Minor update of man page

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
David A. Wheeler 2017-08-26 14:55:09 -04:00
parent b5c17e2969
commit 58e56cad03
1 changed files with 8 additions and 5 deletions


@ -19,7 +19,7 @@
.\"
.\" Man page created 17 May 2001 by David A. Wheeler (dwheeler@dwheeler.com)
.\"
.TH FLAWFINDER 1 "3 Aug 2014" "Flawfinder" "Flawfinder"
.TH FLAWFINDER 1 "26 Aug 2017" "Flawfinder" "Flawfinder"
.SH NAME
flawfinder \- lexically find potential security flaws ("hits") in source code
.SH SYNOPSIS
@ -73,6 +73,8 @@ in that directory (and its subdirectories, recursively) will be examined.
Thus, for most projects, simply give flawfinder the name of the source
code's topmost directory (use ``.'' for the current directory),
and flawfinder will examine all of the project's C/C++ source code.
Flawfinder does \fInot\fR require that you be able to build your software,
so it can be used even with incomplete source code.
If you only want to have \fIchanges\fR reviewed, save a unified diff
of those changes (created by GNU "diff -u" or "svn diff" or "git diff")
in a patch file and use the \-\-patch (\-P) option.
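Review bot: Quoting style is inconsistent in the new sentence: the surrounding text uses groff-style ``.'' quotes (see the line about the current directory just above), while the added line writes "diff -u", "svn diff" and "git diff" in plain double quotes. Suggest ``diff -u'', ``svn diff'' and ``git diff'' so the rendered man page quotes these the same way throughout.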
@ -94,7 +96,7 @@ the number of false hits in internationalized programs.
Flawfinder will do the same sort of thing with _T() and _TEXT(),
common Microsoft macros for handling internationalized programs.
.\" For more info, see: http://www.rpi.edu/~pudeyo/articles/unicode.html
Flawfinder correctly ignores most text inside comments and strings.
Flawfinder correctly ignores text inside comments and strings.
Normally flawfinder shows all hits with a risk level of at least 1,
but you can use the \-\-minlevel option
to show only hits with higher risk levels if you wish.
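Review bot: Dropping "most" turns a hedged statement into an absolute one ("correctly ignores text inside comments and strings"), but this commit changes only the man page (1 file, per the commit summary), so no lexer change backs the stronger claim. Unless the tokenizer is known to handle every comment and string form, keep "most text": readers rely on this sentence when deciding whether a hit in a comment or string literal is a tool false positive.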
@ -223,6 +225,7 @@ Flawfinder works similarly to another program, ITS4, which is not
fully open source software (as defined in the Open Source Definition)
nor free software (as defined by the Free Software Foundation).
The author of Flawfinder has never seen ITS4's source code.
Flawfinder is similar in many ways to RATS, if you are familiar with RATS.
.SH "BRIEF TUTORIAL"
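Review bot: The added sentence repeats itself ("similar in many ways to RATS, if you are familiar with RATS"); the conditional clause adds nothing the reader cannot infer. Suggest "Flawfinder is also similar in many ways to RATS." so it reads like the ITS4 comparison that precedes it.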
@ -493,9 +496,10 @@ The headers are mostly self-explanatory.
"Note" is other explanatory notes,
"CWEs" is the list of one or more CWEs,
"Context" is the source code line triggering the hit,
and "Fingerprint" is the SHA-256 hash of the context once its leading and trailing whitespace
have been removed
and "Fingerprint" is the SHA-256 hash of the context once
its leading and trailing whitespace have been removed
(the fingerprint may help detect and eliminate later duplications).
If you use Python3, the hash is of the context when encoded as UTF-8.
.TP
.BI "\-\-dataonly"
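Review bot: The new sentence "If you use Python3, the hash is of the context when encoded as UTF-8." implies that the fingerprint differs under Python 2, but leaves the Python 2 behaviour unstated, so a user comparing fingerprints produced by the two interpreters (the stated purpose of the fingerprint is detecting later duplicates) has no way to know when they will match. Suggest stating what Python 2 hashes (presumably the raw source bytes) and noting explicitly that fingerprints for lines containing non-ASCII characters may therefore differ between Python versions.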
@ -565,7 +569,6 @@ The difference algorithm is conservative;
hits are only considered the ``same'' if they have the same
filename, line number, column position, function name, and risk level.
.SH EXAMPLES
Here are various examples of how to invoke flawfinder.