README: Rewrite to explain more.
parent
ba844e7eea
commit
d30fc2c1ac
44
README
44
README
|
@ -4,21 +4,45 @@ Flawfinder is a simple program that scans C/C++ source code and reports
|
||||||
potential security problems. It can be a useful tool for examining
|
potential security problems. It can be a useful tool for examining
|
||||||
software, and it can also serve as a simple introduction to static source code
|
software, and it can also serve as a simple introduction to static source code
|
||||||
analysis tools more generally. It is designed to be easy to install and use.
|
analysis tools more generally. It is designed to be easy to install and use.
|
||||||
|
Flawfinder supports the Common Weakness Enumeration (CWE) and is
|
||||||
More technically, flawfinder uses lexical scanning to find tokens
|
officially CWE-Compatible.
|
||||||
(such as function names) that suggest likely problems, estimates their
|
|
||||||
level of risk (e.g., by the text of function calls), and reports the results.
|
|
||||||
|
|
||||||
For more information, see:
|
For more information, see:
|
||||||
http://www.dwheeler.com/flawfinder
|
http://www.dwheeler.com/flawfinder
|
||||||
|
|
||||||
On Unix/Linux/POSIX systems, you can typically install it by extracting
|
Flawfinder is designed for use on Unix/Linux/POSIX systems
|
||||||
its files, using "cd" to enter its directory, and then run this:
|
(including Cygwin, Linux-based systems, MacOS, and *BSDs) as a
|
||||||
sudo make prefix=/usr install
|
command line tool. It requires Python 2 (version 2.5 or later).
|
||||||
|
|
||||||
|
You can typically install flawfinder from its source code by doing this:
|
||||||
|
tar xvzf FILENAME.tar.gz # Uncompress distribution file
|
||||||
|
cd flawfinder-* # cd into it.
|
||||||
|
sudo make prefix=/usr install # Install in /usr
|
||||||
|
This installs the program as "/usr/bin/flawfinder" as well as the man page.
|
||||||
You can omit the "prefix=/usr"; it will then install under "/usr/local".
|
You can omit the "prefix=/usr"; it will then install under "/usr/local".
|
||||||
The file INSTALL.txt has more detailed installation instructions.
|
The file INSTALL.txt has more detailed installation instructions;
|
||||||
Flawfinder requires Python 2 (version 2.5 or later).
|
flawfinder supports the usual conventions (prefix, DESTDIR, etc.).
|
||||||
|
You don't HAVE to install it to run it, but it's easiest that way.
|
||||||
|
|
||||||
|
To run flawfinder, just give it a list of source files or directories to
|
||||||
|
example. For example, to examine all files in "src/" and down recursively:
|
||||||
|
flawfinder src/
|
||||||
|
The manual page (flawfinder.1 or flawfinder.pdf) describes how to use
|
||||||
|
flawfinder (including its various options) and related information
|
||||||
|
(such as how it supports CWE). For example, the "--html" option generates
|
||||||
|
output in HTML format. The "--help" option gives a brief list of options.
|
||||||
|
|
||||||
|
More technically, flawfinder uses lexical scanning to find tokens
|
||||||
|
(such as function names) that suggest likely vulnerabilities, estimates their
|
||||||
|
level of risk (e.g., by the text of function calls), and reports the results.
|
||||||
|
Flawfinder does not use or have access to information about control flow,
|
||||||
|
data flow, or data types. Thus, flawfinder will necessarily
|
||||||
|
produce many false positives for vulnerabilities and fail to report
|
||||||
|
many vulnerabilities. On the other hand, flawfinder can find
|
||||||
|
vulnerabilities in programs that cannot be built or cannot be linked.
|
||||||
|
Flawfinder also doesn't get as confused by macro definitions
|
||||||
|
and other oddities that more sophisticated tools have trouble with.
|
||||||
|
|
||||||
Flawfinder is released under the GNU GPL license version 2 or later (GPLv2+).
|
Flawfinder is released under the GNU GPL license version 2 or later (GPLv2+).
|
||||||
See the COPYING file for more license information.
|
See the COPYING file for license information.
|
||||||
|
|
||||||
|
|
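Review bot: The new usage paragraph contains a typo: "just give it a list of source files or directories to example." should read "to examine." (the following sentence, "For example, to examine all files in "src/"...", shows the intended word). Separately, the new first paragraph about platform support says "MacOS"; the vendor spelling at the time of this commit is "Mac OS X" (now "macOS"), so consider matching that. The rest of the rewrite reads well: moving the Python 2 requirement next to the platform list, showing the full tar/cd/make sequence with comments, and adding the explanation of why a lexical scanner produces both false positives and missed vulnerabilities are all clear improvements over the old text.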