I've just released "flawfinder", a program that can scan source code
and identify potential security flaws, ranking them by likely severity.
Unlike ITS4, flawfinder is completely open source / free software
(it's released under the GPL license).

Flawfinder will miss some security problems, and point out issues that aren't
really security problems, but nevertheless I think it can help track
down security problems in code so that the code can be fixed.

You can download flawfinder from:
 http://www.dwheeler.com/flawfinder

Flawfinder is in its very early stages - I'm labelling it version "0.12".
It works reliably, but its ruleset is currently small and rudimentary.
It can already find some security problems now, but expanding its ruleset
will give it much more power. Also, it currently can only examine C/C++ code.

After I wrote flawfinder - and just before I released it - I found out that
Secure Software Solutions was also writing a program (RATS) to perform this
same task, also to be released under the GPL. We agreed to release our
programs simultaneously, and to mention each other's programs in our
announcements. Now that we've released our programs, we plan to coordinate
so that there will be a single open source / free software
source code scanner that will be a "best of breed."

--- David A. Wheeler
 dwheeler@dwheeler.com
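As an added illustration of the kind of scan the announcement describes (this is not flawfinder's own code or ruleset), a minimal Python scanner with a hypothetical ruleset that flags calls to a few risky C functions, ranks the findings by a constructed risk level, and skips // comments; the C sample is constructed.

```python
import re
from dataclasses import dataclass

# Hypothetical mini-ruleset (constructed here, not flawfinder's actual
# rules): function name -> (risk level 0-5, advice for the fix).
RULES = {
    "gets":    (5, "reads unbounded input; use fgets with a buffer size"),
    "strcpy":  (4, "no bound on the destination; use a sized copy or snprintf"),
    "sprintf": (4, "no bound on the output buffer; use snprintf"),
    "strncpy": (1, "may leave the destination without a NUL terminator"),
}

# A name from RULES followed by '(' is treated as a call (or prototype).
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")

@dataclass
class Finding:
    line: int
    risk: int
    func: str
    advice: str

def scan_source(source: str) -> list:
    """Scan C/C++ text; return findings sorted by risk, highest first."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore // comments (/* */ not handled)
        for m in CALL_RE.finditer(code):
            risk, advice = RULES[m.group(1)]
            findings.append(Finding(lineno, risk, m.group(1), advice))
    # Highest risk first; ties keep source order so reports are stable.
    return sorted(findings, key=lambda f: (-f.risk, f.line))

# Constructed C sample: two real problems, one low-risk note, one commented-out call.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
int main(void) {
    char buf[16], name[32];
    gets(name);
    strcpy(buf, name);
    // strcpy(buf, "x");  commented out, so not reported
    strncpy(buf, name, sizeof buf);
    puts(buf);
    return 0;
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_C):
        print(f"line {f.line}: [{f.risk}] {f.func}: {f.advice}")
```

A scanner this simple shares the caveat in the announcement: it reports a prototype or a string literal that happens to contain `strcpy(` and misses anything not in its table.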