flawfinder.1: Minor text cleanup about CWEs

David A. Wheeler 2014-07-13 13:30:29 -04:00
parent ba451aceb7
commit e97d0e6c18
1 changed files with 11 additions and 15 deletions


@ -694,30 +694,27 @@ of compilation error messages.
.SH COMMON WEAKNESS ENUMERATION (CWE) .SH COMMON WEAKNESS ENUMERATION (CWE)
.PP .PP
The Common Weakness Enumeration (CWE) The Common Weakness Enumeration (CWE)
is "a formal list or dictionary of common software weaknesses is ``a formal list or dictionary of common software weaknesses
that can occur in software's architecture, design, code or implementation that can occur in software's architecture, design, code or implementation
that can lead to exploitable security vulnerabilities [that] that can lead to exploitable security vulnerabilities [that]
was created to serve as a common language for was created to serve as a common language for
describing software security weaknesses" describing software security weaknesses''
(http://cwe.mitre.org/about/faq.html). (http://cwe.mitre.org/about/faq.html).
For more information on CWEs, see http://cwe.mitre.org. For more information on CWEs, see http://cwe.mitre.org.
.PP .PP
Flawfinder supports CWE. Flawfinder supports the CWE.
Hit descriptions typically a relevant Hit descriptions typically include a relevant
Common Weakness Enumeration (CWE) identifier in parentheses Common Weakness Enumeration (CWE) identifier in parentheses
where there is known to be a relevant CWE. where there is known to be a relevant CWE.
For example, many of the buffer-related hits mention For example, many of the buffer-related hits mention
CWE-120, the CWE identifier for CWE-120, the CWE identifier for
``buffer copy without checking size of input'' ``buffer copy without checking size of input''
(aka ``Classic Buffer Overflow''). (aka ``Classic Buffer Overflow'').
Flawfinder is designed to meet the CWE-Output requirement. In this way, flawfinder is designed to meet the CWE-Output requirement.
CWE version 2.7 (released June 23, 2014) was used for the mapping.
Note that many of these CWEs are identified in the CWE/SANS top 25 list Note that many of these CWEs are identified in the CWE/SANS top 25 list
(http://cwe.mitre.org/top25/). (http://cwe.mitre.org/top25/).
.PP
.PP .PP
Flawfinder can report on the following CWEs Flawfinder can report on the following CWEs
(these are the CWEs that flawfinder covers): (these are the CWEs that flawfinder covers):
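Review bot: "Note that many of these CWEs are identified in the CWE/SANS top 25 list" now has no nearby antecedent for "these CWEs": the "CWE version 2.7" sentence has been moved out of this paragraph and the list of covered CWEs only begins in the following paragraph, so the sentence sits between the CWE-Output statement and a paragraph break with no list in sight. Suggest moving the top 25 sentence to follow the covered-CWE list, next to the relocated "CWE version 2.7 (released June 23, 2014) was used for the mapping." line, or rewording it as "many of the CWEs flawfinder reports are identified in the CWE/SANS top 25 list". The change from straight double quotes to ``...'' around the quoted CWE definition makes it consistent with the ``buffer copy without checking size of input'' quoting later in the paragraph, and "Hit descriptions typically include a relevant" supplies the verb missing from the old text; removing the duplicated .PP is also correct.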
@ -735,17 +732,16 @@ CWE-676
CWE-732 CWE-732
CWE-807 CWE-807
CWE-829. CWE-829.
CWE version 2.7 (released June 23, 2014) was used for the mapping.
.PP .PP
Flawfinder may fail to find a Flawfinder may fail to find a vulnerability, even if flawfinder covers
vulnerability, even if the vulnerability one of these CWE weaknesses listed above.
is covered by one of these CWE weaknesses listed above.
That said, flawfinder does find vulnerabilities listed by the CWEs it covers, That said, flawfinder does find vulnerabilities listed by the CWEs it covers,
and it will not report lines without those vulnerabilities in many cases. and it will not report lines without those vulnerabilities in many cases.
Thus, flawfinder has a rate of false positives less than 100%, Thus, as required for any tool intending to be CWE compatible,
and a rate of false negatives less than 100%, as required for flawfinder has a rate of false positives less than 100%
any tool intending to be CWE compatible. and a rate of false negatives less than 100%.
.PP .PP
You can select a specific subset of CWEs to report by using You can select a specific subset of CWEs to report by using
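Review bot: the rewritten first sentence of this paragraph drops the link the old wording had between the missed vulnerability and the covered CWE. "Flawfinder may fail to find a vulnerability, even if flawfinder covers one of these CWE weaknesses listed above" reads as "even though flawfinder covers some CWE", whereas the old text said that the vulnerability it misses is itself covered by one of the listed CWEs; "these CWE weaknesses listed above" is also redundant. Suggest "Flawfinder may fail to find a vulnerability, even if that vulnerability falls under one of the CWEs listed above." Placing "CWE version 2.7 (released June 23, 2014) was used for the mapping." directly after "CWE-829." is the right spot for it, and leading the false-positive/false-negative sentence with "as required for any tool intending to be CWE compatible" reads more naturally than the old trailing clause.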