lunar (1) blhc.1p.gz

Provided by: blhc_0.13-4_all bug

NAME

       blhc - build log hardening check, checks build logs for missing hardening flags

SYNOPSIS

       blhc [options] <dpkg-buildpackage build log file>..

DESCRIPTION

       blhc is a small tool which checks build logs for missing hardening flags. It's licensed
       under the GPL 3 or later.

       It's designed to check build logs generated by Debian's dpkg-buildpackage (or tools using
       dpkg-buildpackage like pbuilder or sbuild (which is used for the official buildd build
       logs)) to help maintainers detect missing hardening flags in their packages.

       Only gcc is detected as compiler at the moment. If other compilers support hardening flags
       as well, please report them.

       If there's no output, no flags are missing and the build log is fine.

       See README for details about performed checks, auto-detection and limitations.

FALSE POSITIVES

       To suppress false positives you can embed the following string in the build log:

           blhc: ignore-line-regexp: REGEXP

       All lines fully matching REGEXP (see --ignore-line for details) will be ignored.

       Please use this feature sparingly so that missing flags are not overlooked. If you find
       false positives which affect more packages please report a bug.

       To generate this string simply use echo in "debian/rules"; make sure to use @ to suppress
       the echo command itself as it could also trigger a false positive.  If the build process
       takes a long time edit the ".build" file in place and tweak the ignore string until blhc
       --all --debian package.build no longer reports any false positives.

OPTIONS

       --all   Force check for all +all (+pie, +bindnow) hardening flags. By default it's auto
               detected.

       --arch architecture
               Set the specific architecture (e.g. amd64, armel, etc.), automatically disables
               hardening flags not available on this architecture. Is detected automatically if
               dpkg-buildpackage is used.

       --bindnow
               Force check for all +bindnow hardening flags. By default it's auto detected.

       --buildd
               Special mode for buildds when automatically parsing log files. The following
               changes are in effect:

               • Print tags instead of normal warnings, see "BUILDD TAGS" for a list of possible
                 tags.

               • Don't check hardening flags in old log files (if dpkg-dev << 1.16.1 is
                 detected).

               • Don't require Term::ANSIColor.

               • Return exit code 0, unless there was a error (-I, -W messages don't count as
                 error).

       --debian
               Apply Debian-specific settings. At the moment this only disables checking for PIE
               which is automatically applied by Debian's GCC and no longer requires a compiler
               command line argument.

       --color Use colored (ANSI) output for warning messages.

       --line-numbers
               Display line numbers.

       --ignore-arch arch
               Ignore build logs from architectures matching arch. arch is a string.

               Used to prevent false positives. This option can be specified multiple times.

       --ignore-arch-flag arch:flag
               Like --ignore-flag, but only ignore flag on arch.

       --ignore-arch-line arch:line
               Like --ignore-line, but only ignore line on arch.

       --ignore-flag flag
               Don't print an error when the specific flag is missing in a compiler line.  flag
               is a string.

               Used to prevent false positives. This option can be specified multiple times.

       --ignore-line regex
               Ignore lines matching the given Perl regex. regex is automatically anchored at the
               beginning and end of the line to prevent false negatives.

               NOTE: Not the input lines are checked, but the lines which are displayed in
               warnings (which have line continuation resolved).

               Used to prevent false positives. This option can be specified multiple times.

       --pie   Force check for all +pie hardening flags. By default it's auto detected.

       -h -? --help
               Print available options.

       --version
               Print version number and license.

       Auto detection for --pie and --bindnow only works if at least one command uses the
       required hardening flag (e.g. -fPIE). Then it's required for all other commands as well.

EXAMPLES

       Normal usage, parse a single log file.

           blhc path/to/log/file

       If there's no output, no flags are missing and the build log is fine.

       Parse multiple log files. The exit code is ORed over all files.

           blhc path/to/directory/with/log/files/*

       Don't treat missing "-g" as error:

           blhc --ignore-flag -g path/to/log/file

       Don't treat missing "-pie" on kfreebsd-amd64 as error:

           blhc --ignore-arch-flag kfreebsd-amd64:-pie path/to/log/file

       Ignore lines consisting exactly of "./script gcc file" which would cause a false positive.

           blhc --ignore-line '\./script gcc file' path/to/log/file

       Ignore lines matching "./script gcc file" somewhere in the line.

           blhc --ignore-line '.*\./script gcc file.*' path/to/log/file

       Use blhc with pbuilder.

           pbuilder path/to/package.dsc | tee path/log/file
           blhc path/to/file || echo flags missing

       Assume this build log was created on a Debian system and thus don't warn about missing PIE
       flags if the current architecture injects them automatically (this is enabled in buildd
       mode per default). "--arch" is necessary if the build log contains no architecture
       information as written by dpkg-buildpackage.

           blhc --debian --all --arch=amd64 path/to/log/file

BUILDD TAGS

       The following tags are used in --buildd mode. In braces the additional data which is
       displayed.

       I-hardening-wrapper-used
         The package uses hardening-wrapper which intercepts calls to gcc and adds hardening
         flags. The build log doesn't contain any hardening flags and thus can't be checked by
         blhc.

       W-compiler-flags-hidden (summary of hidden lines)
         Build log contains lines which hide the real compiler flags. For example:

             CC test-a.c
             CC test-b.c
             CC test-c.c
             LD test

         Most of the time either "export V=1" or "export verbose=1" in debian/rules fixes builds
         with hidden compiler flags. Sometimes ".SILENT" in a Makefile must be removed. And as
         last resort the Makefile must be patched to remove the "@"s hiding the real compiler
         commands.

       W-dpkg-buildflags-missing (summary of missing flags)
         CPPFLAGS, CFLAGS, CXXFLAGS, LDFLAGS missing.

       I-invalid-cmake-used (version)
         By default CMake ignores CPPFLAGS thus missing those hardening flags. Debian patched
         CMake in versions 2.8.7-1 and 2.8.7-2 to respect CPPFLAGS, but this patch was rejected
         by upstream and later reverted in Debian. Thus those two versions show correct usage of
         CPPFLAGS even if the package doesn't correctly handle them (for example by passing them
         to CFLAGS). To prevent false negatives just blacklist those two versions.

       I-no-compiler-commands
         No compiler commands were detected. Either the log contains none or they were not
         correctly detected by blhc (please report the bug in this case).

EXIT STATUS

       The exit status is a "bit mask", each listed status is ORed when the error condition
       occurs to get the result.

       0   Success.

       1   No compiler commands were found.

       2   Invalid arguments/options given to blhc.

       4   Non verbose build.

       8   Missing hardening flags.

       16  Hardening wrapper detected, no tests performed.

       32  Invalid CMake version used. See I-invalid-cmake-used under "BUILDD TAGS" for a
           detailed explanation.

AUTHOR

       Simon Ruderich, <simon@ruderich.org>

       Thanks to to Bernhard R. Link <brlink@debian.org> and Jaria Alto <jari.aalto@cante.net>
       for their valuable input and suggestions.

       Copyright (C) 2012-2020 by Simon Ruderich

       This program is free software: you can redistribute it and/or modify it under the terms of
       the GNU General Public License as published by the Free Software Foundation, either
       version 3 of the License, or (at your option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
       without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
       See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with this program.
       If not, see <http://www.gnu.org/licenses/>.

SEE ALSO

       hardening-check(1), dpkg-buildflags(1)