- Notifications
You must be signed in to change notification settings - Fork1.7k
Build libModSecurity with std C++20#3223
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:v3/master
Are you sure you want to change the base?
Uh oh!
There was an error while loading.Please reload this page.
Conversation
gberkes commentedAug 13, 2024
I don't know whether all LTS Linux distributions containing/supporting ModSecurity have GCC capable of compiling with -std=C++20. I guess users of ModSecurity have little interest in which standard we are using. As a user of a security product, I would be much more interested in the quality of the codebase the product is built from. First of all, IMHO, we should not only focus on what SonarCloud reports but on what the G++ compiler would report with the appropriate compiler and linker flags used throughout development and testing. Currently, we are using almost none of what G++ could provide regarding the quality of our code. Instead, we are relying on Cppcheck, with many suppressions, some without explanations as to why they are false positives. So, IMHO, it would be a better idea to first use something like: g++ -std=c++17 -g -Wall -Wextra -Wconversion -Wshadow -Wpedantic -fsanitize=undefined,address during development and testing, and refactor the code to build warning-free. Besides this, making an effort to eliminate or explain the Cppcheck suppressions would be beneficial. IMHO, we developers and the end users of ModSecurity will benefit more from these refactorings than from using newer language features. For example, until the next release, one of the goals could be to achieve a warning-free build, extend test coverage, and plan which parts of the code would be good to refactor using the new standard's constructs. After that, there's nothing against bumping to C++20, except the supported OSes' GCC standard coverage. Reference: |
eduar-hte commentedAug 13, 2024
I don't disagree. As I stated in the description to this PR, the goal is not to have this integrated now, but rather to document how to update the compiler version in the future and also to provide visibility on whether the codebase compiles with C++20 (as I mentioned, it didn't with C++23 due to a couple of minor issues -that apply in C++17 as well-):
I wouldn't minimize the current state of the codebase, though, as compiling with no warnings and cppcheck (with few suppressions) is significant. Of course, raising the bar is always good and could be a focus for improvement. Earlier this year I proposed using the latest version of With regards to sonarcloud, it's a nice addition as well to the analysis of the codebase. I think it's helpful to focus on issues related to security (and performance) though. In my experience, it's reporting many suggestions on leveraging modern C++ features such as |
airween commentedAug 13, 2024
Hi@eduar-hte,
then may be you should add a small block into the README. With this PR you requested to change the c++ version from 17 to 20. I downloaded your branch into a Debian 11 (which is still a supported system) and I got: So I'm not able to build the library. Note: Debian 11 uses gcc 10.2, Ubuntu Focal (20.04 - this is an LTS system) uses gcc 9.3.
But this PR definitely updates the configuration, doesn't it? |
eduar-hte commentedAug 13, 2024
Yes, but I'm not proposing integrating this PR right now, but at some point in the future. I don't think there's any urgency to move to C++20. Moreover, my main concern would be upgrading to that version and start adopting the I've been building the library myself using the default configuration, but also with newer versions of the standard as well, in order to detect any potential and unnecessary roadblock to upgrading in the future. This PR can easily be rebased as well to keep track of this until the moment is right to integrate it. |
airween commentedAug 13, 2024
Ahh, right - then please feel free to add labels on the right side of the page (now I added |
eduar-hte commentedAug 13, 2024 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
@airween, I cannot set labels. I thought it was clear from the start, or that's what I wrote on thewhy section when submitting the PR anyway. |
airween commentedAug 13, 2024
uhm, sorry. Yes, now I see atriage access needs to apply any label (and let me take the opportunity again and call your attention your pending invitation to developers group :) - with that, you are able to apply labels)
Sorry, I was a bit confused, because the sent modifications would have changed the build system. Sorry again. |
what
Update build configuration to build the library using std C++20
why
The goal of this PR is not necessarily to update this configuration at this time, but rather to document that the library builds correctly at this stage using std C++20 on all platforms.
why not C++23
This PR is limited to C++20 because moving to C++23 is not yet possible on all platforms, as the compilers available in some of the images do not include support for this C++ std. Additionally, the current version of the
ax_cxx_compile_stdcxxautoconfmacro doesn't support C++23 yet either.NOTE: Building the library using std C++23 on Windows found the issue found in PR#3220.
a note on adoption of C++20 ranges
C++20 introduces the ranges library (seehere). The library offers a powerful and expressive way to handle data due to its declarative approach and composability.
However, adoption of the library needs to consider potential performance drawbacks when compared to existing approaches (such as STL algorithms), as library implementations may not be as efficient yet.
For the sake of reference, see:
sonarcloud code analysis on PRs usually recommend replacing existing code with C++20 ranges, but that feedback should be taken with a grain of salt (such as considering performance implications of the changes).
NOTE: This is feedback is unrelated to theRange-based for loop feature introduced in C++11.
references
The library was updated to build with std C++17 in PR#3079 (and the configuration was simplified in PR#3219 to make it easier to upgrade in the future).