CERN Computer Security Information


FlawFinder is a simple yet efficient ad quick tool that scans your C/C++ source code for calls to typical vulnerable library functions. It was developed by David Wheeler, a renowned security expert. It is run from the command line. Its output can easily be customized.

  • Typical error types found:
    • Calls to library functions creating buffer overflow vulnerabilities (gets, strcpy, sprintf, ...)
    • Calls to library functions potentially vulnerable to string formatting attacks (sprintf, printf, ...)
    • Potential race conditions in file handling.



Available on most Debian based distributions:

sudo apt-get install flawfinder
tar -xzvf flawfinder-1.31.tar.gz
cd flawfinder-1.31


Basic run

To obtain a complete (and possibly lengthy) report on your code, simply run:

flawfinder <path_to_your_source_directory>

Note: It doesn't properly check all files when run on the . directory, just run it on ./ instead. Alternatively, you can pass a list of files as argument.

Useful options

Setting the --help / -h option will provide a list of the possible options.

$ flawfinder --help

Flawfinder can provide the output in an html format (potentially easier to parse if you need to), disable header and footer of the report, ... The following example would only output the hits (of risk-rating at least 2), in an html format:

$ flawfinder -m 2 --html --quiet --dataonly

Furthermore, if you wish to view only the flaws introduced in a patch, you can save the hit-list history and run a differential analysis.

$ flawfinder --savehistfile=prepatchhits.ffh <pre_patch_directory_or_files>
$ flawfinder --diffhistfile=prepatchhits.ffh <patched_directory_or_files>

False positive ignoring/reporting

Some times, Flawfinder will report items that are not bugs. In that case, you can avoid having them reported again as shown below.

Inline comments

Directly on the line which you have identified as a false positive, include:

strcpy(largebuffer, smallconstantbuffer) /* Flawfinder: ignore */