From e522ea7291596f05e5fe2c599c8c1f5c5b9fc2ba Mon Sep 17 00:00:00 2001
From: Jon Hood
Date: Thu, 7 Sep 2017 13:47:10 -0500
Subject: [PATCH] add detection of crypt_r function

---
 flawfinder | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/flawfinder b/flawfinder
index e99c2c9..7cc816d 100755
--- a/flawfinder
+++ b/flawfinder
@@ -1158,13 +1158,13 @@ c_ruleset = {
 "Use a more secure technique for acquiring random values",
 "random", "", {}),
-"crypt":
+"crypt|crypt_r":
 (normal, 4,
-"Function crypt is a poor one-way hashing algorithm; " +
-"since it only accepts passwords of 8 characters or less, " +
-"and only a two-byte salt, it is excessively vulnerable to " +
+"The crypt functions use a poor one-way hashing algorithm; " +
+"since they only accept passwords of 8 characters or fewer " +
+"and only a two-byte salt, they are excessively vulnerable to " +
 "dictionary attacks given today's faster computing equipment (CWE-327)",
-"Use a different algorithm, such as SHA-256, with a larger " +
+"Use a different algorithm, such as SHA-256, with a larger, " +
 "non-repeating salt",
 "crypto", "", {}),
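Review bot: The rewritten remediation text on the new side still recommends "a different algorithm, such as SHA-256, with a larger, non-repeating salt", which steers users toward a fast general-purpose hash rather than a password-hashing function; a salted SHA-256 remains cheap to brute-force on current hardware. I would change the two new remediation lines to `"Use a deliberately slow, salted password-hashing function " +` / `"such as bcrypt, scrypt, PBKDF2, or Argon2 instead of a general-purpose hash",`. The new warning text also keeps the 8-character / two-byte-salt description, which is accurate for the traditional DES-based crypt but not for glibc's crypt/crypt_r when called with the newer salt prefixes (e.g. `$6$`), so opening with "The traditional DES-based crypt functions use..." would avoid overstating the finding and let report readers judge a possible false positive. The merged key `"crypt|crypt_r"` relies on the ruleset loader splitting names on `|`, which I believe other entries already do but cannot confirm from this hunk. The enclosing `c_ruleset` dict starts before and continues after this hunk.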