a static analysis tool for finding vulnerabilities in C/C++ source code
Go to file
David A. Wheeler 49a2289fe3 _ftcsat should be _ftcscat. Thanks to Lucas Ramage
Fix typo in name of "banned" function.  Thanks to Lucas Ramage,
who reported this January 2019.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
2019-01-12 11:53:27 -05:00
.gitignore Broaden an ignore rule 2018-03-15 22:49:45 -06:00
CONTRIBUTING.md Change www.dwheeler.com to dwheeler.com 2018-09-30 21:35:11 -04:00
COPYING Initial import 2007-01-16 02:44:45 +00:00
ChangeLog Add latest info to ChangeLog 2018-09-30 21:54:30 -04:00
INSTALL.md Fix installation, including a misspelling of "command" 2018-09-30 21:15:03 -04:00
MANIFEST.in Fix SourceForge #18 Renamed file still referenced by other files 2018-10-06 18:46:09 -04:00
README.md Change www.dwheeler.com to dwheeler.com 2018-09-30 21:35:11 -04:00
announcement Initial import 2007-01-16 02:44:45 +00:00
correct-results-004.txt Update correct test results to match memcpy change 2018-12-19 08:12:33 -05:00
correct-results-005.txt Update correct test results to match memcpy change 2018-12-19 08:12:33 -05:00
correct-results-006.txt Update correct test results to match memcpy change 2018-12-19 08:12:33 -05:00
correct-results.csv Update correct test results to match memcpy change 2018-12-19 08:12:33 -05:00
correct-results.html Update correct test results to match memcpy change 2018-12-19 08:12:33 -05:00
correct-results.txt Update correct test results to match memcpy change 2018-12-19 08:12:33 -05:00
cwe.l Add ability to list CWEs in source code 2014-07-13 09:44:34 -04:00
flawfinder _ftcsat should be _ftcscat. Thanks to Lucas Ramage 2019-01-12 11:53:27 -05:00
flawfinder.1 Change www.dwheeler.com to dwheeler.com 2018-09-30 21:35:11 -04:00
flawfinder.spec Update for next version (2.0.8) 2018-10-08 18:55:52 -04:00
flawtest.c Initial import 2007-01-16 02:44:45 +00:00
junk.c Add support for git diff (as well as svn diff and GNU diff) 2014-07-12 21:36:54 -04:00
makefile Update for next version (2.0.8) 2018-10-08 18:55:52 -04:00
no-ending-newline.c Version number now 1.28, add test for filenames without trailing newline 2014-07-12 07:01:23 -04:00
pylintrc Mass reformat of flawfinder source code to better comply with PEP 8 2017-07-30 20:06:39 -04:00
release_process.md Merge branch 'nickthetait_branch' after fixing conflicts 2018-09-30 20:35:03 -04:00
setup.cfg Fix SourceForge #18 Renamed file still referenced by other files 2018-10-06 18:46:09 -04:00
setup.py Update for next version (2.0.8) 2018-10-08 18:55:52 -04:00
sloctest.c Initial import 2007-01-16 02:44:45 +00:00
test-diff-005.patch Rename test-diff-0005 to follow other filename conventions 2017-09-02 15:45:08 -04:00
test-patched.c Add test for -P (patch) option, which tests diff handling 2017-08-26 15:42:35 -04:00
test.c Fixes #19 - don't warn if memcpy call includes sizeof(first arg) 2018-12-19 08:07:47 -05:00
test2.c Initial import 2007-01-16 02:44:45 +00:00

README.md

About

This is "flawfinder" by David A. Wheeler.

Flawfinder is a simple program that scans C/C++ source code and reports potential security flaws. It can be a useful tool for examining software for vulnerabilities, and it can also serve as a simple introduction to static source code analysis tools more generally. It is designed to be easy to install and use. Flawfinder supports the Common Weakness Enumeration (CWE) and is officially CWE-Compatible.

For more information, see the project website

Platforms

Flawfinder is designed for use on Unix/Linux/POSIX systems (including Cygwin, Linux-based systems, MacOS, and various BSDs) as a command line tool. It requires Python 2.7 or Python 3.

Installation

If you just want to use it, you can install flawfinder with Python's "pip" or with your system's package manager (flawfinder has packages for many systems). It also supports easy installation following usual make install source installation conventions. The file INSTALL.md has more detailed installation instructions. You don't HAVE to install it to run it, but it's easiest that way.

Usage

To run flawfinder, just give it a list of source files or directories to example. For example, to examine all files in "src/" and down recursively:

flawfinder src/

The manual page (flawfinder.1 or flawfinder.pdf) describes how to use flawfinder (including its various options) and related information (such as how it supports CWE). For example, the --html option generates output in HTML format. The --help option gives a brief list of options.

Under the hood

More technically, flawfinder uses lexical scanning to find tokens (such as function names) that suggest likely vulnerabilities, estimates their level of risk (e.g., by the text of function calls), and reports the results. Flawfinder does not use or have access to information about control flow, data flow, or data types. Thus, flawfinder will necessarily produce many false positives for vulnerabilities and fail to report many vulnerabilities. On the other hand, flawfinder can find vulnerabilities in programs that cannot be built or cannot be linked. Flawfinder also doesn't get as confused by macro definitions and other oddities that more sophisticated tools have trouble with.

Contributions

We love contributions! For more information on contributing, see the file CONTRIBUTING.md.

License

Flawfinder is released under the GNU GPL license version 2 or later (GPL-2.0+). See the COPYING file for license information.