Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/jigit-1.22/md5.c
Examining data/jigit-1.22/jigdump.c
Examining data/jigit-1.22/mkimage.c
Examining data/jigit-1.22/endian.h
Examining data/jigit-1.22/jig-base64.h
Examining data/jigit-1.22/rsync.c
Examining data/jigit-1.22/jig-base64.c
Examining data/jigit-1.22/jigdo.h
Examining data/jigit-1.22/uncompress.c
Examining data/jigit-1.22/endian.c
Examining data/jigit-1.22/jigsum-sha256.c
Examining data/jigit-1.22/jigsum.c
Examining data/jigit-1.22/extract-data.c
Examining data/jigit-1.22/md5.h
Examining data/jigit-1.22/parallel-sums.c
Examining data/jigit-1.22/libjte/sha512.h
Examining data/jigit-1.22/libjte/test/demo.c
Examining data/jigit-1.22/libjte/md5.c
Examining data/jigit-1.22/libjte/libjte.h
Examining data/jigit-1.22/libjte/jte.h
Examining data/jigit-1.22/libjte/sha256.c
Examining data/jigit-1.22/libjte/rsync.h
Examining data/jigit-1.22/libjte/sha256.h
Examining data/jigit-1.22/libjte/rsync.c
Examining data/jigit-1.22/libjte/checksum.c
Examining data/jigit-1.22/libjte/sha512.c
Examining data/jigit-1.22/libjte/libjte_private.h
Examining data/jigit-1.22/libjte/checksum.h
Examining data/jigit-1.22/libjte/jte.c
Examining data/jigit-1.22/libjte/endian.c
Examining data/jigit-1.22/libjte/libjte.c
Examining data/jigit-1.22/libjte/sha1.h
Examining data/jigit-1.22/libjte/sha1.c
Examining data/jigit-1.22/libjte/md5.h
Examining data/jigit-1.22/libjte/endianconv.h

FINAL RESULTS:

data/jigit-1.22/jigdump.c:270:11:  [4] (buffer) sscanf:
  The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. If the scanf format is influenceable by an attacker, it's exploitable.
  ret = sscanf((char *)buf, HEADER_STRING" %s %s", format_version, generator);
data/jigit-1.22/libjte/checksum.c:678:9:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(buf, "%s %s", info->prog, filename);
data/jigit-1.22/libjte/checksum.c:679:9:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  system(buf);
data/jigit-1.22/libjte/jte.c:449:13:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(new_name, "%s:%s", entry->to, &filename[strlen(entry->from)]);
data/jigit-1.22/libjte/jte.c:508:14:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  i += sprintf(p, "JigsawDownload template %s libjte-%d.%d.%d \r\n",
data/jigit-1.22/libjte/jte.c:512:14:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  i += sprintf(p, "JigsawDownload template %s libjte-%d.%d.%d \r\n",
data/jigit-1.22/libjte/jte.c:517:10:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  i += sprintf(p, "%s \r\n", JTE_COMMENT);
data/jigit-1.22/libjte/jte.c:1412:9:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(o->message_buffer, "cannot open '%s': (%d)",
data/jigit-1.22/libjte/jte.c:1415:9:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(o->message_buffer, "cannot open '%s': %s",
data/jigit-1.22/libjte/jte.c:1430:13:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/libjte.c:194:13:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/libjte.c:262:9:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(o->message_buffer, "Invalid checksum algorithm name in '%s'",
data/jigit-1.22/libjte/libjte.c:457:9:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(o->message_buffer, "Attempted to call libjte_write_match_record() after choosing checksum algorithm '%s'",
data/jigit-1.22/libjte/libjte.c:489:9:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(o->message_buffer, "Attempted to call libjte_decide_file_jigdo() after choosing checksum algorithm '%s'",
data/jigit-1.22/mkimage.c:284:13:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(path, "%s/%s", entry->mirror_path, jigdo_name);
data/jigit-1.22/jigsum-sha256.c:242:13:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  c = getopt(argc, argv, "cv");
data/jigit-1.22/jigsum.c:241:13:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  c = getopt(argc, argv, "cv");
data/jigit-1.22/mkimage.c:1336:13:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  c = getopt(argc, argv, ":ql:o:j:t:f:F:m:M:h?s:e:zvO");
data/jigit-1.22/parallel-sums.c:212:13:  [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  c = getopt_long(argc, argv, "", opts, &option_index);
data/jigit-1.22/extract-data.c:35:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  in_file = fopen(in_filename, "rb");
data/jigit-1.22/extract-data.c:42:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  out_file = fopen(out_filename, "wb");
data/jigit-1.22/jigdump.c:266:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char format_version[BUF_SIZE] = {0};
data/jigit-1.22/jigdump.c:267:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char generator[BUF_SIZE] = {0};
data/jigit-1.22/jigdump.c:323:10:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fd = open(filename, O_RDONLY);
data/jigit-1.22/jigsum-sha256.c:45:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[BUF_SIZE];
data/jigit-1.22/jigsum-sha256.c:46:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char file_sha256[CKSUM_BYTES] = {0};
data/jigit-1.22/jigsum-sha256.c:61:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  file = fopen(filename, "rb");
data/jigit-1.22/jigsum-sha256.c:133:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(sha256, base64_sha256, BASE64_CKSUM_BYTES + 1);
data/jigit-1.22/jigsum-sha256.c:149:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char base64_sha256[BASE64_CKSUM_BYTES + 1] = {0};
data/jigit-1.22/jigsum-sha256.c:157:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  file = fopen(filename, "rb");
data/jigit-1.22/jigsum-sha256.c:234:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char base64_sha256[BASE64_CKSUM_BYTES];
data/jigit-1.22/jigsum.c:44:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[BUF_SIZE];
data/jigit-1.22/jigsum.c:45:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char file_md5[CKSUM_BYTES] = {0};
data/jigit-1.22/jigsum.c:60:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  file = fopen(filename, "rb");
data/jigit-1.22/jigsum.c:132:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(md5, base64_md5, BASE64_CKSUM_BYTES + 1);
data/jigit-1.22/jigsum.c:148:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char base64_md5[BASE64_CKSUM_BYTES + 1] = {0};
data/jigit-1.22/jigsum.c:156:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  file = fopen(filename, "rb");
data/jigit-1.22/jigsum.c:233:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char base64_md5[BASE64_CKSUM_BYTES];
data/jigit-1.22/libjte/checksum.c:64:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(digest, sha1_read(context), 20);
data/jigit-1.22/libjte/checksum.c:193:14:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  p += sprintf(p, "%2.2x", buf[i]);
data/jigit-1.22/libjte/checksum.c:449:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(digest, c->algo[which].digest, algorithms[which].digest_size);
data/jigit-1.22/libjte/checksum.c:533:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[32768];
data/jigit-1.22/libjte/checksum.c:546:14:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  infile = fopen(filename, "rb");
data/jigit-1.22/libjte/checksum.c:615:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[1024];
data/jigit-1.22/libjte/checksum.c:629:10:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fd = open(filename, O_RDONLY);
data/jigit-1.22/libjte/checksum.c:665:18:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char r[64];
data/jigit-1.22/libjte/jte.c:109:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer, "Out of memory for %.f new bytes",
data/jigit-1.22/libjte/jte.c:239:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:283:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:294:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:323:25:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:395:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:443:17:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:476:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[2048];
data/jigit-1.22/libjte/jte.c:483:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:500:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:520:10:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  i += sprintf(p, "\r\n");
data/jigit-1.22/libjte/jte.c:542:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(new->checksum, checksum, check_algos[o->checksum_algo].raw_bytes);
data/jigit-1.22/libjte/jte.c:581:39:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static uint64_t parse_number(unsigned char in[12])
data/jigit-1.22/libjte/jte.c:609:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buf[1024];
data/jigit-1.22/libjte/jte.c:624:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer, "Ignoring call with checksum list file '%1.1024s'",
data/jigit-1.22/libjte/jte.c:634:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer, "cannot allocate memory to read from checksum list file '%1.1024s'",
data/jigit-1.22/libjte/jte.c:642:21:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  checksum_file = fopen(o->jchecksum_list, "rb");
data/jigit-1.22/libjte/jte.c:645:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer, "cannot open checksum list file '%1.1024s'",
data/jigit-1.22/libjte/jte.c:659:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer, "cannot read from checksum list file '%1.1024s'",
data/jigit-1.22/libjte/jte.c:681:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer, "invalid checksum list file '%1.1024s' - wrong checksum type?",
data/jigit-1.22/libjte/jte.c:702:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer, "cannot parse checksum file '%1.1024s'",
data/jigit-1.22/libjte/jte.c:715:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer, "cannot add checksum entry to list from file '%1.1024s', error %d",
data/jigit-1.22/libjte/jte.c:726:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:750:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer, "cannot allocate iso checksum contexts");
data/jigit-1.22/libjte/jte.c:778:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char comp_size_out[6];
data/jigit-1.22/libjte/jte.c:779:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char uncomp_size_out[6];
data/jigit-1.22/libjte/jte.c:872:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char comp_size_out[6];
data/jigit-1.22/libjte/jte.c:873:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char uncomp_size_out[6];
data/jigit-1.22/libjte/jte.c:979:20:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:1015:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&(o->uncomp_buf[o->uncomp_buf_used]), buffer, size);
data/jigit-1.22/libjte/jte.c:1026:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char out_len[6];
data/jigit-1.22/libjte/jte.c:1139:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:1152:14:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  p += sprintf(p, "%c", b64_enc[(value >> bits) & 63U]);
data/jigit-1.22/libjte/jte.c:1155:18:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  p += sprintf(p, "%c", b64_enc[(value >> bits) & 63U]);
data/jigit-1.22/libjte/jte.c:1161:14:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  p += sprintf(p, "%c", b64_enc[value & 63U]);
data/jigit-1.22/libjte/jte.c:1167:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char *uint64_to_dec(uint64_t num, char dec[40])
data/jigit-1.22/libjte/jte.c:1167:42:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char *uint64_to_dec(uint64_t num, char dec[40])
data/jigit-1.22/libjte/jte.c:1196:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *b64, dec[40];
data/jigit-1.22/libjte/jte.c:1201:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/jte.c:1349:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(new_entry->data.file.checksum, checksum, check_algos[o->checksum_algo].raw_bytes);
data/jigit-1.22/libjte/jte.c:1401:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[32768];
data/jigit-1.22/libjte/jte.c:1410:19:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((infile = fopen(filename, "rb")) == NULL) {
data/jigit-1.22/libjte/jte.h:156:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char fileLen[6];
data/jigit-1.22/libjte/jte.h:157:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char fileRsync[8];
data/jigit-1.22/libjte/jte.h:158:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char fileMD5[MD5_BYTES];
data/jigit-1.22/libjte/jte.h:164:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char fileLen[6];
data/jigit-1.22/libjte/jte.h:165:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char fileRsync[8];
data/jigit-1.22/libjte/jte.h:166:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char fileSHA256[SHA256_BYTES];
data/jigit-1.22/libjte/jte.h:172:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char skipLen[6];
data/jigit-1.22/libjte/jte.h:178:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char imageLen[6];
data/jigit-1.22/libjte/jte.h:179:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char imageMD5[MD5_BYTES];
data/jigit-1.22/libjte/jte.h:180:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char blockLen[4];
data/jigit-1.22/libjte/jte.h:186:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char imageLen[6];
data/jigit-1.22/libjte/jte.h:187:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char imageSHA256[SHA256_BYTES];
data/jigit-1.22/libjte/jte.h:188:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char blockLen[4];
data/jigit-1.22/libjte/libjte.c:324:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/libjte.c:334:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/libjte.c:393:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/libjte.c:399:21:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  o->jttemplate = fopen(o->jtemplate_out, "wb");
data/jigit-1.22/libjte/libjte.c:401:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/libjte.c:407:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  o->jtjigdo = fopen(o->jjigdo_out, "wb");
data/jigit-1.22/libjte/libjte.c:409:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(o->message_buffer,
data/jigit-1.22/libjte/libjte.c:450:29:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *filename, char *mirror_name, int sector_size,
data/jigit-1.22/libjte/libjte.c:450:45:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *filename, char *mirror_name, int sector_size,
data/jigit-1.22/libjte/libjte.c:451:50:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  off_t size, unsigned char md5[16])
data/jigit-1.22/libjte/libjte.c:484:30:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *filename, off_t size, char **mirror_name,
data/jigit-1.22/libjte/libjte.c:484:58:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *filename, off_t size, char **mirror_name,
data/jigit-1.22/libjte/libjte.c:485:39:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char md5[16])
data/jigit-1.22/libjte/libjte.h:356:30:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *filename, off_t size, char **mirror_name,
data/jigit-1.22/libjte/libjte.h:356:58:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *filename, off_t size, char **mirror_name,
data/jigit-1.22/libjte/libjte.h:357:39:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char md5[16]);
data/jigit-1.22/libjte/libjte.h:402:10:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *filename, char *mirror_name, int sector_size,
data/jigit-1.22/libjte/libjte.h:402:26:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char *filename, char *mirror_name, int sector_size, data/jigit-1.22/libjte/libjte.h:403:31: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. off_t size, unsigned char md5[16]); data/jigit-1.22/libjte/libjte_private.h:53:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char message_buffer[4096]; data/jigit-1.22/libjte/md5.c:128:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(p, buf, len); data/jigit-1.22/libjte/md5.c:131:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(p, buf, t); data/jigit-1.22/libjte/md5.c:140:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->in, buf, 64); data/jigit-1.22/libjte/md5.c:148:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->in, buf, len); data/jigit-1.22/libjte/md5.c:156:23: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
mk_MD5Final (unsigned char digest[16], struct mk_MD5Context *ctx) data/jigit-1.22/libjte/md5.c:215:51: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. mk_MD5Transform (mk_uint32 buf[4], const unsigned char inraw[64]) data/jigit-1.22/libjte/md5.c:312:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char checksum[16]; data/jigit-1.22/libjte/md5.h:28:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char in[64]; data/jigit-1.22/libjte/md5.h:34:28: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. void mk_MD5Final (unsigned char digest[16], data/jigit-1.22/libjte/md5.h:36:56: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. void mk_MD5Transform (mk_uint32 buf[4], const unsigned char in[64]); data/jigit-1.22/libjte/sha1.c:114:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. 
memcpy (x, data, 64); data/jigit-1.22/libjte/sha1.h:28:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char buf[64]; data/jigit-1.22/libjte/sha256.c:52:23: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ }; data/jigit-1.22/libjte/sha256.c:217:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (&ctx->buffer[bytes], fillbuf, pad); data/jigit-1.22/libjte/sha256.c:245:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (&ctx->buffer[left_over], buffer, add); data/jigit-1.22/libjte/sha256.c:254:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63], data/jigit-1.22/libjte/sha256.c:276:28: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx); data/jigit-1.22/libjte/sha256.c:294:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. 
memcpy (&ctx->buffer[left_over], buffer, len); data/jigit-1.22/libjte/sha256.c:300:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (ctx->buffer, &ctx->buffer[64], left_over); data/jigit-1.22/libjte/sha256.h:48:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[128] __attribute__ ((__aligned__ (__alignof__ (uint32_t)))); data/jigit-1.22/libjte/sha512.c:59:23: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ }; data/jigit-1.22/libjte/sha512.c:332:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (&ctx->buffer[bytes], fillbuf, pad); data/jigit-1.22/libjte/sha512.c:360:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (&ctx->buffer[left_over], buffer, add); data/jigit-1.22/libjte/sha512.c:369:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~127], data/jigit-1.22/libjte/sha512.c:391:28: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. 
sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128, data/jigit-1.22/libjte/sha512.c:410:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (&ctx->buffer[left_over], buffer, len); data/jigit-1.22/libjte/sha512.c:416:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (ctx->buffer, &ctx->buffer[128], left_over); data/jigit-1.22/libjte/sha512.h:48:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[256] __attribute__ ((__aligned__ (__alignof__ (uint64_t)))); data/jigit-1.22/libjte/test/demo.c:109:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char *filev[LIBJTE_DEMO_MAX_FILES + 1]; data/jigit-1.22/libjte/test/demo.c:200:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[LIBJTE_DEMO_BUFSIZE]; data/jigit-1.22/libjte/test/demo.c:204:14: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). 
fp_out = fopen(outfile, "wb"); data/jigit-1.22/libjte/test/demo.c:216:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf, "test/demo of libjte-%d.%d.%d\n", major, minor, micro); data/jigit-1.22/libjte/test/demo.c:217:5: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string. strcat(buf, data/jigit-1.22/libjte/test/demo.c:233:9: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf, "name=%1.1024s\nsize=%.f\n", data/jigit-1.22/libjte/test/demo.c:235:9: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string. strcat(buf, data/jigit-1.22/libjte/test/demo.c:241:17: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). fp_in = fopen(filev[i], "rb"); data/jigit-1.22/libjte/test/demo.c:280:9: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(buf, data/jigit-1.22/libjte/test/demo.c:287:5: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). 
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(buf, "test/demo end\n"); data/jigit-1.22/md5.c:106:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(p, buf, len); data/jigit-1.22/md5.c:109:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(p, buf, t); data/jigit-1.22/md5.c:118:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->in, buf, 64); data/jigit-1.22/md5.c:126:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ctx->in, buf, len); data/jigit-1.22/md5.c:134:23: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. mk_MD5Final (unsigned char digest[16], struct mk_MD5Context *ctx) data/jigit-1.22/md5.c:195:51: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. mk_MD5Transform (mk_uint32 buf[4], const unsigned char inraw[64]) data/jigit-1.22/md5.c:293:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
unsigned char checksum[16]; data/jigit-1.22/md5.h:16:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char in[64]; data/jigit-1.22/md5.h:22:28: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. void mk_MD5Final (unsigned char digest[16], data/jigit-1.22/md5.h:24:56: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. void mk_MD5Transform (mk_uint32 buf[4], const unsigned char in[64]); data/jigit-1.22/mkimage.c:116:24: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). missing_file = fopen(missing, "wb"); data/jigit-1.22/mkimage.c:341:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char bin_md5[MD5_BYTES]; data/jigit-1.22/mkimage.c:367:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). 
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[2048]; data/jigit-1.22/mkimage.c:372:12: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). file = fopen(filename, "rb"); data/jigit-1.22/mkimage.c:423:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char bin_sha256[SHA256_BYTES]; data/jigit-1.22/mkimage.c:449:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[2048]; data/jigit-1.22/mkimage.c:454:12: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). file = fopen(filename, "rb"); data/jigit-1.22/mkimage.c:586:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[2048]; data/jigit-1.22/mkimage.c:750:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). 
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[BUF_SIZE]; data/jigit-1.22/mkimage.c:754:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char file_md5[MD5_BYTES]; data/jigit-1.22/mkimage.c:767:22: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). input_file = fopen(md5_list_entry->full_path, "rb"); data/jigit-1.22/mkimage.c:842:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char hex_md5[HEX_MD5_BYTES + 1]; data/jigit-1.22/mkimage.c:846:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(hex_md5 + 2 * i, "%2.2x", (unsigned int) md5[i]); data/jigit-1.22/mkimage.c:859:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[BUF_SIZE]; data/jigit-1.22/mkimage.c:863:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). 
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char file_sha256[SHA256_BYTES]; data/jigit-1.22/mkimage.c:876:22: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). input_file = fopen(sha256_list_entry->full_path, "rb"); data/jigit-1.22/mkimage.c:951:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char hex_sha256[HEX_SHA256_BYTES + 1]; data/jigit-1.22/mkimage.c:955:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(hex_sha256 + 2 * i, "%2.2x", (unsigned int) sha256[i]); data/jigit-1.22/mkimage.c:979:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char image_md5sum[MD5_BYTES]; data/jigit-1.22/mkimage.c:980:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char image_sha256sum[SHA256_BYTES]; data/jigit-1.22/mkimage.c:981:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). 
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char image_md5sum_from_tmpl[MD5_BYTES]; data/jigit-1.22/mkimage.c:982:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char image_sha256sum_from_tmpl[SHA256_BYTES]; data/jigit-1.22/mkimage.c:986:12: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). file = fopen(filename, "rb"); data/jigit-1.22/mkimage.c:1069:17: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(image_md5sum_from_tmpl, (unsigned char*)&bufptr[7], MD5_BYTES); data/jigit-1.22/mkimage.c:1075:17: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(image_sha256sum_from_tmpl, (unsigned char*)&bufptr[7], SHA256_BYTES); data/jigit-1.22/mkimage.c:1349:27: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). logfile = fopen(optarg, "ab"); data/jigit-1.22/mkimage.c:1359:27: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). 
outfile = fopen(output_name, "wb"); data/jigit-1.22/parallel-sums.c:45:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char d[BUF_SIZE]; data/jigit-1.22/parallel-sums.c:247:35: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). state[i].out_stream = fopen(state[i].out_filename, "wb"); data/jigit-1.22/parallel-sums.c:267:24: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). queue.infile = fopen(argv[optind], "rb"); data/jigit-1.22/rsync.c:119:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[BUF_SIZE]; data/jigit-1.22/rsync.c:131:16: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). file = fopen(filename, "rb"); data/jigit-1.22/uncompress.c:94:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
  char inbuf[1024];

data/jigit-1.22/jigdump.c:30:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t length = strlen(search);

data/jigit-1.22/jigdump.c:293:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  hlen = strlen(haystack);

data/jigit-1.22/jigdump.c:294:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  nlen = strlen(needle);

data/jigit-1.22/jigdump.c:355:14:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  bytes = read(fd, buf, BUF_SIZE);

data/jigit-1.22/jigdump.c:390:17:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  bytes = read(fd, buf, BUF_SIZE);

data/jigit-1.22/jigdump.c:407:17:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  bytes = read(fd, buf, BUF_SIZE);

data/jigit-1.22/jigsum-sha256.c:148:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ssize_t read;

data/jigit-1.22/jigsum-sha256.c:187:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (read > (BASE64_CKSUM_BYTES + 2)

data/jigit-1.22/jigsum-sha256.c:195:24:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  line[--read] = '\0';

data/jigit-1.22/jigsum.c:147:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ssize_t read;

data/jigit-1.22/jigsum.c:186:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (read > (BASE64_CKSUM_BYTES + 2)

data/jigit-1.22/jigsum.c:194:24:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  line[--read] = '\0';

data/jigit-1.22/libjte/checksum.c:500:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (len == strlen(algorithms[i].name) &&

data/jigit-1.22/libjte/checksum.c:646:15:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  err = read(fd, buf, sizeof(buf));

data/jigit-1.22/libjte/jte.c:371:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (from == NULL || !strlen(from) || eqpt == arg)

data/jigit-1.22/libjte/jte.c:381:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(to, arg, eqpt - arg);

data/jigit-1.22/libjte/jte.c:438:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!strncmp(filename, entry->from, strlen(entry->from)))

data/jigit-1.22/libjte/jte.c:440:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  new_name = calloc(1, 2 + strlen(filename) + strlen(entry->to) - strlen(entry->from));

data/jigit-1.22/libjte/jte.c:440:57:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  new_name = calloc(1, 2 + strlen(filename) + strlen(entry->to) - strlen(entry->from));

data/jigit-1.22/libjte/jte.c:440:77:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  new_name = calloc(1, 2 + strlen(filename) + strlen(entry->to) - strlen(entry->from));

data/jigit-1.22/libjte/jte.c:449:61:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sprintf(new_name, "%s:%s", entry->to, &filename[strlen(entry->from)]);

data/jigit-1.22/libjte/jte.c:695:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (buf[strlen((char *)buf)-1] == '\n')

data/jigit-1.22/libjte/jte.c:696:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  buf[strlen((char *)buf)-1] = 0;

data/jigit-1.22/libjte/libjte.c:511:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  libjte_report_no_mem(o, strlen(checksum_name) + 1, 0);

data/jigit-1.22/libjte/md5.c:325:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  mk_MD5Update (&context, argv[j], strlen (argv[j]));

data/jigit-1.22/libjte/test/demo.c:219:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ret = libjte_demo_write(buf, strlen(buf), fp_out);

data/jigit-1.22/libjte/test/demo.c:237:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ret = libjte_demo_write(buf, strlen(buf), fp_out);

data/jigit-1.22/libjte/test/demo.c:282:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ret = libjte_demo_write(buf, strlen(buf), fp_out);

data/jigit-1.22/libjte/test/demo.c:288:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ret = libjte_demo_write(buf, strlen(buf), fp_out);

data/jigit-1.22/md5.c:306:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  mk_MD5Update (&context, argv[j], strlen (argv[j]));

data/jigit-1.22/mkimage.c:265:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int jigdo_name_size = strlen(jigdo_name);

data/jigit-1.22/mkimage.c:271:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int mirror_path_size = strlen(entry->mirror_path);

data/jigit-1.22/mkimage.c:352:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(md5_entry, base64_dump(bin_md5, MD5_BYTES), BASE64_MD5_BYTES);

data/jigit-1.22/mkimage.c:358:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ('\n' == file_name[strlen(file_name) -1])

data/jigit-1.22/mkimage.c:359:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  file_name[strlen(file_name) - 1] = 0;

data/jigit-1.22/mkimage.c:434:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(sha256_entry, base64_dump(bin_sha256, SHA256_BYTES), BASE64_SHA256_BYTES);

data/jigit-1.22/mkimage.c:440:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ('\n' == file_name[strlen(file_name) -1])

data/jigit-1.22/mkimage.c:441:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  file_name[strlen(file_name) - 1] = 0;

data/jigit-1.22/mkimage.c:510:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  csum_length = strlen(base64_checksum);

ANALYSIS SUMMARY:

Hits = 241
Lines analyzed = 9984 in approximately 0.34 seconds (28993 lines/second)
Physical Source Lines of Code (SLOC) = 7235
Hits@level = [0] 315 [1] 39 [2] 183 [3] 4 [4] 15 [5] 0
Hits@level+ = [0+] 556 [1+] 241 [2+] 202 [3+] 19 [4+] 15 [5+] 0
Hits/KSLOC@level+ = [0+] 76.8487 [1+] 33.3103 [2+] 27.9198 [3+] 2.62612 [4+] 2.07326 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.