CERN Computer Security Information

Flawfinder

Flawfinder is a simple, efficient and quick tool that scans your C/C++ source code for calls to library functions that are commonly misused and lead to vulnerabilities. It was developed by David Wheeler, a renowned security expert. It is run from the command line, and its output can easily be customized.

  • Typical error types found:
    • Calls to library functions creating buffer overflow vulnerabilities (gets, strcpy, sprintf, ...)
    • Calls to library functions potentially vulnerable to string formatting attacks (sprintf, printf, ...)
    • Potential race conditions in file handling.

Installation

Debian

Available on most Debian-based distributions:

sudo apt-get install flawfinder

Others

wget http://www.dwheeler.com/flawfinder/flawfinder-1.31.tar.gz
tar -xzvf flawfinder-1.31.tar.gz
cd flawfinder-1.31
./flawfinder

Usage

Basic run

To obtain a complete (and possibly lengthy) report on your code, simply run:

flawfinder <path_to_your_source_directory>

Note: it doesn't properly check all files when run on the . directory; run it on ./ instead. Alternatively, you can pass a list of files as arguments.

Useful options

The --help / -h option prints a list of all available options.

$ flawfinder --help

Flawfinder can produce its output in HTML format (potentially easier to parse if you need to), suppress the header and footer of the report, and so on. The following example outputs only the hits with a risk rating of at least 2, in HTML format:

$ flawfinder -m 2 --html --quiet --dataonly <path_to_your_source_directory>

Furthermore, if you wish to view only the flaws introduced by a patch, you can save the hit list from before the patch and run a differential analysis against it:

$ flawfinder --savehistfile=prepatchhits.ffh <pre_patch_directory_or_files>
$ flawfinder --diffhistfile=prepatchhits.ffh <patched_directory_or_files>

False positive ignoring/reporting

Sometimes, Flawfinder will report items that are not bugs. In that case, you can stop them from being reported again as shown below.

Inline comments

Directly on the line which you have identified as a false positive, include:

strcpy(largebuffer, smallconstantbuffer); /* Flawfinder: ignore */
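The following C fragment is an added example (not code from the CERN page or from Flawfinder itself) showing the unbounded calls the scanner reports, a bounded replacement whose return value detects truncation, and a reviewed false positive carrying the inline ignore comment. The function names and the NAME_LEN buffer size are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* Reported by Flawfinder: neither call knows the size of its destination,
 * so a long src overruns tmp and then dst (the buffer-overflow class the
 * page lists). Kept only to show what the scanner flags; never call it
 * with untrusted input. */
void greet_unbounded(char *dst, const char *src)
{
    char tmp[NAME_LEN];
    strcpy(tmp, src);                  /* overflow if strlen(src) >= NAME_LEN */
    sprintf(dst, "Hello, %s!", tmp);   /* overflow if dst is too small */
}

/* Bounded replacement: snprintf never writes more than dst_len bytes and
 * always NUL-terminates; its return value reveals truncation.
 * Returns 0 when the greeting fit, -1 when it was truncated. */
int greet_bounded(char *dst, size_t dst_len, const char *src)
{
    int n = snprintf(dst, dst_len, "Hello, %s!", src);
    return (n < 0 || (size_t)n >= dst_len) ? -1 : 0;
}

/* A hit that is a false positive after review: the source is a compile-time
 * constant that fits in any buffer of NAME_LEN bytes, so the line carries
 * the inline suppression comment from the section above. */
void set_default_name(char *dst)
{
    static const char default_name[] = "anonymous";   /* 9 chars + NUL */
    strcpy(dst, default_name); /* Flawfinder: ignore */
}

int main(void)
{
    char buf[NAME_LEN];
    if (greet_bounded(buf, sizeof buf, "Bartholomew") == -1)
        printf("truncated: \"%s\"\n", buf);
    set_default_name(buf);
    printf("default: %s\n", buf);
    return 0;
}
```

Running flawfinder on this file lists the strcpy/sprintf calls in greet_unbounded but not the suppressed line in set_default_name, which is the behaviour to check before committing an ignore comment.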