Adding Flawfinder to Patchwatcher

Rob Shearman robertshearman at gmail.com
Sun Aug 31 08:03:38 CDT 2008


2008/8/28 Austin English <austinenglish at gmail.com>:
> I had a discussion with Dan about adding Flawfinder to the
> patchwatcher. Currently, it's got some pretty generic errors, but it
> seems able to test only patches, so we wouldn't be flooded with old
> nonbugs (or we could set up a blacklist of safe errors). For
> reference, I've run it on today's git. I'm attaching the full log, as
> well as a condensed version of the most common errors (1 per error
> type). Looks like a lot of chances for buffer overflows.
>
> Thoughts?

Too many false positives to make it worth using. Just because you use
strcpy, for example, it doesn't mean your program has a chance for a
buffer overflow; it's using strcpy with a destination buffer that
might not be large enough that causes buffer overflows.

Having some kind of static analysis done on patches before Alexandre
commits them is a good idea, but I don't think Flawfinder is the right
static analysis tool to use.

Coverity and Prefast are both static analysis tools with a bit more
intelligence that identify bad code rather than just using "bad"
functions. Other people may be able to suggest more good tools.

-- 
Rob Shearman
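As an added illustration of the distinction Rob draws (example code, not from this thread or from Wine), the first helper uses strcpy into a destination sized from the source and cannot overflow even though a lexical scanner would flag it, while the second shows that for a fixed-size destination the real defence is a length check, not avoiding the function name. Helper names are made up for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: copy src into a freshly allocated buffer sized
 * from strlen(src). A "bad function" scanner reports the strcpy call,
 * yet it cannot overflow: the destination is exactly large enough by
 * construction. The caller owns and frees the result. */
char *dup_exact(const char *src)
{
    size_t len = strlen(src);
    char *dst = malloc(len + 1);
    if (dst == NULL)
        return NULL;
    strcpy(dst, src);           /* safe: dst holds len + 1 bytes */
    return dst;
}

/* Hypothetical helper: copy into a caller-supplied, fixed-size buffer.
 * This is the case that actually matters: the destination may be too
 * small, so the copy is guarded by a size check. Returns 0 on success,
 * -1 if src (plus its terminating NUL) would not fit. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;              /* refuse rather than overflow */
    memcpy(dst, src, len + 1);  /* includes the terminating NUL */
    return 0;
}

/* Constructed check: does dup_exact reproduce src byte for byte? */
int dup_exact_matches(const char *src)
{
    char *copy = dup_exact(src);
    int ok = copy != NULL && strcmp(copy, src) == 0;
    free(copy);
    return ok;
}

/* Constructed check: would src fit in a destination of dst_size bytes?
 * A 64-byte local stands in for the caller's fixed buffer. */
int fits_in_buffer(const char *src, size_t dst_size)
{
    char buf[64];
    if (dst_size > sizeof buf)
        dst_size = sizeof buf;
    return copy_bounded(buf, dst_size, src) == 0;
}
```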
