Flawfinder is a simple, quick and efficient tool that scans C/C++ source code for calls to library functions that are commonly misused in vulnerable ways. It was written by David Wheeler, a well-known security expert. It is run from the command line and its output is easy to customize. Note that it is a lexical scanner: it matches function names, so every hit needs a human review.
- Typical issue types found:
- Calls to library functions that can create buffer overflows (gets, strcpy, sprintf, ...)
- Calls to library functions that can be vulnerable to format string attacks when the format is attacker-controlled (printf, sprintf, syslog, ...)
- Potential race conditions in file handling (e.g. check-then-use sequences such as access() followed by open())
Available on most Debian-based distributions:
sudo apt-get install flawfinder
Alternatively, run it from the source tarball (no build step is needed, it is a single script):
wget http://www.dwheeler.com/flawfinder/flawfinder-1.31.tar.gz
tar -xzvf flawfinder-1.31.tar.gz
cd flawfinder-1.31
./flawfinder
To obtain a complete (and possibly lengthy) report on your code, simply run it on the source tree:
$ flawfinder ./
Note: it does not properly check all files when given the bare . directory; run it on ./ instead. Alternatively, pass a list of files or directories as arguments.
The --help / -h option lists all available options:
$ flawfinder --help
Flawfinder can write its output in HTML (easier to parse or publish if you need to), omit the header and footer of the report, and filter on risk level. The following example outputs only the hits of risk level at least 2, in HTML format, with no header, footer or status messages:
$ flawfinder -m 2 --html --quiet --dataonly <directory_or_files>
Furthermore, if you wish to see only the flaws introduced by a patch, save the hit list before the patch and run a differential analysis afterwards; only hits that are not in the saved list are reported:
$ flawfinder --savehitlist=prepatchhits.ffh <pre_patch_directory_or_files>
$ flawfinder --diffhitlist=prepatchhits.ffh <patched_directory_or_files>
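The whole workflow end to end, as an added example that is not part of the original page or of the flawfinder project: a constructed C file is scanned, its hit list saved, the file is then "patched" to add a gets() call and a strcpy() of a string literal marked as a reviewed false positive, and a differential run reports only what the patch introduced. The file contents, the temporary paths and the function names are assumptions made up for this demonstration; the flawfinder options used (--quiet, --dataonly, --context, --savehitlist, --diffhitlist) are the tool's own.

```sh
#!/bin/sh
# Added example (not from the flawfinder project): differential analysis of a
# constructed C file before and after a "patch". The demo source, the temp
# directory layout and the function names are assumptions for this demo.
set -e

# Pre-patch source tree: one pre-existing strcpy() hit that we already know about.
write_prepatch() {
    cat > "$1/demo.c" <<'EOF'
#include <stdio.h>
#include <string.h>
static char big[64];
void copy_in(const char *s) { strcpy(big, s); }
EOF
}

# The "patch": adds a gets() call (a genuine new hit) and a strcpy() of a
# fixed-size literal that a reviewer has marked as a false positive.
write_patched() {
    cat > "$1/demo.c" <<'EOF'
#include <stdio.h>
#include <string.h>
static char big[64];
void copy_in(const char *s) { strcpy(big, s); }
void read_line(void) { gets(big); }
void set_default(void) { strcpy(big, "default"); /* Flawfinder: ignore */ }
EOF
}

# Prints only the hits introduced by the patch and returns 0.
# Returns 2 if flawfinder is not installed on this machine.
flawfinder_diff_demo() {
    command -v flawfinder >/dev/null 2>&1 || return 2
    d=$(mktemp -d)
    write_prepatch "$d"
    # Save the pre-patch hit list; the report itself is not needed here.
    # The exit status is ignored because newer versions can return nonzero
    # when hits are found (--error-level).
    flawfinder --quiet --dataonly --savehitlist="$d/prepatch.ffh" "$d/demo.c" \
        >/dev/null 2>&1 || true
    write_patched "$d"
    # Report only hits not in the saved list. --context prints the offending
    # source line, which makes the report easy to paste into a code review.
    flawfinder --quiet --dataonly --context --diffhitlist="$d/prepatch.ffh" \
        "$d/demo.c" 2>/dev/null || true
    rm -rf "$d"
}

flawfinder_diff_demo || echo "flawfinder is not installed; nothing to show" >&2
```

The differential report lists the new gets() call and does not list the strcpy() carrying the ignore comment, because ignored lines never become hits in the first place. Scanning the same path before and after the patch matters: hits are matched against the saved list by file, so comparing two differently named copies of the tree would report everything as new.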
False positive ignoring/reporting
Sometimes Flawfinder will report items that are not bugs (for example, a strcpy() whose source is a constant that is known to fit in the destination). In that case, you can stop them from being reported again as shown below.
Directly on the line you have identified as a false positive, add the following comment (either /* */ or // style is accepted). Keep the justification in the commit or code review, and be aware that a later reviewer can still see these hits by running flawfinder with --neverignore (-n):
strcpy(largebuffer, smallconstantbuffer); /* Flawfinder: ignore */