FLAWFINDER

Flawfinder, written by Dave Wheeler, collected the most common C and C++ programming errors and dropped them into a tool that would check source for their presence. The tool does not understand C syntax or subtle programming techniques; however, it serves well as a quick sanity check of your applications. It is written in readable Python and has just over 1000 lines, which makes it an excellent candidate for customization.

Implementation

Flawfinder's power comes from its catalog of problematic functions. It provides several options, but you will most likely need to use only a few of them. A complete list is provided in Table 11-1.

Table 11-1: Flawfinder Options

Option                Description
--------------------  ----------------------------------------------------------------
--allowlink           Follows symbolic links.
--context, -c         Displays the line that contains the potential flaw, similar to
                      using grep to search for each function and showing the results
                      of each match.
--columns             Displays the column number of the potential flaw. For example,
                      a vulnerable strcpy might start at the sixteenth character on
                      the line.
--dataonly            Does not display the headers and footers for findings.
--listrules           Lists the current database of checks: about 120 C/C++ functions
                      with known problems and their relative risk (on a scale of 1 to
                      5, where 5 is high).
--minlevel=X, -m X    Sets the minimum risk level for which a hit is reported. X can
                      be 0 (no risk) through 5 (highest risk). The default is 1.
--neverignore, -n     Does not honor the ignore directive in a source file.
--html                Provides the report as HTML.
--immediate, -i       Displays potential flaws as they are found.
--inputs              Displays only functions that receive external input (set
                      variables from data obtained outside the program). Sets
                      minlevel to 0.
--quiet               Does not display hit information during a scan.
--loadhitlist=F       Loads hits from file F instead of analyzing source programs.
--savehitlist=F       Saves hits to file F.
--diffhitlist=F       Does not display hits contained in file F. Useful for comparing
                      revisions.

The quickest way to run Flawfinder is to specify a directory or list of files to check:

$ flawfinder src/

By default, Flawfinder examines only the C files it encounters. It recognizes a C file by its filename extension: c, h, ec, ecp, pgc, C, cpp, cxx, cc, pcc, hpp, or H. Even though it doesn't fully understand C, Flawfinder does partially distinguish between potentially vulnerable functions that use variables as opposed to constants, evaluating the former as a higher risk.

If one of your files does not have one of the default extensions, you can specify it on the command line, like so:

$ flawfinder ftpcmd.y

The output is formatted as such:

filename:line_number:column_number [risk_level] (type) function_name:message

The column_number is omitted unless the --columns option is present. Use the -m (--minlevel) option to report only hits at a given risk level or higher. Flawfinder places each hit into a category (type): buffer overflow, race condition, inadequate random number source, and mishandled temporary file.

Use the --savehitlist option to save the output to a file. This makes it easier for you to review output, especially for large projects. The --diffhitlist option also helps when handling large projects. Flawfinder ignores hits already present in the file named after the option (--diffhitlist=F). Thus, you can save hit files at various stages of development to keep track of hits introduced since each saved baseline.
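The output format above is simple enough to post-process without the tool's own hit-list files, which is handy when you want to triage Flawfinder results in a build script. The following is an added example, not code from the book or from Flawfinder itself: it parses lines of the documented shape (with or without the column number), applies a minimum-level filter like -m, and suppresses hits present in a baseline in the spirit of --diffhitlist. The sample output lines and the baseline are constructed for the example, and keying the baseline comparison on file, function, type and message (ignoring line and column) is an assumption of this example rather than the tool's exact comparison rule.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of Flawfinder-style output (not real tool output).
# The second hit carries a column number as it would with --columns.
SAMPLE_OUTPUT = """\
Examining src/net.c
src/net.c:42:  [4] (buffer) strcpy:Does not check for buffer overflows when copying to destination.
src/net.c:57:9:  [2] (buffer) char:Statically-sized arrays can be improperly restricted.
src/util.c:12:  [3] (random) rand:This function is not sufficiently random for security-related functions.
src/tmp.c:88:  [2] (tmpfile) tmpnam:Temporary file race condition.

Hits = 4
"""

# Constructed baseline from an earlier revision: the same strcpy hit, but at
# a different line number because code above it moved.
BASELINE_OUTPUT = """\
src/net.c:40:  [4] (buffer) strcpy:Does not check for buffer overflows when copying to destination.
"""

# filename:line_number[:column_number] [risk_level] (type) function_name:message
# The column (and its trailing colon) is present only when --columns is used.
HIT_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):(?:(?P<col>\d+):?)?\s*"
    r"\[(?P<level>[0-5])\]\s+\((?P<type>\w+)\)\s+(?P<func>\w+):(?P<msg>.*)$"
)


class Hit(NamedTuple):
    file: str
    line: int
    col: Optional[int]
    level: int
    type: str
    func: str
    msg: str


def parse_hits(text: str) -> List[Hit]:
    """Extract hits from report text; header, footer and blank lines simply do not match."""
    hits: List[Hit] = []
    for raw in text.splitlines():
        m = HIT_RE.match(raw.strip())
        if not m:
            continue
        hits.append(Hit(
            m["file"], int(m["line"]),
            int(m["col"]) if m["col"] else None,
            int(m["level"]), m["type"], m["func"], m["msg"].strip(),
        ))
    return hits


def filter_minlevel(hits: List[Hit], minlevel: int) -> List[Hit]:
    """Keep hits at minlevel or above, the way -m X does."""
    return [h for h in hits if h.level >= minlevel]


def diff_hitlist(current: List[Hit], baseline: List[Hit]) -> List[Hit]:
    """Keep only hits absent from the baseline.

    Assumption of this example: the key deliberately ignores line and column so
    that unrelated edits which shift code do not resurface old hits as new ones.
    """
    seen = {(h.file, h.func, h.type, h.msg) for h in baseline}
    return [h for h in current if (h.file, h.func, h.type, h.msg) not in seen]


def count_by_type(hits: List[Hit]) -> Dict[str, int]:
    """Summarize hits per category (buffer, race, random, tmpfile, ...)."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.type] = counts.get(h.type, 0) + 1
    return counts


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_OUTPUT)
    new_hits = diff_hitlist(filter_minlevel(hits, 2), parse_hits(BASELINE_OUTPUT))
    for h in new_hits:
        print(f"{h.file}:{h.line} [{h.level}] {h.func}")
    print(count_by_type(hits))
```

Running the module prints the three hits that are new relative to the baseline and a per-category count; in a CI job the natural policy is to fail the build only on the new hits at or above the chosen level.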

In the course of auditing your code, Flawfinder may sometimes hit a false positive. If you want to have Flawfinder ignore a line, place one of the following three directives before the line to ignore:

/* Flawfinder: ignore */
/* RATS: ignore */
/* ITS4: ignore */

You can also insert these lines as C++ style comments (//). When Flawfinder sees one of these ignore directives in source code, it does not report errors on the succeeding line, regardless of how insecure that line may be.
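To make the directive semantics concrete, here is an added example (not code from the book or from Flawfinder) that models the relevant slice of the tool's behaviour: a small constructed ruleset standing in for Flawfinder's own database, a lower risk for strcpy/strcat calls whose source is a string constant, and suppression of every hit on the line that follows a Flawfinder, RATS or ITS4 ignore directive in either comment style, with an option to disregard directives as --neverignore does. The C source it scans is constructed for the example, the risk levels in the ruleset are illustrative assumptions, and the argument splitting is naive on purpose (it does not parse C).

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed six-entry ruleset standing in for Flawfinder's ~120-entry database.
# Levels and messages are illustrative assumptions, not the tool's own values.
RULES: Dict[str, Tuple[int, str, str]] = {
    "gets":    (5, "buffer",  "Does not check for buffer overflows."),
    "strcpy":  (4, "buffer",  "Does not check for buffer overflows when copying to destination."),
    "strcat":  (4, "buffer",  "Does not check for buffer overflows when concatenating to destination."),
    "sprintf": (4, "buffer",  "Does not check for buffer overflows."),
    "rand":    (3, "random",  "This function is not sufficiently random for security-related functions."),
    "tmpnam":  (2, "tmpfile", "Temporary file race condition."),
}
# Calls rated lower when their second argument is a string literal (the constant
# case the text describes); the exact reduced level is an assumption here.
CONSTANT_SOURCE_FUNCS = {"strcpy", "strcat"}
CONSTANT_SOURCE_LEVEL = 1

# The three directive spellings, in C (/* */) or C++ (//) comment style.
IGNORE_RE = re.compile(r"(?:/\*|//)\s*(?:Flawfinder|RATS|ITS4):\s*ignore\b")
CALL_RE = re.compile(r"\b(?P<func>[A-Za-z_]\w*)\s*\(")

# Constructed C source exercising each case (line numbers matter for the hits).
SAMPLE_SOURCE = """\
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void greet(char *out, const char *name) {
    /* Flawfinder: ignore */
    strcpy(out, "Hello ");
    strcat(out, name);
    // RATS: ignore
    sprintf(out, "%s", name);
    char tmp[32];
    strcpy(tmp, "fixed");
    int r = rand();
    (void)r;
}
"""


class Hit(NamedTuple):
    file: str
    line: int
    level: int
    type: str
    func: str
    msg: str


def _call_args(line: str, start: int) -> List[str]:
    """Naively split the text between the call's '(' and the last ')' on the line."""
    end = line.rfind(")")
    inner = line[start:end] if end > start else ""
    return [a.strip() for a in inner.split(",")] if inner.strip() else []


def scan_source(filename: str, text: str, neverignore: bool = False,
                minlevel: int = 1) -> List[Hit]:
    hits: List[Hit] = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        # A directive on the preceding line silences this line, unless the
        # caller asked for --neverignore behaviour.
        if not neverignore and idx > 0 and IGNORE_RE.search(lines[idx - 1]):
            continue
        for m in CALL_RE.finditer(line):
            func = m.group("func")
            if func not in RULES:
                continue
            level, kind, msg = RULES[func]
            args = _call_args(line, m.end())
            if func in CONSTANT_SOURCE_FUNCS and len(args) > 1 and args[1].startswith('"'):
                level = CONSTANT_SOURCE_LEVEL
            if level >= minlevel:
                hits.append(Hit(filename, idx + 1, level, kind, func, msg))
    return hits


def format_hit(hit: Hit) -> str:
    """Render a hit in the filename:line [level] (type) function:message layout."""
    return f"{hit.file}:{hit.line}:  [{hit.level}] ({hit.type}) {hit.func}:{hit.msg}"


if __name__ == "__main__":
    for h in scan_source("demo.c", SAMPLE_SOURCE):
        print(format_hit(h))
    print("with --neverignore:", len(scan_source("demo.c", SAMPLE_SOURCE, neverignore=True)))
```

With directives honored, the strcpy on line 7 and the sprintf on line 10 disappear from the report; with neverignore=True they come back, which is the switch to flip when you want to audit whether the ignore markers in a code base are still justified.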

As you can see, Flawfinder plays well with other audit tools' directives.



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
