Flawfinder searches through source code looking for potential security flaws. It will provide a list of potential security flaws, sorted by risk, with the most potentially dangerous flaws shown first. This risk level depends not only on the function, but on the values of the parameters of the function. Flawfinder ignores text inside comments and strings.
|Tags||Software Development Quality Assurance Security|
|Operating Systems||OS Independent|
Release Notes: The ability to review only the changes to a program was added. Other minor improvements and bugfixes were made.
Release Notes: Code to better support Microsoft's approach to internationalization was added along with various new rules to detect more situations. False positives were reduced and some documentation was improved.
Release Notes: This release adds more rules for finding security flaws involving cuserid, getlogin, getpass, mkstemp, getpw, memalign, gsignal, ssignal, ulimit, and usleep. It has 137 rules that it checks automatically. Lengthy text has been added to the manual to explain exactly how to use flawfinder with Vim and Emacs. An error in the --columns format has been fixed, and many shortcut single-letter commands have been added. It tries to auto-remove some false positives, and a "--falsepositive" (-F) option has been added that tries to remove many more.
Release Notes: This version fixes an extremely obscure parsing error that in very rare cases caused false reports of a vulnerability where there wasn't one. Also, readlink() has been added to the vulnerability database.
Release Notes: This release fixed a subtle code bug that caused single character constants to not be be parsed correctly under certain unusual circumstances. An error in the manual where "--minlevel" incorrectly only had one dash was fixed, and C/C ++ filename extensions are listed in the documentation.