Updated on 2025-06-05 GMT+08:00

How Do I Handle Secure Compiler Option Vulnerabilities?

CodeArts Governance checks C, C++, and Go files to determine whether they were built with secure compiler options that defend against attacks.

Handle secure compiler option issues as follows.

  1. Export the Excel report and view the secure compiler option sheet.
  2. Obtain the file source according to the filepath column.
  3. View the check items and handle the vulnerabilities accordingly.
    • If a check item is passed, its result is shown in green and no further action is required. For files that pass the Rpath check, the result is No or N/A. For all other passed check items, the result is YES or N/A.
    • For files that fail a check item, obtain their build scripts and add the corresponding secure compiler options. Note that Ftrapv and FS may affect the files, so add them based on your needs.
Table 1 Secure compiler options

| Item | Description | Parameter |
| --- | --- | --- |
| BIND_NOW | Immediate binding | -Wl,-z,now |
| NX | Non-executable stack | -Wl,-z,noexecstack |
| PIC | Position-independent | -fPIC |
| PIE | Position-independent executable | -fPIE or -pie |
| Relocation read-only (RELRO) | Global Offset Table (GOT) protection | -Wl,-z,relro |
| SP | Stack protection | -fstack-protector-strong or -fstack-protector-all |
| NO Rpath/Runpath | Dynamic library search path (forbidden) | Delete --rpath from the script. |
| FS | Fortify Source (buffer overflow check) | -D_FORTIFY_SOURCE=2 |
| Ftrapv | Integer overflow check | -ftrapv |
| Strip | Symbol table deletion | -s |
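
After changing a build script, you can confirm that the rebuilt file actually carries the linker-level items from Table 1 (PIE, NX, RELRO, BIND_NOW, Rpath/Runpath) before scanning it again. The following is an added example, not CodeArts Governance code and not a description of how its scan works; it reads ELF64 program headers and dynamic entries directly. The names `check_hardening` and `build_sample` and the two sample images are constructed for illustration.

```python
import struct

# Constants from the ELF gABI and its GNU extensions.
ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 3, 2, 0x6474E551, 0x6474E552
DT_RPATH, DT_BIND_NOW, DT_RUNPATH, DT_FLAGS, DT_FLAGS_1 = 15, 24, 29, 30, 0x6FFFFFFB
PF_X, DF_BIND_NOW, DF_1_NOW = 0x1, 0x8, 0x1

def check_hardening(elf: bytes) -> dict:
    """Check five Table 1 items on a little-endian ELF64 image.
    "PIE" is True for ET_DYN, which covers PIE executables and shared objects."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    e_type, e_phoff = struct.unpack_from("<H14xQ", elf, 16)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    r = {"PIE": e_type == ET_DYN, "NX": False, "RELRO": False,
         "BIND_NOW": False, "Rpath": False}
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, p_filesz = struct.unpack_from("<IIQ16xQ", elf, ph)
        if p_type == PT_GNU_STACK:      # -Wl,-z,noexecstack clears PF_X
            r["NX"] = not p_flags & PF_X
        elif p_type == PT_GNU_RELRO:    # emitted by -Wl,-z,relro
            r["RELRO"] = True
        elif p_type == PT_DYNAMIC:      # 16-byte (tag, value) entries
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == 0:            # DT_NULL ends the table
                    break
                if tag in (DT_RPATH, DT_RUNPATH):
                    r["Rpath"] = True
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    r["BIND_NOW"] = True   # set by -Wl,-z,now
    return r

def build_sample(e_type, stack_flags, dyn, relro):
    """Constructed header-only ELF64 image, just enough for the checks above."""
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(0, 0)])
    phdrs = [(PT_GNU_STACK, stack_flags, 0), (PT_DYNAMIC, 6, len(dyn_bytes))]
    phdrs += [(PT_GNU_RELRO, 4, 0)] if relro else []
    dyn_off = 64 + 56 * len(phdrs)
    ehdr = struct.pack("<6s10xHHIQQQIHHHHHH", b"\x7fELF\x02\x01", e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off, 0, 0, sz, sz, 8)
                    for t, f, sz in phdrs)
    return ehdr + body + dyn_bytes

HARDENED = build_sample(ET_DYN, 6, [(DT_FLAGS, DF_BIND_NOW)], relro=True)
WEAK = build_sample(2, 7, [(DT_RUNPATH, 0)], relro=False)   # ET_EXEC, RWX stack
print(check_hardening(HARDENED), check_hardening(WEAK), sep="\n")
```

To check a real file, pass `open(path, "rb").read()` to `check_hardening`. The remaining Table 1 items are not recorded in program headers or dynamic tags, so they are outside this check.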