Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/hoel-1.4.16/examples/example_mariadb.c
Examining data/hoel-1.4.16/examples/example_mariadb_binary.c
Examining data/hoel-1.4.16/examples/example_mariadb_json.c
Examining data/hoel-1.4.16/examples/example_pgsql.c
Examining data/hoel-1.4.16/examples/example_sqlite3.c
Examining data/hoel-1.4.16/include/h-private.h
Examining data/hoel-1.4.16/include/hoel.h
Examining data/hoel-1.4.16/src/hoel-mariadb.c
Examining data/hoel-1.4.16/src/hoel-pgsql.c
Examining data/hoel-1.4.16/src/hoel-simple-json.c
Examining data/hoel-1.4.16/src/hoel-sqlite.c
Examining data/hoel-1.4.16/src/hoel.c
Examining data/hoel-1.4.16/test/core.c
Examining data/hoel-1.4.16/test/multi.c

FINAL RESULTS:

data/hoel-1.4.16/examples/example_mariadb.c:18:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[64];
data/hoel-1.4.16/examples/example_pgsql.c:19:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[64];
data/hoel-1.4.16/src/hoel-mariadb.c:244:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char date_stamp[20];
data/hoel-1.4.16/src/hoel.c:241:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
          memcpy(((struct _h_type_text *)tmp[cols].t_data)->value, ((struct _h_type_text *)data->t_data)->value, (((struct _h_type_text *)data->t_data)->length+1));
data/hoel-1.4.16/src/hoel.c:260:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
          memcpy(((struct _h_type_blob *)tmp[cols].t_data)->value, ((struct _h_type_blob *)data->t_data)->value, ((struct _h_type_blob *)data->t_data)->length);
data/hoel-1.4.16/src/hoel.c:535:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(((struct _h_type_text *)data->t_data)->value, value, length);
data/hoel-1.4.16/src/hoel.c:567:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(((struct _h_type_blob *)data->t_data)->value, value, length);
data/hoel-1.4.16/src/hoel-mariadb.c:124:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char * escaped = o_malloc(2 * strlen(unsafe) + sizeof(char));
data/hoel-1.4.16/src/hoel-mariadb.c:129:97:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  mysql_real_escape_string(((struct _h_mariadb *)conn->connection)->db_handle, escaped, unsafe, strlen(unsafe));
data/hoel-1.4.16/src/hoel-pgsql.c:159:94:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char * escaped = PQescapeLiteral(((struct _h_pgsql *)conn->connection)->db_handle, unsafe, strlen(unsafe)), * to_return = NULL;
data/hoel-1.4.16/src/hoel-pgsql.c:174:94:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char * escaped = PQescapeLiteral(((struct _h_pgsql *)conn->connection)->db_handle, unsafe, strlen(unsafe)), * to_return = NULL;
data/hoel-1.4.16/src/hoel-sqlite.c:146:93:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sql_result = sqlite3_prepare_v2(((struct _h_sqlite *)conn->connection)->db_handle, query, strlen(query)+1, &stmt, NULL);
data/hoel-1.4.16/src/hoel-sqlite.c:250:93:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sql_result = sqlite3_prepare_v2(((struct _h_sqlite *)conn->connection)->db_handle, query, strlen(query)+1, &stmt, NULL);
data/hoel-1.4.16/test/core.c:279:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("INSERT INTO test_table (integer_col,string_col,date_col) VALUES (1,'value1',date('now'))"));
data/hoel-1.4.16/test/core.c:279:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("INSERT INTO test_table (integer_col,string_col,date_col) VALUES (1,'value1',date('now'))"));
data/hoel-1.4.16/test/core.c:333:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("UPDATE test_table SET string_col='new value1' WHERE integer_col='1'"));
data/hoel-1.4.16/test/core.c:333:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("UPDATE test_table SET string_col='new value1' WHERE integer_col='1'"));
data/hoel-1.4.16/test/core.c:403:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("DELETE FROM test_table WHERE integer_col='1'"));
data/hoel-1.4.16/test/core.c:403:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("DELETE FROM test_table WHERE integer_col='1'"));
data/hoel-1.4.16/test/core.c:467:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE 1=1  "));
data/hoel-1.4.16/test/core.c:467:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE 1=1  "));
data/hoel-1.4.16/test/core.c:482:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col='1'  "));
data/hoel-1.4.16/test/core.c:482:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col='1'  "));
data/hoel-1.4.16/test/core.c:497:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE string_col='value1'  "));
data/hoel-1.4.16/test/core.c:497:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE string_col='value1'  "));
data/hoel-1.4.16/test/core.c:512:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE string_col='value''to''escape'  "));
data/hoel-1.4.16/test/core.c:512:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE string_col='value''to''escape'  "));
data/hoel-1.4.16/test/core.c:526:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col IS NOT NULL  "));
data/hoel-1.4.16/test/core.c:526:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col IS NOT NULL  "));
data/hoel-1.4.16/test/core.c:544:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col >6  "));
data/hoel-1.4.16/test/core.c:544:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col >6  "));
data/hoel-1.4.16/test/core.c:563:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE string_col IS NOT NULL AND integer_col >=1  "));
data/hoel-1.4.16/test/core.c:563:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE string_col IS NOT NULL AND integer_col >=1  "));
data/hoel-1.4.16/test/core.c:578:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col IS NULL  "));
data/hoel-1.4.16/test/core.c:578:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col IS NULL  "));
data/hoel-1.4.16/test/core.c:597:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col IN (42,66)  "));
data/hoel-1.4.16/test/core.c:597:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col IN (42,66)  "));
data/hoel-1.4.16/test/multi.c:346:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("INSERT INTO test_table (integer_col,string_col,date_col) VALUES (1,'value1',"NOW")"));
data/hoel-1.4.16/test/multi.c:346:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("INSERT INTO test_table (integer_col,string_col,date_col) VALUES (1,'value1',"NOW")"));
data/hoel-1.4.16/test/multi.c:414:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("UPDATE test_table SET string_col='new value1' WHERE integer_col='1'"));
data/hoel-1.4.16/test/multi.c:414:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("UPDATE test_table SET string_col='new value1' WHERE integer_col='1'"));
data/hoel-1.4.16/test/multi.c:498:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("DELETE FROM test_table WHERE integer_col='1'"));
data/hoel-1.4.16/test/multi.c:498:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("DELETE FROM test_table WHERE integer_col='1'"));
data/hoel-1.4.16/test/multi.c:582:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE 1=1  "));
data/hoel-1.4.16/test/multi.c:582:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE 1=1  "));
data/hoel-1.4.16/test/multi.c:597:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col='1'  "));
data/hoel-1.4.16/test/multi.c:597:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col='1'  "));
data/hoel-1.4.16/test/multi.c:612:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE string_col='value1'  "));
data/hoel-1.4.16/test/multi.c:612:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE string_col='value1'  "));
data/hoel-1.4.16/test/multi.c:627:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE string_col='value''to''escape'  "));
data/hoel-1.4.16/test/multi.c:627:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE string_col='value''to''escape'  "));
data/hoel-1.4.16/test/multi.c:641:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col IS NOT NULL  "));
data/hoel-1.4.16/test/multi.c:641:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col IS NOT NULL  "));
data/hoel-1.4.16/test/multi.c:659:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col >6  "));
data/hoel-1.4.16/test/multi.c:659:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col >6  "));
data/hoel-1.4.16/test/multi.c:678:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE string_col IS NOT NULL AND integer_col >=1  "));
data/hoel-1.4.16/test/multi.c:678:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE string_col IS NOT NULL AND integer_col >=1  "));
data/hoel-1.4.16/test/multi.c:693:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col IS NULL  "));
data/hoel-1.4.16/test/multi.c:693:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col IS NULL  "));
data/hoel-1.4.16/test/multi.c:712:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col IN (42,66)  "));
data/hoel-1.4.16/test/multi.c:712:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ck_assert_int_eq(strlen(str_query), strlen("SELECT * FROM test_table WHERE integer_col IN (42,66)  "));

ANALYSIS SUMMARY:

Hits = 61
Lines analyzed = 5717 in approximately 0.23 seconds (24934 lines/second)
Physical Source Lines of Code (SLOC) = 3963
Hits@level = [0]  66 [1]  54 [2]   7 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+] 127 [1+]  61 [2+]   7 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 32.0464 [1+] 15.3924 [2+] 1.76634 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.