From 6f513af900f2f73bd672ddfbd54b8eb95caab4f1 Mon Sep 17 00:00:00 2001
From: "David A. Wheeler"
Date: Sat, 23 Sep 2017 20:36:50 -0400
Subject: [PATCH] Always report hit counts correctly, even if ignored using -m

This commit means that the output provides useful summary data, even if the lower-level hits are suppressed. Note that this does use a little more memory when some hits are supressed, since the hitlist is fully created even if only parts are displayed. However, modern systems have lots of memory. Hopefully we'll never analyze software with so many problems that this is a problem itself :-). If someone ever has that problem, they can output everything and filter it separately.

Signed-off-by: David A. Wheeler
---
 correct-results.html | 6 +++---
 correct-results.txt | 6 +++---
 flawfinder | 23 ++++++++++++-----------
 makefile | 4 ++--
 4 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/correct-results.html b/correct-results.html
index 3c0c0ba..8107923 100644
--- a/correct-results.html
+++ b/correct-results.html
@@ -311,9 +311,9 @@ Lines analyzed = 118
Physical Source Lines of Code (SLOC) = 80
-Hits@level = [0] 0 [1] 9 [2] 7 [3] 3 [4] 10 [5] 7
-Hits@level+ = [0+] 36 [1+] 36 [2+] 27 [3+] 20 [4+] 17 [5+] 7
-Hits/KSLOC@level+ = [0+] 450 [1+] 450 [2+] 337.5 [3+] 250 [4+] 212.5 [5+] 87.5
+Hits@level = [0] 16 [1] 9 [2] 7 [3] 3 [4] 10 [5] 7
+Hits@level+ = [0+] 52 [1+] 36 [2+] 27 [3+] 20 [4+] 17 [5+] 7
+Hits/KSLOC@level+ = [0+] 650 [1+] 450 [2+] 337.5 [3+] 250 [4+] 212.5 [5+] 87.5
Suppressed hits = 2 (use --neverignore to show them)
Minimum risk level = 1
diff --git a/correct-results.txt b/correct-results.txt
index aed12f6..6a6c122 100644
--- a/correct-results.txt
+++ b/correct-results.txt
@@ -143,9 +143,9 @@ ANALYSIS SUMMARY:
 Hits = 36
 Lines analyzed = 118
 Physical Source Lines of Code (SLOC) = 80
-Hits@level = [0] 0 [1] 9 [2] 7 [3] 3 [4] 10 [5] 7
-Hits@level+ = [0+] 36 [1+] 36 [2+] 27 [3+] 20 [4+] 17 [5+] 7
-Hits/KSLOC@level+ = [0+] 450 [1+] 450 [2+] 337.5 [3+] 250 [4+] 212.5 [5+] 87.5
+Hits@level = [0] 16 [1] 9 [2] 7 [3] 3 [4] 10 [5] 7
+Hits@level+ = [0+] 52 [1+] 36 [2+] 27 [3+] 20 [4+] 17 [5+] 7
+Hits/KSLOC@level+ = [0+] 650 [1+] 450 [2+] 337.5 [3+] 250 [4+] 212.5 [5+] 87.5
 Suppressed hits = 2 (use --neverignore to show them)
 Minimum risk level = 1
 Not every hit is necessarily a security vulnerability.
diff --git a/flawfinder b/flawfinder
index 7394946..58249d4 100755
--- a/flawfinder
+++ b/flawfinder
@@ -476,13 +476,12 @@ def add_warning(hit):
 if required_regex and (required_regex_compiled.search(hit.warning) is None):
 return
- if hit.level >= minimum_level:
- if linenumber == ignoreline:
- num_ignored_hits = num_ignored_hits + 1
- else:
- hitlist.append(hit)
- if show_immediately:
- hit.show()
+ if linenumber == ignoreline:
+ num_ignored_hits = num_ignored_hits + 1
+ else:
+ hitlist.append(hit)
+ if show_immediately:
+ hit.show()
 def internal_warn(message):
@@ -2039,9 +2038,10 @@ def show_final_results():
 print("")
 diff_file.close()
@@ -2049,11 +2049,12 @@ def show_final_results():
 if output_format:
 print("")
- count = len(hitlist)
 # Done with list, show the post-hitlist summary.
 if showheading:
 if output_format:
diff --git a/makefile b/makefile
index 8816ee4..13796ee 100644
--- a/makefile
+++ b/makefile
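Review bot: With the `hit.level >= minimum_level` guard removed from add_warning, the `show_immediately` branch now calls `hit.show()` for every hit that passes the regex and ignore-line checks, including hits below the -m threshold, unless `hit.show()` applies `minimum_level` itself, which nothing in this hunk shows. If only the final summary is meant to see the full list, the immediate path should keep the level test: `if show_immediately and hit.level >= minimum_level:`. The two later hunks in show_final_results (at 2038 and 2049) appear truncated on this page: `count = len(hitlist)` is deleted but the replacement count logic is not visible, so it is worth confirming that `count`, the per-level counters and the --savehitlist/--loadhitlist path all agree on whether they now operate on the unfiltered list. Because the saved hitlist now contains every level regardless of -m (the makefile test is adjusted for this), that user-visible change deserves a ChangeLog or man-page note, which the diffstat does not include. The start of add_warning lies before the hunk.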
@@ -169,10 +169,10 @@ test_005: flawfinder test-diff-005.patch test-patched.c
 test_006: flawfinder test.c
 @echo 'test_006 (save/load hitlist)'
- @$(PYTHON) ./flawfinder -m 5 -S -DC --quiet \
+ @$(PYTHON) ./flawfinder -S -DC --quiet \
 --savehitlist test-saved-hitlist-006.txt \
 test.c > test-junk-006.txt
- @$(PYTHON) ./flawfinder -SQDC \
+ @$(PYTHON) ./flawfinder -SQDC -m 5 \
 --loadhitlist test-saved-hitlist-006.txt > \
 test-results-006.txt
 @diff -u correct-results-006.txt test-results-006.txt
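Review bot: Moving `-m 5` from the save step to the load step makes test_006 save an unfiltered hitlist and rely on filtering at display time, yet correct-results-006.txt is not in the diffstat, so the test only passes if the displayed hits are byte-identical to before, and since both invocations use -D the summary counts this commit is about are, as far as I can tell, not asserted anywhere in test_006. Consider a run without -D that diffs against an expected file containing the corrected `Hits@level` lines, or at least a comment on the target such as `# -m is applied on load so the saved hitlist keeps every level`. That -D suppresses the summary is inferred from the option and the unchanged expected file, not from lines in this hunk.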