FFmpeg security analysis

Goal

Learn how to use Codee for Static Application Security Testing (SAST) and generate a SAST report for FFmpeg.

Getting started

Make sure you have Codee installed and available on your machine, then clone the FFmpeg repository:

git clone https://github.com/FFmpeg/FFmpeg.git && cd FFmpeg

Walkthrough

1. Generate the compile_commands.json

The compile_commands.json can be obtained using bear:

./configure --disable-x86asm && \
bear -- make build

2. Run Codee SAST report

To obtain Codee SAST results for the CWE standard, execute the following command:

codee diagnose --sast

You should see output similar to this:

<...>

2237 files, 21687 functions, 30419 loops, 795065 LOCs successfully analyzed (5846 checkers) and 0 non-analyzed files in 10 m 4 s
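The walkthrough above as a single script, added here as an example and not part of the Codee documentation: it adds the check a practitioner wants before running the analysis, because bear writes an empty list when make has nothing left to build (an already-compiled tree), and the SAST report would then cover no files. It assumes codee and bear are on PATH and uses the default make target.

```shell
#!/bin/sh
# Added example (not Codee's or FFmpeg's own code): generate the compilation
# database for FFmpeg with bear, verify it is non-empty, then run Codee SAST.
set -eu

# Count the translation units recorded in a compile_commands.json.
# Every entry written by bear has exactly one "file" key, so counting those
# keys counts entries. Prints 0 for a missing file or an empty "[]" database.
count_compile_entries() {
    db="$1"
    [ -f "$db" ] || { echo 0; return; }
    grep -o '"file"' "$db" | wc -l | tr -d ' '
}

# Run the full walkthrough inside an FFmpeg source tree.
run_ffmpeg_sast() {
    srcdir="$1"
    cd "$srcdir"
    # Start from a clean tree so bear observes every compile command rather
    # than only the files make still considers out of date.
    make distclean >/dev/null 2>&1 || true
    ./configure --disable-x86asm
    bear -- make
    n=$(count_compile_entries compile_commands.json)
    if [ "$n" -eq 0 ]; then
        echo "compile_commands.json has no entries: bear captured no compilations" >&2
        return 1
    fi
    echo "compile_commands.json records $n translation units"
    codee diagnose --sast
}

# Usage: ./ffmpeg_sast.sh /path/to/FFmpeg
if [ "${1:-}" != "" ]; then
    run_ffmpeg_sast "$1"
fi
```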