Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/gadap-2.0/src/Connections.cc
Examining data/gadap-2.0/src/Connections.h
Examining data/gadap-2.0/src/gadap.h
Examining data/gadap-2.0/src/gadap_err.h
Examining data/gadap-2.0/src/gadap_types.h
Examining data/gadap-2.0/src/NCTypeFactory.cc
Examining data/gadap-2.0/src/NCTypeFactory.h
Examining data/gadap-2.0/src/gaBaseTypes.h
Examining data/gadap-2.0/src/gaTypeFactory.h
Examining data/gadap-2.0/src/gaBaseTypes.cc
Examining data/gadap-2.0/src/gaConnect.cc
Examining data/gadap-2.0/src/gaConnect.h
Examining data/gadap-2.0/src/gaReports.cc
Examining data/gadap-2.0/src/gaReports.h
Examining data/gadap-2.0/src/gaTypeFactory.cc
Examining data/gadap-2.0/src/gaUtils.cc
Examining data/gadap-2.0/src/gaUtils.h
Examining data/gadap-2.0/src/gadap.cc
Examining data/gadap-2.0/test/test.cc

FINAL RESULTS:

data/gadap-2.0/src/gaConnect.cc:348:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(query->url, request_url.c_str());
data/gadap-2.0/src/gaReports.cc:204:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(str,buf->c_str());
data/gadap-2.0/src/gaReports.cc:223:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(str,buf->c_str());
data/gadap-2.0/test/test.cc:121:19:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  int varindex1 = atoi(argv[2]);
data/gadap-2.0/test/test.cc:122:19:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  int varindex2 = atoi(argv[3]);
data/gadap-2.0/src/gaBaseTypes.cc:53:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  bool gaStr::read(const string &dataset) {
data/gadap-2.0/src/gaBaseTypes.cc:78:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  bool gaUrl::read(const string &dataset) {
data/gadap-2.0/src/gaBaseTypes.cc:101:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  virtual bool read(const string &dataset) {
data/gadap-2.0/src/gaBaseTypes.cc:114:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  virtual bool read(const string &dataset) {
data/gadap-2.0/src/gaBaseTypes.cc:127:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  virtual bool read(const string &dataset) {
data/gadap-2.0/src/gaBaseTypes.cc:140:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  virtual bool read(const string &dataset) {
data/gadap-2.0/src/gaBaseTypes.cc:153:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  virtual bool read(const string &dataset) {
data/gadap-2.0/src/gaBaseTypes.cc:166:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  virtual bool read(const string &dataset) {
data/gadap-2.0/src/gaBaseTypes.cc:179:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  virtual bool read(const string &dataset) {
data/gadap-2.0/src/gaBaseTypes.cc:192:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  virtual bool read(const string &dataset) {
data/gadap-2.0/src/gaBaseTypes.cc:205:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  virtual bool read(const string &dataset) {
data/gadap-2.0/src/gaBaseTypes.cc:218:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  virtual bool read(const string &dataset) {
data/gadap-2.0/src/gaBaseTypes.cc:232:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  virtual bool read(const string &dataset) {
data/gadap-2.0/src/gaBaseTypes.cc:245:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  virtual bool read(const string &dataset) {
data/gadap-2.0/src/gaBaseTypes.h:40:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  virtual bool read(const string &dataset);
data/gadap-2.0/src/gaBaseTypes.h:54:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  virtual bool read(const string &dataset);

ANALYSIS SUMMARY:

Hits = 21
Lines analyzed = 3895 in approximately 0.14 seconds (28118 lines/second)
Physical Source Lines of Code (SLOC) = 2135
Hits@level = [0]   0 [1]  16 [2]   2 [3]   0 [4]   3 [5]   0
Hits@level+ = [0+]  21 [1+]  21 [2+]   5 [3+]   3 [4+]   3 [5+]   0
Hits/KSLOC@level+ = [0+] 9.83607 [1+] 9.83607 [2+] 2.34192 [3+] 1.40515 [4+] 1.40515 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.