# Build log hardening check, checks build logs for missing hardening flags.
-# Copyright (C) 2012-2019 Simon Ruderich
+# Copyright (C) 2012-2020 Simon Ruderich
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
use Getopt::Long ();
use Text::ParseWords ();
-our $VERSION = '0.09';
+our $VERSION = '0.11';
# CONSTANTS/VARIABLES
my $warning_regex = qr/^(.+?):(\d+):\d+: warning: (.+?) \[(.+?)\]$/;
# Regex to catch libtool commands and not lines which show commands executed
# by libtool (e.g. libtool: link: ...).
-my $libtool_regex = qr/\blibtool\s.*--mode=/;
+my $libtool_regex = qr/\blibtool["']?\s.*--mode=/;
my $libtool_link_regex = qr/\blibtool: link: /;
# List of source file extensions which require preprocessing.
if (not (index($line, 'checking if you want to see long compiling messages... no') == 0
or $line =~ /^\s*\[?(?:CC|CCLD|C\+\+|CXX|CXXLD|LD|LINK)\]?\s+(.+?)$/
- or $line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/
+ or $line =~ /^\s*[][\/0-9 ]*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/
or $line =~ /^\s*[Bb]uilding (?:program|shared library)\s+(.+?)$/
or $line =~ /^\s*\[[\d ]+%\] Building (?:C|CXX) object (.+?)$/)) {
return 0;
return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;
return 0 if $line =~ /^\s*C\+\+ Library: stdc\+\+$/;
# "Compiling" non binary files.
- return 0 if $line =~ /^\s*Compiling \S+\.(?:py|el)['"]?\s*(?:\.\.\.)?$/;
+ return 0 if $line =~ /^\s*Compiling \S+\.(?:py|pyx|el)['"]?\s*(?:\.\.\.|because it changed\.)?$/;
return 0 if $line =~ /^\s*[Cc]ompiling catalog \S+\.po\b/;
# "Compiling" with no file name.
if ($line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/) {
}
if ($option_version) {
print <<"EOF";
-blhc $VERSION Copyright (C) 2012-2019 Simon Ruderich
+blhc $VERSION Copyright (C) 2012-2020 Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
}
# Precompile ignore line regexps, also anchor at beginning and end of line.
+# Additional entries are also extracted from the build log, see below.
foreach my $ignore (@option_ignore_line) {
$ignore = qr/^$ignore$/;
}
}
}
+ # Permit dynamic excludes from within the build log to ignore false
+ # positives. Cannot use a separate config file as we often only have
+ # the build log itself.
+ if (index($line, 'blhc: ignore-line-regexp: ') == 0) {
+ my $ignore = substr $line, 26, -1; # -1 to ignore '\n' at the end
+ push @option_ignore_line, qr/^$ignore$/;
+ next;
+ }
+
next if $line =~ /^\s*#/;
# Ignore compiler warnings for now.
next if $line =~ /$warning_regex/o;
# look like a compiler executable thus causing the line to be
# treated as a normal compiler line.
next if $line =~ m{^\s*rm\s+};
+ next if $line =~ m{^\s*dwz\s+};
# Some build systems emit "gcc > file".
next if $line =~ m{$cc_regex_normal\s*>\s*\S+}o;
# Hex output may contain "cc".
next if $line =~ m#(?:\b[0-9a-fA-F]{2,}\b\s*){5}#;
+ # Meson build output
+ next if $line =~ /^C\+\+ linker for the host machine: /;
+ # Embedded `gcc -print-*` commands
+ next if $line =~ /`$cc_regex_normal\s*[^`]*-print-\S+`/;
# Check if additional hardening options were used. Used to ensure
# they are used for the complete build.
# Option or auto detected.
if ($arch) {
- # The following was partially copied from dpkg-dev 1.19.7
+ # The following was partially copied from dpkg-dev 1.20.5
# (/usr/share/perl5/Dpkg/Vendor/Debian.pm, _add_build_flags()),
# copyright Raphaƫl Hertzog <hertzog@debian.org>, Guillem Jover
# <guillem@debian.org>, Kees Cook <kees@debian.org>, Canonical, Ltd.
# information. Same for fortran.
my @cflags_backup;
my @cflags_noformat = grep {
- my $ok = 1;
- foreach my $flag (@def_cflags_format) {
- $ok = 0 if $_ eq $flag;
- }
- $ok;
- } @cflags;
+ my $ok = 1;
+ foreach my $flag (@def_cflags_format) {
+ $ok = 0 if $_ eq $flag;
+ }
+ $ok;
+ } @cflags;
# Hack to fix cppflags_fortify_broken() if --ignore-flag
# -D_FORTIFY_SOURCE=2 is used to ignore missing fortification. Only works
See F<README> for details about performed checks, auto-detection and
limitations.
+=head1 FALSE POSITIVES
+
+To suppress false positives you can embed the following string in the build
+log:
+
+ blhc: ignore-line-regexp: REGEXP
+
+All lines fully matching REGEXP (see B<--ignore-line> for details) will be
+ignored.
+
+Please use this feature sparingly so that missing flags are not overlooked. If
+you find false positives which affect more packages please report a bug.
+
+To generate this string simply use echo in C<debian/rules>; make sure to use @
+to suppress the echo command itself as it could also trigger a false positive.
+
=head1 OPTIONS
=over 8
=head1 LICENSE AND COPYRIGHT
-Copyright (C) 2012-2019 by Simon Ruderich
+Copyright (C) 2012-2020 by Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by