Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/faultstat-0.01.05/faultstat.c FINAL RESULTS: data/faultstat-0.01.05/faultstat.c:127:64: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. void (*df_printf)(const char *str, ...) __attribute__((format(printf, 1, 2))); data/faultstat-0.01.05/faultstat.c:147:24: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. __attribute__((format(printf, 1, 2))); data/faultstat-0.01.05/faultstat.c:150:24: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. __attribute__((format(printf, 1, 2))); data/faultstat-0.01.05/faultstat.c:387:8: [4] (format) vsnprintf: If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification. (void)vsnprintf(buf, sizeof(buf), fmt, ap); data/faultstat-0.01.05/faultstat.c:407:8: [4] (format) vsnprintf: If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification. (void)vsnprintf(buf, sizeof(buf), fmt, ap); data/faultstat-0.01.05/faultstat.c:1549:11: [3] (buffer) getopt: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs. int c = getopt(argc, argv, "acdhlp:stT"); data/faultstat-0.01.05/faultstat.c:230:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[32]; data/faultstat-0.01.05/faultstat.c:236:7: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). fd = open("/proc/sys/kernel/pid_max", O_RDONLY); data/faultstat-0.01.05/faultstat.c:376:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[256]; data/faultstat-0.01.05/faultstat.c:404:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[256]; data/faultstat-0.01.05/faultstat.c:562:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[4096]; data/faultstat-0.01.05/faultstat.c:568:12: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ((fd = open(buffer, O_RDONLY)) < 0) data/faultstat-0.01.05/faultstat.c:587:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[4096]; data/faultstat-0.01.05/faultstat.c:594:12: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ((fd = open(buffer, O_RDONLY)) < 0) data/faultstat-0.01.05/faultstat.c:648:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char path[PATH_MAX]; data/faultstat-0.01.05/faultstat.c:813:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[16]; data/faultstat-0.01.05/faultstat.c:993:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[4096]; data/faultstat-0.01.05/faultstat.c:994:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char path[PATH_MAX]; data/faultstat-0.01.05/faultstat.c:1031:12: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ((fp = fopen(path, "r")) == NULL) { data/faultstat-0.01.05/faultstat.c:1059:12: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ((fp = fopen(path, "r")) == NULL) data/faultstat-0.01.05/faultstat.c:1244:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char s_min_fault[12], s_maj_fault[12], data/faultstat-0.01.05/faultstat.c:1351:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char s_min_fault[12], s_maj_fault[12], data/faultstat-0.01.05/faultstat.c:239:6: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). n = read(fd, buf, sizeof(buf) - 1); data/faultstat-0.01.05/faultstat.c:571:13: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). if ((ret = read(fd, buffer, sizeof(buffer))) <= 0) { data/faultstat-0.01.05/faultstat.c:597:13: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). if ((ret = read(fd, buffer, sizeof(buffer))) <= 0) { data/faultstat-0.01.05/faultstat.c:1727:13: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). nchar = read(0, &ch, 1); ANALYSIS SUMMARY: Hits = 26 Lines analyzed = 1777 in approximately 0.05 seconds (32699 lines/second) Physical Source Lines of Code (SLOC) = 1261 Hits@level = [0] 25 [1] 4 [2] 16 [3] 1 [4] 5 [5] 0 Hits@level+ = [0+] 51 [1+] 26 [2+] 22 [3+] 6 [4+] 5 [5+] 0 Hits/KSLOC@level+ = [0+] 40.4441 [1+] 20.6186 [2+] 17.4465 [3+] 4.75813 [4+] 3.96511 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.