49 lines
2.5 KiB
Plaintext
49 lines
2.5 KiB
Plaintext
This is "flawfinder" by David A. Wheeler, <dwheeler@dwheeler.com>.
|
|
|
|
Flawfinder is a simple program that scans C/C++ source code and reports
|
|
potential security flaws. It can be a useful tool for examining software
|
|
for vulnerabilities, and it can also serve as a simple introduction to
|
|
static source code analysis tools more generally. It is designed to
|
|
be easy to install and use. Flawfinder supports the Common Weakness
|
|
Enumeration (CWE) and is officially CWE-Compatible.
|
|
|
|
For more information, see:
|
|
http://www.dwheeler.com/flawfinder
|
|
|
|
Flawfinder is designed for use on Unix/Linux/POSIX systems
|
|
(including Cygwin, Linux-based systems, MacOS, and *BSDs) as a
|
|
command line tool. It requires Python 2 (version 2.5 or later).
|
|
|
|
You can typically install flawfinder from its source code by doing this:
|
|
tar xvzf FILENAME.tar.gz # Uncompress distribution file
|
|
cd flawfinder-* # cd into it.
|
|
sudo make prefix=/usr install # Install in /usr
|
|
This installs the program as "/usr/bin/flawfinder" as well as the man page.
|
|
You can omit the "prefix=/usr"; it will then install under "/usr/local".
|
|
The file INSTALL.txt has more detailed installation instructions;
|
|
flawfinder supports the usual conventions (prefix, DESTDIR, etc.).
|
|
You don't HAVE to install it to run it, but it's easiest that way.
|
|
|
|
To run flawfinder, just give it a list of source files or directories to
|
|
example. For example, to examine all files in "src/" and down recursively:
|
|
flawfinder src/
|
|
The manual page (flawfinder.1 or flawfinder.pdf) describes how to use
|
|
flawfinder (including its various options) and related information
|
|
(such as how it supports CWE). For example, the "--html" option generates
|
|
output in HTML format. The "--help" option gives a brief list of options.
|
|
|
|
More technically, flawfinder uses lexical scanning to find tokens
|
|
(such as function names) that suggest likely vulnerabilities, estimates their
|
|
level of risk (e.g., by the text of function calls), and reports the results.
|
|
Flawfinder does not use or have access to information about control flow,
|
|
data flow, or data types. Thus, flawfinder will necessarily
|
|
produce many false positives for vulnerabilities and fail to report
|
|
many vulnerabilities. On the other hand, flawfinder can find
|
|
vulnerabilities in programs that cannot be built or cannot be linked.
|
|
Flawfinder also doesn't get as confused by macro definitions
|
|
and other oddities that more sophisticated tools have trouble with.
|
|
|
|
Flawfinder is released under the GNU GPL license version 2 or later (GPLv2+).
|
|
See the COPYING file for license information.
|
|
|