Flawfinder

This is the main web site for flawfinder, a program that examines source code looking for security weaknesses (``flaws''). It's very useful for quickly finding and removing at least some potential security problems before a program is widely released to the public. See ``how does Flawfinder work?'', below, for more information on how it works.

Unlike ITS4 (a similar program), flawfinder is open source software (as defined by the Open Source Definition) and it's fully Free Software (as defined by the Free Software Foundation's GNU project). Feel free to see Open Source Software / Free Software (OSS/FS) References or Quantitative Measures on OSS/FS for more information about OSS/FS. Flawfinder is released under the General Public License (GPL).

Flawfinder works on Unix-like systems today (it's been tested on GNU/Linux), and it should be easy to port to Windows systems. It requires Python 1.5 or greater to run (Python 1.3 or earlier won't work). It's already included in Debian and probably several other GNU/Linux distributions.

Flawfinder is specifically designed to be easy to install and use. One user (Darryl Luff) said:

I just installed the 0.21 version of Flawfinder. I tried a few different code checking tools and it's by far the friendliest to use.

Downloading

Just select one of the following formats to get the latest version of flawfinder:

The current version of flawfinder is 1.01. If you want to see how it's changed, view its ChangeLog.

If you have trouble getting flawfinder here, you can download it from mirrors. For example, version 0.15 of flawfinder is available at http://packetstorm.securify.com/filedesc/flawfinder-0.15.tar.html.

If you're not sure you want to take the plunge to install the program, you can just look at the documentation in PDF or Postscript format. You can even go look at the flawfinder source code.

Installation

On Unix-like systems, if you choose the tarball format, you can uncompress and install it in the usual manner:

  gunzip  flawfinder-*.tar.gz
  tar xvf flawfinder-*.tar
  cd flawfinder-*
  su
  make install

For RPM files, install them as would normally install an RPM file. If you want to install the RPM file through a command line, this would be:

  rpm -Uvh flawfinder-*.noarch.rpm

Speed

flawfinder is written in Python, to simplify the task of writing and extending it. Python code is not as fast as C code, but for the task I believe it's just fine. Flawfinder version 0.12 on a 400Mhz Pentium II system analyzed 51055 lines in 39.7 seconds, resulting in an average of 1285 analyzed lines/second.

How does Flawfinder Work?

Flawfinder works by using a built-in database of C/C++ functions with well-known problems, such as buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random()).

Flawfinder produces a list of ``hits'' (potential security flaws), sorted by risk; by default the riskiest hits are shown first. This risk level depends not only on the function, but on the values of the parameters of the function. For example, constant strings are often less risky than fully variable strings in many contexts. In some cases, flawfinder may be able to determine that the construct isn't risky at all, reducing false positives. Also, Flawfinder correctly ignores text inside comments and strings (except for flawfinder directives). Flawfinder knows about gettext (a common library for internationalized programs) and will treat constant strings passed through gettext as though they were constant strings; this reduces the number of false hits in internationalized programs. Thus, flawfinder gives better information - and better prioritization - than simply running "grep" on the source code.

Not every hit is actually a security vulnerability, and not every security vulnerability is necessarily found. In fact, note that flawfinder doesn't really ``understand'' the semantics of the code at all - it merely does simple text pattern matching. Nevertheless, flawfinder can be a very useful aid in finding and removing security vulnerabilities.

RATS

Unbenowst to me, while I was developing flawfinder, Secure Software Solutions simultaneously developed RATS, which is also a source code scanner. We agreed to release our programs simultaneously (on May 21, 2001), and we agreed to mention each other's programs in our announcements (you can even see the original flawfinder announcement). Now that we've both released our code, we plan to coordinate so that there will be a single ``best of breed'' source code scanner that is open source / free software. Exactly how this will happen is not yet clear, so be prepared for future announcements.

Until the time where we've figured out how to merge these dissimilar projects, I recommend that distributions and software development websites include both programs. Each has advantages that the other doesn't. For example, at the time of this writing Flawfinder is easier to use - just give flawfinder a directory name, and flawfinder will enter the directory recursively, figure out what needs analyzing, and analyze it. Other advantages of flawfinder are that it can handle internationalized programs (it knows about special calls like gettext(), unlike RATS), flawfinder can report column numbers (as well as line numbers) of hits, and flawfinder can produce HTML-formatted results. The automated recursion and HTML formatted results make flawfinder especially nice for source code hosting systems. The flawfinder database includes a number of entries not in RATS, so flawfinder will find things RATS won't. In contrast, RATS can handle other programming languages and runs faster. Both projects are essentially automated advisors, and having two advisors look at your program is likely to be better than using only one (it's somewhat analogous to having two people review your code for security).

Flawfinder, RATS, and ITS4 are all discussed in the Linux Journal article Source Code Scanners for Better Code. Another somewhat related tool is MOPS.

You might want to look at my Secure Programming HOWTO web page.

You can also view my home page.