Commit graph

29 commits

Author SHA1 Message Date
rillig
9fd786bb11 security: align variable assignments
pkglint -Wall -F --only aligned --only indent -r

No manual corrections.
2019-11-04 21:12:51 +00:00
maya
f34a8c24a3 PKGREVISION bump for anything using python without a PYPKGPREFIX.
This is a semi-manual PKGREVISION bump.
2019-04-25 07:32:34 +00:00
wiz
8733ee0040 Follow some http -> https redirects. 2017-08-01 14:58:51 +00:00
agc
5293710fb4 Add SHA512 digests for distfiles for security category
Problems found locating distfiles:
	Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
	Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
	Package libidea: missing distfile libidea-0.8.2b.tar.gz
	Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
	Package uvscan: missing distfile vlp4510e.tar.Z

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
2015-11-04 01:17:40 +00:00
mef
e9b11ec7ca (pkgsrc)
- Add LICENSE= gnu-gpl-v2
(upstream)
 - Update 1.27 to 1.31
----------------------
2014-08-03 David A. Wheeler <dwheeler, at, dwheeler.com>
        * Release version 1.31, a set of small improvements mostly CWE-related.
        * Note that flawfinder is officially CWE-compatible.
        * Support GNU make install conventions (prefix, bindir, DESTDIR, etc.).
          The older program-specific conventions are still supported, but
          the documentation emphasizes using the standard conventions instead.
        * Simplified installation text.
        * Added more wide character function rules.
        * Add reference to info at "http://www.dwheeler.com/secure-programs".
        * Document that hitlists should be trusted to be loaded or diffed.
          These are implemented using Python's pickle module, and that module
          presumes the data is from a trustworthy source.  In the expected
          use case this is fine... but it needed to be documented.
        * Tweak/improve mappings to CWE.  E.G., strlen()
          better maps to CWE-126 (buffer over-read).  In a few cases the
          CWE mappings weren't reported as such; that is now fixed.
          CWEs are actually a hierarchy; expose a little of this so
          people can more easily search on them.
        * Improved error detection and reporting.  In particular, error
          messages are sent to standard errors, filenames listed but
          non-existent trigger a separate warning, and there's a warning
          about non-existent filenames listed on the command line that
          begin with the UTF-8 long dash sequence (users might not notice
          the difference between long dash and dash, and this can happen
          in some cases when copying and pasting).
        * Add "-H" option as synonym for "--html".

2014-07-19 David A. Wheeler <dwheeler, at, dwheeler.com>
        * Release 1.29, primarily for CWE improvements.
        * Multi-line formatting is faster and formats better.
        * Documentation about CWEs has been improved.
        * HTML format includes links from CWE identifiers to their definitions.
        * Tweak CWE mappings, e.g., strlen maps to CWE-126 (buffer over-read).
        * Option "--listrules" now gives default warning and is tab-delimited.
        * Regression test suite now also tests the generated HTML.

2014-07-13 David A. Wheeler <dwheeler, at, dwheeler.com>
        * Release 1.28
        * Common Weakness Enumeration (CWE) references are
          now included in most hits
        * Handle files not ending in newline (thanks to Alexis Wilke)
        * Documentation clarifications
        * Added support for "git diff" in patchfile processing
        * Handles unbalanced double-quotes in sprintf
        * Fix incorrect time executed report
        * Fix bug to allow "flawfinder ." (fix bug#3)
        * Fix ignore directive when filenames differ (fix bug#6)
2015-03-11 00:51:06 +00:00
wiz
3faf991a33 Bump applications PKGREVISIONs for python users that might be using
python3, since the default changed from python33 to python34.

I probably bumped too many. I hope I got them all.
2014-05-17 16:10:41 +00:00
wiz
a1f0ff3f67 No need to have two variables for the same logic.
Replace PYTHON_PATCH_SCRIPTS with REPLACE_PYTHON.
2014-01-25 10:45:15 +00:00
asau
1a433eae91 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-23 18:16:19 +00:00
obache
2cd654bab6 Bump PKGREVISION from default python to 2.7. 2012-03-15 11:53:20 +00:00
joerg
3a06eb96bf Bump revision for PYTHON_VERSION_DEFAULT change. 2010-02-10 19:17:31 +00:00
joerg
b7f3604848 DESTDIR support 2010-01-27 16:52:13 +00:00
joerg
3c645bb7fc Switch to Python 2.5 as default. Bump revision of all packages that have
changed runtime dependencies now.
2009-02-09 22:56:21 +00:00
adrianp
71bd3f9136 Update to 1.27
2007-01-16 David A. Wheeler <dwheeler, at, dwheeler.com>
* Release version 1.27

2007-01-16 Sebastien Tandel <sebastien, at, tandel (doht) be)
* Cleaned up code for patch handling, fix bug in subdir handling,
include patch info in help.

2007-01-15 Steve Kemp <steve at shellcode dot org>
* Fix Debian bug 268236.
This complains that flawfinder crashes when presented with a
file it cannot read.  The patch obviously can't prevent
the problem, since the tool can't review what it can't read,
but at least it halts with a cleaner error message.

2007-01-15 cmorgan <cmorgan47, at earthlink dooot net>
* Fixed Debian bug 271287 (flawfinder).
Fixed skipping newlines when line ended with \,
which caused incorrect line number reporting.
Skip multiple whitespace at one time.

2007-01-15 David A. Wheeler <dwheeler, at, dwheeler.com>
* Modified Sebastien Tandel's code so that it also supports GNU diff
(his code worked only for svn diff)
* When using a patchfile, skip analysis of any file not
listed in the patchfile.

2007-01-15 Sebastien Tandel <sebastien, at, tandel (doht) be)
* Add support for using "svn diff" created patch files, based
on the approach described by David A. Wheeler on how it
could be done.

2007-01-15 David A. Wheeler <dwheeler, at, dwheeler.com>
* By default, now skips directories beginning with "."
(this makes it work nicely with many SCM systems).
Added "--followdotdir" option if you WANT it to enter
such directories.
* Fixed divide-by-zero when no code found (not exactly common
in normal use, but anyway!)
2007-01-17 21:48:25 +00:00
rillig
34a9ff2e26 Fixed PKGMANDIR. 2006-12-02 16:01:45 +00:00
jlam
9c8b5ede43 Point MAINTAINER to pkgsrc-users@NetBSD.org in the case where no
developer is officially maintaining the package.

The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list).  Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
2006-03-04 21:28:51 +00:00
rillig
5740707b65 Fixed all pkglint warnings. 2006-02-15 13:43:35 +00:00
joerg
5911def816 Recursive revision bump / recommended bump for gettext ABI change. 2006-02-05 23:08:03 +00:00
rillig
5946936ffc Replaced "# defined" with "yes" in Makefile variables like GNU_CONFIGURE,
NO_BUILD, USE_LIBTOOL.
2005-09-28 20:52:18 +00:00
jlam
e46a9dd380 Create directories before installing files into them. 2005-06-17 03:50:19 +00:00
agc
d81d19f8e0 Add RMD160 digests. 2005-02-24 12:51:41 +00:00
snj
24d928e694 Update flawfinder to 1.26. Don't set PY_PATCHPLIST, as it is useless.
Don't include python/extension.mk, as it is also useless.  Don't set
NO_CONFIGURE, because it makes PYTHON_PATCH_SCRIPTS useless.  Don't set
MAKEFILE, as we don't actually use the included makefile for anything.

Changes since 1.24:
* Added more support for Microsoft's approach to internationalization.
* Added two new rules for GLib functions, "g_get_home_dir" and
  "g_get_tmp_dir".
* Added curl_getenv().
* Added several rules for input functions (for -I) -
  recv, recvfrom, recvmsg, fread, and readv.
* Tightened the false positive test slightly; if a name is
  followed by = or - or + it's unlikely to be a function call,
  so it'll be quietly discarded.
* Modified the summary report format slightly.
* Modified the getpass text to remove an extraneous character.
* Added rules for cuserid, getlogin, getpass, mkstemp, getpw, memalign,
  as well as the obsolete functions gsignal, ssignal, ulimit, usleep.
* Modified text for strncat to clarify it.
* Fixed error in --columns format, so that the output is simply
  "filename:linenumber:columnnumber" when --columns (-C) is used.
* Eliminated "Number of" phrase in the footer report
* Added more statistical information to the footer report.
* Added shortcut single-letter commands (-D for --dataonly,
  -Q for --quiet, -C for --columns), so that invoking from
  editors is easier.
* Tries to autoremove some false positives.  In particular, a function
  name followed immediately by "=" (ignoring whitespace)
  is automatically considered to be a variable and NOT a function,
  and thus doesn't register as a hit.  There are exotic cases
  where this won't be correct, but they're pretty unlikely in
  real code.
* Added a "--falsepositive" (-F) option, which tries to remove
  many more likely false positives.
2004-06-23 16:19:41 +00:00
wiz
eeb4a8a94f Update to 1.24:
2003-10-29 David A. Wheeler
        * Fixed an incredibly obscure parsing error that caused some
          false positives.  If a constant C string, after the closing
          double-quote, is followed by a \ and newline (instead of a comma),
          the string might not be recognized as a constant string
          (thus triggering warnings about non-constant values in some cases).
          This kind of formatting is quite ugly and rare.
          My thanks to Sascha Nitsch (sascha, at spsn.ath.cx) for pointing
          this bug out and giving me a test case to work with.
        * Added a warning for readlink.  The implementation and warning
          are mine, but the idea of warning about readlink came from
           Stefan Kost (kost, at imn.htwk-leipzig.de).  Thanks!!

2003-09-27 David A. Wheeler
        * Released version 1.23.  Minor bugfixes.

2003-09-27 David A. Wheeler
        * Fixed subtle bug - in some circumstances single character constants
          wouldn't be parsed correctly.  My thanks to Scott Renfro
          <scottdonotspam, at renfro.org> for notifying me about this bug.
          Scott Renfro also sent me a patch; I didn't use it
          (the patch didn't handle other cases), but I'm grateful since it
          illustrated the problem.
        * Fixed documentation bug in man page.
          The option "--minlevel=X" must be preceded by two dashes,
          as are all GNU-style long options. The man page accidentally only
          had one dash in the summary (it was correct elsewhere); it now
          correctly shows both dashes.
        * Modified man page to list filename extensions that are
          interpreted as C/C++.
        * Removed index.html from distribution - it's really only for the
          website.
2004-02-14 14:21:17 +00:00
martti
8cee801716 COMMENT should start with a capital letter. 2003-07-21 17:10:16 +00:00
grant
ca3be631f2 s/netbsd.org/NetBSD.org/ 2003-07-17 22:50:55 +00:00
jschauma
e366d0c694 Use tech-pkg@ in favor of packages@ as MAINTAINER for orphaned packages.
Should anybody feel like they could be the maintainer for any of these packages,
please adjust.
2003-06-02 01:15:31 +00:00
wiz
bcfe715990 Update to 1.22.
This release changes the output format slightly to improve integration with
other tools, and improves the RPM packaging.
2003-03-09 18:11:05 +00:00
wiz
cc40e08ca9 Update to 1.21:
        * Improved the default output so it creates multiple formatted lines
          instead of single very long lines for each hit.
          Use the new "--singleline" (-S) option to get the original
          "long line" format.
        * Removed duplicate "getpass" entry in the ruleset;
          this didn't hurt anything, but was unnecessary.
          Thanks to the user who gave me that feedback, wish I'd kept your
          email address so I could credit you properly :-).
        * Added a short tutorial to man page.
        * Fixed initial upper/lower case on many entries in the ruleset.
        * Allow "--input" as a synonym for "--inputs".
2002-09-23 15:19:37 +00:00
jlam
e44bf515dc Strip the ".buildlink" from the names of the python application and
extension Makefile fragments, because they really don't have anything to
do with the buildlink[12] frameworks.  Change all the Makefiles that use
application.buildlink.mk and extension.buildlink.mk to use application.mk
and extension.mk instead.
2002-09-21 23:46:45 +00:00
wiz
635997e19e Initial import of flawfinder-1.20.
flawfinder is a program that examines source code and reports
possible security weaknesses (``flaws'') sorted by risk level. It's
very useful for quickly finding and removing at least some potential
security problems before a program is widely released to the public.
2002-07-14 13:02:23 +00:00