Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/canlock-3.1.0/include/sha.h
Examining data/canlock-3.1.0/include/base64.h
Examining data/canlock-3.1.0/include/sha-private.h
Examining data/canlock-3.1.0/include/canlock-private.h
Examining data/canlock-3.1.0/src/sha1.c
Examining data/canlock-3.1.0/src/base64.c
Examining data/canlock-3.1.0/src/sha384-512.c
Examining data/canlock-3.1.0/src/canlock.c
Examining data/canlock-3.1.0/src/secret.c
Examining data/canlock-3.1.0/src/sha224-256.c
Examining data/canlock-3.1.0/src/usha.c
Examining data/canlock-3.1.0/src/hmac.c
Examining data/canlock-3.1.0/hp/include/package_name.h
Examining data/canlock-3.1.0/hp/include/hfp_lexer.h
Examining data/canlock-3.1.0/hp/include/hfp_parser_external.h
Examining data/canlock-3.1.0/hp/util/package_name.c
Examining data/canlock-3.1.0/hp/util/canlock-mhp.c
Examining data/canlock-3.1.0/hp/util/canlock-hfp.c
Examining data/canlock-3.1.0/test/shatest.c
Examining data/canlock-3.1.0/test/canlocktest.c
Examining data/canlock-3.1.0/test/hkdf.c
Examining data/canlock-3.1.0/test/canlocktest_legacy.c
Examining data/canlock-3.1.0/util/canlock.c

FINAL RESULTS:

data/canlock-3.1.0/hp/util/canlock-hfp.c:76:4:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use
  a constant for the format specification.
   snprintf(sbuf, 81, __VA_ARGS__); \
data/canlock-3.1.0/hp/util/package_name.c:64:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
      strcpy(p, n);
data/canlock-3.1.0/test/canlocktest.c:171:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
   strcpy(uid_mid, uid);
data/canlock-3.1.0/test/canlocktest.c:172:4:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
   strcat(uid_mid, mid);
data/canlock-3.1.0/test/canlocktest_legacy.c:118:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
   sprintf(canlock, "%s", "sha1:bNXHc6ohSmeHaRHHW56BIWZJt+4=");
data/canlock-3.1.0/test/canlocktest_legacy.c:119:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
   sprintf(cankey, "%s", "sha1:aaaBBBcccDDDeeeFFF");
data/canlock-3.1.0/test/canlocktest_legacy.c:126:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
   sprintf(canlock, "%s", "SHA1:H7/zsCUemvbvSDyARDaMs6AQu5s=");
data/canlock-3.1.0/test/canlocktest_legacy.c:127:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
   sprintf(cankey, "%s", "sha1:chW8hNeDx3iNUsGBU6/ezDk88P4=");
data/canlock-3.1.0/test/canlocktest_legacy.c:130:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
   sprintf(canlock, "%s", "SHA1:H7/zsCUemvbvSDyARDaMs6AQu5s=");
data/canlock-3.1.0/test/canlocktest_legacy.c:131:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
   sprintf(cankey, "%s", "sha1:4srkWaRIzvK51ArAP:Hc");
data/canlock-3.1.0/test/canlocktest_legacy.c:138:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
   sprintf(canlock, "%s", "sha1:JyEBL4w9/abCBuzCxMIE/E73GM4=");
data/canlock-3.1.0/test/canlocktest_legacy.c:139:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
   sprintf(cankey, "%s", "sha1:K4rkWRjRcXmIzvK51ArAP:Jy");
data/canlock-3.1.0/test/canlocktest_legacy.c:142:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
   sprintf(canlock, "%s", "sha1:2Bmg+zWaY1noRiCdy8k3IapwSDU=");
data/canlock-3.1.0/test/canlocktest_legacy.c:143:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
   sprintf(cankey, "%s", "sha1:K4rkWRjRcXmIzvK51ArAP:Jy");
data/canlock-3.1.0/util/canlock.c:261:13:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
            strcpy(key, opt_value);
data/canlock-3.1.0/test/shatest.c:1377:15:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
  while ((i = getopt(argc, argv,
data/canlock-3.1.0/hp/util/canlock-hfp.c:67:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static char sbuf[81];                 /*!< String buffer for debugging */
data/canlock-3.1.0/include/sha.h:216:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    unsigned char k_opad[USHA_Max_Message_Block_Size];
data/canlock-3.1.0/include/sha.h:231:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    unsigned char prk[USHAMaxHashSize];
data/canlock-3.1.0/include/sha.h:331:53:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
extern int hkdf(SHAversion whichSha, const unsigned char *salt,
data/canlock-3.1.0/include/sha.h:332:46:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
                int salt_len, const unsigned char *ikm, int ikm_len,
data/canlock-3.1.0/include/sha.h:333:32:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
                const unsigned char *info, int info_len,
data/canlock-3.1.0/include/sha.h:335:60:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
extern int hkdfExtract(SHAversion whichSha, const unsigned char *salt,
data/canlock-3.1.0/include/sha.h:336:53:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
                       int salt_len, const unsigned char *ikm,
data/canlock-3.1.0/include/sha.h:339:51:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
                      int prk_len, const unsigned char *info,
data/canlock-3.1.0/include/sha.h:355:38:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
                      const unsigned char *info, int info_len,
data/canlock-3.1.0/src/canlock.c:224:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   char *cankey[1], *tmp;
data/canlock-3.1.0/src/canlock.c:303:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   char *canlock[1], *tmp, *junk;
data/canlock-3.1.0/src/canlock.c:406:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   char *templock[1];
data/canlock-3.1.0/src/hmac.c:46:20:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    const unsigned char *message_array, int length,
data/canlock-3.1.0/src/hmac.c:47:20:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    const unsigned char *key, int key_len,
data/canlock-3.1.0/src/hmac.c:88:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char k_ipad[USHA_Max_Message_Block_Size];
data/canlock-3.1.0/src/hmac.c:91:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char tempkey[USHAMaxHashSize];
data/canlock-3.1.0/test/canlocktest_legacy.c:57:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   char keytype[BUFFSIZE], locktype[BUFFSIZE];
data/canlock-3.1.0/test/canlocktest_legacy.c:90:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   char cankey[256], canlock[256], *lkey, *llock;
data/canlock-3.1.0/test/hkdf.c:57:20:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    const unsigned char *salt, int salt_len,
data/canlock-3.1.0/test/hkdf.c:58:20:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    const unsigned char *ikm, int ikm_len,
data/canlock-3.1.0/test/hkdf.c:59:20:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    const unsigned char *info, int info_len,
data/canlock-3.1.0/test/hkdf.c:96:20:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    const unsigned char *salt, int salt_len,
data/canlock-3.1.0/test/hkdf.c:97:20:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    const unsigned char *ikm, int ikm_len,
data/canlock-3.1.0/test/hkdf.c:100:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char nullSalt[USHAMaxHashSize];
data/canlock-3.1.0/test/hkdf.c:145:20:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    const unsigned char *info, int info_len,
data/canlock-3.1.0/test/hkdf.c:149:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char T[USHAMaxHashSize];
data/canlock-3.1.0/test/hkdf.c:178:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(okm + where, T,
data/canlock-3.1.0/test/hkdf.c:213:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char nullSalt[USHAMaxHashSize];
data/canlock-3.1.0/test/hkdf.c:317:31:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
               const unsigned char *info, int info_len,
data/canlock-3.1.0/test/shatest.c:242:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    const char *randomresults[RANDOMCOUNT];
data/canlock-3.1.0/test/shatest.c:424:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    const char *keyarray[5];
data/canlock-3.1.0/test/shatest.c:426:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    const char *dataarray[5];
data/canlock-3.1.0/test/shatest.c:428:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    const char *resultarray[5];
data/canlock-3.1.0/test/shatest.c:757:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static const char hexdigits[ ] = "0123456789ABCDEF";
data/canlock-3.1.0/test/shatest.c:923:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[20];
data/canlock-3.1.0/test/shatest.c:993:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "%d", testno+1);
data/canlock-3.1.0/test/shatest.c:1013:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char prk[USHAMaxHashSize+1];
data/canlock-3.1.0/test/shatest.c:1015:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[20];
data/canlock-3.1.0/test/shatest.c:1046:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "hkdf %d", testno+1);
data/canlock-3.1.0/test/shatest.c:1062:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "hkdfExtract %d", testno+1);
data/canlock-3.1.0/test/shatest.c:1077:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "hkdfExpand %d", testno+1);
data/canlock-3.1.0/test/shatest.c:1099:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char buf[4096];
data/canlock-3.1.0/test/shatest.c:1104:5:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    fopen(hashfilename, "r");
data/canlock-3.1.0/test/shatest.c:1205:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  int i, j; char buf[20];
data/canlock-3.1.0/test/shatest.c:1206:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize];
data/canlock-3.1.0/test/shatest.c:1209:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(SEED, seed, hashsize);
data/canlock-3.1.0/test/shatest.c:1218:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(MD[0], SEED, hashsize);
data/canlock-3.1.0/test/shatest.c:1219:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(MD[1], SEED, hashsize);
data/canlock-3.1.0/test/shatest.c:1220:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(MD[2], SEED, hashsize);
data/canlock-3.1.0/test/shatest.c:1234:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(SEED, MD[i-1], hashsize);
data/canlock-3.1.0/test/shatest.c:1237:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(buf, "%d", j);
data/canlock-3.1.0/test/shatest.c:1250:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  const char *names[HASHCOUNT][2] = {
data/canlock-3.1.0/test/shatest.c:1381:35:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
      case 'B': numberExtrabits = atoi(optarg); break;
data/canlock-3.1.0/test/shatest.c:1391:30:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
      case 'l': loopnohigh = atoi(optarg); break;
data/canlock-3.1.0/test/shatest.c:1396:31:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
      case 'R': randomcount = atoi(optarg); break;
data/canlock-3.1.0/test/shatest.c:1400:43:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
      case 't': testnolow = ntestnohigh = atoi(optarg) - 1; break;
data/canlock-3.1.0/test/shatest.c:1442:55:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
          numberExtrabits, extrabits, (const unsigned char *)hmacKey,
data/canlock-3.1.0/test/shatest.c:1453:40:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
                       (const unsigned char *)hmacKey, hmaclen,
data/canlock-3.1.0/test/shatest.c:1461:40:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
                       (const unsigned char *)hmacKey, hmaclen,
data/canlock-3.1.0/test/shatest.c:1482:40:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
                       (const unsigned char *)(
data/canlock-3.1.0/util/canlock.c:150:20:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   static unsigned char buf[SEC_DATA_SIZE_MAX];
data/canlock-3.1.0/hp/util/canlock-hfp.c:216:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      else if ('-' == argv[i][0] && 1 != strlen(argv[i]))
data/canlock-3.1.0/hp/util/canlock-mhp.c:159:11:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
      c = fgetc(stdin);
data/canlock-3.1.0/hp/util/canlock-mhp.c:225:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   len = strlen(buf);
data/canlock-3.1.0/hp/util/canlock-mhp.c:237:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   len = strlen(fn);
data/canlock-3.1.0/hp/util/canlock-mhp.c:253:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      if (!strlen(ufn))  { print_error("Empty header field name"); }
data/canlock-3.1.0/hp/util/canlock-mhp.c:318:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
         memmove((void*) p, (void*) &p[1], strlen(&p[1]) + (size_t) 1);
data/canlock-3.1.0/hp/util/canlock-mhp.c:322:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
         memmove((void*) p, (void*) &p[1], strlen(&p[1]) + (size_t) 1);
data/canlock-3.1.0/hp/util/package_name.c:61:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   p = (char*) malloc(strlen(n) + (size_t) 1);
data/canlock-3.1.0/src/base64.c:83:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    return strlen(s);
data/canlock-3.1.0/src/base64.c:108:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   if (strlen(token) < 4)
data/canlock-3.1.0/src/canlock.c:87:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   len = strlen(s);
data/canlock-3.1.0/src/canlock.c:91:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
      strncpy(res, s, len);
data/canlock-3.1.0/src/canlock.c:181:32:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      scheme = (char *) malloc(strlen(input) + (size_t) 1);
data/canlock-3.1.0/src/canlock.c:264:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   scheme_len = strlen(scheme);
data/canlock-3.1.0/src/canlock.c:275:4:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
   strncpy(*cankey, scheme, scheme_len);
data/canlock-3.1.0/src/canlock.c:334:52:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   if (USHAInput(&hash_ctx, cankey, (unsigned int) strlen((char *) cankey))
data/canlock-3.1.0/src/canlock.c:370:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   scheme_len = strlen(scheme);
data/canlock-3.1.0/src/canlock.c:381:4:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
   strncpy(*canlock, scheme, scheme_len);
data/canlock-3.1.0/src/canlock.c:421:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   key_size = strlen(key);
data/canlock-3.1.0/test/canlocktest.c:134:63:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   c_key = cl_get_key(CL_SHA256, (const unsigned char *) sec, strlen(sec),
data/canlock-3.1.0/test/canlocktest.c:135:52:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                      (const unsigned char *) mid, strlen(mid));
data/canlock-3.1.0/test/canlocktest.c:136:65:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   c_lock = cl_get_lock(CL_SHA256, (const unsigned char *) sec, strlen(sec),
data/canlock-3.1.0/test/canlocktest.c:137:54:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                        (const unsigned char *) mid, strlen(mid));
data/canlock-3.1.0/test/canlocktest.c:170:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   uid_mid = (char *) malloc(strlen(uid) + strlen(mid) + (size_t) 1);
data/canlock-3.1.0/test/canlocktest.c:170:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   uid_mid = (char *) malloc(strlen(uid) + strlen(mid) + (size_t) 1);
data/canlock-3.1.0/test/canlocktest.c:173:64:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   c_key = cl_get_key(CL_SHA256, (const unsigned char *) sec2, strlen(sec2),
data/canlock-3.1.0/test/canlocktest.c:174:56:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                      (const unsigned char *) uid_mid, strlen(uid_mid));
data/canlock-3.1.0/test/canlocktest.c:175:66:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   c_lock = cl_get_lock(CL_SHA256, (const unsigned char *) sec2, strlen(sec2),
data/canlock-3.1.0/test/canlocktest.c:176:58:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                        (const unsigned char *) uid_mid, strlen(uid_mid));
data/canlock-3.1.0/test/canlocktest_legacy.c:99:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   llock = sha_lock(secret, strlen((char *) secret),
data/canlock-3.1.0/test/canlocktest_legacy.c:100:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                    message, strlen((char *) message));
data/canlock-3.1.0/test/canlocktest_legacy.c:101:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   lkey = sha_key(secret, strlen((char *) secret),
data/canlock-3.1.0/test/canlocktest_legacy.c:102:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                  message, strlen((char *)message));
data/canlock-3.1.0/test/shatest.c:1129:17:  [1] (buffer) getc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    while ((c = getc(hashfp)) != EOF) {
data/canlock-3.1.0/test/shatest.c:1389:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      case 'i': info = optarg; infolen = strlen(optarg); break;
data/canlock-3.1.0/test/shatest.c:1390:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      case 'k': hmacKey = optarg; hmaclen = strlen(optarg); break;
data/canlock-3.1.0/test/shatest.c:1398:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      case 's': hashstr = optarg; hashlen = strlen(hashstr); break;
data/canlock-3.1.0/util/canlock.c:162:12:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
      rv = fgetc(stdin);
data/canlock-3.1.0/util/canlock.c:229:59:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
               out = cl_get_key(hash, sec, sec_size, mid, strlen(opt_value));
data/canlock-3.1.0/util/canlock.c:233:60:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
               out = cl_get_lock(hash, sec, sec_size, mid, strlen(opt_value));
data/canlock-3.1.0/util/canlock.c:257:32:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
         key = (char *) malloc(strlen(opt_value) + (size_t) 1);

ANALYSIS SUMMARY:

Hits = 119
Lines analyzed = 7571 in approximately 0.30 seconds (25167 lines/second)
Physical Source Lines of Code (SLOC) = 4297
Hits@level = [0] 131 [1]  41 [2]  62 [3]   1 [4]  15 [5]   0
Hits@level+ = [0+] 250 [1+] 119 [2+]  78 [3+]  16 [4+]  15 [5+]   0
Hits/KSLOC@level+ = [0+] 58.1801 [1+] 27.6937 [2+] 18.1522 [3+] 3.72353 [4+] 3.49081 [5+]   0
Dot directories skipped = 5 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.