Flawfinder is a programming tool that examines C or C++ source code looking for security weaknesses. It examines the source code at a simple (lexical) level, primarily looking for function names, which it then compares to a rule database. It then uses the rule database, and the parameters provided to the function, to assign a risk level to that particular code structure. Typical rules involve issues such as string functions that may overflow buffers, format strings that may be controlled by users, and so on. Once it completes examining the source code, it reports the potential security flaws, sorted by risk level. Flawfinder is implemented in Python, and was developed by David A. Wheeler.
Flawfinder knows about gettext (a common library for internationalized programs) and will treat constant strings passed through gettext as though they were constant strings; this reduces the number of false hits in internationalized programs.
Flawfinder has a number of options, which can be grouped into options that control its own documentation, select which hits to display, select the output format, and perform hitlist management.
Flawfinder can be fooled by user-defined functions or method names that happen to be the same as those defined as "hits" in its database, and will often trigger on definitions (as well as uses) of functions with the same name.
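The lexical approach described above, as an added example that is not Flawfinder's own code: a toy scanner with a three-entry rule database (an assumption, not Flawfinder's real one) that matches identifiers followed by `(`, lowers the risk of a format-string call when its first argument is a constant or gettext-wrapped string, sorts hits by risk, and, because it never parses declarations, also reports the user-defined `syslog` at the end of the constructed sample.

```python
import re

# Constructed mini rule database (an illustrative assumption, not Flawfinder's real one):
# name -> (risk level, kind).
RULES = {
    "strcpy": (4, "buffer"),  # unbounded copy: risk does not depend on the arguments
    "printf": (4, "format"),  # risk depends on whether the format string is constant
    "syslog": (4, "format"),
}

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# A bare string literal, or one wrapped in gettext()/_(), counts as a constant string.
CONST_STR_RE = re.compile(r'^\s*(?:(?:gettext|_)\s*\(\s*)?"(?:[^"\\]|\\.)*"\s*\)?\s*$')

def first_arg(src, open_paren):
    """Return the text of the first argument of the call whose '(' is at open_paren."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
        elif src[i] == "," and depth == 1:
            return src[open_paren + 1:i]
    return src[open_paren + 1:]

def scan(src):
    """Match every identifier followed by '(' against RULES; return (level, line, name) sorted by risk."""
    hits = []
    for m in CALL_RE.finditer(src):
        name = m.group(1)
        if name not in RULES:
            continue  # purely lexical: no parsing, no type or scope information
        level, kind = RULES[name]
        if kind == "format" and CONST_STR_RE.match(first_arg(src, m.end() - 1)):
            level = 1  # constant (or gettext-wrapped) format string: not user-controlled
        hits.append((level, src.count("\n", 0, m.start()) + 1, name))
    return sorted(hits, key=lambda h: (-h[0], h[1]))

# Constructed sample; the last line defines a function whose name collides with a rule,
# so it is reported too (the definition-vs-use false positive described above).
SAMPLE = '''void f(char *dst, const char *src, const char *fmt) {
    strcpy(dst, src);
    printf(fmt);
    printf(_("hello %s\\n"), src);
    printf("done\\n");
}
int syslog(int p, const char *m) { return 0; }
'''
```

Running `scan(SAMPLE)` reports the `strcpy`, the `printf(fmt)` and the `syslog` definition at risk 4, and the two constant-format `printf` calls at risk 1.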