New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider applying flags for warnings about potential security issues #112301
Comments
I don't think we want |
These warnings do no make much sense in current use-cases:
I think that they should be silenced / ignored. |
@mdboom Are you okay with me editing your topic to create a checklist style table with links to either why we're not implementing or the actual implementation? My guess is we'll be adopting these one by one :) |
@sethmlarson: Good idea. |
Sounds a good approach. To share another method that could additionally help: as part of #101100, we're working through a lot of docs "nit-picky" warnings. When building the docs, we only allow warnings to occur in files that already have warnings and are listed in a We also fail the docs build if we "accidentally" clean a file: if warnings do not occur in a file where we previously expected warnings, so the file must also be removed from the list, again to prevent regressions. This does need some custom tooling, but it's helped us make gradual progress, and we've fixed 40% so far. |
I am in favor of a solution like this. It would not require any custom tooling as we could change the build arguments to whatever we find consensus in and then silence compiler warnings for offending lines until somebody comes along and fixes them. This also allows us to silence errors locally, but enforce them globally. That way we could still have |
Feature or enhancement
Proposal:
At a recent meeting of OpenSSF's Memory Safety SIG, I became aware of the C/C++ hardening guide they are putting together.
At a high-level, they recommend compiling with the following flags:
(
-shared
doesn't really make sense as a global CFLAG, so I removed it.)When compiling on most x86 architectures (amd64, i386 and x32), add:
At @sethmlarson's urging, I compiled CPython on Linux/x86_64/gcc with these flags. From the complete build log, there are 3,084 warnings, but otherwise the result builds and passes all unit tests.
The warnings are of these types: (EDIT: Table updated to not double count the same line)
**Top warnings per file.**
I am not a security expert, so I don't know a good way to assess how many of these are potentially exploitable, and how many are harmless false positives. Some are probably un-resolvable (format-literal is pretty hard to avoid when wrapping
sprintf
, for example).At a high level, I think the process to address these and make incremental progress maybe looks something like:
But this is just to start the discussion about how to move forward.
Has this already been discussed elsewhere?
No response given
Links to previous discussion of this feature:
No response
Linked PRs
The text was updated successfully, but these errors were encountered: