0

I want to use flawfinder for my merge requests, thus analyzing only the code that change. I saw that flawfinder supports patches, so I thought it would be really easy.

Thing is : I'm unable to make it work with git patch. Flawfinder does recognize it's a git patch, it does scan only the needed files, but there are no hits. If I run flawfinder without the patch argument and check the hits on the changed file, I do see some hits, in the new lines added. I tried with a diff from svn : works like a charm. With no diff at all : same. With a diff from git : no way to make it works.

If someone has an idea, I'll gladly take it. Or an example.

Quick commands to reproduce :

git diff --patch --output PATCH
flawfinder --patch PATCH <dir>

I got on the output :

Examining <dir>/<file.c>
                                     
FINAL RESULTS:                       
                                     
                                     
ANALYSIS SUMMARY:                    
                                     
No hits found.
RobinG
  • 135
  • 10

1 Answers1

0

For those interested : it is indeed an issue due to the git diff format being slightly different form the unified diff / svn diff format.

diff --git a/file.c b/file.c
index 19651c89a3..c119389931 100644                                             
--- a/file.c
+++ b/file.c
@@ -5017,6 +5017,15 @@ static void foo()

The svn / unified diff don't have the function name after the last @@. Here is the regex used in flawfinder.py :

 diff_hunk = re.compile(r'^@@ -\d+(,\d+)?\s+\+(?P<linenumber>\d+)[, ].*@@$')

Just removing the $ in the regex is enough to make it work for git.

RobinG
  • 135
  • 10