walkero
/
flawfinder
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Document CWEs covered by flawfinder

This commit is contained in:
David A. Wheeler 2014-07-13 09:53:15 -04:00
parent 289f341f90
commit 620a6df894
2 changed files with 42 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
flawfinder.1
View File

@ -92,17 +92,9 @@ Flawfinder correctly ignores most text inside comments and strings.
Normally flawfinder shows all hits with a risk level of at least 1, Normally flawfinder shows all hits with a risk level of at least 1,
but you can use the \-\-minlevel option but you can use the \-\-minlevel option
to show only hits with higher risk levels if you wish. to show only hits with higher risk levels if you wish.
.PP Hit descriptions also note the relevant
Hit descriptions typically include a relevant Common Weakness Enumeration (CWE) identifier(s) in parentheses,
Common Weakness Enumeration (CWE) identifier in parentheses. as discussed below.
For example, many of the buffer-related hits mention
CWE-120, the CWE identifier for
``buffer copy without checking size of input''
(aka ``Classic Buffer Overflow'').
For more information on CWEs, see http://cwe.mitre.org.
CWEs were preferentially assigned from the CWE/SANS top 25 list
(http://cwe.mitre.org/top25/),
though in some cases a more specific or general CWE is used.
.PP .PP
Not every hit is actually a security vulnerability, Not every hit is actually a security vulnerability,
and not every security vulnerability is necessarily found. and not every security vulnerability is necessarily found.
@ -218,6 +210,7 @@ Flawfinder works similarly to another program, ITS4, which is not
fully open source software (as defined in the Open Source Definition) fully open source software (as defined in the Open Source Definition)
nor free software (as defined by the Free Software Foundation). nor free software (as defined by the Free Software Foundation).
The author of Flawfinder has never seen ITS4's source code. The author of Flawfinder has never seen ITS4's source code.
.SH "BRIEF TUTORIAL" .SH "BRIEF TUTORIAL"
Here's a brief example of how flawfinder might be used. Here's a brief example of how flawfinder might be used.
@ -686,6 +679,43 @@ parse output of a "grep" command, similar to the
variable "compilation-error-regexp-alist" which lists various formats variable "compilation-error-regexp-alist" which lists various formats
of compilation error messages. of compilation error messages.
.SH COMMON WEAKNESS ENUMERATION (CWE)
.PP
Hit descriptions typically include a relevant
Common Weakness Enumeration (CWE) identifier in parentheses.
For example, many of the buffer-related hits mention
CWE-120, the CWE identifier for
``buffer copy without checking size of input''
(aka ``Classic Buffer Overflow'').
CWE version 2.7 (released June 23, 2014) was used.
Note that many of these CWEs are identified in the CWE/SANS top 25 list
(http://cwe.mitre.org/top25/).
.PP
Flawfinder can report the following CWEs:
CWE-22
CWE-78
CWE-119
CWE-120
CWE-134
CWE-190
CWE-250
CWE-327
CWE-362
CWE-377
CWE-676
CWE-732
CWE-807
CWE-829.
.PP
Flawfinder may fail to find a
vulnerability, even if it is covered by one of these weaknesses.
.PP
For more information on CWEs, see http://cwe.mitre.org.
.SH SECURITY .SH SECURITY
You should always analyze a \fIcopy\fP of the source program being analyzed, You should always analyze a \fIcopy\fP of the source program being analyzed,

2
makefile
View File

@ -151,7 +151,7 @@ my_install: flawfinder.pdf flawfinder.ps
show-cwes: show-cwes:
flex -o cwe.c cwe.l flex -o cwe.c cwe.l
gcc -o cwe cwe.c -lfl gcc -o cwe cwe.c -lfl
./cwe < flawfinder | sort -u ./cwe < flawfinder | sort -u -V
.PHONY: install clean test check profile test-is-correct rpm uninstall distribute .PHONY: install clean test check profile test-is-correct rpm uninstall distribute