2018-03-14 07:09:21 +01:00
|
|
|
# About
|
|
|
|
|
|
|
|
This is "flawfinder" by [David A. Wheeler](mailto:dwheeler@dwheeler.com).
|
2014-08-03 04:36:00 +02:00
|
|
|
|
|
|
|
Flawfinder is a simple program that scans C/C++ source code and reports
|
2014-08-03 20:47:47 +02:00
|
|
|
potential security flaws. It can be a useful tool for examining software
|
|
|
|
for vulnerabilities, and it can also serve as a simple introduction to
|
|
|
|
static source code analysis tools more generally. It is designed to
|
|
|
|
be easy to install and use. Flawfinder supports the Common Weakness
|
|
|
|
Enumeration (CWE) and is officially CWE-Compatible.
|
2007-01-16 03:44:45 +01:00
|
|
|
|
2018-10-01 03:35:11 +02:00
|
|
|
For more information, see the [project website](http://dwheeler.com/flawfinder)
|
2018-03-14 07:09:21 +01:00
|
|
|
|
|
|
|
# Platforms
|
2007-01-16 03:44:45 +01:00
|
|
|
|
2014-08-03 20:01:30 +02:00
|
|
|
Flawfinder is designed for use on Unix/Linux/POSIX systems
|
2018-10-01 03:35:11 +02:00
|
|
|
(including Cygwin, Linux-based systems, MacOS, and various BSDs) as a
|
2019-01-21 23:30:28 +01:00
|
|
|
command line tool. It requires either Python 2.7 or Python 3.
|
2014-08-03 20:01:30 +02:00
|
|
|
|
2018-03-14 07:09:21 +01:00
|
|
|
# Installation
|
|
|
|
|
2017-09-03 03:03:02 +02:00
|
|
|
If you just want to *use* it, you can install flawfinder with
|
|
|
|
Python's "pip" or with your system's package manager (flawfinder has
|
2018-01-26 06:07:36 +01:00
|
|
|
packages for many systems). It also supports easy installation
|
2018-03-16 05:55:00 +01:00
|
|
|
following usual `make install` source installation conventions.
|
2018-03-16 06:07:09 +01:00
|
|
|
The file [INSTALL.md](INSTALL.md) has more detailed installation instructions.
|
2014-08-03 20:01:30 +02:00
|
|
|
You don't HAVE to install it to run it, but it's easiest that way.
|
|
|
|
|
2018-03-14 07:09:21 +01:00
|
|
|
# Usage
|
|
|
|
|
2014-08-03 20:01:30 +02:00
|
|
|
To run flawfinder, just give it a list of source files or directories to
|
|
|
|
example. For example, to examine all files in "src/" and down recursively:
|
2017-09-03 03:03:02 +02:00
|
|
|
|
2019-01-21 23:30:28 +01:00
|
|
|
~~~~
|
|
|
|
flawfinder src/
|
|
|
|
~~~~
|
|
|
|
|
|
|
|
To examine all files in the *current* directory and down recursively:
|
|
|
|
|
|
|
|
~~~~
|
|
|
|
flawfinder ./
|
|
|
|
~~~~
|
|
|
|
|
|
|
|
Hits (findings) are given a risk level from 0 (very low risk) to 5 (high risk),
|
|
|
|
By default, findings of risk level 1 or higher are shown.
|
|
|
|
You can show only the hits of risk level 4 or higher in the current
|
|
|
|
directory and down this way:
|
|
|
|
|
|
|
|
~~~~
|
|
|
|
flawfinder --minlevel 4 ./
|
|
|
|
~~~~
|
2017-09-03 03:03:02 +02:00
|
|
|
|
2014-08-03 20:01:30 +02:00
|
|
|
The manual page (flawfinder.1 or flawfinder.pdf) describes how to use
|
|
|
|
flawfinder (including its various options) and related information
|
2018-03-16 05:55:00 +01:00
|
|
|
(such as how it supports CWE). For example, the `--html` option generates
|
|
|
|
output in HTML format. The `--help` option gives a brief list of options.
|
2014-08-03 20:01:30 +02:00
|
|
|
|
2019-10-24 14:22:59 +02:00
|
|
|
# Character Encoding Errors
|
|
|
|
|
|
|
|
Flawfinder must be able to correctly interpret your source code's
|
|
|
|
character encoding.
|
|
|
|
In the vast majority of cases this is not a problem, especially
|
|
|
|
if the source code is correctly encoded using UTF-8 and your system
|
|
|
|
is configured to use UTF-8 (the most common situation by far).
|
|
|
|
|
|
|
|
However, it's possible for flawfinder to halt if there is a
|
|
|
|
character encoding problem and you're running Python3.
|
|
|
|
The usual symptom is error meesages like this:
|
|
|
|
`Error: encoding error in FILENAME 'ENCODING' codec can't decode byte ... in position ...: invalid start byte`
|
|
|
|
|
|
|
|
Unfortunately, Python3 fails to provide useful built-ins to deal with this.
|
|
|
|
Thus, it's non-trivial to deal with this problem without depending on external
|
|
|
|
libraries (which we're trying to avoid).
|
|
|
|
|
|
|
|
If you have this problem, see the flawfinder manual page for a collection
|
|
|
|
of various solutions.
|
|
|
|
One of the simplest is to simply convert the source code and system
|
|
|
|
configuration to UTF-8.
|
|
|
|
You can convert source code to UTF-8 using tools such as the
|
|
|
|
system tool `iconv` or the Python program
|
|
|
|
[`cvt2utf`](https://pypi.org/project/cvt2utf/);
|
|
|
|
you can install `cvt2utf` using `pip install cvt2utf`.
|
|
|
|
|
2018-03-14 07:09:21 +01:00
|
|
|
# Under the hood
|
|
|
|
|
2014-08-03 20:01:30 +02:00
|
|
|
More technically, flawfinder uses lexical scanning to find tokens
|
|
|
|
(such as function names) that suggest likely vulnerabilities, estimates their
|
|
|
|
level of risk (e.g., by the text of function calls), and reports the results.
|
|
|
|
Flawfinder does not use or have access to information about control flow,
|
|
|
|
data flow, or data types. Thus, flawfinder will necessarily
|
|
|
|
produce many false positives for vulnerabilities and fail to report
|
|
|
|
many vulnerabilities. On the other hand, flawfinder can find
|
|
|
|
vulnerabilities in programs that cannot be built or cannot be linked.
|
|
|
|
Flawfinder also doesn't get as confused by macro definitions
|
|
|
|
and other oddities that more sophisticated tools have trouble with.
|
2014-08-03 04:36:00 +02:00
|
|
|
|
2021-06-30 01:28:09 +02:00
|
|
|
# Flawfinder GitHub Action
|
|
|
|
|
|
|
|
There's a GitHub action available for those who use GitHub.
|
2021-06-24 20:56:59 +02:00
|
|
|
|
|
|
|
## Usage
|
|
|
|
|
|
|
|
See [action.yml](https://github.com/david-a-wheeler/flawfinder/blob/main/action.yml)
|
|
|
|
|
|
|
|
Create a .yml file under .github/workflows with the following contents:
|
|
|
|
|
2021-06-30 01:28:09 +02:00
|
|
|
### Basic demo:
|
|
|
|
|
2021-06-25 00:01:02 +02:00
|
|
|
```yml
|
2021-06-24 20:56:59 +02:00
|
|
|
- name: Flawfinder
|
|
|
|
uses: david-a-wheeler/flawfinder@v1.0
|
|
|
|
with:
|
|
|
|
arguments: '--sarif ./'
|
|
|
|
output: 'flawfinder_results.sarif'
|
2021-06-25 00:01:02 +02:00
|
|
|
```
|
|
|
|
|
2021-06-30 01:28:09 +02:00
|
|
|
You can add many other additions to the arguments.
|
|
|
|
For example, `--error-level=4` will cause an error to be returned if
|
|
|
|
flawfinder finds a vulnerability of level 4 or higher.
|
|
|
|
|
2021-06-24 20:56:59 +02:00
|
|
|
### Input options:
|
2021-06-30 01:28:09 +02:00
|
|
|
|
|
|
|
- arguments: [Flawfinder command arguments](ttps://github.com/david-a-wheeler/flawfinder/blob/master/README.md#usage)
|
|
|
|
- output: Flawfinder output file name. Can be uploaded to GitHub.
|
2021-06-24 20:56:59 +02:00
|
|
|
|
2018-03-14 07:09:21 +01:00
|
|
|
# Contributions
|
|
|
|
|
2017-07-31 02:52:42 +02:00
|
|
|
We love contributions! For more information on contributing, see
|
2018-03-14 07:09:21 +01:00
|
|
|
the file [CONTRIBUTING.md](CONTRIBUTING.md).
|
|
|
|
|
|
|
|
# License
|
2017-07-31 02:52:42 +02:00
|
|
|
|
2017-07-29 19:24:25 +02:00
|
|
|
Flawfinder is released under the GNU GPL license version 2 or later (GPL-2.0+).
|
2018-03-14 07:09:21 +01:00
|
|
|
See the [COPYING](COPYING) file for license information.
|