Name                 Date         Size      #Lines    LOC
COPYING              25-Aug-2013  17.6 KiB     341    281
ChangeLog            03-Aug-2014  28.3 KiB     619    560
MANIFEST.in          25-Aug-2013  244 B         15     13
README               03-Aug-2014  2.5 KiB       49     40
announcement         25-Aug-2013  1.3 KiB       30     22
cwe.l                13-Jul-2014  357 B         30     16
flawfinder           03-May-2022  78.9 KiB   1,974  1,469
flawfinder.1         03-Aug-2014  45.1 KiB   1,108  1,014
flawfinder.ps        03-Aug-2014  88.5 KiB       -      -
flawfinder.spec      27-Jul-2014  1.2 KiB       48     37
flawtest.c           25-Aug-2013  750 B         27     17
junk.c               13-Jul-2014  153 B         11      8
makefile             03-Aug-2014  6.4 KiB      196    110
no-ending-newline.c  12-Jul-2014  440 B         32     25
setup.cfg            25-Aug-2013  138 B          8      7
setup.py             27-Jul-2014  1.8 KiB       42     19
sloctest.c           25-Aug-2013  117 B         10      6
test.c               25-Aug-2013  3.3 KiB      118     80
test2.c              25-Aug-2013  44 B           2      0

README

This is "flawfinder" by David A. Wheeler, <dwheeler@dwheeler.com>.

Flawfinder is a simple program that scans C/C++ source code and reports
potential security flaws.  It can be a useful tool for examining software
for vulnerabilities, and it can also serve as a simple introduction to
static source code analysis tools more generally.  It is designed to
be easy to install and use.  Flawfinder supports the Common Weakness
Enumeration (CWE) and is officially CWE-Compatible.

For more information, see:
 http://www.dwheeler.com/flawfinder

Flawfinder is designed for use on Unix/Linux/POSIX systems
(including Cygwin, Linux-based systems, MacOS, and *BSDs) as a
command line tool.  It requires Python 2 (version 2.5 or later).

You can typically install flawfinder from its source code by doing this:
  tar xvzf FILENAME.tar.gz       # Uncompress distribution file
  cd flawfinder-*                # cd into it.
  sudo make prefix=/usr install  # Install in /usr
This installs the program as "/usr/bin/flawfinder" as well as the man page.
You can omit the "prefix=/usr"; it will then install under "/usr/local".
The file INSTALL.txt has more detailed installation instructions;
flawfinder supports the usual conventions (prefix, DESTDIR, etc.).
You don't HAVE to install it to run it, but it's easiest that way.

To run flawfinder, just give it a list of source files or directories to
examine.  For example, to examine all files in "src/" and down recursively:
  flawfinder src/
The manual page (flawfinder.1 or flawfinder.pdf) describes how to use
flawfinder (including its various options) and related information
(such as how it supports CWE).  For example, the "--html" option generates
output in HTML format.  The "--help" option gives a brief list of options.

More technically, flawfinder uses lexical scanning to find tokens
(such as function names) that suggest likely vulnerabilities, estimates their
level of risk (e.g., by the text of function calls), and reports the results.
Flawfinder does not use or have access to information about control flow,
data flow, or data types.  Thus, flawfinder will necessarily
produce many false positives for vulnerabilities and fail to report
many vulnerabilities.  On the other hand, flawfinder can find
vulnerabilities in programs that cannot be built or cannot be linked.
Flawfinder also doesn't get as confused by macro definitions
and other oddities that more sophisticated tools have trouble with.
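The scanning approach just described, as an added Python 3 example that is not flawfinder's own code: a miniature lexical scanner with a constructed, hypothetical rule table (the risk levels, CWE labels and advice strings are illustrative). It masks comments and string literals so names inside them are not reported, matches risky function names, lowers the risk of a strcpy whose source is a constant string (a flawfinder-style adjustment made from the call text alone), and ranks hits by risk; SAMPLE is constructed input.

```python
import re

# Constructed, illustrative rule table: name -> (risk 0-5, CWE, advice)
RULES = {
    "gets":   (5, "CWE-120", "no limit on input length; use fgets()"),
    "strcpy": (4, "CWE-120", "no bound on destination; use strlcpy()/snprintf()"),
}
_NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)

def mask_noise(src):
    """Blank comments and string contents, keeping newlines, quotes and offsets."""
    def blank(m):
        t = m.group(0)
        body = re.sub(r'[^\n]', ' ', t[1:-1] if t[0] == '"' else t)
        return '"%s"' % body if t[0] == '"' else body
    return _NOISE.sub(blank, src)

def call_args(src, open_paren):
    """Split a call's arguments on top-level commas; strings and nested parens are single tokens."""
    args, buf, depth = [], "", 0
    for tok in re.finditer(r'"(?:\\.|[^"\\])*"|[(),]|[^"(),]+', src[open_paren + 1:]):
        t = tok.group(0)
        if t == ')' and depth == 0:
            break
        if t == ',' and depth == 0:
            args.append(buf.strip()); buf = ""
            continue
        depth += (t == '(') - (t == ')')
        buf += t
    return args + [buf.strip()] if (buf.strip() or args) else args

def scan(src):
    """Lexical scan: risky names, risk adjusted from call text, returned as (line, name, level, cwe, advice) by risk."""
    masked, hits = mask_noise(src), []
    for m in re.finditer(r'\b([A-Za-z_]\w*)\s*\(', masked):
        if m.group(1) in RULES:
            level, cwe, advice = RULES[m.group(1)]
            args = call_args(src, m.end() - 1)
            if m.group(1) == "strcpy" and len(args) > 1 and args[1].startswith('"'):
                level, advice = 1, "source is a constant string"  # not attacker-controlled
            hits.append((masked.count('\n', 0, m.start()) + 1, m.group(1), level, cwe, advice))
    return sorted(hits, key=lambda h: (-h[2], h[0]))

SAMPLE = r'''/* constructed input, not a real program */
void f(char *in, char buf[64]) {
    strcpy(buf, "hello");   /* constant source: low risk */
    strcpy(buf, in);        // attacker-controlled source
    gets(buf);
    puts("gets(buf) inside a string literal is not a hit");
}
'''
```

Running scan(SAMPLE) reports gets on line 5 at level 5, the strcpy from `in` on line 4 at level 4, and the constant-source strcpy on line 3 at level 1.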

Flawfinder is released under the GNU GPL license version 2 or later (GPLv2+).
See the COPYING file for license information.