Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/cryptokit-1.16.1/src/aesni.c Examining data/cryptokit-1.16.1/src/aesni.h Examining data/cryptokit-1.16.1/src/arcfour.c Examining data/cryptokit-1.16.1/src/arcfour.h Examining data/cryptokit-1.16.1/src/blake2.c Examining data/cryptokit-1.16.1/src/blake2.h Examining data/cryptokit-1.16.1/src/blowfish.c Examining data/cryptokit-1.16.1/src/blowfish.h Examining data/cryptokit-1.16.1/src/chacha20.c Examining data/cryptokit-1.16.1/src/chacha20.h Examining data/cryptokit-1.16.1/src/d3des.c Examining data/cryptokit-1.16.1/src/d3des.h Examining data/cryptokit-1.16.1/src/keccak.c Examining data/cryptokit-1.16.1/src/keccak.h Examining data/cryptokit-1.16.1/src/rijndael-alg-fst.c Examining data/cryptokit-1.16.1/src/rijndael-alg-fst.h Examining data/cryptokit-1.16.1/src/ripemd160.c Examining data/cryptokit-1.16.1/src/ripemd160.h Examining data/cryptokit-1.16.1/src/sha1.c Examining data/cryptokit-1.16.1/src/sha1.h Examining data/cryptokit-1.16.1/src/sha256.c Examining data/cryptokit-1.16.1/src/sha256.h Examining data/cryptokit-1.16.1/src/sha512.c Examining data/cryptokit-1.16.1/src/sha512.h Examining data/cryptokit-1.16.1/src/stubs-aes.c Examining data/cryptokit-1.16.1/src/stubs-arcfour.c Examining data/cryptokit-1.16.1/src/stubs-blake2.c Examining data/cryptokit-1.16.1/src/stubs-blowfish.c Examining data/cryptokit-1.16.1/src/stubs-chacha20.c Examining data/cryptokit-1.16.1/src/stubs-des.c Examining data/cryptokit-1.16.1/src/stubs-md5.c Examining data/cryptokit-1.16.1/src/stubs-misc.c Examining data/cryptokit-1.16.1/src/stubs-ripemd160.c Examining data/cryptokit-1.16.1/src/stubs-rng.c Examining data/cryptokit-1.16.1/src/stubs-sha1.c Examining data/cryptokit-1.16.1/src/stubs-sha256.c Examining data/cryptokit-1.16.1/src/stubs-sha3.c Examining data/cryptokit-1.16.1/src/stubs-sha512.c Examining data/cryptokit-1.16.1/src/stubs-zlib.c FINAL RESULTS: data/cryptokit-1.16.1/src/arcfour.h:18:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char state[256]; data/cryptokit-1.16.1/src/blake2.c:132:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(s->buffer, key, keylen); data/cryptokit-1.16.1/src/blake2.c:146:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(s->buffer + s->numbytes, data, len); data/cryptokit-1.16.1/src/blake2.c:150:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(s->buffer + s->numbytes, data, n); data/cryptokit-1.16.1/src/blake2.c:160:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(s->buffer, data, len); data/cryptokit-1.16.1/src/blake2.c:271:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(s->buffer, key, keylen); data/cryptokit-1.16.1/src/blake2.c:285:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(s->buffer + s->numbytes, data, len); data/cryptokit-1.16.1/src/blake2.c:289:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(s->buffer + s->numbytes, data, n); data/cryptokit-1.16.1/src/blake2.c:299:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(s->buffer, data, len); data/cryptokit-1.16.1/src/blake2.h:22:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char buffer[BLAKE2b_BLOCKSIZE]; data/cryptokit-1.16.1/src/blake2.h:38:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char buffer[BLAKE2s_BLOCKSIZE]; data/cryptokit-1.16.1/src/keccak.c:136:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer + ctx->numbytes, data, len); data/cryptokit-1.16.1/src/keccak.c:140:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer + ctx->numbytes, data, n); data/cryptokit-1.16.1/src/keccak.c:152:16: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. if (len > 0) memcpy(ctx->buffer, data, len); data/cryptokit-1.16.1/src/keccak.h:7:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char buffer[144]; data/cryptokit-1.16.1/src/ripemd160.c:104:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(dst, src, numwords * sizeof(u32)); data/cryptokit-1.16.1/src/ripemd160.c:350:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer + ctx->numbytes, data, len); data/cryptokit-1.16.1/src/ripemd160.c:354:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer + ctx->numbytes, data, t); data/cryptokit-1.16.1/src/ripemd160.c:361:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer, data, 64); data/cryptokit-1.16.1/src/ripemd160.c:367:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer, data, len); data/cryptokit-1.16.1/src/ripemd160.c:371:63: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. void RIPEMD160_finish(struct RIPEMD160Context * ctx, unsigned char output[20]) data/cryptokit-1.16.1/src/ripemd160.h:24:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char buffer[64]; data/cryptokit-1.16.1/src/ripemd160.h:32:39: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char output[20]); data/cryptokit-1.16.1/src/sha1.c:31:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(dst, src, numwords * sizeof(u32)); data/cryptokit-1.16.1/src/sha1.c:130:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer + ctx->numbytes, data, len); data/cryptokit-1.16.1/src/sha1.c:134:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer + ctx->numbytes, data, t); data/cryptokit-1.16.1/src/sha1.c:141:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer, data, 64); data/cryptokit-1.16.1/src/sha1.c:147:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer, data, len); data/cryptokit-1.16.1/src/sha1.c:151:53: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. void SHA1_finish(struct SHA1Context * ctx, unsigned char output[20]) data/cryptokit-1.16.1/src/sha1.h:24:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char buffer[64]; data/cryptokit-1.16.1/src/sha1.h:30:60: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. extern void SHA1_finish(struct SHA1Context * ctx, unsigned char output[20]); data/cryptokit-1.16.1/src/sha256.c:36:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(dst, src, numwords * sizeof(u32)); data/cryptokit-1.16.1/src/sha256.c:181:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer + ctx->numbytes, data, len); data/cryptokit-1.16.1/src/sha256.c:185:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer + ctx->numbytes, data, t); data/cryptokit-1.16.1/src/sha256.c:192:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer, data, 64); data/cryptokit-1.16.1/src/sha256.c:198:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer, data, len); data/cryptokit-1.16.1/src/sha256.h:29:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char buffer[64]; data/cryptokit-1.16.1/src/sha512.c:36:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(dst, src, numwords * 8); data/cryptokit-1.16.1/src/sha512.c:251:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer + ctx->numbytes, data, len); data/cryptokit-1.16.1/src/sha512.c:255:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer + ctx->numbytes, data, l); data/cryptokit-1.16.1/src/sha512.c:262:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer, data, 128); data/cryptokit-1.16.1/src/sha512.c:268:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->buffer, data, len); data/cryptokit-1.16.1/src/sha512.h:30:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char buffer[128]; data/cryptokit-1.16.1/src/stubs-md5.c:30:18: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char in[64]; data/cryptokit-1.16.1/src/stubs-rng.c:143:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(dst, &rr, nbytes); ANALYSIS SUMMARY: Hits = 45 Lines analyzed = 6067 in approximately 0.26 seconds (23513 lines/second) Physical Source Lines of Code (SLOC) = 4662 Hits@level = [0] 0 [1] 0 [2] 45 [3] 0 [4] 0 [5] 0 Hits@level+ = [0+] 45 [1+] 45 [2+] 45 [3+] 0 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 9.65251 [1+] 9.65251 [2+] 9.65251 [3+] 0 [4+] 0 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.