I want to use flawfinder for my merge requests, thus analyzing only the code that changes. I saw that flawfinder supports patches, so I thought it would be really easy.
Thing is: I'm unable to make it work with a git patch. Flawfinder does recognize it's a git patch, it does scan only the needed files, but there are no hits. If I run flawfinder without the patch argument and check the hits on the changed file, I do see some hits in the new lines added. I tried with a diff from svn: works like a charm. With no diff at all: same. With a diff from git: no way to make it work.
If someone has an idea, I'll gladly take it. Or an example.
Quick commands to reproduce:
git diff --patch --output PATCH
flawfinder --patch PATCH <dir>
I got on the output:
Examining <dir>/<file.c>
FINAL RESULTS:
ANALYSIS SUMMARY:
No hits found.
For those interested: it is indeed an issue due to the git diff format being slightly different from the unified diff / svn diff format.
diff --git a/file.c b/file.c
index 19651c89a3..c119389931 100644
--- a/file.c
+++ b/file.c
@@ -5017,6 +5017,15 @@ static void foo()
The svn / unified diff doesn't have the function name after the last @@.
Here is the regex used in flawfinder.py:
diff_hunk = re.compile(r'^@@ -\d+(,\d+)?\s+\+(?P<linenumber>\d+)[, ].*@@$')
Just removing the $ in the regex is enough to make it work for git.
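A small check of the answer's diagnosis, added here as an example and not code from flawfinder or the poster: the quoted regex with and without the trailing $ is run against a git-style hunk header, and a minimal added-line extractor (my own simplification of what a patch-aware scanner needs, assumed, not flawfinder's own logic) shows that with the unfixed regex no line of the patch is ever counted, which is exactly why the scan ends in "No hits found". The patch text is constructed for the example.

```python
import re

# Regex from flawfinder.py as quoted above: the trailing '$' rejects a git
# hunk header that carries a function name after the closing '@@'.
DIFF_HUNK_ORIGINAL = re.compile(r'^@@ -\d+(,\d+)?\s+\+(?P<linenumber>\d+)[, ].*@@$')
# The fix from the answer: drop the '$' so trailing context is tolerated.
DIFF_HUNK_FIXED = re.compile(r'^@@ -\d+(,\d+)?\s+\+(?P<linenumber>\d+)[, ].*@@')

# Constructed sample git-style patch (not the poster's real diff).
SAMPLE_GIT_PATCH = """\
diff --git a/file.c b/file.c
--- a/file.c
+++ b/file.c
@@ -5017,6 +5017,15 @@ static void foo()
 int x;
+char buf[64];
+strcpy(buf, input);
 return;
"""

def added_lines(patch_text, hunk_re=DIFF_HUNK_FIXED):
    """Return {filename: [new-file line numbers added by the patch]}.

    Simplified illustration (an assumption about the approach, not
    flawfinder's code): take the new-file start line from each hunk header,
    then advance on context and '+' lines; '-' lines have no new-file number.
    """
    result = {}
    current_file = None
    new_line = None
    for line in patch_text.splitlines():
        if line.startswith('+++ '):
            current_file = re.sub(r'^b/', '', line[4:].split('\t')[0])
            result.setdefault(current_file, [])
            new_line = None
            continue
        m = hunk_re.match(line)
        if m:
            new_line = int(m.group('linenumber'))
            continue
        if new_line is None or current_file is None:
            continue  # outside a recognised hunk: nothing is counted, so no hits
        if line.startswith('+'):
            result[current_file].append(new_line)
            new_line += 1
        elif not line.startswith('-'):
            new_line += 1  # context line; removed lines do not exist in the new file
    return result
```

In CI, asserting that the patch parser recognised at least one hunk before trusting a clean report is a cheap guard against this kind of silent "no findings".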