scottyab / rootbeer

Simple to use root checking Android library and sample app
Apache License 2.0

setting D_FORTIFY_SOURCE=2 in CPPFLAGS during compilation of *.so files #173

Open nfmobile opened 3 years ago

nfmobile commented 3 years ago

Dear @scottyab,

We still have a security warning generated from the *.so files of the rootbeer libs related to D_FORTIFY_SOURCE. The security warning is the following (screen capture attached below):

The shared object does not have any fortified functions. Fortified functions provides buffer overflow checks against glibc's commons insecure functions like strcpy, gets etc. Use the compiler option -D_FORTIFY_SOURCE=2 to fortify functions.

This warning can be resolved by setting the flag -D_FORTIFY_SOURCE=2 in CPPFLAGS. Please could you check if it's feasible to add this flag inside https://github.com/scottyab/rootbeer/blob/master/rootbeerlib/src/main/cpp/CMakeLists.txt by adding something similar to (I am not sure which one of the below will work):

    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D_FORTIFY_SOURCE=2")
    set(CMAKE_CPP_FLAGS "${CMAKE_CPP_FLAGS} -D_FORTIFY_SOURCE=2")

For reference, please check these links regarding D_FORTIFY_SOURCE: https://wiki.debian.org/Hardening and https://wiki.ubuntu.com/ToolChain/CompilerFlags

Thanks again for your support.

[screen capture: D_FORTIFY_SOURCE scanner warning]
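One way the request above can be expressed in CMake, as an added example that is not rootbeer's own CMakeLists.txt: the target name `tool-checker`, the source file name and the minimum CMake version are assumptions for illustration. It answers the "which one will work" question directly: CMAKE_CPP_FLAGS is not a CMake variable at all (CMAKE_C_FLAGS and CMAKE_CXX_FLAGS are), and since _FORTIFY_SOURCE is a preprocessor macro read by the libc headers, the idiomatic form is a per-target compile definition. It also carries the caveat a practitioner needs: fortification only takes effect in optimized builds, so the define alone does nothing at -O0.

```cmake
# Added example, not the project's CMakeLists.txt. Target and file names are
# assumptions; adjust to the real library target.
cmake_minimum_required(VERSION 3.13)
project(rootbeer_native CXX)

add_library(tool-checker SHARED toolChecker.cpp)

# _FORTIFY_SOURCE is a macro consumed by the C library headers (Bionic supports
# it on Android), so it is a compile definition rather than a linker flag.
# Check first whether the NDK version in use already passes it in
# android.toolchain.cmake; redefining it with a different value produces a
# macro-redefinition warning.
target_compile_definitions(tool-checker PRIVATE _FORTIFY_SOURCE=2)

# The fortified header variants are only selected when the optimizer runs.
# At -O0 no __*_chk calls are emitted and the scanner finding stays, so make
# sure every build that gets scanned is optimized.
target_compile_options(tool-checker PRIVATE
    $<$<NOT:$<CONFIG:Debug>>:-O2>
    # Addresses the "no-stackprotector" finding raised by the same scanners.
    -fstack-protector-strong)

# Two further properties these scanners commonly check on shared objects:
# a non-executable stack and full RELRO (read-only relocations, bound eagerly).
target_link_options(tool-checker PRIVATE
    -Wl,-z,noexecstack
    -Wl,-z,relro
    -Wl,-z,now)
```

To confirm the effect on the built artefact, list the undefined dynamic symbols of the .so with the NDK's `llvm-nm -D --undefined-only libtool-checker.so | grep _chk`; a fortified build imports names such as `__memcpy_chk` or `__strcpy_chk` in place of the plain functions. Note that the compiler only rewrites calls to functions that have a fortified variant (memcpy, strcpy, sprintf and the like). Code that only calls stat(), access() or fopen() contains no such calls, so the symbol list stays empty and the scanner will keep reporting "no fortified functions" however the flag is set, which is exactly the point made in the reply below about the library's simple file-existence checks.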

stealthcopter commented 3 years ago

@nfmobile I'm pretty sure we don't use any functions that would benefit from fortification. If you look at the code it's very simple and only checks if files exist. So this would have no actual effect on the security of our library. To me, this seems like it would just be an exercise to make your security scanner happy.

That being said, I'm not against adding more security so if you want to do some testing and submit a pull request I'd be happy to review it.

Zhuinden commented 2 years ago

I also got no-fortify-functions no-stackprotector warnings from the security team check.

(if stack protector is already used in a newer version, that's great (in fact, I see that was done in https://github.com/scottyab/rootbeer/pull/171))

It definitely is an exercise to make the security scanner happy 😂