Installing and using Flawfinder


    The tool's source code is at: https://github.com/david-a-wheeler/flawfinder

    Installation

    Install it with pip:

    pip install flawfinder

    After installation, run flawfinder -h; if the help text appears, the install succeeded.

    If pip prints a warning like the one shown below during installation,

    you may need to set an environment variable. See the following link for details:

    https://blog.csdn.net/White_Idiot/article/details/78253004

    Usage

    Run the following command to statically analyse the code:

    flawfinder [path-to-source-directory]

    If everything works, you should see output similar to this:

    ...
    FINAL RESULTS:
    ...
    ./repo/pngwutil.c:1547:  [1] (buffer) strlen:
      Does not handle strings that are not \0-terminated; if given one it may
      perform an over-read (it could cause a crash if unprotected) (CWE-126).
    ./repo/pngwutil.c:1602:  [1] (buffer) strlen:
      Does not handle strings that are not \0-terminated; if given one it may
      perform an over-read (it could cause a crash if unprotected) (CWE-126).
    ./repo/pngwutil.c:1670:  [1] (buffer) strlen:
      Does not handle strings that are not \0-terminated; if given one it may
      perform an over-read (it could cause a crash if unprotected) (CWE-126).
    ./repo/pngwutil.c:1672:  [1] (buffer) strlen:
      Does not handle strings that are not \0-terminated; if given one it may
      perform an over-read (it could cause a crash if unprotected) (CWE-126).
    ./repo/pngwutil.c:1686:  [1] (buffer) strlen:
      Does not handle strings that are not \0-terminated; if given one it may
      perform an over-read (it could cause a crash if unprotected) (CWE-126).
    ./repo/pngwutil.c:1768:  [1] (buffer) strlen:
      Does not handle strings that are not \0-terminated; if given one it may
      perform an over-read (it could cause a crash if unprotected) (CWE-126).
    ./repo/pngwutil.c:1780:  [1] (buffer) strlen:
      Does not handle strings that are not \0-terminated; if given one it may
      perform an over-read (it could cause a crash if unprotected) (CWE-126).
    ./repo/pngwutil.c:1817:  [1] (buffer) strlen:
      Does not handle strings that are not \0-terminated; if given one it may
      perform an over-read (it could cause a crash if unprotected) (CWE-126).
    ./repo/pngwutil.c:1818:  [1] (buffer) strlen:
      Does not handle strings that are not \0-terminated; if given one it may
      perform an over-read (it could cause a crash if unprotected) (CWE-126).
    
    
    ANALYSIS SUMMARY:
    
    Hits = 545
    Lines analyzed = 95250 in approximately 1.01 seconds (94739 lines/second)
    Physical Source Lines of Code (SLOC) = 62997
    Hits@level = [0] 718 [1]  96 [2] 304 [3]   9 [4] 136 [5]   0
    Hits@level+ = [0+] 1263 [1+] 545 [2+] 449 [3+] 145 [4+] 136 [5+]   0
    Hits/KSLOC@level+ = [0+] 20.0486 [1+] 8.65121 [2+] 7.12732 [3+] 2.3017 [4+] 2.15883 [5+]   0
    Dot directories skipped = 12 (--followdotdir overrides)
    Minimum risk level = 1
    
    Not every hit is necessarily a security vulnerability.
    You can inhibit a report by adding a comment in this form:
    // flawfinder: ignore
    Make *sure* it's a false positive!
    You can use the option --neverignore to show these.
    
    There may be other security vulnerabilities; review your code!
    See 'Secure Programming HOWTO'
    (https://dwheeler.com/secure-programs) for more information.
    
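    As an added example (not from the original post and not part of flawfinder itself), here is a small Python parser for the default text report shown above: it turns each hit into a record, counts hits by CWE and risk level, and picks out the ones a CI job should block on. The strcpy hit in ./repo/example.c inside the sample is constructed for the demonstration.

```python
import re
from collections import Counter

# Hit header: "<path>:<line>:  [<level>] (<category>) <func>:"; the indented
# description lines that follow carry the CWE id in parentheses.
HIT_RE = re.compile(r"^(?P<path>[^:\s]+):(?P<line>\d+):\s+\[(?P<level>\d)\]\s+"
                    r"\((?P<category>\w+)\)\s+(?P<func>\w+):")
CWE_RE = re.compile(r"\(CWE-(\d+)\)")

# Constructed sample: two strlen hits copied from the report above plus a made-up
# level-4 strcpy hit in a hypothetical ./repo/example.c so the gate has something to catch.
SAMPLE_REPORT = r"""FINAL RESULTS:

./repo/pngwutil.c:1547:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
./repo/pngwutil.c:1602:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
./repo/example.c:42:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy.

ANALYSIS SUMMARY:
"""

def parse_report(text):
    """Turn the text report into a list of hit dicts (path, line, level, cwe, desc)."""
    hits = []
    for line in text.splitlines():
        if line.startswith("ANALYSIS SUMMARY"):
            break  # the rest is aggregate statistics, not hits
        m = HIT_RE.match(line)
        if m:
            hits.append({"path": m["path"], "line": int(m["line"]), "level": int(m["level"]),
                         "category": m["category"], "function": m["func"], "cwe": None, "desc": ""})
        elif hits and line.startswith("  "):  # continuation of the last hit's description
            hits[-1]["desc"] += line.strip() + " "
            cwe = CWE_RE.search(line)
            if cwe and hits[-1]["cwe"] is None:
                hits[-1]["cwe"] = "CWE-" + cwe.group(1)
    return hits

def summarize(hits):
    # Counts per CWE and per risk level, like ANALYSIS SUMMARY but on the parsed hits.
    return {"by_cwe": Counter(h["cwe"] for h in hits),
            "by_level": Counter(h["level"] for h in hits)}

def gate(hits, min_level=3, cwes=None):
    """Hits a CI job should block on: level >= min_level, optionally limited to given CWEs."""
    return [h for h in hits if h["level"] >= min_level and (cwes is None or h["cwe"] in cwes)]
```

    Feed it a real report with parse_report(open("results.txt").read()) and a non-empty gate() result can fail the build while low-level strlen noise is only counted.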

    The results are printed to the terminal, which is not very convenient. Flawfinder also offers several other output formats.

    For example, the --html option writes the results as an HTML report:

    flawfinder --quiet --html ./repo/ > results.html

    The result of running the command above:

    It can also write SARIF:

    flawfinder --quiet --sarif ./repo/ > results.sarif

    More formats are described in the official manual: http://dwheeler.com/flawfinder/flawfinder.pdf

    Flawfinder supports the following weakness types (those marked with * are also on the CWE/SANS Top 25 list):

    • CWE-20: Improper Input Validation
    • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")
    • CWE-78: Improper Neutralization of Special Elements used in an OS Command ("OS Command Injection")*
    • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer (a parent of CWE-120*, so this is shown as CWE-119!/CWE-120)
    • CWE-120: Buffer Copy without Checking Size of Input ("Classic Buffer Overflow")*
    • CWE-126: Buffer Over-read
    • CWE-134: Uncontrolled Format String*
    • CWE-190: Integer Overflow or Wraparound*
    • CWE-250: Execution with Unnecessary Privileges
    • CWE-327: Use of a Broken or Risky Cryptographic Algorithm*
    • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ("Race Condition")
    • CWE-377: Insecure Temporary File
    • CWE-676: Use of Potentially Dangerous Function*
    • CWE-732: Incorrect Permission Assignment for Critical Resource*
    • CWE-785: Use of Path Manipulation Function without Maximum-sized Buffer (child of CWE-120*, so this is shown as CWE-120/CWE-785)
    • CWE-807: Reliance on Untrusted Inputs in a Security Decision*
    • CWE-829: Inclusion of Functionality from Untrusted Control Sphere*

    To report only a particular type of weakness, add the --regex option; it keeps just the hits whose text matches the regular expression, so a CWE id works as a filter:

    flawfinder --quiet --sarif --regex "CWE-120|CWE-126" ./repo/ > results.sarif

    Problems encountered

    Problem 1: the following encoding error was reported during a scan.

    Error: encoding error in ./contrib/gregbook/rpng-x.c
    'utf-8' codec can't decode byte 0xe7 in position 1146: invalid continuation byte
    
    Python3 requires input character data to be perfectly encoded;
    it also requires perfectly correct system encoding settings.
    Unfortunately, your data and/or system settings are not.
    Here are some options:
    1. Run: PYTHONUTF8=0 python3 flawfinder
       if your system and and data are all properly set up for
       a non-UTF-8 encoding.
    2. Run: PYTHONUTF8=0 LC_ALL=C.ISO-2022 python3 flawfinder
       if your data has a specific encoding such as ISO-2022
       (replace "ISO-2022" with the name of your encoding,
       and optionally replace "C" with your native language).
    3. Run: PYTHONUTF8=0 LC_ALL=C.ISO-8859-1 python3 flawfinder
       if your data has an unknown or inconsistent encoding
       (ISO-8859-1 encoders normally allow anything).
    4. Convert all your source code to the UTF-8 encoding.
       The system program "iconv" or Python program "cvt2utf" can
       do this (for cvt2utf, you can use "pip install cvt2utf").
    5. Run: python2 flawfinder
       (That is, use Python 2 instead of Python 3).
    

    Solution: convert the source code to UTF-8.

    The author thoughtfully includes the hint in the error message: the cvt2utf tool can do the conversion. Its GitHub link: https://github.com/x1angli/cvt2utf

    Run the following commands in order.

    pip install cvt2utf # install cvt2utf
    cvt2utf convert ./ -b -i c cpp -x txt # convert the .c and .cpp files to UTF-8

    After that, running flawfinder again gave me no errors.

    If you do not need the backups, run the following command to delete the pre-conversion backup files.

    cvt2utf cleanbak ./

    As an aside, the tool author's website has a lot of solid material worth digging through (😀):
    https://dwheeler.com/

    Original post: https://blog.csdn.net/u013648063/article/details/126201609