Automated Audit Example: flawfinder

flawfinder is a general purpose scanner for finding and reporting upon potential flaws in both C and C++ source code.

Running flawfinder

Running flawfinder as simple as invoking the command with the name directories or files to examine. If given a directory name it will then process all the valid source files it can find inside that directory.

In addition to given the program a list of files or directories there are several command line options which may be used to control the tools behaviour.

Each of the options is explained in the manpage, but the following options are particularly useful and will be used in our example:

To output an HTML file containing the results of our program, only caring about "high risk" functions we'd run something like this:

flawfinder --html --context --minlevel=4 test.c > output.html

The Results

Running flawfinder against our sample code produces the following output:

Examining test.c

Number of hits = 4
Number of Lines Analyzed = 48 in 0.53 seconds (1392 lines/second)

Understanding The Output

Much like the output of RATS this report is very simple to read. It clearly shows the functions which have been detected as potentially dangerous, as well as a description of the problem.

Including context information is very useful too as it can immediately attract attention to areas of concern, or rule out other reports as being invalid.

The analysis of the our sample code is fairly intelligent, in the sense that it didn't warn about every use of the troublesome strcpy function - only ones which it thought were potentially dangerous.

In this way it has managed to highlight all of our code's flaws whilst having no false positives.

Back to the auditing project | Back to the sample auditing page