Google

Flawfinder

This is the main web site for flawfinder, a program that examines source code and reports possible security weaknesses (``flaws'') sorted by risk level. It's very useful for quickly finding and removing at least some potential security problems before a program is widely released to the public. See ``how does Flawfinder work?'', below, for more information on how it works.

Flawfinder is specifically designed to be easy to install and use. After installing it, at a command line just type:

    flawfinder directory_with_source_code

Flawfinder works on Unix-like systems today (it's been tested on GNU/Linux), and it should be easy to port to Windows systems. It requires Python 1.5 or greater to run (Python 1.3 or earlier won't work).

Sample Output

If you're curious to see what the results look like, you can see sample HTML output and text output produced by analyzing a test C program.

The test code intentionally includes a large number of security problems, both to test flawfinder and show what it can find; hopefully the code you're analyzing won't have quite so many high-risk vulnerabilities!

License

Flawfinder is released under the General Public License (GPL) version 2, and thus is open source software (as defined by the Open Source Definition) and Free Software (as defined by the Free Software Foundation's GNU project). Feel free to see Open Source Software / Free Software (OSS/FS) References or Why OSS/FS? Look at the Numbers! for more information about OSS/FS.

Documentation

Flawfinder comes with a simple manual describing how to use it. If you're not sure you want to take the plunge to install the program, you can just look at the documentation first. The documentation is available in the following formats:

Downloading

Just select one of the following formats to get the latest version of flawfinder (including the program, installation scripts, and documentation):

The current version of flawfinder is 1.21. If you want to see how it's changed, view its ChangeLog. You can even go look at the flawfinder source code directly.

If you have trouble getting flawfinder here, you can download it from mirrors. For example, version 0.15 of flawfinder is available at http://packetstorm.securify.com/filedesc/flawfinder-0.15.tar.html. The ChangeLog identifies all the version numbers.

Installation

On Unix-like systems, if you choose the tarball format, you can uncompress and install it in the usual manner:
  gunzip  flawfinder-*.tar.gz
  tar xvf flawfinder-*.tar
  cd flawfinder-*
  su
  make install

Debian users can quickly download and install flawfinder using apt-get, as usual (my thanks to Adam Lazur for doing the Debian packaging):

  apt-get flawfinder

For RPM files, install them as would normally install an RPM file. If you want to install the RPM file through a command line, this would be:

  rpm -Uvh flawfinder-*.noarch.rpm

NetBSD users can use users can use NetBSD's pkgsrc to install flawfinder (my thanks to Thomas Klausner for doing the NetBSD packaging).

Testimonials

Others have found it useful. One user, Darryl Luff, said:

I just installed the 0.21 version of Flawfinder. I tried a few different code checking tools and it's by far the friendliest to use.
Joerg Beyer said:
I just sent tons of C/C++ source through flawfinder 1.0. Thanks for the tool, it found several places that I have now fixed.

Speed

Flawfinder is written in Python, to simplify the task of writing and extending it. Python code is not as fast as C code, but for the task I believe it's just fine. Flawfinder version 0.12 on a 400Mhz Pentium II system analyzed 51055 lines in 39.7 seconds, resulting in an average of 1285 analyzed lines/second. Flawfinder 1.20 and later will report their speed (in analyzed lines/second) if you're curious.

How does Flawfinder Work?

Flawfinder works by using a built-in database of C/C++ functions with well-known problems, such as buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random()).

Flawfinder produces a list of ``hits'' (potential security flaws), sorted by risk; by default the riskiest hits are shown first. This risk level depends not only on the function, but on the values of the parameters of the function. For example, constant strings are often less risky than fully variable strings in many contexts. In some cases, flawfinder may be able to determine that the construct isn't risky at all, reducing false positives. Also, Flawfinder correctly ignores text inside comments and strings (except for flawfinder directives). Flawfinder knows about gettext (a common library for internationalized programs) and will treat constant strings passed through gettext as though they were constant strings; this reduces the number of false hits in internationalized programs. Thus, flawfinder gives better information - and better prioritization - than simply running "grep" on the source code.

Not every hit is actually a security vulnerability, and not every security vulnerability is necessarily found. In fact, note that flawfinder doesn't really ``understand'' the semantics of the code at all - it primarily does simple text pattern matching (though it does ignore comments and strings as it should). Nevertheless, flawfinder can be a very useful aid in finding and removing security vulnerabilities.

RATS

Unbenowst to me, while I was developing flawfinder, Secure Software Solutions simultaneously developed RATS, which is also a source code scanner. We agreed to release our programs simultaneously (on May 21, 2001), and we agreed to mention each other's programs in our announcements (you can even see the original flawfinder announcement). Now that we've both released our code, we plan to coordinate so that there will be a single ``best of breed'' source code scanner that is open source / free software. Exactly how this will happen is not yet clear, so be prepared for future announcements.

Until the time where we've figured out how to merge these dissimilar projects, I recommend that distributions and software development websites include both programs. Each has advantages that the other doesn't. For example, at the time of this writing Flawfinder is easier to use - just give flawfinder a directory name, and flawfinder will enter the directory recursively, figure out what needs analyzing, and analyze it. Other advantages of flawfinder are that it can handle internationalized programs (it knows about special calls like gettext(), unlike RATS), flawfinder can report column numbers (as well as line numbers) of hits, and flawfinder can produce HTML-formatted results. The automated recursion and HTML formatted results make flawfinder especially nice for source code hosting systems. The flawfinder database includes a number of entries not in RATS, so flawfinder will find things RATS won't. In contrast, RATS can handle other programming languages and runs faster. Both projects are essentially automated advisors, and having two advisors look at your program is likely to be better than using only one (it's somewhat analogous to having two people review your code for security).

Note that there is a similar program, ITS4, but note that it isn't open source software or Free Software (OSS/FS) as defined above.


Flawfinder, RATS, and ITS4 are all discussed in the Linux Journal article Source Code Scanners for Better Code, although note that flawfinder as of version 1.20 can also detect static character buffers. Related tools that also statically analyze programs for security issues, that appears to be OSS/FS but using somewhat different techiniques, include SPLINT (GPL license), Cqual (GPL license), MOPS (old BSD license), and BOON (BSD-like license).

You might want to look at my Secure Programming HOWTO web page.

You can also view my home page.