Christian Kurz (shorty@debian.org) said: > Would you mind explaining in which aspects it differs from rats, which > is already packaged for debian? At least both offer to scan sources for > potential dangerous function calls or other security flaws. So knowing > about the difference would be great and helpful. Sure, as maintainer of both, I'd be happy to. Rats and flawfinder are very similar. So much so, that the authors plan on merging them sometime in the future, but aren't sure how they're going to go about it yet. The main difference would be in the languages that they currently scan. rats checks c, php, python, and perl. flawfinder checks c/c++. They each maintain their own databases of stuff to check for (the rats db is currently larger). It's also worth mentioning that rats is written by Secure Software Solutions, and is apparently based on the contents of _Building Secure Software_. flawfinder is written by David Wheeler, who is also the author of the Secure Programming for Unix and Linux HOWTO. I'd probably not recommend one over the other, but would instead recommend using both to check your code. -- Adam Lazur, Cluster Monkey
Attachment:
pgpCtQWN1xvnF.pgp
Description: PGP signature