try removing third party specification, other issues addressed

Author: AviaAv

CMake/external_libcurl.cmake

@@ -1,7 +1,7 @@
 if(CHECK_FOR_UPDATES)
 
-    string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")
-    string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
+    string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # remove flags
+    string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
     include(ExternalProject)
     message(STATUS "Building libcurl enabled")
 
@@ -63,6 +63,6 @@ if(CHECK_FOR_UPDATES)
         endif()
     endif()
 
-    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}")
-    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}")
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}")
 endif() #CHECK_FOR_UPDATES

CMake/unix_config.cmake

@@ -47,60 +47,49 @@ macro(os_set_flags)
         set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -pthread")
     endif()
 
-    ###############
-    # According to SDLE we need to add the following flags for additional security:
-    # Debug & Release:
-    # -Wformat: Checks for format string vulnerabilities.
-    # -Wformat-security: Ensures format strings are not vulnerable to attacks.
-    # -fPIC: Generates position-independent code (PIC) suitable for shared libraries.
-    # -fPIE: Generates position-independent executable (PIE) code.
-    # -pie: Links the output as a position-independent executable.
-    # -D_FORTIFY_SOURCE=2: Adds extra checks for buffer overflows.
-    # -mfunction-return=thunk: Mitigates return-oriented programming (ROP) attacks. (Added flag -fcf-protection=none to allow it)
-    # -mindirect-branch=thunk: Mitigates indirect branch attacks.
-    # -mindirect-branch-register: Uses registers for indirect branches to mitigate attacks.
-    # -fstack-protector: Adds stack protection to detect buffer overflows.
+    
+    if (CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
+        # Due to security reasons  we need to add the following flags for additional security:
+        # Debug & Release:
+        # -Wformat: Checks for format string vulnerabilities.
+        # -Wformat-security: Ensures format strings are not vulnerable to attacks.
+        # -fPIC: Generates position-independent code during the compilation phase.
+        # -fPIE: Generates position-independent executables during the compilation phase.
+        # -D_FORTIFY_SOURCE=2: Adds extra checks for buffer overflows.
+        # -fstack-protector: Adds stack protection to detect buffer overflows.
 
-    # Release only
-    # -Werror: Treats all warnings as errors.
-    # -Werror=format-security: Treats format security warnings as errors.
-    # -z noexecstack: Marks the stack as non-executable to prevent certain types of attacks.
-    # -Wl,-z,relro,-z,now: Enables read-only relocations and immediate binding for security.
-    # -fstack-protector-strong: Provides stronger stack protection than -fstack-protector.
-	
-    # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details
+        # Release only
+        # -Werror: Treats all warnings as errors.
+        # -Werror=format-security: Treats format security warnings as errors.
+        # -z noexecstack: Marks the stack as non-executable to prevent certain types of attacks.
+        # -Wl,-z,relro,-z,now: Enables read-only relocations and immediate binding for security.
+        # -fstack-protector-strong: Provides stronger stack protection than -fstack-protector.
+        
+        # Linker flags
+        # -pie: Produces position-independent executables during the linking phase.
+        
+        # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details
 
-    if (CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|armv7l" OR APPLE OR  # Some flags are not recognized or some systems / gcc versions
-       (CMAKE_CXX_COMPILER_ID STREQUAL "GNU" AND CMAKE_CXX_COMPILER_VERSION VERSION_LESS "9.0")) # 
-        set(ADDITIONAL_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -fstack-protector")
-    else()
-        #‘-mfunction-return’ and ‘-fcf-protection’ are not compatible, so specifing -fcf-protection=none
-        set(ADDITIONAL_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector")
-    endif()
-    set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} -pie")
-	
-	set(ADDITIONAL_COMPILER_FLAGS "${ADDITIONAL_COMPILER_FLAGS} -Wno-error=stringop-overflow")
+        set(SECURITY_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -fstack-protector -Wno-error=stringop-overflow")
 
-    string(FIND "${CMAKE_CXX_FLAGS}" "-D_FORTIFY_SOURCE" _index)
-    if (${_index} EQUAL -1) # Define D_FORTIFY_SOURCE is undefined
-        set(ADDITIONAL_COMPILER_FLAGS "${ADDITIONAL_COMPILER_FLAGS} -D_FORTIFY_SOURCE=2")
-    endif()
+        string(FIND "${CMAKE_CXX_FLAGS}" "-D_FORTIFY_SOURCE" _index)
+        if (${_index} EQUAL -1) # Define D_FORTIFY_SOURCE if undefined
+            set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} -D_FORTIFY_SOURCE=2")
+        endif()
 
-    if(CMAKE_BUILD_TYPE STREQUAL "Debug")
-        message(STATUS "Configuring for Debug build")
-    else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS)
-        message(STATUS "Configuring for Release build")
-        set(ADDITIONAL_COMPILER_FLAGS "${ADDITIONAL_COMPILER_FLAGS} -Werror -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong")
-    endif()
-	
-    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}")
-    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}")
-	
-	
-    set_directory_properties(PROPERTIES DIRECTORY third-party/ COMPILE_OPTIONS "-w")
-    set_source_files_properties(third-party/*.* PROPERTIES COMPILE_OPTIONS "-w")
+        if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+            message(STATUS "Configuring for Debug build")
+        else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS)
+            message(STATUS "Configuring for Release build")
+            set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} -Werror -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong")
+        endif()
+        
+        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}")
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}")
+        
+        set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} -pie")
 
-    #################
+    endif()
 
     if(APPLE)
         set(FORCE_RSUSB_BACKEND ON)

CMake/windows_config.cmake

@@ -41,35 +41,37 @@ macro(os_set_flags)
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /MP")
 
         ###############
-        # According to SDLE we need to add the following flags for additional security:
+        # Due to security reasons we need to add the following flags for additional security:
         # Debug & Release:
         # /Gy: Enables function-level linking to reduce executable size.
         # /DYNAMICBASE: Enables Address Space Layout Randomization (ASLR) to improve security.
         # /GS: Enables buffer security checks to prevent buffer overflows.
 
         # Release only:
         # /WX: Treats all warnings as errors.
-        # /LTCG (/GL): Enables Link Time Code Generation to improve performance.
         # /sdl: Enables additional security checks.
+        
+        # Release only linker flags:
+        # /LTCG (/GL): Enables Link Time Code Generation to improve performance.
         # /NXCOMPAT: Enables Data Execution Prevention (DEP) to prevent code execution in data areas.	
 
         # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details
 
-        set(ADDITIONAL_COMPILER_FLAGS "/Gy /DYNAMICBASE /GS /wd4101")
+        set(SECURITY_COMPILER_FLAGS "/Gy /DYNAMICBASE /GS /wd4101")
 
         if(CMAKE_BUILD_TYPE STREQUAL "Debug")
             message(STATUS "Configuring for Debug build")
         else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS)
             message(STATUS "Configuring for Release build")
-            set(ADDITIONAL_COMPILER_FLAGS "${ADDITIONAL_COMPILER_FLAGS} /WX /sdl") 
-            set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} /INCREMENTAL:NO /LTCG /NXCOMPAT") # ignoring '/INCREMENTAL' due to '/LTCG' specification
+            set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} /WX /sdl") 
         endif()
 
-        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}")
-        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}")
-		
-        set_directory_properties(PROPERTIES DIRECTORY third-party/ COMPILE_OPTIONS "/W0")
-        set_source_files_properties(third-party/*.* PROPERTIES COMPILE_OPTIONS "/W0")
+        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}")
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}")
+        
+        if(NOT CMAKE_BUILD_TYPE STREQUAL "Debug")
+            set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} /INCREMENTAL:NO /LTCG /NXCOMPAT") # ignoring '/INCREMENTAL' due to '/LTCG' specification
+        endif()
 
         #################
 

examples/CMakeLists.txt

@@ -7,7 +7,7 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS 1)
 # View the makefile commands during build
 #set(CMAKE_VERBOSE_MAKEFILE on)
 
-string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # examples are exeutables so we want position indepandent exeutables and not libraries
+string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # examples are executables so we want position indepandent executables and not libraries
 
 set( DEPENDENCIES ${LRS_TARGET} )
 if(BUILD_GRAPHICAL_EXAMPLES)

src/hid/hid-device.cpp

@@ -334,7 +334,7 @@ namespace librealsense
             //we want to change the sensitivity values only in gyro, for FW version >= 5.16
             if( featureReport.reportId == REPORT_ID_GYROMETER_3D
                 && _realsense_hid_report_actual_size == sizeof( REALSENSE_HID_REPORT ) )
-                featureReport.sensitivity = (unsigned short)sensitivity;
+                featureReport.sensitivity = static_cast<unsigned short>(sensitivity);
 
 
             res = dev->control_transfer(USB_REQUEST_CODE_SET,

src/uvc/uvc-device.cpp

@@ -177,7 +177,7 @@ namespace librealsense
                     switch(state)
                     {
                         case D0:
-                            _messenger = _usb_device->open((uint8_t)_info.mi);
+                            _messenger = _usb_device->open(static_cast<uint8_t>(_info.mi));
                             if (_messenger)
                             {
                                 try{
@@ -654,7 +654,7 @@ namespace librealsense
 
         void rs_uvc_device::listen_to_interrupts()
         {
-            auto ctrl_interface = _usb_device->get_interface((uint8_t)_info.mi);
+            auto ctrl_interface = _usb_device->get_interface(static_cast<uint8_t>(_info.mi));
             if (!ctrl_interface)
                 return;
             auto iep = ctrl_interface->first_endpoint(RS2_USB_ENDPOINT_DIRECTION_READ, RS2_USB_ENDPOINT_INTERRUPT);
@@ -856,7 +856,7 @@ namespace librealsense
                                 req,
                                 probe ? (UVC_VS_PROBE_CONTROL << 8) : (UVC_VS_COMMIT_CONTROL << 8),
                                 ctrl->bInterfaceNumber, // When requestType is directed to an interface, the driver automatically passes the interface number in the low byte of index
-                                buf, (uint32_t)len, transferred, 0);
+                                buf, static_cast<uint32_t>(len), transferred, 0);
                     } while (sts != RS2_USB_STATUS_SUCCESS && retries++ < 5);
                 }
             }, [this](){ return !_messenger; });

src/uvc/uvc-streamer.cpp

@@ -28,7 +28,7 @@ namespace librealsense
 
             _action_dispatcher.start();
 
-            _watchdog_timeout = (int64_t)((1000.0 / _context.profile.fps) * 10);
+            _watchdog_timeout = static_cast<int64_t>(((1000.0 / _context.profile.fps) * 10));
 
             init();
         }

tools/CMakeLists.txt

@@ -7,7 +7,7 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS 1)
 # View the makefile commands during build
 #set(CMAKE_VERBOSE_MAKEFILE on)
 
-string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # tools are exeutables so we want position indepandent exeutables and not libraries
+string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # tools are executables so we want position indepandent executables and not libraries
 
 list( APPEND DEPENDENCIES ${LRS_TARGET} tclap )