Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/http-parser-2.9.3/bench.c
Examining data/http-parser-2.9.3/contrib/parsertrace.c
Examining data/http-parser-2.9.3/contrib/url_parser.c
Examining data/http-parser-2.9.3/http_parser.c
Examining data/http-parser-2.9.3/http_parser.h
Examining data/http-parser-2.9.3/test.c

FINAL RESULTS:

data/http-parser-2.9.3/test.c:3905:20:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  size_t buf1len = sprintf(buf1, "%s\r\nConnection: Keep-Alive\r\nContent-Length: %lu\r\n\r\n",
data/http-parser-2.9.3/test.c:3942:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
  strcat(total, r1->raw);
data/http-parser-2.9.3/test.c:3943:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
  strcat(total, r2->raw);
data/http-parser-2.9.3/test.c:3944:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
  strcat(total, r3->raw);
data/http-parser-2.9.3/test.c:3993:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
  strcat(total, r1->raw);
data/http-parser-2.9.3/test.c:3994:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
  strcat(total, r2->raw);
data/http-parser-2.9.3/test.c:3995:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
  strcat(total, r3->raw);
data/http-parser-2.9.3/test.c:4454:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
    sprintf(buf, "%s / HTTP/1.1\r\n\r\n", *this_method);
data/http-parser-2.9.3/test.c:4474:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
    sprintf(buf, "%s / HTTP/1.1\r\n\r\n", *this_method);
data/http-parser-2.9.3/contrib/parsertrace.c:108:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  FILE* file = fopen(filename, "r");
data/http-parser-2.9.3/http_parser.c:189:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static const char tokens[256] = {
data/http-parser-2.9.3/test.c:54:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char response_status[MAX_ELEMENT_SIZE];
data/http-parser-2.9.3/test.c:55:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char request_path[MAX_ELEMENT_SIZE];
data/http-parser-2.9.3/test.c:56:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char request_url[MAX_ELEMENT_SIZE];
data/http-parser-2.9.3/test.c:57:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char fragment[MAX_ELEMENT_SIZE];
data/http-parser-2.9.3/test.c:58:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char query_string[MAX_ELEMENT_SIZE];
data/http-parser-2.9.3/test.c:59:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char body[MAX_ELEMENT_SIZE];
data/http-parser-2.9.3/test.c:66:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char headers [MAX_HEADERS][2][MAX_ELEMENT_SIZE];
data/http-parser-2.9.3/test.c:2079:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(dst + dlen, src, ncpy);
data/http-parser-2.9.3/test.c:2097:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(dst, src, ncpy);
data/http-parser-2.9.3/test.c:2632:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ubuf[256];                                                    \
data/http-parser-2.9.3/test.c:2635:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(ubuf, (found)->request_url + (u)->field_data[(fn)].off,   \
data/http-parser-2.9.3/test.c:3904:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf1[3000];
data/http-parser-2.9.3/test.c:3935:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char total[ strlen(r1->raw)
data/http-parser-2.9.3/test.c:3988:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char total[80*1024] = "\0";
data/http-parser-2.9.3/test.c:3989:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf1[80*1024] = "\0";
data/http-parser-2.9.3/test.c:3990:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf2[80*1024] = "\0";
data/http-parser-2.9.3/test.c:3991:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf3[80*1024] = "\0";
data/http-parser-2.9.3/test.c:4119:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(buf, headers, headers_len);
data/http-parser-2.9.3/test.c:4124:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(buf + wrote, "400\r\n", 5);
data/http-parser-2.9.3/test.c:4128:5:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
    strcpy(buf + wrote, "\r\n");
data/http-parser-2.9.3/test.c:4132:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(buf + wrote, "0\r\n\r\n", 6);
data/http-parser-2.9.3/test.c:4453:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buf[200];
data/http-parser-2.9.3/test.c:4473:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buf[200];
data/http-parser-2.9.3/contrib/url_parser.c:34:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(argv[2]);
data/http-parser-2.9.3/test.c:2680:47:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    if (http_parser_parse_url(m->request_url, strlen(m->request_url), 0, &u)) {
data/http-parser-2.9.3/test.c:2776:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    off += strlen(m->raw);
data/http-parser-2.9.3/test.c:2779:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      off -= strlen(m->upgrade);
data/http-parser-2.9.3/test.c:2788:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      *(body + nread + strlen(m->upgrade)) = '\0';
data/http-parser-2.9.3/test.c:2809:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t i, j, len = strlen(raw), error_location_line = 0;
data/http-parser-2.9.3/test.c:3451:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                               test->url ? strlen(test->url) : 0,
data/http-parser-2.9.3/test.c:3502:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t raw_len = strlen(message->raw);
data/http-parser-2.9.3/test.c:3507:12:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    size_t read;
data/http-parser-2.9.3/test.c:3518:70:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
      if (!messages[0].headers_complete_cb_called && parser.nread != read) {
data/http-parser-2.9.3/test.c:3519:32:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        assert(parser.nread == read);
data/http-parser-2.9.3/test.c:3520:27:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        print_error(msg1, read);
data/http-parser-2.9.3/test.c:3525:53:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        messages[num_messages - 1].upgrade = msg1 + read;
data/http-parser-2.9.3/test.c:3529:11:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
      if (read != msg1len) {
data/http-parser-2.9.3/test.c:3530:27:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        print_error(msg1, read);
data/http-parser-2.9.3/test.c:3539:51:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
      messages[num_messages - 1].upgrade = msg2 + read;
data/http-parser-2.9.3/test.c:3543:9:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    if (read != msg2len) {
data/http-parser-2.9.3/test.c:3544:25:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
      print_error(msg2, read);
data/http-parser-2.9.3/test.c:3550:9:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    if (read != 0) {
data/http-parser-2.9.3/test.c:3551:33:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
      print_error(message->raw, read);
data/http-parser-2.9.3/test.c:3571:10:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  size_t read;
data/http-parser-2.9.3/test.c:3572:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t l = strlen(message->raw);
data/http-parser-2.9.3/test.c:3579:9:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    if (read != toread) {
data/http-parser-2.9.3/test.c:3580:33:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
      print_error(message->raw, read);
data/http-parser-2.9.3/test.c:3587:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  if (read != 0) {
data/http-parser-2.9.3/test.c:3588:31:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    print_error(message->raw, read);
data/http-parser-2.9.3/test.c:3609:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parse(buf, strlen(buf));
data/http-parser-2.9.3/test.c:3643:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
data/http-parser-2.9.3/test.c:3644:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parsed == strlen(buf));
data/http-parser-2.9.3/test.c:3647:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(buf);
data/http-parser-2.9.3/test.c:3677:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
data/http-parser-2.9.3/test.c:3678:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parsed == strlen(buf));
data/http-parser-2.9.3/test.c:3681:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(buf);
data/http-parser-2.9.3/test.c:3711:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
data/http-parser-2.9.3/test.c:3712:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parsed == strlen(buf));
data/http-parser-2.9.3/test.c:3715:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(buf);
data/http-parser-2.9.3/test.c:3738:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
data/http-parser-2.9.3/test.c:3739:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parsed == strlen(buf));
data/http-parser-2.9.3/test.c:3742:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(buf);
data/http-parser-2.9.3/test.c:3765:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
data/http-parser-2.9.3/test.c:3766:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parsed == strlen(buf));
data/http-parser-2.9.3/test.c:3769:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(buf);
data/http-parser-2.9.3/test.c:3814:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
data/http-parser-2.9.3/test.c:3815:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parsed == strlen(buf));
data/http-parser-2.9.3/test.c:3818:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(buf);
data/http-parser-2.9.3/test.c:3843:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
data/http-parser-2.9.3/test.c:3844:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parsed == strlen(buf));
data/http-parser-2.9.3/test.c:3846:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parser.nread == strlen(buf));
data/http-parser-2.9.3/test.c:3935:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char total[ strlen(r1->raw)
data/http-parser-2.9.3/test.c:3936:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            + strlen(r2->raw)
data/http-parser-2.9.3/test.c:3937:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            + strlen(r3->raw)
data/http-parser-2.9.3/test.c:3948:10:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  size_t read;
data/http-parser-2.9.3/test.c:3950:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  read = parse(total, strlen(total));
data/http-parser-2.9.3/test.c:3953:32:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    upgrade_message_fix(total, read, 3, r1, r2, r3);
data/http-parser-2.9.3/test.c:3957:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  if (read != strlen(total)) {
data/http-parser-2.9.3/test.c:3957:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (read != strlen(total)) {
data/http-parser-2.9.3/test.c:3958:24:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    print_error(total, read);
data/http-parser-2.9.3/test.c:3964:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  if (read != 0) {
data/http-parser-2.9.3/test.c:3965:24:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    print_error(total, read);
data/http-parser-2.9.3/test.c:3997:10:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  size_t read;
data/http-parser-2.9.3/test.c:3999:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int total_len = strlen(total);
data/http-parser-2.9.3/test.c:4037:72:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        if (!messages[0].headers_complete_cb_called && parser.nread != read) {
data/http-parser-2.9.3/test.c:4038:29:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
          print_error(buf1, read);
data/http-parser-2.9.3/test.c:4044:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        if (read != buf1_len) {
data/http-parser-2.9.3/test.c:4045:29:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
          print_error(buf1, read);
data/http-parser-2.9.3/test.c:4053:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        if (read != buf1_len + buf2_len) {
data/http-parser-2.9.3/test.c:4054:29:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
          print_error(buf2, read);
data/http-parser-2.9.3/test.c:4062:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        if (read != buf1_len + buf2_len + buf3_len) {
data/http-parser-2.9.3/test.c:4063:29:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
          print_error(buf3, read);
data/http-parser-2.9.3/test.c:4071:38:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
          upgrade_message_fix(total, read, 3, r1, r2, r3);
data/http-parser-2.9.3/test.c:4115:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t headers_len = strlen(headers);
data/http-parser-2.9.3/test.c:4145:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(msg->raw);
data/http-parser-2.9.3/test.c:4194:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(msg->raw);

ANALYSIS SUMMARY:

Hits = 107
Lines analyzed = 7938 in approximately 0.26 seconds (30956 lines/second)
Physical Source Lines of Code (SLOC) = 6461
Hits@level = [0]  91 [1]  73 [2]  25 [3]   0 [4]   9 [5]   0
Hits@level+ = [0+] 198 [1+] 107 [2+]  34 [3+]   9 [4+]   9 [5+]   0
Hits/KSLOC@level+ = [0+] 30.6454 [1+] 16.5609 [2+] 5.26234 [3+] 1.39297 [4+] 1.39297 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.