| 2014-04-21 11:43:14 |
Hans Joachim Desserud |
description |
I recently discovered flawfinder (http://www.dwheeler.com/flawfinder/), which is a static code analysis tool focusing on security issues. I can't really review the issues found, but it seemed to be few with high severety though. Also, it runs really fast, using only 1-2 seconds to generate a report for the entire code base.
I created the attached report with the following command:
$ flawfinder --context --falsepositive src/ > flawfinder-report.txt
Some explanation to the options; "--context" prints the line in question to easier see what the issue is about and "--falsepostive" silence some (~200) issues which are likely false positives. (Note that other issues reported might still be false positives.) In the report, after the list of files scanned it will list the issues in decending order of importance. See the number in brackets after the file name for importance, where [5] is the most severe.
Since I only recently discovered it, any issues will be too late to make it into build18 (unless something is really critical I guess). Though, I think someone should take a look at the report to see if any of them should be fixed.
PS. I initially filed this as a private security issue, since that's the kind of issues this tool finds. I don't know if that is really necessary, though since the report contains potential security issues I figured we might review and/or patch them before making this visible to the general public. |
I recently discovered flawfinder (http://www.dwheeler.com/flawfinder/), which is a static code analysis tool focusing on security issues. I can't really review the issues found, but it seemed to be few with high severety though. Also, it runs really fast, using only 1-2 seconds to generate a report for the entire code base.
I created the attached report with the following command:
$ flawfinder --context --falsepositive src/ > flawfinder-report.txt
Some explanation to the options; "--context" prints the line in question to easier see what the issue is about and "--falsepostive" silence some (~200) issues which are likely false positives. (Note that other issues reported might still be false positives.) In the report, after the list of files scanned it will list the issues in decending order of importance. See the number in brackets after the file name for importance, where [5] is the most severe.
Since I only recently discovered it, any issues will be too late to make it into build18 (unless something is really critical I guess). Though, I think someone should take a look at the report to see if any of them should be fixed.
PS. I initially filed this as a private security issue, since that's the kind of issues this tool finds. I don't know if that is really necessary, though since the report contains potential security issues I figured we might review and/or patch them before making this visible to the general public.
PS. For other warning reports, see bug 1258667 (Clang), bug 986611 (cppcheck) and bug 1202101 (Visual Studio). |
|
