Change version number to 2.0.0 - use Semantic Versioning
This switches flawfinder's version naming conventions to comply with Semantic Versioning. We change the first digit to "2" because there's a subtle change in how CWEs are reported - see the ChangeLog or documentation for more information.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
parent 8f62d4290b
commit 872109f230
ChangeLog (25 changed lines)
@ -1,3 +1,28 @@
2017-07-29 David A. Wheeler <dwheeler, at, dwheeler.com>
* Change version numbers to use Semantic Versioning (x.y.z)
* Change version number to 2.0.0, because we have a subtle
interface change that won't affect most people but it
*may* affect those who use postprocess
flawfinder data on CWEs. The fundamental issue is that
in some cases a hit corresponds to multiple CWEs. As a result,
in some cases flawfinder will list a sequence of CWEs
in the format "more-general/more-specific", where the CWE actually
being mapped is followed by a "!".
This is always done whenever a flaw is not mapped directly to
a top 25 CWE, but the mapping is related to such a CWE.
So "CWE-119!/CWE-120" means that the vulnerability is mapped
to CWE-119 and that CWE-120 is a subset of CWE-119.
In contrast, "CWE-362/CWE-367!" means that the hit is mapped to
CWE-367, a subset of CWE-362.
Note that this is a subtle syntax change from flawfinder
version 1.31; in flawfinder version 1.31,
the form "more-general:more-specific" meant what is now listed as
"more-general!/more-specific", while
"more-general/more-specific" meant "more-general/more-specific!".
Tools can handle both the version 1.31 and the current format,
if they wish, by noting that the older format did not use "!" at all.
These mapping mechanisms simplify searching for certain CWEs.
2014-08-03 David A. Wheeler <dwheeler, at, dwheeler.com>
* Release version 1.31, a set of small improvements mostly CWE-related.
* Note that flawfinder is officially CWE-compatible.
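Review bot: the new entry jumps from the 2014-08-03 entry for 1.31 straight to 2.0.0, while every other file in this diff is being bumped from 1.32; either add a 1.32 entry, or state that 1.32 was never released and 2.0.0 replaces it, so a reader can tell which version first emitted the "!" syntax. Nothing else in this commit touches CWE output, so this paragraph documents behaviour that landed earlier; naming the version it arrived in would make "a subtle syntax change from flawfinder version 1.31" traceable. Also, the man page hunk in this same commit appends "(and thus this is easy to distinguish)" after "did not use "!" at all", but this copy of the text does not; keep the two in sync.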
README (2 changed lines)
@ -43,6 +43,6 @@ vulnerabilities in programs that cannot be built or cannot be linked.
Flawfinder also doesn't get as confused by macro definitions
and other oddities that more sophisticated tools have trouble with.
Flawfinder is released under the GNU GPL license version 2 or later (GPLv2+).
Flawfinder is released under the GNU GPL license version 2 or later (GPL-2.0+).
See the COPYING file for license information.
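Review bot: style point on the replaced line: "GNU GPL license version 2 or later" repeats "license" (GPL already expands to General Public License); "Flawfinder is released under the GNU GPL version 2 or later (GPL-2.0+)." reads cleaner and matches the wording used in the flawfinder script header in this commit. The identifier itself is consistent with the `license = 'GPL-2.0+'` change in setup.py.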
@ -9,8 +9,8 @@
<body>
<h1>Flawfinder Results</h1>
Here are the security scan results from
<a href="http://www.dwheeler.com/flawfinder">Flawfinder version 1.32</a>,
(C) 2001-2014 <a href="http://www.dwheeler.com">David A. Wheeler</a>.
<a href="http://www.dwheeler.com/flawfinder">Flawfinder version 2.0.0</a>,
(C) 2001-2017 <a href="http://www.dwheeler.com">David A. Wheeler</a>.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 209
<p>
Examining test.c <br>
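Review bot: this expected-output fixture hard-codes the version string and the copyright year ("Flawfinder version 2.0.0", "(C) 2001-2017"), so every release bump, and every change to the rule-count line ("209"), forces an edit here as well as in the text fixture; consider having the test compare output with the header lines filtered out, or make the fixture a template that substitutes `version`, so it only changes when scan results change.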
@ -1,4 +1,4 @@
Flawfinder version 1.32, (C) 2001-2014 David A. Wheeler.
Flawfinder version 2.0.0, (C) 2001-2017 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 209
Examining test.c
Examining test2.c
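Review bot: the plain-text header is the line downstream tools are most likely to parse, and it now carries a three-component version ("Flawfinder version 2.0.0, (C) 2001-2017 David A. Wheeler.") where 1.31 and 1.32 had two; any consumer matching the version with a two-field pattern will break. The commit message and ChangeLog only call out the CWE "!" syntax as the interface change; add a ChangeLog line noting the version-string shape change as well.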
flawfinder (10 changed lines)
@ -8,7 +8,7 @@ from __future__ import division
See the man page for a description of the options."""
version="1.32"
version="2.0.0"
# The default output is as follows:
# filename:line_number [risk_level] (type) function_name: message
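Review bot: minor style on the replaced line: PEP 8 spacing is `version = "2.0.0"`. More usefully, this is one of the hand-edited copies of the version number that the makefile comment in this commit enumerates; exposing it as `__version__` as well would let setup.py read it (import or regex) instead of carrying its own copy.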
@ -18,9 +18,9 @@ version="1.32"
#
# Currently this program can only analyze C/C++ code.
#
# Copyright (C) 2001-2014 David A. Wheeler.
# Copyright (C) 2001-2017 David A. Wheeler.
# This is released under the
# GNU General Public License (GPL) version 2 or later (GPLv2+):
# GNU General Public License (GPL) version 2 or later (GPL-2.0+):
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
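Review bot: with the license now named by its SPDX short identifier in the comment ("GPL-2.0+"), a machine-readable `# SPDX-License-Identifier: GPL-2.0+` line near the top of the script would let license scanners pick it up without parsing the prose; the prose line itself can stay as is.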
@ -1523,9 +1523,9 @@ def display_header():
print "<h1>Flawfinder Results</h1>"
print "Here are the security scan results from"
print '<a href="http://www.dwheeler.com/flawfinder">Flawfinder version %s</a>,' % version
print '(C) 2001-2014 <a href="http://www.dwheeler.com">David A. Wheeler</a>.'
print '(C) 2001-2017 <a href="http://www.dwheeler.com">David A. Wheeler</a>.'
else:
print "Flawfinder version %s, (C) 2001-2014 David A. Wheeler." % version
print "Flawfinder version %s, (C) 2001-2017 David A. Wheeler." % version
displayed_header = 1
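Review bot: the copyright year range is now spelled out three times in this file (the header comment and both branches of display_header) and none was missed here, but the next bump has to find all three again; hoist it into a constant beside `version` (for example `copyright_years = "2001-2017"`, a name suggested here, not one the file uses) and interpolate it in both print statements the same way `version` already is.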
@ -791,10 +791,11 @@ CWE-367, a subset of CWE-362.
Note that this is a subtle syntax change from flawfinder version 1.31;
in flawfinder version 1.31,
the form "more-general:more-specific" meant what is now listed as
"more-general!:more-specific", while
"more-general!/more-specific", while
"more-general/more-specific" meant "more-general/more-specific!".
Tools can handle both the version 1.31 and the current format,
if they wish, by noting that the older format did not use "!" at all.
if they wish, by noting that the older format did not use "!" at all
(and thus this is easy to distinguish).
These mapping mechanisms simplify searching for certain CWEs.
.PP
CWE version 2.7 (released June 23, 2014) was used for the mapping.
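Review bot: the corrected line resolves the "!:" versus "!/" inconsistency, so the man page now agrees with the ChangeLog text in this commit ("more-general!/more-specific"); good. While here, the unchanged context line "CWE version 2.7 (released June 23, 2014) was used for the mapping." now sits directly under a version and copyright bump to 2017; confirm the mapping really is still against CWE 2.7 or update that sentence, since a reader will otherwise assume the "!" forms were mapped against a newer list.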
@ -1,6 +1,6 @@
Name: flawfinder
Summary: Examines C/C++ source code for security flaws
Version: 1.32
Version: 2.0.0
Release: 1%{?dist}
License: GPLv2+
Group: Development/Tools
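Review bot: `License: GPLv2+` is left alone while README and setup.py switch to "GPL-2.0+", and that is the right call: RPM spec License tags (Fedora's, at the time) use the distribution's own short names rather than SPDX identifiers. A one-line comment in the spec saying so would stop the next person from "fixing" it. `Release: 1%{?dist}` reset alongside the Version bump is correct.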
makefile (7 changed lines)
@ -1,5 +1,6 @@
# Flawfinder. Released under the General Public License (GPL).
# (C) 2001-2014 David A. Wheeler.
# Flawfinder.
# Released under the General Public License (GPL) version 2 or later.
# (C) 2001-2017 David A. Wheeler.
# To change version number, edit this here, the beginning of the
# "flawfinder" script, flawfinder.spec, setup.py, and index.html.
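Review bot: the retained comment says the version must also be edited in index.html, but no hunk for index.html appears in this diff; either index.html still says 1.32 and needs the same bump, or it is no longer versioned and should be dropped from the list. Five hand-edited copies of one number is exactly what the comment below ("Eventually switch to using DistUtils to autogenerate") is about; generating the others from this VERSION would remove the class of mistake rather than document it.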
@ -9,7 +10,7 @@
# Eventually switch to using DistUtils to autogenerate.
NAME=flawfinder
VERSION=1.32
VERSION=2.0.0
RPM_VERSION=1
VERSIONEDNAME=$(NAME)-$(VERSION)
ARCH=noarch
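Review bot: VERSIONEDNAME now expands to flawfinder-2.0.0 instead of flawfinder-1.32, so any release script, tarball name or download link built from it that assumed a two-field version should be checked before tagging. RPM_VERSION=1 matches the `Release: 1%{?dist}` reset in the spec.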
setup.py (4 changed lines)
@ -25,11 +25,11 @@ import commands
setup (# Distribution meta-data
name = "flawfinder",
version = "1.32",
version = "2.0.0",
description = "a program that examines source code looking for security weaknesses",
author = "David A. Wheeler",
author_email = "dwheeler@dwheeler.com",
license = 'GPL',
license = 'GPL-2.0+',
long_description = """Flawfinder is a program that can scan
C/C++ source code and identify out potential security flaws,
ranking them by likely severity.
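Review bot: `license = 'GPL-2.0+'` is fine as far as it goes, but the distutils `license` field is free text that PyPI does not index; the machine-readable signal is the classifier "License :: OSI Approved :: GNU General Public License v2 or later (GPLv2+)", which the visible part of this setup() call does not set, so add it. Also a typo in the unchanged context: "identify out potential security flaws" should read "identify potential security flaws".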