Flawfinder
This is the main web site for flawfinder, a program that examines
source code looking for security weaknesses ("flaws").
Unlike ITS4, flawfinder is completely open source / free software.
Flawfinder is released under the General Public License (GPL).
Flawfinder works on Unix-like systems today (it's been tested on GNU/Linux),
and it should be easy to port to Windows systems.
It requires Python to run.
Downloading
Just select this to get flawfinder:
The current version of flawfinder
is 0.12. Flawfinder is reliable; I've assigned it a
low version number because its vulnerability database
is small and needs to grow.
If you're not sure you want to take the plunge to
install the program, you can just look at
the documentation in PDF or
Postscript format.
You can even go look at the
flawfinder source code.
Installation
On Unix-like systems, you can uncompress and install it in the usual manner:
gunzip flawfinder-0.12.tar.gz
tar xvf flawfinder-0.12.tar
cd flawfinder-0.12
su
make install
Simple end-user installation processes, etc., are to come.
Speed
flawfinder is written in
Python, to simplify the task of writing and extending it.
Python code is not as fast as C code, but for the task I believe it's
just fine.
Flawfinder version 0.12 on a 400 MHz Pentium II system
analyzed 51055 lines in 39.7 seconds, resulting in an average of
1285 analyzed lines/second.
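To illustrate the kind of lexical, rule-driven scan described above, here is a small Python example written for this page (it is not flawfinder's own source, and its rule table and sample C input are constructed for the example): it blanks out comments and string literals, matches every call site against the rule table, and reports hits by line number with the highest risk first.

```python
import re

# Constructed rule set for this example (NOT flawfinder's own database):
# function name -> (risk level, note). Higher risk is reported first.
RULES = {
    "gets":    (5, "reads unbounded input into a buffer; use fgets with a size"),
    "strcpy":  (4, "no bounds check on the destination; use a length-limited copy"),
    "sprintf": (4, "can overflow the destination; use snprintf"),
}
# Comments and string/character literals are blanked out first so that a
# risky name mentioned inside them is not reported as a call.
_STRIP = re.compile(
    r'/\*.*?\*/'            # block comment
    r'|//[^\n]*'            # line comment
    r'|"(?:\\.|[^"\\])*"'   # string literal
    r"|'(?:\\.|[^'\\])*'",  # character literal
    re.S)
_CALL = re.compile(r'\b([A-Za-z_]\w*)\s*\(')

def scan(source):
    """Return (hits, lines_analyzed); each hit is (line, name, risk, note)."""
    # Replace stripped text with spaces, keeping newlines so line numbers hold.
    cleaned = _STRIP.sub(lambda m: re.sub(r'[^\n]', ' ', m.group(0)), source)
    hits = []
    for m in _CALL.finditer(cleaned):
        name = m.group(1)
        if name in RULES:
            line = cleaned.count('\n', 0, m.start()) + 1
            risk, note = RULES[name]
            hits.append((line, name, risk, note))
    hits.sort(key=lambda h: (-h[2], h[0]))   # highest risk first, then by line
    return hits, len(source.splitlines())

# Constructed sample: the names inside the comment and the string literal
# must not be reported; the three real calls (lines 7, 8, 9) must be.
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>
/* a comment that mentions strcpy(a, b) */
int main(int argc, char **argv) {
    char buf[64], cmd[128];
    printf("gets(buf) inside a string literal\n");
    strcpy(buf, argv[1]);
    gets(buf);
    sprintf(cmd, "ls %s", buf);
    return 0;
}
"""
if __name__ == "__main__":
    for line, name, risk, note in scan(SAMPLE_C)[0]:
        print("line %d: [%d] %s - %s" % (line, risk, name, note))
```

Because the scan is purely lexical, a prototype or a local function that happens to share a risky name is flagged too; that trade-off is what keeps a scanner of this kind fast and tolerant of code that does not compile.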
RATS
Unbeknownst to me, while I was developing flawfinder,
Secure Software Solutions simultaneously developed
RATS, which
is also a source code scanner.
We agreed to release our programs simultaneously (on May 21, 2001),
and we agreed to mention each other's programs in our announcements
(you can even see the original
flawfinder announcement).
Now that we've both released our code, we plan to coordinate so that
there will be a single "best of breed" source code scanner that is
open source / free software.
Exactly what shape this will take is not yet clear, so be prepared for
future announcements.
You might want to look at my
Secure Programming HOWTO
web page.
You can also view
my home page.