Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/binstats-1.08/derefsymlink.c

FINAL RESULTS:

data/binstats-1.08/derefsymlink.c:112:3:  [5] (buffer) strncat:
  Easily used incorrectly (e.g., incorrectly computing the correct maximum
  size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
  or automatically resizing strings. Risk is high; the length parameter
  appears to be a constant, instead of computing the number of characters
  left.
  strncat(curdir, "/", FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:116:7:  [5] (buffer) strncat:
  Easily used incorrectly (e.g., incorrectly computing the correct maximum
  size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
  or automatically resizing strings. Risk is high; the length parameter
  appears to be a constant, instead of computing the number of characters
  left.
  strncat(cname, name, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:130:13:  [5] (race) readlink:
  This accepts filename arguments; if an attacker can move those files or
  change the link content, a race condition results. Also, it does not
  terminate with ASCII NUL. (CWE-362, CWE-20). Reconsider approach.
  len = readlink(cname, tempa, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:138:3:  [5] (buffer) strncat:
  Easily used incorrectly (e.g., incorrectly computing the correct maximum
  size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
  or automatically resizing strings. Risk is high; the length parameter
  appears to be a constant, instead of computing the number of characters
  left.
  strncat(cname, tempa, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:161:7:  [5] (buffer) strncat:
  Easily used incorrectly (e.g., incorrectly computing the correct maximum
  size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
  or automatically resizing strings. Risk is high; the length parameter
  appears to be a constant, instead of computing the number of characters
  left.
  strncat(name, tempa, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:183:7:  [5] (buffer) strncat:
  Easily used incorrectly (e.g., incorrectly computing the correct maximum
  size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
  or automatically resizing strings. Risk is high; the length parameter
  appears to be a constant, instead of computing the number of characters
  left.
  strncat(tempa, tempb, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:189:7:  [5] (buffer) strncat:
  Easily used incorrectly (e.g., incorrectly computing the correct maximum
  size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
  or automatically resizing strings. Risk is high; the length parameter
  appears to be a constant, instead of computing the number of characters
  left.
  strncat(tempa, tempb, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:72:19:  [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits
  buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
  different input function.
  while ((i = fscanf(fi, "%s", cname)) != EOF) {
data/binstats-1.08/derefsymlink.c:231:6:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(iname, argv[++i]);
data/binstats-1.08/derefsymlink.c:235:6:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(oname, argv[++i]);
data/binstats-1.08/derefsymlink.c:44:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char iname[FILENAME_MAX], oname[FILENAME_MAX],
data/binstats-1.08/derefsymlink.c:57:17:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if ((fo = fopen(oname, "w")) == NULL) {
data/binstats-1.08/derefsymlink.c:67:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if ((fi = fopen(iname, "r")) == NULL) {
data/binstats-1.08/derefsymlink.c:89:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char curdir[FILENAME_MAX];
data/binstats-1.08/derefsymlink.c:94:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char tempa[FILENAME_MAX], cname[FILENAME_MAX];
data/binstats-1.08/derefsymlink.c:171:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char tempa[FILENAME_MAX], tempb[FILENAME_MAX];
data/binstats-1.08/derefsymlink.c:79:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(cname, argv[al++], FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:108:4:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(cname, name, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:115:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(cname, curdir, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:140:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(cname, tempa, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:156:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(tempa, ptra, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:160:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(name, cname, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:162:11:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  } else strncpy(name, cname, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:174:4:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(tempa, name, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:182:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(tempb, ptra+4, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:188:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(tempb, ptra+2, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:191:4:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(name, tempa, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:215:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  olen = strlen(argv[i])-1;

ANALYSIS SUMMARY:

Hits = 28
Lines analyzed = 251 in approximately 0.02 seconds (13505 lines/second)
Physical Source Lines of Code (SLOC) = 186
Hits@level = [0]  16 [1]  12 [2]   6 [3]   0 [4]   3 [5]   7
Hits@level+ = [0+]  44 [1+]  28 [2+]  16 [3+]  10 [4+]  10 [5+]   7
Hits/KSLOC@level+ = [0+] 236.559 [1+] 150.538 [2+] 86.0215 [3+] 53.7634 [4+] 53.7634 [5+] 37.6344
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.