nebula
nebula copied to clipboard
vesoft-inc
Unsatisfied secure compilation options -fPIE -pie
I used a scanning tool to scan the nebula-graphd file and found Unsatisfied secure compilation options -fPIE -pie. I saw a related reply in the community: Nebula relies on static libraries and does not need this option. (https://discuss.nebula-graph.com.cn/t/topic/2846/2)
Is there a formal conclusion and reason for this?
In the current source code we use the -fPIC option, what scanning tool are you using? I want to reproduce this scan result. Both nebula and nebula-third-party use the -fPIC option, so I want to know which part is showing up -fPIE
The replies in the mentioned post are not correct.
The -no-pie linker option was introduced by me long long ago. I am not sure about the exact reason to do this. But it must be related with a crash bug if PIE is enabled by default. I simply reviewed my commit history to locate the original PR but with no luck.
Yes, my code exists -fPIE -pie . But I used the security tool to scan nebula-graphd, the result showed that the -fPIE -pie not activated. I'd like to consult the reasons and the security risks.
-DCMAKE_C_FLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now,-z,noexecstack -s -fPIE -pie -fPIC -pie -Wl,--disable-new-dtags ${CMAKE_C_FLAGS}"
-DCMAKE_CXX_FLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now,-z,noexecstack -s -fPIE -pie -fPIC -pie -Wl,--disable-new-dtags ${CMAKE_CXX_FLAGS}"