            $harden_stack_strong = 0;
        }
        if ($arch !~ /^(?:amd64|arm64|armhf|armel)$/) {
            $harden_stack_clash = 0;
        }
        if ($cpu =~ /^(?:ia64|hppa)$/) {
            $harden_relro   = 0;
            $harden_bindnow = 0;
        }
        if ($cpu eq 'amd64') {
            @harden_branch_flags = @def_cflags_branch_amd64;
        } elsif ($cpu eq 'arm64') {
            @harden_branch_flags = @def_cflags_branch_arm64;
        }
    }

    # Default values.
    my @cflags   = @def_cflags;
    my @cxxflags = @def_cxxflags;
    my @cppflags = @def_cppflags;
    my @ldflags  = @def_ldflags;
    # Check the specified hardening options, same order as dpkg-buildflags.
    if ($harden_pie) {
        @cflags   = (@cflags,   @def_cflags_pie);
        @cxxflags = (@cxxflags, @def_cflags_pie);
        @ldflags  = (@ldflags,  @def_ldflags_pie);
    }
    if ($harden_stack_strong) {
        @cflags   = (@cflags,   @def_cflags_stack_strong);
        @cxxflags = (@cxxflags, @def_cflags_stack_strong);
    } elsif ($harden_stack) {
        @cflags   = (@cflags,   @def_cflags_stack);
        @cxxflags = (@cxxflags, @def_cflags_stack);
    }
    if ($harden_stack_clash) {
        @cflags   = (@cflags,   @def_cflags_stack_clash);
        @cxxflags = (@cxxflags, @def_cflags_stack_clash);
    }
    if ($harden_fortify) {
        @cflags   = (@cflags,   @def_cflags_fortify);
        @cxxflags = (@cxxflags, @def_cflags_fortify);
        @cppflags = (@cppflags, @def_cppflags_fortify);
    }
    if ($harden_format) {
        @cflags   = (@cflags,   @def_cflags_format);
        @cxxflags = (@cxxflags, @def_cflags_format);
    }
    if ($harden_branch and @harden_branch_flags) {
        @cflags   = (@cflags,   @harden_branch_flags);
        @cxxflags = (@cxxflags, @harden_branch_flags);
    }
    if ($harden_relro) {
        @ldflags = (@ldflags, @def_ldflags_relro);
    }
    if ($harden_bindnow) {
        @ldflags = (@ldflags, @def_ldflags_bindnow);
    }

    # Ada doesn't support format hardening flags, see #680117 for more
    # information. Same for fortran.
    my @cflags_backup;
    my @cflags_noformat = grep {
        my $ok = 1;
        foreach my $flag (@def_cflags_format) {
            $ok = 0 if $_ eq $flag;
        }
        $ok;
    } @cflags;

    # Hack to fix cppflags_fortify_broken() if --ignore-flag
    # -D_FORTIFY_SOURCE=2 is used to ignore missing fortification. Only works
    # as long as @def_cppflags_fortify contains only one variable.
    if (scalar @def_cppflags_fortify == 0) {
        $harden_fortify = 0;
    }

    # Ignore flags for this arch if requested.
    if ($arch and exists $option_ignore_arch_flag{$arch}) {
        my @local_flag_refs = (\@cflags, \@cxxflags, \@cppflags, \@ldflags);

        remove_flags(\@local_flag_refs,
                     \%flag_renames,
                     @{$option_ignore_arch_flag{$arch}});
    }

    my @ignore_line = @option_ignore_line;
    # Ignore lines for this arch if requested.
    if ($arch and exists $option_ignore_arch_line{$arch}) {
        @ignore_line = (@ignore_line, @{$option_ignore_arch_line{$arch}});
    }

LINE:
    for (my $i = 0; $i < scalar @input; $i++) {
        my $line = $input[$i];

        # Ignore line if requested.
        foreach my $ignore (@ignore_line) {
            next LINE if $line =~ /$ignore/;
        }

        my $skip = 0;
        if ($input_nonverbose[$i]
                and is_non_verbose_build($line, $cargo, \$skip,
                                         \@input, $i, $parallel)) {
            if (not $option_buildd) {
                error_non_verbose_build($line, $input_number[$i]);
                $exit |= $exit_code{non_verbose_build};
            } else {
                $statistics{commands_nonverbose}++;
            }
            next;
        }
        # Even if it's a verbose build, we might have to skip this line (see
        # is_non_verbose_build()).
        next if $skip;

        my $orig_line = $line;

        # Remove everything until and including the compiler command. Makes
        # checks easier and faster.
        $line =~ s/^.*?$cc_regex//o;
        # "([...] test.c)" is not detected as 'test.c' - fix this by removing
        # the brace and similar characters at the line end.
        $line =~ s/['")]+$//;

        # Skip unnecessary tests when only preprocessing.
        my $flag_preprocess = 0;

        my $dependency = 0;
        my $preprocess = 0;
        my $compile    = 0;
        my $link       = 0;

        # Preprocess, compile, assemble.
        if ($line =~ /\s(-E|-S|-c)\b/) {
            $preprocess      = 1;
            $flag_preprocess = 1 if $1 eq '-E';
            $compile         = 1 if $1 eq '-S' or $1 eq '-c';
        # Dependency generation for Makefiles. The other flags (-MF -MG -MP
        # -MT -MQ) are always used with -M/-MM.
        } elsif ($line =~ /\s(?:-M|-MM)\b/) {
            $dependency = 1;
        # Otherwise assume we are linking.
        } else {
            $link = 1;
        }

        # -MD/-MMD also cause dependency generation, but they don't imply -E!
        if ($line =~ /\s(?:-MD|-MMD)\b/) {
            $dependency      = 0;
            $flag_preprocess = 0;
        }

        # Dependency generation for Makefiles, no preprocessing or other flags
        # needed.
        next if $dependency;

        # Get all file extensions on this line.
        my @extensions = $line =~ /$file_extension_regex/go;
        # Ignore all unknown extensions to speedup the search below.
        @extensions = grep { exists $extension{$_} } @extensions;

        # These file types don't require preprocessing.
        if (extension_found(\%extensions_no_preprocess, @extensions)) {
            $preprocess = 0;
        }
        # These file types require preprocessing.
        if (extension_found(\%extensions_preprocess, @extensions)) {
            # Prevent false positives with "libtool: link: g++ -include test.h
            # .." compiler lines.
            if ($orig_line !~ /$libtool_link_regex/o) {
                $preprocess = 1;
            }
        }

        if (not $flag_preprocess) {
            # If there are source files then it's compiling/linking in one
            # step and we must check both. We only check for source files
            # here, because header files cause too many false positives.
            if (extension_found(\%extensions_compile_link, @extensions)) {
                # Assembly files don't need CFLAGS.
                if (not extension_found(\%extensions_compile, @extensions)
                        and extension_found(\%extensions_no_compile, @extensions)) {
                    $compile = 0;
                # But the rest does.
                } else {
                    $compile = 1;
                }
            # No compilable extensions found, either linking or compiling
            # header flags.
            #
            # If there are also no object files we are just compiling headers
            # (.h -> .h.gch). Don't check for linker flags in this case. Due
            # to our liberal checks for compiler lines, this also reduces the
            # number of false positives considerably.
            } elsif ($link
                    and not extension_found(\%extensions_object, @extensions)) {
                $link = 0;
            }
        }

        my $compile_cpp = 0;
        my $restore_cflags = 0;
        # Assume CXXFLAGS are required when a C++ file is specified in the
        # compiler line.
        if ($compile
                and extension_found(\%extensions_compile_cpp, @extensions)) {
            $compile     = 0;
            $compile_cpp = 1;
        # Ada needs special CFLAGS
        } elsif (extension_found(\%extensions_ada, @extensions)) {
            $restore_cflags = 1;
            $preprocess = 0; # Ada uses no CPPFLAGS
            @cflags_backup = @cflags;
            @cflags        = @cflags_noformat;
        # Same for fortran
        } elsif (extension_found(\%extensions_fortran, @extensions)) {
            $restore_cflags = 1;
            @cflags_backup = @cflags;
            @cflags        = @cflags_noformat;
        }

        if ($option_buildd) {
            $statistics{preprocess}++  if $preprocess;
            $statistics{compile}++     if $compile;
            $statistics{compile_cpp}++ if $compile_cpp;
            $statistics{link}++        if $link;
        }

        # Check if there are flags indicating a debug build. If that's true,
        # skip the check for -O2. This prevents fortification, but that's fine
        # for a debug build.
        if (any_flags_used($line, @def_cflags_debug)) {
            remove_flags([\@cflags], \%flag_renames, $def_cflags[1]);
            remove_flags([\@cppflags], \%flag_renames, $def_cppflags_fortify[0]);
        }

        # Check hardening flags.
        my @missing;
        if ($compile and (not all_flags_used($line, \@missing, @cflags)
                    or (($harden_stack or $harden_stack_strong)
                        and cflags_stack_broken($line, \@missing,
                                                $harden_stack_strong)))
                # Libraries linked with -fPIC don't have to (and can't) be
                # linked with -fPIE as well. It's no error if only PIE flags
                # are missing.
                and not pic_pie_conflict($line, $harden_pie, \@missing, @def_cflags_pie)
                # Assume dpkg-buildflags returns the correct flags.
                and index($line, '`dpkg-buildflags --get CFLAGS`') == -1) {
            if (not $option_buildd) {
                error_flags('CFLAGS missing', \@missing, \%flag_renames,
                            $input[$i], $input_number[$i]);
                $exit |= $exit_code{flags_missing};
            } else {
                $statistics{compile_missing}++;
            }
        } elsif ($compile_cpp and not all_flags_used($line, \@missing, @cflags)
                # Libraries linked with -fPIC don't have to (and can't) be
                # linked with -fPIE as well. It's no error if only PIE flags
                # are missing.
                and not pic_pie_conflict($line, $harden_pie, \@missing, @def_cflags_pie)
                # Assume dpkg-buildflags returns the correct flags.
                and index($line, '`dpkg-buildflags --get CXXFLAGS`') == -1) {
            if (not $option_buildd) {
                error_flags('CXXFLAGS missing', \@missing, \%flag_renames,
                            $input[$i], $input_number[$i]);
                $exit |= $exit_code{flags_missing};
            } else {
                $statistics{compile_cpp_missing}++;
            }
        }
        if ($preprocess
                and (not all_flags_used($line, \@missing, @cppflags)
                    # The fortify flag might be overwritten, detect that.
                     or ($harden_fortify
                         and cppflags_fortify_broken($line, \@missing)))
                # Assume dpkg-buildflags returns the correct flags.
                and index($line, '`dpkg-buildflags --get CPPFLAGS`') == -1) {
            if (not $option_buildd) {
                error_flags('CPPFLAGS missing', \@missing, \%flag_renames,
                            $input[$i], $input_number[$i]);
                $exit |= $exit_code{flags_missing};
            } else {
                $statistics{preprocess_missing}++;
            }
        }
        if ($link and not all_flags_used($line, \@missing, @ldflags)
                # Same here, -fPIC conflicts with -fPIE.
                and not pic_pie_conflict($line, $harden_pie, \@missing, @def_ldflags_pie)
                # Assume dpkg-buildflags returns the correct flags.
                and index($line, '`dpkg-buildflags --get LDFLAGS`') == -1) {
            if (not $option_buildd) {
                error_flags('LDFLAGS missing', \@missing, \%flag_renames,
                            $input[$i], $input_number[$i]);
                $exit |= $exit_code{flags_missing};
            } else {
                $statistics{link_missing}++;
            }
        }

        # Restore normal CFLAGS.
        if ($restore_cflags) {
            @cflags = @cflags_backup;
        }
    }
}

# Print statistics for buildd mode, only output in this mode.
if ($option_buildd) {
    my @warning;

    if ($statistics{preprocess_missing}) {
        push @warning, sprintf 'CPPFLAGS %d (of %d)',
                               $statistics{preprocess_missing},
                               $statistics{preprocess};
    }
    if ($statistics{compile_missing}) {
        push @warning, sprintf 'CFLAGS %d (of %d)',
                               $statistics{compile_missing},
                               $statistics{compile};
    }
    if ($statistics{compile_cpp_missing}) {
        push @warning, sprintf 'CXXFLAGS %d (of %d)',
                               $statistics{compile_cpp_missing},
                               $statistics{compile_cpp};
    }
    if ($statistics{link_missing}) {
        push @warning, sprintf 'LDFLAGS %d (of %d)',
                               $statistics{link_missing},
                               $statistics{link};
    }
    if (scalar @warning) {
        local $" = ', '; # array join string
        print "$buildd_tag{flags_missing}|@warning missing|\n";
    }

    if ($statistics{commands_nonverbose}) {
        printf "$buildd_tag{non_verbose_build}|%d (of %d) hidden|\n",
               $statistics{commands_nonverbose},
               $statistics{commands},
    }
}


exit $exit;


__END__

=head1 NAME

blhc - build log hardening check, checks build logs for missing hardening flags

=head1 SYNOPSIS

B<blhc> [I<options>] I<< <dpkg-buildpackage build log file>.. >>

=head1 DESCRIPTION

blhc is a small tool which checks build logs for missing hardening flags. It's
licensed under the GPL 3 or later.

It's designed to check build logs generated by Debian's dpkg-buildpackage (or
tools using dpkg-buildpackage like pbuilder or sbuild (which is used for the
official buildd build logs)) to help maintainers detect missing hardening
flags in their packages.

Only gcc is detected as compiler at the moment. If other compilers support
hardening flags as well, please report them.

If there's no output, no flags are missing and the build log is fine.

See F<README> for details about performed checks, auto-detection and
limitations.

=head1 FALSE POSITIVES

To suppress false positives you can embed the following string in the build
log:

    blhc: ignore-line-regexp: REGEXP

All lines fully matching REGEXP (see B<--ignore-line> for details) will be
ignored. The string can be embedded multiple times to ignore different
regexps.

Please use this feature sparingly so that missing flags are not overlooked. If
you find false positives which affect more packages please report a bug.

To generate this string simply use echo in C<debian/rules>; make sure to use @
to suppress the echo command itself as it could also trigger a false positive.
If the build process takes a long time edit the C<.build> file in place and
tweak the ignore string until B<blhc --all --debian package.build> no longer
reports any false positives.

=head1 OPTIONS

=over 8

=item B<--all>

Force check for all +all (+pie, +bindnow) hardening flags. By default it's
auto detected.

=item B<--arch> I<architecture>

Set the specific architecture (e.g. amd64, armel, etc.), automatically
disables hardening flags not available on this architecture. Is detected
automatically if dpkg-buildpackage is used.

=item B<--bindnow>

Force check for all +bindnow hardening flags. By default it's auto detected.

=item B<--buildd>

Special mode for buildds when automatically parsing log files. The following
changes are in effect:

=over 2

=item *

Print tags instead of normal warnings, see L</"BUILDD TAGS"> for a list of
possible tags.

=item *

Don't check hardening flags in old log files (if dpkg-dev << 1.16.1 is
detected).

=item *

Don't require Term::ANSIColor.

=item *

Return exit code 0, unless there was a error (-I, -W messages don't count as
error).

=back

=item B<--debian>

Apply Debian-specific settings. At the moment this only disables checking for
PIE which is automatically applied by Debian's GCC and no longer requires a
compiler command line argument.

=item B<--color>

Use colored (ANSI) output for warning messages.

=item B<--line-numbers>

Display line numbers.

=item B<--ignore-arch> I<arch>

Ignore build logs from architectures matching I<arch>. I<arch> is a string.

Used to prevent false positives. This option can be specified multiple times.

=item B<--ignore-arch-flag> I<arch>:I<flag>

Like B<--ignore-flag>, but only ignore flag on I<arch>.

=item B<--ignore-arch-line> I<arch>:I<line>

Like B<--ignore-line>, but only ignore line on I<arch>.

=item B<--ignore-flag> I<flag>

Don't print an error when the specific flag is missing in a compiler line.
I<flag> is a string.

Used to prevent false positives. This option can be specified multiple times.

=item B<--ignore-line> I<regex>

Ignore lines matching the given Perl regex. I<regex> is automatically anchored
at the beginning and end of the line to prevent false negatives.

B<NOTE>: Not the input lines are checked, but the lines which are displayed in
warnings (which have line continuation resolved).

Used to prevent false positives. This option can be specified multiple times.

=item B<--pie>

Force check for all +pie hardening flags. By default it's auto detected.

=item B<-h -? --help>

Print available options.

=item B<--version>

Print version number and license.

=back

Auto detection for B<--pie> and B<--bindnow> only works if at least one
command uses the required hardening flag (e.g. -fPIE). Then it's required for
all other commands as well.

=head1 EXAMPLES

Normal usage, parse a single log file.

    blhc path/to/log/file

If there's no output, no flags are missing and the build log is fine.

Parse multiple log files. The exit code is ORed over all files.

    blhc path/to/directory/with/log/files/*

Don't treat missing C<-g> as error:

    blhc --ignore-flag -g path/to/log/file

Don't treat missing C<-pie> on kfreebsd-amd64 as error:

    blhc --ignore-arch-flag kfreebsd-amd64:-pie path/to/log/file

Ignore lines consisting exactly of C<./script gcc file> which would cause a
false positive.

    blhc --ignore-line '\./script gcc file' path/to/log/file

Ignore lines matching C<./script gcc file> somewhere in the line.

    blhc --ignore-line '.*\./script gcc file.*' path/to/log/file

Use blhc with pbuilder.

    pbuilder path/to/package.dsc | tee path/log/file
    blhc path/to/file || echo flags missing

Assume this build log was created on a Debian system and thus don't warn about
missing PIE flags if the current architecture injects them automatically (this
is enabled in buildd mode per default). C<--arch> is necessary if the build
log contains no architecture information as written by dpkg-buildpackage.

    blhc --debian --all --arch=amd64 path/to/log/file

=head1 BUILDD TAGS

The following tags are used in I<--buildd> mode. In braces the additional data
which is displayed.

=over 2

=item B<I-hardening-wrapper-used>

The package uses hardening-wrapper which intercepts calls to gcc and adds
hardening flags. The build log doesn't contain any hardening flags and thus
can't be checked by blhc.

=item B<W-compiler-flags-hidden> (summary of hidden lines)

Build log contains lines which hide the real compiler flags. For example:

    CC test-a.c
    CC test-b.c
    CC test-c.c
    LD test

Most of the time either C<export V=1> or C<export verbose=1> in
F<debian/rules> fixes builds with hidden compiler flags. Sometimes C<.SILENT>
in a F<Makefile> must be removed. And as last resort the F<Makefile> must be
patched to remove the C<@>s hiding the real compiler commands.

=item B<W-dpkg-buildflags-missing> (summary of missing flags)

CPPFLAGS, CFLAGS, CXXFLAGS, LDFLAGS missing.

=item B<I-invalid-cmake-used> (version)

By default CMake ignores CPPFLAGS thus missing those hardening flags. Debian
patched CMake in versions 2.8.7-1 and 2.8.7-2 to respect CPPFLAGS, but this
patch was rejected by upstream and later reverted in Debian. Thus those two
versions show correct usage of CPPFLAGS even if the package doesn't correctly
handle them (for example by passing them to CFLAGS). To prevent false
negatives just blacklist those two versions.

=item B<I-no-compiler-commands>

No compiler commands were detected. Either the log contains none or they were
not correctly detected by blhc (please report the bug in this case).

=back

=head1 EXIT STATUS

The exit status is a "bit mask", each listed status is ORed when the error
condition occurs to get the result.

=over 4

=item B<0>

Success.

=item B<1>

No compiler commands were found.

=item B<2>

Invalid arguments/options given to blhc.

=item B<4>

Non verbose build.

=item B<8>

Missing hardening flags.

=item B<16>

Hardening wrapper detected, no tests performed.

=item B<32>

Invalid CMake version used. See B<I-invalid-cmake-used> under L</"BUILDD
TAGS"> for a detailed explanation.

=back

=head1 AUTHOR

Simon Ruderich, E<lt>simon@ruderich.orgE<gt>

Thanks to to Bernhard R. Link E<lt>brlink@debian.orgE<gt> and Jaria Alto
E<lt>jari.aalto@cante.netE<gt> for their valuable input and suggestions.

=head1 LICENSE AND COPYRIGHT

Copyright (C) 2012-2024 by Simon Ruderich

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

=head1 SEE ALSO

L<hardening-check(1)>, L<dpkg-buildflags(1)>

=cut