Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shiny/driver/gldriver/x11.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/nbody.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fannkuch.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/spectral-norm.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/pidigits.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/threadring.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/binary-tree.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/mandelbrot.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/k-nucleotide.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/reverse-complement.c
Examining data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/regex-dna.c

FINAL RESULTS:

data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c:129:16:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
      ochar += sprintf( outbuf + ochar, " %s", NUMBERS[ tmp[i] - '0' ] );
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c:251:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
   sprintf( str, "%u%s", cr->count, numstr );
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:67:23:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
random_init(random_t *random) {
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:74:30:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
random_next_lookup(random_t *random) {
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:75:17:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
    *random = (*random*IA + IC)%IM;
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:77:14:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
    return (*random)*(LOOKUP_SCALE/IM);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/binary-tree.c:107:9:  [2] (integer) atol:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
    N = atol(argv[1]);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c:118:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   char tmp[64];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c:126:12:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
   ichar = sprintf(tmp, "%d", n);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c:248:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   char numstr[256];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c:260:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   char str[256];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/chameneosredux.c:318:26:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
   int n = (argc == 2) ? atoi(argv[1]) : 600;
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fannkuch.c:132:25:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
    int		n = (argc>1) ? atoi(argv[1]) : 0;
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:89:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buffer[len + LINE_LEN];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:92:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(buffer, alu, len);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:93:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(buffer + len, alu, LINE_LEN);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:146:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char line_buffer[LINE_LEN + 1];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:209:24:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
    int n = argc > 1 ? atoi( argv[1] ) : 512;
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/k-nucleotide.c:180:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   char buffer[4096];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/mandelbrot.c:54:13:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
    w = h = atoi(argv[1]);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:92:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
char piece_def[10][4] = {
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:118:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
char next_cell[10][50][12];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:339:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   char temp_board[50];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:370:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   char rotation, cell[5];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:410:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
char all_rows[32] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:533:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
char sol_nums[10];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:535:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
signed char solutions[2100][50];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/meteor-contest.c:619:23:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
      max_solutions = atoi(argv[1]);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/nbody.c:163:11:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  int n = atoi(argv[1]);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/pidigits.c:123:23:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  pidigits(argc > 1 ? atoi(argv[1]) : 27);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/regex-dna.c:101:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(dp, src->buf+pos, clen);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/regex-dna.c:102:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(dp+clen, r, rlen);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/regex-dna.c:107:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dp, src->buf+pos, clen);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/reverse-complement.c:58:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char xtab[256] = VALL;         // char conversion table
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/spectral-norm.c:72:26:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  int N = ((argc == 2) ? atoi(argv[1]) : 2000);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/threadring.c:54:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
   char x[PTHREAD_STACK_MIN];
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/threadring.c:95:14:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
   data[0] = atoi(argv[1]);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/fasta.c:88:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    int len = strlen(alu);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/k-nucleotide.c:157:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
   fl = strlen(searchFor);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/k-nucleotide.c:203:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	sz = strlen(buffer);
data/golang-golang-x-exp-0.0~git20181112.a3060d4/shootout/regex-dna.c:95:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (dst->len = 0, rlen = strlen(r), pos = 0;

ANALYSIS SUMMARY:

Hits = 41
Lines analyzed = 2887 in approximately 0.27 seconds (10872 lines/second)
Physical Source Lines of Code (SLOC) = 1884
Hits@level = [0]  48 [1]   4 [2]  31 [3]   4 [4]   2 [5]   0
Hits@level+ = [0+]  89 [1+]  41 [2+]  37 [3+]   6 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 47.2399 [1+] 21.7622 [2+] 19.6391 [3+] 3.18471 [4+] 1.06157 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.