From 5ad5a17034df7f4706ffa3bbd6eb0a55392c56ba Mon Sep 17 00:00:00 2001 From: "David A. Wheeler" Date: Sun, 30 Jul 2017 23:29:36 -0400 Subject: [PATCH] Make minor improvements to flawfinder man page Signed-off-by: David A. Wheeler --- flawfinder.1 | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/flawfinder.1 b/flawfinder.1 index 18e4ba4..10c092a 100644 --- a/flawfinder.1 +++ b/flawfinder.1 @@ -78,7 +78,8 @@ of those changes (created by GNU "diff -u" or "svn diff" or "git diff") in a patch file and use the \-\-patch (\-P) option. .PP Flawfinder will produce a list of ``hits'' (potential -security flaws), sorted by risk; the riskiest hits are shown first. +security flaws, also called findings), +sorted by risk; the riskiest hits are shown first. The risk level is shown inside square brackets and varies from 0, very little risk, to 5, great risk. This risk level depends not only on the function, but on the values of the @@ -106,7 +107,7 @@ banned list of functions released by Microsoft; see http://msdn.microsoft.com/en-us/library/bb288454.aspx for more information about banned functions. .PP -Not every hit is actually a security vulnerability, +Not every hit (aka finding) is actually a security vulnerability, and not every security vulnerability is necessarily found. Nevertheless, flawfinder can be an aid in finding and removing security vulnerabilities. @@ -971,7 +972,7 @@ Also, do not use the \-\-allowlink option in such cases; attackers could create malicious symbolic links to files outside of their source code area (such as /etc/passwd). .PP -Source code management systems (like SourceForge and Savannah) +Source code management systems (like GitHub, SourceForge, and Savannah) definitely fall into this category; if you're maintaining one of those systems, first copy or extract the files into a separate directory (that can't be controlled by attackers) 
@@ -1026,7 +1027,7 @@ most of the bugs listed here. On the positive side, flawfinder doesn't get confused by many complicated preprocessor sequences that other tools sometimes choke on; flawfinder can often handle code that cannot link, and sometimes -cannot even build. +cannot even compile or build. .PP Flawfinder is currently limited to C/C++. In addition, when analyzing C++ it focuses primarily on the C subset of C++. @@ -1092,13 +1093,15 @@ analyzing programs that aren't application-layer code The techniques may still be useful; feel free to replace the database if your situation is significantly different from normal. .PP -Flawfinder's output format (filename:linenumber, followed optionally +Flawfinder's default output format (filename:linenumber, followed optionally by a :columnnumber) can be misunderstood if any source files have very weird filenames. Filenames embedding a newline/linefeed character will cause odd breaks, and filenames including colon (:) are likely to be misunderstood. This is especially important if flawfinder's output is being used by other tools, such as filters or text editors. +If you are using flawfinder's output in other tools, consider using its +CSV format instead (which can handle this). If you're looking at new code, examine the files for such characters. It's incredibly unwise to have such filenames anyway; many tools can't handle such filenames at all. @@ -1119,7 +1122,7 @@ to report hits, so that they can be examined further, instead of silently ignoring them. Thus, flawfinder prefers to have false positives (reports that turn out to not be problems) rather than false negatives -(failure to report on a security vulnerability). +(failures to report security vulnerabilities). But this is a generality; flawfinder uses simplistic heuristics and simply can't get everything "right". .PP
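Review bot: In the hunk at @@ -78,7 the new text "(potential security flaws, also called findings)" introduces "findings" as a synonym for "hits", and the hunk at @@ -106,7 then repeats the same definition as "Not every hit (aka finding)". One definition is enough for a man page; keep the parenthetical in the first hunk and leave the second line as plain "Not every hit is actually a security vulnerability,", or, if the reminder is wanted there, write it out as "(also called a finding)" so the wording matches the earlier hunk instead of the informal "aka".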
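Review bot: In the hunk at @@ -1092,13 the added sentence "consider using its CSV format instead (which can handle this)" leaves "this" unexplained; say what the CSV output does with the filenames that the default filename:linenumber format cannot cope with (the newline and colon cases the paragraph just described), and name the command-line option that selects CSV output so a reader of this paragraph can find it without searching the options section.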