SQ18108
Detected Linux executable files without any fortified functions.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
| None | pass | low | medium | None | hardening: pass Reason: low priority mitigation issues |
About the issueโ
Fortified functions are usually wrappers around standard glibc functions (such as memcpy) which perform boundary checks either at compile time or run time to determine if a memory violation has occurred. The compiler needs additional context to generate such calls (for example, array size that needs to be known at compile time). Because of this, the compiler will virtually never substitute all viable functions with their fortified counterparts in complex programs. However, lack of any fortified functions may indicate that this compiler feature was not used at all.
How to resolve the issueโ
- In GCC, you can enable fortified functions with -D_FORTIFY_SOURCE=2 flag, while using at least -O1 optimization level.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- GCC's new fortification level: The gains and costs (External resource - Red Hat Developer)