Flawfinder
Posted Sep 8, 2017 21:26 UTC (Fri) by david.a.wheeler (subscriber, #72896)
Parent article: Finding driver bugs with DR. CHECKER
Author of flawfinder here.
You might expect me to object to the paper, but I think it's great. I'm glad there are more advanced tools being developed as OSS. Flawfinder and RATS, as noted in the paper, use a very simplistic lexical approach to finding vulnerabilities. That means they're simple, easy to install, and can handle code that can't build - all pluses. And I can confirm that flawfinder's messages were specifically designed to be useful to developers who were less familiar with how to develop secure software. But as the article notes, they're subject to a range of false positives because they're not following control flow or data flow.
The number of reports from flawfinder looks huge, but I think it's important to put them in context. By default flawfinder reports practically everything, but sorts the reports by expected risk... so most users simply start with the "most risky" items first. If you don't plan to look at the less risky ones, a simple option will stop reporting them. But fundamentally the approach taken by flawfinder and RATS will always have more false positives than an in-depth approach that uses data flow and control flow information.
I do have questions. It's not clear to me how easy it would be to expand it beyond kernel drivers. They discuss it, but not enough to make it easy to estimate the time involved. Also, are they planning to maintain it? I'd like to see this as a live project, not something released and never improved upon. I hope they (or someone else) will do that!
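To make the trade-off described in the comment concrete, here is an added toy scanner in the flawfinder/RATS style (not flawfinder's own code or rule database): it matches risky call names lexically, ranks hits by a risk level and lets a minimum level suppress the low-risk ones. The rule table, messages and C sample are constructed for the illustration; because the scanner sees no data flow, it flags the safe constant-string copy on line 5 of the sample exactly as it flags the genuinely dangerous one on line 4.

```python
import re

# Constructed, flawfinder-style rule table: regex -> (risk level 0-5, message).
# Illustrative only; not flawfinder's real ruleset or wording.
RULES = [
    (re.compile(r"\bgets\s*\("),    (5, "gets() never checks buffer size; use fgets()")),
    (re.compile(r"\bstrcpy\s*\("),  (4, "strcpy() does not check destination size; consider snprintf()")),
    (re.compile(r"\bsprintf\s*\("), (4, "sprintf() can overflow its buffer; use snprintf()")),
    (re.compile(r"\bstrlen\s*\("),  (1, "strlen() reads until NUL; make sure the string is terminated")),
]

def scan(source: str, minlevel: int = 0):
    """Purely lexical scan: flag every line matching a rule at or above minlevel.
    Returns (risk, lineno, message) tuples sorted by risk, highest first."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]   # drop trailing // comments, the only 'parsing' done
        for pattern, (risk, msg) in RULES:
            if risk >= minlevel and pattern.search(code):
                hits.append((risk, lineno, msg))
    hits.sort(key=lambda h: (-h[0], h[1]))
    return hits

# Constructed sample. Line 4 copies attacker-controlled input into a 16-byte
# buffer (real bug); line 5 copies a 3-byte constant (safe). Without data
# flow the scanner cannot tell the two apart: one true positive, one false.
SAMPLE = """\
#include <string.h>
void f(const char *user) {
    char buf[16];
    strcpy(buf, user);
    strcpy(buf, "hi");
    size_t n = strlen(buf);
}
"""

if __name__ == "__main__":
    for risk, lineno, msg in scan(SAMPLE, minlevel=0):
        print(f"[{risk}] line {lineno}: {msg}")
```

Raising `minlevel` to 4 drops the strlen() report the way flawfinder's risk threshold option does, but it cannot remove the false positive on line 5; only flow analysis of the kind the article describes can.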
