2008/8/28 Austin English austinenglish@gmail.com:
> I had a discussion with Dan about adding Flawfinder to the patchwatcher. Currently, it's got some pretty generic errors, but it seems able to test only patches, so we wouldn't be flooded with old nonbugs (or we could set up a blacklist of safe errors). For reference, I've run it on today's git. I'm attaching the full log, as well as a condensed version of the most common errors (1 per error type). Looks like a lot of chances for buffer overflows.
> Thoughts?
Too many false positives to make it worth using. Just because you use strcpy, for example, it doesn't mean your program has a chance for a buffer overflow; it's using strcpy with a destination buffer that might not be large enough that causes buffer overflows.
Having some kind of static analysis done on patches before Alexandre commits them is a good idea, but I don't think Flawfinder is the right static analysis tool to use.
Coverity and Prefast are both static analysis tools with a bit more intelligence that identify bad code rather than just using "bad" functions. Other people may be able to suggest more good tools.
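To make the strcpy point above concrete, here is an added example (not code from the thread or from Wine) contrasting two uses that a function-name matcher like Flawfinder reports identically. The first copies into a heap buffer sized from the source and cannot overflow; the second copies into a fixed 16-byte array, which is the shape that does overflow unless the length is checked first. The buffer size, the function names and the sample strings are all invented for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Use 1: strcpy that a pattern matcher flags but that cannot overflow,
 * because the destination is allocated from strlen(src) at run time. */
char *dup_with_strcpy(const char *src)
{
    size_t len = strlen(src);
    char *dst = malloc(len + 1);
    if (dst == NULL)
        return NULL;
    strcpy(dst, src);   /* exactly len + 1 bytes are available */
    return dst;
}

/* Use 2: fixed-size destination. This is the shape that really overflows
 * when src is longer than the array. The copy is guarded here; drop the
 * check and you have the bug the tool is supposed to be looking for. */
#define NAME_MAX_LEN 16   /* assumed buffer size for the example */

int copy_name(char name[NAME_MAX_LEN], const char *src)
{
    if (strlen(src) >= NAME_MAX_LEN)   /* leave room for the NUL */
        return -1;                     /* refuse rather than overflow */
    strcpy(name, src);
    return 0;
}

/* Decide, without performing the copy, whether an unguarded strcpy into a
 * dest_size-byte buffer would write past its end. This is the question a
 * smarter analyser answers; a name matcher never asks it. */
int strcpy_would_overflow(size_t dest_size, const char *src)
{
    return strlen(src) + 1 > dest_size;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    const char *ok = "wineserver";                   /* 10 chars, fits */
    const char *too_long = "a_name_longer_than_16_bytes"; /* 27 chars */

    char *copy = dup_with_strcpy(too_long);
    printf("dup_with_strcpy: %s\n", copy);
    free(copy);

    printf("copy_name(ok) = %d\n", copy_name(name, ok));
    printf("copy_name(too_long) = %d\n", copy_name(name, too_long));
    printf("unguarded strcpy of too_long into %d bytes overflows: %d\n",
           NAME_MAX_LEN, strcpy_would_overflow(NAME_MAX_LEN, too_long));
    return 0;
}
```

Both `strcpy` calls trigger the same Flawfinder line, yet only the unguarded fixed-array variant is a defect, which is exactly why a tool that reasons about buffer sizes (as the reply suggests) produces far fewer false positives than one that keys on function names.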