Add CMake reference implementation of hardening guide

docs/Compiler-Hardening-Guides/README.md

@@ -9,7 +9,7 @@ The objective of compiler options hardening is to produce application binaries (
 
 ## Usage in Tools
 
-A python script is also provided (in the `compiler-options-scraper` directory) that can fetch the latest version of the OpenSSF compiler hardening guide from the internet, obtain the recommended options tables from it and convert them to a machine readable JSON for usage in tools.
+A python script is also provided that can fetch the latest version of the OpenSSF compiler hardening guide from the internet, obtain the recommended options tables from it and convert them to a machine readable JSON for usage in tools.
 
 ## How to Contribute
 

docs/Compiler-Hardening-Guides/example-cmake/CMakeLists.txt

@@ -0,0 +1,88 @@
+cmake_minimum_required(VERSION 3.27 FATAL_ERROR)
+project(demo LANGUAGES C)
+
+set(CMAKE_C_STANDARD 23)
+set(CMAKE_C_STANDARD_REQUIRED ON)
+
+#
+# compiler hardening
+# 
+
+if(CMAKE_C_COMPILER_ID MATCHES "GNU" AND CMAKE_C_COMPILER_VERSION VERSION_LESS 14.0.0)
+  message(FATAL_ERROR "GCC is outdated: ${CMAKE_C_COMPILER_VERSION}")
+endif()
+if(CMAKE_C_COMPILER_ID MATCHES "Clang" AND CMAKE_C_COMPILER_VERSION VERSION_LESS 16.0.0)
+  message(FATAL_ERROR "Clang is outdated: ${CMAKE_C_COMPILER_VERSION}")
+endif()
+
+add_compile_options(
+  -O2
+  -Wall
+  -Wextra
+  -Wformat
+  -Wformat=2
+  -Wconversion
+  -Wsign-conversion
+  -Wimplicit-fallthrough
+  -Werror=format-security
+  # more portable and explicit than -fhardened
+  -U_FORTIFY_SOURCE
+  -D_FORTIFY_SOURCE=3
+  -D_GLIBCXX_ASSERTIONS
+  -fstrict-flex-arrays=3
+  -fstack-protector-strong
+  # deprecated c calls
+  -Werror=implicit
+  -Werror=incompatible-pointer-types
+  -Werror=int-conversion
+  # multithreading with pthreads
+  -fexceptions
+  # for shared libraries use `-fPIC`
+  -fPIE
+)
+
+# build mode specific
+if(CMAKE_BUILD_TYPE STREQUAL "Release")
+  add_compile_options(
+    -fno-delete-null-pointer-checks -fno-strict-overflow -fno-strict-aliasing -ftrivial-auto-var-init=zero
+  )
+else()
+  add_compile_options(-Werror)
+endif()
+
+# os specific
+if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
+  add_compile_options(-fstack-clash-protection)
+  add_link_options(
+    -pie
+    -Wl,-z,nodlopen
+    -Wl,-z,noexecstack
+    -Wl,-z,relro
+    -Wl,-z,now
+    -Wl,--as-needed
+    -Wl,--no-copy-dt-needed-entries
+  )
+endif()
+
+# compiler specific
+if(CMAKE_C_COMPILER_ID MATCHES "GNU")
+  # from gcc-15 add `-fzero-init-padding-bits=all`
+  add_compile_options(-Wtrampolines -Wbidi-chars=any)
+endif()
+if(CMAKE_C_COMPILER_ID MATCHES "Clang")
+  # nop
+endif()
+
+# architecture specific
+if(CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64|AMD64|i686|i386")
+  add_compile_options(-fcf-protection=full)
+endif()
+if(CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|arm64|ARM64")
+  add_compile_options(-mbranch-protection=standard)
+endif()
+
+#
+# sources
+#
+
+add_executable(demo demo.c)

docs/Compiler-Hardening-Guides/example-cmake/Dockerfile

@@ -0,0 +1,14 @@
+FROM --platform=linux/amd64 ubuntu:24.04
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gcc-14 g++-14 \
+    clang-19 \
+    cmake make \
+    valgrind \
+    && update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-14 100 \
+    && update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-14 100 \
+    && update-alternatives --install /usr/bin/clang clang /usr/bin/clang-19 100 \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+COPY . /workspace

docs/Compiler-Hardening-Guides/example-cmake/Makefile

@@ -0,0 +1,17 @@
+DOCKER_RUN = docker run --rm -v $(PWD):/workspace main sh -c
+
+.PHONY: build-image
+build-image:
+	docker build -t main .
+
+.PHONY: run-gcc
+run-gcc: build-image
+	$(DOCKER_RUN) "mkdir -p /tmp/gcc-build && cd /tmp/gcc-build && cmake -DCMAKE_C_COMPILER=gcc /workspace && make && ./demo"
+
+.PHONY: run-clang
+run-clang: build-image
+	$(DOCKER_RUN) "mkdir -p /tmp/clang-build && cd /tmp/clang-build && cmake -DCMAKE_C_COMPILER=clang /workspace && make && ./demo"
+
+.PHONY: clean
+clean:
+	docker rmi main

docs/Compiler-Hardening-Guides/example-minimal/demo.c

@@ -0,0 +1,27 @@
+// Test C/C++ hardening flags
+
+// Copyright Open Source Security Foundation (OpenSSF) and its contributors
+// SPDX-License-Identifier: Apache-2.0 OR MIT
+
+#include <stdio.h>
+
+// Linux 5.10 solution:
+#if __has_attribute(__fallthrough__)
+# define fallthrough                    __attribute__((__fallthrough__))
+#else
+# define fallthrough                    do {} while (0)  /* fallthrough */
+#endif
+
+int main(void) {
+	int c = 0;
+	switch (c) {
+		case 1:
+			printf("Hello\n");
+			fallthrough;
+		case 0:
+			printf("Goodbye\n");
+			fallthrough;
+		default:
+			printf("Default\n");
+	}
+}