From 6983b7ad21bf01caa6730986502bd17f556da02e Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Mon, 26 Mar 2012 03:20:27 +0200 Subject: [PATCH 01/16] Rewrap comments. --- bin/blhc | 58 +++++++++++++++++++++++++++++--------------------------- 1 file changed, 30 insertions(+), 28 deletions(-) diff --git a/bin/blhc b/bin/blhc index f8813ef..f158021 100755 --- a/bin/blhc +++ b/bin/blhc @@ -411,9 +411,9 @@ FILE: foreach my $file (@ARGV) { my $continuation = 0; my $complete_line = undef; while (my $line = <$fh>) { - # dpkg-buildflags only provides hardening flags since 1.16.1, don't check - # for hardening flags in buildd mode if an older dpkg-dev is used. Default - # flags (-g -O2) are still checked. + # dpkg-buildflags only provides hardening flags since 1.16.1, don't + # check for hardening flags in buildd mode if an older dpkg-dev is + # used. Default flags (-g -O2) are still checked. # # Packages which were built before 1.16.1 but used their own hardening # flags are not checked. @@ -439,12 +439,12 @@ FILE: foreach my $file (@ARGV) { next FILE; } - # We skip over unimportant lines at the beginning of the log to prevent - # false positives. + # We skip over unimportant lines at the beginning of the log to + # prevent false positives. $start = 1 if $line =~ /^dpkg-buildpackage:/; next if not $start; - # And stop at the end of the build log. Package details (reported by the - # buildd logs) are not important for us. This also prevents false + # And stop at the end of the build log. Package details (reported by + # the buildd logs) are not important for us. This also prevents false # positives. last if $line =~ /^Build finished at \d{8}-\d{4}$/; 
@@ -461,24 +461,24 @@ FILE: foreach my $file (@ARGV) { # Remove all ANSI color sequences which are sometimes used in # non-verbose builds. $line = Term::ANSIColor::colorstrip($line); - # Also strip '\0xf' (delete previous character), used by Elinks' build - # system. + # Also strip '\0xf' (delete previous character), used by Elinks' + # build system. $line =~ s/\x0f//g; - # And "ESC(B" which seems to be used on armhf and hurd (not sure what - # it does). + # And "ESC(B" which seems to be used on armhf and hurd (not sure + # what it does). $line =~ s/\033\(B//g; } # Check if this line indicates a non verbose build. my $non_verbose = is_non_verbose_build($line); - # One line may contain multiple commands (";"). Treat each one as single - # line. parse_line() is slow, only use it when necessary. + # One line may contain multiple commands (";"). Treat each one as + # single line. parse_line() is slow, only use it when necessary. my @line = (not $line =~ /;/) ? ($line) : map { - # Ensure newline at the line end - necessary for correct - # parsing later. + # Ensure newline at the line end - necessary for + # correct parsing later. $_ =~ s/\s+$//; $_ .= "\n"; } Text::ParseWords::parse_line(';', 1, $line); @@ -486,8 +486,8 @@ FILE: foreach my $file (@ARGV) { if ($continuation) { $continuation = 0; - # Join lines, but leave the "\" in place so it's clear where the - # original line break was. + # Join lines, but leave the "\" in place so it's clear where + # the original line break was. chomp $complete_line; $complete_line .= ' ' . $line; } 
@@ -527,8 +527,8 @@ FILE: foreach my $file (@ARGV) { # `make` output. next if $line =~ /^Making [a-z]+ in \S+/; # e.g. "[...] in c++" - # Check if additional hardening options were used. Used to ensure - # they are used for the complete build. + # Check if additional hardening options were used. Used to + # ensure they are used for the complete build. $harden_pie = 1 if any_flags_used($line, @def_cflags_pie, @def_ldflags_pie); $harden_bindnow = 1 if any_flags_used($line, @def_ldflags_bindnow); @@ -609,8 +609,8 @@ FILE: foreach my $file (@ARGV) { # Even if it's a verbose build, we might have to skip this line. next if $skip; - # Remove everything until and including the compiler command. Makes checks - # easier and faster. + # Remove everything until and including the compiler command. Makes + # checks easier and faster. $line =~ s/^.*?$cc_regex//o; # Skip unnecessary tests when only preprocessing. @@ -644,9 +644,9 @@ FILE: foreach my $file (@ARGV) { $preprocess = 1; } - # If there are source files then it's compiling/linking in one step and we - # must check both. We only check for source files here, because header - # files cause too many false positives. + # If there are source files then it's compiling/linking in one step + # and we must check both. We only check for source files here, because + # header files cause too many false positives. if (not $flag_preprocess and extension_found(\%extensions_compile_link, @extensions)) { # Assembly files don't need CFLAGS. 
@@ -671,16 +671,18 @@ FILE: foreach my $file (@ARGV) { # Check hardening flags. my @missing; if ($compile and not all_flags_used($line, \@missing, @cflags) - # Libraries linked with -fPIC don't have to (and can't) be linked - # with -fPIE as well. It's no error if only PIE flags are missing. + # Libraries linked with -fPIC don't have to (and can't) be + # linked with -fPIE as well. It's no error if only PIE flags + # are missing. and not pic_pie_conflict($line, $harden_pie, \@missing, @def_cflags_pie) # Assume dpkg-buildflags returns the correct flags. and not $line =~ /`dpkg-buildflags --get CFLAGS`/) { error_flags('CFLAGS missing', \@missing, \%flag_renames, $input[$i]); $exit |= 1 << 3; } elsif ($compile_cpp and not all_flags_used($line, \@missing, @cflags) - # Libraries linked with -fPIC don't have to (and can't) be linked - # with -fPIE as well. It's no error if only PIE flags are missing. + # Libraries linked with -fPIC don't have to (and can't) be + # linked with -fPIE as well. It's no error if only PIE flags + # are missing. and not pic_pie_conflict($line, $harden_pie, \@missing, @def_cflags_pie) # Assume dpkg-buildflags returns the correct flags. and not $line =~ /`dpkg-buildflags --get CXXFLAGS`/) { -- 2.44.2 From 573f74bd5133b4ef514c977814955942a91a3614 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Mon, 26 Mar 2012 03:23:47 +0200 Subject: [PATCH 02/16] Use dedicated loop to ignore beginning of the log file. Prevents a few unnecessary checks for each line. --- bin/blhc | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/bin/blhc b/bin/blhc index f158021..a188c89 100755 --- a/bin/blhc +++ b/bin/blhc 
@@ -404,12 +404,6 @@ FILE: foreach my $file (@ARGV) { my $harden_bindnow = $option_bindnow; # defaults to 0 my $harden_pie = $option_pie; # defaults to 0 - # Input lines, contain only the lines with compiler commands. - my @input = (); - - my $start = 0; - my $continuation = 0; - my $complete_line = undef; while (my $line = <$fh>) { # dpkg-buildflags only provides hardening flags since 1.16.1, don't # check for hardening flags in buildd mode if an older dpkg-dev is @@ -417,8 +411,7 @@ FILE: foreach my $file (@ARGV) { # # Packages which were built before 1.16.1 but used their own hardening # flags are not checked. - if ($option_buildd and not $start - and $line =~ /^Toolchain package versions: /) { + if ($option_buildd and $line =~ /^Toolchain package versions: /) { require Dpkg::Version; if ($line !~ /dpkg-dev_(\S+)/ or Dpkg::Version::version_compare($1, '1.16.1') < 0) { @@ -433,7 +426,7 @@ FILE: foreach my $file (@ARGV) { # If hardening wrapper is used (wraps calls to gcc and adds hardening # flags automatically) we can't perform any checks, abort. - if (not $start and $line =~ /^Build-Depends: .*\bhardening-wrapper\b/) { + if ($line =~ /^Build-Depends: .*\bhardening-wrapper\b/) { error_hardening_wrapper(); $exit |= 1 << 4; next FILE; @@ -441,8 +434,15 @@ FILE: foreach my $file (@ARGV) { # We skip over unimportant lines at the beginning of the log to # prevent false positives. - $start = 1 if $line =~ /^dpkg-buildpackage:/; - next if not $start; + last if $line =~ /^dpkg-buildpackage:/; + } + + # Input lines, contain only the lines with compiler commands. + my @input = (); + + my $continuation = 0; + my $complete_line = undef; + while (my $line = <$fh>) { # And stop at the end of the build log. Package details (reported by # the buildd logs) are not important for us. This also prevents false # positives. -- 2.44.2 From 76345db813476d45ab2cd8cce0c728314a24bfa9 Mon Sep 17 00:00:00 2001 
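Review bot: The new header loop (the first `while (my $line = <$fh>)` ending in `last if $line =~ /^dpkg-buildpackage:/;`) carries no comment saying that it deliberately consumes the log up to the `dpkg-buildpackage:` marker, and that a log without that marker is read to EOF so the second loop collects nothing (presumably ending in the existing "No compiler commands" path). That is the same outcome the old `$start` flag produced, but it is now implied by the loop split rather than visible in a single condition. Suggest a comment above the first loop: `# Scan the log header (everything up to the dpkg-buildpackage: line) for toolchain and Build-Depends information; compiler commands are only collected by the loop below.` The enclosing FILE loop starts and ends outside the hunk.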
From: Simon Ruderich Date: Mon, 26 Mar 2012 03:37:38 +0200 Subject: [PATCH 03/16] Use simpler regex to catch compiler commands. --- bin/blhc | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/bin/blhc b/bin/blhc index a188c89..7b228ec 100755 --- a/bin/blhc +++ b/bin/blhc @@ -31,9 +31,16 @@ our $VERSION = '0.01'; # CONSTANTS/VARIABLES # Regex to catch compiler commands. -my $cc_regex = qr/(?:[a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?-)? - (? Date: Mon, 26 Mar 2012 04:05:07 +0200 Subject: [PATCH 04/16] Precompile flag regexps. Speeds up any_flags_used() and all_flags_used(). --- bin/blhc | 55 ++++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 46 insertions(+), 9 deletions(-) diff --git a/bin/blhc b/bin/blhc index 7b228ec..ad98dc5 100755 --- a/bin/blhc +++ b/bin/blhc @@ -191,7 +191,12 @@ my @def_ldflags_pie = ( '-fPIE', '-pie', ); -# Renaming rules for the output so the regex parts are not visible. +my @def_ldflags_pic = ( + '-fPIC', + '-fpic', +); +# Renaming rules for the output so the regex parts are not visible. Also +# stores string values of flag regexps above, see compile_flag_regexp(). my %flag_renames = ( '-O(?:2|3)' => '-O2', '-Wl,(-z,)?relro' => '-Wl,-z,relro', @@ -207,12 +212,10 @@ my $option_color; sub error_flags { my ($message, $missing_flags_ref, $flag_renames_ref, $line) = @_; - # Rename flags if requested. + # Get string value of qr//-escaped regexps and if requested rename them. my @missing_flags = map { - (exists $flag_renames_ref->{$_}) - ? $flag_renames_ref->{$_} - : $_ - } @{$missing_flags_ref}; + $flag_renames_ref->{$_} + } @{$missing_flags_ref}; my $flags = join ' ', @missing_flags; printf "%s (%s)%s %s", @@ -247,7 +250,7 @@ sub any_flags_used { my ($line, @flags) = @_; foreach my $flag (@flags) { - return 1 if $line =~ /\s$flag(?:\s|\\)/; + return 1 if $line =~ /$flag/; } return 0; 
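Review bot: The rewritten map in error_flags() now does an unconditional `$flag_renames_ref->{$_}` lookup, so a flag that did not pass through compile_flag_regexp() resolves to undef and is printed as an empty name (with an uninitialized-value warning under `use warnings`) where the old code printed the flag itself. Keeping the previous fallback costs one line: `(exists $flag_renames_ref->{$_}) ? $flag_renames_ref->{$_} : $_`, which makes a flag list missed by the precompile block show up as a raw pattern in the message instead of vanishing. The `# Get string value ...` comment should also say that the keys are the stringified qr// objects produced by compile_flag_regexp(), since that is the only reason the lookup works.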
@@ -257,7 +260,7 @@ sub all_flags_used { my @missing_flags = (); foreach my $flag (@flags) { - if ($line !~ /\s$flag(?:\s|\\)/) { + if (not $line =~ /$flag/) { push @missing_flags, $flag; } } @@ -273,7 +276,7 @@ sub pic_pie_conflict { my ($line, $pie, $missing_flags_ref, @flags_pie) = @_; return 0 if not $pie; - return 0 if not any_flags_used($line, ('-fPIC', '-fpic')); + return 0 if not any_flags_used($line, @def_ldflags_pic); my %flags = map { $_ => 1 } @flags_pie; @@ -329,6 +332,24 @@ sub is_non_verbose_build { return 1; } +sub compile_flag_regexp { + my ($flag_renames_ref, @flags) = @_; + + my @result = (); + foreach my $flag (@flags) { + # Store flag name in replacement string for correct flags in messages + # with qr//ed flag regexps. + $flag_renames_ref->{qr/\s$flag(?:\s|\\)/} + = (exists $flag_renames_ref->{$flag}) + ? $flag_renames_ref->{$flag} + : $flag; + + # Compile flag regexp for faster execution. + push @result, qr/\s$flag(?:\s|\\)/; + } + return @result; +} + sub extension_found { my ($extensions_ref, @extensions) = @_; 
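Review bot: compile_flag_regexp() builds `qr/\s$flag(?:\s|\\)/` twice, once as the hash key and once for the pushed result, and error_flags() depends on both stringifying identically, so a later edit to one of them silently breaks the rename lookup. Build it once: `my $regex = qr/\s$flag(?:\s|\\)/;` then `$flag_renames_ref->{$regex} = (exists $flag_renames_ref->{$flag}) ? $flag_renames_ref->{$flag} : $flag;` and `push @result, $regex;`. A header comment is also worth adding, because the side effect on the passed hash is not obvious from the name: `# Compile each flag into an anchored qr// and record its display name in %$flag_renames_ref, keyed by the stringified regexp, for error_flags().` That comment should make explicit that `$flag` is interpolated as a regexp fragment rather than quotemeta'd, since entries such as `'-O(?:2|3)'` and `'-Wl,(-z,)?relro'` rely on it.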
@@ -397,6 +418,22 @@ if ($option_all) { $option_bindnow = 1; } +# Precompile all flag regexps. any_flags_used(), all_flags_used() get a lot +# faster with this. +@def_cflags = compile_flag_regexp(\%flag_renames, @def_cflags); +@def_cflags_format = compile_flag_regexp(\%flag_renames, @def_cflags_format); +@def_cflags_fortify = compile_flag_regexp(\%flag_renames, @def_cflags_fortify); +@def_cflags_stack = compile_flag_regexp(\%flag_renames, @def_cflags_stack); +@def_cflags_pie = compile_flag_regexp(\%flag_renames, @def_cflags_pie); +@def_cxxflags = compile_flag_regexp(\%flag_renames, @def_cxxflags); +@def_cppflags = compile_flag_regexp(\%flag_renames, @def_cppflags); +@def_cppflags_fortify = compile_flag_regexp(\%flag_renames, @def_cppflags_fortify); +@def_ldflags = compile_flag_regexp(\%flag_renames, @def_ldflags); +@def_ldflags_relro = compile_flag_regexp(\%flag_renames, @def_ldflags_relro); +@def_ldflags_bindnow = compile_flag_regexp(\%flag_renames, @def_ldflags_bindnow); +@def_ldflags_pie = compile_flag_regexp(\%flag_renames, @def_ldflags_pie); +@def_ldflags_pic = compile_flag_regexp(\%flag_renames, @def_ldflags_pic); + # Final exit code. my $exit = 0; -- 2.44.2 From 5ba101e4f167d461647d9481f83528d5151bafac Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Mon, 26 Mar 2012 04:06:13 +0200 Subject: [PATCH 05/16] Use default CFLAGS for CXXFLAGS too. --- bin/blhc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/bin/blhc b/bin/blhc index ad98dc5..7b196a0 100755 --- a/bin/blhc +++ b/bin/blhc @@ -172,8 +172,7 @@ my @def_cflags_pie = ( '-fPIE', ); my @def_cxxflags = ( - '-g', - '-O(?:2|3)', + @def_cflags, ); # @def_cxxflags_* is the same as @def_cflags_*. my @def_cppflags = (); -- 2.44.2 From 0c04e1006d384e806204b31b15dd5e6d6a31497a Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Mon, 26 Mar 2012 04:11:58 +0200 Subject: [PATCH 06/16] Be more liberal in non-verbose file name checks. --- bin/blhc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
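Review bot: The precompile block is a hand-maintained list of thirteen `@def_*` arrays, and any array left out keeps plain strings that any_flags_used()/all_flags_used() now match with a bare `/$flag/`, i.e. as an unanchored substring (a constructed example: `-g` would match inside `-ggdb`) and with no entry in %flag_renames for the message. Iterating over references keeps the list in one place and makes an omission easier to spot: `for my $flags_ref (\@def_cflags, \@def_cflags_format, \@def_cflags_fortify, \@def_cflags_stack, \@def_cflags_pie, \@def_cxxflags, \@def_cppflags, \@def_cppflags_fortify, \@def_ldflags, \@def_ldflags_relro, \@def_ldflags_bindnow, \@def_ldflags_pie, \@def_ldflags_pic) { @{$flags_ref} = compile_flag_regexp(\%flag_renames, @{$flags_ref}); }`. Whichever form stays, the comment should state that every `@def_*` list must be compiled here before the FILE loop uses it, as the matching functions no longer anchor on their own.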
diff --git a/bin/blhc b/bin/blhc index 7b196a0..bfd4be8 100755 --- a/bin/blhc +++ b/bin/blhc @@ -317,7 +317,7 @@ sub is_non_verbose_build { if (defined $file) { # Get filename, we can't use the complete path as only parts of it are # used in the real compiler command. - $file =~ m{/([a-zA-Z0-9._-]+)$}; + $file =~ m{/([^/\s]+)$}; $file = $1; if ($next_line =~ /\Q$file\E/ and $next_line =~ /$cc_regex/o) { -- 2.44.2 From 36c9f05a7471f321df247f0237ac8efa81d69207 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Mon, 26 Mar 2012 04:17:39 +0200 Subject: [PATCH 07/16] Ignore ', " and ) at the end of the line. Necessary to detect cases like "(gcc test.c)". --- bin/blhc | 3 +++ t/logs/bad-cflags | 2 ++ t/tests.t | 11 +++++++++++ 3 files changed, 16 insertions(+) diff --git a/bin/blhc b/bin/blhc index bfd4be8..bfa954b 100755 --- a/bin/blhc +++ b/bin/blhc @@ -655,6 +655,9 @@ FILE: foreach my $file (@ARGV) { # Remove everything until and including the compiler command. Makes # checks easier and faster. $line =~ s/^.*?$cc_regex//o; + # "([...] test.c)" is not detected as 'test.c' - fix this by removing + # the brace and similar characters. + $line =~ s/['")]+$//; # Skip unnecessary tests when only preprocessing. my $flag_preprocess = 0; diff --git a/t/logs/bad-cflags b/t/logs/bad-cflags index e231307..170e238 100644 --- a/t/logs/bad-cflags +++ b/t/logs/bad-cflags @@ -12,3 +12,5 @@ gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest gcc -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -c -D_FORTIFY_SOURCE=2 ../../../../src/test/test.c -o test.so.o gcc test.c -o test.output + +(gcc -Wl,-z,relro -o test.output test.c) diff --git a/t/tests.t b/t/tests.t index e3acca2..1be7495 100644 --- a/t/tests.t +++ b/t/tests.t 
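Review bot: `$file =~ m{/([^/\s]+)$};` followed by `$file = $1;` still assumes the path contains a slash; when it does not, the match fails and `$1` keeps the capture of whatever regexp succeeded last, so `$file` is replaced by unrelated text and the `\Q$file\E` test on the next line compares against that. Making the assignment conditional keeps the bare name in that case: `$file = $1 if $file =~ m{/([^/\s]+)$};`. The surrounding is_non_verbose_build() starts and ends outside the hunk.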
@@ -227,6 +227,8 @@ CFLAGS missing (-Wformat): gcc -fPIC -g -O2 -fstack-protector --param=ssp-buffer CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc test.c -o test.output CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc test.c -o test.output LDFLAGS missing (-Wl,-z,relro): gcc test.c -o test.output +CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): (gcc -Wl,-z,relro -o test.output test.c) +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): (gcc -Wl,-z,relro -o test.output test.c) '; is_blhc 'bad-cflags', '--pie', 8, 'CFLAGS missing (-fPIE -Wformat): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c @@ -242,6 +244,9 @@ CFLAGS missing (-Wformat): gcc -fPIC -g -O2 -fstack-protector --param=ssp-buffer CFLAGS missing (-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc test.c -o test.output CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc test.c -o test.output LDFLAGS missing (-fPIE -pie -Wl,-z,relro): gcc test.c -o test.output +CFLAGS missing (-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): (gcc -Wl,-z,relro -o test.output test.c) +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): (gcc -Wl,-z,relro -o test.output test.c) +LDFLAGS missing (-fPIE -pie): (gcc -Wl,-z,relro -o test.output test.c) '; is_blhc 'bad-cflags', '--bindnow', 8, 'CFLAGS missing (-Wformat): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c 
@@ -258,6 +263,9 @@ CFLAGS missing (-Wformat): gcc -fPIC -g -O2 -fstack-protector --param=ssp-buffer CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc test.c -o test.output CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc test.c -o test.output LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc test.c -o test.output +CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): (gcc -Wl,-z,relro -o test.output test.c) +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): (gcc -Wl,-z,relro -o test.output test.c) +LDFLAGS missing (-Wl,-z,now): (gcc -Wl,-z,relro -o test.output test.c) '; is_blhc 'bad-cflags', '--pie --bindnow', 8, 'CFLAGS missing (-fPIE -Wformat): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c @@ -274,6 +282,9 @@ CFLAGS missing (-Wformat): gcc -fPIC -g -O2 -fstack-protector --param=ssp-buffer CFLAGS missing (-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc test.c -o test.output CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc test.c -o test.output LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): gcc test.c -o test.output +CFLAGS missing (-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): (gcc -Wl,-z,relro -o test.output test.c) +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): (gcc -Wl,-z,relro -o test.output test.c) +LDFLAGS missing (-fPIE -pie -Wl,-z,now): (gcc -Wl,-z,relro -o test.output test.c) '; is_blhc 'bad-cppflags', '', 8, -- 2.44.2 From 17f9869280cd3b89f8a6a1dd172d03a0871bf786 Mon Sep 17 00:00:00 2001 
From: Simon Ruderich Date: Mon, 26 Mar 2012 05:21:33 +0200 Subject: [PATCH 08/16] Print tag messages including statistics in buildd mode. --- MANIFEST | 1 + bin/blhc | 99 ++++++++++++++++++++++++++++++++++--- t/logs/buildd-dpkg-dev | 3 +- t/logs/buildd-dpkg-dev-old | 3 +- t/logs/buildd-verbose-build | 7 +++ t/tests.t | 26 +++------- 6 files changed, 113 insertions(+), 26 deletions(-) create mode 100644 t/logs/buildd-verbose-build diff --git a/MANIFEST b/MANIFEST index 2932b8a..9764e06 100644 --- a/MANIFEST +++ b/MANIFEST @@ -17,6 +17,7 @@ t/logs/bad-multiline t/logs/buildd-dpkg-dev t/logs/buildd-dpkg-dev-old t/logs/buildd-package-details +t/logs/buildd-verbose-build t/logs/c++ t/logs/cc t/logs/configure diff --git a/bin/blhc b/bin/blhc index bfa954b..62ddb86 100755 --- a/bin/blhc +++ b/bin/blhc @@ -202,6 +202,21 @@ my %flag_renames = ( '-Wl,(-z,)?now' => '-Wl,-z,now', ); +# Statistics of missing flags and non-verbose build commands. Used for +# $option_buildd. +my %statistics = ( + preprocess => 0, + preprocess_missing => 0, + compile => 0, + compile_missing => 0, + compile_cpp => 0, + compile_cpp_missing => 0, + link => 0, + link_missing => 0, + commands => 0, + commands_nonverbose => 0, +); + # Use colored (ANSI) output? my $option_color; @@ -470,7 +485,11 @@ FILE: foreach my $file (@ARGV) { # If hardening wrapper is used (wraps calls to gcc and adds hardening # flags automatically) we can't perform any checks, abort. if ($line =~ /^Build-Depends: .*\bhardening-wrapper\b/) { - error_hardening_wrapper(); + if (not $option_buildd) { + error_hardening_wrapper(); + } else { + print "I-hardening-wrapper-used\n"; + } $exit |= 1 << 4; next FILE; } @@ -588,6 +607,10 @@ FILE: foreach my $file (@ARGV) { next FILE; } + if ($option_buildd) { + $statistics{commands} += scalar @input; + } + # Option or auto detected. if ($option_arch) { # The following was partially copied from dpkg-dev 1.16.1.2 
@@ -645,7 +668,11 @@ FILE: foreach my $file (@ARGV) { my $skip = 0; if (is_non_verbose_build($line, $input[$i + 1], \$skip)) { - error_non_verbose_build($line); + if (not $option_buildd) { + error_non_verbose_build($line); + } else { + $statistics{commands_nonverbose}++; + } $exit |= 1 << 2; next; } @@ -714,6 +741,13 @@ FILE: foreach my $file (@ARGV) { $compile_cpp = 1; } + if ($option_buildd) { + $statistics{preprocess}++ if $preprocess; + $statistics{compile}++ if $compile; + $statistics{compile_cpp}++ if $compile_cpp; + $statistics{link}++ if $link; + } + # Check hardening flags. my @missing; if ($compile and not all_flags_used($line, \@missing, @cflags) @@ -723,7 +757,11 @@ FILE: foreach my $file (@ARGV) { and not pic_pie_conflict($line, $harden_pie, \@missing, @def_cflags_pie) # Assume dpkg-buildflags returns the correct flags. and not $line =~ /`dpkg-buildflags --get CFLAGS`/) { - error_flags('CFLAGS missing', \@missing, \%flag_renames, $input[$i]); + if (not $option_buildd) { + error_flags('CFLAGS missing', \@missing, \%flag_renames, $input[$i]); + } else { + $statistics{compile_missing}++; + } $exit |= 1 << 3; } elsif ($compile_cpp and not all_flags_used($line, \@missing, @cflags) # Libraries linked with -fPIC don't have to (and can't) be 
@@ -732,13 +770,21 @@ FILE: foreach my $file (@ARGV) { and not pic_pie_conflict($line, $harden_pie, \@missing, @def_cflags_pie) # Assume dpkg-buildflags returns the correct flags. and not $line =~ /`dpkg-buildflags --get CXXFLAGS`/) { - error_flags('CXXFLAGS missing', \@missing, \%flag_renames, $input[$i]); + if (not $option_buildd) { + error_flags('CXXFLAGS missing', \@missing, \%flag_renames, $input[$i]); + } else { + $statistics{compile_cpp_missing}++; + } $exit |= 1 << 3; } if ($preprocess and not all_flags_used($line, \@missing, @cppflags) # Assume dpkg-buildflags returns the correct flags. and not $line =~ /`dpkg-buildflags --get CPPFLAGS`/) { - error_flags('CPPFLAGS missing', \@missing, \%flag_renames, $input[$i]); + if (not $option_buildd) { + error_flags('CPPFLAGS missing', \@missing, \%flag_renames, $input[$i]); + } else { + $statistics{preprocess_missing}++; + } $exit |= 1 << 3; } if ($link and not all_flags_used($line, \@missing, @ldflags) 
@@ -746,12 +792,53 @@ FILE: foreach my $file (@ARGV) { and not pic_pie_conflict($line, $harden_pie, \@missing, @def_ldflags_pie) # Assume dpkg-buildflags returns the correct flags. and not $line =~ /`dpkg-buildflags --get LDFLAGS`/) { - error_flags('LDFLAGS missing', \@missing, \%flag_renames, $input[$i]); + if (not $option_buildd) { + error_flags('LDFLAGS missing', \@missing, \%flag_renames, $input[$i]); + } else { + $statistics{link_missing}++; + } $exit |= 1 << 3; } } } +# Print statistics for buildd mode, only output in this mode. +if ($option_buildd) { + my @warning; + + if ($statistics{preprocess_missing}) { + push @warning, sprintf "CPPFLAGS %d (of %d)", + $statistics{preprocess_missing}, + $statistics{preprocess}; + } + if ($statistics{compile_missing}) { + push @warning, sprintf "CFLAGS %d (of %d)", + $statistics{compile_missing}, + $statistics{compile}; + } + if ($statistics{compile_cpp_missing}) { + push @warning, sprintf "CXXFLAGS %d (of %d)", + $statistics{compile_cpp_missing}, + $statistics{compile_cpp}; + } + if ($statistics{link_missing}) { + push @warning, sprintf "LDFLAGS %d (of %d)", + $statistics{link_missing}, + $statistics{link}; + } + if (scalar @warning) { + local $" = ', '; # array join string + print "W-dpkg-buildflags-missing @warning missing\n"; + } + + if ($statistics{commands_nonverbose}) { + printf "W-compiler-flags-hidden %d (of %d) hidden\n", + $statistics{commands_nonverbose}, + $statistics{commands}, + } +} + + exit $exit; diff --git a/t/logs/buildd-dpkg-dev b/t/logs/buildd-dpkg-dev index 4cd6530..4cc32a5 100644 --- a/t/logs/buildd-dpkg-dev +++ b/t/logs/buildd-dpkg-dev @@ -4,7 +4,8 @@ dpkg-buildpackage: source package test gcc -g -O2 -c test-a.c gcc -g -O2 -c test-b.c gcc -g -O2 -c test-c.c -gcc -o test test-a.o test-b.o test-c.o -ltest +gcc -g -O2 -c test-d.cpp +gcc -o test test-a.o test-b.o test-c.o -test-d.cpp.o -ltest gcc -g -c test-a.c gcc -g -c test-b.c 
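Review bot: `%statistics` is declared once at file scope and incremented inside the `FILE:` loop, while the `W-dpkg-buildflags-missing` and `W-compiler-flags-hidden` lines are printed only after the loop, so with several log files on the command line the counts are summed over all of them and cannot be attributed to a file, whereas the `I-hardening-wrapper-used` tag from the same patch is printed per file. If per-file totals are intended the counters need resetting at the top of the loop; either way the comment above the hash should say which it is, e.g. `# Accumulated over all files given on the command line; printed once after the FILE loop.` It is also worth a line next to the printf calls noting that `commands` counts every collected input line and each `*_missing` value counts lines, not individual flags, since "7 (of 7)" reads ambiguously otherwise. The FILE loop this hunk closes starts outside the hunk.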
diff --git a/t/logs/buildd-dpkg-dev-old b/t/logs/buildd-dpkg-dev-old index 0a9d035..c3e601c 100644 --- a/t/logs/buildd-dpkg-dev-old +++ b/t/logs/buildd-dpkg-dev-old @@ -9,4 +9,5 @@ gcc -o test test-a.o test-b.o test-c.o -ltest gcc -g -c test-a.c gcc -g -c test-b.c gcc -g -c test-c.c -gcc -o test test-a.o test-b.o test-c.o -ltest +gcc -g -c test-d.cpp +gcc -o test test-a.o test-b.o test-c.o test-d.cpp.o -ltest diff --git a/t/logs/buildd-verbose-build b/t/logs/buildd-verbose-build new file mode 100644 index 0000000..f52dc4d --- /dev/null +++ b/t/logs/buildd-verbose-build @@ -0,0 +1,7 @@ +dpkg-buildpackage: source package test + + CC libtest-a.lo +/bin/bash ../libtool --silent --tag=CC --mode=compile gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -W -Wall -c -o libtest-a.lo `test -f 'libtest-a.c' || echo './'`libtest-a.c + CC libtest-b.lo +/bin/bash ../libtool --silent --tag=CC --mode=compile gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -W -Wall -c -o libtest-b.lo `test -f 'libtest-b.c' || echo './'`libtest-b.c + CCLD libtest.la diff --git a/t/tests.t b/t/tests.t index 1be7495..f1102a9 100644 --- a/t/tests.t +++ b/t/tests.t @@ -19,7 +19,7 @@ use strict; use warnings; -use Test::More tests => 98; +use Test::More tests => 100; sub is_blhc { 
@@ -586,28 +586,18 @@ is_blhc 'buildd-package-details', '--buildd', 0, ''; is_blhc 'buildd-dpkg-dev', '--buildd', 8, - 'CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-a.c -CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-a.c -CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-b.c -CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-b.c -CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-c.c -CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-c.c -LDFLAGS missing (-Wl,-z,relro): gcc -o test test-a.o test-b.o test-c.o -ltest -CFLAGS missing (-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -c test-a.c -CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -c test-a.c -CFLAGS missing (-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -c test-b.c -CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -c test-b.c -CFLAGS missing (-O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -c test-c.c -CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -c test-c.c -LDFLAGS missing (-Wl,-z,relro): gcc -o test test-a.o test-b.o test-c.o -ltest + 'W-dpkg-buildflags-missing CPPFLAGS 7 (of 7), CFLAGS 6 (of 6), CXXFLAGS 1 (of 1), LDFLAGS 2 (of 2) missing '; is_blhc 'buildd-dpkg-dev-old', '--buildd', 8, - 'CFLAGS missing (-O2): gcc -g -c test-a.c -CFLAGS missing (-O2): gcc -g -c test-b.c -CFLAGS missing (-O2): gcc -g -c test-c.c + 'W-dpkg-buildflags-missing CFLAGS 3 (of 6), CXXFLAGS 1 (of 1) missing '; +is_blhc 'buildd-verbose-build', '--buildd', 4, + 'W-compiler-flags-hidden 1 (of 5) hidden +'; + + # multiple files is_blhc ['good', 'good-pie', 'good-bindnow', 
'good-all', 'good-multiline', 'good-library'], '', 0, -- 2.44.2 From 33cf53c9dffe333db74d89b90e8b1d1bb88d91b9 Mon Sep 17 00:00:00 2001 From: Jari Aalto Date: Mon, 26 Mar 2012 21:47:42 +0200 Subject: [PATCH 09/16] Don't list available options in SYNOPSIS. --- bin/blhc | 9 --------- t/tests.t | 9 --------- 2 files changed, 18 deletions(-) diff --git a/bin/blhc b/bin/blhc index 62ddb86..f994602 100755 --- a/bin/blhc +++ b/bin/blhc @@ -852,15 +852,6 @@ blhc - build log hardening check, checks build logs for missing hardening flags B [options] .. - --all force +all (+pie, +bindnow) check - --arch set architecture (autodetected) - --bindnow force +bindbow check - --buildd parser mode for buildds - --color use colored output - --pie force +pie check - --help available options - --version version number and license - =head1 DESCRIPTION blhc is a small tool which checks build logs for missing hardening flags and diff --git a/t/tests.t b/t/tests.t index f1102a9..8d72b91 100644 --- a/t/tests.t +++ b/t/tests.t @@ -48,15 +48,6 @@ is_blhc 'empty', '--invalid', 2, Usage: blhc [options] .. - --all force +all (+pie, +bindnow) check - --arch set architecture (autodetected) - --bindnow force +bindbow check - --buildd parser mode for buildds - --color use colored output - --pie force +pie check - --help available options - --version version number and license - '; -- 2.44.2 From a3b3787fe94bdcd8a1fe8df77c5edaa2f5e04319 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Mon, 26 Mar 2012 21:49:40 +0200 Subject: [PATCH 10/16] List argument for --arch in POD. --- bin/blhc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/blhc b/bin/blhc index f994602..61de44e 100755 --- a/bin/blhc +++ b/bin/blhc 
@@ -866,7 +866,7 @@ other important warnings. It's licensed under the GPL 3 or later. Force check for all +all (+pie, +bindnow) hardening flags. By default it's auto detected. -=item B<--arch> +=item B<--arch> I Set the specific architecture (e.g. amd64, armel, etc.), automatically disables hardening flags not available on this architecture. Is detected -- 2.44.2 From c3b000d786b82874943c7f8792179e64559bd58a Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Mon, 26 Mar 2012 21:51:30 +0200 Subject: [PATCH 11/16] Use I<> for arguments in POD. --- bin/blhc | 2 +- t/tests.t | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/blhc b/bin/blhc index 61de44e..04b7125 100755 --- a/bin/blhc +++ b/bin/blhc @@ -850,7 +850,7 @@ blhc - build log hardening check, checks build logs for missing hardening flags =head1 SYNOPSIS -B [options] .. +B [I] Idpkg-buildpackage build log fileE..> =head1 DESCRIPTION diff --git a/t/tests.t b/t/tests.t index 8d72b91..9bdab49 100644 --- a/t/tests.t +++ b/t/tests.t @@ -46,7 +46,7 @@ sub is_blhc { is_blhc 'empty', '--invalid', 2, 'Unknown option: invalid Usage: - blhc [options] .. + blhc [*options*] *..* '; -- 2.44.2 From bd14bca33d2d8a8b2b296a62f2e13292a3f58068 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Tue, 27 Mar 2012 19:08:48 +0200 Subject: [PATCH 12/16] Use tag W-no-compiler-commands in buildd mode. --- bin/blhc | 6 +++++- t/tests.t | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/bin/blhc b/bin/blhc index 04b7125..544b32c 100755 --- a/bin/blhc +++ b/bin/blhc @@ -602,7 +602,11 @@ FILE: foreach my $file (@ARGV) { close $fh; if (scalar @input == 0) { - print "No compiler commands!\n"; + if (not $option_buildd) { + print "No compiler commands!\n"; + } else { + print "W-no-compiler-commands\n"; + } $exit |= 1; next FILE; } diff --git a/t/tests.t b/t/tests.t index 9bdab49..bb8471b 100644 --- a/t/tests.t +++ b/t/tests.t 
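Review bot: The buildd-mode output now consists of fixed tags (`W-no-compiler-commands` here, plus `W-dpkg-buildflags-missing`, `W-compiler-flags-hidden` and `I-hardening-wrapper-used` from the earlier patch in this series) that a consumer will parse, but none of them is documented next to the `--buildd` option in the POD, which lies outside this hunk. Each tag's meaning and the exit bit set alongside it (`$exit |= 1` here) should be listed there, as the tag strings are now part of the tool's interface. This `if (not $option_buildd) { ... } else { ... }` pair is the seventh copy of the same shape in the file; routing them through one small helper that takes the human-readable text and the tag would keep the mode switch in a single place.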
@@ -19,7 +19,7 @@ use strict; use warnings; -use Test::More tests => 100; +use Test::More tests => 102; sub is_blhc { @@ -573,6 +573,10 @@ is_blhc 'debian-hardening-wrapper', '', 16, # buildd support +is_blhc 'empty', '--buildd', 1, + 'W-no-compiler-commands +'; + is_blhc 'buildd-package-details', '--buildd', 0, ''; -- 2.44.2 From bbdf77da3205abbc957d6b720e01f6d390db46dc Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Thu, 29 Mar 2012 16:00:43 +0200 Subject: [PATCH 13/16] Also ignore PIE flags when -shared is used. --- bin/blhc | 1 + t/tests.t | 5 ++--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bin/blhc b/bin/blhc index 544b32c..b4d87e4 100755 --- a/bin/blhc +++ b/bin/blhc @@ -193,6 +193,7 @@ my @def_ldflags_pie = ( my @def_ldflags_pic = ( '-fPIC', '-fpic', + '-shared', ); # Renaming rules for the output so the regex parts are not visible. Also # stores string values of flag regexps above, see compile_flag_regexp(). diff --git a/t/tests.t b/t/tests.t index bb8471b..949ed88 100644 --- a/t/tests.t +++ b/t/tests.t 
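Review bot: Adding `'-shared'` to `@def_ldflags_pic` works because pic_pie_conflict() only uses the list to decide whether PIE flags may be skipped, but the array name now misdescribes its contents and nothing explains why a link mode sits among PIC flags. A comment on the entry keeps that intent visible: `# -shared: a shared object is never linked as PIE, so skip the PIE check for it as well.` Alternatively rename the list in a follow-up to something like `@def_ldflags_nopie`, updating the precompile block and pic_pie_conflict() which reference it by name.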
@@ -339,7 +339,7 @@ LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc -D_FORTIFY_SOURCE=2 -g -O2 --para LDFLAGS missing (-Wl,-z,now): gcc -shared -fPIC -DPIC libtest.o -lpthread -O2 -Wl,relro -Wl,--as-needed -o libtest.so LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc -shared -fPIC -DPIC libtest.o -lpthread -O2 -Wl,--as-needed -o libtest.so LDFLAGS missing (-Wl,-z,now): gcc -shared -fPIC test.o -Wl,-z -Wl,relro -o .libs/libtest.so.1.0.0 -LDFLAGS missing (-fPIE -pie -Wl,-z,relro): gcc -shared -o libtest.so.0d ./test-a.o test/./test-b.o -Wl,-z,now -lpthread -ldl +LDFLAGS missing (-Wl,-z,relro): gcc -shared -o libtest.so.0d ./test-a.o test/./test-b.o -Wl,-z,now -lpthread -ldl LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): /usr/bin/g++ -shared -fpic -o libtest-6.1.so.0 test.o -ltiff -lz LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc -Wl,--as-needed -fPIE -pie -o test.cgi test.o -lgcrypt CFLAGS missing (-fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -o lib`basename test/test`.so 
@@ -501,8 +501,7 @@ is_blhc 'libtool', '--bindnow', 8, CXXFLAGS missing (-fPIE -Wformat): /bin/bash ../../libtool --tag=CC --mode=compile x86_64-linux-gnu-g++ -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -c test.cpp CFLAGS missing (-fPIE -Wformat): /bin/bash ../../libtool --tag=CC --mode=compile gcc-4.6 -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -c test.c CFLAGS missing (-fPIE -Wformat): /bin/bash ../../libtool --tag=CXX --mode=compile g++-4.6 -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -c test.c -LDFLAGS missing (-fPIE): libtool: link: g++ -shared test-a.o test-b.o test-b.o test-c.o -O2 -pie -Wl,relro -Wl,now -o test.so -LDFLAGS missing (-fPIE -pie -Wl,-z,now): libtool: link: g++ -shared test-a.o test-b.o test-b.o test-c.o -O2 -Wl,relro -o test.so +LDFLAGS missing (-Wl,-z,now): libtool: link: g++ -shared test-a.o test-b.o test-b.o test-c.o -O2 -Wl,relro -o test.so LDFLAGS missing (-fPIE -pie -Wl,-z,now): libtool: link: gcc -Wl,-z -Wl,relro -o test test.o LDFLAGS missing (-fPIE -pie -Wl,-z,now): /bin/bash ../../../libtool --mode=link cc -Wl,-z,relro -o test.so test.o LDFLAGS missing (-fPIE -pie -Wl,-z,now): /bin/bash ../../../libtool --mode=link gcc-4.6 -Wl,-z,relro -o test.so test.o -- 2.44.2 From 1e107c19fd86533a6e0eb426904d6e48b6876844 Mon Sep 17 00:00:00 2001 
From: Simon Ruderich Date: Thu, 29 Mar 2012 17:06:20 +0200 Subject: [PATCH 14/16] Ignore compiler lines with no files with extensions. This prevents many false positives and shouldn't cause any false negatives. Also update $file_extension_regex to exclude ',', ';' and ':' from the file extension which prevents additional false positives. --- bin/blhc | 22 ++++++++++------------ t/logs/configure | 10 ++++++++++ t/logs/good | 2 ++ t/logs/make | 6 ++++++ t/tests.t | 6 +++++- 5 files changed, 33 insertions(+), 13 deletions(-) diff --git a/bin/blhc b/bin/blhc index b4d87e4..4a1c0b1 100755 --- a/bin/blhc +++ b/bin/blhc @@ -144,7 +144,7 @@ my $file_extension_regex = qr/ \s \S+ # Filename without extension. \. - ([^\\.\s]+) # File extension. + ([^\\.,;:\s]+) # File extension. (?=\s|\\) # At end of word. Can't use \b because some files have non # word characters at the end and because \b matches double # extensions (like .cpp.o). Works always as all lines are 
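Review bot: The widened character class `([^\\.,;:\s]+)` is not explained in the regex's own comment; the reason lives only in the commit message. Because the following lookahead `(?=\s|\\)` still demands whitespace or a backslash, a token such as `test.c:` or `foo.o,` now yields no match at all instead of a bogus `c:`/`o,` extension, which is exactly what the new file-extension guard in the later hunk relies on. Suggest `([^\\.,;:\s]+) # File extension. ',', ';' and ':' are excluded so "test.c:" (diagnostics) and "foo.o," do not count as files.`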
@@ -572,23 +572,21 @@ FILE: foreach my $file (@ARGV) { } # Ignore lines with no compiler commands. - next if $line !~ /\b$cc_regex(?:\s|\\)/o and not $non_verbose; + next if not $non_verbose + and not $line =~ /\b$cc_regex(?:\s|\\)/o; + # Ignore lines with no filenames with extensions. May miss + # some non-verbose builds (e.g. "gcc -o test" [sic!]), but + # shouldn't be a problem as the log will most likely contain + # other non-verbose commands which are detected. + next if not $non_verbose + and not $line =~ /$file_extension_regex/o; # Ignore false positives. # # `./configure` output. next if not $non_verbose and $line =~ /^(?:checking|(?:C|c)onfigure:) /; - next if $line =~ /^\s*(?:Host\s+)?(?:C\s+)? - (?:C|c)ompiler[\s.]*:?\s+ - $cc_regex_full - (?:\s-std=[a-z0-9:+]+)?\s*$ - /xo - or $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex_full\s*$/o - or $line =~ /^\s*-- Check for working (?:C|CXX) compiler: / - or $line =~ /^\s*(?:echo )?Using [A-Z_]+\s*=\s*/; - # `make` output. - next if $line =~ /^Making [a-z]+ in \S+/; # e.g. "[...] in c++" + next if $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex_full\s*$/o; # Check if additional hardening options were used. Used to # ensure they are used for the complete build. diff --git a/t/logs/configure b/t/logs/configure index 623c563..b390ba8 100644 --- a/t/logs/configure +++ b/t/logs/configure @@ -29,6 +29,8 @@ Host C compiler gcc Compiler: s390x-linux-gnu-gcc Compiler: sparc-linux-gnu-gcc + C++ Compiler...: g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wall -D_FORTIFY_SOURCE=2 + - General Compile FLAGS - CC = mpicc - CXX = g++ 
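Review bot: The comment on the new file-extension guard says it "may miss some non-verbose builds", but the guard is bypassed whenever `$non_verbose` is set, so what it actually drops are verbose compiler commands that name no file with an extension (its own example `gcc -o test`), and the flags on such a line are then never checked. Suggest rewording the first two comment lines to `# Ignore lines with no filenames with extensions. This also drops a real` / `# compiler command without such a file (e.g. "gcc -o test" [sic!]), whose` / `# flags then go unchecked, but ...`. Note that the buildd fallback `W-no-compiler-commands` added earlier in this series only fires when no compiler line at all survives (`scalar @input == 0`), so a single skipped line in an otherwise normal log is silent; a debug message at this `next` would make the trade-off visible. The enclosing `FILE:` loop body continues outside the hunk.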
@@ -68,6 +70,12 @@ Configuration: -- Check for working CXX compiler: /usr/bin/c++ -- Check for working CXX compiler: /usr/bin/c++ -- works -- Check for working CXX compiler: /usr/bin/c++ -- works +-- Use g++ visibility support..... YES + + setting CPP to "sparc-linux-gnu-gcc -E" + +Looking for compiler... gcc is executable. +Looking for compiler... cc is executable. configure: using CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIC configure: using LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -Wl,--as-needed @@ -83,6 +91,8 @@ Using ALL_CFLAGS=-D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffe echo Using LDFLAGS="-Wl,-z,relro -Wl,--as-needed -fPIE -pie -Wall" Using LDFLAGS=-Wl,-z,relro -Wl,--as-needed -fPIE -pie -Wall ++ CC=cc CFLAGS=-g -O2 -Wformat -Wformat-security -Werror=format-security -Wall -Wformat LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed + CC = cc CC=gcc diff --git a/t/logs/good b/t/logs/good index 74057f5..180a64d 100644 --- a/t/logs/good +++ b/t/logs/good @@ -31,3 +31,5 @@ gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-securit gcc -E -D_FORTIFY_SOURCE=2 test.c gcc -Wl,-z,relro -o test test.cpp.o + +command --cc test diff --git a/t/logs/make b/t/logs/make index 1b5b31e..57584da 100644 --- a/t/logs/make +++ b/t/logs/make @@ -4,3 +4,9 @@ dpkg-buildpackage: source package test Making all in c++ Making install in c++ + +make CC="gcc -Wall -Wextra" CFLAGS="-fPIE" + +CC=gcc /usr/bin/program + +/usr/bin/make CC=g++ DBGFLAGS="-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wl,-z,relro -Wl,--as-needed" diff --git a/t/tests.t b/t/tests.t index 949ed88..69da465 100644 --- a/t/tests.t +++ b/t/tests.t @@ -19,7 +19,7 @@ use strict; use warnings; -use Test::More tests => 102; +use Test::More tests => 104; sub is_blhc { 
@@ -591,6 +591,10 @@ is_blhc 'buildd-verbose-build', '--buildd', 4, 'W-compiler-flags-hidden 1 (of 5) hidden '; +is_blhc 'make', '--buildd', 1, + 'W-no-compiler-commands +'; + # multiple files -- 2.44.2 From 2976a38e3eb5e7fd1568f9dd6d4baacd6e6b484e Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Thu, 29 Mar 2012 17:11:30 +0200 Subject: [PATCH 15/16] Whitespace only change. --- bin/blhc | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/bin/blhc b/bin/blhc index 4a1c0b1..8703745 100755 --- a/bin/blhc +++ b/bin/blhc @@ -142,13 +142,13 @@ my %extension = map { $_ => 1 } ( # Regexp to match file extensions. my $file_extension_regex = qr/ \s - \S+ # Filename without extension. + \S+ # Filename without extension. \. - ([^\\.,;:\s]+) # File extension. - (?=\s|\\) # At end of word. Can't use \b because some files have non - # word characters at the end and because \b matches double - # extensions (like .cpp.o). Works always as all lines are - # terminated with "\n". + ([^\\.,;:\s]+) # File extension. + (?=\s|\\) # At end of word. Can't use \b because some files have non + # word characters at the end and because \b matches double + # extensions (like .cpp.o). Works always as all lines are + # terminated with "\n". /x; # Expected (hardening) flags. All flags are used as regexps. -- 2.44.2 From e8d66101e7bf4ba755df5c5f893402f98131fedf Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Thu, 29 Mar 2012 17:42:15 +0200 Subject: [PATCH 16/16] Detect more C++ non-verbose builds. --- bin/blhc | 8 +++++++- t/logs/configure | 4 ++++ t/logs/verbose-build | 3 +++ t/tests.t | 2 ++ 4 files changed, 16 insertions(+), 1 deletion(-) diff --git a/bin/blhc b/bin/blhc index 8703745..9800eaf 100755 --- a/bin/blhc +++ b/bin/blhc 
@@ -312,13 +312,16 @@ sub is_non_verbose_build { my ($line, $next_line, $skip_ref) = @_; if (not ($line =~ /^checking if you want to see long compiling messages\.\.\. no/ - or $line =~ /^\s*\[?(?:CC|CCLD|CXX|CXXLD|LD|LINK)\]?\s+(.+?)$/ + or $line =~ /^\s*\[?(?:CC|CCLD|C\+\+|CXX|CXXLD|LD|LINK)\]?\s+(.+?)$/ or $line =~ /^\s*(?:C|c)ompiling\s+(.+?)(?:\.\.\.)?$/ or $line =~ /^\s*(?:B|b)uilding (?:program|shared library)\s+(.+?)$/ or $line =~ /^\s*\[[\d ]+%\] Building (?:C|CXX) object (.+?)$/)) { return 0; } + # False positives. + return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/; + my $file = $1; # On the first pass we only check if this line is verbose or not. @@ -586,6 +589,9 @@ FILE: foreach my $file (@ARGV) { # `./configure` output. next if not $non_verbose and $line =~ /^(?:checking|(?:C|c)onfigure:) /; + next if $line =~ /^\s*(?:Host\s+)?(?:C(?:\+\+)?\s+)? + (?:C|c)ompiler[\s.]*:?\s+ + /xo; next if $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex_full\s*$/o; # Check if additional hardening options were used. Used to diff --git a/t/logs/configure b/t/logs/configure index b390ba8..91cb354 100644 --- a/t/logs/configure +++ b/t/logs/configure @@ -77,11 +77,15 @@ Configuration: Looking for compiler... gcc is executable. Looking for compiler... cc is executable. +Compiler version: gcc (Debian 4.6.3-1) 4.6.3 + configure: using CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIC configure: using LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -Wl,--as-needed configure: Compiling with gcc -fstack-protector-all et al. + C++ library: yes + echo Using CC="gcc" Using CC=gcc echo Using CXX="gcc" diff --git a/t/logs/verbose-build b/t/logs/verbose-build index 835e7c5..aca060b 100644 --- a/t/logs/verbose-build +++ b/t/logs/verbose-build 
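Review bot: In `is_non_verbose_build` the new `return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;` now sits between the capturing alternation and `my $file = $1;`, so `$file` depends on a failed match leaving `$1` untouched; that holds in Perl, but it is easy to break the next time a filter is inserted here. Capture first, then filter: `my $file = $1;` followed by `# False positives.` and `return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;`. The rest of the function is outside the hunk.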
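Review bot: The re-added compiler-summary filter `/^\s*(?:Host\s+)?(?:C(?:\+\+)?\s+)?(?:C|c)ompiler[\s.]*:?\s+/xo` interpolates no variable, so `/o` does nothing here and should be dropped in favour of `/x` alone. Unlike the filter removed two commits earlier it no longer requires `$cc_regex_full` after the colon and, unlike the `checking|configure:` line just above it, it is not guarded by `not $non_verbose`, so any line that starts with a word like `Compiler:` is discarded whatever follows; if that breadth is intended, a comment such as `# configure summaries, e.g. "Compiler version: gcc ..."` would record it. The enclosing `FILE:` loop body continues outside the hunk.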
@@ -48,6 +48,9 @@ checking whether compiling and linking against OpenSSL works... yes CC modules/server/test.c + C++ test/test.o +C++ test.cpp + Byte-compiling python modules... Byte-compiling python modules (optimized versions) ... Byte-compiling python modules... diff --git a/t/tests.t b/t/tests.t index 69da465..0d9281a 100644 --- a/t/tests.t +++ b/t/tests.t @@ -377,6 +377,8 @@ NONVERBOSE BUILD: [CC] src/test-b.o NONVERBOSE BUILD: [CC] src/test_c.o NONVERBOSE BUILD: [LD] src/test.o NONVERBOSE BUILD: CC modules/server/test.c +NONVERBOSE BUILD: C++ test/test.o +NONVERBOSE BUILD: C++ test.cpp NONVERBOSE BUILD: Compiling test/test.cc to ../build/test/test.o NONVERBOSE BUILD: Building shared library ../build/test/libtest.so.1.2.3 NONVERBOSE BUILD: Compiling test.cc to ../build/test/test.o -- 2.44.2