Add extra security check flags on Linux, remove unneeded include.

OhadMeir · OhadMeir · commit 007dcd85808a · 2025-11-09T11:58:33.000+02:00
diff --git a/.github/workflows/buildsCI.yaml b/.github/workflows/buildsCI.yaml
@@ -330,9 +330,10 @@ jobs:
     
     - name: Build
       shell: bash
+      # Adding -DENABLE_SECURITY_FLAGS=true here to also check examples and tools. See RSDSO-RSDSO-20629.
       run: |
         cd build
-        cmake .. -DCMAKE_BUILD_TYPE=${{env.LRS_RUN_CONFIG}} -DBUILD_SHARED_LIBS=false -DBUILD_EXAMPLES=true -DBUILD_TOOLS=true -DCHECK_FOR_UPDATES=true -DBUILD_PYTHON_BINDINGS=true -DPYTHON_EXECUTABLE=$(which python3)
+        cmake .. -DCMAKE_BUILD_TYPE=${{env.LRS_RUN_CONFIG}} -DBUILD_SHARED_LIBS=false -DBUILD_EXAMPLES=true -DBUILD_TOOLS=true -DCHECK_FOR_UPDATES=true -DBUILD_PYTHON_BINDINGS=true -DPYTHON_EXECUTABLE=$(which python3) -DENABLE_SECURITY_FLAGS=true
         cmake --build . -- -j4
 
 
@@ -512,9 +513,10 @@ jobs:
 
     - name: Build
       shell: bash
+      # Adding -DENABLE_SECURITY_FLAGS=true here to also check DDS. See RSDSO-RSDSO-20629.
       run: | 
         cd build
-        cmake .. -DCMAKE_BUILD_TYPE=${{env.LRS_RUN_CONFIG}} -DBUILD_SHARED_LIBS=true -DBUILD_EXAMPLES=false -DBUILD_TOOLS=false -DBUILD_UNIT_TESTS=false -DCHECK_FOR_UPDATES=false -DBUILD_WITH_DDS=true -DBUILD_PYTHON_BINDINGS=true -DPYTHON_EXECUTABLE=$(which python3)
+        cmake .. -DCMAKE_BUILD_TYPE=${{env.LRS_RUN_CONFIG}} -DBUILD_SHARED_LIBS=true -DBUILD_EXAMPLES=false -DBUILD_TOOLS=false -DBUILD_UNIT_TESTS=false -DCHECK_FOR_UPDATES=false -DBUILD_WITH_DDS=true -DBUILD_PYTHON_BINDINGS=true -DPYTHON_EXECUTABLE=$(which python3) -DENABLE_SECURITY_FLAGS=true
         cmake --build . -- -j4
 
     - name: LibCI
diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake
@@ -64,11 +64,13 @@ macro(os_set_flags)
         # -z noexecstack: Marks the stack as non-executable to prevent certain types of attacks.
         # -Wl,-z,relro,-z,now: Enables read-only relocations and immediate binding for security.
         # -fstack-protector-strong: Provides stronger stack protection than -fstack-protector.
+        # -Wdate-time: Warns about the use of date/time macros that can affect reproducibility.
         
         # Linker flags
         # -pie: Produces position-independent executables during the linking phase.
         
         # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details
+        # see also RSDSO-20629 for some extra flags
 
         set(SECURITY_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -fstack-protector -Wno-error=stringop-overflow")
 
@@ -81,7 +83,7 @@ macro(os_set_flags)
             message(STATUS "Configuring for Debug build")
         else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS)
             message(STATUS "Configuring for Release build")
-            set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} -Werror -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong")
+            set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} -Werror -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong -Wdate-time")
         endif()
         
         push_security_flags()
diff --git a/src/gl/m420-to-rgb-gl.cpp b/src/gl/m420-to-rgb-gl.cpp
@@ -18,7 +18,6 @@
 #include <iostream>
 
 #include <chrono>
-#include <strstream>
 
 #include "synthetic-stream-gl.h"
 
