David A. Wheeler's Blog

Mon, 31 May 2004

Flawfinder version 1.25 released!

I’ve released a new version of flawfinder - version 1.25. Flawfinder is a simple program that examines C/C++ source code and reports on likely security flaws in the program, ranked by risk level. You can view the Flawfinder ChangeLog for the details. Here are some of the highlights:
  1. Added more rules for finding problems by examining the Red Hat Linux 9 documentation (the man3 man pages), looking for phrases like “do not use”, “security”, and “obsolete”. Thus, added rules for cuserid, getlogin, getpass, mkstemp, getpw, memalign, as well as the obsolete functions gsignal, ssignal, ulimit, usleep. Flawfinder now has 137 rules that it checks automatically.
  2. Added lengthy text to the manual to explain exactly how to use flawfinder with vim and emacs. This should also help integrate flawfinder into other text editors/IDEs.
  3. Fixed an error in the `--columns` output format, so that the output is simply “filename:linenumber:columnnumber” when `--columns` (-C) is used.
  4. Added shortcut single-letter options (-D for `--dataonly`, -Q for `--quiet`, -C for `--columns`), so that invoking flawfinder from editors is easier.
  5. Flawfinder now tries to automatically remove some false positives, and a new `--falsepositive` (-F) option tries to remove many more.
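To show how the `--columns` output format described above lends itself to editor and IDE integration, here is an added example (not part of the original post and not flawfinder's own code) that parses such output, ranks hits by risk level, and filters on a minimum level. The sample lines are constructed; the `filename:linenumber:columnnumber:` prefix follows the post, while the assumed trailing `[level] (category) function: message` tail, the `run_flawfinder` helper and the `-C -D -Q` invocation it uses are this example's own assumptions.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample output. The "filename:linenumber:columnnumber:" prefix is
# the --columns format the post describes; the remainder of each line is an
# ASSUMED layout for this example, not a format the post guarantees.
SAMPLE_OUTPUT = """\
src/auth.c:42:5:  [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination.
src/auth.c:57:9:  [3] (misc) getpass: This function is obsolete and not portable.
src/log.c:12:3:  [1] (buffer) strlen: Does not handle strings that are not \\0-terminated.
src/util.c:88:1:  [2] (misc) usleep: This C routine is considered obsolete.
"""

# One hit per line: file:line:col: [level] (category) function: message.
# Assumes POSIX-style paths without ':' (a Windows drive letter would need a
# different file pattern).
LINE_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+):(?P<col>\d+):\s*"
    r"\[(?P<level>\d)\]\s*\((?P<cat>[^)]+)\)\s*(?P<func>\S+):\s*(?P<msg>.*)$"
)

# Vim errorformat matching the file:line:col: prefix, so :cfile can jump to hits.
VIM_ERRORFORMAT = "%f:%l:%c:%m"


@dataclass(frozen=True)
class Hit:
    file: str
    line: int
    col: int
    level: int      # flawfinder risk level, 0 (lowest) to 5 (highest)
    category: str
    func: str
    message: str


def parse_flawfinder(text: str) -> list:
    """Parse --columns style output into Hit records, skipping non-matching lines."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # headers, summaries or blank lines are not hits
        hits.append(Hit(
            file=m["file"], line=int(m["line"]), col=int(m["col"]),
            level=int(m["level"]), category=m["cat"],
            func=m["func"], message=m["msg"],
        ))
    return hits


def rank(hits: list, min_level: int = 0) -> list:
    """Drop hits below min_level and order by descending risk, then location."""
    kept = [h for h in hits if h.level >= min_level]
    return sorted(kept, key=lambda h: (-h.level, h.file, h.line, h.col))


def to_quickfix(hits: list) -> list:
    """Render hits as file:line:col: lines an editor errorformat can consume."""
    return [f"{h.file}:{h.line}:{h.col}: [{h.level}] {h.func}: {h.message}"
            for h in hits]


def run_flawfinder(paths: list) -> list:
    """Assumed helper: invoke flawfinder with -C (columns), -D (data only) and
    -Q (quiet) on the given paths and parse the result. Requires flawfinder
    to be installed; not exercised by the sample below."""
    proc = subprocess.run(["flawfinder", "-C", "-D", "-Q", *paths],
                          capture_output=True, text=True, check=False)
    return parse_flawfinder(proc.stdout)


if __name__ == "__main__":
    for line in to_quickfix(rank(parse_flawfinder(SAMPLE_OUTPUT), min_level=2)):
        print(line)
```

Piping the `to_quickfix` lines into a file and loading it in Vim with `:set errorformat=%f:%l:%c:%m` followed by `:cfile` lets the editor jump straight to each hit, highest risk first, which is the workflow the manual text mentioned above is meant to support.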

Just go to the flawfinder home page to get the latest version.
