blhc generates the following warnings because all hardening flags are missing:
- CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -o test test.c
+ CFLAGS missing (-fstack-protector-strong -Wformat -Werror=format-security): gcc -g -O2 -o test test.c
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -o test test.c
LDFLAGS missing (-Wl,-z,relro): gcc -g -O2 -o test test.c
The available hardening flags are adapted to the architecture because some
architectures don't support certain hardening options.
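Review bot: the updated CFLAGS example drops `--param=ssp-buffer-size=4` and `-Wformat-security` along with the move to `-fstack-protector-strong`, while the CPPFLAGS (`-D_FORTIFY_SOURCE=2`) and LDFLAGS (`-Wl,-z,relro`) example lines are left as they were; since the paragraph right after says the flag set depends on the architecture, it would help to state which architecture's defaults these three example lines reflect, so a reader comparing them against their own blhc output knows whether a difference is expected.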
-Some checks (Ada and hardening-wrapper at the moment) check the build
-dependencies for certain packages. The following lines are used to get the
-build dependencies. The first is used in buildd build logs, the second by
-pbuilder logs, both are detected:
+Some checks check the build dependencies for certain packages. The following
+lines are used to get the build dependencies. The first two are used in buildd
+build logs (the second was used in older logs), the third by pbuilder logs,
+all are detected:
+ Filtered Buildd-Depends: ...
Build-Depends: ...
Depends: ...
dpkg-buildpackage: ...
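Review bot: the added `Filtered Buildd-Depends: ...` line spells it with a double "d", while the existing line below reads `Build-Depends: ...`; please check this against the exact prefix blhc matches, because a reader copying the documented line into a hand-made log would otherwise not have it detected. Also, "Some checks check the build dependencies" reads awkwardly now that the parenthetical has gone; "Some checks inspect the build dependencies" says the same thing.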
If it's not present no compiler commands are detected. In case you don't use
-dpkp-buildpackage but still want to check a build log, adding it as first line
+dpkg-buildpackage but still want to check a build log, adding it as first line
should work fine.
+To prevent false positives when checking debug builds, compiler lines
+containing '-OO' or '-Og' are considered debug builds and are not checked for
+'-O2', even though fortification doesn't work without '-O2'.
+
The following non-verbose builds can't be detected:
gcc -o test
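Review bot: `'-OO'` in the added paragraph is the letter O twice, but the optimization level that marks a debug build is `-O0` (digit zero), so the text as written documents a flag gcc does not have; suggest `-O0` to match what the debug-build check is actually looking for. The second half of the sentence ("even though fortification doesn't work without '-O2'") is the justification for why these lines are still reported elsewhere, so it may be clearer to spell out that such lines are skipped only for the `-O2` check and not for the other hardening flags, if that is what the code does.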
blhc is licensed under GPL version 3 or later.
-Copyright (C) 2012-2013 Simon Ruderich
+Copyright (C) 2012-2020 Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+// vim: ft=asciidoc
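Review bot: the trailing `// vim: ft=asciidoc` modeline is appended after the license block, so it becomes the last line of the file; that is fine for vim, which reads modelines from the last lines of a file, and `//` is an asciidoc comment so it will not render. It is worth confirming the file ends with a newline after the modeline so the blank line added just before it is not the only separator from the license text.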