Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/bbe-0.2.2/src/bbe.h
Examining data/bbe-0.2.2/src/bbe.c
Examining data/bbe-0.2.2/src/xmalloc.c
Examining data/bbe-0.2.2/src/buffer.c
Examining data/bbe-0.2.2/src/execute.c

FINAL RESULTS:

data/bbe-0.2.2/src/bbe.c:506:13:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
            strcpy(new->s1,token[1]);
data/bbe-0.2.2/src/bbe.c:507:13:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
            strcat(new->s1,token[2]);
data/bbe-0.2.2/src/bbe.c:677:9:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
        sprintf(info,"Error in file '%s' in line %d\n",file,line_no);
data/bbe-0.2.2/src/execute.c:518:9:  [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
        sprintf(num,format,(long long) block_number);
data/bbe-0.2.2/src/execute.c:520:9:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
        strcat(file,num);
data/bbe-0.2.2/src/execute.c:523:5:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
    strcat(file,f);
data/bbe-0.2.2/src/bbe.c:754:19:  [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
    while ((opt = getopt_long(argc,argv,short_opts,long_opts,NULL)) != -1)
data/bbe-0.2.2/src/bbe.c:756:19:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
    while ((opt = getopt(argc,argv,short_opts)) != -1)
data/bbe-0.2.2/src/bbe.c:176:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    unsigned char buf[INPUT_BUFFER_LOW+1];
data/bbe-0.2.2/src/bbe.c:177:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char num[5];
data/bbe-0.2.2/src/bbe.c:261:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(ret,buf,i);
data/bbe-0.2.2/src/bbe.c:399:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char *token[10];
data/bbe-0.2.2/src/bbe.c:667:10:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    fp = fopen(file,"r");
data/bbe-0.2.2/src/buffer.c:56:25:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        out_stream.fd = open(file,O_WRONLY | O_CREAT | O_TRUNC,S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
data/bbe-0.2.2/src/buffer.c:100:19:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        new->fd = open(file,O_RDONLY);
data/bbe-0.2.2/src/buffer.c:165:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(in_buffer.buffer,in_buffer.read_pos,to_be_saved);    // move "low water" part to beginning of buffer
data/bbe-0.2.2/src/buffer.c:484:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(out_buffer.write_pos,buf,length);
data/bbe-0.2.2/src/execute.c:62:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    static char string[128];
data/bbe-0.2.2/src/execute.c:68:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
            sprintf(string,"x%02x",(int) byte);
data/bbe-0.2.2/src/execute.c:71:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
            sprintf(string,"%3d",(int) byte);
data/bbe-0.2.2/src/execute.c:74:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
            sprintf(string,"%03o",(int) byte);
data/bbe-0.2.2/src/execute.c:77:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
            sprintf(string,"%c",isprint(byte) ? byte : ' ');
data/bbe-0.2.2/src/execute.c:99:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    static char string[128];
data/bbe-0.2.2/src/execute.c:104:14:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
             sprintf(string,"x%llx",(long long) number);
data/bbe-0.2.2/src/execute.c:107:14:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
             sprintf(string,"%lld",(long long) number);
data/bbe-0.2.2/src/execute.c:110:14:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
             sprintf(string,"0%llo",(long long) number);
data/bbe-0.2.2/src/execute.c:132:21:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    static unsigned char ioblock[IO_BLOCK_SIZE];
data/bbe-0.2.2/src/execute.c:504:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char num[128],format[64];
data/bbe-0.2.2/src/execute.c:517:9:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant string.
        strcat(format,"lld");
data/bbe-0.2.2/src/execute.c:531:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    static char file[4096];
data/bbe-0.2.2/src/execute.c:550:21:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
            c->fd = fopen(file,"w");
data/bbe-0.2.2/src/execute.c:584:29:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
                    c->fd = fopen(c->s1,"w");
data/bbe-0.2.2/src/execute.c:602:25:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
                c->fd = fopen(c->s1,"r");
data/bbe-0.2.2/src/execute.c:616:25:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
                c->fd = fopen(c->s1,"r");
data/bbe-0.2.2/src/bbe.c:280:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    if(strlen(bs) > (2*4*INPUT_BUFFER_LOW))
data/bbe-0.2.2/src/bbe.c:453:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i < 1 || i > 2 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:465:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i != 2 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:471:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i != 2 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:476:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i != 2 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:481:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i != 2 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:486:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i != 3 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:491:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i < 2 || i > 3 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:504:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i != 3 || strlen(token[1]) != 3 || strlen(token[2]) != 3 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:504:51:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i != 3 || strlen(token[1]) != 3 || strlen(token[2]) != 3 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:504:76:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i != 3 || strlen(token[1]) != 3 || strlen(token[2]) != 3 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:505:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            new->s1 = xmalloc(strlen(token[1]) + strlen(token[2]) + 2);
data/bbe-0.2.2/src/bbe.c:505:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            new->s1 = xmalloc(strlen(token[1]) + strlen(token[2]) + 2);
data/bbe-0.2.2/src/bbe.c:519:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(strlen(command_string) < 4) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:548:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i > 1 && (strlen(token[1]) != 1)) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:550:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i != 2 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:568:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i != 1 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:573:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i != 2 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:579:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i != 1 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:583:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if(i != 3 || strlen(token[0]) > 1) panic("Error in command",command_string,NULL);
data/bbe-0.2.2/src/bbe.c:665:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    info = xmalloc(strlen(file) + 100);
data/bbe-0.2.2/src/buffer.c:176:22:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
         last_read = read(in_stream->fd,buffer_write_pos + read_count,(size_t) (to_be_read - read_count));
data/bbe-0.2.2/src/execute.c:514:9:  [1] (buffer) strncat:
  Easily used incorrectly (e.g., incorrectly computing the correct maximum
  size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
  or automatically resizing strings.
        strncat(file,f,bstart - f);
data/bbe-0.2.2/src/execute.c:515:9:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
        strncpy(format,bstart,blen-1);
data/bbe-0.2.2/src/execute.c:519:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        if(strlen(file) + strlen(num) >= 4096) panic("Filename for w-command too long",str,NULL);
data/bbe-0.2.2/src/execute.c:519:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        if(strlen(file) + strlen(num) >= 4096) panic("Filename for w-command too long",str,NULL);

ANALYSIS SUMMARY:

Hits = 60
Lines analyzed = 2334 in approximately 0.07 seconds (34687 lines/second)
Physical Source Lines of Code (SLOC) = 1880
Hits@level = [0]  44 [1]  26 [2]  26 [3]   2 [4]   6 [5]   0
Hits@level+ = [0+] 104 [1+]  60 [2+]  34 [3+]   8 [4+]   6 [5+]   0
Hits/KSLOC@level+ = [0+] 55.3191 [1+] 31.9149 [2+] 18.0851 [3+] 4.25532 [4+] 3.19149 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.