Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/argon2.c
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/core.c
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/thread.c
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/encoding.c
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/opt.c
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/ref.c
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/core.h
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/encoding.h
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/thread.h
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2b.c
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2-impl.h
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2.h
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blamka-round-ref.h
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blamka-round-opt.h
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/include/argon2.h
Examining data/haskell-argon2-1.3.0.1/phc-winner-argon2/include/hs_argon2_mangling.h

FINAL RESULTS:

data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/argon2.c:161:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(hash, out, hashlen);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2-impl.h:51:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&w, src, sizeof w);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2-impl.h:66:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&w, src, sizeof w);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2-impl.h:84:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dst, &w, sizeof w);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2-impl.h:99:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dst, &w, sizeof w);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2b.c:158:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(block, key, keylen);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2b.c:245:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&S->buf[left], pin, fill);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2b.c:259:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&S->buf[S->buflen], pin, inlen);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2b.c:287:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(out, buffer, S->outlen);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2b.c:367:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(out, out_buffer, BLAKE2B_OUTBYTES / 2);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2b.c:372:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(in_buffer, out_buffer, BLAKE2B_OUTBYTES);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2b.c:375:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(out, out_buffer, BLAKE2B_OUTBYTES / 2);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2b.c:380:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(in_buffer, out_buffer, BLAKE2B_OUTBYTES);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/blake2/blake2b.c:383:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(out, out_buffer, toproduce);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/core.c:60:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dst->v, src->v, sizeof(uint64_t) * ARGON2_QWORDS_IN_BLOCK);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/core.c:323:17:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&(thr_data[l].pos), &position,
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/encoding.c:381:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dst, str, pp_len + 1); \
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/encoding.c:388:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char tmp[30]; \
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/encoding.c:389:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(tmp, "%lu", (unsigned long)(x)); \
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/opt.c:233:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(state, ((instance->memory + prev_offset)->v), ARGON2_BLOCK_SIZE);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/argon2.c:268:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  encoded_len = strlen(encoded);
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/argon2.c:449:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return strlen("$$v=$m=,t=,p=$$") + strlen(argon2_type2string(type, 0)) +
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/argon2.c:449:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return strlen("$$v=$m=,t=,p=$$") + strlen(argon2_type2string(type, 0)) +
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/encoding.c:263:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t cc_len = strlen(prefix); \
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/encoding.c:273:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t cc_len = strlen(prefix); \
data/haskell-argon2-1.3.0.1/phc-winner-argon2/src/encoding.c:377:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t pp_len = strlen(str); \

ANALYSIS SUMMARY:

Hits = 26
Lines analyzed = 4095 in approximately 0.17 seconds (23764 lines/second)
Physical Source Lines of Code (SLOC) = 2698
Hits@level = [0]   0 [1]   6 [2]  20 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  26 [1+]  26 [2+]  20 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 9.63677 [1+] 9.63677 [2+] 7.4129 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.