Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/cpustat-0.02.13/cpustat.c

FINAL RESULTS:

data/cpustat-0.02.13/cpustat.c:1292:9:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  (void)fprintf(fp, ",%" PRIu64, sorted_cpu_infos[i]->total);
data/cpustat-0.02.13/cpustat.c:2102:8:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134).
  Use a constant for the format specification.
  (void)snprintf(buffer, sizeof(buffer), "%" PRId32, cpus);
data/cpustat-0.02.13/cpustat.c:2179:8:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  (void)printf(APP_NAME ", version " VERSION "\n\n"
data/cpustat-0.02.13/cpustat.c:2224:11:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
  int c = getopt(argc, argv, "acdDghiln:qr:sSt:Tp:xX");
data/cpustat-0.02.13/cpustat.c:128:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char comm[17];		/* Name of process/kernel task */
data/cpustat-0.02.13/cpustat.c:333:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[32];
data/cpustat-0.02.13/cpustat.c:336:7:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  fd = open("/proc/sys/kernel/pid_max", O_RDONLY);
data/cpustat-0.02.13/cpustat.c:726:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char buf[16];
data/cpustat-0.02.13/cpustat.c:837:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char buffer[4096];
data/cpustat-0.02.13/cpustat.c:843:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char path[PATH_MAX];
data/cpustat-0.02.13/cpustat.c:853:21:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if (UNLIKELY((fd = open(path, O_RDONLY)) < 0))
data/cpustat-0.02.13/cpustat.c:1073:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char str[256];
data/cpustat-0.02.13/cpustat.c:1076:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char tmp[256];
data/cpustat-0.02.13/cpustat.c:1130:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[512], *ptr = buffer;
data/cpustat-0.02.13/cpustat.c:1174:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[256], *ptr = buffer;
data/cpustat-0.02.13/cpustat.c:1279:12:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if ((fp = fopen(filename, "w")) == NULL) {
data/cpustat-0.02.13/cpustat.c:1466:8:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  (void)memcpy(info, new_info, sizeof(*info));
data/cpustat-0.02.13/cpustat.c:1773:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[4096];
data/cpustat-0.02.13/cpustat.c:1777:7:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  fp = fopen("/proc/stat", "r");
data/cpustat-0.02.13/cpustat.c:1833:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[128], *ptr = buffer;
data/cpustat-0.02.13/cpustat.c:1874:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char filename[PATH_MAX], *fnptr;
data/cpustat-0.02.13/cpustat.c:1875:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[4096];
data/cpustat-0.02.13/cpustat.c:1887:13:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if ((fd = open(filename, O_RDONLY)) < 0)
data/cpustat-0.02.13/cpustat.c:1999:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char filename[PATH_MAX], *fnptr;
data/cpustat-0.02.13/cpustat.c:2007:20:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if (LIKELY((fd = open(filename, O_RDONLY)) > -1)) {
data/cpustat-0.02.13/cpustat.c:2008:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[64];
data/cpustat-0.02.13/cpustat.c:2033:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char buffer[40];
data/cpustat-0.02.13/cpustat.c:2060:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char buffer[4096];
data/cpustat-0.02.13/cpustat.c:2065:21:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if (UNLIKELY((fd = open("/sys/devices/system/cpu/online", O_RDONLY)) < 0))
data/cpustat-0.02.13/cpustat.c:2115:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char buffer[4096];
data/cpustat-0.02.13/cpustat.c:2120:21:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if (UNLIKELY((fd = open("/proc/loadavg", O_RDONLY)) < 0))
data/cpustat-0.02.13/cpustat.c:2158:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[128], *ptr = buffer;
data/cpustat-0.02.13/cpustat.c:339:6:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  n = read(fd, buf, sizeof(buf) - 1);
data/cpustat-0.02.13/cpustat.c:868:8:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ret = read(fd, buffer, sizeof(buffer));
data/cpustat-0.02.13/cpustat.c:1083:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  n = strlen(tmp);
data/cpustat-0.02.13/cpustat.c:1085:8:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  (void)strncpy(ptr, tmp, sizeof(str));
data/cpustat-0.02.13/cpustat.c:1091:8:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120). Risk is low because the source is a
  constant string.
  (void)strncpy(ptr, "PID S CPU Time Task", sz);
data/cpustat-0.02.13/cpustat.c:1099:9:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120). Risk is low because the source is a
  constant string.
  (void)strncpy(ptr, " (", 4);
data/cpustat-0.02.13/cpustat.c:1890:9:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  len = read(fd, buffer, sizeof(buffer) - 1);
data/cpustat-0.02.13/cpustat.c:2011:10:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ret = read(fd, buffer, sizeof(buffer) - 1);
data/cpustat-0.02.13/cpustat.c:2067:8:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  ret = read(fd, buffer, sizeof(buffer) - 1);
data/cpustat-0.02.13/cpustat.c:2122:8:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  len = read(fd, buffer, sizeof(buffer) - 1);

ANALYSIS SUMMARY:

Hits = 42
Lines analyzed = 2480 in approximately 0.08 seconds (31154 lines/second)
Physical Source Lines of Code (SLOC) = 1841
Hits@level = [0]  42 [1]  10 [2]  28 [3]   1 [4]   3 [5]   0
Hits@level+ = [0+]  84 [1+]  42 [2+]  32 [3+]   4 [4+]   3 [5+]   0
Hits/KSLOC@level+ = [0+] 45.6274 [1+] 22.8137 [2+] 17.3819 [3+] 2.17273 [4+] 1.62955 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.