{"id":13492839,"url":"https://github.com/andrew-d/rough-auditing-tool-for-security","last_synced_at":"2025-04-17T05:56:34.385Z","repository":{"id":32223642,"uuid":"35797629","full_name":"andrew-d/rough-auditing-tool-for-security","owner":"andrew-d","description":"Automatically exported from code.google.com/p/rough-auditing-tool-for-security","archived":false,"fork":false,"pushed_at":"2021-05-05T13:03:20.000Z","size":528,"stargazers_count":84,"open_issues_count":13,"forks_count":30,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-29T06:03:57.678Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/andrew-d.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-05-18T04:58:14.000Z","updated_at":"2024-10-31T09:24:50.000Z","dependencies_parsed_at":"2022-09-22T23:22:00.117Z","dependency_job_id":null,"html_url":"https://github.com/andrew-d/rough-auditing-tool-for-security","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrew-d%2Frough-auditing-tool-for-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrew-d%2Frough-auditing-tool-for-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrew-d%2Frough-auditing-tool-for-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrew-d%2Frough-auditing-tool-for-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/andrew-d","download_url":"https://codeload.github.com/andrew-d/rough-auditing-tool-for-security/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249319198,"owners_count":21250496,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T19:01:09.754Z","updated_at":"2025-04-17T05:56:34.073Z","avatar_url":"https://github.com/andrew-d.png","language":"C","funding_links":[],"categories":["Automation"],"sub_categories":["Static Analysis Tools"],"readme":"                    \r\n\r\n\t\tRATS - Rough Auditing Tool for Security\r\n\r\nThis is RATS, a rough auditing tool for security, developed by Secure\r\nSoftware Inc.  It is a tool for scanning C, C++, Perl, PHP, Python \r\nand Ruby source code and flagging common security related programming\r\nerrors such as buffer overflows and TOCTOU (Time Of Check, Time Of\r\nUse) race conditions.  As its name implies, the tool performs only a\r\nrough analysis of source code.  It will not find every error and will\r\nalso find things that are not errors.  Manual inspection of your code\r\nis still necessary, but greatly aided with this tool.\r\n\r\nRATS is free software.  You may copy, distribute, and modify it under\r\nthe terms of the GNU Public License as contained in the file named\r\nCOPYING that has been included with this distribution.\r\n\r\nRequirements\r\n------------\r\nRATS requires expat to be installed in order to build and run.  Expat\r\nis often installed in /usr/local/lib and /usr/local/include.  On some\r\nsystems, you will need to specify --with-expat-lib and\r\n--with-expat-include options to configure so that it can find your\r\ninstallation of the library and header.\r\n\r\nExpat can be found at: http://expat.sourceforge.net/\r\n\r\nInstallation\r\n------------\r\nBuilding and installation of RATS is simple.  To build, you simply\r\nneed to run the configuration shell script in the distribution's\r\ntop-level directory:\r\n\r\n        ./configure\r\n\r\nThe configuration script is a standard autoconf generation\r\nconfiguration script and accepts many options.  Run configure with the\r\n--help option to see what options are available.\r\n\r\nOnce the configuration script has completed successfully, simply run\r\nmake in the distribution's top-level directory to build the program:\r\n\r\n        make\r\n\r\nBy default, RATS will be installed to /usr/local/bin and its\r\nvulnerability database will be installed to /usr/local/lib.  You may\r\nchange the installation directories of both with the --prefix option\r\nto configure.  You may optionally use the --bindir and --datadir to\r\nspecify more precise locations for the files that are installed.\r\n\r\nTo install after building, simply run make with the install target:\r\n\r\n        make install\r\n\r\nThis will copy the built binary, rats, to the binary installation\r\ndirectory and the vulnerability database, rats.xml, to the data\r\ninstallation directory.\r\n\r\nRunning RATS\r\n------------\r\nOnce you have built and installed RATS, it's time to start auditing\r\nyour software!  RATS accepts a few command line options that will be\r\ndescribed here and accepts a list of files to audit on the command\r\nline.  If no files to audit are specified, stdin will be used.\r\n\r\nusage: rats [options] [file]...\r\n\r\nOptions explained:\r\n    -d \u003cfilename\u003e, --db \u003cfilename\u003e, --database \u003cfilename\u003e\r\n                    Specifies a vulnerability database to be loaded.  You may\r\n                    have multiple -d options and each database specified will\r\n                    be loaded.\r\n    -h, --help      Displays a brief usage summary\r\n    -i, --input     Causes a list of function calls that were used which\r\n                    accept external input to be produced at the end of the\r\n                    vulnerability report.\r\n    -l \u003clang\u003e, --language \u003clang\u003e\r\n         \t    Force the specified language to be used regardless of \r\n                    filename extension. Currently valid language names are \r\n                    \"c\", \"perl\", \"php\", \"python\" and \"ruby\".\r\n    -r, --references\r\n\t            Causes references to vulnerable function calls that are not\r\n                    being used as calls themselves to be reported.\r\n    -w \u003clevel\u003e, --warning\u003clevel\u003e\r\n\t\t    Sets the warning level.  Valid levels are 1, 2 or 3.   \r\n                    Warning level 1 includes only default and high severity\r\n                    Level 2 includes medium severity. Level 2 is the default \r\n                    warning level 3 includes low severity vulnerabilities.\r\n    -x              Causes the default vulnerability databases (which are in \r\n                    the installation data directory, /usr/local/lib by default)\r\n                    to not be loaded.\r\n    -R, --no-recursion\r\n\t\t    Disable recursion into subdirectories.\r\n    --xml\t    Cause output to be in XML\r\n    --html\t    Cause output to be in HTML\r\n    --follow-symlinks\r\n\t\t    Evaluate and follow symlinks.\r\n\r\nWhen started, RATS will scan each file specified on the command line and\r\nproduce a report when scanning is complete.  What vulnerabilities are reported\r\nin the final report depend on the data contained in the vulnerability database\r\nor databases that are used and the warning level in use.\r\n\r\nFor each vulnerability, the list of files and line numbers where it occured is\r\ngiven, followed by a brief description of the vulnerability and suggested\r\naction.\r\n\r\nContact\r\n-------\r\nRATS is authored, maintained and distributed by Secure Software, Inc.  All\r\nbug reports, patches, database contributions, comments, etc. should be sent to\r\nrats@securesoftware.com.  Our website is http://www.securesoftware.com/\r\n\r\nAcknowledgments\r\n---------------\r\nThanks to Mike Ellison for providing the legwork on the initial port\r\nof rats-1.3 to the Win32 platform.\r\n\r\nSpecial thanks to Ben Laurie for many significant contributions,\r\nincluding the OpenSSL-specific portions of the database.\r\n\r\nThanks to Adam Lazur for originally authoring the man page\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandrew-d%2Frough-auditing-tool-for-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fandrew-d%2Frough-auditing-tool-for-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandrew-d%2Frough-auditing-tool-for-security/lists"}