How Do I Handle Secure Compiler Option Vulnerabilities?
CodeArts Governance checks the C, C++, and Go files to see whether there are secure compiler options to defend against attacks.
Handle the secure compiler option issues according to the following instructions.
- Export the Excel report and view the secure compiler option sheet.
- Obtain the file source according to the filepath column.
- View the check items and handle the vulnerabilities accordingly.
- If a check item is passed, its result is shown in green and no further action is required. For files that pass the Rpath check, the result is No or N/A. For other passed check items, the result is YES or N/A.
- For files that fail a check item, obtain their build scripts and add the secure compiler options accordingly. Note that Ftrapv and FS may affect the files, so add them based on your needs.
| Item | Description | Parameter |
|---|---|---|
| BIND_NOW | Immediate binding | -Wl,-z,now |
| NX | Non-executable stack | -Wl,-z,noexecstack |
| PIC | Position-independent | -fPIC |
| PIE | Position-independent executable | -fPIE or -pie |
| Relocation read-only (RELRO) | Global Offset Table (GOT) protection | -Wl,-z,relro |
| SP | Stack protection | -fstack-protector-strong or -fstack-protector-all |
| NO Rpath/Runpath | Dynamic library search path (forbidden) | Delete --rpath from the script. |
| FS | Fortify Source (buffer overflow check) | -D_FORTIFY_SOURCE=2 |
| Ftrapv | Integer overflow check | -ftrapv |
| Strip | Symbol table deletion | -s |
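
After rebuilding with the options above, the link-time items (PIE, NX, RELRO, BIND_NOW, NO Rpath/Runpath) can be confirmed from the ELF headers of the output file. The following is an added example, not part of the original page and not CodeArts Governance's own check logic; it assumes a little-endian ELF64 file, and `check_elf`, `make_elf` and the two sample images are constructed for illustration.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_RPATH, DT_BIND_NOW, DT_RUNPATH, DT_FLAGS, DT_FLAGS_1 = 15, 24, 29, 30, 0x6FFFFFFB

def check_elf(data):
    """Return the link-time items from the table for a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (phoff,) = struct.unpack_from("<Q", data, 32)
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    # ET_DYN (3) is what -pie produces; shared libraries are ET_DYN too.
    # A missing PT_GNU_STACK header is reported as NX = False (this example's choice).
    res = {"PIE": e_type == 3, "NX": False, "RELRO": False,
           "BIND_NOW": False, "NO Rpath/Runpath": True}
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, p_flags, p_offset = struct.unpack_from("<IIQ", data, base)
        (p_filesz,) = struct.unpack_from("<Q", data, base + 32)
        if p_type == PT_GNU_STACK:        # -Wl,-z,noexecstack clears PF_X (bit 0)
            res["NX"] = not (p_flags & 1)
        elif p_type == PT_GNU_RELRO:      # -Wl,-z,relro adds this segment
            res["RELRO"] = True
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == 0:              # DT_NULL ends the dynamic array
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & 0x8) \
                        or (tag == DT_FLAGS_1 and val & 0x1):
                    res["BIND_NOW"] = True   # -Wl,-z,now
                if tag in (DT_RPATH, DT_RUNPATH):
                    res["NO Rpath/Runpath"] = False
    return res

def make_elf(e_type, stack_flags, relro, dyn):
    """Constructed sample input: headers and dynamic array only, no code."""
    phdrs = [(PT_GNU_STACK, stack_flags, 0, 0)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0))
    dyn_off = 64 + 56 * (len(phdrs) + 1)
    dyn_raw = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(0, 0)])
    phdrs.append((PT_DYNAMIC, 6, dyn_off, len(dyn_raw)))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, s, s, 8)
                           for t, f, o, s in phdrs) + dyn_raw

HARDENED = make_elf(3, 6, True, [(DT_FLAGS, 0x8), (DT_FLAGS_1, 0x1)])  # constructed
WEAK = make_elf(2, 7, False, [(DT_RPATH, 1)])                          # constructed
```

A PT_GNU_RELRO segment without BIND_NOW gives only partial RELRO; both items must pass for the GOT to be fully read-only.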