2008/8/28 Austin English <[EMAIL PROTECTED]>:
> I had a discussion with Dan about adding Flawfinder to the
> patchwatcher. Currently, it's got some pretty generic errors, but it
> seems able to test only patches, so we wouldn't be flooded with old
> nonbugs (or we could set up a blacklist of safe errors). For
> reference, I've run it on today's git. I'm attaching the full log, as
> well as a condensed version of the most common errors (1 per error
> type). Looks like a lot of chances for buffer overflows..
>
> Thoughts?
Too many false positives to make it worth using. Just because you use strcpy, for example, it doesn't mean your program has a chance for a buffer overflow; it's using strcpy with a destination buffer that might not be large enough that causes buffer overflows.

Having some kind of static analysis done on patches before Alexandre commits them is a good idea, but I don't think Flawfinder is the right static analysis tool to use. Coverity and Prefast are both static analysis tools with a bit more intelligence that identify bad code rather than just using "bad" functions. Other people may be able to suggest more good tools.

-- 
Rob Shearman
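The distinction Rob draws, as an added illustration that is not part of the thread or of Wine's code: two strcpy() calls that look identical to a token-based scanner, one provably safe and one a real overflow, plus a checked replacement for the unsafe one and a reduced-to-essentials name-matching scan that reports both calls equally. The buffer size, function names and sample strings are constructed for the example.

```c
/* Added example, not from the wine-devel thread or the Wine tree.
 * Shows why "uses strcpy" is not the same as "has a buffer overflow":
 * only the call whose destination may be too small is a defect. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16              /* constructed fixed buffer size */

static char scratch[NAME_MAX];   /* destination used by the examples */

/* Case 1: strcpy() is safe here. The source is a literal whose size
 * is known at compile time (5 bytes including the NUL) and the
 * destination is NAME_MAX bytes; reporting this call is a false positive. */
size_t fill_fixed_tag(char out[NAME_MAX])
{
    static const char tag[] = "wine";
    strcpy(out, tag);            /* sizeof(tag) == 5 <= NAME_MAX */
    return strlen(out);
}

/* Case 2: the genuine defect. The destination is fixed and the source is
 * caller-controlled, so any name of NAME_MAX bytes or more runs past out[].
 * This is the call a size-aware analysis should report. Never called with
 * an oversized name below, since that would be undefined behaviour. */
void copy_name_unsafe(char out[NAME_MAX], const char *name)
{
    strcpy(out, name);           /* overflows when strlen(name) >= NAME_MAX */
}

/* Hardened form of case 2: check the bound explicitly and refuse input
 * that does not fit rather than truncating silently.
 * Returns 0 on success, -1 if the name is too long. */
int copy_name_checked(char out[NAME_MAX], const char *name)
{
    size_t len = strlen(name);
    if (len >= NAME_MAX)
        return -1;
    memcpy(out, name, len + 1);  /* len + 1 copies the terminating NUL */
    return 0;
}

/* A Flawfinder-style check reduced to its essence: count textual calls to
 * a "bad" function name. It cannot see buffer sizes, so it reports the
 * safe and the unsafe strcpy() above identically. */
int count_calls(const char *source, const char *func)
{
    int n = 0;
    size_t flen = strlen(func);
    const char *p = source;
    while ((p = strstr(p, func)) != NULL) {
        const char *q = p + flen;
        while (*q == ' ' || *q == '\t')
            q++;
        if (*q == '(')
            n++;
        p += flen;
    }
    return n;
}

/* Constructed source snippet standing in for the two functions above. */
static const char SNIPPET[] =
    "strcpy(out, tag);\n"
    "strcpy(out, name);\n"
    "memcpy(out, name, len + 1);\n";

int main(void)
{
    printf("fixed tag length: %zu\n", fill_fixed_tag(scratch));
    copy_name_unsafe(scratch, "ntdll");      /* short input, stays in bounds */
    printf("short name: %d\n", copy_name_checked(scratch, "kernel32"));
    printf("long name:  %d\n", copy_name_checked(scratch, "this-name-is-far-too-long"));
    printf("strcpy calls flagged by name matching: %d\n",
           count_calls(SNIPPET, "strcpy"));
    return 0;
}
```

The name-matching scan flags both strcpy() calls and ignores the memcpy() in the checked version even though memcpy() with a wrong length is just as dangerous; the property that matters, whether the destination can hold the source, is only visible to a tool that reasons about sizes.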