Bug#117657: ITP: flawfinder -- examines source code and looks for security weaknesses

Christian Kurz (shorty@debian.org) said:
> Would you mind explaining in which aspects it differs from rats, which
> is already packaged for Debian? At least both offer to scan sources for
> potentially dangerous function calls or other security flaws. So knowing
> about the difference would be great and helpful.

Sure, as maintainer of both, I'd be happy to.

Rats and flawfinder are very similar. So much so, that the authors plan
on merging them sometime in the future, but aren't sure how they're
going to go about it yet.

The main difference would be in the languages that they currently scan.
rats checks C, PHP, Python, and Perl. flawfinder checks C/C++.

They each maintain their own databases of stuff to check for (the rats
db is currently larger).

It's also worth mentioning that rats is written by Secure Software
Solutions, and is apparently based on the contents of _Building Secure
Software_. flawfinder is written by David Wheeler, who is also the
author of the Secure Programming for Unix and Linux HOWTO.

I'd probably not recommend one over the other, but would instead
recommend using both to check your code.

Adam Lazur, Cluster Monkey
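As an added illustration of the kind of check both tools perform (this is example code written for this page, not rats' or flawfinder's own code, and the rule table below is a small constructed stand-in for their real databases), here is a lexical scanner that flags calls to risky C library functions while ignoring matches inside comments and string literals. Function names, risk levels and remediation notes in `RULES`, and the sample C file, are assumptions chosen for the demonstration.

```python
import re

# Constructed rule database: function name -> (risk, note). Real rats/flawfinder
# databases are much larger; these entries are illustrative assumptions.
RULES = {
    "gets":    ("high",   "reads unbounded input into a fixed buffer; use fgets"),
    "strcpy":  ("high",   "no destination length check; use strncpy/strlcpy"),
    "strcat":  ("high",   "no destination length check; use strncat/strlcat"),
    "sprintf": ("high",   "unbounded formatted write; use snprintf"),
    "system":  ("medium", "shell metacharacters are interpreted if input reaches it"),
}

# identifier immediately followed by '(' -> a call (or macro use) of that name
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def _strip_noise(line, in_block):
    """Return (code-only text, in_block) with comments and quoted literals removed.

    in_block tracks whether a /* ... */ comment is open across lines so that a
    dangerous name mentioned inside a multi-line comment is not reported.
    """
    out = []
    i = 0
    while i < len(line):
        if in_block:
            end = line.find("*/", i)
            if end < 0:
                return "".join(out), True
            i, in_block = end + 2, False
            continue
        if line.startswith("/*", i):
            in_block, i = True, i + 2
            continue
        if line.startswith("//", i):
            break
        if line[i] in ('"', "'"):
            quote, j = line[i], i + 1
            while j < len(line) and line[j] != quote:
                j += 2 if line[j] == "\\" else 1   # skip escaped characters
            i = j + 1
            continue
        out.append(line[i])
        i += 1
    return "".join(out), in_block


def scan_source(text, rules=RULES):
    """Scan C/C++ source text; return [(line_no, name, risk, note), ...] in line order."""
    findings = []
    in_block = False
    for line_no, raw in enumerate(text.splitlines(), 1):
        code, in_block = _strip_noise(raw, in_block)
        for match in CALL_RE.finditer(code):
            name = match.group(1)
            if name in rules:
                risk, note = rules[name]
                findings.append((line_no, name, risk, note))
    return findings


def format_report(findings):
    """One human-readable line per finding, highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    ranked = sorted(findings, key=lambda f: (order.get(f[2], 9), f[0]))
    return [f"line {ln}: [{risk}] {name}() - {note}" for ln, name, risk, note in ranked]


# Constructed sample input: a small C function with two real hits, one hit that
# only appears in a comment, and one that only appears inside a string literal.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* strcpy() mentioned in a comment must not be reported */
int greet(const char *name) {
    char buf[32];
    char line[64];
    strcpy(buf, name);             // reported: unbounded copy
    printf("Hello %s", buf);       // printf is not in the rule set
    gets(line);                    // reported: unbounded read
    snprintf(buf, sizeof buf, "%s", "gets(x)");  // literal only, not reported
    return 0;
}
"""

if __name__ == "__main__":
    for entry in format_report(scan_source(SAMPLE_C)):
        print(entry)
```

Running the module prints the two genuine hits (`strcpy` on line 8 and `gets` on line 10) and nothing for the comment or the string literal. Like the real tools, this is a lexical match with no data-flow analysis, so it is a triage aid: every hit still needs a human to confirm whether the call is actually reachable with attacker-controlled input.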