flawfinder.1: Clean up man page, esp. option description
parent
5eb5e8411d
commit
bbe7a28ada
49
flawfinder.1
49
flawfinder.1
|
@ -33,14 +33,15 @@ flawfinder \- lexically find potential security flaws ("hits") in source code
|
||||||
.RB [ \-\-allowlink ]
|
.RB [ \-\-allowlink ]
|
||||||
.RB [ \-\-followdotdir ]
|
.RB [ \-\-followdotdir ]
|
||||||
.RB [ \-\-nolink ]
|
.RB [ \-\-nolink ]
|
||||||
.RB [ \-\-patch\ \fIfilename\fR | \-P\ \fIfilename\fR ]
|
.RB [ \-\-patch=\fIfilename\fR | \-P\ \fIfilename\fR ]
|
||||||
.br
|
.br
|
||||||
.\" Selecting Hits to Display:
|
.\" Selecting Hits to Display:
|
||||||
.RB [ \-\-inputs | \-I ]
|
.RB [ \-\-inputs | \-I ]
|
||||||
[ \fB\-\-minlevel \fR\fIX\fR | \fB\-m\fR\ \fIX\fR ]
|
[ \fB\-\-minlevel=\fR\fIX\fR | \fB\-m\fR\ \fIX\fR ]
|
||||||
.RB [ \-\-falsepositive | \-F ]
|
.RB [ \-\-falsepositive | \-F ]
|
||||||
.RB [ \-\-neverignore | \-n ]
|
.RB [ \-\-neverignore | \-n ]
|
||||||
.RB [ \-\-regex | \-e ]
|
.br
|
||||||
|
[\fB\-\-regex=\fR\fIPATTERN\fR | \fB\-e\fR \fIPATTERN\fR]
|
||||||
.br
|
.br
|
||||||
.\" Selecting Output Format:
|
.\" Selecting Output Format:
|
||||||
.RB [ \-\-context | \-c ]
|
.RB [ \-\-context | \-c ]
|
||||||
|
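Review bot: the new synopsis line `[\fB\-\-regex=\fR\fIPATTERN\fR | \fB\-e\fR \fIPATTERN\fR]` drops the spaces inside the brackets, while the `\-\-minlevel` entry two lines above keeps them (`[ \fB\-\-minlevel=\fR\fIX\fR | \fB\-m\fR\ \fIX\fR ]`); since the hitlist entries in the next hunk are also made space-free, change the `\-\-minlevel` line to match so the synopsis renders uniformly.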
@ -53,9 +54,9 @@ flawfinder \- lexically find potential security flaws ("hits") in source code
|
||||||
.RB [ \-\-quiet | \-Q ]
|
.RB [ \-\-quiet | \-Q ]
|
||||||
.br
|
.br
|
||||||
.\" Managing hit list.
|
.\" Managing hit list.
|
||||||
[ \fB\-\-loadhitlist\ \fR\fIF\fR ]
|
[\fB\-\-loadhitlist=\fR\fIF\fR]
|
||||||
[ \fB\-\-savehitlist\ \fR\fIF\fR ]
|
[\fB\-\-savehitlist=\fR\fIF\fR]
|
||||||
[ \fB\-\-diffhitlist\ \fR\fIF\fR ]
|
[\fB\-\-diffhitlist=\fR\fIF\fR]
|
||||||
.br
|
.br
|
||||||
.RB [ \-\- ]
|
.RB [ \-\- ]
|
||||||
.I [ source code file or source root directory ]+
|
.I [ source code file or source root directory ]+
|
||||||
|
@ -162,7 +163,7 @@ On the other hand, flawfinder can find vulnerabilities in programs that
|
||||||
cannot be linked, and in some cases, cannot even be compiled.
|
cannot be linked, and in some cases, cannot even be compiled.
|
||||||
Flawfinder also doesn't get as confused by macro definitions
|
Flawfinder also doesn't get as confused by macro definitions
|
||||||
and other oddities that more sophisticated tools have trouble with.
|
and other oddities that more sophisticated tools have trouble with.
|
||||||
It can also be useful as a simple
|
Flawfinder can also be useful as a simple
|
||||||
introduction to static analysis tools in general.
|
introduction to static analysis tools in general.
|
||||||
.PP
|
.PP
|
||||||
Any filename given on the command line will be examined (even if
|
Any filename given on the command line will be examined (even if
|
||||||
|
@ -288,11 +289,24 @@ select input data,
|
||||||
select which hits to display,
|
select which hits to display,
|
||||||
select the output format,
|
select the output format,
|
||||||
and perform hitlist management.
|
and perform hitlist management.
|
||||||
|
Flawfinder supports the standard syntax defined in the
|
||||||
|
POSIX (Issue 7, 2013 Edition) section ``Utility Conventions''.
|
||||||
|
It also supports the GNU long options
|
||||||
|
(double-dash options of form \-\-\fIoption\fR)
|
||||||
|
as defined in the \fIGNU C Library Reference Manual\fR
|
||||||
|
``Program Argument Syntax Conventions''
|
||||||
|
and \fIGNU Coding Standards\fR ``Standards for Command Line Interfaces''.
|
||||||
|
Long option arguments can be provided as ``--name=value'' or ``-name value''.
|
||||||
|
Some options can only be accessed using the more
|
||||||
|
readable GNU long option conventions;
|
||||||
|
common options are also supported
|
||||||
|
by the older single-letter option convention.
|
||||||
|
|
||||||
.SS "Documentation"
|
.SS "Documentation"
|
||||||
|
|
||||||
.TP 12
|
.TP 12
|
||||||
.BI \-\-help
|
.BI \-\-help
|
||||||
|
.TP
|
||||||
.BI \-h
|
.BI \-h
|
||||||
.\" Leave -? undocumented... it also invokes help.
|
.\" Leave -? undocumented... it also invokes help.
|
||||||
Show usage (help) information.
|
Show usage (help) information.
|
||||||
|
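Review bot: the added line `Long option arguments can be provided as ``--name=value'' or ``-name value''.` has two problems: the second form should be double-dash (``\-\-name value''), and both forms should use `\-\-` rather than bare `--`, as the `(double-dash options of form \-\-\fIoption\fR)` line just above does, otherwise groff typesets the dashes as hyphens. Also consider a `.PP` before `Flawfinder supports the standard syntax defined in the` so the conventions text is its own paragraph instead of running on from `and perform hitlist management.`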
@ -341,13 +355,13 @@ include version control private data, configurations, and so on.
|
||||||
.TP
|
.TP
|
||||||
.BI \-\-nolink
|
.BI \-\-nolink
|
||||||
Ignored.
|
Ignored.
|
||||||
Historically this disabled following symbolic links, but this
|
Historically this disabled following symbolic links;
|
||||||
behavior is now the default.
|
this behavior is now the default.
|
||||||
|
|
||||||
.TP 12
|
.TP 12
|
||||||
.BI \-\-patch patchfile
|
\fB\-\-patch=\fR\fIpatchfile\fR
|
||||||
.TP
|
.TP
|
||||||
.BI \-P patchfile
|
\fB\-P\fR \fIpatchfile\fR
|
||||||
Examine the selected files or directories, but only report hits in lines
|
Examine the selected files or directories, but only report hits in lines
|
||||||
that are added or modified by the given patch file.
|
that are added or modified by the given patch file.
|
||||||
The patch file must be in a recognized unified diff format
|
The patch file must be in a recognized unified diff format
|
||||||
|
@ -409,9 +423,9 @@ Never ignore security issues, even if they have an ``ignore'' directive
|
||||||
in a comment.
|
in a comment.
|
||||||
|
|
||||||
.TP
|
.TP
|
||||||
.BI \-\-regexp PATTERN
|
\fB\-\-regexp=\fR\fIPATTERN\fR
|
||||||
.TP
|
.TP
|
||||||
.BI -e PATTERN
|
\fB-e\fR \fIPATTERN\fR
|
||||||
Only report hits with text that matches the regular expression pattern PATTERN.
|
Only report hits with text that matches the regular expression pattern PATTERN.
|
||||||
For example, to only report hits containing the text "CWE-120",
|
For example, to only report hits containing the text "CWE-120",
|
||||||
use ``\-\-regex CWE-120''.
|
use ``\-\-regex CWE-120''.
|
||||||
|
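Review bot: the description heading becomes `\fB\-\-regexp=\fR\fIPATTERN\fR`, but the synopsis hunk in this same patch adds `\-\-regex=\fR\fIPATTERN\fR` and the example three lines down still says ``\-\-regex CWE-120''; settle on one spelling in the man page (or document both if the tool accepts both). Also `\fB-e\fR \fIPATTERN\fR` uses a bare `-` where the `\fB\-P\fR` heading earlier uses `\-`; write `\fB\-e\fR` for consistent dash rendering.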
@ -679,10 +693,9 @@ You can visit the source for any particular error message by moving
|
||||||
to that hit message in the *compilation* buffer or *grep* buffer
|
to that hit message in the *compilation* buffer or *grep* buffer
|
||||||
and typing the return key.
|
and typing the return key.
|
||||||
(Technical note: in the compilation buffer, this invokes
|
(Technical note: in the compilation buffer, this invokes
|
||||||
compile-goto-error).
|
compile-goto-error.)
|
||||||
You can also click the Mouse-2 button on the error message
|
You can also click the Mouse-2 button on the error message
|
||||||
(when using the mouse you don't need to switch to the *compilation* buffer
|
(you don't need to switch to the *compilation* buffer first).
|
||||||
first).
|
|
||||||
.PP
|
.PP
|
||||||
If you want to use grep mode to jump to specific columns of a hit,
|
If you want to use grep mode to jump to specific columns of a hit,
|
||||||
you'll need to specially configure emacs to do this.
|
you'll need to specially configure emacs to do this.
|
||||||
|
@ -701,8 +714,8 @@ For (other) IDEs, consult your IDE's set of plug-ins.
|
||||||
The Common Weakness Enumeration (CWE)
|
The Common Weakness Enumeration (CWE)
|
||||||
is ``a formal list or dictionary of common software weaknesses
|
is ``a formal list or dictionary of common software weaknesses
|
||||||
that can occur in software's architecture, design, code or implementation
|
that can occur in software's architecture, design, code or implementation
|
||||||
that can lead to exploitable security vulnerabilities [that]
|
that can lead to exploitable security vulnerabilities...
|
||||||
was created to serve as a common language for
|
created to serve as a common language for
|
||||||
describing software security weaknesses''
|
describing software security weaknesses''
|
||||||
(http://cwe.mitre.org/about/faq.html).
|
(http://cwe.mitre.org/about/faq.html).
|
||||||
For more information on CWEs, see http://cwe.mitre.org.
|
For more information on CWEs, see http://cwe.mitre.org.
|
||||||
|
|
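Review bot: replacing `[that]` and `was created` with `...` and `created` leaves the quotation reading `...exploitable security vulnerabilities... created to serve as a common language`, where `created` has no subject; either keep the bracketed `[that] was created` or close the quote after `vulnerabilities` and paraphrase the remainder outside the quotation marks.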