Flawfinder - Source code Auditor

Flawfinder works by using a built-in database of C/C++ functions with well-known problems, such as buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random()).

Flawfinder produces a list of ``hits'' (potential security flaws), sorted by risk; by default the riskiest hits are shown first. This risk level depends not only on the function, but on the values of the parameters of the function. For example, constant strings are often less risky than fully variable strings in many contexts. In some cases, flawfinder may be able to determine that the construct isn't risky at all, reducing false positives. Also, Flawfinder correctly ignores text inside comments and strings (except for flawfinder directives). Flawfinder knows about gettext (a common library for internationalized programs) and will treat constant strings passed through gettext as though they were constant strings; this reduces the number of false hits in internationalized programs. Thus, flawfinder gives better information - and better prioritization - than simply running "grep" on the source code.

Not every hit is actually a security vulnerability, and not every security vulnerability is necessarily found. In fact, note that flawfinder doesn't really ``understand'' the semantics of the code at all - it primarily does simple text pattern matching (though it does ignore comments and strings as it should). Nevertheless, flawfinder can be a very useful aid in finding and removing security vulnerabilities.