Adding Flawfinder to Patchwatcher

Jason Spiro jasonspiro4 at gmail.com
Sun Sep 7 13:10:24 CDT 2008


Rob Shearman <robertshearman <at> gmail.com> wrote:
> Coverity and Prefast are both static analysis tools with a bit more
> intelligence that identify bad code rather than just using "bad"
> functions.

I'm pretty sure Coverity's tool, Prevent, costs money to buy.  IIRC if the
maintainers of an OSS project ask them to, they will set their
http://scan.coverity.com server to run a scan on that project's code and upload
the scan results to the web at no charge.  But their tool will always remain
closed-source (unmodifiable) software.

Prefast is closed-source freeware for Windows.  IIRC they ship it as part of a
package called "Prefast for Drivers".  The package includes Prefast, plus a
Prefast plugin for scanning Windows hardware drivers.  You don't have to use the
plugin.

> Other people may be able to suggest more good tools.

AFAIK "splint" is one of the most popular OSS static analysis tools, but I've
never really used it.  Has anyone here used it?  On the flawfinder homepage, it
says that splint does deeper analysis than flawfinder.  It says it "...works
somewhat like lint, searching for probable errors; to really use it, developers
need to add additional annotations to help the tool identify problems. This is a
very mature program, widely used, and one you can start using right away on
'real programs'."
