Commit 47bc3b75 authored by Paal Kvamme's avatar Paal Kvamme

Merge branch 'kvamme62/vulnerability' into 'master'

Avoid false positives from the vulnerability scanner.

See merge request !99
parents c67fcfef ed3af72b
Pipeline #73474 passed with stages
in 13 minutes and 22 seconds
......@@ -86,13 +86,21 @@ endif
# Handle ZFP similar to Seismic Store, except that here we need to
# build the package in addition to unpacking it.
# The following sed command line is a messy way of suppressing a false
# positive from the vulnerability scanner we are using. The scanner
# doesn't realize that "access" is a member function, not ::access
# from libc. So the code could be patched to rename it. Currently not
# enabled (it needs to go right after the tar unpack) because it is
# just too ugly.
#sed -i -e 's/access *(/access_(/' `grep -rl 'access *(' $(ZFP_BUILDDIR)`
ifneq ($(strip $(HAVE_ZFP)),)
ZFPCMAKE = $(if $(wildcard /usr/bin/cmake3),/usr/bin/cmake3,/usr/bin/cmake)
$(ZFP_SENTINEL) $(ZFP_LIBRARY): $(ZFP_ZIPFILE) Makefile | $(BIN_DIR)
$(RM) -rf $(ZFP_BUILDDIR)
/bin/mkdir -p $(ZFP_BUILDDIR)/build
/bin/tar -C $(ZFP_BUILDDIR) --strip-components=1 -xzf $(ZFP_ZIPFILE)
(cd $(ZFP_BUILDDIR)/build; $(ZFPCMAKE) -DBUILD_ZFPY=OFF -DBUILD_SHARED_LIBS=ON .. && make)
/bin/tar -C $(ZFP_BUILDDIR) --strip-components=1 -xzf $(ZFP_ZIPFILE) --exclude examples --exclude utils
(cd $(ZFP_BUILDDIR)/build; $(ZFPCMAKE) -DBUILD_ZFPY=OFF -DBUILD_SHARED_LIBS=ON -DBUILD_UTILITIES=OFF .. && make)
test -d $(ZFP_BUILDDIR)/build/lib64/. || ln -s lib $(ZFP_BUILDDIR)/build/lib64
touch $(ZFP_SENTINEL)
else
......
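Review bot: The `--exclude examples --exclude utils` patterns on what appears to be the new tar line are unanchored, and nothing beside them says why they are there. GNU tar matches exclusion patterns after any `/` by default, so a directory named `examples` or `utils` at any depth of the ZFP tree is skipped, not only the two top-level ones. If only the top-level directories are meant, something like `--anchored --no-wildcards-match-slash --exclude='*/examples' --exclude='*/utils'` states that explicitly. The long comment added above the rule documents the disabled sed workaround, not the exclusion that is in effect, so I would add a line above the rule such as `# examples/ and utils/ are not unpacked or built (BUILD_UTILITIES=OFF) to keep scanner findings in unused code out of the tree.`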
......@@ -56,6 +56,11 @@
#undef HAVE_GETOPT
#endif
// Enable the --dropcache option for testing on-prem I/O.
// It is not normally present because execuring an external
// program will be flagged as a potential vulnerability.
//#define HAVE_DROPCACHE 1
/*
* OpenMP note:
* Most of the Linux configs I am currently building have OpenMP 2015.11.
......@@ -90,7 +95,9 @@ public:
bool alpha; // Still unused.
bool dumpsqnr; // Still unused.
bool native;
#if HAVE_DROPCACHE
bool dropcache;
#endif
bool ordered_write;
std::string sigpipe;
std::string input;
......@@ -122,7 +129,9 @@ public:
, alpha(false)
, dumpsqnr(false)
, native(true)
#if HAVE_DROPCACHE
, dropcache(false)
#endif
, ordered_write(false)
, sigpipe()
, input()
......@@ -174,7 +183,9 @@ public:
//"-D, --dumpsqnr: *Dump table of sqnr vs. compression ratio.",
"-N, --native: Read/write as file's type (default).",
"-F, --float: Read/write as float.",
#if HAVE_DROPCACHE
"-U, --dropcache: Invoke \"dropcache\" before finalize.",
#endif
"-p, --sigpipe SIGPIPE disposition.",
"-i, --input FILE.zgy: Input file name. If missing, use random data.",
"-o, --output FILE.zgy: Output file name. If missing, discard data.",
......@@ -217,7 +228,9 @@ public:
<< (alpha ? "--alpha " : "")
<< (dumpsqnr ? "--dumpsqnr " : "")
<< (native ? "--native " : "--float ")
#if HAVE_DROPCACHE
<< (dropcache ? "--dropcache " : "")
#endif
<< (sigpipe.empty() ? "" : ("--sigpipe " + sigpipe + " "))
<< (noisefactor ? "--noise " + std::to_string(noisefactor) : std::string())
<< (src_sdurl.empty() ? "" : "--src-sdurl " + src_sdurl)
......@@ -433,7 +446,9 @@ public:
{"dumpsqnr", no_argument, 0, 'D' },
{"native", no_argument, 0, 'N' },
{"float", no_argument, 0, 'F' },
#if HAVE_DROPCACHE
{"dropcache", no_argument, 0, 'U' },
#endif
{"sigpipe", required_argument, 0, 'p' },
{"input", required_argument, 0, 'i' },
{"output", required_argument, 0, 'o' },
......@@ -479,7 +494,9 @@ public:
case 'D': throw std::runtime_error("--dumpsqnr not supported"); //dumpsqnr = true; break;
case 'N': native = true; break;
case 'F': native = false; break;
#if HAVE_DROPCACHE
case 'U': dropcache = true; break;
#endif
case 'p': sigpipe = optarg; break;
case 'i':
......@@ -1293,11 +1310,13 @@ copy(const Options& opt, SummaryPrintingTimerEx& rtimer, SummaryPrintingTimerEx&
w->close_incomplete();
}
else {
#if HAVE_DROPCACHE
// dropcache simulates having files so huge that the Linux
// buffer cache won't keep the entire output file in memory.
// so there will be a significant I/O cost reading back LOD0.
if (opt.dropcache)
system("/usr/local/bin/dropcache");
#endif
// Don't report timing for finalizing a mocked output file.
// Yes it does actually have a (tiny) cost but the user won't
// expect to see finalize reported at all when discarding the output.
......@@ -1402,8 +1421,10 @@ int main(int argc, char **argv)
try {
Options options(argc, argv);
verbose = options.verbose;
#if HAVE_DROPCACHE
if (options.dropcache)
system("/usr/local/bin/dropcache");
#endif
signals(options);
openmp_config(options);
SummaryPrintingTimerEx stimer("Tool.sync");
......
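Review bot: Both `system("/usr/local/bin/dropcache")` calls, in the copy() hunk and in the main() hunk, discard the return value, so a build with HAVE_DROPCACHE enabled reports timings as if the cache had been dropped even when the helper is missing or fails. I would check the result at both sites, e.g. `if (opt.dropcache && system("/usr/local/bin/dropcache") != 0) std::cerr << "dropcache failed, timings include cached I/O\n";`, or move the call into one small helper used by both. system() also runs the command through the shell with the inherited environment, which is presumably what the scanner flags; the comment next to `//#define HAVE_DROPCACHE 1` could say that the option is meant for test builds only. The short-option string passed to getopt_long is outside the hunks; if it still lists `U`, `-U` stays accepted by the parser while `case 'U'` is compiled out, so it should be guarded the same way. Both function bodies continue outside the hunks.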