2007-01-16 David A. Wheeler <dwheeler, at, dwheeler.com>
* Release version 1.27
2007-01-16 Sebastien Tandel <sebastien, at, tandel (doht) be)
* Cleaned up code for patch handling, fix bug in subdir handling,
include patch info in help.
2007-01-15 Steve Kemp <steve at shellcode dot org>
* Fix Debian bug 268236.
This complains that flawfinder crashes when presented with a
file it cannot read. The patch obviously can't prevent
the problem, since the tool can't review what it can't read,
but at least it halts with a cleaner error message.
2007-01-15 cmorgan <cmorgan47, at earthlink dooot net>
* Fixed Debian bug 271287 (flawfinder).
Fixed skipping newlines when line ended with \,
which caused incorrect line number reporting.
Skip multiple whitespace at one time.
2007-01-15 David A. Wheeler <dwheeler, at, dwheeler.com>
* Modified Sebastien Tandel's code so that it also supports GNU diff
(his code worked only for svn diff)
* When using a patchfile, skip analysis of any file not
listed in the patchfile.
2007-01-15 Sebastien Tandel <sebastien, at, tandel (doht) be)
* Add support for using "svn diff" created patch files, based
on the approach described by David A. Wheeler on how it
could be done.
2007-01-15 David A. Wheeler <dwheeler, at, dwheeler.com>
* By default, now skips directories beginning with "."
(this makes it work nicely with many SCM systems).
Added "--followdotdir" option if you WANT it to enter
such directories.
* Fixed divide-by-zero when no code found (not exactly common
in normal use, but anyway!)
developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
Don't include python/extension.mk, as it is also useless. Don't set
NO_CONFIGURE, because it makes PYTHON_PATCH_SCRIPTS useless. Don't set
MAKEFILE, as we don't actually use the included makefile for anything.
Changes since 1.24:
* Added more support for Microsoft's approach to internationalization.
* Added two new rules for GLib functions, "g_get_home_dir" and
g_get_tmp_dir".
* Added curl_getenv().
* Added several rules for input functions (for -I) -
recv, recvfrom, recvmsg, fread, and readv.
* Tightened the false positive test slightly; if a name is
followed by = or - or + it's unlikely to be a function call,
so it'll be quietly discarded.
* Modified the summary report format slightly.
* Modified the getpass text to remove an extraneous character.
* Added rules for cuserid, getlogin, getpass, mkstemp, getpw, memalign,
as well as the obsolete functions gsignal, ssignal, ulimit, usleep.
* Modified text for strncat to clarify it.
* Fixed error in --columns format, so that the output is simply
"filename:linenumber:columnnumber" when --columns (-C) is used.
* Eliminated "Number of" phrase in the footer report
* Added more statistical information to the footer report.
* Added shortcut single-letter commands (-D for --dataonly,
-Q for --quiet, -C for --columns), so that invoking from
editors is easier.
* Tries to autoremove some false positives. In particular, a function
name followed immediately by "=" (ignoring whitespace)
is automatically considered to be a variable and NOT a function,
and thus doesn't register as a hit. There are exotic cases
where this won't be correct, but they're pretty unlikely in
real code.
* Added a "--falsepositive" (-F) option, which tries to remove
many more likely false positives.
2003-10-29 David A. Wheeler
* Fixed an incredibly obscure parsing error that caused some
false positives. If a constant C string, after the closing
double-quote, is followed by a \ and newline (instead of a comma),
the string might not be recognized as a constant string
(thus triggering warnings about non-constant values in some cases).
This kind of formatting is quite ugly and rare.
My thanks to Sascha Nitsch (sascha, at spsn.ath.cx) for pointing
this bug out and giving me a test case to work with.
* Added a warning for readlink. The implementation and warning
are mine, but the idea of warning about readlink came from
Stefan Kost (kost, at imn.htwk-leipzig.de). Thanks!!
2003-09-27 David A. Wheeler
* Released version 1.23. Minor bugfixes.
2003-09-27 David A. Wheeler
* Fixed subtle bug - in some circumstances single character constants
wouldn't be parsed correctly. My thanks to Scott Renfro
<scottdonotspam, at renfro.org> for notifying me about this bug.
Scott Renfro also sent me a patch; I didn't use it
(the patch didn't handle other cases), but I'm grateful since it
illustrated the problem.
* Fixed documentation bug in man page.
The option "--minlevel=X" must be preceded by two dashes,
as are all GNU-style long options. The man page accidentally only
had one dash in the summary (it was correct elsewhere); it now
correctly shows both dashes.
* Modified man page to list filename extensions that are
interpreted as C/C++.
* Removed index.html from distribution - it's really only for the
website.
* Improved the default output so it creates multiple formatted lines
instead of single very long lines for each hit.
Use the new "--singleline" (-S) option to get the original
"long line" format.
* Removed duplicate "getpass" entry in the ruleset;
this didn't hurt anything, but was unnecessary.
Thanks to the user who gave me that feedback, wish I'd kept your
email address so I could credit you properly :-).
* Added a short tutorial to man page.
* Fixed initial upper/lower case on many entries in the ruleset.
* Allow "--input" as a synonym for "--inputs".
extension Makefile fragments, because they really don't have anything to
do with the buildlink[12] frameworks. Change all the Makefiles that use
application.buildlink.mk and extension.buildlink.mk to use application.mk
and extension.mk instead.
flawfinder is a program that examines source code and reports
possible security weaknesses (``flaws'') sorted by risk level. It's
very useful for quickly finding and removing at least some potential
security problems before a program is widely released to the public.
