Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shiny/driver/gldriver/x11.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/nbody.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fannkuch.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/spectral-norm.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/pidigits.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/threadring.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/binary-tree.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/mandelbrot.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/k-nucleotide.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/reverse-complement.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/regex-dna.c

FINAL RESULTS:

data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c:129:16:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  ochar += sprintf( outbuf + ochar, " %s", NUMBERS[ tmp[i] - '0' ] );
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c:251:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf( str, "%u%s", cr->count, numstr );
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:67:23:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  random_init(random_t *random) {
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:74:30:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  random_next_lookup(random_t *random) {
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:75:17:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  *random = (*random*IA + IC)%IM;
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:77:14:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  return (*random)*(LOOKUP_SCALE/IM);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/binary-tree.c:107:9:  [2] (integer) atol:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  N = atol(argv[1]);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c:118:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tmp[64];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c:126:12:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  ichar = sprintf(tmp, "%d", n);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c:248:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char numstr[256];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c:260:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char str[256];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c:318:26:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  int n = (argc == 2) ? atoi(argv[1]) : 600;
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fannkuch.c:132:25:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  int n = (argc>1) ? atoi(argv[1]) : 0;
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:89:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[len + LINE_LEN];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:92:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buffer, alu, len);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:93:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buffer + len, alu, LINE_LEN);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:146:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char line_buffer[LINE_LEN + 1];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:209:24:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  int n = argc > 1 ? atoi( argv[1] ) : 512;
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/k-nucleotide.c:180:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[4096];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/mandelbrot.c:54:13:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  w = h = atoi(argv[1]);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:92:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char piece_def[10][4] = {
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:118:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char next_cell[10][50][12];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:339:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char temp_board[50];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:370:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char rotation, cell[5];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:410:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char all_rows[32] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:533:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char sol_nums[10];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:535:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  signed char solutions[2100][50];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:619:23:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  max_solutions = atoi(argv[1]);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/nbody.c:163:11:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  int n = atoi(argv[1]);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/pidigits.c:123:23:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  pidigits(argc > 1 ? atoi(argv[1]) : 27);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/regex-dna.c:101:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(dp, src->buf+pos, clen);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/regex-dna.c:102:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(dp+clen, r, rlen);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/regex-dna.c:107:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(dp, src->buf+pos, clen);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/reverse-complement.c:58:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char xtab[256] = VALL; // char conversion table
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/spectral-norm.c:72:26:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  int N = ((argc == 2) ? atoi(argv[1]) : 2000);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/threadring.c:54:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char x[PTHREAD_STACK_MIN];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/threadring.c:95:14:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  data[0] = atoi(argv[1]);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:88:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int len = strlen(alu);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/k-nucleotide.c:157:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  fl = strlen(searchFor);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/k-nucleotide.c:203:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sz = strlen(buffer);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/regex-dna.c:95:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (dst->len = 0, rlen = strlen(r), pos = 0;

ANALYSIS SUMMARY:

Hits = 41
Lines analyzed = 2887 in approximately 0.27 seconds (10872 lines/second)
Physical Source Lines of Code (SLOC) = 1884
Hits@level = [0]  48 [1]   4 [2]  31 [3]   4 [4]   2 [5]   0
Hits@level+ = [0+]  89 [1+]  41 [2+]  37 [3+]   6 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 47.2399 [1+] 21.7622 [2+] 19.6391 [3+] 3.18471 [4+] 1.06157 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
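The two [4] sprintf hits and the [2] atoi/atol hits in the report share two idioms: an unbounded sprintf into a fixed char array (chameneosredux.c:129 accumulates with `ochar += sprintf(outbuf + ochar, ...)`, :251 formats `"%u%s"` into `str`), and an unchecked conversion of argv[1] in every benchmark's main(). What follows is an added example, not the shootout's code and not part of Flawfinder's output, showing the bounded forms the report recommends: strtol with explicit minimum and maximum checks in place of atoi/atol, and snprintf with truncation detection in place of sprintf, including the accumulating pattern. The NUMBERS table is assumed to mirror the one chameneosredux.c indexes with `tmp[i] - '0'`; the function names parse_count, format_count and spell_digits and the 1..100000 range are choices made here. The [3] random hits are not covered: they are name matches on the benchmark's own generator (random_init, random_next_lookup, a parameter named random), which is what Flawfinder's name-based rules key on, and they only matter if that generator were reused for keys or nonces.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Spelled-out digits; assumed to mirror the NUMBERS table that
   chameneosredux.c indexes with tmp[i] - '0' (this table is an assumption). */
static const char *const NUMBERS[] = {
    "zero", "one", "two", "three", "four",
    "five", "six", "seven", "eight", "nine"
};

/* Replacement for the unchecked atoi(argv[1]) / atol(argv[1]) calls (CWE-190).
   Accepts only a complete decimal number within [lo, hi]; rejects empty input,
   trailing junk, overflow of long (ERANGE) and out-of-range values. */
bool parse_count(const char *s, long lo, long hi, long *out)
{
    if (s == NULL || *s == '\0' || out == NULL)
        return false;
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE)            /* magnitude does not fit in a long */
        return false;
    if (end == s || *end != '\0')   /* no digits, or something after them */
        return false;
    if (v < lo || v > hi)           /* caller's explicit minimum and maximum */
        return false;
    *out = v;
    return true;
}

/* Bounded form of sprintf(str, "%u%s", cr->count, numstr) (CWE-120).
   Returns the length written, or -1 if the result would not fit in dst.
   snprintf never writes past dstsz; a truncated result is discarded
   rather than silently handed back to the caller. */
int format_count(char *dst, size_t dstsz, unsigned count, const char *numstr)
{
    if (dst == NULL || dstsz == 0 || numstr == NULL)
        return -1;
    int n = snprintf(dst, dstsz, "%u%s", count, numstr);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Bounded form of the accumulating loop
       ochar += sprintf(outbuf + ochar, " %s", NUMBERS[tmp[i] - '0']);
   Each append is given only the space still free, and snprintf's return
   value is checked before the offset advances.
   Returns the total length, or -1 if out is too small. */
int spell_digits(unsigned n, char *out, size_t outsz)
{
    char tmp[16];                              /* %u of a 32-bit value: at most 10 digits */
    int ichar = snprintf(tmp, sizeof tmp, "%u", n);
    if (ichar < 0 || (size_t)ichar >= sizeof tmp)
        return -1;
    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    size_t used = 0;
    for (int i = 0; i < ichar; i++) {
        size_t room = outsz - used;
        int w = snprintf(out + used, room, " %s", NUMBERS[tmp[i] - '0']);
        if (w < 0 || (size_t)w >= room) {      /* would have overrun the buffer */
            out[0] = '\0';
            return -1;
        }
        used += (size_t)w;
    }
    return (int)used;
}

int main(int argc, char **argv)
{
    /* Same shape as the benchmark's main(): n from argv[1], default 600,
       but the argument is rejected unless it is a sane count. */
    long n = 600;
    if (argc > 1 && !parse_count(argv[1], 1, 100000, &n)) {
        fprintf(stderr, "usage: %s [1..100000]\n", argv[0]);
        return 2;
    }
    char words[256], str[256];
    if (spell_digits((unsigned)n, words, sizeof words) < 0 ||
        format_count(str, sizeof str, (unsigned)n, words) < 0) {
        fprintf(stderr, "output buffer too small\n");
        return 1;
    }
    puts(str);   /* e.g. "42 four two" for argv[1] == "42" */
    return 0;
}
```

The point of returning -1 and clearing the buffer on truncation is that the caller learns about the overflow that sprintf would have silently committed; a program that goes on to print or parse a truncated string is still wrong, just no longer memory-unsafe.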