Flawfinder

This is the main web site for flawfinder, a program that examines source code looking for security weaknesses (``flaws''). Unlike ITS4, flawfinder is open source software (as defined by the Open Source Definition) and it's fully Free Software (as defined by the Free Software Foundation's GNU project). Feel free to see Open Source Software / Free Software (OSS/FS) References or Quantitative Measures on OSS/FS for more information about OSS/FS. Flawfinder is released under the General Public License (GPL).

Flawfinder works on Unix-like systems today (it's been tested on GNU/Linux), and it should be easy to port to Windows systems. It requires Python 1.5 or greater to run (Python 1.3 or earlier won't work). It's already included in Debian and probably several other GNU/Linux distributions.

Downloading

Just select one of the following formats to get the latest version of flawfinder:

The current version of flawfinder is 0.21. Flawfinder is reliable; I've assigned it a low version number because its vulnerability database is small and needs to grow. If you want to see how it's changed, view its ChangeLog.

If you have trouble getting flawfinder here, you can download it from mirrors. For example, version 0.15 of flawfinder is available at http://packetstorm.securify.com/filedesc/flawfinder-0.15.tar.html.

If you're not sure you want to take the plunge to install the program, you can just look at the documentation in PDF or Postscript format. You can even go look at the flawfinder source code.

Installation

On Unix-like systems, if you choose the tarball format, you can uncompress and install it in the usual manner: 
  gunzip  flawfinder-*.tar.gz
  tar xvf flawfinder-*.tar
  cd flawfinder-*
  su
  make install

For RPM files, install them as would normally install an RPM file. If you want to install the RPM file through a command line, this would be: 

  rpm -Uvh flawfinder-*.noarch.rpm

Speed

flawfinder is written in Python, to simplify the task of writing and extending it. Python code is not as fast as C code, but for the task I believe it's just fine. Flawfinder version 0.12 on a 400Mhz Pentium II system analyzed 51055 lines in 39.7 seconds, resulting in an average of 1285 analyzed lines/second.

RATS

Unbenowst to me, while I was developing flawfinder, Secure Software Solutions simultaneously developed RATS, which is also a source code scanner. We agreed to release our programs simultaneously (on May 21, 2001), and we agreed to mention each other's programs in our announcements (you can even see the original flawfinder announcement). Now that we've both released our code, we plan to coordinate so that there will be a single ``best of breed'' source code scanner that is open source / free software. Exactly how this will happen is not yet clear, so be prepared for future announcements.

Until the time where we've figured out how to merge these dissimilar projects, I recommend that distributions and software development websites include both programs. Each has advantages that the other doesn't. For example, at the time of this writing advantages of Flawfinder are that it can handle internationalized programs (it knows about special calls like gettext()), it can report column numbers (as well as line numbers) of hits, and it can simply be given a directory name (it will enter the directory recursively, figure out what needs analyzing, and analyze it). In contrast, RATS can handle other languages and runs faster. Both projects are essentially automated advisors, and having two advisors look at your program is likely to be better than using only one.

You might want to look at my Secure Programming HOWTO web page.

You can also view my home page.