Adopt the OpenSSF Compiler Options Hardening Guide for C and C++

philippeVerney · philippeVerney · commit b99f54ecffcc · 2026-03-23T10:59:07.000+01:00
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -52,16 +52,13 @@ endif (BUILD_SHARED_LIBS)
 add_library (${PROJECT_NAME} ${LIB_TYPE} "") 
 
 # Define the compile options according to the compiler
+include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/cmake-harden.cmake)
+harden(${PROJECT_NAME} CXX RUNTIME)
 target_compile_options(${PROJECT_NAME}	PRIVATE
 	$<$<CXX_COMPILER_ID:MSVC>:/bigobj>
 	$<$<CXX_COMPILER_ID:MSVC>:/MP>
 	$<$<CXX_COMPILER_ID:MSVC>:/W4>
 	$<$<CXX_COMPILER_ID:MSVC>:/utf-8> # Necessary for fmt library which AVRO depends on
-	$<$<CXX_COMPILER_ID:GNU>:-Wall>
-	$<$<CXX_COMPILER_ID:GNU>:-Wextra>
-	$<$<CXX_COMPILER_ID:GNU>:-Wcast-qual>
-	$<$<CXX_COMPILER_ID:GNU>:-pedantic>
-	$<$<CXX_COMPILER_ID:CLANG>:-Weverything>
 )
 
 if (WIN32)
diff --git a/cmake/cmake-harden.cmake b/cmake/cmake-harden.cmake
@@ -0,0 +1,159 @@
+# Copyright 2025 Holepunch Inc
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Downloaded on 2026-03-16 from https://github.com/holepunchto/cmake-harden/blob/main/cmake-harden.cmake
+# Changelog
+# 2026-03-16
+# add -Wextra
+# add -Wsign-conversion
+# add -Wbidi-chars=any
+# add -U_FORTIFY_SOURCE
+# add -D_FORTIFY_SOURCE=3
+# add -D_GLIBCXX_ASSERTIONS
+# add -fcf-protection=full
+# add -mbranch-protection=standard on aarch64|arm64 architecture
+# add -Wl,-z,nodlopen as a comment since we need dlopen for SWIG
+# add -Wl,--as-needed
+# add -Wl,--no-copy-dt-needed-entries
+# add fexceptions
+# add fhardened
+# rename GCC compiler to GNU compiler to apply to gcc and g++
+# Check Linker Flag and use LINKER: prefix
+
+cmake_minimum_required(VERSION 3.19)
+
+include_guard()
+
+include(CheckCompilerFlag)
+include(CheckLinkerFlag)
+
+# https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
+
+macro(add_hardened_compiler_flags)
+  foreach(flag ${ARGV})
+    check_compiler_flag(${lang} ${flag} supports_${flag})
+
+    if(supports_${flag})
+      target_compile_options(${target} PRIVATE ${flag})
+    endif()
+  endforeach()
+endmacro()
+
+macro(add_hardened_linker_flags)
+  foreach(flag ${ARGV})
+    check_linker_flag(${lang} LINKER:${flag} supports_${flag})
+  
+    if(supports_${flag})
+      target_link_options(${target} PRIVATE LINKER:${flag})
+    endif()
+  endforeach()
+endmacro()
+
+macro(harden_posix)
+  add_hardened_compiler_flags(
+    -Wall
+    -Wextra
+    -Wformat
+    -Wformat=2
+    -Wconversion
+    -Wsign-conversion
+    -Wimplicit-fallthrough
+	-Wbidi-chars=any
+    -Werror=format-security
+    -Werror=implicit
+    -Werror=incompatible-pointer-types
+    -Werror=int-conversion
+	-U_FORTIFY_SOURCE
+	-D_FORTIFY_SOURCE=3
+	-D_GLIBCXX_ASSERTIONS
+    -fstrict-flex-arrays=3
+	-fcf-protection=full
+    -fno-delete-null-pointer-checks
+    -fno-strict-overflow
+    -fno-strict-aliasing
+    -ftrivial-auto-var-init=zero
+	-fexceptions
+	-fhardened
+  )
+ 
+if(CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|arm64")
+  add_hardened_compiler_flags( 
+    -mbranch-protection=standard
+  )
+endif()
+
+  # The SHARED and MODULE library targets have by default position independent code enabled : https://cmake.org/cmake/help/latest/variable/CMAKE_POSITION_INDEPENDENT_CODE.html
+  add_hardened_linker_flags(
+# dlopen is needed for JAVA and Python swig port.
+#   -z,nodlopen
+    -z,noexecstack
+    -z,relro
+    -z,now
+    --as-needed
+    --no-copy-dt-needed-entries
+  )
+
+  if(runtime)
+    add_hardened_compiler_flags(
+      -fstack-clash-protection
+      -fstack-protector-strong
+    )
+  endif()
+endmacro()
+
+macro(harden_clang)
+  harden_posix()
+endmacro()
+
+macro(harden_gnu)
+  harden_posix()
+
+  add_hardened_compiler_flags(
+    -Wtrampolines
+  )
+endmacro()
+
+macro(harden_msvc)
+#  message(WARNING "Compiler hardening is not yet supported for MSVC")
+endmacro()
+
+function(harden target)
+  set(option_keywords
+    C
+    CXX
+    RUNTIME
+  )
+
+  cmake_parse_arguments(
+    PARSE_ARGV 1 ARGV "${option_keywords}" "" ""
+  )
+
+  set(runtime ${ARGV_RUNTIME})
+
+  if(ARGV_CXX)
+    set(lang CXX)
+  else()
+    set(lang C)
+  endif()
+
+  set(compiler ${CMAKE_${lang}_COMPILER_ID})
+
+  if(compiler MATCHES "Clang")
+    harden_clang()
+  elseif(compiler MATCHES "GNU")
+    harden_gnu()
+  elseif(compiler MATCHES "MSVC")
+    harden_msvc()
+  endif()
+endfunction()
diff --git a/cs/CMakeLists.txt b/cs/CMakeLists.txt
@@ -36,6 +36,12 @@ message("SWIG C# files have been generated.")
 #Add the swig cpp file to the FesapiCpp
 target_sources(${PROJECT_NAME} PRIVATE ${CMAKE_SOURCE_DIR}/swig/swigGeneratedCsWrapper.cpp)
 target_sources(${PROJECT_NAME} PRIVATE ${CMAKE_SOURCE_DIR}/swig/swigGeneratedCsWrapper.h)
+# Disable warnings on SWIG generated file which we do not control
+if (WIN32)
+	set_source_files_properties(${CMAKE_SOURCE_DIR}/swig/swigGeneratedCsWrapper.cpp PROPERTIES COMPILE_OPTIONS "/W0")
+else()
+	set_source_files_properties(${CMAKE_SOURCE_DIR}/swig/swigGeneratedCsWrapper.cpp PROPERTIES COMPILE_OPTIONS "-w")
+endif()
 
 # Create the Visual Studio project from a template file
 set (CS_LIBRARY_NAME FetpapiCs)
diff --git a/java/CMakeLists.txt b/java/CMakeLists.txt
@@ -90,6 +90,12 @@ endif (SWIG_LINKED_TO_RELEASE)
 
 target_sources(${PROJECT_NAME} PRIVATE ${CMAKE_SOURCE_DIR}/swig/swigGeneratedJavaWrapper.cpp)
 target_sources(${PROJECT_NAME} PRIVATE ${CMAKE_SOURCE_DIR}/swig/swigGeneratedJavaWrapper.h)
+# Disable warnings on SWIG generated file which we do not control
+if (WIN32)
+	set_source_files_properties(${CMAKE_SOURCE_DIR}/swig/swigGeneratedJavaWrapper.cpp PROPERTIES COMPILE_OPTIONS "/W0")
+else()
+	set_source_files_properties(${CMAKE_SOURCE_DIR}/swig/swigGeneratedJavaWrapper.cpp PROPERTIES COMPILE_OPTIONS "-w")
+endif()
 
 target_include_directories(${PROJECT_NAME} PUBLIC ${JAVA_INCLUDE_PATH} ${JAVA_INCLUDE_PATH2})
 
diff --git a/src/etp/EtpMessages.h b/src/etp/EtpMessages.h
@@ -575,7 +575,7 @@ namespace Energistics {
 namespace avro {
 	template<> struct codec_traits<Energistics::Etp::v12::Datatypes::AnyArrayType> {
 		static void encode(Encoder& e, const Energistics::Etp::v12::Datatypes::AnyArrayType& v) {
-			e.encodeEnum(static_cast<std::underlying_type<Energistics::Etp::v12::Datatypes::AnyArrayType>::type>(v));
+			e.encodeEnum(static_cast<std::size_t>(v));
 		}
 		static void decode(Decoder& d, Energistics::Etp::v12::Datatypes::AnyArrayType& v) {
 			v = static_cast<Energistics::Etp::v12::Datatypes::AnyArrayType>(d.decodeEnum());
@@ -616,7 +616,7 @@ namespace Energistics {
 namespace avro {
 	template<> struct codec_traits<Energistics::Etp::v12::Datatypes::AnyLogicalArrayType> {
 		static void encode(Encoder& e, const Energistics::Etp::v12::Datatypes::AnyLogicalArrayType& v) {
-			e.encodeEnum(static_cast<std::underlying_type<Energistics::Etp::v12::Datatypes::AnyLogicalArrayType>::type>(v));
+			e.encodeEnum(static_cast<std::size_t>(v));
 		}
 		static void decode(Decoder& d, Energistics::Etp::v12::Datatypes::AnyLogicalArrayType& v) {
 			v = static_cast<Energistics::Etp::v12::Datatypes::AnyLogicalArrayType>(d.decodeEnum());
@@ -1151,7 +1151,7 @@ namespace Energistics {
 namespace avro {
 	template<> struct codec_traits<Energistics::Etp::v12::Datatypes::DataObjectCapabilityKind> {
 		static void encode(Encoder& e, const Energistics::Etp::v12::Datatypes::DataObjectCapabilityKind& v) {
-			e.encodeEnum(static_cast<std::underlying_type<Energistics::Etp::v12::Datatypes::DataObjectCapabilityKind>::type>(v));
+			e.encodeEnum(static_cast<std::size_t>(v));
 		}
 		static void decode(Decoder& d, Energistics::Etp::v12::Datatypes::DataObjectCapabilityKind& v) {
 			v = static_cast<Energistics::Etp::v12::Datatypes::DataObjectCapabilityKind>(d.decodeEnum());
@@ -1587,7 +1587,7 @@ namespace Energistics {
 namespace avro {
 	template<> struct codec_traits<Energistics::Etp::v12::Datatypes::EndpointCapabilityKind> {
 		static void encode(Encoder& e, const Energistics::Etp::v12::Datatypes::EndpointCapabilityKind& v) {
-			e.encodeEnum(static_cast<std::underlying_type<Energistics::Etp::v12::Datatypes::EndpointCapabilityKind>::type>(v));
+			e.encodeEnum(static_cast<std::size_t>(v));
 		}
 		static void decode(Decoder& d, Energistics::Etp::v12::Datatypes::EndpointCapabilityKind& v) {
 			v = static_cast<Energistics::Etp::v12::Datatypes::EndpointCapabilityKind>(d.decodeEnum());
@@ -1696,7 +1696,7 @@ namespace Energistics {
 namespace avro {
 	template<> struct codec_traits<Energistics::Etp::v12::Datatypes::ProtocolCapabilityKind> {
 		static void encode(Encoder& e, const Energistics::Etp::v12::Datatypes::ProtocolCapabilityKind& v) {
-			e.encodeEnum(static_cast<std::underlying_type<Energistics::Etp::v12::Datatypes::ProtocolCapabilityKind>::type>(v));
+			e.encodeEnum(static_cast<std::size_t>(v));
 		}
 		static void decode(Decoder& d, Energistics::Etp::v12::Datatypes::ProtocolCapabilityKind& v) {
 			v = static_cast<Energistics::Etp::v12::Datatypes::ProtocolCapabilityKind>(d.decodeEnum());
@@ -2382,7 +2382,7 @@ namespace Energistics {
 namespace avro {
 	template<> struct codec_traits<Energistics::Etp::v12::Datatypes::ChannelData::ChannelDataKind> {
 		static void encode(Encoder& e, const Energistics::Etp::v12::Datatypes::ChannelData::ChannelDataKind& v) {
-			e.encodeEnum(static_cast<std::underlying_type<Energistics::Etp::v12::Datatypes::ChannelData::ChannelDataKind>::type>(v));
+			e.encodeEnum(static_cast<std::size_t>(v));
 		}
 		static void decode(Decoder& d, Energistics::Etp::v12::Datatypes::ChannelData::ChannelDataKind& v) {
 			v = static_cast<Energistics::Etp::v12::Datatypes::ChannelData::ChannelDataKind>(d.decodeEnum());
@@ -2451,7 +2451,7 @@ namespace Energistics {
 namespace avro {
 	template<> struct codec_traits<Energistics::Etp::v12::Datatypes::ChannelData::ChannelIndexKind> {
 		static void encode(Encoder& e, const Energistics::Etp::v12::Datatypes::ChannelData::ChannelIndexKind& v) {
-			e.encodeEnum(static_cast<std::underlying_type<Energistics::Etp::v12::Datatypes::ChannelData::ChannelIndexKind>::type>(v));
+			e.encodeEnum(static_cast<std::size_t>(v));
 		}
 		static void decode(Decoder& d, Energistics::Etp::v12::Datatypes::ChannelData::ChannelIndexKind& v) {
 			v = static_cast<Energistics::Etp::v12::Datatypes::ChannelData::ChannelIndexKind>(d.decodeEnum());
@@ -2502,7 +2502,7 @@ namespace Energistics {
 namespace avro {
 	template<> struct codec_traits<Energistics::Etp::v12::Datatypes::ChannelData::IndexDirection> {
 		static void encode(Encoder& e, const Energistics::Etp::v12::Datatypes::ChannelData::IndexDirection& v) {
-			e.encodeEnum(static_cast<std::underlying_type<Energistics::Etp::v12::Datatypes::ChannelData::IndexDirection>::type>(v));
+			e.encodeEnum(static_cast<std::size_t>(v));
 		}
 		static void decode(Decoder& d, Energistics::Etp::v12::Datatypes::ChannelData::IndexDirection& v) {
 			v = static_cast<Energistics::Etp::v12::Datatypes::ChannelData::IndexDirection>(d.decodeEnum());
@@ -2527,7 +2527,7 @@ namespace Energistics {
 namespace avro {
 	template<> struct codec_traits<Energistics::Etp::v12::Datatypes::ChannelData::PassDirection> {
 		static void encode(Encoder& e, const Energistics::Etp::v12::Datatypes::ChannelData::PassDirection& v) {
-			e.encodeEnum(static_cast<std::underlying_type<Energistics::Etp::v12::Datatypes::ChannelData::PassDirection>::type>(v));
+			e.encodeEnum(static_cast<std::size_t>(v));
 		}
 		static void decode(Decoder& d, Energistics::Etp::v12::Datatypes::ChannelData::PassDirection& v) {
 			v = static_cast<Energistics::Etp::v12::Datatypes::ChannelData::PassDirection>(d.decodeEnum());
@@ -3279,7 +3279,7 @@ namespace Energistics {
 namespace avro {
 	template<> struct codec_traits<Energistics::Etp::v12::Datatypes::Object::ActiveStatusKind> {
 		static void encode(Encoder& e, const Energistics::Etp::v12::Datatypes::Object::ActiveStatusKind& v) {
-			e.encodeEnum(static_cast<std::underlying_type<Energistics::Etp::v12::Datatypes::Object::ActiveStatusKind>::type>(v));
+			e.encodeEnum(static_cast<std::size_t>(v));
 		}
 		static void decode(Decoder& d, Energistics::Etp::v12::Datatypes::Object::ActiveStatusKind& v) {
 			v = static_cast<Energistics::Etp::v12::Datatypes::Object::ActiveStatusKind>(d.decodeEnum());
@@ -3359,7 +3359,7 @@ namespace Energistics {
 namespace avro {
 	template<> struct codec_traits<Energistics::Etp::v12::Datatypes::Object::ContextScopeKind> {
 		static void encode(Encoder& e, const Energistics::Etp::v12::Datatypes::Object::ContextScopeKind& v) {
-			e.encodeEnum(static_cast<std::underlying_type<Energistics::Etp::v12::Datatypes::Object::ContextScopeKind>::type>(v));
+			e.encodeEnum(static_cast<std::size_t>(v));
 		}
 		static void decode(Decoder& d, Energistics::Etp::v12::Datatypes::Object::ContextScopeKind& v) {
 			v = static_cast<Energistics::Etp::v12::Datatypes::Object::ContextScopeKind>(d.decodeEnum());
@@ -4129,7 +4129,7 @@ namespace Energistics {
 namespace avro {
 	template<> struct codec_traits<Energistics::Etp::v12::Datatypes::Object::ObjectChangeKind> {
 		static void encode(Encoder& e, const Energistics::Etp::v12::Datatypes::Object::ObjectChangeKind& v) {
-			e.encodeEnum(static_cast<std::underlying_type<Energistics::Etp::v12::Datatypes::Object::ObjectChangeKind>::type>(v));
+			e.encodeEnum(static_cast<std::size_t>(v));
 		}
 		static void decode(Decoder& d, Energistics::Etp::v12::Datatypes::Object::ObjectChangeKind& v) {
 			v = static_cast<Energistics::Etp::v12::Datatypes::Object::ObjectChangeKind>(d.decodeEnum());
@@ -4270,7 +4270,7 @@ namespace Energistics {
 namespace avro {
 	template<> struct codec_traits<Energistics::Etp::v12::Datatypes::Object::RelationshipKind> {
 		static void encode(Encoder& e, const Energistics::Etp::v12::Datatypes::Object::RelationshipKind& v) {
-			e.encodeEnum(static_cast<std::underlying_type<Energistics::Etp::v12::Datatypes::Object::RelationshipKind>::type>(v));
+			e.encodeEnum(static_cast<std::size_t>(v));
 		}
 		static void decode(Decoder& d, Energistics::Etp::v12::Datatypes::Object::RelationshipKind& v) {
 			v = static_cast<Energistics::Etp::v12::Datatypes::Object::RelationshipKind>(d.decodeEnum());
