From 58e56cad03c63d943276bf948466843fd4a6f803 Mon Sep 17 00:00:00 2001 From: "David A. Wheeler" Date: Sat, 26 Aug 2017 14:55:09 -0400 Subject: [PATCH] Minor update of man page Signed-off-by: David A. Wheeler --- flawfinder.1 | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/flawfinder.1 b/flawfinder.1 index eff84a0..6303601 100644 --- a/flawfinder.1 +++ b/flawfinder.1 @@ -19,7 +19,7 @@ .\" .\" Man page created 17 May 2001 by David A. Wheeler (dwheeler@dwheeler.com) .\" -.TH FLAWFINDER 1 "3 Aug 2014" "Flawfinder" "Flawfinder" +.TH FLAWFINDER 1 "26 Aug 2017" "Flawfinder" "Flawfinder" .SH NAME flawfinder \- lexically find potential security flaws ("hits") in source code .SH SYNOPSIS @@ -73,6 +73,8 @@ in that directory (and its subdirectories, recursively) will be examined. Thus, for most projects, simply give flawfinder the name of the source code's topmost directory (use ``.'' for the current directory), and flawfinder will examine all of the project's C/C++ source code. +Flawfinder does \fInot\fR require that you be able to build your software, +so it can be used even with incomplete source code. If you only want to have \fIchanges\fR reviewed, save a unified diff of those changes (created by GNU "diff -u" or "svn diff" or "git diff") in a patch file and use the \-\-patch (\-P) option. @@ -94,7 +96,7 @@ the number of false hits in internationalized programs. Flawfinder will do the same sort of thing with _T() and _TEXT(), common Microsoft macros for handling internationalized programs. .\" For more info, see: http://www.rpi.edu/~pudeyo/articles/unicode.html -Flawfinder correctly ignores most text inside comments and strings. +Flawfinder correctly ignores text inside comments and strings. Normally flawfinder shows all hits with a risk level of at least 1, but you can use the \-\-minlevel option to show only hits with higher risk levels if you wish. 
@@ -223,6 +225,7 @@ Flawfinder works similarly to another program, ITS4, which is not fully open source software (as defined in the Open Source Definition) nor free software (as defined by the Free Software Foundation). The author of Flawfinder has never seen ITS4's source code. +Flawfinder is similar in many ways to RATS, if you are familiar with RATS. .SH "BRIEF TUTORIAL" @@ -493,9 +496,10 @@ The headers are mostly self-explanatory. "Note" is other explanatory notes, "CWEs" is the list of one or more CWEs, "Context" is the source code line triggering the hit, -and "Fingerprint" is the SHA-256 hash of the context once its leading and trailing whitespace -have been removed +and "Fingerprint" is the SHA-256 hash of the context once +its leading and trailing whitespace have been removed (the fingerprint may help detect and eliminate later duplications). +If you use Python3, the hash is of the context when encoded as UTF-8. .TP .BI "\-\-dataonly" @@ -565,7 +569,6 @@ The difference algorithm is conservative; hits are only considered the ``same'' if they have the same filename, line number, column position, function name, and risk level. - .SH EXAMPLES Here are various examples of how to invoke flawfinder.
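Review bot: the new sentence in the first flawfinder.1 hunk after the header ("Flawfinder does \fInot\fR require that you be able to build your software") should carry the trade-off with it: because the tool works lexically (as the NAME line says), not building the code also means each file is scanned in isolation, so macro expansion, include paths and #if/#ifdef selection are not taken into account and hits may appear in code that never compiles in. One clause such as "but it also cannot use build information such as macro definitions or conditional compilation" would keep readers from mistaking "no build needed" for "same coverage as a compiler-based tool".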
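Review bot: changing "Flawfinder correctly ignores most text inside comments and strings" to "Flawfinder correctly ignores text inside comments and strings" turns a hedged statement into an absolute guarantee, yet this commit touches only flawfinder.1 (1 file changed) and no tokenizer change is shown. Either keep "most" or say what justifies the stronger wording; a manual that over-promises on comment and string handling leads users to treat any hit as real code and to stop double-checking the "Context" column the later hunk describes.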
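Review bot: the added line "Flawfinder is similar in many ways to RATS, if you are familiar with RATS." is circular, since the condition restates the subject, and it is appended directly to the ITS4 paragraph just before the .SH "BRIEF TUTORIAL" header. Suggest "Flawfinder is also similar in many ways to RATS." and, matching the ITS4 sentences around it, a word on what the similarity is (purpose, output) so the comparison is useful to a reader who has not used RATS.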
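Review bot: in the Fingerprint hunk, "If you use Python3, the hash is of the context when encoded as UTF-8." implies that the same context line can yield a different SHA-256 under Python 2 and Python 3 whenever it contains non-ASCII bytes, which undercuts the stated purpose of the fingerprint ("may help detect and eliminate later duplications") for teams that compare reports across interpreters. The man page should state explicitly what Python 2 hashes (presumably the raw source bytes) and that fingerprints are only comparable between runs using the same Python major version unless the input is pure ASCII; better still, normalise both paths to hash the same bytes so the documentation does not need the caveat.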