Restore most OpenSSF hardening for abseil-cpp-dependent packages

We only need to override -fno-delete-null-pointer-checks for these packages to build. Add explicit build-deps on openssf-compiler-options so that CI orders the builds correctly. Also fix some incorrect issue links. Signed-off-by: dann frazier <[email protected]>
wolfi-dev · Jan 5, 2025 · e1ecd09 · e1ecd09
1 parent 73fe0a3
commit e1ecd09
Show file tree

Hide file tree

Showing 10 changed files with 50 additions and 34 deletions.
diff --git a/falco-no-driver.yaml b/falco-no-driver.yaml
@@ -1,7 +1,7 @@
 package:
-  name: falco-no-driver
+  name: falco-no-driver # On update, please check if -fdelete-null-pointer-checks is still required
   version: 0.39.2
-  epoch: 0
+  epoch: 1
   description: Cloud Native Runtime Security
   copyright:
     - license: Apache-2.0
@@ -31,14 +31,15 @@ environment:
       - libelf-static
       - libtool
       - mpc-dev
+      - openssf-compiler-options
       - openssl-dev
       - pkgconf
       - protobuf-dev
       - yaml-cpp-dev
       - zlib-dev
   environment:
     # See https://github.com/wolfi-dev/os/issues/34075
-    GCC_SPEC_FILE: "/dev/null"
+    CMAKE_CXX_FLAGS: -fdelete-null-pointer-checks
 
 pipeline:
   - uses: git-checkout
@@ -60,6 +61,7 @@ pipeline:
       mkdir build && cd build
       cmake \
         -DCMAKE_BUILD_TYPE=Release \
+        -DCMAKE_CXX_FLAGS="$CMAKE_CXX_FLAGS" \
         -DUSE_BUNDLED_DEPS=On \
         -DFALCO_ETC_DIR=/etc/falco \
         -DBUILD_FALCO_MODERN_BPF=ON \

diff --git a/grpc-1.66.yaml b/grpc-1.66.yaml
@@ -1,7 +1,7 @@
 package:
-  name: grpc-1.66
+  name: grpc-1.66 # On update, please check if -fdelete-null-pointer-checks is still required
   version: 1.66.2
-  epoch: 3
+  epoch: 4
   description: The C based gRPC
   copyright:
     - license: Apache-2.0 AND BSD-3-Clause AND MIT
@@ -38,6 +38,7 @@ environment:
       - libsystemd
       - libtool
       - linux-headers
+      - openssf-compiler-options
       - openssl-dev
       - protobuf-dev
       - py3-setuptools
@@ -52,8 +53,8 @@ environment:
       - yaml-dev
       - zlib-dev
   environment:
-    # https://github.com/wolfi-dev/os/issues/34568
-    GCC_SPEC_FILE: /dev/null
+    # https://github.com/wolfi-dev/os/issues/34075
+    CMAKE_CXX_FLAGS: -fdelete-null-pointer-checks
 
 pipeline:
   - uses: git-checkout
@@ -71,7 +72,8 @@ pipeline:
       cmake -B _build -G Ninja \
       	-DCMAKE_BUILD_TYPE=None \
       	-DCMAKE_INSTALL_PREFIX=/usr \
-      	-DCMAKE_CXX_STANDARD=17 \
+        -DCMAKE_CXX_FLAGS="$CMAKE_CXX_FLAGS" \
+        -DCMAKE_CXX_STANDARD=17 \
       	-DBUILD_SHARED_LIBS=True \
       	-DgRPC_INSTALL=ON \
       	-DgRPC_CARES_PROVIDER=package \

diff --git a/grpc-1.67.yaml b/grpc-1.67.yaml
@@ -1,7 +1,7 @@
 package:
-  name: grpc-1.67
+  name: grpc-1.67 # On update, please check if -fdelete-null-pointer-checks is still required
   version: 1.67.1
-  epoch: 4
+  epoch: 5
   description: The C based gRPC
   copyright:
     - license: Apache-2.0 AND BSD-3-Clause AND MIT
@@ -49,6 +49,7 @@ environment:
       - libsystemd
       - libtool
       - linux-headers
+      - openssf-compiler-options
       - openssl-dev
       - protobuf-dev
       - py3-supported-build-base
@@ -64,8 +65,8 @@ environment:
       - yaml-dev
       - zlib-dev
   environment:
-    # https://github.com/wolfi-dev/os/issues/34568
-    GCC_SPEC_FILE: /dev/null
+    # https://github.com/wolfi-dev/os/issues/34075
+    CMAKE_CXX_FLAGS: -fdelete-null-pointer-checks
 
 pipeline:
   - uses: git-checkout
@@ -83,6 +84,7 @@ pipeline:
       cmake -B _build -G Ninja \
       	-DCMAKE_BUILD_TYPE=None \
       	-DCMAKE_INSTALL_PREFIX=/usr \
+        -DCMAKE_CXX_FLAGS="$CMAKE_CXX_FLAGS" \
       	-DCMAKE_CXX_STANDARD=17 \
       	-DBUILD_SHARED_LIBS=True \
       	-DgRPC_INSTALL=ON \

diff --git a/grpc-1.68.yaml b/grpc-1.68.yaml
@@ -1,7 +1,7 @@
 package:
-  name: grpc-1.68
+  name: grpc-1.68 # On update, please check if -fdelete-null-pointer-checks is still required
   version: 1.68.2
-  epoch: 2
+  epoch: 3
   description: The C based gRPC
   copyright:
     - license: Apache-2.0 AND BSD-3-Clause AND MIT
@@ -49,6 +49,7 @@ environment:
       - libsystemd
       - libtool
       - linux-headers
+      - openssf-compiler-options
       - openssl-dev
       - protobuf-dev
       - py3-supported-build-base
@@ -64,8 +65,8 @@ environment:
       - yaml-dev
       - zlib-dev
   environment:
-    # https://github.com/wolfi-dev/os/issues/34568
-    GCC_SPEC_FILE: /dev/null
+    # https://github.com/wolfi-dev/os/issues/34075
+    CMAKE_CXX_FLAGS: -fdelete-null-pointer-checks
 
 pipeline:
   - uses: git-checkout
@@ -83,6 +84,7 @@ pipeline:
       cmake -B _build -G Ninja \
       	-DCMAKE_BUILD_TYPE=None \
       	-DCMAKE_INSTALL_PREFIX=/usr \
+        -DCMAKE_CXX_FLAGS="$CMAKE_CXX_FLAGS" \
       	-DCMAKE_CXX_STANDARD=17 \
       	-DBUILD_SHARED_LIBS=True \
       	-DgRPC_INSTALL=ON \

diff --git a/libreoffice-24.8.yaml b/libreoffice-24.8.yaml
@@ -1,7 +1,7 @@
 package:
-  name: libreoffice-24.8
+  name: libreoffice-24.8 # On update, please check if -fdelete-null-pointer-checks is still required
   version: 24.8.4.2
-  epoch: 0
+  epoch: 1
   description:
   # https://www.libreoffice.org/about-us/licenses
   copyright:
@@ -81,6 +81,7 @@ environment:
       - nasm
       - openjdk-${{vars.java-version}}
       - openjdk-${{vars.java-version}}-default-jvm
+      - openssf-compiler-options
       - openssl-dev
       - orc-dev
       - pango-dev
@@ -93,7 +94,7 @@ environment:
       - zip
   environment:
     # https://github.com/wolfi-dev/os/issues/34075
-    GCC_SPEC_FILE: /dev/null
+    CXXFLAGS: -fdelete-null-pointer-checks
     JAVA_HOME: ${{vars.java-home}}
 
 pipeline:

diff --git a/nodejs-22.yaml b/nodejs-22.yaml
@@ -1,7 +1,7 @@
 package:
   name: nodejs-22
-  version: 22.12.0
-  epoch: 1
+  version: 22.12.0 # On update, please check if -fdelete-null-pointer-checks is still required
+  epoch: 2
   description: "JavaScript runtime built on V8 engine"
   dependencies:
     provides:
@@ -27,6 +27,7 @@ environment:
       - libuv-dev
       - linux-headers
       - nghttp2-dev
+      - openssf-compiler-options
       - openssl-dev
       - py${{vars.py-version}}-jinja2
       - py${{vars.py-version}}-setuptools
@@ -35,7 +36,8 @@ environment:
       - wolfi-base
       - zlib-dev
   environment:
-    GCC_SPEC_FILE: /dev/null # https://github.com/wolfi-dev/os/issues/34075
+    # https://github.com/wolfi-dev/os/issues/34075
+    CXXFLAGS: -fdelete-null-pointer-checks
 
 pipeline:
   - uses: git-checkout

diff --git a/nodejs-23.yaml b/nodejs-23.yaml
@@ -1,7 +1,7 @@
 package:
   name: nodejs-23
-  version: 23.5.0
-  epoch: 1
+  version: 23.5.0 # On update, please check if -fdelete-null-pointer-checks is still required
+  epoch: 2
   description: "JavaScript runtime built on V8 engine"
   dependencies:
     provides:
@@ -27,6 +27,7 @@ environment:
       - libuv-dev
       - linux-headers
       - nghttp2-dev
+      - openssf-compiler-options
       - openssl-dev
       - py${{vars.py-version}}-jinja2
       - py${{vars.py-version}}-setuptools
@@ -35,7 +36,8 @@ environment:
       - wolfi-base
       - zlib-dev
   environment:
-    GCC_SPEC_FILE: /dev/null # https://github.com/wolfi-dev/os/issues/34075
+    # https://github.com/wolfi-dev/os/issues/34075
+    CXXFLAGS: -fdelete-null-pointer-checks
 
 pipeline:
   - uses: git-checkout

diff --git a/protobuf-c.yaml b/protobuf-c.yaml
@@ -1,7 +1,7 @@
 package:
   name: protobuf-c
-  version: 1.5.0
-  epoch: 12
+  version: 1.5.0 # On update, please check if -fdelete-null-pointer-checks is still required
+  epoch: 13
   description: Protocol Buffers implementation in C
   copyright:
     - license: BSD-2-Clause
@@ -16,10 +16,11 @@ environment:
       - busybox
       - ca-certificates-bundle
       - libtool
+      - openssf-compiler-options
       - protobuf-dev
   environment:
     # https://github.com/wolfi-dev/os/issues/34075
-    GCC_SPEC_FILE: /dev/null
+    CXXFLAGS: -fdelete-null-pointer-checks
 
 pipeline:
   - uses: git-checkout

diff --git a/protobuf.yaml b/protobuf.yaml
@@ -1,7 +1,7 @@
 package:
   name: protobuf
-  version: 3.29.2
-  epoch: 0
+  version: 3.29.2 # On update, please check if -fdelete-null-pointer-checks is still required
+  epoch: 1
   description: Library for extensible, efficient structure packing
   copyright:
     - license: BSD-3-Clause
@@ -26,11 +26,12 @@ environment:
       - cmake
       - git
       - libtool
+      - openssf-compiler-options
       - samurai
       - zlib-dev
   environment:
     # https://github.com/wolfi-dev/os/issues/34075
-    GCC_SPEC_FILE: /dev/null
+    CMAKE_CXX_FLAGS: -fdelete-null-pointer-checks
 
 pipeline:
   - uses: git-checkout
@@ -49,6 +50,7 @@ pipeline:
       cmake -B build -G Ninja \
         -DCMAKE_INSTALL_PREFIX=/usr \
         -DCMAKE_INSTALL_LIBDIR=lib \
+        -DCMAKE_CXX_FLAGS="$CMAKE_CXX_FLAGS" \
         -DBUILD_SHARED_LIBS=True \
         -DCMAKE_BUILD_TYPE=Release \
         -Dprotobuf_ABSL_PROVIDER=package \

diff --git a/py3-grpcio-tools.yaml b/py3-grpcio-tools.yaml
@@ -1,7 +1,7 @@
 package:
   name: py3-grpcio-tools
-  version: 1.69.0
-  epoch: 0
+  version: 1.69.0 # On update, please check if -fdelete-null-pointer-checks is still required
+  epoch: 1
   description: Protobuf code generator for gRPC
   copyright:
     - license: Apache-2.0
@@ -36,7 +36,7 @@ environment:
       - wolfi-base
   environment:
     # https://github.com/wolfi-dev/os/issues/34075
-    GCC_SPEC_FILE: /dev/null
+    CXXFLAGS: -fdelete-null-pointer-checks
     GRPC_PYTHON_BUILD_WITH_CYTHON: 1
 
 pipeline: