Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/cstore-fdw-1.7.0/cstore_compression.c
Examining data/cstore-fdw-1.7.0/cstore_fdw.c
Examining data/cstore-fdw-1.7.0/cstore_fdw.h
Examining data/cstore-fdw-1.7.0/cstore_metadata_serialization.c
Examining data/cstore-fdw-1.7.0/cstore_metadata_serialization.h
Examining data/cstore-fdw-1.7.0/cstore_reader.c
Examining data/cstore-fdw-1.7.0/cstore_version_compat.h
Examining data/cstore-fdw-1.7.0/cstore_writer.c

FINAL RESULTS:

data/cstore-fdw-1.7.0/cstore_fdw.c:502:3:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be
  exploited, and note that sprintf variations do not always \0-terminate
  (CWE-134). Use a constant for the format specification.
  snprintf(completionTag, COMPLETION_TAG_BUFSIZE, "COPY " UINT64_FORMAT,
data/cstore-fdw-1.7.0/cstore_metadata_serialization.c:368:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(skipListSizeArray, protobufStripeFooter->skiplistsizearray, sizeArrayLength);
data/cstore-fdw-1.7.0/cstore_metadata_serialization.c:369:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(existsSizeArray, protobufStripeFooter->existssizearray, sizeArrayLength);
data/cstore-fdw-1.7.0/cstore_metadata_serialization.c:370:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(valueSizeArray, protobufStripeFooter->valuesizearray, sizeArrayLength);
data/cstore-fdw-1.7.0/cstore_metadata_serialization.c:549:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(datumBuffer, DatumGetPointer(datum), datumTypeLength);
data/cstore-fdw-1.7.0/cstore_metadata_serialization.c:554:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(datumBuffer, DatumGetPointer(datum), datumLength);
data/cstore-fdw-1.7.0/cstore_metadata_serialization.c:576:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(binaryDataCopy, protobufBinary.data, protobufBinary.len);
data/cstore-fdw-1.7.0/cstore_reader.c:199:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&postscriptSize, postscriptSizeBuffer->data, CSTORE_POSTSCRIPT_SIZE_LENGTH);
data/cstore-fdw-1.7.0/cstore_writer.c:750:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(currentDatumDataPointer, DatumGetPointer(datum), datumTypeLength);
data/cstore-fdw-1.7.0/cstore_writer.c:756:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(currentDatumDataPointer, DatumGetPointer(datum), datumLength);
data/cstore-fdw-1.7.0/cstore_writer.c:906:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(datumData, DatumGetPointer(datum), datumLength);
data/cstore-fdw-1.7.0/cstore_writer.c:923:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(stripeMetadataCopy, &stripeMetadata, sizeof(StripeMetadata));
data/cstore-fdw-1.7.0/cstore_writer.c:1013:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(targetString->data, sourceString->data, sourceString->len);

ANALYSIS SUMMARY:

Hits = 13
Lines analyzed = 6019 in approximately 0.22 seconds (27847 lines/second)
Physical Source Lines of Code (SLOC) = 4067
Hits@level = [0]   1 [1]   0 [2]  12 [3]   0 [4]   1 [5]   0
Hits@level+ = [0+]  14 [1+]  13 [2+]  13 [3+]   1 [4+]   1 [5+]   0
Hits/KSLOC@level+ = [0+] 3.44234 [1+] 3.19646 [2+] 3.19646 [3+] 0.245881 [4+] 0.245881 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.