Unsatisfied secure compilation options -fPIE -pie

[JunXie-ZH]

I used a scanning tool to scan the nebula-graphd file and found Unsatisfied secure compilation options -fPIE -pie. I saw a related reply in the community: Nebula relies on static libraries and does not need this option. (https://discuss.nebula-graph.com.cn/t/topic/2846/2)

Is there a formal conclusion and reason for this?

[Shinji-IkariG]

In the current source code we use the -fPIC option, what scanning tool are you using? I want to reproduce this scan result.
Both nebula and nebula-third-party use the -fPIC option, so I want to know which part is showing up -fPIE

[dutor]

The replies in the mentioned post are not correct.

The -no-pie linker option was introduced by me long long ago. I am not sure about the exact reason to do this. But it must be related with a crash bug if PIE is enabled by default. I simply reviewed my commit history to locate the original PR but with no luck.

[JunXie-ZH]

Yes, my code exists -fPIE -pie . But I used the security tool to scan nebula-graphd, the result showed that the -fPIE -pie not activated. I'd like to consult the reasons and the security risks.

-DCMAKE_C_FLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now,-z,noexecstack -s -fPIE -pie -fPIC -pie -Wl,--disable-new-dtags ${CMAKE_C_FLAGS}"

-DCMAKE_CXX_FLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now,-z,noexecstack -s -fPIE -pie -fPIC -pie -Wl,--disable-new-dtags ${CMAKE_CXX_FLAGS}"

[dutor]

I already explained the reason.

What PIE does explains the risks.