Change version number to 2.0.0 - use Semantic Versioning
This switches flawfinder's version naming conventions to comply with Semantic Versioning. We change the first digit to "2" because there's a subtle change in how CWEs are reported - see the ChangeLog or documentation for more information.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
parent
8f62d4290b
commit
872109f230
25
ChangeLog
|
@ -1,3 +1,28 @@
|
||||||
|
2017-07-29 David A. Wheeler <dwheeler, at, dwheeler.com>
|
||||||
|
* Change version numbers to use Semantic Versioning (x.y.z)
|
||||||
|
* Change version number to 2.0.0, because we have a subtle
|
||||||
|
interface change that won't affect most people but it
|
||||||
|
*may* affect those who use postprocess
|
||||||
|
flawfinder data on CWEs. The fundamental issue is that
|
||||||
|
in some cases a hit corresponds to multiple CWEs. As a result,
|
||||||
|
in some cases flawfinder will list a sequence of CWEs
|
||||||
|
in the format "more-general/more-specific", where the CWE actually
|
||||||
|
being mapped is followed by a "!".
|
||||||
|
This is always done whenever a flaw is not mapped directly to
|
||||||
|
a top 25 CWE, but the mapping is related to such a CWE.
|
||||||
|
So "CWE-119!/CWE-120" means that the vulnerability is mapped
|
||||||
|
to CWE-119 and that CWE-120 is a subset of CWE-119.
|
||||||
|
In contrast, "CWE-362/CWE-367!" means that the hit is mapped to
|
||||||
|
CWE-367, a subset of CWE-362.
|
||||||
|
Note that this is a subtle syntax change from flawfinder
|
||||||
|
version 1.31; in flawfinder version 1.31,
|
||||||
|
the form "more-general:more-specific" meant what is now listed as
|
||||||
|
"more-general!/more-specific", while
|
||||||
|
"more-general/more-specific" meant "more-general/more-specific!".
|
||||||
|
Tools can handle both the version 1.31 and the current format,
|
||||||
|
if they wish, by noting that the older format did not use "!" at all.
|
||||||
|
These mapping mechanisms simplify searching for certain CWEs.
|
||||||
|
|
||||||
2014-08-03 David A. Wheeler <dwheeler, at, dwheeler.com>
|
2014-08-03 David A. Wheeler <dwheeler, at, dwheeler.com>
|
||||||
* Release version 1.31, a set of small improvements mostly CWE-related.
|
* Release version 1.31, a set of small improvements mostly CWE-related.
|
||||||
* Note that flawfinder is officially CWE-compatible.
|
* Note that flawfinder is officially CWE-compatible.
|
||||||
|
|
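Review bot: The new 2017-07-29 entry jumps from the 1.31 entry straight to 2.0.0 and never mentions 1.32, yet every other hunk in this diff replaces the literal "1.32" (flawfinder, setup.py, makefile, the spec and both test fixtures), so a ChangeLog reader cannot tell whether 1.32 was ever released; add a line stating what happened to 1.32, and mirror the 1.31 entry with an explicit "* Release version 2.0.0" line so the release itself, not only the numbering policy, is recorded.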
2
README
|
@ -43,6 +43,6 @@ vulnerabilities in programs that cannot be built or cannot be linked.
|
||||||
Flawfinder also doesn't get as confused by macro definitions
|
Flawfinder also doesn't get as confused by macro definitions
|
||||||
and other oddities that more sophisticated tools have trouble with.
|
and other oddities that more sophisticated tools have trouble with.
|
||||||
|
|
||||||
Flawfinder is released under the GNU GPL license version 2 or later (GPLv2+).
|
Flawfinder is released under the GNU GPL license version 2 or later (GPL-2.0+).
|
||||||
See the COPYING file for license information.
|
See the COPYING file for license information.
|
||||||
|
|
||||||
|
|
|
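Review bot: "GPL-2.0+" on the replacement line is the SPDX short identifier (SPDX later deprecated it in favour of "GPL-2.0-or-later"), while the spec hunk in this same commit keeps "License: GPLv2+"; that difference is the RPM packaging convention rather than an oversight, so a short remark here or in COPYING that both strings name the same license would save packagers a question.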
@ -9,8 +9,8 @@
|
||||||
<body>
|
<body>
|
||||||
<h1>Flawfinder Results</h1>
|
<h1>Flawfinder Results</h1>
|
||||||
Here are the security scan results from
|
Here are the security scan results from
|
||||||
<a href="http://www.dwheeler.com/flawfinder">Flawfinder version 1.32</a>,
|
<a href="http://www.dwheeler.com/flawfinder">Flawfinder version 2.0.0</a>,
|
||||||
(C) 2001-2014 <a href="http://www.dwheeler.com">David A. Wheeler</a>.
|
(C) 2001-2017 <a href="http://www.dwheeler.com">David A. Wheeler</a>.
|
||||||
Number of rules (primarily dangerous function names) in C/C++ ruleset: 209
|
Number of rules (primarily dangerous function names) in C/C++ ruleset: 209
|
||||||
<p>
|
<p>
|
||||||
Examining test.c <br>
|
Examining test.c <br>
|
||||||
|
|
|
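Review bot: The expected-output fixture hardcodes both the version ("Flawfinder version 2.0.0") and the copyright range ("2001-2017"), so every version bump and every new year forces a fixture edit and a stale fixture fails the suite for reasons unrelated to the scanner's findings; have the test compare the header after substituting the version and year (or skip the header lines) so fixtures change only when scan results change.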
@ -1,4 +1,4 @@
|
||||||
Flawfinder version 1.32, (C) 2001-2014 David A. Wheeler.
|
Flawfinder version 2.0.0, (C) 2001-2017 David A. Wheeler.
|
||||||
Number of rules (primarily dangerous function names) in C/C++ ruleset: 209
|
Number of rules (primarily dangerous function names) in C/C++ ruleset: 209
|
||||||
Examining test.c
|
Examining test.c
|
||||||
Examining test2.c
|
Examining test2.c
|
||||||
|
|
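Review bot: Only the header line of the text fixture changes here, while the ChangeLog hunk in this commit gives the "CWE-119!/CWE-120" output format as the reason for the major bump; if that format landed in an earlier commit the hit lines in this fixture already use the "!" form and nothing more is needed, otherwise the fixture's CWE lines should change in the same commit as the format. Either way, a cross-reference from the ChangeLog entry to the commit that changed the output would make the 2.0.0 rationale verifiable.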
10
flawfinder
|
@ -8,7 +8,7 @@ from __future__ import division
|
||||||
|
|
||||||
See the man page for a description of the options."""
|
See the man page for a description of the options."""
|
||||||
|
|
||||||
version="1.32"
|
version="2.0.0"
|
||||||
|
|
||||||
# The default output is as follows:
|
# The default output is as follows:
|
||||||
# filename:line_number [risk_level] (type) function_name: message
|
# filename:line_number [risk_level] (type) function_name: message
|
||||||
|
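Review bot: version="2.0.0" is one of at least five copies of the same literal in this commit (flawfinder, setup.py, makefile, flawfinder.spec and the test fixtures), which is exactly the situation where a bump gets half-applied; the makefile already holds VERSION=2.0.0, so having it generate or patch the other copies (the makefile comment itself says "Eventually switch to using DistUtils to autogenerate") would leave a single source of truth.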
@ -18,9 +18,9 @@ version="1.32"
|
||||||
#
|
#
|
||||||
# Currently this program can only analyze C/C++ code.
|
# Currently this program can only analyze C/C++ code.
|
||||||
#
|
#
|
||||||
# Copyright (C) 2001-2014 David A. Wheeler.
|
# Copyright (C) 2001-2017 David A. Wheeler.
|
||||||
# This is released under the
|
# This is released under the
|
||||||
# GNU General Public License (GPL) version 2 or later (GPLv2+):
|
# GNU General Public License (GPL) version 2 or later (GPL-2.0+):
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or modify
|
# This program is free software; you can redistribute it and/or modify
|
||||||
# it under the terms of the GNU General Public License as published by
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
@ -1523,9 +1523,9 @@ def display_header():
|
||||||
print "<h1>Flawfinder Results</h1>"
|
print "<h1>Flawfinder Results</h1>"
|
||||||
print "Here are the security scan results from"
|
print "Here are the security scan results from"
|
||||||
print '<a href="http://www.dwheeler.com/flawfinder">Flawfinder version %s</a>,' % version
|
print '<a href="http://www.dwheeler.com/flawfinder">Flawfinder version %s</a>,' % version
|
||||||
print '(C) 2001-2014 <a href="http://www.dwheeler.com">David A. Wheeler</a>.'
|
print '(C) 2001-2017 <a href="http://www.dwheeler.com">David A. Wheeler</a>.'
|
||||||
else:
|
else:
|
||||||
print "Flawfinder version %s, (C) 2001-2014 David A. Wheeler." % version
|
print "Flawfinder version %s, (C) 2001-2017 David A. Wheeler." % version
|
||||||
displayed_header = 1
|
displayed_header = 1
|
||||||
|
|
||||||
|
|
||||||
|
|
|
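Review bot: The copyright range "2001-2017" is now repeated in two string literals inside display_header() (the HTML branch and the plain-text branch) and again in the file header comment; a module-level constant next to version, used by both branches, keeps the two output modes from diverging the next time the year changes, which is the reason the HTML and text fixtures in this commit had to be edited in lockstep.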
@ -791,10 +791,11 @@ CWE-367, a subset of CWE-362.
|
||||||
Note that this is a subtle syntax change from flawfinder version 1.31;
|
Note that this is a subtle syntax change from flawfinder version 1.31;
|
||||||
in flawfinder version 1.31,
|
in flawfinder version 1.31,
|
||||||
the form "more-general:more-specific" meant what is now listed as
|
the form "more-general:more-specific" meant what is now listed as
|
||||||
"more-general!:more-specific", while
|
"more-general!/more-specific", while
|
||||||
"more-general/more-specific" meant "more-general/more-specific!".
|
"more-general/more-specific" meant "more-general/more-specific!".
|
||||||
Tools can handle both the version 1.31 and the current format,
|
Tools can handle both the version 1.31 and the current format,
|
||||||
if they wish, by noting that the older format did not use "!" at all.
|
if they wish, by noting that the older format did not use "!" at all
|
||||||
|
(and thus this is easy to distinguish).
|
||||||
These mapping mechanisms simplify searching for certain CWEs.
|
These mapping mechanisms simplify searching for certain CWEs.
|
||||||
.PP
|
.PP
|
||||||
CWE version 2.7 (released June 23, 2014) was used for the mapping.
|
CWE version 2.7 (released June 23, 2014) was used for the mapping.
|
||||||
|
|
|
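Review bot: The "more-general!:more-specific" to "more-general!/more-specific" correction and the added "(and thus this is easy to distinguish)" clause are man page fixes unrelated to the version bump and would be easier to trace in their own commit; more importantly, the same paragraph is duplicated verbatim in the ChangeLog entry added by this commit, which lacks the new clause, so the two copies have already diverged. Also confirm the unchanged context line "CWE version 2.7 (released June 23, 2014) was used for the mapping." still holds for 2.0.0, since the "!" mapping syntax is the stated reason for the major bump.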
@ -1,6 +1,6 @@
|
||||||
Name: flawfinder
|
Name: flawfinder
|
||||||
Summary: Examines C/C++ source code for security flaws
|
Summary: Examines C/C++ source code for security flaws
|
||||||
Version: 1.32
|
Version: 2.0.0
|
||||||
Release: 1%{?dist}
|
Release: 1%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: Development/Tools
|
Group: Development/Tools
|
||||||
|
|
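Review bot: "License: GPLv2+" is left unchanged while README and setup.py switch to "GPL-2.0+"; that is correct for an RPM spec, where GPLv2+ is the expected license tag, but a one-line comment in the spec saying so will stop a later cleanup pass from "fixing" it. Release: 1%{?dist} staying at 1 for the new version matches RPM_VERSION=1 in the makefile hunk.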
7
makefile
|
@ -1,5 +1,6 @@
|
||||||
# Flawfinder. Released under the General Public License (GPL).
|
# Flawfinder.
|
||||||
# (C) 2001-2014 David A. Wheeler.
|
# Released under the General Public License (GPL) version 2 or later.
|
||||||
|
# (C) 2001-2017 David A. Wheeler.
|
||||||
|
|
||||||
# To change version number, edit this here, the beginning of the
|
# To change version number, edit this here, the beginning of the
|
||||||
# "flawfinder" script, flawfinder.spec, setup.py, and index.html.
|
# "flawfinder" script, flawfinder.spec, setup.py, and index.html.
|
||||||
|
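Review bot: The comment lists index.html among the files that carry the version number, but index.html is not part of this diff; either update it in this commit or, if it is maintained elsewhere, drop it from the list so the comment remains a reliable checklist. Splitting the old first line into "# Flawfinder." and a separate "version 2 or later" license line also removes the ambiguity of the previous "Released under the General Public License (GPL)" wording.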
@ -9,7 +10,7 @@
|
||||||
# Eventually switch to using DistUtils to autogenerate.
|
# Eventually switch to using DistUtils to autogenerate.
|
||||||
|
|
||||||
NAME=flawfinder
|
NAME=flawfinder
|
||||||
VERSION=1.32
|
VERSION=2.0.0
|
||||||
RPM_VERSION=1
|
RPM_VERSION=1
|
||||||
VERSIONEDNAME=$(NAME)-$(VERSION)
|
VERSIONEDNAME=$(NAME)-$(VERSION)
|
||||||
ARCH=noarch
|
ARCH=noarch
|
||||||
|
|
4
setup.py
|
@ -25,11 +25,11 @@ import commands
|
||||||
|
|
||||||
setup (# Distribution meta-data
|
setup (# Distribution meta-data
|
||||||
name = "flawfinder",
|
name = "flawfinder",
|
||||||
version = "1.32",
|
version = "2.0.0",
|
||||||
description = "a program that examines source code looking for security weaknesses",
|
description = "a program that examines source code looking for security weaknesses",
|
||||||
author = "David A. Wheeler",
|
author = "David A. Wheeler",
|
||||||
author_email = "dwheeler@dwheeler.com",
|
author_email = "dwheeler@dwheeler.com",
|
||||||
license = 'GPL',
|
license = 'GPL-2.0+',
|
||||||
long_description = """Flawfinder is a program that can scan
|
long_description = """Flawfinder is a program that can scan
|
||||||
C/C++ source code and identify out potential security flaws,
|
C/C++ source code and identify out potential security flaws,
|
||||||
ranking them by likely severity.
|
ranking them by likely severity.
|
||||||
|
|