e95918cd7f
...
248c4449fb
Author | SHA1 | Date |
---|---|---|
George Sokianos | 248c4449fb | |
George Sokianos | 0387fab1c7 |
|
@ -0,0 +1,20 @@
|
|||
#
|
||||
# Project: flawfinder
|
||||
# Created by George "walkero" Sokianos
|
||||
# 2022-07-25
|
||||
#
|
||||
|
||||
release: clean
|
||||
mkdir -p release/flawfinder
|
||||
cp -r release_files/* release/flawfinder/
|
||||
cp flawfinder.py release/flawfinder/flawfinder
|
||||
protect release/flawfinder/flawfinder srwed
|
||||
cp -r simplejson release/flawfinder
|
||||
cp ChangeLog release/flawfinder/
|
||||
cp README.md release/flawfinder/
|
||||
cp COPYING release/flawfinder/
|
||||
lha -aeqr3 a flawfinder.lha release/
|
||||
|
||||
clean:
|
||||
rm -f simplejson/#?.pyc
|
||||
|
|
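Review bot: `clean` removes only `simplejson/#?.pyc`, so a `release/` tree and a `flawfinder.lha` left by an earlier run survive into the next build: the `cp` lines refresh files but never remove anything that was dropped from `release_files`, and as far as I know `lha a` adds to an existing archive rather than replacing it, so stale members can end up in the shipped archive. Adding `rm -rf release flawfinder.lha` to `clean` would make each release build start from an empty tree (the recipe already relies on GNU-style `mkdir -p` and `rm -f`). Neither target is declared phony, and `release` is also the name of the directory the recipe itself creates; the rule only keeps rebuilding because `clean` has no file behind it, so `.PHONY: release clean` at the top would make that intent explicit rather than accidental.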
@ -1,4 +1,4 @@
|
|||
#!/usr/bin/env python
|
||||
#!python
|
||||
|
||||
"""flawfinder: Find potential security flaws ("hits") in source code.
|
||||
Usage:
|
||||
|
@ -40,7 +40,7 @@
|
|||
# That *finally* makes it possible to semi-gracefully transition.
|
||||
|
||||
from __future__ import division
|
||||
from __future__ import print_function
|
||||
# from __future__ import print_function
|
||||
import functools
|
||||
import sys
|
||||
import re
|
||||
|
@ -53,7 +53,7 @@ import operator # To support filename expansion on Windows
|
|||
import time
|
||||
import csv # To support generating CSV format
|
||||
import hashlib
|
||||
import json
|
||||
import simplejson as json
|
||||
|
||||
version = "2.0.19"
|
||||
|
||||
|
@ -488,16 +488,16 @@ def print_multi_line(text):
|
|||
prefix = " "
|
||||
starting_position = len(prefix) + 1
|
||||
#
|
||||
print(prefix, end='')
|
||||
print(prefix),
|
||||
position = starting_position
|
||||
#
|
||||
for w in text.split():
|
||||
if len(w) + position >= width:
|
||||
print()
|
||||
print(prefix, end='')
|
||||
print '\n',
|
||||
print(prefix),
|
||||
position = starting_position
|
||||
print(' ', end='')
|
||||
print(w, end='')
|
||||
# print(' '),
|
||||
print(w),
|
||||
position += len(w) + 1
|
||||
|
||||
|
||||
|
@ -608,44 +608,44 @@ class Hit(object):
|
|||
if sarif_output:
|
||||
return
|
||||
if output_format:
|
||||
print("<li>", end='')
|
||||
print("<li>"),
|
||||
sys.stdout.write(h(self.filename))
|
||||
|
||||
if show_columns:
|
||||
print(":%(line)s:%(column)s:" % self, end='')
|
||||
print(":%(line)s:%(column)s:" % self),
|
||||
else:
|
||||
print(":%(line)s:" % self, end='')
|
||||
print(":%(line)s:" % self),
|
||||
|
||||
if output_format:
|
||||
print(" <b>", end='')
|
||||
print(" <b>"),
|
||||
# Extra space before risk level in text, makes it easier to find:
|
||||
print(" [%(level)s]" % self, end=' ')
|
||||
print(" [%(level)s] " % self),
|
||||
if output_format:
|
||||
print("</b> ", end='')
|
||||
print("(%(category)s)" % self, end=' ')
|
||||
print("</b> "),
|
||||
print("(%(category)s) " % self),
|
||||
if output_format:
|
||||
print("<i> ", end='')
|
||||
print(h("%(name)s:" % self), end='')
|
||||
print("<i> "),
|
||||
print(h("%(name)s:" % self)),
|
||||
main_text = h("%(warning)s. " % self)
|
||||
if output_format: # Create HTML link to CWE definitions
|
||||
main_text = link_cwe_pattern.sub(
|
||||
r'<a href="https://cwe.mitre.org/data/definitions/\2.html">\1</a>\3',
|
||||
main_text)
|
||||
if single_line:
|
||||
print(main_text, end='')
|
||||
print(main_text),
|
||||
if self.suggestion:
|
||||
print(" " + h(self.suggestion) + ".", end='')
|
||||
print(' ' + h(self.note), end='')
|
||||
print(" " + h(self.suggestion) + "."),
|
||||
print(' ' + h(self.note)),
|
||||
else:
|
||||
if self.suggestion:
|
||||
main_text += h(self.suggestion) + ". "
|
||||
main_text += h(self.note)
|
||||
print()
|
||||
print '\n',
|
||||
print_multi_line(main_text)
|
||||
if output_format:
|
||||
print(" </i>", end='')
|
||||
print("</li>", end='')
|
||||
print()
|
||||
print(" </i>"),
|
||||
print("</li>"),
|
||||
print '\n',
|
||||
if show_context:
|
||||
if output_format:
|
||||
print("<pre>")
|
||||
|
@ -676,7 +676,8 @@ def add_warning(hit):
|
|||
|
||||
|
||||
def internal_warn(message):
|
||||
print(h(message), file=sys.stderr)
|
||||
# print(h(message), file=sys.stderr)
|
||||
print h(message)
|
||||
|
||||
|
||||
# C Language Specific
|
||||
|
@ -1756,9 +1757,9 @@ def process_c_file(f, patch_infos):
|
|||
|
||||
if not quiet:
|
||||
if output_format:
|
||||
print("Examining", h(f), "<br>")
|
||||
print 'Examining %s<br>' % (h(f))
|
||||
else:
|
||||
print("Examining", f)
|
||||
print 'Examining %s' % (h(f))
|
||||
sys.stdout.flush()
|
||||
|
||||
# Python3 is often configured to use only UTF-8, and presumes
|
||||
|
@ -1767,10 +1768,10 @@ def process_c_file(f, patch_infos):
|
|||
# in such cases - with some hints on how to solve it.
|
||||
try:
|
||||
text = "".join(my_input.readlines())
|
||||
except UnicodeDecodeError as err:
|
||||
except UnicodeDecodeError, err:
|
||||
print('Error: encoding error in', h(f))
|
||||
print(err)
|
||||
print()
|
||||
print '\n',
|
||||
print('Python3 requires input character data to be perfectly encoded;')
|
||||
print('it also requires perfectly correct system encoding settings.')
|
||||
print('Unfortunately, your data and/or system settings are not.')
|
||||
|
@ -1948,8 +1949,7 @@ def display_ruleset(ruleset):
|
|||
def initialize_ruleset():
|
||||
expand_ruleset(c_ruleset)
|
||||
if showheading:
|
||||
print("Number of rules (primarily dangerous function names) in C/C++ ruleset:", len(
|
||||
c_ruleset))
|
||||
print 'Number of rules (primarily dangerous function names) in C/C++ ruleset: %d' % len(c_ruleset)
|
||||
if output_format:
|
||||
print("<p>")
|
||||
if list_rules:
|
||||
|
@ -2313,7 +2313,7 @@ def process_options():
|
|||
diffhitlist_filename = value
|
||||
display_header()
|
||||
if showheading:
|
||||
print("Showing hits not in", value)
|
||||
print("Showing hits not in %s" % value)
|
||||
elif opt == "--version":
|
||||
print(version)
|
||||
sys.exit(0)
|
||||
|
@ -2338,7 +2338,7 @@ def process_options():
|
|||
# In Python 2 the convention is "getopt.GetoptError", but we
|
||||
# use "getopt.error" here so it's compatible with both
|
||||
# Python 1.5 and Python 2.
|
||||
except getopt.error as text:
|
||||
except getopt.error, text:
|
||||
print("*** getopt error:", text)
|
||||
usage()
|
||||
sys.exit(16)
|
||||
|
@ -2384,13 +2384,13 @@ def show_final_results():
|
|||
for i in possible_levels: # Initialize count_per_level_and_up
|
||||
count_per_level_and_up[i] = 0
|
||||
if show_immediately or not quiet: # Separate the final results.
|
||||
print()
|
||||
print '\n',
|
||||
if showheading:
|
||||
if output_format:
|
||||
print("<h2>Final Results</h2>")
|
||||
else:
|
||||
print("FINAL RESULTS:")
|
||||
print()
|
||||
print '\n',
|
||||
hitlist.sort(key=hitlist_sort_key)
|
||||
# Display results. The HTML format now uses
|
||||
# <ul> so that the format differentiates each entry.
|
||||
|
@ -2418,14 +2418,14 @@ def show_final_results():
|
|||
if output_format:
|
||||
print("<h2>Analysis Summary</h2>")
|
||||
else:
|
||||
print()
|
||||
print '\n',
|
||||
print("ANALYSIS SUMMARY:")
|
||||
if output_format:
|
||||
print("<p>")
|
||||
else:
|
||||
print()
|
||||
print '\n',
|
||||
if count > 0:
|
||||
print("Hits =", count)
|
||||
print 'Hits = %d' % count
|
||||
else:
|
||||
print("No hits found.")
|
||||
if output_format:
|
||||
|
@ -2436,27 +2436,27 @@ def show_final_results():
|
|||
time_analyzing = time.time() - starttime
|
||||
if required_regex:
|
||||
print("Hits limited to regular expression " + required_regex)
|
||||
print("Lines analyzed = %d" % sumlines, end='')
|
||||
print("Lines analyzed = %d" % sumlines),
|
||||
if time_analyzing > 0 and not omit_time: # Avoid divide-by-zero.
|
||||
print(" in approximately %.2f seconds (%.0f lines/second)" % (
|
||||
time_analyzing, (sumlines / time_analyzing)))
|
||||
else:
|
||||
print()
|
||||
print '\n',
|
||||
if output_format:
|
||||
print("<br>")
|
||||
print("Physical Source Lines of Code (SLOC) = %d" % sloc)
|
||||
if output_format:
|
||||
print("<br>")
|
||||
# Output hits@each level.
|
||||
print("Hits@level =", end='')
|
||||
print("Hits@level ="),
|
||||
for i in possible_levels:
|
||||
print(" [%d] %3d" % (i, count_per_level[i]), end='')
|
||||
print(" [%d] %3d" % (i, count_per_level[i])),
|
||||
if output_format:
|
||||
print(" <br>")
|
||||
else:
|
||||
print()
|
||||
print '\n',
|
||||
# Compute hits at "level x or higher"
|
||||
print("Hits@level+ =", end='')
|
||||
print("Hits@level+ ="),
|
||||
for i in possible_levels:
|
||||
for j in possible_levels:
|
||||
if j >= i:
|
||||
|
@ -2464,20 +2464,20 @@ def show_final_results():
|
|||
i] = count_per_level_and_up[i] + count_per_level[j]
|
||||
# Display hits at "level x or higher"
|
||||
for i in possible_levels:
|
||||
print(" [%d+] %3d" % (i, count_per_level_and_up[i]), end='')
|
||||
print(" [%d+] %3d" % (i, count_per_level_and_up[i])),
|
||||
if output_format:
|
||||
print(" <br>")
|
||||
else:
|
||||
print()
|
||||
print '\n',
|
||||
if sloc > 0:
|
||||
print("Hits/KSLOC@level+ =", end='')
|
||||
print("Hits/KSLOC@level+ ="),
|
||||
for i in possible_levels:
|
||||
print(" [%d+] %3g" % (
|
||||
i, count_per_level_and_up[i] * 1000.0 / sloc), end='')
|
||||
i, count_per_level_and_up[i] * 1000.0 / sloc)),
|
||||
if output_format:
|
||||
print(" <br>")
|
||||
else:
|
||||
print()
|
||||
print '\n',
|
||||
#
|
||||
if num_links_skipped:
|
||||
print("Symlinks skipped =", num_links_skipped, "(--allowlink overrides but see doc for security issue)")
|
||||
|
@ -2488,14 +2488,14 @@ def show_final_results():
|
|||
if output_format:
|
||||
print("<br>")
|
||||
if num_ignored_hits > 0:
|
||||
print("Suppressed hits =", num_ignored_hits, "(use --neverignore to show them)")
|
||||
print("Suppressed hits = %d (use --neverignore to show them)" % num_ignored_hits)
|
||||
if output_format:
|
||||
print("<br>")
|
||||
print("Minimum risk level = %d" % minimum_level)
|
||||
if output_format:
|
||||
print("<br>")
|
||||
else:
|
||||
print()
|
||||
print '\n',
|
||||
if count > 0:
|
||||
print("Not every hit is necessarily a security vulnerability.")
|
||||
print("You can inhibit a report by adding a comment in this form:")
|
||||
|
@ -2505,7 +2505,7 @@ def show_final_results():
|
|||
if output_format:
|
||||
print("<br>")
|
||||
else:
|
||||
print()
|
||||
print '\n',
|
||||
print("There may be other security vulnerabilities; review your code!")
|
||||
if output_format:
|
||||
print("<br>")
|
||||
|
@ -2550,3 +2550,4 @@ def main():
|
|||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
|
||||
|
|
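Review bot: In the `internal_warn` hunk, `print h(message)` writes to stdout, whereas the line it replaces wrote to `sys.stderr`; the Python 2 equivalent is `print >>sys.stderr, h(message)`. Without the stderr target, internal warnings are interleaved with the report on the same stream, which is a problem whenever that report is meant to be machine-read (the file imports `csv` for CSV output and `Hit.show` has a `sarif_output` branch), since a stray warning line would likely break the consumer's parse. The commented-out Python 3 call kept next to the new line leaves two versions of the same statement in the file; given that `except UnicodeDecodeError, err:` in `process_c_file` is a syntax error on Python 3, this branch now appears to be Python 2 only, so the dead line should be removed rather than kept as a comment.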