Looking for the latest version? Download flawfinder-1.31.tar.gz (174.1 kB)
Home
Name Modified Size Downloads / Week Status
Totals: 5 Items   514.5 kB 23
flawfinder 2007-01-17 1 weekly downloads
README 2014-08-03 2.6 kB 22 weekly downloads
flawfinder-1.31.tar.gz 2014-08-03 174.1 kB 1818 weekly downloads
flawfinder-1.29.tar.gz 2014-07-19 175.4 kB 22 weekly downloads
flawfinder-1.28.tar.gz 2014-07-13 162.4 kB 11 weekly downloads
This is "flawfinder" by David A. Wheeler, <dwheeler@dwheeler.com>. Flawfinder is a simple program that scans C/C++ source code and reports potential security flaws. It can be a useful tool for examining software for vulnerabilities, and it can also serve as a simple introduction to static source code analysis tools more generally. It is designed to be easy to install and use. Flawfinder supports the Common Weakness Enumeration (CWE) and is officially CWE-Compatible. For more information, see: http://www.dwheeler.com/flawfinder Flawfinder is designed for use on Unix/Linux/POSIX systems (including Cygwin, Linux-based systems, MacOS, and *BSDs) as a command line tool. It requires Python 2 (version 2.5 or later). You can typically install flawfinder from its source code by doing this: tar xvzf FILENAME.tar.gz # Uncompress distribution file cd flawfinder-* # cd into it. sudo make prefix=/usr install # Install in /usr This installs the program as "/usr/bin/flawfinder" as well as the man page. You can omit the "prefix=/usr"; it will then install under "/usr/local". The file INSTALL.txt has more detailed installation instructions; flawfinder supports the usual conventions (prefix, DESTDIR, etc.). You don't HAVE to install it to run it, but it's easiest that way. To run flawfinder, just give it a list of source files or directories to example. For example, to examine all files in "src/" and down recursively: flawfinder src/ The manual page (flawfinder.1 or flawfinder.pdf) describes how to use flawfinder (including its various options) and related information (such as how it supports CWE). For example, the "--html" option generates output in HTML format. The "--help" option gives a brief list of options. More technically, flawfinder uses lexical scanning to find tokens (such as function names) that suggest likely vulnerabilities, estimates their level of risk (e.g., by the text of function calls), and reports the results. Flawfinder does not use or have access to information about control flow, data flow, or data types. Thus, flawfinder will necessarily produce many false positives for vulnerabilities and fail to report many vulnerabilities. On the other hand, flawfinder can find vulnerabilities in programs that cannot be built or cannot be linked. Flawfinder also doesn't get as confused by macro definitions and other oddities that more sophisticated tools have trouble with. Flawfinder is released under the GNU GPL license version 2 or later (GPLv2+). See the COPYING file for license information.
Source: README, updated 2014-08-03