a static analysis tool for finding vulnerabilities in C/C++ source code
Go to file
David A. Wheeler ea67f5dbca Switch all print statements to print() functions
Switch all print statements to print() functions per PEP 3105.
Python 3 *only* supports print() functions, so this begins to
move the code towards simultaneously supporting python 2 and 3.

This implements "stage1" of futurize.  In theory, "stage1" is
supposed to be "low risk", but in fact a *large* number of
manual fixes had to be made to make the program work again.

Python 2's traditional print statement includes the "softspace"
feature. This is "a semi-secret attribute on files currently used to tell
print whether to insert a space before the first item".  The print()
function does not have the "softspace" feature, so there is no direct
translation for any situation that depended on softspaces.
Flawfinder used softspaces extensively, as they were convenient,
so it took a little work to make print() functions work.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
2017-08-12 19:33:49 -04:00
CONTRIBUTING.md Improve documentation about the use of pylint 2017-07-30 20:47:28 -04:00
COPYING Initial import 2007-01-16 02:44:45 +00:00
ChangeLog Note CONTRIBUTING.md in README and ChangeLog 2017-07-30 20:52:42 -04:00
INSTALL.txt INSTALL.txt: Make it clear that you can simply run without installing. 2014-08-02 22:26:37 -04:00
MANIFEST.in Initial import 2007-01-16 02:44:45 +00:00
README Note CONTRIBUTING.md in README and ChangeLog 2017-07-30 20:52:42 -04:00
announcement Initial import 2007-01-16 02:44:45 +00:00
correct-results.csv Add "fingerprint" to CSV output 2017-07-30 23:50:52 -04:00
correct-results.html Update version number to 2.0.1 2017-07-30 23:15:56 -04:00
correct-results.txt Update version number to 2.0.1 2017-07-30 23:15:56 -04:00
cwe.l Add ability to list CWEs in source code 2014-07-13 09:44:34 -04:00
flawfinder Switch all print statements to print() functions 2017-08-12 19:33:49 -04:00
flawfinder.1 Document CSV format further, including the fingerprint 2017-07-30 23:56:09 -04:00
flawfinder.spec Update version number to 2.0.1 2017-07-30 23:15:56 -04:00
flawtest.c Initial import 2007-01-16 02:44:45 +00:00
junk.c Add support for git diff (as well as svn diff and GNU diff) 2014-07-12 21:36:54 -04:00
makefile Save CSV file on "make test-is-correct" 2017-07-30 23:16:40 -04:00
no-ending-newline.c Version number now 1.28, add test for filenames without trailing newline 2014-07-12 07:01:23 -04:00
pylintrc Mass reformat of flawfinder source code to better comply with PEP 8 2017-07-30 20:06:39 -04:00
setup.cfg Initial import 2007-01-16 02:44:45 +00:00
setup.py Change version number to 2.0.0 - use Semantic Versioning 2017-07-29 13:24:25 -04:00
sloctest.c Initial import 2007-01-16 02:44:45 +00:00
test.c Initial import 2007-01-16 02:44:45 +00:00
test2.c Initial import 2007-01-16 02:44:45 +00:00

README

This is "flawfinder" by David A. Wheeler, <dwheeler@dwheeler.com>.

Flawfinder is a simple program that scans C/C++ source code and reports
potential security flaws.  It can be a useful tool for examining software
for vulnerabilities, and it can also serve as a simple introduction to
static source code analysis tools more generally.  It is designed to
be easy to install and use.  Flawfinder supports the Common Weakness
Enumeration (CWE) and is officially CWE-Compatible.

For more information, see:
 http://www.dwheeler.com/flawfinder

Flawfinder is designed for use on Unix/Linux/POSIX systems
(including Cygwin, Linux-based systems, MacOS, and *BSDs) as a
command line tool.  It requires Python 2 (version 2.7 or later).

You can typically install flawfinder from its source code by doing this:
  tar xvzf FILENAME.tar.gz       # Uncompress distribution file
  cd flawfinder-*                # cd into it.
  sudo make prefix=/usr install  # Install in /usr
This installs the program as "/usr/bin/flawfinder" as well as the man page.
You can omit the "prefix=/usr"; it will then install under "/usr/local".
The file INSTALL.txt has more detailed installation instructions;
flawfinder supports the usual conventions (prefix, DESTDIR, etc.).
You don't HAVE to install it to run it, but it's easiest that way.

To run flawfinder, just give it a list of source files or directories to
example.  For example, to examine all files in "src/" and down recursively:
  flawfinder src/
The manual page (flawfinder.1 or flawfinder.pdf) describes how to use
flawfinder (including its various options) and related information
(such as how it supports CWE).  For example, the "--html" option generates
output in HTML format. The "--help" option gives a brief list of options.

More technically, flawfinder uses lexical scanning to find tokens
(such as function names) that suggest likely vulnerabilities, estimates their
level of risk (e.g., by the text of function calls), and reports the results.
Flawfinder does not use or have access to information about control flow,
data flow, or data types.  Thus, flawfinder will necessarily
produce many false positives for vulnerabilities and fail to report
many vulnerabilities.  On the other hand, flawfinder can find
vulnerabilities in programs that cannot be built or cannot be linked.
Flawfinder also doesn't get as confused by macro definitions
and other oddities that more sophisticated tools have trouble with.

We love contributions!  For more information on contributing, see
the file CONTRIBUTING.md.

Flawfinder is released under the GNU GPL license version 2 or later (GPL-2.0+).
See the COPYING file for license information.