
NAME


blhc - build log hardening check, checks build logs for missing hardening flags

SYNOPSIS


blhc [options] <dpkg-buildpackage build log file>...

DESCRIPTION


blhc is a small tool which checks build logs for missing hardening flags. It's licensed
under the GPL 3 or later.

It's designed to check build logs generated by Debian's dpkg-buildpackage, or by tools that
wrap dpkg-buildpackage such as pbuilder or sbuild (the latter produces the official buildd
build logs), to help maintainers detect missing hardening flags in their packages.

Only gcc is detected as a compiler at the moment. If other compilers support hardening
flags as well, please report them.

If there's no output, no flags are missing and the build log is fine.

See README for details about performed checks, auto-detection and limitations.

OPTIONS


--all Force check for all +all (+pie, +bindnow) hardening flags. By default these are
auto-detected.

--arch architecture
Set the specific architecture (e.g. amd64, armel, etc.), automatically disables
hardening flags not available on this architecture. Is detected automatically if
dpkg-buildpackage is used.

--bindnow
Force check for all +bindnow hardening flags. By default it's auto-detected.

--buildd
Special mode for buildds when automatically parsing log files. The following
changes are in effect:

· Print tags instead of normal warnings, see "BUILDD TAGS" for a list of possible
tags.

· Don't check hardening flags in old log files (if dpkg-dev << 1.16.1, i.e. a version
older than 1.16.1, is detected).

· Don't require Term::ANSIColor.

· Return exit code 0 unless there was an error (-I and -W messages don't count as
errors).

--color Use colored (ANSI) output for warning messages.

--ignore-arch arch
Ignore build logs from architectures matching arch. arch is a string.

Used to prevent false positives. This option can be specified multiple times.

--ignore-arch-flag arch:flag
Like --ignore-flag, but only ignore flag on arch.

--ignore-arch-line arch:line
Like --ignore-line, but only ignore line on arch.

--ignore-flag flag
Don't print an error when the specific flag is missing in a compiler line. flag
is a string.

Used to prevent false positives. This option can be specified multiple times.

--ignore-line regex
Ignore lines matching the given Perl regex. regex is automatically anchored at the
beginning and end of the line to prevent false negatives.

NOTE: The regex is matched not against the raw input lines but against the lines as
displayed in warnings, i.e. with line continuations already resolved.

Used to prevent false positives. This option can be specified multiple times.

--pie Force check for all +pie hardening flags. By default it's auto-detected.

-h -? --help
Print available options.

--version
Print version number and license.

Auto-detection for --pie and --bindnow only triggers if at least one command uses the
corresponding hardening flag (e.g. -fPIE); the flag is then required for all other
commands as well.

EXAMPLES


Normal usage, parse a single log file.

blhc path/to/log/file

If there's no output, no flags are missing and the build log is fine.

Parse multiple log files. The exit code is ORed over all files.

blhc path/to/directory/with/log/files/*

Don't treat missing "-g" as error:

blhc --ignore-flag -g path/to/log/file

Don't treat missing "-pie" on kfreebsd-amd64 as error:

blhc --ignore-arch-flag kfreebsd-amd64:-pie path/to/log/file

Ignore lines consisting exactly of "./script gcc file", which would cause a false positive.

blhc --ignore-line '\./script gcc file' path/to/log/file

Ignore lines matching "./script gcc file" somewhere in the line.

blhc --ignore-line '.*\./script gcc file.*' path/to/log/file

Use blhc with pbuilder. Capture the build output (including stderr) to a file and check
that file afterwards; the same path must be used in both commands.

pbuilder build path/to/package.dsc 2>&1 | tee path/to/log/file
blhc path/to/log/file || echo flags missing

BUILDD TAGS


The following tags are used in --buildd mode. The additional data displayed with a tag
is shown in parentheses.

I-hardening-wrapper-used
The package uses hardening-wrapper which intercepts calls to gcc and adds hardening
flags. The build log doesn't contain any hardening flags and thus can't be checked by
blhc.

W-compiler-flags-hidden (summary of hidden lines)
Build log contains lines which hide the real compiler flags. For example:

CC test-a.c
CC test-b.c
CC test-c.c
LD test

Most of the time either "export V=1" or "export verbose=1" in debian/rules fixes builds
with hidden compiler flags. Sometimes ".SILENT" in a Makefile must be removed. And as
last resort the Makefile must be patched to remove the "@"s hiding the real compiler
commands.

W-dpkg-buildflags-missing (summary of missing flags)
One or more of the CPPFLAGS, CFLAGS, CXXFLAGS or LDFLAGS set by dpkg-buildflags are
missing from a compiler or linker line.

I-invalid-cmake-used (version)
By default CMake ignores CPPFLAGS, so the hardening flags carried in CPPFLAGS are lost.
Debian patched CMake in versions 2.8.7-1 and 2.8.7-2 to respect CPPFLAGS, but this patch
was rejected by upstream and later reverted in Debian. Thus a log built with those two
versions shows correct usage of CPPFLAGS even if the package doesn't handle them correctly
(for example by passing them to CFLAGS). To prevent such false negatives, those two
versions are blacklisted and reported with this tag.

I-no-compiler-commands
No compiler commands were detected. Either the log contains none or they were not
correctly detected by blhc (please report the bug in this case).

EXIT STATUS


The exit status is a bit mask: each listed value is ORed into the result when its
condition occurs.

0 Success.

1 No compiler commands were found.

2 Invalid arguments/options given to blhc.

4 Non verbose build.

8 Missing hardening flags.

16 Hardening wrapper detected, no tests performed.

32 Invalid CMake version used. See I-invalid-cmake-used under "BUILDD TAGS" for a
detailed explanation.
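The following Python script is an added illustration of the checks described in OPTIONS
(--ignore-line anchoring and continuation handling, --ignore-flag, --pie/--bindnow
auto-detection), BUILDD TAGS (W-compiler-flags-hidden) and EXIT STATUS (the ORed bit mask).
It is not blhc's own Perl code. The list of required flags is an assumption modelled on
what dpkg-buildflags emits with hardening=+all on amd64 (blhc's real check set is in its
README), the compiler-line recognisers are simplified, and SAMPLE_LOG is constructed, not
a real build log.

```python
"""Miniature build-log hardening check in the spirit of blhc (added illustration).

This is not blhc's own Perl code.  The flag lists below are an assumption: they
mirror what dpkg-buildflags emits with hardening=+all on amd64; blhc's real
check set is described in its README.  SAMPLE_LOG is constructed, not a real log.
"""
import re

# Assumed required flags per compiler phase (not blhc's authoritative list).
COMPILE_REQUIRED = ["-fstack-protector-strong", "-Wformat",
                    "-Werror=format-security", "-D_FORTIFY_SOURCE=2"]
LINK_REQUIRED = ["-Wl,-z,relro"]
PIE_COMPILE, PIE_LINK, BINDNOW = "-fPIE", "-pie", "-Wl,-z,now"

# Exit status bits as documented in blhc(1).
EXIT_BITS = {1: "No compiler commands were found", 2: "Invalid arguments",
             4: "Non verbose build", 8: "Missing hardening flags",
             16: "Hardening wrapper detected", 32: "Invalid CMake version used"}

# Assumed recognisers: gcc-style compiler lines, and "CC foo.c" style lines
# that hide the real command (reported as W-compiler-flags-hidden).
GCC_RE = re.compile(r"^\s*(?:\S*/)?(?:gcc|g\+\+|cc|c\+\+)(?:-[\d.]+)?\s")
HIDDEN_RE = re.compile(r"^\s*(?:CC|CXX|LD|CCLD)\s+\S+$")


def resolve_continuations(lines):
    """Join lines ending in a backslash; --ignore-line is matched after this step."""
    out, buf = [], ""
    for line in lines:
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def check_log(lines, ignore_lines=(), ignore_flags=(), force_pie=False,
              force_bindnow=False):
    """Return (exit_code, warnings) for a list of build-log lines.

    ignore_lines mimics --ignore-line (regex anchored at both ends, hence
    fullmatch); ignore_flags mimics --ignore-flag; force_* mimic --pie/--bindnow.
    """
    ignore_res = [re.compile(rx) for rx in ignore_lines]
    commands, hidden = [], []
    for line in resolve_continuations(lines):
        if any(r.fullmatch(line) for r in ignore_res):
            continue
        if HIDDEN_RE.match(line):
            hidden.append(line)
        elif GCC_RE.match(line):
            commands.append(line.split())

    code, warnings = 0, []
    if not commands:
        code |= 1
    if hidden:
        code |= 4
        warnings.append(f"W-compiler-flags-hidden ({len(hidden)} lines)")

    # Auto-detection rule from blhc(1): once any command uses the PIE or
    # bindnow flag, it becomes required for every other command too.
    pie = force_pie or any(PIE_COMPILE in c or PIE_LINK in c for c in commands)
    bindnow = force_bindnow or any(BINDNOW in c for c in commands)

    for cmd in commands:
        compiling = "-c" in cmd           # -c: compile only; otherwise a link step
        required = list(COMPILE_REQUIRED if compiling else LINK_REQUIRED)
        if pie:
            required.append(PIE_COMPILE if compiling else PIE_LINK)
        if bindnow and not compiling:
            required.append(BINDNOW)
        missing = [f for f in required if f not in cmd and f not in ignore_flags]
        if missing:
            code |= 8
            warnings.append(f"{' '.join(cmd)}: missing {' '.join(missing)}")
    return code, warnings


def describe_exit(code):
    """Decode the ORed exit status into the conditions listed under EXIT STATUS."""
    return [name for bit, name in sorted(EXIT_BITS.items()) if code & bit]


# Constructed log: a.c is fully hardened (and uses -fPIE, which turns PIE
# checking on for everything else), b.c spans two lines and lacks flags,
# c.c is hidden behind "CC", and the final link step has relro but no -pie.
SAMPLE_LOG = """\
gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -fPIE -c -o a.o a.c
gcc -g -O2 -Wformat -Werror=format-security \\
    -D_FORTIFY_SOURCE=2 -c -o b.o b.c
CC c.c
gcc -Wl,-z,relro -o prog a.o b.o c.o
""".splitlines()

if __name__ == "__main__":
    code, warnings = check_log(SAMPLE_LOG)
    print("\n".join(warnings))
    print("exit status", code, describe_exit(code))
```

Running the script on SAMPLE_LOG reports the hidden "CC c.c" line, the two flags missing
from the b.c compile (which is only visible because the continuation was joined first)
and the missing -pie on the link step, and exits with 4 | 8 = 12. Passing an
ignore_lines pattern without a trailing ".*" shows the anchoring rule: a prefix match is
not enough to suppress a line.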
