Name:    annobin

Summary: Annotate and examine compiled binary files

Version: 10.94

Release: 1%{?dist}

License: GPLv3+

# Maintainer: nickc@redhat.com

# Web Page: https://sourceware.org/annobin/

# Watermark Protocol: https://fedoraproject.org/wiki/Toolchain/Watermark

#---------------------------------------------------------------------------------

# Use "--without tests" to disable the testsuite.

%bcond_without tests

# Use "--without annocheck" to disable the installation of the annocheck program.

%bcond_without annocheck

# Use "--with debuginfod" to add support for debuginfod to be compiled into

# the annocheck program.  By default the configure script will check for

# availablilty at build time, but this might not match the run time situation.

# FIXME: Add a --without debuginfod option to forcefully disable the configure

# time check for debuginfod support.

%bcond_with debuginfod

# Use "--with clangplugin" to build the annobin plugin for Clang.

%bcond_with clangplugin

# Use "--without gccplugin" to disable the building of the annobin plugin for GCC.

%bcond_without gccplugin

# Use "--with llvmplugin" to build the annobin plugin for LLVM.

%bcond_with llvmplugin

# Set this to zero to disable the requirement for a specific version of gcc.

# This should only be needed if there is some kind of problem with the version

# checking logic or when building on RHEL-7 or earlier.

%global with_hard_gcc_version_requirement 1

%bcond_without plugin_rebuild

# Allow the building of annobin without using annobin itself.

# This is because if we are bootstrapping a new build environment we can have

# a new version of gcc installed, but without a new of annobin installed.

# (i.e. we are building the new version of annobin to go with the new version

# of gcc).  If the *old* annobin plugin is used whilst building this new

# version, the old plugin will complain that version of gcc for which it

# was built is different from the version of gcc that is now being used, and

# then it will abort.

#

# The default is to use annobin.  cf BZ 1630550.

%if %{without plugin_rebuild}

%undefine _annotated_build

%endif

#---------------------------------------------------------------------------------

%global annobin_sources annobin-%{version}.tar.xz

Source: https://nickc.fedorapeople.org/%{annobin_sources}

# For the latest sources use:  git clone git://sourceware.org/git/annobin.git

# This is where a copy of the sources will be installed.

%global annobin_source_dir %{_usrsrc}/annobin

# Insert patches here, if needed.  Eg:

# Patch01: annobin-foo.patch

# Insert patches here, if needed.

Patch01: annobin-nop.patch

Patch02: annobin-annocheck-no-debuginfod.patch

#---------------------------------------------------------------------------------

# [Stolen from gcc-python-plugin]

# GCC will only load plugins that were built against exactly that build of GCC

# We thus need to embed the exact GCC version as a requirement within the

# metadata.

#

# Define "gcc_vr", a variable to hold the VERSION-RELEASE string for the gcc

# we are being built against.

#

# Unfortunately, we can't simply run:

#   rpm -q --qf="%%{version}-%%{release}"

# to determine this, as there's no guarantee of a sane rpm database within

# the chroots created by our build system

#

# So we instead query the version from gcc's output.

#

# gcc.spec has:

#   Version: %%{gcc_version}

#   Release: %%{gcc_release}%%{?dist}

#   ...snip...

#   echo 'Red Hat %%{version}-%%{gcc_release}' > gcc/DEV-PHASE

#

# So, given this output:

#

#   $ gcc --version

#   gcc (GCC) 4.6.1 20110908 (Red Hat 4.6.1-9)

#   Copyright (C) 2011 Free Software Foundation, Inc.

#   This is free software; see the source for copying conditions.  There is NO

#   warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

#

# we can scrape out the "4.6.1" from the version line.

#

# The following implements the above:

%global gcc_vr %(gcc --version | head -n 1 | sed -e 's|.*(Red\ Hat\ ||g' -e 's|)$||g')

# We need the major version of gcc.

%global gcc_major %(echo "%{gcc_vr}" | cut -f1 -d".")

%global gcc_next  %(v="%{gcc_major}"; echo $((++v)))

# Needed when building the srpm.

%if 0%{?gcc_major} == 0

%global gcc_major 0

%endif

# This is a gcc plugin, hence gcc is required.

%if %{with_hard_gcc_version_requirement}

# BZ 1607430 - There is an exact requirement on the major version of gcc.

Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next})

%else

Requires: gcc

%endif

BuildRequires: gcc gcc-plugin-devel gcc-c++

# The documentation uses pod2man...

BuildRequires: perl perl-podlators

%if %{with clangplugin}

BuildRequires: clang clang-devel llvm llvm-devel compiler-rt gawk

%endif

%if %{with llvmplugin}

BuildRequires: clang clang-devel llvm llvm-devel compiler-rt gawk

%endif

%description

Provides a plugin for GCC that records extra information in the files

that it compiles.

Note - the plugin is automatically enabled in gcc builds via flags

provided by the redhat-rpm-macros package.

%if %{with clangplugin}

Also provides a plugin for Clang which performs a similar function.

%endif

%if %{with llvmplugin}

Also provides a plugin for LLVM which performs a similar function.

%endif

#---------------------------------------------------------------------------------

%if %{with tests}

%package tests

Summary: Test scripts and binaries for checking the behaviour and output of the annobin plugin

%description tests

Provides a means to test the generation of annotated binaries and the parsing

of the resulting files.

BuildRequires: make

%if %{with debuginfod}

BuildRequires: elfutils-debuginfod-client-devel

%endif

%endif

#---------------------------------------------------------------------------------

%if %{with annocheck}

%package annocheck

Summary: A tool for checking the security hardening status of binaries

BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel make

%if %{with debuginfod}

BuildRequires: elfutils-debuginfod-client-devel

%endif

Requires: cpio rpm

%description annocheck

Installs the annocheck program which uses the notes generated by annobin to

check that the specified files were compiled with the correct security

hardening options.

%endif

#---------------------------------------------------------------------------------

%global ANNOBIN_GCC_PLUGIN_DIR %(gcc --print-file-name=plugin)

%{!?llvm_plugin_dir:%global  llvm_plugin_dir  %{_libdir}/llvm/plugins}

%{!?clang_plugin_dir:%global clang_plugin_dir %{_libdir}/clang/plugins}

%if %{with gccplugin}

# Information about the gcc plugin is recorded in this file.

%global aver annobin-plugin-version-info

%endif

#---------------------------------------------------------------------------------

%prep

if [ -z "%{gcc_vr}" ]; then

    echo "*** Missing gcc_vr spec file macro, cannot continue." >&2

    exit 1

fi

echo "Requires: (gcc >= %{gcc_major} and gcc < %{gcc_next})"

%autosetup -p1

# The plugin has to be configured with the same arcane configure

# scripts used by gcc.  Hence we must not allow the Fedora build

# system to regenerate any of the configure files.

touch aclocal.m4 gcc-plugin/config.h.in

touch configure */configure Makefile.in */Makefile.in

# Similarly we do not want to rebuild the documentation.

touch doc/annobin.info

#---------------------------------------------------------------------------------

%build

CONFIG_ARGS="--quiet --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR}"

%if %{with debuginfod}

CONFIG_ARGS="$CONFIG_ARGS --with-debuginfod"

%else

# Note - we explicitly disable debuginfod support if it was not configured.

# This is because by default annobin's configue script will assume --with-debuginfod=auto

# and then run a build time test to see if debugingfod is available.  It

# may well be, but the build time environment may not match the run time

# environment, and the rpm will not have a Requirement on the debuginfod

# client.

CONFIG_ARGS="$CONFIG_ARGS --without-debuginfod"

%endif

%if %{with clangplugin}

CONFIG_ARGS="$CONFIG_ARGS --with-clang"

%endif

%if %{without gccplugin}

CONFIG_ARGS="$CONFIG_ARGS --without-gcc-plugin"

%endif

%if %{with llvmplugin}

CONFIG_ARGS="$CONFIG_ARGS --with-llvm"

%endif

%if %{without tests}

CONFIG_ARGS="$CONFIG_ARGS --without-tests"

%endif

%if %{without annocheck}

CONFIG_ARGS="$CONFIG_ARGS --without-annocheck"

%endif

%set_build_flags

export CFLAGS="$CFLAGS $RPM_OPT_FLAGS %build_cflags"

export LDFLAGS="$LDFLAGS %build_ldflags"

# Fedora supports AArch64's -mbranch-protection=bti, RHEL does not.

%if 0%{?fedora} != 0

export CFLAGS="$CFLAGS -DAARCH64_BRANCH_PROTECTION_SUPPORTED=1"

%endif

CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS" CXXFLAGS="$CFLAGS" %configure ${CONFIG_ARGS} || cat config.log

%ifarch %{ix86} x86_64

# FIXME: There should be a better way to do this.

export CLANG_TARGET_OPTIONS="-fcf-protection"

%endif

%make_build

#---------------------------------------------------------------------------------

%if %{with plugin_rebuild}

# Rebuild the plugin(s), this time using the plugin itself!  This

# ensures that the plugin works, and that it contains annotations

# of its own.

%if %{with gccplugin}

cp gcc-plugin/.libs/annobin.so.0.0.0 %{_tmppath}/tmp_annobin.so

make -C gcc-plugin clean

BUILD_FLAGS="-fplugin=%{_tmppath}/tmp_annobin.so"

# Disable the standard annobin plugin so that we do get conflicts.

OPTS="$(rpm --eval '%undefine _annotated_build %build_cflags %build_ldflags')"

# If building on RHEL7, enable the next option as the .attach_to_group

# assembler pseudo op is not available in the assembler.

# BUILD_FLAGS="$BUILD_FLAGS -fplugin-arg-tmp_annobin-no-attach"

make -C gcc-plugin CXXFLAGS="$OPTS $BUILD_FLAGS"

rm %{_tmppath}/tmp_annobin.so

%endif

%if %{with clangplugin}

cp clang-plugin/annobin-for-clang.so %{_tmppath}/tmp_annobin.so

make -C clang-plugin all CXXFLAGS="$OPTS $BUILD_FLAGS"

%endif

%if %{with llvmplugin}

cp llvm-plugin/annobin-for-llvm.so %{_tmppath}/tmp_annobin.so

make -C llvm-plugin all CXXFLAGS="$OPTS $BUILD_FLAGS"

%endif

%endif

#---------------------------------------------------------------------------------

# PLUGIN_INSTALL_DIR is used by the Clang and LLVM makefiles...

%install

%make_install PLUGIN_INSTALL_DIR=%{buildroot}/%{llvm_plugin_dir}

%if %{with clangplugin}

# Move the clang plugin to a seperate directory.

mkdir -p %{buildroot}/%{clang_plugin_dir}

mv %{buildroot}/%{llvm_plugin_dir}/annobin-for-clang.so %{buildroot}/%{clang_plugin_dir}

%endif

%if %{with gccplugin}

# Record the version of gcc that built this plugin.

# Note - we cannot just store %%{gcc_vr} as sometimes the gcc rpm version changes

# without the NVR being altered.  See BZ #2030671 for more discussion on this.

mkdir -p                             %{buildroot}/%{ANNOBIN_GCC_PLUGIN_DIR}

cat `gcc --print-file-name=rpmver` > %{buildroot}/%{ANNOBIN_GCC_PLUGIN_DIR}/%{aver}

# Also install a copy of the sources into the build tree.

mkdir -p                            %{buildroot}%{annobin_source_dir}

cp %{_sourcedir}/%{annobin_sources} %{buildroot}%{annobin_source_dir}/latest-annobin.tar.xz

%endif

rm -f %{buildroot}%{_infodir}/dir

#---------------------------------------------------------------------------------

%if %{with tests}

%check

# Change the following line to "make check || :" on RHEL7 or if you need to see the

# test suite logs in order to diagnose a test failure.

make -k check CLANG_TESTS="check-pre-clang-13"

if [ -f tests/test-suite.log ]; then

    cat tests/*.log

fi

%endif

#---------------------------------------------------------------------------------

%files

%license COPYING3 LICENSE

%exclude %{_datadir}/doc/annobin-plugin/COPYING3

%exclude %{_datadir}/doc/annobin-plugin/LICENSE

%doc %{_datadir}/doc/annobin-plugin/annotation.proposal.txt

%doc %{_infodir}/annobin.info.gz

%doc %{_mandir}/man1/annobin.1.gz

%exclude %{_mandir}/man1/built-by.1*

%exclude %{_mandir}/man1/check-abi.1*

%exclude %{_mandir}/man1/hardened.1*

%exclude %{_mandir}/man1/run-on-binaries-in.1*

%if %{with clangplugin}

%{clang_plugin_dir}/annobin-for-clang.so

%endif

%if %{with llvmplugin}

%{llvm_plugin_dir}/annobin-for-llvm.so

%endif

%if %{with gccplugin}

%{ANNOBIN_GCC_PLUGIN_DIR}/annobin.so

%{ANNOBIN_GCC_PLUGIN_DIR}/annobin.so.0

%{ANNOBIN_GCC_PLUGIN_DIR}/annobin.so.0.0.0

%{ANNOBIN_GCC_PLUGIN_DIR}/%{aver}

%{annobin_source_dir}/latest-annobin.tar.xz

%endif

%if %{with annocheck}

%files annocheck

%{_includedir}/libannocheck.h

%{_libdir}/libannocheck.*

%{_bindir}/annocheck

%doc %{_mandir}/man1/annocheck.1.gz

%{_libdir}/pkgconfig/libannocheck.pc

%endif

#---------------------------------------------------------------------------------

%changelog

* Wed Dec 07 2022 Nick Clifton  <nickc@redhat.com> - 10.94-1

- Rebase to 10.94.  (#2151312)

- Annocheck: Better detection of binaries which do not contain code.  (#2144533)

- Annocheck: Provide more information when a test is skipped because the file being tested was not compiled.

- Annocheck: Try harder not to run mutually exclusive tests.

- Tests: Fix future-test so that it properly handles the situation where the compiler does not support the new options.

- Libannocheck: Actually set result fields after tests are run.

- Libannocheck: Replace libannocheck_version variable with LIBANNOCHECK_VERSION define.

- Libannocheck: Remove 'Requires binutils-devel' from libannocheck.pc.

- Libannocheck: Move into separate sub-package.

- Libannocheck: Add libannocheck.pc pkgconfig file.

- Libannocheck: Add libannocheck_reinit().

- GCC Plugin: Record -ftrivial-auto-var-init and -fzero-call-used-regs.

- Annocheck: Add future tests for  -ftrivial-auto-var-init and -fzero-call-used-regs.

- Clang Plugin: Fix for building with Clang-15.  (#2125875)

- Annocheck: Add a test for the inconsistent use of -Ofast.  (#1248744)

- Plugin: Fix top level configuration support for RiscV.

- Annocheck: Improvements to the size tool.

- Annocheck: Fixes for libannocheck.h.

- Annocheck: Add automatic profile selection.

- Annocheck: Improve gap detection and reporting.

- Annocheck: Check build-id of separate debuginfo files.

- Annocheck: Add GAPS test replacing --ignore-gaps.

- Annocheck: Fix covscan detected race condition between stat() and open().

- Annocheck: Handle binaries created by Rust 1.18.  (#2094420)

- Annocheck: Add optional function name to --skip arguments.  (PR 29229)

- Annocheck: Fix handling of command line options that take arguments.  (#2086850)

- Annocheck: Do not complain about unenabled -mbranch-protection option in AArch64 binaries.  (#2078909)

- gcc-plugin: Fix typo in configure.ac.

- Add support for RISC-V.

- Annocheck: Add another special case for glibc rpms.  (#2083070)

- Annocheck: Do not complain about unenabled -mbranch-protection option in AArch64 binaries if compiled using LTO.  (#2082146)

- Annocheck: Add more glibc exceptions + check PT_TLS segments.  (#2081131)

* Thu Jul 21 2022 Florian Weimer <fweimer@redhat.com> - 10.67-3

- Rebuild to switch back to system annobin (#2108721)

* Fri Jul 15 2022 Florian Weimer <fweimer@redhat.com> - 10.67-2

- Rebuild to switch back to system annobin (#2001788)

* Fri Apr 29 2022 Nick Clifton  <nickc@redhat.com> - 10.67-1

- Rebuild against LLVM 14.  (#2064521)

- Annocheck: Do not complain about missing -mbranch-protection option in AArch64 binaries if compiled by golang.

- Annocheck: Do not complain about missing -mbranch-protection option in AArch64 binaries if compiled in LTO mode.

- gcc-plugin: Add support for CLVC_INTEGER options.

* Wed Apr 06 2022 Nick Clifton  <nickc@redhat.com> - 10.64-1

- Annocheck: Add more special cases for AArch64 glibc on RHEL-8.  (#2072082)

- llvm-plugin: Fix a thinko in the sources.

- gcc-plugin: Add remap of OPT_Wall.

- configure: Fix typo in top level configure.ac.

- Add support for building using meson+ninja.

- Annocheck: Fix test for AArch64 property notes.  (#2068657)

- gcc-plugin: Do not issue warning messages for autoconf generated source files.  (#2009958)

* Thu Mar 24 2022 Nick Clifton  <nickc@redhat.com> - 10.58-1

- Rebase to 10.58.  (#2067148)

- gcc-plugin: Do not issue warning messages for autoconf generated source files.  (#2009958)

- Annocheck: Update documentation and fix typo in annocheck.  (#2061291)

- Annocheck: Add option to enable/disable following symbolic links.

- Annocheck: Always identify Rust binaries, even if built on a host that does not know about Rust.  (#2057737)

- Spec File: Use a different method to disable the annobin plugin  (#2054571)

- Annocheck: Accept static GO binaries.  (#2053606)

- gcc-plugin: Fix libtool so that extraneous runpaths are not added to the plugin.  (#2047356)

- gcc-plugin: Use canonical_option field of save_decoded_options array. (#2047148)

- Annocheck: Add an option to disable the use of debuginfod (if available).

- Annocheck: Add more glibc special file names.

- Annocheck: Skip some tests for BPF binaries.  (#2044897)

- Annocheck: Skip property note test for GO binaries.  (#204300)

- Annocheck: Add another glibc static library symbol.  (#2043047)

- Spec File: Use gcc --print-file-name=rpmver for the gcc version info.

- GCC Plugin: Do not fail if a section cannot be attached to a group.

- Annocheck: Improve detection of kernel modules.

- GCC Plugin: Only default to link-once when using gcc-12 or later.  (#2039297)

- Annocheck: Add option to disable instrumentation test.

- GCC Plugin: Fix building with gcc-12.

- Spec file: Add requirement on cpio for annocheck.  (#2039747)

- Annocheck: Add even more glibc function names. (#2037333)

- Annocheck: ARM: Do not fail tests that rely upon annobin notes.

- Annocheck: Extend list of known glibc functions.  (#2037333)

- Annocheck: Ignore gaps that contain the _start symbol (for AArch64).  (#1995224)

- Annocheck: Ignore more glibc special binaries.  (#2037220)

- Annocheck: Do not complaining about missing stack clash notes if the compilation used LTO.  (#2034946)

- Annocheck: Add /usr/lib/ld-linux-aarch64.so.1 to the list of known glibc binaries.  (#2033255)

- Docs: Note that ENDBR is only needed as the landing pad for indirect branches/calls.  (#28705)

- Spec File: Store full	gcc version release string in plugin info file.  (#2030671)

- Annocheck: Add special case for x86_64 RHEL-7 gaps.  (#2031133)

- Annocheck: Do not complaining about missing -mstackrealign notes in LTO mode.  (#2030298)

- GCC Plugin: Do not record missing -mstackrealign in LTO mode.

- Tests: Fix gaps and stat tests to use newly built annobin plugin.  (#2028063)

- Annocheck: Ignore gaps in binaries at least partial built by golang.  (#2028583)

- Annocheck: Allow spaces in gloang symbols.  (#2028583)

- Annocheck: Initial deployment of libannocheck.  (#2028063)

- gcc-plugin: Fix bug creating empty attachments.

- Annocheck: Change MAYB result to SKIP for DT_RPATH.  (#2026300)

- Annocheck: Skip missing fortify/warning notes for ARM32.

* Tue Feb 08 2022 Nick Clifton  <nickc@redhat.com> - 10.29-3

- NVR bump in order to allow rebuilding against latest gcc.  (#2052060)

* Mon Jan 24 2022 Nick Clifton  <nickc@redhat.com> - 10.29-2

- Spec File: Add "Requires: rpm cpio" to annocheck sub-package.  (#2043474)

* Tue Nov 30 2021 Nick Clifton  <nickc@redhat.com> - 10.28-1

- gcc-plugin: Fix bug creating empty attachments.  (#2026944)

- Annocheck: Change MAYB result to SKIP for DT_RPATH.  (#2026300)

* Mon Nov 22 2021 Nick Clifton  <nickc@redhat.com> - 10.27-1

- Annocheck: Skip missing fortify/warning notes for ARM32.

- gcc-plugin: Try another fix for ppc64le section grouping.  (#2023437)

- gcc-plugin: Revert 10.22 change.  (#2023437)

- Annocheck: Add exception for /usr/sbin/ldconfig.  (#2022973)

* Mon Nov 08 2021 Nick Clifton  <nickc@redhat.com> - 10.23-1

- Annocheck: Add a test for unicode characters in identifiers.  (#2017363)

- gcc-plugin: Default to link-order grouping for PPC64LE.  (#2016458)

* Wed Oct 27 2021 Nick Clifton  <nickc@redhat.com> - 10.21-3

- annocheck: Disable LTO test when checking ldconfig (attempt 3).  (#2017039)

* Tue Oct 26 2021 Nick Clifton  <nickc@redhat.com> - 10.21-2

- annocheck: Disable LTO test when checking ldconfig (attempt 2).  (#2017039)

* Tue Oct 26 2021 Nick Clifton  <nickc@redhat.com> - 10.21-1

- annocheck: Disable LTO test when checking ldconfig.  (#2017039)

* Mon Oct 25 2021 Nick Clifton  <nickc@redhat.com> - 10.20-1

- annocheck: Add more glibc function names.  (#2017039)

- gcc-plugin: Fix attaching the .text section to the .text.group section.

- Complain about DT_RPATH for Fedora binaries.

- Better reporting of problems in object files.  (#2013708)

- Add a requirement on llvm-libs for clang and llvm plugins.  (#2014573)

- Fix configuring annocheck without gcc-plugin.

- Annocheck: Better reporting of debuginfod problems.

- Tests: Fix bugs in debuginfod test.

* Mon Oct 18 2021 Nick Clifton  <nickc@redhat.com> - 10.15-2

- Exclude man pages for uninstalled scripts.  (#2013565)

* Wed Oct 13 2021 Nick Clifton  <nickc@redhat.com> - 10.15-1

- Annocheck: Add tests based upon recent bug fixes.

- Annocheck: Another tweak to glibc detection code.

* Mon Oct 11 2021 Nick Clifton  <nickc@redhat.com> - 10.13-1

- Annocheck: Fix memory corruptions when using --debug-path and when a corrupt note is found.  (#20011438)

- Annocheck: Fix MAYB results for mixed GO/C files.

- Annocheck: Move some messages from VERBOSE to VERBOSE2.

- Annocheck: Scan zero-length tool notes.  (#2011818)

* Wed Oct 06 2021 Nick Clifton  <nickc@redhat.com> - 10.11-1

- Annocheck: Fix covscan detected flaws.  (#201129)

- plugins: Add more required build options.  (#2011163)

* Tue Oct 05 2021 Nick Clifton  <nickc@redhat.com> - 10.10-1

- Annocheck: Fix cf-prot test to fail if the CET notes are missing.  (#2010671)

- Annocheck: Skip gaps in the .plt section.  (#2010675)

- Plugins: Add -g option when building LLVM and Clang. (#2010675)

* Mon Oct 04 2021 Nick Clifton  <nickc@redhat.com> - 10.09-1

- Annocheck: Add more cases of glibc startup functions.  (#1981410)

- Annocheck: Fix covscan detected problems.

- Annocheck: Add --profile=el8.

- gcc-plugin: Conditionalize generation of branch protection note.

- Annocheck: Ignore gaps containing NOP instructions.

* Wed Sep 29 2021 Nick Clifton <nickc@redhat.com> - 10.06-1

- Rebase to 10.06.  (#2002351)

- GCC Plugin: Fix detection of running inside the LTO compiler.  (#2004917)

- Annocheck: Do not insist on the DT_AARCH64_PAC_PLT flag being present in AArch64 binaries.

- Annocheck: With gaps at the start/end of the .text section, check for special symbols before displaying a MAYB result.

- Annocheck: Do not set CFLAGS/LDFLAGS when building.  Take from environment instead.

- Annocheck: Fix exit code when tests PASS.

- Documentation: Add node for each hardening test.

- Documentation: Install online.

- Annocheck: Annote FAIL and MAYB results with URL to documentation

- Annocheck: Add --no-urls and --provide-urls options

- Annocheck: Add --help-<tool> option.

- Annocheck: Fix fuzzing detected failures.

- Annocheck: Add --profile option.

- Docs: Document --profile option and rpminspect.yaml.

- Annocheck: Skip GO/CET checks.  Fix fuzzing detected failures.

- LLVM Plugin: Automatically choose the correct tests to run, based upon the version of Clang installed. (#1997444)

- Annocheck: Fix memory corruption.  (#1996963)

- Annocheck: Fix conditionalization of AArch64's PAC+BTI detection.

- Annocheck: Add linker generated function for ppc64le exceptions.  (#1981410)

- LLVM Plugin: Allow checks to be selected from the command line.

- Annocheck: Examine DW_AT_producer for -flto.    

- Annocheck: Conditionalize detection of AArch64's PAC+BTI protection.

- Annocheck: Add linker generated function for s390x exceptions.  (#1981410)

- Annocheck: Generate MAYB results for gaps in notes covering the .text section.  (#1991943)

- Annocheck: Close DWARF file descriptors once the debug info is no longer needed.  (#1981410)

- LLVM Plugin: Update to build with Clang v13.  (Thanks to: Tom Stellard <tstellar@redhat.com>)

- Annocheck: Fix memory corruption.  (#1988715)

- Annocheck: Skip certain tests for kernel modules.

- Annocheck: Detect a missing CET note.  (#1991931)

- Annocheck: Do not report future fails for AArch64 notes.

- Annocheck: Warn about multiple --debug-file, --debug-rpm and --debug-dir options.

- Annocheck: Process files in command line order.  (#1988714)

- Annocheck: Reverse AArch64 PAC+BTI check, ie fail if they are enabled.  (#1984995)

- Annocheck: Add another test exceptions.

- Annocheck: Add some more test exceptions.

- Tests: Skip glibc-notes test if the assembler does not support --generate-missing-build-notes.  (#1978573)

- Tests: Skip objcopy test if objcopy does not support --merge-notes.

- Annocheck: Fix spelling mistake in -mstack-realign failure message.  (#1977349)

- gcc-plugin: Do not record global versions of stack protection settings in LTO mode, if not set.  (#1958954)

- Annocheck: Remove limit on number of input files.

- clang/llvm plugins: Build with correct security options.

- Annocheck: Better detection of GO compiler version.

- Annocheck: Better support for symbolic links.

- Annocheck: In verbose mode, report the reason for skipping specific tests.  (#1969584)

- Annocheck: Improve detection of shared libraries.  (#1958954)

* Mon May 17 2021 Nick Clifton <nickc@redhat.com> - 9.72-1

- Rebase to 9.72.  (#1960299)

- annocheck: Accept 0 as a valid number for gcc minor versions and release numbers.

- gcc-plugin: Add support for ARM and RISCV targets.

- timing: do not initialise the clock if the timing tool is disabled.

- gcc-plugin: Replace ICE messsages with verbose messages.

- Fix the testsuite so that it can be run in parallel.

- Annocheck: WARN if the annobin plugin was built for a newer version of the compiler than the one on which it was run.  (#1950657)

- Annocheck: Improve detection of missing GNU-stack support.

- Correct a package rename (bug #1949570)

- Require docs subpackage by the other ones because of a license

- Build-requiring perl-interpreter is enough

- Fix bz1949570

- Fix anomolies reported by covscan.

- Move documentation into a sub-package.

* Wed Mar 17 2021 Nick Clifton <nickc@redhat.com> - 9.65-1

- gcc-plugin: Use a fixed filename when running in LTO mode.

* Wed Mar 03 2021 Nick Clifton <nickc@redhat.com> - 9.64-1

- Annocheck: Fix detection of special function names.  (#1934189)

- Annocheck: FAIL the deliberate use of -fno-stack-protector, but add some exceptions for glibc.  (#1923439)

- Annocheck: Add colour to some messages.  Skip the deliberate use of -fno-stack-protector.  (#1923439)

- Annocheck: Fix some problems with tests for missing notes.

- Add some GO tests to annocheck.

- Add a future fail for the presence of RPATH in the dynamic tags.

- Add the ability to disable the warning message about -D_FORTIFY_SOURCE being missing.

- Workaround for elflint problems with PPC compiled files.  (#1880634)

- Fix bogus AArch64 test failures.

- Improved testing by annocheck.  Add fixed format message mode.

- Fix inconsistency reporting -fcf-protection and -fstack-clash-protection results.

- Add support for -D_FORTIFY_SOURCE=3.

- annocheck: When a binary is produced both by GAS and GCC, select GAS as the real producer.  (#1906171)

- annocheck: Improve test for LTO compiled binaries that do not have -Wall annotations.  (#1906171)

* Wed Dec 09 2020 Nick Clifton <nickc@redhat.com> - 9.50-1

- annocheck: Mark a missining -D_FORTIFY_SOURCE as a FAIL.

* Tue Dec 08 2020 Nick Clifton <nickc@redhat.com> - 9.49-1

- annocheck: Fix notes analyzer to accept empty PPC64 notes.

- gcc plugin: Tweak generation of end symbols for PPC64 when LTO is active.  (#1898075)(#1904479)

- gcc plugin: Add support for GCC 11's cl_vars array.

* Mon Nov 30 2020 Nick Clifton <nickc@redhat.com> - 9.46-1

- Annocheck: Support enabling/disabling future fails.

- GCC plugin: Always record global notes for the .text.startup,

  .text.exit, .text.hot and .text.cold sections.

- Clang plugin: Add -lLLVM to the build command line.

- Annocheck: Improve reporting of missing -D_FORTIFY_SOURCE option.  (#1898075)

- Annocheck: Improve reporting of missing LTO option.

- Add detecting of gimple compiled binaries.

- Add --without-gcc-plugin option.

- Annocheck: Fix bug parsing DW_AT_producer.

- Add test of .note.gnu.property section for PowerPC.

- Add test of objcopy's ability to merge notes.

- Record the -flto setting and produce a soft warning if it is absent.

- Suppress warnings about _D_GLIBCXX_ASSERTIONS if the source code is known to be something other than C++.

* Wed Oct 21 2020 Nick Clifton <nickc@redhat.com> - 9.35-3

- NVR bump to allow building on ELN sidetag.

* Tue Oct 13 2020 Nick Clifton <nickc@redhat.com> - 9.35-2

- Correct the directory chosen for 32-bit LLVM and Clang plugins.  (#1884951)

- Allow the use of the SHF_LINK_ORDER section flag to discard unused notes.  (Experimental).

- gcc-plugin: Fix test for empty PowerPC sections.  (#1880634)

* Thu Sep 10 2020 Nick Clifton <nickc@redhat.com> - 9.32-1

- annocheck: Add tests for the AArch64 BTI and PAC security features.  (#1862478)

- gcc plugin: Use a 4 byte offset for PowerPC start symbols, so that they do not break disassemblies.

- gcc plugin: Correct the detection of 32-bit x86 builds.  (#1876197)

* Tue Sep 08 2020 Nick Clifton <nickc@redhat.com> - 9.29-1

- gcc plugin: Detect any attempt to access the global_options array.

- gcc plugin: Do not complain about missing pre-processor options when examining a preprocessed input file.  (#1862718)

- Use more robust checks for AArch64 options.

- Detect CLANG compiled assembler that is missing IBT support.

- Improved target pointer size discovery.

- Add support for installing clang and llvm plugins.

- Temporary suppression of aarch64 pointer size check.  (#1860549)

* Wed Jul 01 2020 Nick Clifton <nickc@redhat.com> - 9.23-1

- Annocheck: Do not skip tests of the short-enums notes.  (#1743635)

* Thu Apr 23 2020 Nick Clifton <nickc@redhat.com> - 9.21-1

- Annobin: Fall back on using the flags if the option cannot be found in cl_options.  (#1817659)

- Annocheck: Detect Fortran compiled programs.  (#1824393)

* Mon Apr 06 2020 Nick Clifton <nickc@redhat.com> - 9.19-1

- Annobin: If option name mismatch occurs, seach for the real option.  (#1817452)

- Annocheck: Fix a division by zero error when parsing GO binaries.  (#1818863)

- Annobin: Fix access to the -flto and -fsanitize flags.

- Annobin: Use offsets stored in gcc's cl_option structure to access the global_options array, thus removing the need to check for changes in the size of this structure.

- Rename gcc plugin directory to gcc-plugin.

- Stop annocheck from complaining about missing options when the binary has been built in a mixed environment.

- Improve builtby tool.

- Stop annocheck complaining about missing notes when the binary is not compiled by either gcc or clang.

- Skip the check of the ENTRY instruction for binaries not compiled by gcc or clang.  (#1809656)

- Fix infinite loop hangup in annocheck.

- Disable debuginfod support by default.

- Improve parsing of .comment section.

- Fix clang plugin to use hidden symbols.

- Add ability to build clang plugin (disabled by default).

- Annocheck: Fix error printing out the version number.

- Annobin: Add checks of the exact location of the examined switches.

- Annobin: Note when stack clash notes are generated.  (#1803173, #1828797)

- Annocheck: Handle multiple builder IDs in the .comment section.

- Add configure option to suppress building annocheck.

- Fix debuginfod test.

- Correct the build requirement for building with debuginfod support.

- Add debuginfod support.

- Add clang plugin (experimental).

- Have annocheck ignore notes with an end address of 0.

- Improve checking of gcc versions.

* Fri Nov 15 2019 Nick Clifton <nickc@redhat.com> - 8.90-1