RHEL-36308

rpminspect: annocheck 'hardened' test fails for go binaries [rhel-10]

    • Bug
    • Resolution: Unresolved
    • rhel-10.0.beta
    • annobin
    • annobin-12.55-1.el10
    • rhel-sst-pt-gcc
    • ssg_platform_tools
    • GCC Sprint 4
    • Unspecified Release Note Type - Unknown

      Several go binaries and testdata fail the rpminspect annocheck 'hardened' test (more specifically "gaps test because no annobin notes were detected") with golang-1.22.2-7.el10:

      annocheck 'hardened' test fails for /usr/lib/golang/bin/gofmt on aarch64
      Anyone
      Suggested remedy:
      Ensure all object files are compiled with '-O2 -D_FORTIFY_SOURCE=2', and that all appropriate headers are included (no implicit function declarations). Symbols may also appear as unfortified if the compiler is unable to determine the size of a buffer, which is not necessarily an error.
      
      Command: annocheck --ignore-unknown --verbose --profile=el10 /usr/lib/golang/bin/gofmt
      Exit Code: 1
          compared with the output of:
      Command: annocheck --ignore-unknown --verbose --profile=el10 /usr/lib/golang/bin/gofmt
      Exit Code: 1
      
      annocheck: Version 12.52.
      Hardened: /usr/lib/golang/bin/gofmt: PASS: go-revision test because GO compiler revision is sufficient 
      Hardened: /usr/lib/golang/bin/gofmt: info: Command line options not recorded in DWARF DW_AT_producer variable.
      Hardened: /usr/lib/golang/bin/gofmt: PASS: fips test because the binary was built with CGO_ENABLED=1 
      Hardened: /usr/lib/golang/bin/gofmt: PASS: gnu-stack test because stack segment exists with the correct permissions 
      Hardened: /usr/lib/golang/bin/gofmt: skip: notes test because binary created by a GO compiler 
      Hardened: /usr/lib/golang/bin/gofmt: FAIL: gaps test because no annobin notes were detected 
      Hardened: /usr/lib/golang/bin/gofmt: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-gaps.html
      Hardened: /usr/lib/golang/bin/gofmt: skip: bind-now test because no dynamic segment present 
      Hardened: /usr/lib/golang/bin/gofmt: skip: branch-protection test because GO binaries do not support branch protection 
      Hardened: /usr/lib/golang/bin/gofmt: skip: cf-protection test because not an x86_64 binary 
      Hardened: /usr/lib/golang/bin/gofmt: PASS: dynamic-segment test 
      Hardened: /usr/lib/golang/bin/gofmt: skip: dynamic-tags test because GO compilation does not support branch protection 
      Hardened: /usr/lib/golang/bin/gofmt: PASS: entry test 
      Hardened: /usr/lib/golang/bin/gofmt: PASS: fast test 
      Hardened: /usr/lib/golang/bin/gofmt: skip: fortify test because GO compilation does not use the C preprocessor 
      Hardened: /usr/lib/golang/bin/gofmt: skip: glibcxx-assertions test because source language not C++ 
      Hardened: /usr/lib/golang/bin/gofmt: skip: gnu-relro test because built by GO 
      Hardened: /usr/lib/golang/bin/gofmt: skip: implicit-values test because  These tests are only relevent to C source code 
      Hardened: /usr/lib/golang/bin/gofmt: PASS: instrumentation test 
      Hardened: /usr/lib/golang/bin/gofmt: skip: lto test because at least part of the binary is compield GO 
      Hardened: /usr/lib/golang/bin/gofmt: PASS: openssl-engine test 
      Hardened: /usr/lib/golang/bin/gofmt: skip: optimization test because GO does not need/use this feature 
      Hardened: /usr/lib/golang/bin/gofmt: skip: pic test because GO binaries are safe without PIC 
      Hardened: /usr/lib/golang/bin/gofmt: skip: pie test because GO binaries are safe without PIE 
      Hardened: /usr/lib/golang/bin/gofmt: PASS: production test 
      Hardened: /usr/lib/golang/bin/gofmt: skip: property-note test because property notes not needed for GO binaries 
      Hardened: /usr/lib/golang/bin/gofmt: PASS: run-path test 
      Hardened: /usr/lib/golang/bin/gofmt: PASS: rwx-seg test 
      Hardened: /usr/lib/golang/bin/gofmt: PASS: short-enums test 
      Hardened: /usr/lib/golang/bin/gofmt: skip: stack-clash test because GO is stack safe 
      Hardened: /usr/lib/golang/bin/gofmt: skip: stack-prot test because GO is stack safe 
      Hardened: /usr/lib/golang/bin/gofmt: skip: stack-realign test because not an i686 executable 
      Hardened: /usr/lib/golang/bin/gofmt: PASS: textrel test 
      Hardened: /usr/lib/golang/bin/gofmt: PASS: threads test 
      Hardened: /usr/lib/golang/bin/gofmt: PASS: unicode test 
      Hardened: /usr/lib/golang/bin/gofmt: skip: warnings test because GO compilation does not use the C preprocessor 
      Hardened: /usr/lib/golang/bin/gofmt: PASS: writable-got test 
      Hardened: /usr/lib/golang/bin/gofmt: Overall: FAIL.
      

      https://artifacts.osci.redhat.com/testing-farm/bc9f62fc-705c-4621-98e8-daebc856aaa0/

      The list of failing binaries:

      /usr/lib/golang/pkg/tool/linux_arm64/addr2line on aarch64
      /usr/lib/golang/pkg/tool/linux_arm64/asm on aarch64
      /usr/lib/golang/pkg/tool/linux_arm64/cgo on aarch64
      /usr/lib/golang/pkg/tool/linux_arm64/covdata on aarch64
      /usr/lib/golang/pkg/tool/linux_arm64/dist on aarch64
      /usr/lib/golang/pkg/tool/linux_arm64/doc on aarch64
      /usr/lib/golang/pkg/tool/linux_arm64/fix on aarch64
      /usr/lib/golang/pkg/tool/linux_arm64/link on aarch64
      /usr/lib/golang/pkg/tool/linux_arm64/nm on aarch64
      /usr/lib/golang/pkg/tool/linux_arm64/objdump on aarch64
      /usr/lib/golang/pkg/tool/linux_arm64/pack on aarch64
      /usr/lib/golang/pkg/tool/linux_arm64/test2json on aarch64
      /usr/lib/golang/src/crypto/internal/boring/syso/goboringcrypto_linux_amd64.syso on noarch
      /usr/lib/golang/src/crypto/internal/boring/syso/goboringcrypto_linux_arm64.syso on noarch
      /usr/lib/golang/src/runtime/race/internal/amd64v1/race_freebsd.syso on noarch
      /usr/lib/golang/src/runtime/race/internal/amd64v1/race_linux.syso on noarch
      /usr/lib/golang/src/runtime/race/internal/amd64v1/race_netbsd.syso on noarch
      /usr/lib/golang/src/runtime/race/internal/amd64v1/race_openbsd.syso on noarch
      /usr/lib/golang/src/runtime/race/internal/amd64v3/race_linux.syso on noarch
      /usr/lib/golang/src/runtime/race/race_linux_arm64.syso on noarch
      /usr/lib/golang/src/runtime/race/race_linux_ppc64le.syso on noarch
      /usr/lib/golang/src/runtime/race/race_linux_s390x.syso on noarch
      /usr/lib/golang/src/debug/dwarf/testdata/bitfields.elf4 on noarch
      /usr/lib/golang/src/debug/dwarf/testdata/cppunsuptypes.elf on noarch
      /usr/lib/golang/src/debug/dwarf/testdata/cycle.elf on noarch
      /usr/lib/golang/src/debug/dwarf/testdata/line-clang-dwarf5.elf on noarch
      /usr/lib/golang/src/debug/dwarf/testdata/line-clang.elf on noarch
      /usr/lib/golang/src/debug/dwarf/testdata/line-gcc-dwarf5.elf on noarch
      /usr/lib/golang/src/debug/dwarf/testdata/line-gcc-zstd.elf on noarch
      /usr/lib/golang/src/debug/dwarf/testdata/line-gcc.elf on noarch
      /usr/lib/golang/src/debug/dwarf/testdata/ranges.elf on noarch
      /usr/lib/golang/src/debug/dwarf/testdata/rnglistx.elf on noarch
      /usr/lib/golang/src/debug/dwarf/testdata/split.elf on noarch
      /usr/lib/golang/src/debug/dwarf/testdata/typedef.elf on noarch
      /usr/lib/golang/src/debug/dwarf/testdata/typedef.elf4 on noarch
      /usr/lib/golang/src/debug/dwarf/testdata/typedef.elf5 on noarch
      /usr/lib/golang/src/debug/elf/testdata/compressed-64.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/gcc-amd64-linux-exec on noarch
      /usr/lib/golang/src/debug/elf/testdata/gcc-amd64-openbsd-debug-with-rela.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/go-relocation-test-clang-arm.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/go-relocation-test-gcc424-x86-64.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/go-relocation-test-gcc441-x86-64.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/go-relocation-test-gcc482-aarch64.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/go-relocation-test-gcc482-ppc64le.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/go-relocation-test-gcc492-arm.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/go-relocation-test-gcc492-mips64.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/go-relocation-test-gcc492-mipsle.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/go-relocation-test-gcc493-mips64le.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/go-relocation-test-gcc5-ppc.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/go-relocation-test-gcc531-s390x.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/go-relocation-test-gcc540-mips.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/go-relocation-test-gcc620-sparc64.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/go-relocation-test-gcc720-riscv64.obj on noarch
      /usr/lib/golang/src/debug/elf/testdata/zdebug-test-gcc484-x86-64.obj on noarch
      /usr/lib/golang/src/runtime/pprof/testdata/test32be on noarch
      /usr/lib/golang/src/runtime/pprof/testdata/test64 on noarch
      /usr/lib/golang/src/runtime/pprof/testdata/test64be on noarch
      /usr/lib/golang/bin/gofmt on ppc64le
      /usr/lib/golang/pkg/tool/linux_ppc64le/addr2line on ppc64le
      /usr/lib/golang/pkg/tool/linux_ppc64le/asm on ppc64le
      /usr/lib/golang/pkg/tool/linux_ppc64le/cgo on ppc64le
      /usr/lib/golang/pkg/tool/linux_ppc64le/covdata on ppc64le
      /usr/lib/golang/pkg/tool/linux_ppc64le/dist on ppc64le
      /usr/lib/golang/pkg/tool/linux_ppc64le/doc on ppc64le
      /usr/lib/golang/pkg/tool/linux_ppc64le/fix on ppc64le
      /usr/lib/golang/pkg/tool/linux_ppc64le/link on ppc64le
      /usr/lib/golang/pkg/tool/linux_ppc64le/nm on ppc64le
      /usr/lib/golang/pkg/tool/linux_ppc64le/objdump on ppc64le
      /usr/lib/golang/pkg/tool/linux_ppc64le/pack on ppc64le
      /usr/lib/golang/pkg/tool/linux_ppc64le/test2json on ppc64le
      /usr/lib/golang/bin/gofmt on x86_64
      /usr/lib/golang/pkg/tool/linux_amd64/addr2line on x86_64
      /usr/lib/golang/pkg/tool/linux_amd64/asm on x86_64
      /usr/lib/golang/pkg/tool/linux_amd64/cgo on x86_64
      /usr/lib/golang/pkg/tool/linux_amd64/covdata on x86_64
      /usr/lib/golang/pkg/tool/linux_amd64/dist on x86_64
      /usr/lib/golang/pkg/tool/linux_amd64/doc on x86_64
      /usr/lib/golang/pkg/tool/linux_amd64/fix on x86_64
      /usr/lib/golang/pkg/tool/linux_amd64/link on x86_64
      /usr/lib/golang/pkg/tool/linux_amd64/nm on x86_64
      /usr/lib/golang/pkg/tool/linux_amd64/objdump on x86_64
      /usr/lib/golang/pkg/tool/linux_amd64/pack on x86_64
      /usr/lib/golang/pkg/tool/linux_amd64/test2json on x86_64
      /usr/lib/golang/bin/gofmt on s390x
      /usr/lib/golang/pkg/tool/linux_s390x/addr2line on s390x
      /usr/lib/golang/pkg/tool/linux_s390x/asm on s390x
      /usr/lib/golang/pkg/tool/linux_s390x/cgo on s390x
      /usr/lib/golang/pkg/tool/linux_s390x/covdata on s390x
      /usr/lib/golang/pkg/tool/linux_s390x/dist on s390x
      /usr/lib/golang/pkg/tool/linux_s390x/doc on s390x
      /usr/lib/golang/pkg/tool/linux_s390x/fix on s390x
      /usr/lib/golang/pkg/tool/linux_s390x/link on s390x
      /usr/lib/golang/pkg/tool/linux_s390x/nm on s390x
      /usr/lib/golang/pkg/tool/linux_s390x/objdump on s390x
      /usr/lib/golang/pkg/tool/linux_s390x/pack on s390x
      /usr/lib/golang/pkg/tool/linux_s390x/test2json on s390x
      

              nickc@redhat.com Nick Clifton
              rhn-support-emachado Edjunior Machado
              Nick Clifton Nick Clifton
              Vaclav Kadlcik Vaclav Kadlcik