Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/cjs-4.6.0/cjs/atoms.cpp
Examining data/cjs-4.6.0/cjs/atoms.h
Examining data/cjs-4.6.0/cjs/byteArray.cpp
Examining data/cjs-4.6.0/cjs/byteArray.h
Examining data/cjs-4.6.0/cjs/console.cpp
Examining data/cjs-4.6.0/cjs/context-private.h
Examining data/cjs-4.6.0/cjs/context.cpp
Examining data/cjs-4.6.0/cjs/context.h
Examining data/cjs-4.6.0/cjs/coverage.cpp
Examining data/cjs-4.6.0/cjs/coverage.h
Examining data/cjs-4.6.0/cjs/debugger.cpp
Examining data/cjs-4.6.0/cjs/deprecation.cpp
Examining data/cjs-4.6.0/cjs/deprecation.h
Examining data/cjs-4.6.0/cjs/engine.cpp
Examining data/cjs-4.6.0/cjs/engine.h
Examining data/cjs-4.6.0/cjs/error-types.cpp
Examining data/cjs-4.6.0/cjs/error-types.h
Examining data/cjs-4.6.0/cjs/gjs.h
Examining data/cjs-4.6.0/cjs/global.cpp
Examining data/cjs-4.6.0/cjs/global.h
Examining data/cjs-4.6.0/cjs/importer.cpp
Examining data/cjs-4.6.0/cjs/importer.h
Examining data/cjs-4.6.0/cjs/jsapi-class.h
Examining data/cjs-4.6.0/cjs/jsapi-dynamic-class.cpp
Examining data/cjs-4.6.0/cjs/jsapi-util-args.h
Examining data/cjs-4.6.0/cjs/jsapi-util-error.cpp
Examining data/cjs-4.6.0/cjs/jsapi-util-root.h
Examining data/cjs-4.6.0/cjs/jsapi-util-string.cpp
Examining data/cjs-4.6.0/cjs/jsapi-util.cpp
Examining data/cjs-4.6.0/cjs/jsapi-util.h
Examining data/cjs-4.6.0/cjs/macros.h
Examining data/cjs-4.6.0/cjs/mem-private.h
Examining data/cjs-4.6.0/cjs/mem.cpp
Examining data/cjs-4.6.0/cjs/mem.h
Examining data/cjs-4.6.0/cjs/module.cpp
Examining data/cjs-4.6.0/cjs/module.h
Examining data/cjs-4.6.0/cjs/native.cpp
Examining data/cjs-4.6.0/cjs/native.h
Examining data/cjs-4.6.0/cjs/profiler-private.h
Examining data/cjs-4.6.0/cjs/profiler.cpp
Examining data/cjs-4.6.0/cjs/profiler.h
Examining data/cjs-4.6.0/cjs/stack.cpp
Examining data/cjs-4.6.0/gi/arg-cache.cpp
Examining data/cjs-4.6.0/gi/arg-cache.h
Examining data/cjs-4.6.0/gi/arg-inl.h
Examining data/cjs-4.6.0/gi/arg.cpp
Examining data/cjs-4.6.0/gi/arg.h
Examining data/cjs-4.6.0/gi/boxed.cpp
Examining data/cjs-4.6.0/gi/boxed.h
Examining data/cjs-4.6.0/gi/closure.cpp
Examining data/cjs-4.6.0/gi/closure.h
Examining data/cjs-4.6.0/gi/enumeration.cpp
Examining data/cjs-4.6.0/gi/enumeration.h
Examining data/cjs-4.6.0/gi/foreign.cpp
Examining data/cjs-4.6.0/gi/foreign.h
Examining data/cjs-4.6.0/gi/function.cpp
Examining data/cjs-4.6.0/gi/function.h
Examining data/cjs-4.6.0/gi/fundamental.cpp
Examining data/cjs-4.6.0/gi/fundamental.h
Examining data/cjs-4.6.0/gi/gerror.cpp
Examining data/cjs-4.6.0/gi/gerror.h
Examining data/cjs-4.6.0/gi/gjs_gi_trace.h
Examining data/cjs-4.6.0/gi/gobject.cpp
Examining data/cjs-4.6.0/gi/gobject.h
Examining data/cjs-4.6.0/gi/gtype.cpp
Examining data/cjs-4.6.0/gi/gtype.h
Examining data/cjs-4.6.0/gi/interface.cpp
Examining data/cjs-4.6.0/gi/interface.h
Examining data/cjs-4.6.0/gi/ns.cpp
Examining data/cjs-4.6.0/gi/ns.h
Examining data/cjs-4.6.0/gi/object.cpp
Examining data/cjs-4.6.0/gi/object.h
Examining data/cjs-4.6.0/gi/param.cpp
Examining data/cjs-4.6.0/gi/param.h
Examining data/cjs-4.6.0/gi/private.cpp
Examining data/cjs-4.6.0/gi/private.h
Examining data/cjs-4.6.0/gi/repo.cpp
Examining data/cjs-4.6.0/gi/repo.h
Examining data/cjs-4.6.0/gi/toggle.cpp
Examining data/cjs-4.6.0/gi/toggle.h
Examining data/cjs-4.6.0/gi/union.cpp
Examining data/cjs-4.6.0/gi/union.h
Examining data/cjs-4.6.0/gi/utils-inl.h
Examining data/cjs-4.6.0/gi/value.cpp
Examining data/cjs-4.6.0/gi/value.h
Examining data/cjs-4.6.0/gi/wrapperutils.cpp
Examining data/cjs-4.6.0/gi/wrapperutils.h
Examining data/cjs-4.6.0/installed-tests/minijasmine.cpp
Examining data/cjs-4.6.0/libgjs-private/gjs-gdbus-wrapper.c
Examining data/cjs-4.6.0/libgjs-private/gjs-gdbus-wrapper.h
Examining data/cjs-4.6.0/libgjs-private/gjs-util.c
Examining data/cjs-4.6.0/libgjs-private/gjs-util.h
Examining data/cjs-4.6.0/modules/cairo-context.cpp
Examining data/cjs-4.6.0/modules/cairo-gradient.cpp
Examining data/cjs-4.6.0/modules/cairo-image-surface.cpp
Examining data/cjs-4.6.0/modules/cairo-linear-gradient.cpp
Examining data/cjs-4.6.0/modules/cairo-module.h
Examining data/cjs-4.6.0/modules/cairo-path.cpp
Examining data/cjs-4.6.0/modules/cairo-pattern.cpp
Examining data/cjs-4.6.0/modules/cairo-pdf-surface.cpp
Examining data/cjs-4.6.0/modules/cairo-private.h
Examining data/cjs-4.6.0/modules/cairo-ps-surface.cpp
Examining data/cjs-4.6.0/modules/cairo-radial-gradient.cpp
Examining data/cjs-4.6.0/modules/cairo-region.cpp
Examining data/cjs-4.6.0/modules/cairo-solid-pattern.cpp
Examining data/cjs-4.6.0/modules/cairo-surface-pattern.cpp
Examining data/cjs-4.6.0/modules/cairo-surface.cpp
Examining data/cjs-4.6.0/modules/cairo-svg-surface.cpp
Examining data/cjs-4.6.0/modules/cairo.cpp
Examining data/cjs-4.6.0/modules/console.cpp
Examining data/cjs-4.6.0/modules/console.h
Examining data/cjs-4.6.0/modules/modules.cpp
Examining data/cjs-4.6.0/modules/modules.h
Examining data/cjs-4.6.0/modules/print.cpp
Examining data/cjs-4.6.0/modules/print.h
Examining data/cjs-4.6.0/modules/system.cpp
Examining data/cjs-4.6.0/modules/system.h
Examining data/cjs-4.6.0/test/gjs-test-call-args.cpp
Examining data/cjs-4.6.0/test/gjs-test-common.cpp
Examining data/cjs-4.6.0/test/gjs-test-common.h
Examining data/cjs-4.6.0/test/gjs-test-coverage.cpp
Examining data/cjs-4.6.0/test/gjs-test-no-introspection-object.cpp
Examining data/cjs-4.6.0/test/gjs-test-no-introspection-object.h
Examining data/cjs-4.6.0/test/gjs-test-rooting.cpp
Examining data/cjs-4.6.0/test/gjs-test-utils.cpp
Examining data/cjs-4.6.0/test/gjs-test-utils.h
Examining data/cjs-4.6.0/test/gjs-tests.cpp
Examining data/cjs-4.6.0/util/log.cpp
Examining data/cjs-4.6.0/util/log.h
Examining data/cjs-4.6.0/util/misc.cpp
Examining data/cjs-4.6.0/util/misc.h

FINAL RESULTS:

data/cjs-4.6.0/test/gjs-test-coverage.cpp:810:16:  [4] (buffer) sscanf:
  The scanf() family's %s operation, without a limit specification, permits
  buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
  different input function. If the scanf format is influenceable by an
  attacker, it's exploitable.
    nmatches = sscanf(line, format_string, &hit_count, detected_function);
data/cjs-4.6.0/cjs/context.cpp:169:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    FILE *fp = fopen(filename, "w");
data/cjs-4.6.0/cjs/debugger.cpp:93:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
            char buf[256];
data/cjs-4.6.0/cjs/jsapi-util.cpp:665:19:  [2] (buffer) MultiByteToWideChar:
  Requires maximum length in CHARACTERS, not bytes (CWE-120).
    int bufsize = MultiByteToWideChar(CP_UTF8, 0, str, len, nullptr, 0);
data/cjs-4.6.0/cjs/jsapi-util.cpp:670:18:  [2] (buffer) MultiByteToWideChar:
  Requires maximum length in CHARACTERS, not bytes (CWE-120).
    int result = MultiByteToWideChar(CP_UTF8, 0, str, len, &wstr[0], bufsize);
data/cjs-4.6.0/cjs/profiler.cpp:160:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char file[256];
data/cjs-4.6.0/cjs/profiler.cpp:334:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char final_string[512];
data/cjs-4.6.0/cjs/profiler.cpp:342:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
            memcpy(position, label, label_length);
data/cjs-4.6.0/cjs/profiler.cpp:364:17:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
                memcpy(position, dynamic_string, remaining_length);
data/cjs-4.6.0/gi/arg.cpp:1142:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(&flat_array[struct_size * i], gjs_arg_get<void*>(&arg),
data/cjs-4.6.0/gi/arg.cpp:2173:17:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
                memcpy(array->pdata, data, sizeof(void*) * length);
data/cjs-4.6.0/gi/arg.cpp:2927:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char utf8[7];
data/cjs-4.6.0/gi/boxed.cpp:312:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(m_ptr, boxed_ptr, g_struct_info_get_size(info()));
data/cjs-4.6.0/gi/boxed.cpp:629:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(raw_ptr() + offset, source_priv->to_instance()->ptr(),
data/cjs-4.6.0/installed-tests/minijasmine.cpp:69:15:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        const char *coverage_prefixes[2] = { coverage_prefix, NULL };
data/cjs-4.6.0/modules/console.cpp:127:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char line[256];
data/cjs-4.6.0/modules/system.cpp:142:20:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        FILE *fp = fopen(filename, "a");
data/cjs-4.6.0/test/gjs-test-coverage.cpp:458:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char hit_count[20];  /* can hold maxint64 (19 digits) + nul terminator */
data/cjs-4.6.0/test/gjs-test-coverage.cpp:475:25:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
        hit_count_num = atoi(hit_count);
data/cjs-4.6.0/test/gjs-tests.cpp:348:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char  *strv0[2] = {(char*)"foo", NULL};
data/cjs-4.6.0/test/gjs-tests.cpp:349:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char  *strv1[1] = {NULL};
data/cjs-4.6.0/test/gjs-tests.cpp:351:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char  *strv3[2] = {(char*)"bar", NULL};
data/cjs-4.6.0/test/gjs-tests.cpp:352:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char **stuff[4];
data/cjs-4.6.0/util/log.cpp:155:21:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
            logfp = fopen(log_file, "a");
data/cjs-4.6.0/cjs/byteArray.cpp:267:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        size_t len = strlen(utf8.get());
data/cjs-4.6.0/cjs/console.cpp:287:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        len = strlen(script);
data/cjs-4.6.0/cjs/console.cpp:292:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        len = strlen(script);
data/cjs-4.6.0/cjs/coverage.cpp:119:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        gsize offset = strlen(uri_header);
data/cjs-4.6.0/cjs/importer.cpp:719:41:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                    g_strndup(filename, strlen(filename) - 3);
data/cjs-4.6.0/cjs/jsapi-dynamic-class.cpp:124:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        return name + strlen("_private_");
data/cjs-4.6.0/cjs/jsapi-util-string.cpp:102:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    JS::ConstUTF8CharsZ chars(utf8_string, strlen(utf8_string));
data/cjs-4.6.0/cjs/jsapi-util.cpp:306:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    remaining_bytes = strlen (name);
data/cjs-4.6.0/cjs/jsapi-util.cpp:674:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    wstr.resize(len < 0 ? strlen(str) : len);
data/cjs-4.6.0/cjs/profiler.cpp:168:17:  [1] (buffer) sscanf:
  It's unclear if the %s limit in the format string is small enough
  (CWE-120). Check that the limit is sufficiently small, or use a different
  input function.
        int r = sscanf(lines[ix], "%lx-%lx %*15s %lx %*x:%*x %lu %255s",
data/cjs-4.6.0/cjs/profiler.cpp:328:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        size_t label_length = strlen(label);
data/cjs-4.6.0/cjs/profiler.cpp:360:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            size_t dynamic_string_length = strlen(dynamic_string);
data/cjs-4.6.0/gi/arg.cpp:838:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        *length = strlen(result.get());
data/cjs-4.6.0/gi/arg.cpp:2676:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        size_t len = strlen(static_cast<char*>(c_array));
data/cjs-4.6.0/gi/repo.cpp:728:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    s = g_string_sized_new(strlen(camel_name) + 4 + 1);
data/cjs-4.6.0/test/gjs-test-call-args.cpp:299:43:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    bool ok = source.init(fx->cx, script, strlen(script),
data/cjs-4.6.0/test/gjs-test-call-args.cpp:320:43:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    bool ok = source.init(fx->cx, script, strlen(script),
data/cjs-4.6.0/test/gjs-test-coverage.cpp:75:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    g_file_replace_contents(file, contents, strlen(contents), NULL /* etag */,
data/cjs-4.6.0/test/gjs-test-coverage.cpp:163:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    const gsize needle_length = strlen(needle);
data/cjs-4.6.0/test/gjs-test-coverage.cpp:232:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    GjsAutoChar actual = g_strndup(&sf_line[strlen(key)], strlen(value));
data/cjs-4.6.0/test/gjs-test-coverage.cpp:232:59:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    GjsAutoChar actual = g_strndup(&sf_line[strlen(key)], strlen(value));
data/cjs-4.6.0/test/gjs-test-coverage.cpp:463:16:  [1] (buffer) sscanf:
  It's unclear if the %s limit in the format string is small enough
  (CWE-120). Check that the limit is sufficiently small, or use a different
  input function.
    nmatches = sscanf(line, "%i,%i,%i,%19s", &line_no, &block_no, &branch_id, hit_count);
data/cjs-4.6.0/test/gjs-test-coverage.cpp:472:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    if (strlen(hit_count) == 1 && *hit_count == '-')
data/cjs-4.6.0/test/gjs-test-coverage.cpp:697:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    GjsAutoChar actual = g_strndup(line, strlen(expected_function_name));
data/cjs-4.6.0/test/gjs-test-coverage.cpp:745:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    GjsAutoChar actual = g_strndup(line, strlen(expected_function_line));
data/cjs-4.6.0/test/gjs-test-coverage.cpp:1163:51:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                                                  strlen(base_name) - 3);
data/cjs-4.6.0/test/gjs-test-coverage.cpp:1226:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                    strlen (expected[i].source_file_path)) == 0) {
data/cjs-4.6.0/test/gjs-tests.cpp:237:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                                     strlen(VALID_UTF8_STRING), &v_out);
data/cjs-4.6.0/test/gjs-tests.cpp:247:52:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    JS::ConstUTF8CharsZ jschars(VALID_UTF8_STRING, strlen(VALID_UTF8_STRING));
data/cjs-4.6.0/test/gjs-tests.cpp:268:52:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    JS::ConstUTF8CharsZ jschars(VALID_UTF8_STRING, strlen(VALID_UTF8_STRING));

ANALYSIS SUMMARY:

Hits = 54
Lines analyzed = 39838 in approximately 1.04 seconds (38478 lines/second)
Physical Source Lines of Code (SLOC) = 26919
Hits@level = [0]   6 [1]  30 [2]  23 [3]   0 [4]   1 [5]   0
Hits@level+ = [0+]  60 [1+]  54 [2+]  24 [3+]   1 [4+]   1 [5+]   0
Hits/KSLOC@level+ = [0+] 2.22891 [1+] 2.00602 [2+] 0.891564 [3+] 0.0371485 [4+] 0.0371485 [5+]   0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.