make your compiler mighty strong hehehhe
#
# Usage: `uv run robust_compiler_options.py > options.json`
# See: https://docs.astral.sh/uv/guides/scripts/#declaring-script-dependencies
#
#
# /// script
# requires-python = ">=3.10"
# dependencies = [
# "requests==2.32.4",
# "markdown==3.6",
# "beautifulsoup4==4.12.3",
# ]
# ///
import json
import re
import sys
from pathlib import Path
from typing import Any, Dict, List, Tuple
import markdown
import requests
from bs4 import BeautifulSoup
# Module metadata. The script itself is Apache-2.0; the copyright line
# credits the working group that publishes the guide being parsed.
__license__ = "Apache-2.0"
__copyright__ = "The OpenSSF Best Practices WG"
__author__ = "Yahya Jabary"
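def extract_versions(input_string: str) -> Dict[str, str]:
    """Extract toolchain version numbers from a "Supported since" cell.

    Each tool is located by its name followed by a dotted version, e.g.
    ``"GCC 2.95.3"`` or ``"Clang 4.0.0"``. Several tools may be present in
    the same string (the table cell may have lost its line breaks, giving
    ``"GCC 2.95.3Clang 4.0.0"``); the version still terminates at the next
    non-digit character.

    Args:
        input_string: Raw text of the "Supported since" column.

    Returns:
        A mapping from tool key (``gcc``, ``clang``, ``binutils``,
        ``libc++``, ``libstdc++``) to the first version string found after
        that tool's name. Tools that do not appear are omitted, so an empty
        string yields ``{}``.
    """
    # A version is two or more dot-separated numeric components. Every
    # component accepts multiple digits, so "4.3.10" is no longer truncated
    # to "4.3.1" and two-component versions such as "12.1" are recognised.
    version = r"(\d+(?:\.\d+)+)"
    version_patterns = {
        "gcc": rf"GCC\s+{version}",
        "clang": rf"Clang\s+{version}",
        "binutils": rf"Binutils\s+{version}",
        "libc++": rf"libc\+\+\s+{version}",
        "libstdc++": rf"libstdc\+\+\s+{version}",
    }
    found: Dict[str, str] = {}
    for key, pattern in version_patterns.items():
        match = re.search(pattern, input_string)
        if match is not None:
            found[key] = match.group(1)
    return found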
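def get_desc_preq_pair(desc: str) -> Tuple[str, str]:
    """Split a description cell into ``(description, prerequisite)``.

    The guide states prerequisites inline, starting with the word
    "Requires" (e.g. "Requires -O1 or higher ..."). Everything from that
    word onwards is the prerequisite; everything before it is the
    description proper.

    Args:
        desc: Text of the "Description" column.

    Returns:
        ``(description, prerequisite)``. ``prerequisite`` is ``""`` when the
        text contains no "Requires". Whitespace that separated the two parts
        is stripped from the end of ``description`` so it does not leak into
        the JSON output.
    """
    description, marker, rest = desc.partition("Requires")
    # partition() yields an empty marker when "Requires" is absent, in which
    # case `description` already holds the whole text and the pair is
    # (desc, "").
    return description.rstrip(), marker + rest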
def create_option_dict(row_data: Dict[str, str]) -> Dict[str, Any]:
    """Turn one parsed table row into an option record.

    Args:
        row_data: Column name -> cell text for a single row. The
            ``"Compiler Flag"``, ``"Description"`` and ``"Supported since"``
            columns are required.

    Returns:
        A dict with ``option``, ``description`` and ``requires`` keys, plus a
        ``prerequisite`` key only when the description carried a "Requires"
        sentence.

    Raises:
        KeyError: if one of the required columns is missing from ``row_data``.
    """
    desc_text, prereq_text = get_desc_preq_pair(row_data["Description"])
    record: Dict[str, Any] = {
        "option": row_data["Compiler Flag"],
        "description": desc_text,
        "requires": extract_versions(row_data["Supported since"]),
    }
    # Emit "prerequisite" only when there is an actual prerequisite sentence;
    # the merge keeps key order, so the output matches the original layout.
    return record | {"prerequisite": prereq_text} if prereq_text else record
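def _cell_text(cell: Any) -> str:
    """Return the visible text of a table cell with whitespace normalised.

    ``<br>`` tags inside a cell are replaced with a space before the text is
    extracted. Without this, ``get_text()`` glues the fragments together
    (the sample output shows ``-Wall-Wextra`` for a cell that presumably
    lists two flags). Runs of whitespace are then collapsed to one space.
    The cell is modified in place, which is acceptable for a throwaway soup.
    """
    for line_break in cell.find_all("br"):
        line_break.replace_with(" ")
    return " ".join(cell.get_text().split())


def table_to_dict(table: BeautifulSoup) -> List[Dict[str, Any]]:
    """Convert one HTML ``<table>`` of the guide into option records.

    Args:
        table: A ``<table>`` tag whose first ``<tr>`` contains the ``<th>``
            header cells and whose remaining rows contain ``<td>`` cells.

    Returns:
        One record per data row, as produced by :func:`create_option_dict`.

    Raises:
        KeyError: via :func:`create_option_dict` when a row lacks one of the
            required columns.
    """
    headers = [_cell_text(header) for header in table.find_all("th")]
    options: List[Dict[str, Any]] = []
    # The first <tr> holds the <th> cells, so it is skipped.
    for row in table.find_all("tr")[1:]:
        cells = [_cell_text(cell) for cell in row.find_all("td")]
        # zip() stops at the shorter sequence: a row with fewer cells than
        # headers simply lacks those keys.
        options.append(create_option_dict(dict(zip(headers, cells))))
    return options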
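def get_content() -> str:
    """Return the Markdown source of the OpenSSF compiler hardening guide.

    A local copy named ``Compiler-Options-Hardening-Guide-for-C-and-C++.md``
    in the current working directory takes precedence; otherwise the file
    is fetched from the guide's GitHub repository.

    Returns:
        The guide's Markdown text.

    Raises:
        requests.HTTPError: if the remote fetch returns a non-2xx status.
        requests.RequestException: on connection failure or timeout.
    """
    local_copy = Path.cwd() / "Compiler-Options-Hardening-Guide-for-C-and-C++.md"
    if local_copy.is_file():
        # Read as UTF-8 explicitly; the default depends on the locale.
        return local_copy.read_text(encoding="utf-8")
    # Remote fallback when no local copy exists.
    fallback = "https://raw.githubusercontent.com/ossf/wg-best-practices-os-developers/refs/heads/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C%2B%2B.md"
    # A timeout keeps a stalled connection from hanging the script forever.
    response = requests.get(fallback, timeout=30)
    # Unlike `assert`, this check is not stripped under `python -O`, so an
    # error page can never be parsed as if it were the guide.
    response.raise_for_status()
    return response.text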
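def main() -> None:
    """Parse the hardening guide and write its option tables to stdout as JSON.

    The Markdown is rendered to HTML so the ``tables`` extension turns the
    pipe tables into ``<table>`` elements. The first ``YYYY-MM-DD`` date in
    the document is reported as ``version``. The second and third tables
    are taken as the compile-time and run-time option tables respectively;
    these indices are tied to the guide's current layout.
    """
    content = get_content()
    html = markdown.markdown(content, extensions=["tables"])
    soup = BeautifulSoup(html, "html.parser")
    tables = soup.find_all("table")
    # Fail with a clear message rather than a bare IndexError if the guide
    # is restructured and the expected tables are not there.
    if len(tables) < 3:
        raise SystemExit(f"expected at least 3 tables in the guide, found {len(tables)}")
    date_match = re.search(r"\b\d{4}-\d{2}-\d{2}\b", content)
    if date_match is None:
        raise SystemExit("could not find a YYYY-MM-DD date to use as the guide version")
    compile_time_options = table_to_dict(tables[1])
    runtime_options = table_to_dict(tables[2])
    output = {"version": date_match.group(0), "options": compile_time_options + runtime_options}
    json.dump(output, fp=sys.stdout, indent=4)


if __name__ == "__main__":
    main()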
@sueszli

sueszli commented Sep 29, 2025

{
    "version": "2025-09-04",
    "options": [
        {
            "option": "-Wall-Wextra",
            "description": "Enable warnings for constructs often associated with defects",
            "requires": {
                "gcc": "2.95.3",
                "clang": "4.0.0"
            }
        },
        {
            "option": "-Wformat-Wformat=2",
            "description": "Enable additional format function warnings",
            "requires": {
                "gcc": "2.95.3",
                "clang": "4.0.0"
            }
        },
        {
            "option": "-Wconversion-Wsign-conversion",
            "description": "Enable implicit conversion warnings",
            "requires": {
                "gcc": "2.95.3",
                "clang": "4.0.0"
            }
        },
        {
            "option": "-Wtrampolines",
            "description": "Enable warnings about trampolines that require executable stacks",
            "requires": {
                "gcc": "4.3.0"
            }
        },
        {
            "option": "-Wimplicit-fallthrough",
            "description": "Warn when a switch case falls through",
            "requires": {
                "gcc": "7.0.0",
                "clang": "4.0.0"
            }
        },
        {
            "option": "-Wbidi-chars=any",
            "description": "Enable warnings for possibly misleading Unicode bidirectional control characters",
            "requires": {
                "gcc": "12.0.0"
            }
        },
        {
            "option": "-Werror-Werror=<warning-flag>",
            "description": "Treat all or selected compiler warnings as errors. Use the blanket form -Werror only during development, not in source distribution.",
            "requires": {
                "gcc": "2.95.3",
                "clang": "2.6.0"
            }
        },
        {
            "option": "-Werror=format-security",
            "description": "Treat format strings that are not string literals and used without arguments as errors",
            "requires": {
                "gcc": "2.95.3",
                "clang": "4.0.0"
            }
        },
        {
            "option": "-Werror=implicit-Werror=incompatible-pointer-types-Werror=int-conversion",
            "description": "Treat obsolete C constructs as errors",
            "requires": {
                "gcc": "2.95.3",
                "clang": "2.6.0"
            }
        },
        {
            "option": "-D_FORTIFY_SOURCE=3",
            "description": "Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows. Some fortification levels can impact performance. ",
            "requires": {
                "gcc": "12.0.0",
                "clang": "9.0.0"
            },
            "prerequisite": "Requires -O1 or higher, may require prepending -U_FORTIFY_SOURCE."
        },
        {
            "option": "-D_GLIBCXX_ASSERTIONS",
            "description": "Precondition checks for C++ standard library calls. Can impact performance.",
            "requires": {
                "libstdc++": "6.0.0"
            }
        },
        {
            "option": "-fstrict-flex-arrays=3",
            "description": "Consider a trailing array in a struct as a flexible array if declared as []",
            "requires": {
                "gcc": "13.0.0",
                "clang": "16.0.0"
            }
        },
        {
            "option": "-fstack-clash-protection",
            "description": "Enable run-time checks for variable-size stack allocation validity. Can impact performance.",
            "requires": {
                "gcc": "8.0.0",
                "clang": "11.0.0"
            }
        },
        {
            "option": "-fstack-protector-strong",
            "description": "Enable run-time checks for stack-based buffer overflows. Can impact performance.",
            "requires": {
                "gcc": "4.9.0",
                "clang": "6.0.0"
            }
        },
        {
            "option": "-fcf-protection=full",
            "description": "Enable control-flow protection against return-oriented programming (ROP) and jump-oriented programming (JOP) attacks on x86_64",
            "requires": {
                "gcc": "8.0.0",
                "clang": "7.0.0"
            }
        },
        {
            "option": "-mbranch-protection=standard",
            "description": "Enable branch protection against ROP and JOP attacks on AArch64",
            "requires": {
                "gcc": "9.0.0",
                "clang": "8.0.0"
            }
        },
        {
            "option": "-Wl,-z,nodlopen",
            "description": "Restrict dlopen(3) calls to shared objects",
            "requires": {
                "binutils": "2.10.0"
            }
        },
        {
            "option": "-Wl,-z,noexecstack",
            "description": "Enable data execution prevention by marking stack memory as non-executable",
            "requires": {
                "binutils": "2.14.0"
            }
        },
        {
            "option": "-Wl,-z,relro-Wl,-z,now",
            "description": "Mark relocation table entries resolved at load-time as read-only. -Wl,-z,now can impact startup performance.",
            "requires": {
                "binutils": "2.15.0"
            }
        },
        {
            "option": "-fPIE -pie",
            "description": "Build as position-independent executable. Can impact performance on 32-bit architectures.",
            "requires": {
                "clang": "5.0.0",
                "binutils": "2.16.0"
            }
        },
        {
            "option": "-fPIC -shared",
            "description": "Build as position-independent code. Can impact performance on 32-bit architectures.",
            "requires": {
                "clang": "5.0.0",
                "binutils": "2.6.0"
            }
        },
        {
            "option": "-fno-delete-null-pointer-checks",
            "description": "Force retention of null pointer checks",
            "requires": {
                "gcc": "3.0.0",
                "clang": "7.0.0"
            }
        },
        {
            "option": "-fno-strict-overflow",
            "description": "Define behavior for signed integer and pointer arithmetic overflows",
            "requires": {
                "gcc": "4.2.0"
            }
        },
        {
            "option": "-fno-strict-aliasing",
            "description": "Do not assume strict aliasing",
            "requires": {
                "gcc": "2.95.3",
                "clang": "2.9.0"
            }
        },
        {
            "option": "-ftrivial-auto-var-init",
            "description": "Perform trivial auto variable initialization",
            "requires": {
                "gcc": "12.0.0",
                "clang": "8.0.0"
            }
        },
        {
            "option": "-fexceptions",
            "description": "Enable exception propagation to harden multi-threaded C code",
            "requires": {
                "gcc": "2.95.3",
                "clang": "2.6.0"
            }
        },
        {
            "option": "-fhardened",
            "description": "Enable pre-determined set of hardening options in GCC",
            "requires": {
                "gcc": "14.0.0"
            }
        },
        {
            "option": "-Wl,--as-needed-Wl,--no-copy-dt-needed-entries",
            "description": "Allow linker to omit libraries specified on the command line to link against if they are not used",
            "requires": {
                "binutils": "2.20.0"
            }
        },
        {
            "option": "-fzero-init-padding-bits=all",
            "description": "Guarantee zero initialization of padding bits in all automatic variable initializers",
            "requires": {
                "gcc": "15.0.0"
            }
        }
    ]
}                                                                                                                                                                                                                                                                                         
