Comments (3)
Flawfinder is a lexing-only tool, so I don't see how we can handle this case.
To do more requires actually reading the code into some sort of data structure, which is obviously possible but not how flawfinder works.
from flawfinder.
Perhaps such a suggestion should not be emitted? If the diagnostic message is associated with vfprintf, will it ever be correct to pass ap but take a literal string as fmt? I think the suggestion is over-applied from printf or fprintf but no longer applies in vfprintf.
from flawfinder.
Oh, it definitely applies. If the fmt is from an attacker, the attacker could use %n to write to arbitrary memory, or reveal data that's not supposed to be revealed. If that's less likely we could reduce its risk level to say 3 instead of 4. Unfortunately, a lexically-based tool like flawfinder has no way to determine if the fmt is controlled by an attacker or not; that would require interprocedural flow control, and even then it's often impossible to tell (you also need to know which inputs are trusted, which is typically not information you can derive just from the source code).
from flawfinder.
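As an added illustration of the point made in the comment above (example code, not part of the flawfinder project or of this issue): a hypothetical logging wrapper of the kind flawfinder flags, built on vsnprintf so the result can be checked in a buffer, carrying a GCC/Clang format attribute so the compiler can warn when a caller passes a variable as fmt, and a hardened entry point that sends untrusted text through a fixed "%s" format instead of as the format string. The names log_fmt and log_untrusted are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wrapper: forwards whatever fmt it receives to vsnprintf,
 * which is the pattern flawfinder reports. It is only safe when every
 * caller passes a string literal. The format attribute lets GCC/Clang
 * type-check literal callers and warn (-Wformat-nonliteral) about
 * variable fmt arguments; it does not stop the call at run time. */
__attribute__((format(printf, 3, 4)))
static int log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened entry point for text of unknown origin: the bytes travel as
 * a "%s" argument, so any %n or %x inside them is copied verbatim and
 * never interpreted as a directive. Returns vsnprintf's length. */
static int log_untrusted(char *out, size_t outsz, const char *user_text)
{
    return log_fmt(out, outsz, "user said: %s", user_text);
}

int main(void)
{
    char buf[128];
    /* Constructed sample input that would be dangerous as a fmt. */
    const char *user_text = "%x %x %n";
    log_untrusted(buf, sizeof buf, user_text);
    printf("%s\n", buf);   /* prints: user said: %x %x %n */
    return 0;
}
```

Building with -Wformat -Wformat-nonliteral is what turns the attribute into a compile-time diagnostic for callers that pass a non-literal fmt to log_fmt.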