Log Message:
Update flawfinder to 1.26.  Don't set PY_PATCHPLIST, as it is useless.
Don't include python/extension.mk, as it is also useless.  Don't set
NO_CONFIGURE, because it makes PYTHON_PATCH_SCRIPTS useless.  Don't set
MAKEFILE, as we don't actually use the included makefile for anything.

Changes since 1.24:
* Added more support for Microsoft's approach to internationalization.
* Added two new rules for GLib functions, "g_get_home_dir" and
  g_get_tmp_dir".
* Added curl_getenv().
* Added several rules for input functions (for -I) -
  recv, recvfrom, recvmsg, fread, and readv.
* Tightened the false positive test slightly; if a name is
  followed by = or - or + it's unlikely to be a function call,
  so it'll be quietly discarded.
* Modified the summary report format slightly.
* Modified the getpass text to remove an extraneous character.
* Added rules for cuserid, getlogin, getpass, mkstemp, getpw, memalign,
  as well as the obsolete functions gsignal, ssignal, ulimit, usleep.
* Modified text for strncat to clarify it.
* Fixed error in --columns format, so that the output is simply
  "filename:linenumber:columnnumber" when --columns (-C) is used.
* Eliminated "Number of" phrase in the footer report
* Added more statistical information to the footer report.
* Added shortcut single-letter commands (-D for --dataonly,
  -Q for --quiet, -C for --columns), so that invoking from
  editors is easier.
* Tries to autoremove some false positives.  In particular, a function
  name followed immediately by "=" (ignoring whitespace)
  is automatically considered to be a variable and NOT a function,
  and thus doesn't register as a hit.  There are exotic cases
  where this won't be correct, but they're pretty unlikely in
  real code.
* Added a "--falsepositive" (-F) option, which tries to remove
  many more likely false positives.