David A. Wheeler's Blog

Tue, 16 Jan 2007

Flawfinder version 1.27 released!

I’ve released yet another new version of flawfinder - now it’s version 1.27. Flawfinder is a simple program that examines C/C++ source code and reports on likely security flaws in the program, ranked by risk level.

The big functional addition is that flawfinder can now examine just the changes in a program. If you’re modifying a big program, it can be overwhelming to view all of the warnings flawfinder can produce… but if you can look at only the ones relevant to the change you are making, it can be easier to handle. My thanks to Sebastien Tandel - he suggested the feature, I replied in a brief email describing how I thought it could be done, and in the same day he replied with code to implement it. Wow, that’s truly amazing. His original patch only worked with Subversion; I modified it so that it also works with GNU diff. For this to work, you use the new “--patch” option and give flawfinder a patch file (in unified diff format) that describes the changes… and flawfinder will only report on the potential vulnerabilities on the changed lines (or the lines immediately above and below them).
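To illustrate the mechanism behind the patch option, here is an added example (my own sketch, not flawfinder's actual code): it parses a unified diff, collects the new-file line numbers of added lines plus one line of context above and below, and uses that set to filter a list of findings. The diff and the findings are constructed for the example; the `a/`/`b/` prefix stripping is an assumption about how some diff tools name files.

```python
import re

# Constructed unified diff in Subversion style (not taken from the post).
SAMPLE_PATCH = """\
--- demo.c\t(revision 41)
+++ demo.c\t(working copy)
@@ -10,5 +10,6 @@
 {
     char buf[64];
-    strcpy(buf, src);
+    strncpy(buf, src, sizeof(buf) - 1);
+    buf[sizeof(buf) - 1] = 0;
     puts(buf);
 }
"""

# Constructed findings in the shape (file, line, message).
SAMPLE_FINDINGS = [
    ("demo.c", 3, "char: statically-sized array (outside the patch)"),
    ("demo.c", 11, "char: statically-sized array (context line next to change)"),
    ("demo.c", 12, "strncpy: easily misused, may not NUL-terminate"),
    ("other.c", 12, "strcpy: buffer overflow risk (file not in patch)"),
]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def changed_lines(patch_text, context=1):
    """Map new-file name -> set of line numbers that were added,
    widened by `context` lines above and below each added line."""
    interest = {}
    current_file = None
    new_lineno = None
    for raw in patch_text.splitlines():
        if raw.startswith("+++ "):
            # File header: drop any "a/"/"b/" prefix and svn's tab-separated note.
            current_file = re.sub(r"^[ab]/", "", raw[4:].split("\t")[0])
            interest.setdefault(current_file, set())
            new_lineno = None
            continue
        if raw.startswith("--- "):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_lineno = int(m.group(1))  # first new-file line of this hunk
            continue
        if current_file is None or new_lineno is None:
            continue
        if raw.startswith("+"):
            for n in range(new_lineno - context, new_lineno + context + 1):
                if n >= 1:
                    interest[current_file].add(n)
            new_lineno += 1
        elif raw.startswith("-"):
            pass  # removed line: it has no number in the new file
        elif not raw.startswith("\\"):
            new_lineno += 1  # context line ("\ No newline..." is not a line)
    return interest

def filter_findings(findings, patch_text):
    """Keep only findings that land on a changed line or its neighbours."""
    wanted = changed_lines(patch_text)
    return [f for f in findings if f[1] in wanted.get(f[0], set())]
```

Running `filter_findings(SAMPLE_FINDINGS, SAMPLE_PATCH)` keeps only the two `demo.c` findings on lines 11 and 12, dropping the one far from the change and the one in a file the patch does not touch.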

An administrative change is that flawfinder is now hosted on SourceForge.net, with a mailing list and a Subversion repository for code changes. This should make it easier for people to discuss the program, submit changes, and generally keep track of things. And it also deals nicely with the “what happens if he’s hit by a bus” problem.

You can view the Flawfinder ChangeLog for the details on the other changes. It deals more gracefully with unreadable files and when there are zero lines of code. Also, it now skips by default any directories beginning with “.”; this makes it work nicely with many SCM systems (use “--followdotdir” if you WANT it to enter such directories). My thanks to Steve Kemp, cmorgan, and others.

For more info, or a copy, just go to my original flawfinder home page or the new flawfinder page on SourceForge.net. Enjoy!
