In this discussion:
> | This is a perfect example of how a source code analysis tool failed,
> | because you let a developer tell it to NOT scan it. :) I wonder if
> | there are flags like that in Fortify?
> There are flags like that in *every* source code scanner I know of.  The
> state of the art is just not at a point where you don't need a way to
> turn off warnings for false positives.

That's exactly right, unfortunately.  To compensate for the problem of 
people inserting bad ignore directives, many scanning tools _also_ 
include an "ignore the ignores" command.  For example, flawfinder has a 
--neverignore (-n) flag that "ignores the ignore command".  I believe 
that such an option ("ignore ignores") is critically necessary for any 
tool that has "ignore" directives, to address this very problem.

If you couldn't insert "ignore" directives, many people wouldn't use 
such tools at all, and would release code with vulnerabilities that 
WOULD be found by such tools.

--- David A. Wheeler

Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.

Reply via email to