Make inline links into references in footnotes
Signed-off-by: Thomas Nyman <[email protected]>
thomasnyman committed Nov 1, 2023
1 parent 6ef3ba5 commit f58dfda
Showing 1 changed file with 10 additions and 2 deletions.
Expand Up @@ -85,8 +85,6 @@ Similarly, running `cc -O2 -dM -E - < /dev/null` will produce a comprehensive li

It's important to note that sourcing GCC from third-party vendor may result in your instance of GCC being preconfigured with certain default flags enabled or disabled. These flags can significantly impact the security of your compiled code. Therefore, it's essential to review the default flags if GCC is sourced through a Package Manager, Linux Distribution, or otherwise. We recommend explicitly enabling desired compiler flags in your build scripts or build system configuration rather than relying on the toolchain defaults. If you are creating packages for Linux distributions the distributions maintainers may have their own recommended ways of incorporating build flags. In such cases refer to the corresponding distribution documentation for, e.g., Debian[^debian-hardening], Gentoo[^gentoo-hardening], Fedora[^fedora-hardening], OpenSUSE[^opensuse-hardening], or Ubuntu[^ubuntu-hardening].

Typical compiler configurations do not report warnings from system headers, since application developers typically don't control those headers. In GCC this is because `-Wno-system-headers` is on by default, and [clang also normally suppresses warnings from system headers](https://clang.llvm.org/docs/UsersManual.html#controlling-diagnostics-in-system-headers). You will probably want to also mark third party include files as system headers so you can strongly increase the warning levels. Directories added with the command line option `-isystem` are treated as system header directories by [GCC](https://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html) and [clang](https://clang.llvm.org/docs/ClangCommandLineReference.html). In a [cmake configuration file you can do this with `include_directories` by adding `SYSTEM` before its parameter](https://cmake.org/cmake/help/latest/command/include_directories.html). There are trade-offs. Silencing warnings from system headers and third party libraries may hide vulnerabilities in them that affect the application. On the other hand, *not* silencing them focuses efforts on issues that the developer typically cannot control, impede progress when using `-Werror` in CI jobs, and often make it difficult to support building with older versions of third party code.

[^debian-hardening]: Software in the Public Interest, [Hardening in Debian](https://wiki.debian.org/Hardening), Debian Wiki, 2022-01-07.

[^gentoo-hardening]: Gentoo Foundation, [Hardening in Gentoo](https://wiki.gentoo.org/wiki/Hardened/Toolchain), Gentoo Wiki, 2023-03-08.
Expand All @@ -97,6 +95,16 @@ Typical compiler configurations do not report warnings from system headers, sinc

[^ubuntu-hardening]: Ubuntu, [Ubuntu Security Features](https://wiki.ubuntu.com/Security/Features), Ubuntu Wiki, 2023-08-07.

Typical compiler configurations do not report warnings from system headers, since application developers typically don't control those headers. In GCC this is because `-Wno-system-headers` is on by default, and clang also normally suppresses warnings from system headers [^clang-system-headers]. You will probably want to also mark third party include files as system headers so you can strongly increase the warning levels. Directories added with the command line option `-isystem` are treated as system header directories by GCC [^gcc-directory-search] and Clang [^clang-isystem]. In a Cmake configuration file you can do this with `include_directories` by adding `SYSTEM` before its parameter [^cmake-include-directories]. There are trade-offs. Silencing warnings from system headers and third party libraries may hide vulnerabilities in them that affect the application. On the other hand, *not* silencing them focuses efforts on issues that the developer typically cannot control, impede progress when using `-Werror` in CI jobs, and often make it difficult to support building with older versions of third party code.

[^clang-system-headers]: LLVM team, [Controlling Diagnostics in System Headers](https://clang.llvm.org/docs/UsersManual.html#controlling-diagnostics-in-system-headers), Clang Compiler User's Manual, 2017-03-08.

[^gcc-directory-search] GCC team, [Options for Directory Search](https://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html), GCC Manual, 2023-07-27.

[^clang-isystem]: LLVM team, [Clang command line argument reference¶: -isystem\<directory\>](https://clang.llvm.org/docs/ClangCommandLineReference.html#cmdoption-clang-isystem-directory), Clang documentation, 2017-09-05.

[^cmake-include-directories]: Kitware, [include_directories¶](https://cmake.org/cmake/help/latest/command/include_directories.html), Cmake Documentation, 2023-10-23.

Compile-time checks enabled by options in Table 1 do not have an impact on the binary code generated by the compiler and consequently do not incur any tradeoffs in terms of performance or other run-time characteristics. Rather, they only issue warnings (or errors if the `-Werror` option is enabled) that inform of potential defects found in the source code.

When such additional warnings are enabled, developers should take time to understand the underlying issues that are flagged by the compiler and address them.
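Review bot: the footnote definition on the `[^gcc-directory-search] GCC team, ...` line is missing the colon after the label, so Markdown footnote processors will render it as an ordinary paragraph and the `[^gcc-directory-search]` reference in the paragraph above will have no target; change it to `[^gcc-directory-search]: GCC team, ...`. Two link titles in the same hunk also carry a stray pilcrow copied from the documentation's heading anchors (`Clang command line argument reference¶` and `include_directories¶`), which should be dropped. Minor: the project name is spelled `Cmake` both in the paragraph and in the `Cmake Documentation` footnote where upstream uses CMake, `clang`/`Clang` is capitalised inconsistently within one sentence, and the moved paragraph keeps the original agreement slip in its last sentence ("*not* silencing them focuses ... impede ... make"), which could become "impedes" and "makes" while the text is being touched.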

0 comments on commit f58dfda