stdin

Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c
Examining data/erlang-bitcask-2.0.8+dfsg/c_src/erl_nif_compat.h
Examining data/erlang-bitcask-2.0.8+dfsg/c_src/erl_nif_util.c
Examining data/erlang-bitcask-2.0.8+dfsg/c_src/erl_nif_util.h
Examining data/erlang-bitcask-2.0.8+dfsg/c_src/khash.h
Examining data/erlang-bitcask-2.0.8+dfsg/c_src/murmurhash.c
Examining data/erlang-bitcask-2.0.8+dfsg/c_src/murmurhash.h
Examining data/erlang-bitcask-2.0.8+dfsg/c_src/pulse_c_send.c
Examining data/erlang-bitcask-2.0.8+dfsg/c_src/pulse_c_send.h

FINAL RESULTS:

data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:52:5:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
    vfprintf(stderr, fmt, ap);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:123:13:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
            strcat(buf, cbuf);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:58:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char N[MAX_DEBUG_STR];\
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:62:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char N[MAX_DEBUG_STR];\
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:88:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char cbuf[4]; // up to 3 digits + \0
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:107:9:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant string.
        strcat(buf, "<<\"");
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:111:9:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant string.
        strcat(buf, "\">>");
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:115:9:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant string.
        strcat(buf, "<<");
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:122:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
            sprintf(cbuf, "%u", bin[i]);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:125:9:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant string.
        strcat(buf, ">>");
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:150:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char     key[0];
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:186:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char     key[0];
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:249:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char          name[0];
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:264:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char  filename[0];
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:445:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char name[4096];
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:472:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char name[4096];
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:966:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(ret->key, old->key, old->key_sz);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:993:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buf[4096];
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:995:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(&buf, h->key, h->key_sz);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:1115:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(new_entry->key, entry->key, entry->key_sz);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:1176:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
            memcpy(new_entry->key, h->key, h->key_sz);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:1702:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(new_head, curr_head, head_sz);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:1709:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
            memcpy(sib, next_sib, sizeof(bitcask_keydir_entry_sib));
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:1721:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(new, curr, new_sz);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:1784:17:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
                memcpy(new_f, curr_f, sizeof(bitcask_fstats_entry));
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:1949:17:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
                memcpy(key.data, proxy.key, proxy.key_sz);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:2182:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char filename[4096];
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:2198:18:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        int fd = open(filename, flags, 0600);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:2339:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char filename[4096];
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:2344:18:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        int fd = open(filename, flags, S_IREAD | S_IWRITE);
data/erlang-bitcask-2.0.8+dfsg/c_src/erl_nif_util.c:33:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(outvalue, ((uint64_t*)bin.data), sizeof(uint64_t));
data/erlang-bitcask-2.0.8+dfsg/c_src/erl_nif_util.c:46:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(bin.data, &value, sizeof(uint64_t));
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:110:9:  [1] (buffer) strncat:
  Easily used incorrectly (e.g., incorrectly computing the correct maximum
  size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
  or automatically resizing strings.
        strncat(buf, (char*)bin, n);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:120:17:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant character.
                strcat(buf, ",");
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:476:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        name_sz = strlen(name);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:507:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
            strncpy(keydir->name, name, name_sz + 1);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:2202:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            unsigned int filename_sz = strlen(filename) + 1;
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:2208:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
            strncpy(handle->filename, filename, filename_sz);
data/erlang-bitcask-2.0.8+dfsg/c_src/bitcask_nifs.c:2519:30:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        ssize_t bytes_read = read(handle->fd, bin.data, count);

ANALYSIS SUMMARY:

Hits = 39
Lines analyzed = 4051 in approximately 0.12 seconds (32958 lines/second)
Physical Source Lines of Code (SLOC) = 2955
Hits@level = [0]   8 [1]   7 [2]  30 [3]   0 [4]   2 [5]   0
Hits@level+ = [0+]  47 [1+]  39 [2+]  32 [3+]   2 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 15.9052 [1+] 13.198 [2+] 10.8291 [3+] 0.676819 [4+] 0.676819 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.