Tell users how to disable false positives

If there are >0 hits, tell users how to ignore them in the output. This resolves: https://github.com/david-a-wheeler/flawfinder/issues/24 Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
2021-01-09 12:55:44 -05:00 · 2021-01-09 12:55:44 -05:00 · 41857c6364
parent 48ebb4023e
commit 41857c6364
4 changed files with 19 additions and 0 deletions
--- a/8
+++ b/8
@ -2243,10 +2243,18 @@ def show_final_results():
        print("Minimum risk level = %d" % minimum_level)
        if output_format:
            print("<br>")
+        else:
+            print()
        if count > 0:
            print("Not every hit is necessarily a security vulnerability.")
+            print("You can inhibit a report by adding a comment in this form:")
+            print("// flawfinder: ignore")
+            print("Make *sure* it's a false positive!")
+            print("You can use the option --neverignore to show these.")
            if output_format:
                print("<br>")
+            else:
+                print()
        print("There may be other security vulnerabilities; review your code!")
        if output_format:
            print("<br>")
--- a/test/correct-results-008.txt
+++ b/test/correct-results-008.txt
@ -12,6 +12,7 @@ Hits@level+ = [0+]   0 [1+]   0 [2+]   0 [3+]   0 [4+]   0 [5+]   0
 Hits/KSLOC@level+ = [0+]   0 [1+]   0 [2+]   0 [3+]   0 [4+]   0 [5+]   0
 Suppressed hits = 2 (use --neverignore to show them)
 Minimum risk level = 1
+
 There may be other security vulnerabilities; review your code!
 See 'Secure Programming HOWTO'
 (https://dwheeler.com/secure-programs) for more information.
--- a/test/correct-results.html
+++ b/test/correct-results.html
@ -335,6 +335,10 @@ Suppressed hits = 2 (use --neverignore to show them)
 Minimum risk level = 1
 <br>
 Not every hit is necessarily a security vulnerability.
+You can inhibit a report by adding a comment in this form:
+// flawfinder: ignore
+Make *sure* it's a false positive!
+You can use the option --neverignore to show these.
 <br>
 There may be other security vulnerabilities; review your code!
 <br>
--- a/test/correct-results.txt
+++ b/test/correct-results.txt
@ -154,7 +154,13 @@ Hits@level+ = [0+]  54 [1+]  38 [2+]  29 [3+]  20 [4+]  17 [5+]   7
 Hits/KSLOC@level+ = [0+] 642.857 [1+] 452.381 [2+] 345.238 [3+] 238.095 [4+] 202.381 [5+] 83.3333
 Suppressed hits = 2 (use --neverignore to show them)
 Minimum risk level = 1
+
 Not every hit is necessarily a security vulnerability.
+You can inhibit a report by adding a comment in this form:
+// flawfinder: ignore
+Make *sure* it's a false positive!
+You can use the option --neverignore to show these.
+
 There may be other security vulnerabilities; review your code!
 See 'Secure Programming HOWTO'
 (https://dwheeler.com/secure-programs) for more information.