Enable stack protection in released binary #1514

@berlic

I've recently launched an AWS Inspector scan across our systems, and one of the findings was:

Finding: The following executable files on instance i-xxxxxx do not support stack cookies: /usr/bin/jq.
Severity: Medium
Description: This rule detects the presence of third-party software that is compiled without support for stack cookies. Stack cookies increase system security by defending against stack-based buffer overflow and other memory corruption attacks.
Recommendation: It is recommended that you uninstall this software from your assessment target if you are not using it, or contact the vendor to get an updated version of this software with stack cookies enabled.

I've then checked the latest available release with the hardening-includes package:

# ./jq-linux64 --version
jq-1.5
# sha256sum ./jq-linux64
c6b3a7d7d3e7b70c6f51b706a3b90bd01833846c54d32ca32f0027f00226ff6d  ./jq-linux64
# hardening-check ./jq-linux64
./jq-linux64:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no, not found!

Then I downloaded the corresponding source package jq-1.5.tar.gz and compiled it with just ./configure and make. That gave me this result:

# ./jq --version
jq-1.5-1-g940132e-dirty
# hardening-check ./jq
./jq:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

After deploying this binary to my hosts, subsequent AWS Inspector scans raised no security issues about jq.

Please consider enabling security features for released binaries by default.
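The hardening-check output quoted above is derived from the ELF file itself: "Stack protected" is inferred from a reference to the `__stack_chk_fail` symbol, "Fortify Source" from `__*_chk` symbols, PIE from the ELF type, and "Read-only relocations" from a `PT_GNU_RELRO` program header. The following is an added example (not part of this issue and not jq's or hardening-check's own code) that performs the same checks in plain Python on little-endian ELF64 files, so the finding can be reproduced on a host without the hardening-includes package. The `build_sample_elf` helper fabricates a minimal, non-executable ELF image purely as constructed test input; `audit_file` runs the report against a real binary on disk.

```python
"""Minimal ELF64 hardening audit in the spirit of hardening-check (added example)."""
import struct

SHT_SYMTAB, SHT_DYNSYM, SHT_STRTAB = 2, 11, 3
PT_GNU_RELRO = 0x6474E552          # program header that marks read-only-after-relocation data
ET_EXEC, ET_DYN = 2, 3             # ET_DYN covers PIE executables (and shared objects)
STACK_CHK = ("__stack_chk_fail", "__stack_chk_fail_local")


def _section_headers(data):
    """Yield Elf64_Shdr tuples: name, type, flags, addr, offset, size, link, info, align, entsize."""
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    for i in range(e_shnum):
        yield struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)


def symbol_names(data):
    """Collect names from .symtab and .dynsym so static and dynamic binaries both work."""
    shdrs = list(_section_headers(data))
    names = set()
    for sh in shdrs:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM) or sh_entsize == 0:
            continue
        str_off = shdrs[sh_link][4]            # sh_link points at the matching string table
        for off in range(sh_offset, sh_offset + sh_size, sh_entsize):
            st_name, = struct.unpack_from("<I", data, off)
            start = str_off + st_name
            name = data[start:data.index(b"\0", start)].decode("ascii", "replace")
            if name:
                names.add(name)
    return names


def has_relro(data):
    """RELRO is requested at link time and shows up as a PT_GNU_RELRO program header."""
    e_phoff, = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    return any(struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0] == PT_GNU_RELRO
               for i in range(e_phnum))


def hardening_report(data):
    """Return the four checks hardening-check prints, as a dict."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    e_type, = struct.unpack_from("<H", data, 0x10)
    names = symbol_names(data)
    fortified = sorted(n for n in names
                       if n.startswith("__") and n.endswith("_chk") and n not in STACK_CHK)
    return {
        "pie": e_type == ET_DYN,
        "stack_protected": any(s in names for s in STACK_CHK),
        "fortified_functions": fortified,
        "relro": has_relro(data),
    }


def audit_file(path):
    with open(path, "rb") as fh:
        return hardening_report(fh.read())


def build_sample_elf(symbols, pie=True, relro=True):
    """Constructed test input: a tiny ELF64 image with .dynsym/.dynstr/.shstrtab, not runnable."""
    dynstr = b"\0" + b"".join(s.encode() + b"\0" for s in symbols)
    dynsym, name_off = struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0), 1
    for s in symbols:                       # GLOBAL FUNC, undefined (an import)
        dynsym += struct.pack("<IBBHQQ", name_off, 0x12, 0, 0, 0, 0)
        name_off += len(s) + 1
    shstrtab = b"\0.dynsym\0.dynstr\0.shstrtab\0"
    phdrs = struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 0x1000) if relro else b""
    phoff = 64
    dynsym_off = phoff + len(phdrs)
    dynstr_off = dynsym_off + len(dynsym)
    shstr_off = dynstr_off + len(dynstr)
    shoff = shstr_off + len(shstrtab)

    def shdr(name, typ, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0, 0)
             + shdr(1, SHT_DYNSYM, dynsym_off, len(dynsym), 2, 24)
             + shdr(9, SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)
             + shdr(17, SHT_STRTAB, shstr_off, len(shstrtab), 0, 0))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                                 phoff, shoff, 0, 64, 56, 1 if relro else 0, 64, 4, 3)
    return header + phdrs + dynsym + dynstr + shstrtab + shdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, audit_file(path))
```

Run it as `python3 elf_audit.py /usr/bin/jq` (the script name is an assumption). Like hardening-check, it infers stack protection from symbol names, so a stripped static binary with no symbol table will report `stack_protected: False` whether or not it was compiled with `-fstack-protector`; treat a negative result on such a file as "unknown" and confirm from the build flags rather than the binary alone.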
