Hello,

I agree that it [potentially] has many false positives and this is even addressed on the homepage. While this is common to most static analyzers to some extent and requires going through each "find" with care while mumbling "again with this crap..", I still think it has some value. One person's opinion.

May the source be with you,
Best regards,
Jess Portnoy



Rasmus Lerdorf wrote:
Jess Portnoy wrote:
Hello,

clang is indeed a great tool but since it does a lot more than just
static analysis.
For those cases where one wants source code analysis, especially
security oriented, I'd recommend flawfinder
[http://www.dwheeler.com/flawfinder].

I find that flawfinder is way too simplistic.  It just does a grep for
certain strings and spews a canned warning.  For example:

basic_functions.c:137:  [4] (buffer) sprintf:
  Does not check for buffer overflows. Use snprintf or vsnprintf.
basic_functions.c:2778:  [4] (buffer) sprintf:
  Does not check for buffer overflows. Use snprintf or vsnprintf.
basic_functions.c:2779:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be
  exploited. Use a constant for the format specification.

Now, that sounds very scary, until you look at those source code lines:

137: #undef sprintf

2778:   PHP_NAMED_FE(sprintf,   PHP_FN(user_sprintf),   arginfo_sprintf)
2779:   PHP_NAMED_FE(printf,    PHP_FN(user_printf),    arginfo_printf)

It is so littered with false positives like this that I don't find it
useful.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
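As an added illustration, not code from this thread or from flawfinder, here is a small Python triage filter that takes flawfinder-style findings like the ones Rasmus quotes above, re-reads the flagged source line, and suppresses hits where the name is not actually used as a call (a preprocessor line, or an identifier that is just a macro argument). The source lines are embedded as a constructed in-memory stand-in for basic_functions.c, with one extra constructed real call at line 3001 so that a finding worth reviewing survives.

```python
import re

# Constructed sample: flawfinder-style findings in the format quoted in the thread.
# Lines 137/2778/2779 are Rasmus's examples; line 3001 is constructed for contrast.
FINDINGS = """\
basic_functions.c:137:  [4] (buffer) sprintf:
  Does not check for buffer overflows. Use snprintf or vsnprintf.
basic_functions.c:2778:  [4] (buffer) sprintf:
  Does not check for buffer overflows. Use snprintf or vsnprintf.
basic_functions.c:2779:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be
  exploited. Use a constant for the format specification.
basic_functions.c:3001:  [4] (buffer) sprintf:
  Does not check for buffer overflows. Use snprintf or vsnprintf.
"""

# Constructed in-memory stand-in for the flagged source lines (no file I/O needed).
SOURCE = {
    "basic_functions.c": {
        137: "#undef sprintf",
        2778: "\tPHP_NAMED_FE(sprintf,   PHP_FN(user_sprintf),   arginfo_sprintf)",
        2779: "\tPHP_NAMED_FE(printf,    PHP_FN(user_printf),    arginfo_printf)",
        3001: '\tsprintf(buf, "%s", name);',  # constructed: a genuine call to review
    }
}

# Parses the first line of each finding: file:line:  [level] (category) name:
HEADER = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+):\s+\[(?P<level>\d)\]\s+\((?P<cat>\w+)\)\s+(?P<func>\w+):"
)

def is_real_call(src_line, func):
    """Heuristic: True only if `func` appears as an actual call (whole identifier
    followed by '(') on a non-preprocessor line. A token grep reports the name
    wherever it occurs, e.g. in '#undef sprintf' or as a macro argument."""
    if src_line.lstrip().startswith("#"):
        return False
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(func) + r"\s*\("
    return re.search(pattern, src_line) is not None

def triage(findings_text, source):
    """Split flawfinder-style output into (kept, dropped) lists of (file, line, func)."""
    kept, dropped = [], []
    for line in findings_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # continuation lines of the canned warning text
        f, n, func = m["file"], int(m["line"]), m["func"]
        src = source.get(f, {}).get(n, "")
        (kept if is_real_call(src, func) else dropped).append((f, n, func))
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = triage(FINDINGS, SOURCE)
    print("review:", kept)
    print("suppressed as non-calls:", dropped)
```

The filter only removes the obvious non-call hits; everything it keeps still needs a human look at the actual buffer sizing and format-string origin.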
