# CONSTANTS/VARIABLES
# Regex to catch compiler commands.
-my $cc_regex = qr/(?:[a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?-)?
- (?<!\.)(?:cc|gcc|g\+\+|c\+\+)
- (?:-[\d.]+)?/x;
+my $cc_regex = qr/
+ (?<!\.)(?:cc|gcc|g\+\+|c\+\+)
+ (?:-[\d.]+)?
+ /x;
+# Full regex which matches the complete compiler name. Used in a few places to
+# prevent false negatives.
+my $cc_regex_full = qr/
+ (?:[a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?-)?
+ $cc_regex
+ /x;
# Regex to catch (GCC) compiler warnings.
my $warning_regex = qr/^(.+?):([0-9]+):[0-9]+: warning: (.+?) \[(.+?)\]$/;
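Review bot: The comment above `$cc_regex` (`# Regex to catch compiler commands.`) is left unchanged, although the variable now matches only the bare compiler name plus an optional version suffix, with no triplet prefix and no anchor or word boundary of its own. I would reword it to something like `# Regex to catch the bare compiler name (optional version suffix); unanchored, see $cc_regex_full for the prefixed form.` so the difference between the two is visible at the definition. The new comment on `$cc_regex_full` speaks of false negatives, but in the `next if $line =~ ...` filters later in this diff a failed match would apparently keep a configure-output line as a compiler command, which reads more like a false positive in the report. Naming those call sites in the comment would remove the ambiguity.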
my $harden_bindnow = $option_bindnow; # defaults to 0
my $harden_pie = $option_pie; # defaults to 0
- # Input lines, contain only the lines with compiler commands.
- my @input = ();
-
- my $start = 0;
- my $continuation = 0;
- my $complete_line = undef;
while (my $line = <$fh>) {
# dpkg-buildflags only provides hardening flags since 1.16.1, don't
# check for hardening flags in buildd mode if an older dpkg-dev is
#
# Packages which were built before 1.16.1 but used their own hardening
# flags are not checked.
- if ($option_buildd and not $start
- and $line =~ /^Toolchain package versions: /) {
+ if ($option_buildd and $line =~ /^Toolchain package versions: /) {
require Dpkg::Version;
if ($line !~ /dpkg-dev_(\S+)/
or Dpkg::Version::version_compare($1, '1.16.1') < 0) {
# If hardening wrapper is used (wraps calls to gcc and adds hardening
# flags automatically) we can't perform any checks, abort.
- if (not $start and $line =~ /^Build-Depends: .*\bhardening-wrapper\b/) {
+ if ($line =~ /^Build-Depends: .*\bhardening-wrapper\b/) {
error_hardening_wrapper();
$exit |= 1 << 4;
next FILE;
# We skip over unimportant lines at the beginning of the log to
# prevent false positives.
- $start = 1 if $line =~ /^dpkg-buildpackage:/;
- next if not $start;
+ last if $line =~ /^dpkg-buildpackage:/;
+ }
+
+ # Input lines, contain only the lines with compiler commands.
+ my @input = ();
+
+ my $continuation = 0;
+ my $complete_line = undef;
+ while (my $line = <$fh>) {
# And stop at the end of the build log. Package details (reported by
# the buildd logs) are not important for us. This also prevents false
# positives.
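Review bot: The header-scanning loop ends only on `last if $line =~ /^dpkg-buildpackage:/;`, so a log that lacks that line is read to EOF there and the second `while (my $line = <$fh>)` then sees no input at all. For a hardening checker that means nothing is checked for that file. How an empty `@input` is reported lies outside this hunk, so I would confirm it surfaces as an error rather than a clean result. A short comment at the `last`, for example `# Consumes the marker line; everything before it is deliberately ignored.`, would document that both loops share `$fh` and split the log at this point. The enclosing per-file block starts and ends outside the hunk.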
and $line =~ /^(?:checking|(?:C|c)onfigure:) /;
next if $line =~ /^\s*(?:Host\s+)?(?:C\s+)?
(?:C|c)ompiler[\s.]*:?\s+
- $cc_regex
+ $cc_regex_full
(?:\s-std=[a-z0-9:+]+)?\s*$
/xo
- or $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex\s*$/o
+ or $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex_full\s*$/o
or $line =~ /^\s*-- Check for working (?:C|CXX) compiler: /
or $line =~ /^\s*(?:echo )?Using [A-Z_]+\s*=\s*/;
# `make` output.