From: RATS Development Team [rats@securesw.com]
Sent: Monday, May 21, 2001 2:26 AM
To: bugtraq@securityfocus.com; secprog@securityfocus.com;
ntbugtraq@listserv.ntbugtraq.com
Subject: ANNOUNCEMENT: RATS-0.9 (C/C++ Security Scanner)

Secure Software Solutions (www.securesw.com) announces RATS, a
security auditing tool for C and C++ code.  RATS scans through code,
finding potentially dangerous function calls.  The goal of this tool
is not to definitively find bugs.  Instead, this tool aims to provide
a reasonable starting point for performing manual security audits.

RATS is released under version 2 of the GNU Public License (GPL).
Version 0.9 is available from:

   http://www.securesw.com/rats/

Currently, we've made available a source tarball, RPMs, and an OS X
package.

The initial vulnerability database is taken directly from things that
could be easily found when starting with the forthcoming book,
"Building Secure Software" by Viega and McGraw.

We plan on actively maintaining RATS.  We welcome any feedback, bug
reports or contributions.  Particularly, we would like to incorporate
any vulnerability information people contribute.  However, we will
need to determine that information is public knowledge before we can
incorporate it into the release.
 
Feedback will be useful as we work on new versions of the tool.  In
the future, we plan on enhancing the tool with better analysis
Additionally, we plan on extending the tool to handle other
programming languages.  We'd appreciate feedback on which languages
are most important to people.

The developers can be reached at: rats@securesw.com.  

P.S.

We've recently learned that David Wheeler has built a similar tool in
Python called "flawfinder", which he is also releasing today.  It is
also a GPL'd C/C++ security scanner.  We've talked to David about it--
the tentative plan is to examine the advantages of each tool and then
merge them.