BLHC(1) 						User Contributed Perl Documentation						   BLHC(1)

NAME

       blhc - build log hardening check, checks build logs for missing hardening flags

SYNOPSIS

       blhc [options] <dpkg-buildpackage build log file>..

DESCRIPTION

       blhc is a small tool which checks build logs for missing hardening flags. It's licensed under the GPL 3 or later.

       It's designed to check build logs generated by Debian's dpkg-buildpackage (or tools using dpkg-buildpackage like pbuilder or the official
       buildd build logs) to help maintainers detect missing hardening flags in their packages.

       Only gcc is detected as compiler at the moment. If other compilers support hardening flags as well, please report them.

       If there's no output, no flags are missing and the build log is fine.

OPTIONS

       --all   Force check for all +all (+pie, +bindnow) hardening flags. By default it's auto detected.

       --arch architecture
	       Set the specific architecture (e.g. amd64, armel, etc.), automatically disables hardening flags not available on this architecture.
	       Is detected automatically if dpkg-buildpackage is used.

       --bindnow
	       Force check for all +bindnow hardening flags. By default it's auto detected.

       --buildd
	       Special mode for buildds when automatically parsing log files. The following changes are in effect:

	       o Print tags instead of normal warnings, see "BUILDD TAGS" for a list of possible tags.

	       o Don't check hardening flags in old log files (if dpkg-dev << 1.16.1 is detected).

	       o Don't require Term::ANSIColor.

	       o Return exit code 0, unless there was a error (-I, -W messages don't count as error).

       --color Use colored (ANSI) output for warning messages.

       --ignore-arch arch
	       Ignore build logs from architectures matching arch. arch is a string.

	       Used to prevent false positives. This option can be specified multiple times.

       --ignore-arch-flag arch:flag
	       Like --ignore-flag, but only ignore flag on arch.

       --ignore-arch-line arch:line
	       Like --ignore-line, but only ignore line on arch.

       --ignore-flag flag
	       Don't print an error when the specific flag is missing in a compiler line.  flag is a string.

	       Used to prevent false positives. This option can be specified multiple times.

       --ignore-line regex
	       Ignore lines matching the given Perl regex. regex is automatically anchored at the beginning and end of the line to prevent false
	       negatives.

	       NOTE: Not the input lines are checked, but the lines which are displayed in warnings (which have line continuation resolved).

	       Used to prevent false positives. This option can be specified multiple times.

       --pie   Force check for all +pie hardening flags. By default it's auto detected.

       -h -? --help
	       Print available options.

       --version
	       Print version number and license.

       Auto detection for --pie and --bindnow only works if at least one command uses the required hardening flag (e.g. -fPIE). Then it's required
       for all other commands as well.

EXAMPLES

       Normal usage, parse a single log file.

	   blhc path/to/log/file

       If there's no output, no flags are missing and the build log is fine.

       Parse multiple log files. The exit code is ORed over all files.

	   blhc path/to/directory/with/log/files/*

       Don't treat missing "-g" as error:

	   blhc --ignore-flag -g path/to/log/file

       Don't treat missing "-pie" on kfreebsd-amd64 as error:

	   blhc --ignore-arch-flag kfreebsd-amd64:-pie path/to/log/file

       Ignore lines consisting exactly of "./script gcc file" which would cause a false positive.

	   blhc --ignore-line './script gcc file' path/to/log/file

       Ignore lines matching "./script gcc file" somewhere in the line.

	   blhc --ignore-line '.*./script gcc file.*' path/to/log/file

       Use blhc with pbuilder.

	   pbuilder path/to/package.dsc | tee path/log/file
	   blhc path/to/file || echo flags missing

BUILDD TAGS

       The following tags are used in --buildd mode. In braces the additional data which is displayed.

       I-hardening-wrapper-used
	 The package uses hardening-wrapper which intercepts calls to gcc and adds hardening flags. The build log doesn't contain any hardening
	 flags and thus can't be checked by blhc.

       W-compiler-flags-hidden (summary of hidden lines)
	 Build log contains lines which hide the real compiler flags. For example:

	     CC test-a.c
	     CC test-b.c
	     CC test-c.c
	     LD test

	 Most of the time either "export V=1" or "export verbose=1" in debian/rules fixes builds with hidden compiler flags. Sometimes ".SILENT"
	 in a Makefile must be removed. And as last resort the Makefile must be patched to remove the "@"s hiding the real compiler commands.

       W-dpkg-buildflags-missing (summary of missing flags)
	 CPPFLAGS, CFLAGS, CXXFLAGS, LDFLAGS missing.

       I-invalid-cmake-used (version)
	 By default CMake ignores CPPFLAGS thus missing those hardening flags. Debian patched CMake in versions 2.8.7-1 and 2.8.7-2 to respect
	 CPPFLAGS, but this patch was rejected by upstream and later reverted in Debian. Thus those two versions show correct usage of CPPFLAGS
	 even if the package doesn't correctly handle them (for example by passing them to CFLAGS). To prevent false negatives just blacklist
	 those two versions.

       I-no-compiler-commands
	 No compiler commands were detected. Either the log contains none or they were not correctly detected by blhc (please report the bug in
	 this case).

EXIT STATUS

       The exit status is a "bit mask", each listed status is ORed when the error condition occurs to get the result.

       0   Success.

       1   No compiler commands were found.

       2   Invalid arguments/options given to blhc.

       4   Non verbose build.

       8   Missing hardening flags.

       16  Hardening wrapper detected, no tests performed.

       32  Invalid CMake version used. See I-invalid-cmake-used under "BUILDD TAGS" for a detailed explanation.

AUTHOR

       Simon Ruderich, <simon@ruderich.org>

       Thanks to to Bernhard R. Link <brlink@debian.org> and Jaria Alto <jari.aalto@cante.net> for their valuable input and suggestions.

COPYRIGHT AND LICENSE

       Copyright (C) 2012 by Simon Ruderich

       This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
       the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with this program.  If not, see <http://www.gnu.org/licenses/>.

SEE ALSO

       hardening-check(1), dpkg-buildflags(1)

perl v5.14.2							    2012-06-27								   BLHC(1)