Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/compat.h
Examining data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvbench.c
Examining data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvstress.c
Examining data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvecho.c
FINAL RESULTS:
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/compat.h:226:11: [4] (buffer) sscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function. If the scanf format is influenceable by an
attacker, it's exploitable.
res = sscanf(s, GUID_FMT,
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvbench.c:37:13: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
printf(__VA_ARGS__); \
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvbench.c:44:13: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
printf(__VA_ARGS__); \
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvbench.c:51:13: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
printf(__VA_ARGS__); \
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvstress.c:44:13: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
printf(__VA_ARGS__); \
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvstress.c:51:13: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
printf(__VA_ARGS__); \
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvstress.c:58:13: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
printf(__VA_ARGS__); \
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvstress.c:426:9: [3] (random) srand:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
srand(time(NULL) + args->id);
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/compat.h:121:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char svm_zero[sizeof(struct sockaddr) -
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvbench.c:25:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char buf[MAX_BUF_LEN];
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvbench.c:500:25: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
opt_msgsz = atoi(argv[++i]);
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvecho.c:35:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char recvbuf[MY_BUFLEN];
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvecho.c:156:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char recvbuf[MY_BUFLEN];
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvstress.c:67:17: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static unsigned char sendbuf[RXTX_BUF_LEN];
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvstress.c:107:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char recvbuf[RXTX_BUF_LEN];
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvstress.c:292:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char tmp[128];
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvstress.c:329:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char recvbuf[RXTX_BUF_LEN];
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvstress.c:331:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char tmp[128];
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvstress.c:512:25: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
opt_conns = atoi(argv[++i]);
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvstress.c:519:23: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
opt_par = atoi(argv[++i]);
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvstress.c:526:27: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
opt_max_len = atoi(argv[++i]);
data/golang-github-linuxkit-virtsock-0.0~git20170720.0.0416e3d/c/hvecho.c:192:34: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
res = send(fd, sendbuf, (int)strlen(sendbuf), 0);
ANALYSIS SUMMARY:
Hits = 22
Lines analyzed = 1808 in approximately 0.07 seconds (27015 lines/second)
Physical Source Lines of Code (SLOC) = 1435
Hits@level = [0] 102 [1] 1 [2] 13 [3] 1 [4] 7 [5] 0
Hits@level+ = [0+] 124 [1+] 22 [2+] 21 [3+] 8 [4+] 7 [5+] 0
Hits/KSLOC@level+ = [0+] 86.4111 [1+] 15.331 [2+] 14.6341 [3+] 5.57491 [4+] 4.87805 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.