From 428fbf6b02cb196b45a3122c8b368e5bf17f545a Mon Sep 17 00:00:00 2001 From: "David A. Wheeler" Date: Sun, 30 May 2021 19:03:37 -0400 Subject: [PATCH] Make --error-level more obvious in the man page The --error-level option is useful in continuous integration (CI) pipelines. Make it even more obvious in the documentation. Signed-off-by: David A. Wheeler --- flawfinder.1 | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/flawfinder.1 b/flawfinder.1 index 5051437..6a74c48 100644 --- a/flawfinder.1 +++ b/flawfinder.1 @@ -222,7 +222,10 @@ Not every hit is necessarily a security vulnerability, and there may be other security vulnerabilities not reported by the tool. .PP Flawfinder can easily integrate into a continuous integration system. -You might want to check out the \-\-error\-level option to help do that. +You might want to check out the \-\-error\-level option to help do that, e.g., +using \-\-error\-level=4 will cause an error to be returned if flawfinder +finds a vulnerability of level 4 or higher. + .PP Flawfinder is released under the GNU GPL license version 2 or later (GPLv2+). .PP @@ -733,6 +736,14 @@ reporting on all hits found. By default flawfinder will skip symbolic links and directories with names that start with a period. +.TP +.B "flawfinder \-\-error-level=4 ." +Examine all the C/C++ files in the current directory +and its subdirectories (recursively); +return an error code if there are vulnerabilities +level 4 and up (the two highest risk levels). +This is a plausible way to use flawfinder in a continuous integration system. + .TP .B "flawfinder \-\-minlevel=4 ." Examine all the C/C++ files in the current directory
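Review bot: In the first hunk (the `.PP` paragraph at -222), the added empty `+` line before `.PP` is inconsistent with the surrounding source, which goes straight from the sentence to `.PP`, and troff renders an empty input line as extra vertical space on top of the paragraph gap `.PP` already inserts; drop the blank line. The new sentence "will cause an error to be returned" is also vaguer than a CI user needs: the thing a pipeline keys on is the exit status, so wording such as "will make flawfinder exit with a nonzero status if it finds a hit of level 4 or higher" states the actual contract, and "hit" matches the terminology the preceding sentence ("Not every hit is necessarily a security vulnerability") just established.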
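Review bot: In the second hunk (the new `.TP` example at -733), `.B "flawfinder \-\-error-level=4 ."` leaves the middle hyphen unescaped, whereas the first hunk writes `\-\-error\-level`; in groff a bare `-` is a typographic hyphen rather than a minus sign, which renders differently and can break copy-paste of the example into a shell, so it should read `\-\-error\-level=4` for consistency with the rest of the page. The description "if there are vulnerabilities level 4 and up" is missing a preposition; "if there are hits of level 4 or higher (the two highest risk levels)" reads cleanly and matches the wording used in the first hunk. As in the first hunk, the trailing empty `+` line before the existing `.TP` adds stray vertical space and does not match the neighbouring entries, which follow one another without blank lines.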