Senior technical expert at Taobao Mall (Tmall). 3 years of development, 3 years of performance testing/tuning and system testing, 4 years of team management plus test architecture and R&D systems work. A new stage calls for a new outlook: deepening test infrastructure and development architecture, hoping to become a genuine expert in some technical area. Referrals welcome: http://bbs.51testing.com/viewthread.php?tid=120496&extra=&page=1 . Email: jianzhao.liangjz@alibaba-inc.com, MSN: liangjianzhao@163.com, Weibo: http://t.sina.com.cn/1674816524

flawfinder: a static scanner for insecure coding patterns in C/C++ source

2009-12-01 20:10:31 / Category: search engine testing tips

Download:

http://sourceforge.net/projects/flawfinder/

 

Flawfinder is a Python program that scans C/C++ source for potentially dangerous constructs. It works by pattern matching: it looks for calls to functions in its built-in database of risky routines (strcpy, sprintf, access, readlink, execv, ...) and reports each call site with a risk level from 0 (lowest) to 5 (highest). It is lexical, not a compiler: it does not parse the program or follow data flow, and applies only simple heuristics (for example, lowering the level of a strcpy whose source is a string constant), so it cannot tell a safe call from an unsafe one and every hit has to be reviewed by hand.

For the details, see the "How does Flawfinder work?" section at http://www.dwheeler.com/flawfinder/ .

 

 

Tried on Linux with Python 2.5, against a Linux C++ project.

 

1. Set the environment variable (put the unpacked flawfinder directory on PATH)

 

export PATH=$PATH:~/flawfinder-1.27/

 

2. Run the scan. --minlevel=4 reports only hits of risk level 4 and above, --html writes an HTML report, and --followdotdir makes flawfinder descend into directories whose names start with a dot (it skips them by default). The argument "." is the project root; output is redirected to flawfinder.html.

[liangjz@b2b_plat_1367 hummock_trunk]$ flawfinder    --minlevel=4    --html  --followdotdir .  > flawfinder.html

 

3. The report (excerpt)

 

Flawfinder Results

Here are the security scan results from Flawfinder version 1.27, (C) 2001-2004 David A. Wheeler. Number of dangerous functions in C/C++ ruleset: 160

Examining ./src/common/Application.hpp

 

./src/common/Utility.c:255: [5] (race) readlink: This accepts filename arguments; if an attacker can move those files or change the link content, a race condition results. Also, it does not terminate with ASCII NUL. Reconsider approach.

./src/common/Utility.c:413: [5] (race) readlink: This accepts filename arguments; if an attacker can move those files or change the link content, a race condition results. Also, it does not terminate with ASCII NUL. Reconsider approach.

./src/client/Client.cpp:117: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination. Consider using strncpy or strlcpy (warning, strncpy is easily misused).

./src/client/mod_hummock.c:11: [4] (buffer) sprintf: Does not check for buffer overflows. Use snprintf or vsnprintf.

./src/common/Output.cpp:44: [4] (race) access: This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition. Set up the correct permissions (e.g., using setuid()) and try to open the file directly.

./src/common/Output.hpp:33: [4] (format) vfprintf: If format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.

./src/common/ProcessHandler.cpp:209: [4] (shell) execv: This causes a new program to execute and is difficult to use safely. try using a library call that implements the same functionality if available.

./src/server/AreaConf.hpp:393: [4] (format) snprintf: If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate. Use a constant for the format specification.

./src/server/Calc.cpp:265: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination. Consider using strncpy or strlcpy (warning, strncpy is easily misused).

./src/server/Hummock.cpp:113: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination. Consider using strncpy or strlcpy (warning, strncpy is easily misused).

 

Hits = 31

Lines analyzed = 17787 in 1.27 seconds (23198 lines/second)

Physical Source Lines of Code (SLOC) = 16115

Hits@level = [0] 0 [1] 0 [2] 0 [3] 0 [4] 29 [5] 2

Hits@level+ = [0+] 31 [1+] 31 [2+] 31 [3+] 31 [4+] 31 [5+] 2

Hits/KSLOC@level+ = [0+] 1.92367 [1+] 1.92367 [2+] 1.92367 [3+] 1.92367 [4+] 1.92367 [5+] 0.124108

Minimum risk level = 4

Not every hit is necessarily a security vulnerability.

There may be other security vulnerabilities; review your code!

 

 

What these mean:

Hits: 31 hits, i.e. 31 call sites that matched a risky pattern. They are potential weaknesses, not confirmed vulnerabilities; each one has to be reviewed by hand, as the last two lines of the report say.

Hits@level: number of hits at each risk level (here 29 at level 4 and 2 at level 5).

Hits@level+: number of hits at that level or higher. The [0+] through [4+] counts are all 31 only because --minlevel=4 dropped everything below level 4 before counting; run without --minlevel to see the full distribution.

Hits/KSLOC@level+: the same counts per thousand physical source lines, useful for comparing projects or releases of different size.

Minimum risk level: the --minlevel threshold used for this run.
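The hits in the excerpt above fall into three classes: unbounded copies and formats (strcpy, sprintf), attacker-influenced format strings (vfprintf, snprintf), and filename races (access, readlink, which in addition does not NUL-terminate). The following C file is an added example, not code from this post or from the scanned project, showing each flagged pattern next to a form that closes it. The function names (copy_bounded, format_log_line, readlink_nul, open_regular_file), the sample strings and the link name are my own; log_unsafe() is kept deliberately vulnerable to show the pattern flawfinder flags and is never called.

```c
/* Added example, not from the original post or the scanned project.
 * Build: cc -Wall -o ff_example ff_example.c */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* [4] (buffer) strcpy -> bounded copy that always NUL-terminates and
 * reports truncation: returns 0 if src fit, -1 if it was cut short
 * (dst is still a valid C string). strncpy is the usual "fix", but it
 * neither guarantees a terminator nor reports truncation, which is why
 * flawfinder warns about it too. */
int copy_bounded(char *dst, size_t size, const char *src)
{
    size_t n = strlen(src);
    if (size == 0)
        return -1;
    if (n >= size) {                 /* does not fit: keep size-1 bytes */
        memcpy(dst, src, size - 1);
        dst[size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);         /* includes the terminator */
    return 0;
}

/* [4] (buffer) sprintf -> snprintf with a constant format. snprintf
 * never overruns dst, but it returns the length it *wanted* to write,
 * so a result >= size means the line was truncated. Returns the length
 * written, or -1 on truncation/error. */
int format_log_line(char *dst, size_t size, const char *user, int code)
{
    int n = snprintf(dst, size, "user=%s code=%d", user, code);
    if (n < 0 || (size_t)n >= size)
        return -1;
    return n;
}

/* [4] (format) vfprintf: the dangerous pattern is letting a caller's
 * string become the format. log_unsafe() shows it (deliberately
 * vulnerable, never called here): a message containing %x or %n reads
 * or writes memory. log_safe() keeps the format a literal. */
void log_unsafe(FILE *f, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(f, fmt, ap);            /* fmt may be attacker input */
    va_end(ap);
}
void log_safe(FILE *f, const char *msg)
{
    fprintf(f, "%s\n", msg);         /* msg is only ever an argument */
}

/* [5] (race) readlink: it returns the byte count and does NOT add a
 * NUL. This wrapper reserves one byte for the terminator and treats a
 * completely filled buffer as "possibly truncated". Returns the length
 * or -1 (errno from readlink, or buffer too small). */
ssize_t readlink_nul(const char *path, char *buf, size_t size)
{
    ssize_t n;
    if (size == 0)
        return -1;
    n = readlink(path, buf, size - 1);
    if (n < 0 || (size_t)n >= size - 1)
        return -1;
    buf[n] = '\0';
    return n;
}

/* [4] (race) access(): "check with access(), then open()" looks the
 * path up twice, and an attacker who can swap the path in between wins.
 * Open once, refuse to follow a symlink at the last component, and
 * validate the object you actually got with fstat() on the descriptor.
 * Returns an fd or -1. */
int open_regular_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

int main(void)
{
    char buf[8], line[32], target[32];
    int rc = copy_bounded(buf, sizeof buf, "far too long");
    printf("copy_bounded: rc=%d dst='%s'\n", rc, buf);
    rc = format_log_line(line, sizeof line, "alice", 200);
    printf("format_log_line: rc=%d dst='%s'\n", rc, line);
    log_safe(stdout, "%x%n is printed literally by log_safe");
    /* constructed symlink to show the terminator handling; removed after use */
    if (symlink("flawfinder.html", "ff_example_link") == 0) {
        ssize_t n = readlink_nul("ff_example_link", target, sizeof target);
        printf("readlink_nul: n=%zd target='%s'\n", n, target);
        unlink("ff_example_link");
    }
    printf("open_regular_file(\"/\"): %d (a directory is rejected)\n",
           open_regular_file("/"));
    return 0;
}
```

Once a hit has been reviewed and judged safe, append the comment `/* Flawfinder: ignore */` on that line and flawfinder skips it on the next run (pass --neverignore to see such hits again); `-F` / `--falsepositive` additionally drops hits where the name only appears as a variable rather than a call. Rescanning after the fixes above should remove the strcpy, sprintf, readlink and access hits at those lines.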

 


TAG: security flawfinder scanning

 
