Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/cracklib2-2.9.6/python/_cracklib.c
Examining data/cracklib2-2.9.6/util/testlib.c
Examining data/cracklib2-2.9.6/util/unpacker.c
Examining data/cracklib2-2.9.6/util/packer.c
Examining data/cracklib2-2.9.6/util/testnum.c
Examining data/cracklib2-2.9.6/util/teststr.c
Examining data/cracklib2-2.9.6/util/check.c
Examining data/cracklib2-2.9.6/lib/stringlib.c
Examining data/cracklib2-2.9.6/lib/packer.h
Examining data/cracklib2-2.9.6/lib/crack.h
Examining data/cracklib2-2.9.6/lib/packlib.c
Examining data/cracklib2-2.9.6/lib/fascist.c
Examining data/cracklib2-2.9.6/lib/rules.c
Examining data/cracklib2-2.9.6/debian/examples/cracklib_example.c

FINAL RESULTS:

data/cracklib2-2.9.6/lib/fascist.c:523:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(gbuffer, Lowercase(tbuffer));

data/cracklib2-2.9.6/lib/fascist.c:588:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(longbuffer, uwords[i]);

data/cracklib2-2.9.6/lib/fascist.c:589:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(longbuffer, uwords[j]);

data/cracklib2-2.9.6/lib/fascist.c:596:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(longbuffer, uwords[j]);

data/cracklib2-2.9.6/lib/fascist.c:597:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(longbuffer, uwords[i]);

data/cracklib2-2.9.6/lib/fascist.c:609:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(longbuffer, uwords[j]);

data/cracklib2-2.9.6/lib/fascist.c:621:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(longbuffer, uwords[i]);

data/cracklib2-2.9.6/lib/fascist.c:743:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(password, (char *)Lowercase(password));

data/cracklib2-2.9.6/lib/fascist.c:814:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(password, (char *)Reverse(password));

data/cracklib2-2.9.6/lib/packlib.c:536:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(nstr, ostr);

data/cracklib2-2.9.6/lib/rules.c:27:5:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(stderr, a, b, c, d, e, f, g);

data/cracklib2-2.9.6/lib/rules.c:160:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area, string);

data/cracklib2-2.9.6/lib/rules.c:439:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area, input);

data/cracklib2-2.9.6/lib/rules.c:448:6:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area, Reverse(area));

data/cracklib2-2.9.6/lib/rules.c:451:6:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area, Uppercase(area));

data/cracklib2-2.9.6/lib/rules.c:454:6:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area, Lowercase(area));

data/cracklib2-2.9.6/lib/rules.c:457:6:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area, Capitalise(area));

data/cracklib2-2.9.6/lib/rules.c:460:6:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area, Pluralise(area));

data/cracklib2-2.9.6/lib/rules.c:463:6:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(area, Reverse(area));

data/cracklib2-2.9.6/lib/rules.c:466:6:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area2, area);

data/cracklib2-2.9.6/lib/rules.c:467:6:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(area, area2);

data/cracklib2-2.9.6/lib/rules.c:515:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area2 + 1, area);

data/cracklib2-2.9.6/lib/rules.c:516:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area, area2);

data/cracklib2-2.9.6/lib/rules.c:550:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area2, area);

data/cracklib2-2.9.6/lib/rules.c:608:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(p2, p1);

data/cracklib2-2.9.6/lib/rules.c:609:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area, area2);

data/cracklib2-2.9.6/lib/rules.c:621:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area, Purge(area, *(++ptr)));

data/cracklib2-2.9.6/lib/rules.c:624:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area, PolyPurge(area, ptr[2]));

data/cracklib2-2.9.6/lib/rules.c:635:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area, Substitute(area, ptr[1], ptr[2]));

data/cracklib2-2.9.6/lib/rules.c:639:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(area, PolySubst(area, ptr[2], ptr[3]));

data/cracklib2-2.9.6/lib/stringlib.c:56:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(retval, string);

data/cracklib2-2.9.6/python/_cracklib.c:114:9:  [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
  sprintf(dictfile, "%s" DICT_SUFFIX, dict);

data/cracklib2-2.9.6/python/_cracklib.c:136:9:  [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
  sprintf(dictfile, "%s" DICT_SUFFIX, defaultdict);

data/cracklib2-2.9.6/util/packer.c:72:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(prev, buffer);

data/cracklib2-2.9.6/debian/examples/cracklib_example.c:25:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char password[80U] = "";

data/cracklib2-2.9.6/lib/fascist.c:502:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char gbuffer[STRINGSIZE];

data/cracklib2-2.9.6/lib/fascist.c:503:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tbuffer[STRINGSIZE];

data/cracklib2-2.9.6/lib/fascist.c:504:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *uwords[STRINGSIZE];

data/cracklib2-2.9.6/lib/fascist.c:505:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char longbuffer[STRINGSIZE];

data/cracklib2-2.9.6/lib/fascist.c:704:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char junk[STRINGSIZE];

data/cracklib2-2.9.6/lib/fascist.c:706:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char rpassword[STRINGSIZE];

data/cracklib2-2.9.6/lib/fascist.c:852:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char pwtrunced[STRINGSIZE];

data/cracklib2-2.9.6/lib/fascist.c:904:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char pwtrunced[STRINGSIZE];

data/cracklib2-2.9.6/lib/packer.h:71:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char data_put[NUMWORDS][MAXWORDLEN];

data/cracklib2-2.9.6/lib/packer.h:72:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char data_get[NUMWORDS][MAXWORDLEN];

data/cracklib2-2.9.6/lib/packlib.c:45:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char data_put[NUMWORDS][MAXWORDLEN];

data/cracklib2-2.9.6/lib/packlib.c:46:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char data_get[NUMWORDS][MAXWORDLEN];

data/cracklib2-2.9.6/lib/packlib.c:73:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char iname[STRINGSIZE];

data/cracklib2-2.9.6/lib/packlib.c:74:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char dname[STRINGSIZE];

data/cracklib2-2.9.6/lib/packlib.c:75:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char wname[STRINGSIZE];

data/cracklib2-2.9.6/lib/packlib.c:97:21:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!(pdesc.dfp = fopen(dname, mode)))

data/cracklib2-2.9.6/lib/packlib.c:118:21:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!(pdesc.dfp = fopen(dname, mode)))

data/cracklib2-2.9.6/lib/packlib.c:125:23:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!(pdesc.ifp = fopen(iname, mode)))

data/cracklib2-2.9.6/lib/packlib.c:137:22:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((pdesc.wfp = fopen(wname, mode)))

data/cracklib2-2.9.6/lib/packlib.c:455:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[NUMWORDS * MAXWORDLEN];

data/cracklib2-2.9.6/lib/rules.c:90:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char area[STRINGSIZE];

data/cracklib2-2.9.6/lib/rules.c:105:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char area[STRINGSIZE];

data/cracklib2-2.9.6/lib/rules.c:122:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char area[STRINGSIZE];

data/cracklib2-2.9.6/lib/rules.c:139:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char area[STRINGSIZE];

data/cracklib2-2.9.6/lib/rules.c:158:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char area[STRINGSIZE];

data/cracklib2-2.9.6/lib/rules.c:169:2:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
  strcat(area, "es");

data/cracklib2-2.9.6/lib/rules.c:179:6:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(area + length - 1, "ies");

data/cracklib2-2.9.6/lib/rules.c:184:2:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
  strcat(area, "es");

data/cracklib2-2.9.6/lib/rules.c:201:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char area[STRINGSIZE];

data/cracklib2-2.9.6/lib/rules.c:218:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char area[STRINGSIZE];

data/cracklib2-2.9.6/lib/rules.c:381:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char area[STRINGSIZE];

data/cracklib2-2.9.6/lib/rules.c:398:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char area[STRINGSIZE];

data/cracklib2-2.9.6/lib/rules.c:437:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char area[STRINGSIZE * 2] = {0};

data/cracklib2-2.9.6/lib/rules.c:438:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char area2[STRINGSIZE * 2] = {0};

data/cracklib2-2.9.6/python/_cracklib.c:79:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char errmsg[255];

data/cracklib2-2.9.6/util/check.c:20:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[LINE_MAX];

data/cracklib2-2.9.6/util/packer.c:23:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[STRINGSIZE], prev[STRINGSIZE];

data/cracklib2-2.9.6/util/testlib.c:18:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[1024];

data/cracklib2-2.9.6/util/testnum.c:21:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[STRINGSIZE];

data/cracklib2-2.9.6/util/teststr.c:16:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[STRINGSIZE];

data/cracklib2-2.9.6/debian/examples/cracklib_example.c:30:5:  [1] (buffer) scanf:
  It's unclear if the %s limit in the format string is small enough (CWE-120). Check that the limit is sufficiently small, or use a different input function.
  scanf( "%79s", password );

data/cracklib2-2.9.6/lib/fascist.c:446:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(password);

data/cracklib2-2.9.6/lib/fascist.c:512:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(tbuffer, user, STRINGSIZE);

data/cracklib2-2.9.6/lib/fascist.c:521:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(tbuffer, gecos, STRINGSIZE);

data/cracklib2-2.9.6/lib/fascist.c:586:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)

data/cracklib2-2.9.6/lib/fascist.c:586:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)

data/cracklib2-2.9.6/lib/fascist.c:605:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(uwords[j]) < STRINGSIZE - 1)

data/cracklib2-2.9.6/lib/fascist.c:617:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(uwords[i]) < STRINGSIZE - 1)

data/cracklib2-2.9.6/lib/fascist.c:712:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(rpassword, instring, TRUNCSTRINGSIZE);

data/cracklib2-2.9.6/lib/fascist.c:716:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(password) < 4)

data/cracklib2-2.9.6/lib/fascist.c:721:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(password) < MINLEN)

data/cracklib2-2.9.6/lib/fascist.c:738:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(junk) < MINDIFF)

data/cracklib2-2.9.6/lib/fascist.c:770:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  maxrepeat = 3+(0.09*strlen(password));

data/cracklib2-2.9.6/lib/fascist.c:866:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(pwtrunced, password, TRUNCSTRINGSIZE);

data/cracklib2-2.9.6/lib/fascist.c:918:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(pwtrunced, password, TRUNCSTRINGSIZE);

data/cracklib2-2.9.6/lib/fascist.c:933:9:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(errstr, error, errstr_len);

data/cracklib2-2.9.6/lib/packlib.c:394:2:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(pwp->data_put[pwp->count], string, MAXWORDLEN);

data/cracklib2-2.9.6/lib/rules.c:72:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  i = strlen(myword);

data/cracklib2-2.9.6/lib/rules.c:73:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  j = strlen(suffix);

data/cracklib2-2.9.6/lib/rules.c:91:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  j = i = strlen(str);

data/cracklib2-2.9.6/lib/rules.c:159:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  length = strlen(string);

data/cracklib2-2.9.6/lib/rules.c:175:6:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(area, "s");

data/cracklib2-2.9.6/lib/rules.c:188:2:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(area, "s");

data/cracklib2-2.9.6/lib/rules.c:482:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ( (int) strlen(area) <= limit)

data/cracklib2-2.9.6/lib/rules.c:501:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ( (int) strlen(area) >= limit)

data/cracklib2-2.9.6/lib/stringlib.c:53:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  retval = (char *) malloc(strlen(string) + 1);

data/cracklib2-2.9.6/python/_cracklib.c:108:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  dictfile = malloc(strlen(dict) + sizeof(DICT_SUFFIX));

data/cracklib2-2.9.6/python/_cracklib.c:129:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  dictfile = malloc(strlen(defaultdict) + sizeof(DICT_SUFFIX));

data/cracklib2-2.9.6/python/_cracklib.c:164:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((errmsg != NULL) && (strlen(errmsg) > 0))

data/cracklib2-2.9.6/util/check.c:31:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  while (((i = strlen(buf)) > 0) && (i > 0)) {

data/cracklib2-2.9.6/util/check.c:43:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((why != NULL) && (strlen(why) > 0)) {

ANALYSIS SUMMARY:

Hits = 106
Lines analyzed = 3221 in approximately 0.19 seconds (17067 lines/second)
Physical Source Lines of Code (SLOC) = 2652
Hits@level = [0]  59 [1]  31 [2]  41 [3]   0 [4]  34 [5]   0
Hits@level+ = [0+] 165 [1+] 106 [2+]  75 [3+]  34 [4+]  34 [5+]   0
Hits/KSLOC@level+ = [0+] 62.2172 [1+] 39.9698 [2+] 28.2805 [3+] 12.8205 [4+] 12.8205 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.
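Most of the hits above are the same pattern: strncpy with the full buffer size as the bound (fascist.c:512, :521, :712, :866, :918; packlib.c:394), followed by strlen or strcpy on the result (fascist.c:523 and the strcpy/strcat pairs at :588-:621). The report shows one line per hit, so it cannot tell you whether the surrounding code terminates the buffer afterwards; that has to be checked by reading the code, and the example below is not a claim that cracklib fails to do so. What follows is an added example, not cracklib's code, that makes the hazard flawfinder describes observable and shows the bounded replacements its messages recommend: a copy that always terminates and reports truncation (the strlcpy contract, implemented locally because glibc only gained strlcpy in 2.38) and a concatenation that performs the length check fascist.c:586 does by hand. BUFSZ is a stand-in for STRINGSIZE and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size standing in for cracklib's STRINGSIZE macro. */
#define BUFSZ 8

/* Returns 1 if buf[0..len) contains a NUL terminator, 0 otherwise. */
static int is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* The pattern flagged at fascist.c:512/:521: strncpy bounded by the full size of
 * the destination. If src has >= dstsz characters no NUL is written, so a later
 * strlen/strcpy on dst over-reads (CWE-126) and can overflow the next buffer
 * (CWE-120). Returns 1 if dst ended up terminated, 0 if it did not. */
static int raw_strncpy_terminated(char *dst, size_t dstsz, const char *src)
{
    memset(dst, 'X', dstsz);        /* poison so a missing NUL is observable */
    strncpy(dst, src, dstsz);
    return is_terminated(dst, dstsz);
}

/* Hardened copy: always NUL-terminates and returns strlen(src), so the caller
 * detects truncation by comparing the return value with dstsz (strlcpy contract). */
static size_t bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz) {
        size_t c = n < dstsz - 1 ? n : dstsz - 1;
        memcpy(dst, src, c);
        dst[c] = '\0';
    }
    return n;
}

/* Bounded concatenation of a and b into dst, the check fascist.c:586 performs
 * before its strcpy/strcat pair. Returns 1 and fills dst if the pair fits
 * (la + lb + 1 bytes including the NUL), 0 with dst untouched otherwise. */
static int bounded_join(char *dst, size_t dstsz, const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la + lb >= dstsz)
        return 0;
    memcpy(dst, a, la);
    memcpy(dst + la, b, lb + 1);    /* +1 copies b's terminator */
    return 1;
}

int main(void)
{
    char buf[BUFSZ];
    printf("short src terminated: %d\n", raw_strncpy_terminated(buf, sizeof buf, "bob"));
    printf("long  src terminated: %d\n", raw_strncpy_terminated(buf, sizeof buf, "alexander"));
    size_t n = bounded_copy(buf, sizeof buf, "alexander");
    printf("bounded_copy -> \"%s\" (truncated=%d)\n", buf, n >= sizeof buf);
    printf("join abc+def fits: %d\n", bounded_join(buf, sizeof buf, "abc", "def"));
    printf("join abcd+defg fits: %d\n", bounded_join(buf, sizeof buf, "abcd", "defg"));
    return 0;
}
```

Run it and the second line shows 0: a nine-character name leaves the eight-byte buffer with no terminator at all, which is the state flawfinder's strncpy message warns about. The same test applies to the TRUNCSTRINGSIZE and MAXWORDLEN copies in the report; what matters when triaging each hit is whether the next use of the buffer can tolerate a missing NUL, and the bounded helpers remove the question by construction.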
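The four fopen hits at packlib.c:97, :118, :125 and :137 are level 2 because flawfinder cannot see where dname, iname and wname come from; its message lists what to check (symlink redirection, special files, races on the path). The example below is an added illustration of that check, not cracklib's code: it opens read-only with O_NOFOLLOW so a symlink in the final component is refused, then verifies on the already-open descriptor that the object is a regular file before handing it to stdio, which closes the gap between check and use that a stat-then-fopen sequence would leave. It assumes a read-only, POSIX environment and a Linux-style /dev/null for the stand-alone run; the helper names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open `path` for reading only if the final path component is not a symlink and
 * the object is a regular file. Returns a FILE* or NULL with errno set.
 * Added example of the check flawfinder asks for at packlib.c:97-137; not
 * cracklib's code. */
static FILE *fopen_regular_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return NULL;                /* ELOOP here means: final component was a symlink */

    struct stat st;
    if (fstat(fd, &st) != 0) {      /* fstat on the fd: no second path lookup to race */
        int e = errno;
        close(fd);
        errno = e;
        return NULL;
    }
    if (!S_ISREG(st.st_mode)) {     /* device, FIFO, directory, socket: refuse */
        close(fd);
        errno = EINVAL;
        return NULL;
    }

    FILE *fp = fdopen(fd, "r");     /* stdio wrapper around the vetted descriptor */
    if (!fp) {
        int e = errno;
        close(fd);
        errno = e;
        return NULL;
    }
    return fp;
}

/* Convenience probe: 1 if the path opens under the policy above, 0 otherwise
 * (errno describes the refusal). */
static int opens_ok(const char *path)
{
    FILE *fp = fopen_regular_nofollow(path);
    if (!fp)
        return 0;
    fclose(fp);
    return 1;
}

int main(int argc, char **argv)
{
    const char *p = argc > 1 ? argv[1] : "/dev/null";
    if (opens_ok(p))
        printf("%s: opened as a regular file\n", p);
    else
        printf("%s: refused (%s)\n", p, strerror(errno));
    return 0;
}
```

Pass a dictionary path as the argument to see it accepted; the default /dev/null is refused as a character device, and a symlink to a real file is refused with ELOOP. O_NOFOLLOW only covers the last component, so the "control its ancestors" part of flawfinder's message still has to be answered by directory ownership and permissions on the path the caller supplies.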