diff options
author | Jun Aruga <jaruga@redhat.com> | 2022-05-10 16:34:08 +0200 |
---|---|---|
committer | Jun Aruga <junaruga@users.noreply.github.com> | 2022-05-16 10:10:16 +0200 |
commit | dccfff943c3ea9defd91647cfa3fd8714041bb5a (patch) | |
tree | 980e2e0f05cc7f9771d9f521d649542d5b450088 /tool/test-annocheck.sh | |
parent | 36efb2a146b247efd3d8d0ac85542998cd67b437 (diff) |
Add `make test-annocheck` to detect security issues.
* Note that as the annocheck binary package is not available on Ubuntu, and it
is working in progress in Debian, the script uses Fedora container, and
it requires docker or podman command.
https://www.debian.org/devel/wnpp/itp.en.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926470
* .github/workflows/compilers.yml: Add "gcc-11 annocheck" case.
To pass the CI, set `TEST_ANNOCHECK_OPTS: "--skip-pie --skip-notes"` for now.
See <https://bugs.ruby-lang.org/issues/18061>.
* Skip MJIT tests in case of annocheck case.
The MJIT tests fail in the annocheck case.
See <https://bugs.ruby-lang.org/issues/18781>.
Notes
Notes:
Merged: https://github.com/ruby/ruby/pull/5900
Diffstat (limited to 'tool/test-annocheck.sh')
-rwxr-xr-x | tool/test-annocheck.sh | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/tool/test-annocheck.sh b/tool/test-annocheck.sh new file mode 100755 index 0000000000..0224152d00 --- /dev/null +++ b/tool/test-annocheck.sh @@ -0,0 +1,33 @@ +#!/bin/sh -eu +# Run the `tool/test-annocheck.sh [binary files]` to check security issues +# by annocheck <https://sourceware.org/annobin/>. +# +# E.g. `tool/test-annocheck.sh ruby libruby.so.3.2.0`. +# +# Note that as the annocheck binary package is not available on Ubuntu, and it +# is working in progress in Debian, this script uses Fedora container for now. +# It requires docker or podman. +# https://www.debian.org/devel/wnpp/itp.en.html +# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926470 + +set -x + +DOCKER="$(command -v docker || command -v podman)" +TAG=ruby-fedora-annocheck +TOOL_DIR=$(dirname "${0}") +DOCKER_RUN_VOLUME_OPTS= + +if [ -z "${CI-}" ]; then + # Use a volume option on local (non-CI). + DOCKER_RUN_VOLUME_OPTS="-v $(pwd):/work" + "${DOCKER}" build --rm -t "${TAG}" ${TOOL_DIR}/annocheck/ +else + # TODO: A temporary workaround on CI to build by copying binary files from + # host to container without volume option, as I couldn't find a way to use + # volume in container in container on GitHub Actions + # <.github/workflows/compilers.yml>. + TAG="${TAG}-copy" + "${DOCKER}" build --rm -t "${TAG}" --build-arg=FILES="${*}" -f ${TOOL_DIR}/annocheck/Dockerfile-copy . +fi + +"${DOCKER}" run --rm -t ${DOCKER_RUN_VOLUME_OPTS} "${TAG}" annocheck --verbose ${TEST_ANNOCHECK_OPTS-} "${@}" |