walkero
/
flawfinder
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Update documentation 

Document that we now support GitHub.  Also, change .md files
to use ~~~~ instead of `...` because that's friendlier to
people who want to cut-and-paste commands.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
This commit is contained in:
David A. Wheeler 2019-01-21 17:30:28 -05:00
parent 49a2289fe3
commit 9206c93517
4 changed files with 94 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
CONTRIBUTING.md
View File

@ -3,13 +3,24 @@
We love contributions! Here's how to do them in a way that will We love contributions! Here's how to do them in a way that will
make everyone's lives easy. make everyone's lives easy.
Flawfinder has long been maintained on SourceForge.
We now support reporting and changes using either SourceForge or GitHub.
## Reporting ## Reporting
For normal problems, bugs, and feature requests, please file a For normal problems, bugs, and feature requests, *except* for
[ticket](https://sourceforge.net/p/flawfinder/_list/tickets). vulnerabilities, please file a
[GitHub issue](https://github.com/david-a-wheeler/flawfinder/issues) or
[SourceForge ticket](https://sourceforge.net/p/flawfinder/_list/tickets).
If you find a vulnerability, please separately send a private email to If you find a vulnerability, please separately send a private email to
[David A. Wheeler](https://dwheeler.com/contactme.html). [David A. Wheeler](https://dwheeler.com/contactme.html).
To maintain confidentiality,
please use an email system that implements STARTTLS hop-by-hop email
encryption on outgoing email (many do, including
Gmail, hotmail.com, live.com, outlook.com, and runbox.com).
For more about STARTTLS, see the
EFF's [STARTTLS Everywhere](https://www.starttls-everywhere.org/) project.
We plan to handle vulnerabilities separately, fixing them and *then* We plan to handle vulnerabilities separately, fixing them and *then*
telling the world. We will gladly provide credit to vulnerability reporters telling the world. We will gladly provide credit to vulnerability reporters
(unless you don't want the credit). We've never had a vulnerability (unless you don't want the credit). We've never had a vulnerability
@ -19,9 +30,13 @@ report, so this is theoretical at this time.
We use "git" to track changes. To propose a change, create a fork We use "git" to track changes. To propose a change, create a fork
(copy) of the repository, make your changes, and create a (copy) of the repository, make your changes, and create a
merge request (also called a pull request). GitHub pull request or SourceForge merge request (they are the same thing).
If you're not familiar with the process, here's some If you're not familiar with the process, here's some
[documentation](https://sourceforge.net/p/forge/documentation/Git/). documentation for
[GitHub](https://help.github.com/articles/about-pull-requests/)
and
[SourceForge](https://sourceforge.net/p/forge/documentation/Git/).
## License and DCO ## License and DCO
@ -55,15 +70,21 @@ An easy way to install pylint is to use pip.
Most python installs have pip, but if yours does not Most python installs have pip, but if yours does not
(e.g., Cygwin), install pip with: (e.g., Cygwin), install pip with:
`python -m ensurepip` ~~~~
python -m ensurepip
~~~~
You may want to upgrade pip with: You may want to upgrade pip with:
`pip install --upgrade pip` ~~~~
pip install --upgrade pip
~~~~
Finally, you can actually install pylint using: Finally, you can actually install pylint using:
`pip install pylint` ~~~~
pip install pylint
~~~~
## Code Conventions ## Code Conventions
@ -80,12 +101,16 @@ patches to improve that are often welcome.
The code must run on both Python 2.7 and Python 3. The code must run on both Python 2.7 and Python 3.
To check that it works on both, run: To check that it works on both, run:
`make check` ~~~~
make check
~~~~
We use "pylint" to check for style and other generic quality problems. We use "pylint" to check for style and other generic quality problems.
To check that the code passes these quality tests, run: To check that the code passes these quality tests, run:
`make pylint` ~~~~
make pylint
~~~~
We require that the pylint results for contributions be at least 9.5/10 as We require that the pylint results for contributions be at least 9.5/10 as
configured with the provided "pylintrc" file, without any errors ("E"). configured with the provided "pylintrc" file, without any errors ("E").
@ -108,5 +133,12 @@ the automated test suite.
## Other ## Other
Project documentation tends to be in markdown (.md) format.
We use "~~~~" so that it's easy to cut-and-paste commands if desired.
The main document is a man page, which is then converted to PDF.
Avoid trailing space or tab on a line in source files - those can create
hard-to-understand "differences" on lines.
We have earned a We have earned a
[CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/projects/323)... make sure we keep it! [CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/projects/323)... make sure we keep it!

17
INSTALL.md
View File

@ -12,7 +12,9 @@ For many, the simple approach is to first install Python
Then use `pip` to install flawfinder Then use `pip` to install flawfinder
(this will normally download the package): (this will normally download the package):
`pip install flawfinder` ~~~~
pip install flawfinder
~~~~
One advantage for using pip is that you'll generally get the One advantage for using pip is that you'll generally get the
*current* released version. *current* released version.
@ -28,7 +30,10 @@ For a ports-based system where you have a current port, just use that.
This will work out-of-the-box; it may not be the most recent version. This will work out-of-the-box; it may not be the most recent version.
One way to accomplish this is: One way to accomplish this is:
`sudo apt install flawfinder`
~~~~
sudo apt install flawfinder
~~~~
## 3. TARBALL (SOURCE INSTALL) ## 3. TARBALL (SOURCE INSTALL)
@ -37,7 +42,9 @@ QUICK START:
The quick way to install flawfinder from the tarball is to The quick way to install flawfinder from the tarball is to
unpack the tarball and type in something like this on the command line: unpack the tarball and type in something like this on the command line:
`sudo make prefix=/usr install` ~~~~
sudo make prefix=/usr install
~~~~
Omit prefix=/usr to install in /usr/local instead. Omit prefix=/usr to install in /usr/local instead.
Omit "sudo" if you are already root. Omit "sudo" if you are already root.
@ -119,4 +126,6 @@ Not enough? Here are more detailed step-by-step instructions and options.
You can also simply run the program in the directory you've unpacked it You can also simply run the program in the directory you've unpacked it
into. It's a simple Python program, just type into a command line: into. It's a simple Python program, just type into a command line:
`./flawfinder files_or_directory` ~~~~
./flawfinder FILES-OR-DIRECTORY
~~~~

21
README.md
View File

@ -15,7 +15,7 @@ For more information, see the [project website](http://dwheeler.com/flawfinder)
Flawfinder is designed for use on Unix/Linux/POSIX systems Flawfinder is designed for use on Unix/Linux/POSIX systems
(including Cygwin, Linux-based systems, MacOS, and various BSDs) as a (including Cygwin, Linux-based systems, MacOS, and various BSDs) as a
command line tool. It requires Python 2.7 or Python 3. command line tool. It requires either Python 2.7 or Python 3.
# Installation # Installation
@ -31,7 +31,24 @@ You don't HAVE to install it to run it, but it's easiest that way.
To run flawfinder, just give it a list of source files or directories to To run flawfinder, just give it a list of source files or directories to
example. For example, to examine all files in "src/" and down recursively: example. For example, to examine all files in "src/" and down recursively:
`flawfinder src/` ~~~~
flawfinder src/
~~~~
To examine all files in the *current* directory and down recursively:
~~~~
flawfinder ./
~~~~
Hits (findings) are given a risk level from 0 (very low risk) to 5 (high risk),
By default, findings of risk level 1 or higher are shown.
You can show only the hits of risk level 4 or higher in the current
directory and down this way:
~~~~
flawfinder --minlevel 4 ./
~~~~
The manual page (flawfinder.1 or flawfinder.pdf) describes how to use The manual page (flawfinder.1 or flawfinder.pdf) describes how to use
flawfinder (including its various options) and related information flawfinder (including its various options) and related information

28
release_process.md
View File

@ -15,23 +15,33 @@ setup.py
index.html index.html
Then run: Then run:
`make test && make test-is-correct` # update version number in tests
~~~~
make test && make test-is-correct # update version number in tests
~~~~
## Test it ## Test it
`make check` # Run tests in Python 2 and 3 ~~~~
make check # Run tests in Python 2 and 3
~~~~
## Tag version ## Tag version
Once you're sure this is the *real* version, tag it: Once you're sure this is the *real* version, tag it:
`git tag VERSION` ~~~~
`git push --tags` git tag VERSION
git push --tags
~~~~
## Create tarball ## Create tarball
Run: Run:
`make distribute`
~~~~
make distribute
~~~~
## Post tarball ## Post tarball
@ -46,8 +56,12 @@ the usual places:
Create a PyPi distribution package: Create a PyPi distribution package:
`make pypi` ~~~~
make pypi
~~~~
And upload it: And upload it:
`make upload-pypi` ~~~~
make upload-pypi
~~~~