From d390dfefea4af4f6c40ea6780f10b7b3cd83e879 Mon Sep 17 00:00:00 2001 From: Alfredo Ramos Date: Sun, 29 Dec 2024 19:50:49 -0600 Subject: [PATCH 1/2] Build hardening --- README.md | 1 + cmake/FindCppStd.cmake | 22 +++++++++++++++------- src/CMakeLists.txt | 18 ++++++++++++++++++ 3 files changed, 34 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 31bb2a3..01cadb2 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ Single application library for Qt without `network` dependency. Based on [Dmitry - Qt >= 5.9.2 - Compiler with standard >= C++11 +- CMake >= 3.18.0 ### Build diff --git a/cmake/FindCppStd.cmake b/cmake/FindCppStd.cmake index 7151df4..2a72462 100644 --- a/cmake/FindCppStd.cmake +++ b/cmake/FindCppStd.cmake @@ -6,14 +6,22 @@ include(CheckCXXCompilerFlag) set(HIGHEST_SUPPORTED_CXX_STANDARD 11) foreach(STANDARD 23 20 17 14) - string(REPLACE "." "" CXX_STANDARD_FLAG "-std=c++${STANDARD}") - check_cxx_compiler_flag(${CXX_STANDARD_FLAG} SUPPORTED_FLAG) - if(SUPPORTED_FLAG) - set(HIGHEST_SUPPORTED_CXX_STANDARD ${STANDARD}) - break() - endif() + string(REPLACE "." "" CXX_STANDARD_FLAG "-std=c++${STANDARD}") + check_cxx_compiler_flag(${CXX_STANDARD_FLAG} SUPPORTED_FLAG) + if(SUPPORTED_FLAG) + set(HIGHEST_SUPPORTED_CXX_STANDARD ${STANDARD}) + break() + endif() endforeach() set(CMAKE_CXX_STANDARD ${HIGHEST_SUPPORTED_CXX_STANDARD}) -add_compile_options(-Wall) message(STATUS "Using C++${CMAKE_CXX_STANDARD} standard") + +add_compile_options(-Wall -Wextra -Werror -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIC -O2 -DNDEBUG) +add_link_options(-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack) + +if (CMAKE_BUILD_TYPE MATCHES Debug) + message(STATUS "Enabling sanitizers for Debug build") + add_compile_options(-fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer) + add_link_options(-fsanitize=address -fsanitize=undefined) +endif() diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 8a3ab64..752ae37 100644 --- a/src/CMakeLists.txt 
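Review bot: The first new `add_compile_options(...)` line in cmake/FindCppStd.cmake applies `-O2`, `-DNDEBUG` and `-D_FORTIFY_SOURCE=2` to every configuration, so the Debug build that the block below instruments with ASan/UBSan is also optimized, has assertions compiled out, and combines `_FORTIFY_SOURCE` with AddressSanitizer, which can make ASan miss errors in fortified libc calls. The `if (CMAKE_BUILD_TYPE MATCHES Debug)` test is also empty under multi-config generators, so the sanitizers would never be enabled there. Writing the per-configuration flags as generator expressions, as below, addresses both, at the cost of the status message. `-Werror` is kept as written but would be better behind a project option, so a new compiler warning does not break consumers' builds. The same `-O2`/`-D_FORTIFY_SOURCE=2` pair is repeated unconditionally in the `target_compile_options` hunk of src/CMakeLists.txt.

```cmake
# … unchanged: C++ standard detection and status message …
add_compile_options(-Wall -Wextra -Werror -fstack-protector-strong -fPIC)
add_compile_options("$<$<NOT:$<CONFIG:Debug>>:-O2;-D_FORTIFY_SOURCE=2;-DNDEBUG>")
add_link_options(-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack)

add_compile_options("$<$<CONFIG:Debug>:-fsanitize=address;-fsanitize=undefined;-fno-omit-frame-pointer>")
add_link_options("$<$<CONFIG:Debug>:-fsanitize=address;-fsanitize=undefined>")
```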
+++ b/src/CMakeLists.txt @@ -3,6 +3,22 @@ include(GNUInstallDirs) include(FindQtLib) include(LibBuildType) +target_compile_options( + "${PROJECT_NAME}" + PRIVATE + -fstack-protector-strong + -D_FORTIFY_SOURCE=2 + -O2 +) + +target_link_options( + "${PROJECT_NAME}" + PRIVATE + -Wl,-z,relro + -Wl,-z,now + -Wl,-z,noexecstack +) + target_sources( "${PROJECT_NAME}" PRIVATE @@ -27,6 +43,8 @@ target_compile_definitions( SINGLEAPPLICATION_LIBRARY QT_DEPRECATED_WARNINGS QT_DISABLE_DEPRECATED_BEFORE=0x050902 + QT_NO_DEBUG_OUTPUT + QT_NO_WARNING_OUTPUT ) set_target_properties( From 5436a8a32763b470ca93f348c07e0a283e774f98 Mon Sep 17 00:00:00 2001 From: Alfredo Ramos Date: Sun, 29 Dec 2024 19:59:25 -0600 Subject: [PATCH 2/2] Update minimum standard to C++17 --- .github/workflows/ci.yml | 2 +- README.md | 2 +- cmake/FindCppStd.cmake | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0ce24b8..ea30554 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -47,7 +47,7 @@ jobs: extra: --external 7z - name: Run Cppcheck - run: cppcheck --enable=all --inconclusive --report-progress --std=c++11 src/ + run: cppcheck --enable=all --inconclusive --report-progress --std=c++17 src/ - name: Package build run: | diff --git a/README.md b/README.md index 01cadb2..ed6a6b4 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ Single application library for Qt without `network` dependency. Based on [Dmitry ### Dependencies - Qt >= 5.9.2 -- Compiler with standard >= C++11 +- Compiler with standard >= C++17 - CMake >= 3.18.0 ### Build diff --git a/cmake/FindCppStd.cmake b/cmake/FindCppStd.cmake index 2a72462..37849b4 100644 --- a/cmake/FindCppStd.cmake +++ b/cmake/FindCppStd.cmake 
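Review bot: The `-Wl,-z,relro`, `-Wl,-z,now` and `-Wl,-z,noexecstack` entries in the new `target_link_options` call are passed on every platform and toolchain, but they are GNU-style ELF linker options; if this library is also built with MSVC or on macOS (not visible here), the link step would likely fail or warn. Guarding the call, for example with `if(UNIX AND NOT APPLE)` … `endif()`, keeps the hardening where it applies. Both new calls also repeat flags that cmake/FindCppStd.cmake already adds at directory scope in this patch, so one of the two places should go; the target-scoped form here is the one to keep, with `_FORTIFY_SOURCE=2` moved into the existing `target_compile_definitions` list.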
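Review bot: `QT_NO_WARNING_OUTPUT` compiles every `qWarning()` in the library to a no-op in all configurations, so runtime failures the library reports that way become invisible to whoever deploys or debugs it. I would keep warnings and restrict the debug switch to non-Debug builds, e.g. `$<$<NOT:$<CONFIG:Debug>>:QT_NO_DEBUG_OUTPUT>`. The visibility keyword of this `target_compile_definitions` call is outside the hunk; if it is `PUBLIC` or `INTERFACE`, these macros would also silence the output of every application that links the library, so they should then move to a `PRIVATE` section.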
@@ -1,11 +1,11 @@ -set(CMAKE_CXX_STANDARD 11) +set(CMAKE_CXX_STANDARD 17) set(CMAKE_CXX_STANDARD_REQUIRED ON) set(CMAKE_CXX_EXTENSIONS OFF) include(CheckCXXCompilerFlag) -set(HIGHEST_SUPPORTED_CXX_STANDARD 11) +set(HIGHEST_SUPPORTED_CXX_STANDARD ${CMAKE_CXX_STANDARD}) -foreach(STANDARD 23 20 17 14) +foreach(STANDARD 23 20) string(REPLACE "." "" CXX_STANDARD_FLAG "-std=c++${STANDARD}") check_cxx_compiler_flag(${CXX_STANDARD_FLAG} SUPPORTED_FLAG) if(SUPPORTED_FLAG)
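Review bot: `check_cxx_compiler_flag(${CXX_STANDARD_FLAG} SUPPORTED_FLAG)` stores its result in a cache variable and skips the check when that variable is already defined, so after the `-std=c++23` probe the next iteration reuses the first answer: a compiler without C++23 never gets C++20 tested and silently stays at 17. Use one result name per standard, `check_cxx_compiler_flag("${CXX_STANDARD_FLAG}" SUPPORTS_CXX${STANDARD})` with `if(SUPPORTS_CXX${STANDARD})`. The `string(REPLACE "." "" ...)` line does nothing for these values, and the `-std=` spelling is only understood by GCC-style drivers. The loop body continues outside the hunk.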