1This is "flawfinder" by David A. Wheeler, <dwheeler@dwheeler.com>. 2 3Flawfinder is a simple program that scans C/C++ source code and reports 4potential security flaws. It can be a useful tool for examining software 5for vulnerabilities, and it can also serve as a simple introduction to 6static source code analysis tools more generally. It is designed to 7be easy to install and use. Flawfinder supports the Common Weakness 8Enumeration (CWE) and is officially CWE-Compatible. 9 10For more information, see: 11 http://www.dwheeler.com/flawfinder 12 13Flawfinder is designed for use on Unix/Linux/POSIX systems 14(including Cygwin, Linux-based systems, MacOS, and *BSDs) as a 15command line tool. It requires Python 2 (version 2.5 or later). 16 17You can typically install flawfinder from its source code by doing this: 18 tar xvzf FILENAME.tar.gz # Uncompress distribution file 19 cd flawfinder-* # cd into it. 20 sudo make prefix=/usr install # Install in /usr 21This installs the program as "/usr/bin/flawfinder" as well as the man page. 22You can omit the "prefix=/usr"; it will then install under "/usr/local". 23The file INSTALL.txt has more detailed installation instructions; 24flawfinder supports the usual conventions (prefix, DESTDIR, etc.). 25You don't HAVE to install it to run it, but it's easiest that way. 26 27To run flawfinder, just give it a list of source files or directories to 28example. For example, to examine all files in "src/" and down recursively: 29 flawfinder src/ 30The manual page (flawfinder.1 or flawfinder.pdf) describes how to use 31flawfinder (including its various options) and related information 32(such as how it supports CWE). For example, the "--html" option generates 33output in HTML format. The "--help" option gives a brief list of options. 34 35More technically, flawfinder uses lexical scanning to find tokens 36(such as function names) that suggest likely vulnerabilities, estimates their 37level of risk (e.g., by the text of function calls), and reports the results. 38Flawfinder does not use or have access to information about control flow, 39data flow, or data types. Thus, flawfinder will necessarily 40produce many false positives for vulnerabilities and fail to report 41many vulnerabilities. On the other hand, flawfinder can find 42vulnerabilities in programs that cannot be built or cannot be linked. 43Flawfinder also doesn't get as confused by macro definitions 44and other oddities that more sophisticated tools have trouble with. 45 46Flawfinder is released under the GNU GPL license version 2 or later (GPLv2+). 47See the COPYING file for license information. 48 49