Obsolete ( 7 years old) gcc compiler included in pdtoolkit
Maybe I am misreading this, but when running OpenHPC packages through a security scanner, an old version of gcc is found in pdtoolkit. This seems to indeed be the case:
/opt/ohpc/pub/libs/intel/pdtoolkit/3.24/x86_64/bin/pdt_gfortran/cc1 --version
GNU C version 4.0.2 (University of Oregon, TAU, PDT (r128 - built Thu Jun 3 10:03:11 PDT 2010)) (x86_64-unknown-linux-gnu)
compiled by GNU C version 3.4.6 20060404 (Red Hat 3.4.6-11).
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
I am not familiar with pdtoolkit, so I am not sure if this is intended or not. But it is not good to have an obsolete compiler with known security issues included.
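For package reviewers who want to repeat this kind of check across an install tree, here is an added example (not OpenHPC's or PDT's own tooling) that locates GCC front-end binaries (cc1, cc1plus, f951), parses their `--version` banner in the format shown above, and flags anything older than a chosen floor. The floor of 4.8.5 and the sample banner are taken from this thread; the install prefix is whatever you pass in.

```python
"""Flag bundled GCC front-ends whose reported version is below a floor.
Added example; not part of OpenHPC, TAU or PDT."""
import re
import subprocess
from pathlib import Path

# Matches "GNU C version 4.0.2", "GNU C17 (GCC) version 11.4.0",
# "GNU Fortran2008 (GCC) version 9.3.0" and similar banners.
VERSION_RE = re.compile(
    r"GNU \S+(?: \(GCC\))? version (\d+)\.(\d+)(?:\.(\d+))?"
)
FRONTEND_NAMES = ("cc1", "cc1plus", "f951")

# Constructed sample: the banner reported in this issue for pdt_gfortran/cc1.
SAMPLE_BANNER = (
    "GNU C version 4.0.2 (University of Oregon, TAU, PDT (r128 - built "
    "Thu Jun 3 10:03:11 PDT 2010)) (x86_64-unknown-linux-gnu)\n"
    "compiled by GNU C version 3.4.6 20060404 (Red Hat 3.4.6-11).\n"
)

def parse_gnu_version(text):
    """Return (major, minor, patch) from a cc1-style banner, or None.
    The first match wins, so the 'compiled by' line is not mistaken
    for the front-end's own version."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_obsolete(version, floor=(4, 8, 5)):
    """True when a parsed version is strictly older than the floor."""
    return version is not None and version < floor

def query_version(binary):
    """Run `binary --version`; cc1 prints its banner to stderr, so read both."""
    try:
        out = subprocess.run([str(binary), "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_gnu_version(out.stdout + out.stderr)

def scan(prefix, floor=(4, 8, 5)):
    """Return [(path, version)] for every front-end under prefix older than floor."""
    hits = []
    for name in FRONTEND_NAMES:
        for binary in Path(prefix).rglob(name):
            version = query_version(binary)
            if is_obsolete(version, floor):
                hits.append((str(binary), version))
    return hits

if __name__ == "__main__":
    for path, ver in scan("/opt/ohpc/pub"):
        print(f"{path}: {'.'.join(map(str, ver))} is below the floor")
```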
This collateral does get included when enabling pdtoolkit support. I'm reaching out to the upstream developer to get their comments.
Response from upstream developer (Sameer @ U. Oregon):
This is a patched gfortran compiler that doesn’t really generate object files, but Program Database (PDB) files. These PDB files have information about location of functions and TAU uses this output to generate instrumented source code which is then compiled with the latest Intel or GCC system compilers. So, it poses minimal risks. Also, we have updated PDT to use gcc 4.8.5, so you may safely delete these binaries if you wish and TAU will pick up the 4.8.5 binaries by default.
Isn't there a chance that the PDB files contain information a more recent compiler would consider 'wrong' or 'outdated' causing some sort of malfunction when doing the instrumentation? Depending on the type of possible mismatches, the instrumentation could even be "silently" wrong?
Good question, I've reached out to the upstream dev team to ask.
Any update on this?