From 620a6df8945c3101d32e02e70bfdf94b89f85df5 Mon Sep 17 00:00:00 2001 From: "David A. Wheeler" Date: Sun, 13 Jul 2014 09:53:15 -0400 Subject: [PATCH] Document CWEs covered by flawfinder --- flawfinder.1 | 52 +++++++++++++++++++++++++++++++++++++++++----------- makefile | 2 +- 2 files changed, 42 insertions(+), 12 deletions(-) diff --git a/flawfinder.1 b/flawfinder.1 index 6d49d13..66cef9b 100644 --- a/flawfinder.1 +++ b/flawfinder.1 @@ -92,17 +92,9 @@ Flawfinder correctly ignores most text inside comments and strings. Normally flawfinder shows all hits with a risk level of at least 1, but you can use the \-\-minlevel option to show only hits with higher risk levels if you wish. -.PP -Hit descriptions typically include a relevant -Common Weakness Enumeration (CWE) identifier in parentheses. -For example, many of the buffer-related hits mention -CWE-120, the CWE identifier for -``buffer copy without checking size of input'' -(aka ``Classic Buffer Overflow''). -For more information on CWEs, see http://cwe.mitre.org. -CWEs were preferentially assigned from the CWE/SANS top 25 list -(http://cwe.mitre.org/top25/), -though in some cases a more specific or general CWE is used. +Hit descriptions also note the relevant +Common Weakness Enumeration (CWE) identifier(s) in parentheses, +as discussed below. .PP Not every hit is actually a security vulnerability, and not every security vulnerability is necessarily found. @@ -218,6 +210,7 @@ Flawfinder works similarly to another program, ITS4, which is not fully open source software (as defined in the Open Source Definition) nor free software (as defined by the Free Software Foundation). The author of Flawfinder has never seen ITS4's source code. + .SH "BRIEF TUTORIAL" Here's a brief example of how flawfinder might be used. 
@@ -686,6 +679,43 @@ parse output of a "grep" command, similar to the variable "compilation-error-regexp-alist" which lists various formats of compilation error messages. + +.SH COMMON WEAKNESS ENUMERATION (CWE) +.PP +Hit descriptions typically include a relevant +Common Weakness Enumeration (CWE) identifier in parentheses. +For example, many of the buffer-related hits mention +CWE-120, the CWE identifier for +``buffer copy without checking size of input'' +(aka ``Classic Buffer Overflow''). +CWE version 2.7 (released June 23, 2014) was used. +Note that many of these CWEs are identified in the CWE/SANS top 25 list +(http://cwe.mitre.org/top25/). + +.PP +Flawfinder can report the following CWEs: +CWE-22 +CWE-78 +CWE-119 +CWE-120 +CWE-134 +CWE-190 +CWE-250 +CWE-327 +CWE-362 +CWE-377 +CWE-676 +CWE-732 +CWE-807 +CWE-829. + +.PP +Flawfinder may fail to find a +vulnerability, even if it is covered by one of these weaknesses. + +.PP +For more information on CWEs, see http://cwe.mitre.org. + .SH SECURITY You should always analyze a \fIcopy\fP of the source program being analyzed, diff --git a/makefile b/makefile index ac9bb18..019a0e1 100644 --- a/makefile +++ b/makefile @@ -151,7 +151,7 @@ my_install: flawfinder.pdf flawfinder.ps show-cwes: flex -o cwe.c cwe.l gcc -o cwe cwe.c -lfl - ./cwe < flawfinder | sort -u + ./cwe < flawfinder | sort -u -V .PHONY: install clean test check profile test-is-correct rpm uninstall distribute
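Review bot: In the flawfinder.1 hunk at `@@ -92,17 +92,9 @@`, the `.PP` is deleted but not replaced before the new `Hit descriptions also note the relevant` line, so that sentence now runs on from the preceding paragraph ("...if you wish. Hit descriptions also note the relevant Common Weakness Enumeration..."). Keep a `.PP` there so the CWE pointer stays its own paragraph, and since the referenced text is now several hundred lines further down, name the target ("see the COMMON WEAKNESS ENUMERATION (CWE) section below") rather than "as discussed below".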
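Review bot: The `@@ -218,6 +210,7 @@` hunk adds only a blank input line before `.SH "BRIEF TUTORIAL"`; in troff a blank line in fill mode is rendered as a blank output line, and `.SH` already supplies its own vertical spacing, so this produces extra space in the formatted page (mandoc's lint mode warns about blank lines for this reason). Drop the blank line, or use a `.\"` comment line if the goal is readability of the source.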
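Review bot: In the `@@ -686,6 +679,43 @@` hunk the CWE list (`CWE-22` ... `CWE-829.`) is hard-coded in the man page even though the makefile's `show-cwes` target derives the same list from the `flawfinder` source, so the two will drift apart silently when a hit's CWE annotation changes. Add a `.\"` comment above the list saying it is the output of `make show-cwes` and must be regenerated whenever hits are added or re-annotated. Two smaller points in the same hunk: the identifiers are one per line in fill mode, so they format as a single run-on line with no separators, and either comma-separating them or wrapping them in `.nf`/`.fi` would make the list readable; and the new heading `.SH COMMON WEAKNESS ENUMERATION (CWE)` should be quoted like the existing `.SH "BRIEF TUTORIAL"` for consistency, while the blank lines before each added `.PP` are redundant with the spacing `.PP` already emits.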
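Review bot: In the makefile hunk at `@@ -151,7 +151,7 @@`, `-V` (version sort) is a GNU sort extension not specified by POSIX, so `./cwe < flawfinder | sort -u -V` will fail on platforms whose `sort` lacks it. Since `show-cwes` is a maintainer-only target this is acceptable, but add a comment noting the GNU dependency and that `-V` is what puts `CWE-22` before `CWE-78` before `CWE-119`, matching the order in the new man page section; a plain `sort -u` would order them lexically instead.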