Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/knot-resolver-5.2.0/bench/bench_lru.c
Examining data/knot-resolver-5.2.0/contrib/base32hex.c
Examining data/knot-resolver-5.2.0/contrib/base32hex.h
Examining data/knot-resolver-5.2.0/contrib/base64.c
Examining data/knot-resolver-5.2.0/contrib/base64.h
Examining data/knot-resolver-5.2.0/contrib/base64url.c
Examining data/knot-resolver-5.2.0/contrib/base64url.h
Examining data/knot-resolver-5.2.0/contrib/ccan/asprintf/asprintf.c
Examining data/knot-resolver-5.2.0/contrib/ccan/asprintf/asprintf.h
Examining data/knot-resolver-5.2.0/contrib/ccan/compiler/compiler.h
Examining data/knot-resolver-5.2.0/contrib/ccan/json/json.c
Examining data/knot-resolver-5.2.0/contrib/ccan/json/json.h
Examining data/knot-resolver-5.2.0/contrib/cleanup.h
Examining data/knot-resolver-5.2.0/contrib/config.h
Examining data/knot-resolver-5.2.0/contrib/dynarray.h
Examining data/knot-resolver-5.2.0/contrib/murmurhash3/murmurhash3.c
Examining data/knot-resolver-5.2.0/contrib/murmurhash3/murmurhash3.h
Examining data/knot-resolver-5.2.0/contrib/ucw/alloc.h
Examining data/knot-resolver-5.2.0/contrib/ucw/config.h
Examining data/knot-resolver-5.2.0/contrib/ucw/lib.h
Examining data/knot-resolver-5.2.0/contrib/ucw/mempool-fmt.c
Examining data/knot-resolver-5.2.0/contrib/ucw/mempool.c
Examining data/knot-resolver-5.2.0/contrib/ucw/mempool.h
Examining data/knot-resolver-5.2.0/contrib/wire.h
Examining data/knot-resolver-5.2.0/daemon/bindings/api.h
Examining data/knot-resolver-5.2.0/daemon/bindings/cache.c
Examining data/knot-resolver-5.2.0/daemon/bindings/event.c
Examining data/knot-resolver-5.2.0/daemon/bindings/impl.c
Examining data/knot-resolver-5.2.0/daemon/bindings/impl.h
Examining data/knot-resolver-5.2.0/daemon/bindings/modules.c
Examining data/knot-resolver-5.2.0/daemon/bindings/net.c
Examining data/knot-resolver-5.2.0/daemon/bindings/worker.c
Examining data/knot-resolver-5.2.0/daemon/engine.c
Examining data/knot-resolver-5.2.0/daemon/engine.h
Examining data/knot-resolver-5.2.0/daemon/ffimodule.c
Examining data/knot-resolver-5.2.0/daemon/ffimodule.h
Examining data/knot-resolver-5.2.0/daemon/http.c
Examining data/knot-resolver-5.2.0/daemon/http.h
Examining data/knot-resolver-5.2.0/daemon/io.c
Examining data/knot-resolver-5.2.0/daemon/io.h
Examining data/knot-resolver-5.2.0/daemon/main.c
Examining data/knot-resolver-5.2.0/daemon/network.c
Examining data/knot-resolver-5.2.0/daemon/network.h
Examining data/knot-resolver-5.2.0/daemon/session.c
Examining data/knot-resolver-5.2.0/daemon/session.h
Examining data/knot-resolver-5.2.0/daemon/tls.c
Examining data/knot-resolver-5.2.0/daemon/tls.h
Examining data/knot-resolver-5.2.0/daemon/tls_ephemeral_credentials.c
Examining data/knot-resolver-5.2.0/daemon/tls_session_ticket-srv.c
Examining data/knot-resolver-5.2.0/daemon/udp_queue.c
Examining data/knot-resolver-5.2.0/daemon/udp_queue.h
Examining data/knot-resolver-5.2.0/daemon/worker.c
Examining data/knot-resolver-5.2.0/daemon/worker.h
Examining data/knot-resolver-5.2.0/daemon/zimport.c
Examining data/knot-resolver-5.2.0/daemon/zimport.h
Examining data/knot-resolver-5.2.0/lib/cache/api.c
Examining data/knot-resolver-5.2.0/lib/cache/api.h
Examining data/knot-resolver-5.2.0/lib/cache/cdb_api.h
Examining data/knot-resolver-5.2.0/lib/cache/cdb_lmdb.c
Examining data/knot-resolver-5.2.0/lib/cache/cdb_lmdb.h
Examining data/knot-resolver-5.2.0/lib/cache/entry_list.c
Examining data/knot-resolver-5.2.0/lib/cache/entry_pkt.c
Examining data/knot-resolver-5.2.0/lib/cache/entry_rr.c
Examining data/knot-resolver-5.2.0/lib/cache/impl.h
Examining data/knot-resolver-5.2.0/lib/cache/knot_pkt.c
Examining data/knot-resolver-5.2.0/lib/cache/nsec1.c
Examining data/knot-resolver-5.2.0/lib/cache/nsec3.c
Examining data/knot-resolver-5.2.0/lib/cache/peek.c
Examining data/knot-resolver-5.2.0/lib/cache/util.h
Examining data/knot-resolver-5.2.0/lib/cookies/alg_containers.c
Examining data/knot-resolver-5.2.0/lib/cookies/alg_containers.h
Examining data/knot-resolver-5.2.0/lib/cookies/alg_sha.c
Examining data/knot-resolver-5.2.0/lib/cookies/alg_sha.h
Examining data/knot-resolver-5.2.0/lib/cookies/control.h
Examining data/knot-resolver-5.2.0/lib/cookies/helper.c
Examining data/knot-resolver-5.2.0/lib/cookies/helper.h
Examining data/knot-resolver-5.2.0/lib/cookies/lru_cache.c
Examining data/knot-resolver-5.2.0/lib/cookies/lru_cache.h
Examining data/knot-resolver-5.2.0/lib/cookies/nonce.c
Examining data/knot-resolver-5.2.0/lib/cookies/nonce.h
Examining data/knot-resolver-5.2.0/lib/defines.h
Examining data/knot-resolver-5.2.0/lib/dnssec/nsec.c
Examining data/knot-resolver-5.2.0/lib/dnssec/nsec.h
Examining data/knot-resolver-5.2.0/lib/dnssec/nsec3.c
Examining data/knot-resolver-5.2.0/lib/dnssec/nsec3.h
Examining data/knot-resolver-5.2.0/lib/dnssec/signature.c
Examining data/knot-resolver-5.2.0/lib/dnssec/signature.h
Examining data/knot-resolver-5.2.0/lib/dnssec/ta.c
Examining data/knot-resolver-5.2.0/lib/dnssec/ta.h
Examining data/knot-resolver-5.2.0/lib/dnssec.c
Examining data/knot-resolver-5.2.0/lib/dnssec.h
Examining data/knot-resolver-5.2.0/lib/generic/array.h
Examining data/knot-resolver-5.2.0/lib/generic/lru.c
Examining data/knot-resolver-5.2.0/lib/generic/lru.h
Examining data/knot-resolver-5.2.0/lib/generic/map.c
Examining data/knot-resolver-5.2.0/lib/generic/map.h
Examining data/knot-resolver-5.2.0/lib/generic/pack.h
Examining data/knot-resolver-5.2.0/lib/generic/queue.c
Examining data/knot-resolver-5.2.0/lib/generic/queue.h
Examining data/knot-resolver-5.2.0/lib/generic/set.h
Examining data/knot-resolver-5.2.0/lib/generic/test_array.c
Examining data/knot-resolver-5.2.0/lib/generic/test_lru.c
Examining data/knot-resolver-5.2.0/lib/generic/test_map.c
Examining data/knot-resolver-5.2.0/lib/generic/test_pack.c
Examining data/knot-resolver-5.2.0/lib/generic/test_queue.c
Examining data/knot-resolver-5.2.0/lib/generic/test_set.c
Examining data/knot-resolver-5.2.0/lib/generic/test_trie.c
Examining data/knot-resolver-5.2.0/lib/generic/trie.c
Examining data/knot-resolver-5.2.0/lib/generic/trie.h
Examining data/knot-resolver-5.2.0/lib/layer/cache.c
Examining data/knot-resolver-5.2.0/lib/layer/iterate.c
Examining data/knot-resolver-5.2.0/lib/layer/iterate.h
Examining data/knot-resolver-5.2.0/lib/layer/validate.c
Examining data/knot-resolver-5.2.0/lib/layer.h
Examining data/knot-resolver-5.2.0/lib/module.c
Examining data/knot-resolver-5.2.0/lib/module.h
Examining data/knot-resolver-5.2.0/lib/nsrep.c
Examining data/knot-resolver-5.2.0/lib/nsrep.h
Examining data/knot-resolver-5.2.0/lib/resolve.c
Examining data/knot-resolver-5.2.0/lib/resolve.h
Examining data/knot-resolver-5.2.0/lib/rplan.c
Examining data/knot-resolver-5.2.0/lib/rplan.h
Examining data/knot-resolver-5.2.0/lib/test_module.c
Examining data/knot-resolver-5.2.0/lib/test_rplan.c
Examining data/knot-resolver-5.2.0/lib/test_utils.c
Examining data/knot-resolver-5.2.0/lib/test_zonecut.c
Examining data/knot-resolver-5.2.0/lib/utils.c
Examining data/knot-resolver-5.2.0/lib/utils.h
Examining data/knot-resolver-5.2.0/lib/zonecut.c
Examining data/knot-resolver-5.2.0/lib/zonecut.h
Examining data/knot-resolver-5.2.0/modules/bogus_log/bogus_log.c
Examining data/knot-resolver-5.2.0/modules/cookies/cookiectl.c
Examining data/knot-resolver-5.2.0/modules/cookies/cookiectl.h
Examining data/knot-resolver-5.2.0/modules/cookies/cookiemonster.c
Examining data/knot-resolver-5.2.0/modules/cookies/cookiemonster.h
Examining data/knot-resolver-5.2.0/modules/cookies/cookies.c
Examining data/knot-resolver-5.2.0/modules/dnstap/dnstap.c
Examining data/knot-resolver-5.2.0/modules/edns_keepalive/edns_keepalive.c
Examining data/knot-resolver-5.2.0/modules/hints/hints.c
Examining data/knot-resolver-5.2.0/modules/http/debug_opensslkeylog.c
Examining data/knot-resolver-5.2.0/modules/nsid/nsid.c
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/ac.cxx
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/ac.h
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/ac_fast.cxx
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/ac_fast.hpp
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/ac_lua.cxx
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/ac_slow.cxx
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/ac_slow.hpp
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/ac_util.hpp
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/mytest.cxx
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/ac_bench.cxx
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/ac_test_aggr.cxx
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/ac_test_simple.cxx
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/test_base.hpp
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/test_bigfile.cxx
Examining data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/test_main.cxx
Examining data/knot-resolver-5.2.0/modules/refuse_nord/refuse_nord.c
Examining data/knot-resolver-5.2.0/modules/stats/stats.c
Examining data/knot-resolver-5.2.0/tests/pytests/proxy/tls-proxy.c
Examining data/knot-resolver-5.2.0/tests/pytests/proxy/tls-proxy.h
Examining data/knot-resolver-5.2.0/tests/pytests/proxy/tlsproxy.c
Examining data/knot-resolver-5.2.0/tests/unit/mock_cmodule.c
Examining data/knot-resolver-5.2.0/tests/unit/test.h
Examining data/knot-resolver-5.2.0/utils/cache_gc/categories.c
Examining data/knot-resolver-5.2.0/utils/cache_gc/categories.h
Examining data/knot-resolver-5.2.0/utils/cache_gc/db.c
Examining data/knot-resolver-5.2.0/utils/cache_gc/db.h
Examining data/knot-resolver-5.2.0/utils/cache_gc/kr_cache_gc.c
Examining data/knot-resolver-5.2.0/utils/cache_gc/kr_cache_gc.h
Examining data/knot-resolver-5.2.0/utils/cache_gc/main.c
Examining data/knot-resolver-5.2.0/utils/client/kresc.c

FINAL RESULTS:

data/knot-resolver-5.2.0/bench/bench_lru.c:19:2:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
	printf(__VA_ARGS__); \
data/knot-resolver-5.2.0/bench/bench_lru.c:22:20:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
#define p_err(...) fprintf(stderr, __VA_ARGS__)
data/knot-resolver-5.2.0/contrib/ccan/asprintf/asprintf.c:31:8:  [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use
  a constant for the format specification.
	len = vsnprintf(NULL, 0, fmt, ap_copy);
data/knot-resolver-5.2.0/contrib/ccan/asprintf/asprintf.c:43:9:  [4] (format) vsprintf:
  Potential format string problem (CWE-134). Make format string constant.
	return vsprintf(*strp, fmt, ap);
data/knot-resolver-5.2.0/contrib/ccan/json/json.c:24:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
	strcpy(ret, str);
data/knot-resolver-5.2.0/contrib/ccan/json/json.c:1298:5:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use
  a constant for the format specification.
				snprintf(errmsg, 256, __VA_ARGS__); \
data/knot-resolver-5.2.0/contrib/ucw/mempool-fmt.c:25:13:  [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use
  a constant for the format specification.
  int cnt = vsnprintf(ret, mp_avail(mp) - ofs, fmt, args2);
data/knot-resolver-5.2.0/contrib/ucw/mempool-fmt.c:34:11:  [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use
  a constant for the format specification.
    cnt = vsnprintf(ret, mp_avail(mp) - ofs, fmt, args2);
data/knot-resolver-5.2.0/contrib/ucw/mempool-fmt.c:43:7:  [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use
  a constant for the format specification.
      vsnprintf(ret, cnt + 1, fmt, args2);
data/knot-resolver-5.2.0/contrib/ucw/mempool.h:540:72:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
char *mp_printf(struct mempool *mp, const char *fmt, ...) FORMAT_CHECK(printf,2,3) LIKE_MALLOC;
data/knot-resolver-5.2.0/contrib/ucw/mempool.h:559:90:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
char *mp_printf_append(struct mempool *mp, char *ptr, const char *fmt, ...) FORMAT_CHECK(printf,3,4);
data/knot-resolver-5.2.0/daemon/main.c:431:7:  [4] (race) access:
  This usually indicates a security flaw. If an attacker can change anything
  along the path between the call to access() and the file's actual use
  (e.g., by moving files), the attacker can exploit the race condition
  (CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
  and try to open the file directly.
		if (access(the_args->rundir, W_OK) != 0
data/knot-resolver-5.2.0/daemon/main.c:448:14:  [4] (race) access:
  This usually indicates a security flaw. If an attacker can change anything
  along the path between the call to access() and the file's actual use
  (e.g., by moving files), the attacker can exploit the race condition
  (CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
  and try to open the file directly.
		} else if (access(config, R_OK) != 0) {
data/knot-resolver-5.2.0/daemon/main.c:457:35:  [4] (race) access:
  This usually indicates a security flaw. If an attacker can change anything
  along the path between the call to access() and the file's actual use
  (e.g., by moving files), the attacker can exploit the race condition
  (CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
  and try to open the file directly.
	if (the_args->config.len == 0 && access("config", R_OK) == 0)
data/knot-resolver-5.2.0/lib/defines.h:19:45:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
#define KR_PRINTF(n) __attribute__((format (printf, n, (n+1))))
data/knot-resolver-5.2.0/lib/generic/test_map.c:61:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
	strcpy(in, dict[23]);
data/knot-resolver-5.2.0/lib/generic/test_set.c:86:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
	strcpy(in, dict[23]);
data/knot-resolver-5.2.0/lib/utils.h:43:21:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
#define kr_log_info printf
data/knot-resolver-5.2.0/lib/utils.h:44:27:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
#define kr_log_error(...) fprintf(stderr, ## __VA_ARGS__)
data/knot-resolver-5.2.0/lib/utils.h:45:31:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
#define kr_log_deprecate(...) fprintf(stderr, "deprecation WARNING: " __VA_ARGS__)
data/knot-resolver-5.2.0/lib/utils.h:96:43:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
#define kr_log_verbose if(VERBOSE_STATUS) printf
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/ac_bench.cxx:393:5:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
    fprintf(stdout, msg, prog_name);
data/knot-resolver-5.2.0/tests/unit/test.h:53:3:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
		sprintf(buf, "%s/%s", path, ent->d_name);
data/knot-resolver-5.2.0/bench/bench_lru.c:65:3:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
		srandom(now.tv_sec * 1000000 + now.tv_usec);
data/knot-resolver-5.2.0/bench/bench_lru.c:135:18:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
		size_t j = i + random() % (lines - i);
data/knot-resolver-5.2.0/contrib/ucw/mempool.c:473:3:  [3] (random) srand:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  srand(time(NULL));
data/knot-resolver-5.2.0/daemon/engine.c:462:33:  [3] (buffer) getenv:
  Environment variables are untrustable input if they can be set by an
  attacker. They can have any content and length, and the same variable can
  be set more than once (CWE-807, CWE-20). Check environment variables
  carefully before using them.
	const char * const statspath = getenv("KRESD_COVERAGE_STATS");
data/knot-resolver-5.2.0/daemon/main.c:228:14:  [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
	while ((c = getopt_long(argc, argv, "a:t:c:f:nvqVhS:", opts, &li)) != -1) {
data/knot-resolver-5.2.0/daemon/network.c:447:25:  [3] (buffer) getenv:
  Environment variables are untrustable input if they can be set by an
  attacker. They can have any content and length, and the same variable can
  be set more than once (CWE-807, CWE-20). Check environment variables
  carefully before using them.
	const char *inst_str = getenv("SYSTEMD_INSTANCE");
data/knot-resolver-5.2.0/daemon/worker.c:2224:26:  [3] (buffer) getenv:
  Environment variables are untrustable input if they can be set by an
  attacker. They can have any content and length, and the same variable can
  be set more than once (CWE-807, CWE-20). Check environment variables
  carefully before using them.
	const char *inst_name = getenv("SYSTEMD_INSTANCE");
data/knot-resolver-5.2.0/modules/http/debug_opensslkeylog.c:113:28:  [3] (buffer) getenv:
  Environment variables are untrustable input if they can be set by an
  attacker. They can have any content and length, and the same variable can
  be set more than once (CWE-807, CWE-20). Check environment variables
  carefully before using them.
    const char *filename = getenv("OPENSSLKEYLOGFILE");
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/ac_bench.cxx:405:17:  [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
        int c = getopt_long(argc, argv, short_opt, long_opts, &opt_index);
data/knot-resolver-5.2.0/tests/pytests/proxy/tlsproxy.c:82:14:  [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
	while ((c = getopt_long(argc, argv, "l:p:u:d:t:k:c:f:rav", opts, &li)) != -1) {
data/knot-resolver-5.2.0/utils/cache_gc/main.c:83:14:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
	while ((o = getopt(argc, argv, "hnvc:d:l:L:m:u:f:w:t:")) != -1) {
data/knot-resolver-5.2.0/utils/client/kresc.c:374:20:  [3] (buffer) getenv:
  Environment variables are untrustable input if they can be set by an
  attacker. They can have any content and length, and the same variable can
  be set more than once (CWE-807, CWE-20). Check environment variables
  carefully before using them.
	char *data_home = getenv("XDG_DATA_HOME");
data/knot-resolver-5.2.0/utils/client/kresc.c:378:22:  [3] (buffer) getenv:
  Environment variables are untrustable input if they can be set by an
  attacker. They can have any content and length, and the same variable can
  be set more than once (CWE-807, CWE-20). Check environment variables
  carefully before using them.
		const char *home = getenv("HOME");	//This should be set on any POSIX compliant OS, even for nobody
data/knot-resolver-5.2.0/bench/bench_lru.c:87:11:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	int fd = open(fname, O_RDONLY);
data/knot-resolver-5.2.0/bench/bench_lru.c:174:20:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
		size_t run_log = atoi(argv[1]);
data/knot-resolver-5.2.0/bench/bench_lru.c:182:34:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
	const int lru_size = argc > 4 ? atoi(argv[4]) : LRU_RTT_SIZE;
data/knot-resolver-5.2.0/contrib/ccan/json/json.c:71:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(sb->cur, bytes, count);
data/knot-resolver-5.2.0/contrib/ccan/json/json.c:778:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char throwaway_buffer[4];
data/knot-resolver-5.2.0/contrib/ccan/json/json.c:1153:7:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
						strcpy(b, "\\uFFFD");
data/knot-resolver-5.2.0/contrib/ccan/json/json.c:1214:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char buf[64];
data/knot-resolver-5.2.0/contrib/ccan/json/json.c:1215:2:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
	sprintf(buf, "%.16g", num);
data/knot-resolver-5.2.0/contrib/ccan/json/json.c:1294:39:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
bool json_check(const JsonNode *node, char errmsg[256])
data/knot-resolver-5.2.0/contrib/ccan/json/json.h:97:49:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
KR_EXPORT bool json_check(const JsonNode *node, char errmsg[256]);
data/knot-resolver-5.2.0/contrib/dynarray.h:96:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
				memcpy(new_arr, prefix ## _dynarray_arr(dynarray), \
data/knot-resolver-5.2.0/contrib/ucw/mempool.c:63:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(new, ptr, old_size);
data/knot-resolver-5.2.0/contrib/ucw/mempool.c:372:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(p, ptr, avail);
data/knot-resolver-5.2.0/contrib/ucw/mempool.h:357:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(q, block, size);
data/knot-resolver-5.2.0/contrib/wire.h:94:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy((uint8_t *)&input + 1, pos, 6);
data/knot-resolver-5.2.0/contrib/wire.h:147:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(pos, (uint8_t *)&swapped + 1, 6);
data/knot-resolver-5.2.0/daemon/bindings/cache.c:80:11:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	add_stat(open);
data/knot-resolver-5.2.0/daemon/bindings/cache.c:201:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
		char cwd[PATH_MAX];
data/knot-resolver-5.2.0/daemon/bindings/cache.c:283:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char name[KNOT_DNAME_TXT_MAXLEN];
data/knot-resolver-5.2.0/daemon/bindings/cache.c:302:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char type_buf[KR_RRTYPE_STR_MAXLEN] = { '\0' };
data/knot-resolver-5.2.0/daemon/bindings/cache.c:384:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char msg[128];
data/knot-resolver-5.2.0/daemon/bindings/impl.h:88:8:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
       memcpy(addr, &p, sizeof(void *));
data/knot-resolver-5.2.0/daemon/bindings/net.c:269:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char kind_buf[kind_alen];
data/knot-resolver-5.2.0/daemon/bindings/net.c:271:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(kind_buf, flags.kind, kind_alen);
data/knot-resolver-5.2.0/daemon/bindings/net.c:311:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char buf[INET6_ADDRSTRLEN]; /* https://tools.ietf.org/html/rfc4291 */
data/knot-resolver-5.2.0/daemon/bindings/net.c:343:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
			sprintf(p, "%.2x:", (uint8_t)iface.phys_addr[k]);
data/knot-resolver-5.2.0/daemon/bindings/net.c:471:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
		char str[INET6_ADDRSTRLEN + 1 + 5 + 1];
data/knot-resolver-5.2.0/daemon/bindings/net.c:706:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char buf[INET6_ADDRSTRLEN + 1];
data/knot-resolver-5.2.0/daemon/bindings/net.c:750:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char buf[INET6_ADDRSTRLEN + 1];
data/knot-resolver-5.2.0/daemon/bindings/net.c:855:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	FILE *fp = fopen(file_name, "r");
data/knot-resolver-5.2.0/daemon/bindings/net.c:861:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char secret_buf[TLS_SESSION_TICKET_SECRET_MAX_LEN];
data/knot-resolver-5.2.0/daemon/bindings/net.c:907:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
		char addr_buf[INET6_ADDRSTRLEN];
data/knot-resolver-5.2.0/daemon/engine.c:155:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	static char hostname_str[KNOT_DNAME_MAXLEN];
data/knot-resolver-5.2.0/daemon/engine.c:489:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char l_paths[MAXPATHLEN] = { 0 };
data/knot-resolver-5.2.0/daemon/engine.c:634:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char cwd[PATH_MAX];
data/knot-resolver-5.2.0/daemon/ffimodule.c:111:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(&kr_layer_t_static, ctx, sizeof(*ctx));
data/knot-resolver-5.2.0/daemon/http.c:251:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(ctx->buf + ctx->buf_pos, data, len);
data/knot-resolver-5.2.0/daemon/http.c:468:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char size[MAX_DECIMAL_LENGTH(pkt->size)] = { 0 };
data/knot-resolver-5.2.0/daemon/io.c:745:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(pool, &_pool, sizeof(*pool));
data/knot-resolver-5.2.0/daemon/main.c:316:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
		char addr_buf[INET6_ADDRSTRLEN + 1];
data/knot-resolver-5.2.0/daemon/main.c:449:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
			char cwd[PATH_MAX];
data/knot-resolver-5.2.0/daemon/network.c:241:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(&ep_array->at[ep_array->len++], ep, sizeof(*ep));
data/knot-resolver-5.2.0/daemon/network.c:416:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char addr_buf[INET6_ADDRSTRLEN]; /* https://tools.ietf.org/html/rfc4291 */
data/knot-resolver-5.2.0/daemon/network.c:478:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char ifname_buf[64] UNUSED;
data/knot-resolver-5.2.0/daemon/session.c:704:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(session->wire_buf, wirebuf_data_start, wirebuf_data_size);
data/knot-resolver-5.2.0/daemon/tls.c:84:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(buf, t->buf + t->consumed, transfer);
data/knot-resolver-5.2.0/daemon/tls.c:200:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
			memcpy(buf + off, uv_buf[i].base, uv_buf[i].len);
data/knot-resolver-5.2.0/daemon/tls.c:574:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char raw_pin[TLS_SHA256_RAW_LEN]; /* TMP buffer if raw == false */
data/knot-resolver-5.2.0/daemon/tls.c:612:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
			char pin[TLS_SHA256_BASE64_BUFLEN] = { 0 };
data/knot-resolver-5.2.0/daemon/tls.c:852:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(key, &addr->ip4.sin_port, sizeof(addr->ip4.sin_port));
data/knot-resolver-5.2.0/daemon/tls.c:853:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(key + sizeof(addr->ip4.sin_port), &addr->ip4.sin_addr,
data/knot-resolver-5.2.0/daemon/tls.c:858:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(key, &addr->ip6.sin6_port, sizeof(addr->ip6.sin6_port));
data/knot-resolver-5.2.0/daemon/tls.c:859:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(key + sizeof(addr->ip6.sin6_port), &addr->ip6.sin6_addr,
data/knot-resolver-5.2.0/daemon/tls.c:883:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char key[sizeof(ia->ip6.sin6_port) + sizeof(ia->ip6.sin6_addr)];
data/knot-resolver-5.2.0/daemon/tls.c:895:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char key[sizeof(ia->ip6.sin6_port) + sizeof(ia->ip6.sin6_addr)];
data/knot-resolver-5.2.0/daemon/tls.c:933:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
			char pin_base64[TLS_SHA256_BASE64_BUFLEN];
data/knot-resolver-5.2.0/daemon/tls.c:945:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
		char cert_pin[TLS_SHA256_RAW_LEN];
data/knot-resolver-5.2.0/daemon/tls_ephemeral_credentials.c:34:18:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	lock_t lockfd = open(fname, O_RDONLY|O_CREAT, 0400);
data/knot-resolver-5.2.0/daemon/tls_ephemeral_credentials.c:79:11:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	datafd = open(EPHEMERAL_PRIVKEY_FILENAME, O_RDONLY);
data/knot-resolver-5.2.0/daemon/tls_ephemeral_credentials.c:129:13:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
			datafd = open(EPHEMERAL_PRIVKEY_FILENAME, O_WRONLY|O_CREAT, 0600);
data/knot-resolver-5.2.0/daemon/tls_session_ticket-srv.c:46:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	unsigned char key[SESSION_KEY_SIZE]; /**< the key itself */
data/knot-resolver-5.2.0/daemon/tls_session_ticket-srv.c:98:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(ctx->hash_data + sizeof(time_t), secret, secret_len);
data/knot-resolver-5.2.0/daemon/tls_session_ticket-srv.c:119:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(ctx->key, key_tmp.data, SESSION_KEY_SIZE);
data/knot-resolver-5.2.0/daemon/tls_session_ticket-srv.c:137:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(ctx->hash_data, &epoch, sizeof(epoch));
data/knot-resolver-5.2.0/daemon/worker.c:287:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(out.eth_from, &ctx->source.eth_addrs[0], 6);
data/knot-resolver-5.2.0/daemon/worker.c:288:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(out.eth_to,   &ctx->source.eth_addrs[1], 6);
data/knot-resolver-5.2.0/daemon/worker.c:378:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(&ctx->source.addr.ip, addr, kr_sockaddr_len(addr));
data/knot-resolver-5.2.0/daemon/worker.c:382:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(&ctx->source.dst_addr.ip, dst_addr, kr_sockaddr_len(dst_addr));
data/knot-resolver-5.2.0/daemon/worker.c:1139:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(peer, addr, kr_sockaddr_len(addr));
data/knot-resolver-5.2.0/daemon/worker.c:1183:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char key[SUBREQ_KEY_LEN];
data/knot-resolver-5.2.0/daemon/worker.c:1211:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char key[SUBREQ_KEY_LEN];
data/knot-resolver-5.2.0/daemon/worker.c:1230:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char key[SUBREQ_KEY_LEN];
data/knot-resolver-5.2.0/daemon/worker.c:1270:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(&msg.ip_from, ip_from, kr_sockaddr_len(ip_from));
data/knot-resolver-5.2.0/daemon/worker.c:1271:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(&msg.ip_to,   ip_to,   kr_sockaddr_len(ip_to));
data/knot-resolver-5.2.0/daemon/worker.c:1495:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(peer, addr, kr_sockaddr_len(addr));
data/knot-resolver-5.2.0/daemon/worker.c:2239:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char cwd[PATH_MAX];
data/knot-resolver-5.2.0/daemon/zimport.c:202:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char key[KR_RRKEY_LEN];
data/knot-resolver-5.2.0/daemon/zimport.c:480:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char key[KR_RRKEY_LEN];
data/knot-resolver-5.2.0/daemon/zimport.c:648:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char key[KR_RRKEY_LEN];
data/knot-resolver-5.2.0/lib/cache/api.c:122:24:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	int ret = cache->api->open(&cache->db, &cache->stats, opts, mm);
data/knot-resolver-5.2.0/lib/cache/api.c:135:21:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
		ret = cache->api->open(&cache->db, &cache->stats, &opts2, mm);
data/knot-resolver-5.2.0/lib/cache/api.c:320:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(k->buf + name_len + 3, &type, 2);
data/knot-resolver-5.2.0/lib/cache/api.c:584:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
			memcpy(*npp, rdata->data, np_dlen);
data/knot-resolver-5.2.0/lib/cache/api.c:794:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(el[0].data, &valid_until, sizeof(valid_until));
data/knot-resolver-5.2.0/lib/cache/api.c:796:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy((uint8_t *)el[0].data + sizeof(valid_until), nsec_p,
data/knot-resolver-5.2.0/lib/cache/api.c:931:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(type, tag + 1, sizeof(uint16_t));
data/knot-resolver-5.2.0/lib/cache/api.c:959:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(keys[i].data, keyval[i][0].data, keys[i].len);
data/knot-resolver-5.2.0/lib/cache/cdb_api.h:18:11:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	uint64_t open;
data/knot-resolver-5.2.0/lib/cache/cdb_api.h:52:8:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	int (*open)(kr_cdb_pt *db, struct kr_cdb_stats *stat, struct kr_cdb_opts *opts, knot_mm_t *mm);
data/knot-resolver-5.2.0/lib/cache/cdb_lmdb.c:498:17:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	const int fd = open(path, O_CREAT|O_RDWR, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP);
data/knot-resolver-5.2.0/lib/cache/entry_list.c:30:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
			memcpy(it, list[i].data, list[i].len);
data/knot-resolver-5.2.0/lib/cache/entry_list.c:279:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(val.data, buf, val.len); /* we also copy the "empty" space, but well... */
data/knot-resolver-5.2.0/lib/cache/entry_pkt.c:128:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(eh->data, &pkt_size, sizeof(pkt_size));
data/knot-resolver-5.2.0/lib/cache/entry_pkt.c:129:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(eh->data + sizeof(pkt_size), pkt->wire, pkt_size);
data/knot-resolver-5.2.0/lib/cache/entry_pkt.c:165:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(pkt->wire, eh->data + 2, pkt_len);
data/knot-resolver-5.2.0/lib/cache/entry_rr.c:24:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(data, &rr_count, sizeof(rr_count));
data/knot-resolver-5.2.0/lib/cache/entry_rr.c:28:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(data, rds->rdata, size);
data/knot-resolver-5.2.0/lib/cache/entry_rr.c:65:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(rds->rdata, d, rds_size);
data/knot-resolver-5.2.0/lib/cache/nsec3.c:40:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(begin + 2, &nsec_p_hash, sizeof(nsec_p_hash));
data/knot-resolver-5.2.0/lib/cache/nsec3.c:108:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(knot_db_val_bound(val), hash.data, NSEC3_HASH_LEN);
data/knot-resolver-5.2.0/lib/cache/nsec3.c:259:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(text, owner + 1, MIN(owner[0], NSEC3_HASH_TXT_LEN));
data/knot-resolver-5.2.0/lib/cache/nsec3.c:293:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
			char hash_txt[NSEC3_HASH_TXT_LEN + 1];
data/knot-resolver-5.2.0/lib/cache/nsec3.c:352:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
				char hash_low_txt[NSEC3_HASH_TXT_LEN + 1];
data/knot-resolver-5.2.0/lib/cache/nsec3.c:429:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
		char hash_txt[NSEC3_HASH_TXT_LEN + 1];
data/knot-resolver-5.2.0/lib/cache/nsec3.c:461:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
			char hash_low_txt[NSEC3_HASH_TXT_LEN + 1];
data/knot-resolver-5.2.0/lib/cookies/helper.c:210:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(cookie, sc_input->cc, sc_input->cc_len);
data/knot-resolver-5.2.0/lib/cookies/lru_cache.c:54:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(cached->opt_data, opt, opt_size);
data/knot-resolver-5.2.0/lib/dnssec/nsec3.c:343:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(tgt, "\1*", 3);
data/knot-resolver-5.2.0/lib/dnssec/nsec3.c:469:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(wildcard + 2, encloser, encloser_len);
data/knot-resolver-5.2.0/lib/dnssec/signature.c:97:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(wire + i, &new_ttl, sizeof(uint32_t));
data/knot-resolver-5.2.0/lib/dnssec/signature.c:100:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(&rdlen, wire + i, sizeof(uint16_t));
data/knot-resolver-5.2.0/lib/generic/lru.c:238:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(it->data, key, key_len);
data/knot-resolver-5.2.0/lib/generic/map.c:107:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(x->key, str, len);
data/knot-resolver-5.2.0/lib/generic/pack.h:160:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(endp, (char *)&len, sizeof(len));
data/knot-resolver-5.2.0/lib/generic/pack.h:161:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(endp + sizeof(len), obj, len);
data/knot-resolver-5.2.0/lib/generic/pack.h:228:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy((*dst)->at, src->at, src->len);
data/knot-resolver-5.2.0/lib/generic/queue.c:60:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
			memcpy(t->data, t->data + t->begin * q->item_size,
data/knot-resolver-5.2.0/lib/generic/queue.c:95:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
			memcpy(h->data + (h->cap - cnt) * q->item_size, h->data,
data/knot-resolver-5.2.0/lib/generic/test_array.c:54:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
			memcpy(new_mem, *mem, (*have) * elm_size);
data/knot-resolver-5.2.0/lib/generic/test_lru.c:71:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char key[16];
data/knot-resolver-5.2.0/lib/generic/test_trie.c:72:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char *dict_sorted[dict_size];
data/knot-resolver-5.2.0/lib/generic/test_trie.c:73:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(dict_sorted, dict, sizeof(dict));
data/knot-resolver-5.2.0/lib/generic/test_trie.c:107:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
		char key_buf[len];
data/knot-resolver-5.2.0/lib/generic/trie.c:410:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(key, found.l->key->chars, found.l->key->len);
data/knot-resolver-5.2.0/lib/generic/trie.c:469:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
			memcpy(st, ns->stack, ns->len * sizeof(node_t *));
data/knot-resolver-5.2.0/lib/generic/trie.c:741:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(k->chars, key, len);
data/knot-resolver-5.2.0/lib/layer/iterate.c:162:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
		char name_str[KR_DNAME_STR_MAXLEN];
data/knot-resolver-5.2.0/lib/layer/iterate.c:163:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
		char addr_str[INET6_ADDRSTRLEN];
data/knot-resolver-5.2.0/lib/layer/iterate.c:278:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
			memcpy(parent, cut, sizeof(*parent));
data/knot-resolver-5.2.0/lib/nsrep.c:26:6:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    	memcpy(&sa ## _addr, (addr), (len)); \
data/knot-resolver-5.2.0/lib/nsrep.c:176:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
			char sa_str[INET6_ADDRSTRLEN];
data/knot-resolver-5.2.0/lib/nsrep.c:476:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(dst, src, sizeof(struct kr_nsrep));
data/knot-resolver-5.2.0/lib/resolve.c:875:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
				char addr_str[INET6_ADDRSTRLEN];
data/knot-resolver-5.2.0/lib/resolve.c:888:6:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
			 	char addr_str[INET6_ADDRSTRLEN];
data/knot-resolver-5.2.0/lib/rplan.c:35:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
		unsigned char chars[sizeof(struct kr_qflags)];
data/knot-resolver-5.2.0/lib/test_utils.c:27:32:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	auto_fclose FILE* null_file = fopen("/dev/null", "r");
data/knot-resolver-5.2.0/lib/test_utils.c:37:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char addr_buf[16] = {'\0'};
data/knot-resolver-5.2.0/lib/test_utils.c:58:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char ip4_sub[4], ip6_sub[16];
data/knot-resolver-5.2.0/lib/utils.c:50:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
				memcpy(p, what,
data/knot-resolver-5.2.0/lib/utils.c:203:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
				memcpy(stream, item, len + 1);
data/knot-resolver-5.2.0/lib/utils.c:221:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
		char buf[PATH_MAX];
data/knot-resolver-5.2.0/lib/utils.c:248:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(mem_new, *mem, (*have)*(elm_size));
data/knot-resolver-5.2.0/lib/utils.c:270:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(buf, pkt->wire, base_size);
data/knot-resolver-5.2.0/lib/utils.c:277:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(pkt->wire, buf, base_size);
data/knot-resolver-5.2.0/lib/utils.c:505:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(res->sun_path, addr, alen);
data/knot-resolver-5.2.0/lib/utils.c:546:28:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
int kr_straddr_split(const char *instr, char ipaddr[static restrict (INET6_ADDRSTRLEN + 1)],
data/knot-resolver-5.2.0/lib/utils.c:546:41:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
int kr_straddr_split(const char *instr, char ipaddr[static restrict (INET6_ADDRSTRLEN + 1)],
data/knot-resolver-5.2.0/lib/utils.c:567:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(ipaddr, instr, addrlen);
data/knot-resolver-5.2.0/lib/utils.c:589:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(buf, addr, len + 1);
data/knot-resolver-5.2.0/lib/utils.c:889:6:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
					memcpy(raw_it, ra->at[i], size);
data/knot-resolver-5.2.0/lib/utils.c:957:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
		char name[3];
data/knot-resolver-5.2.0/lib/utils.c:1034:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char flags[32];
data/knot-resolver-5.2.0/lib/utils.c:1195:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(d, lf + label_start, label_len);
data/knot-resolver-5.2.0/lib/utils.c:1227:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(d, buf + buf_begin, size1);
data/knot-resolver-5.2.0/lib/utils.c:1236:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(d, buf, size);
data/knot-resolver-5.2.0/lib/utils.h:99:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char dname_str[KR_DNAME_STR_MAXLEN]; \
data/knot-resolver-5.2.0/lib/utils.h:104:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char rrtype_str[KR_RRTYPE_STR_MAXLEN]; \
data/knot-resolver-5.2.0/lib/utils.h:351:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	static char str[INET6_ADDRSTRLEN + 1 + 5 + 1];
data/knot-resolver-5.2.0/lib/utils.h:385:28:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
int kr_straddr_split(const char *instr, char ipaddr[static restrict (INET6_ADDRSTRLEN + 1)],
data/knot-resolver-5.2.0/lib/utils.h:385:41:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
int kr_straddr_split(const char *instr, char ipaddr[static restrict (INET6_ADDRSTRLEN + 1)],
data/knot-resolver-5.2.0/lib/utils.h:470:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char type_str[32] = {0};
data/knot-resolver-5.2.0/lib/utils.h:483:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	unsigned char swap_temp[sizeof(x) == sizeof(y) ? (ssize_t)sizeof(x) : -1]; \
data/knot-resolver-5.2.0/lib/utils.h:484:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(swap_temp, &y, sizeof(x)); \
data/knot-resolver-5.2.0/lib/utils.h:485:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(&y,        &x, sizeof(x)); \
data/knot-resolver-5.2.0/lib/utils.h:531:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(dst + 1, right_aligned_dname_start + 1, len);
data/knot-resolver-5.2.0/lib/zonecut.c:93:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(to, from, sizeof(*to));
data/knot-resolver-5.2.0/modules/bogus_log/bogus_log.c:45:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char key[sizeof(type) + KNOT_DNAME_MAXLEN];
data/knot-resolver-5.2.0/modules/bogus_log/bogus_log.c:46:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(key, &type, sizeof(type));
data/knot-resolver-5.2.0/modules/cookies/cookiectl.c:141:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(sq->data, sec->data, sq->size);
data/knot-resolver-5.2.0/modules/hints/hints.c:188:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char reverse_addr[REV_MAXLEN];
data/knot-resolver-5.2.0/modules/hints/hints.c:317:25:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	auto_fclose FILE *fp = fopen(path, "r");
data/knot-resolver-5.2.0/modules/hints/hints.c:441:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char buf[INET6_ADDRSTRLEN];
data/knot-resolver-5.2.0/modules/hints/hints.c:631:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(pool, &_pool, sizeof(*pool));
data/knot-resolver-5.2.0/modules/http/debug_opensslkeylog.c:85:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char line[PREFIX_LEN + 2 * SSL3_RANDOM_SIZE + 1 +
data/knot-resolver-5.2.0/modules/http/debug_opensslkeylog.c:88:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(line, PREFIX, PREFIX_LEN);
data/knot-resolver-5.2.0/modules/http/debug_opensslkeylog.c:116:19:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	keylog_file_fd = open(filename, O_WRONLY | O_APPEND | O_CREAT, 0600);
data/knot-resolver-5.2.0/modules/http/debug_opensslkeylog.c:119:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
            char txtnow[30] = { '#', ' ', 0 };
data/knot-resolver-5.2.0/modules/http/debug_opensslkeylog.c:161:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
data/knot-resolver-5.2.0/modules/http/debug_opensslkeylog.c:190:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(master_key_out, session->master_key,
data/knot-resolver-5.2.0/modules/http/debug_opensslkeylog.c:208:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(client_random, ssl->s3->client_random, SSL3_RANDOM_SIZE);
data/knot-resolver-5.2.0/modules/http/debug_opensslkeylog.c:251:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    unsigned char client_random[SSL3_RANDOM_SIZE];
data/knot-resolver-5.2.0/modules/http/debug_opensslkeylog.c:252:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/ac_slow.cxx:190:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    FILE* f = fopen(txtfile, "w+");
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/ac_slow.cxx:224:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    FILE* f = fopen(dotfile, "w+");
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/ac_slow.cxx:309:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(_pattern_buf + ofst, strv[i], l);
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/ac_bench.cxx:78:11:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    _fd = open(filepath, 0);
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/ac_bench.cxx:327:15:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        _fd = open(_infile, 0);
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/ac_bench.cxx:416:25:  [2] (integer) atol:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
            iteration = atol(optarg);
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/ac_bench.cxx:430:26:  [2] (integer) atol:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
            piece_size = atol(optarg);
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/ac_test_aggr.cxx:61:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(t, key, len);
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/test_bigfile.cxx:88:22:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    int fd = _fd = ::open(_filepath, O_RDONLY);
data/knot-resolver-5.2.0/modules/stats/stats.c:113:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(key, &type, sizeof(type));
data/knot-resolver-5.2.0/modules/stats/stats.c:124:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char key[sizeof(uint16_t) + KNOT_DNAME_MAXLEN];
data/knot-resolver-5.2.0/modules/stats/stats.c:163:17:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	case AF_INET:  memcpy(e, src, sizeof(struct sockaddr_in)); break;
data/knot-resolver-5.2.0/modules/stats/stats.c:164:17:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	case AF_INET6: memcpy(e, src, sizeof(struct sockaddr_in6)); break;
data/knot-resolver-5.2.0/modules/stats/stats.c:324:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
			sprintf(ret, "%zu", const_metrics[i].val);
data/knot-resolver-5.2.0/modules/stats/stats.c:334:2:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
	sprintf(ret, "%zu", (size_t) val);
data/knot-resolver-5.2.0/modules/stats/stats.c:433:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
		char addr_str[INET6_ADDRSTRLEN];
data/knot-resolver-5.2.0/tests/pytests/proxy/tls-proxy.c:74:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char uv_wire_buf[65535 * 2];
data/knot-resolver-5.2.0/tests/pytests/proxy/tls-proxy.c:137:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char str[INET6_ADDRSTRLEN + 6];
data/knot-resolver-5.2.0/tests/pytests/proxy/tls-proxy.c:149:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(buf, str, len + 1);
data/knot-resolver-5.2.0/tests/pytests/proxy/tls-proxy.c:160:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	static char str[INET6_ADDRSTRLEN + 6];
data/knot-resolver-5.2.0/tests/pytests/proxy/tls-proxy.c:386:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(&upstream->addr, &proxy->upstream_addr, sizeof(struct sockaddr_storage));
data/knot-resolver-5.2.0/tests/pytests/proxy/tls-proxy.c:570:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(b->buf, buf, b->size);
data/knot-resolver-5.2.0/tests/pytests/proxy/tls-proxy.c:583:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(b->buf, buf, b->size);
data/knot-resolver-5.2.0/tests/pytests/proxy/tls-proxy.c:615:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(buf, t->buf + t->consumed, transfer);
data/knot-resolver-5.2.0/tests/pytests/proxy/tls-proxy.c:633:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(data, buf, len);
data/knot-resolver-5.2.0/tests/unit/test.h:42:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char buf[512];
data/knot-resolver-5.2.0/tests/unit/test.h:64:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	static char env_path[64];
data/knot-resolver-5.2.0/tests/unit/test.h:65:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(env_path, "./tmpXXXXXX");
data/knot-resolver-5.2.0/utils/cache_gc/db.c:15:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char cache_data[strlen(cache_path) + 10];
data/knot-resolver-5.2.0/utils/cache_gc/db.c:249:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
			memcpy(key_storage, key.data, key.len);
data/knot-resolver-5.2.0/utils/cache_gc/kr_cache_gc.c:59:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(to, from, sizeof(knot_db_val_t));
data/knot-resolver-5.2.0/utils/cache_gc/kr_cache_gc.c:61:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
		memcpy(to->data, from->data, from->len);
data/knot-resolver-5.2.0/utils/cache_gc/kr_cache_gc.c:86:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char type_s[32] = { 0 };
data/knot-resolver-5.2.0/utils/client/kresc.c:300:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(addr.sun_path, path, plen + 1);
data/knot-resolver-5.2.0/utils/client/kresc.c:381:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
		char *dirs[3] =
data/knot-resolver-5.2.0/bench/bench_lru.c:70:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	size_t len = strlen(s);
data/knot-resolver-5.2.0/bench/bench_lru.c:98:6:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
	if (read(fd, fbuf, flen) < 0)
data/knot-resolver-5.2.0/contrib/ccan/json/json.c:21:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	char *ret = (char*) malloc(strlen(str) + 1);
data/knot-resolver-5.2.0/contrib/ccan/json/json.c:83:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	sb_put(sb, str, strlen(str));
data/knot-resolver-5.2.0/contrib/ccan/json/json.c:89:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	assert(sb->start <= sb->cur && strlen(sb->start) == (size_t)(sb->cur - sb->start));
data/knot-resolver-5.2.0/contrib/ucw/mempool.h:368:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return mp_append_block(pool, p, str, strlen(str));
data/knot-resolver-5.2.0/daemon/bindings/cache.c:87:11:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
	add_stat(read);
data/knot-resolver-5.2.0/daemon/bindings/cache.c:115:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		if (strncmp(*conf, api->name, strlen(api->name)) == 0) {
data/knot-resolver-5.2.0/daemon/bindings/cache.c:116:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			*conf += strlen(api->name) + strlen("://");
data/knot-resolver-5.2.0/daemon/bindings/cache.c:116:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			*conf += strlen(api->name) + strlen("://");
data/knot-resolver-5.2.0/daemon/bindings/cache.c:196:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		(conf && strlen(conf)) ? conf : ".",
data/knot-resolver-5.2.0/daemon/bindings/cache.c:388:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120). Risk is low because the source is a
  constant string.
		strncpy(msg, "internal error, empty worker pointer", sizeof(msg));
data/knot-resolver-5.2.0/daemon/bindings/cache.c:393:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120). Risk is low because the source is a
  constant string.
		strncpy(msg, "import already started", sizeof(msg));
data/knot-resolver-5.2.0/daemon/bindings/cache.c:402:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120). Risk is low because the source is a
  constant string.
		strncpy(msg, "expected 'cache.zone_import(path to zone file)'", sizeof(msg));
data/knot-resolver-5.2.0/daemon/bindings/cache.c:416:4:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120). Risk is low because the source is a
  constant string.
			strncpy(msg, "can't allocate zone import context", sizeof(msg));
data/knot-resolver-5.2.0/daemon/bindings/cache.c:426:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120). Risk is low because the source is a
  constant string.
		strncpy(msg, "zone file successfully parsed, import started", sizeof(msg));
data/knot-resolver-5.2.0/daemon/bindings/cache.c:428:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120). Risk is low because the source is a
  constant string.
		strncpy(msg, "TA not found", sizeof(msg));
data/knot-resolver-5.2.0/daemon/bindings/cache.c:430:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120). Risk is low because the source is a
  constant string.
		strncpy(msg, "error parsing zone file", sizeof(msg));
data/knot-resolver-5.2.0/daemon/bindings/net.c:268:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	const int kind_alen = flags.kind ? strlen(flags.kind) + 1 : 1 /* 0 length isn't C standard */;
data/knot-resolver-5.2.0/daemon/bindings/net.c:583:5:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		h[strlen(h) - 1] = '\0';
data/knot-resolver-5.2.0/daemon/bindings/net.c:651:53:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			int ret = kr_base64_decode((const uint8_t *)pin, strlen(pin),
data/knot-resolver-5.2.0/daemon/bindings/net.c:655:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
					pin, (int)strlen(pin), knot_strerror(ret));
data/knot-resolver-5.2.0/daemon/bindings/net.c:852:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if (strlen(file_name) == 0)
data/knot-resolver-5.2.0/daemon/engine.c:245:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if (strlen(file) == 0 || !ctx) {
data/knot-resolver-5.2.0/daemon/engine.c:501:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	int ret = l_dobytecode(engine->L, l_paths, strlen(l_paths), "");
data/knot-resolver-5.2.0/daemon/http.c:151:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		end = beg + strlen(beg);
data/knot-resolver-5.2.0/daemon/io.c:647:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			data->blen = data->blen + strlen(cmd);
data/knot-resolver-5.2.0/daemon/network.c:46:5:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
				strlen(ep->flags.kind));
data/knot-resolver-5.2.0/daemon/network.c:106:5:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
				strlen(ep->flags.kind));
data/knot-resolver-5.2.0/daemon/tls.c:1083:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
					entry->hostname, strlen(entry->hostname));
data/knot-resolver-5.2.0/daemon/tls_ephemeral_credentials.c:93:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
		bytes_read = read(datafd, data.data, stat.st_size);
data/knot-resolver-5.2.0/daemon/tls_ephemeral_credentials.c:163:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	size_t namelen = strlen(servicename);
data/knot-resolver-5.2.0/daemon/zimport.c:621:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if (knot_dname_size(s->r_owner) != strlen((const char *)(s->r_owner)) + 1) {
data/knot-resolver-5.2.0/lib/cache/api.c:74:28:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
	int ret = cache_op(cache, read, &key, &val, 1);
data/knot-resolver-5.2.0/lib/cache/api.c:281:41:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	const bool ret = knot_dname_size(n) == strlen((const char *)n) + 1;
data/knot-resolver-5.2.0/lib/cache/api.c:635:24:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
	ret = cache_op(cache, read, &key, &val, 1);
data/knot-resolver-5.2.0/lib/cache/api.c:742:24:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
	ret = cache_op(cache, read, &key, &val_orig, 1);
data/knot-resolver-5.2.0/lib/cache/api.c:829:24:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
	ret = cache_op(cache, read, &key, &val, 1);
data/knot-resolver-5.2.0/lib/cache/cdb_api.h:24:11:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
	uint64_t read;
data/knot-resolver-5.2.0/lib/cache/cdb_api.h:62:8:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
	int (*read)(kr_cdb_pt db, struct kr_cdb_stats *stat,
data/knot-resolver-5.2.0/lib/cache/entry_list.c:221:25:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
		ret = cache_op(cache, read, &key, &val, 1);
data/knot-resolver-5.2.0/lib/cache/peek.c:131:25:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
		ret = cache_op(cache, read, &key, &val, 1);
data/knot-resolver-5.2.0/lib/cache/peek.c:257:25:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
		ret = cache_op(cache, read, &key, &val, 1);
data/knot-resolver-5.2.0/lib/cache/peek.c:572:28:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
	int ret = cache_op(cache, read, &key, &val, 1);
data/knot-resolver-5.2.0/lib/cache/peek.c:676:29:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
		int ret = cache_op(cache, read, &key, &val, 1);
data/knot-resolver-5.2.0/lib/generic/map.c:116:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	const size_t ulen = strlen(str);
data/knot-resolver-5.2.0/lib/generic/map.c:164:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	const size_t ulen = strlen(str);
data/knot-resolver-5.2.0/lib/generic/map.c:265:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	const size_t ulen = strlen(str);
data/knot-resolver-5.2.0/lib/generic/map.c:324:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	const size_t ulen = strlen(prefix);
data/knot-resolver-5.2.0/lib/generic/map.c:350:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if (strlen((const char *)data->key) < ulen || memcmp(data->key, prefix, ulen) != 0) {
data/knot-resolver-5.2.0/lib/generic/test_lru.c:15:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define KEY_LEN(x) (strlen(x) + 1)
data/knot-resolver-5.2.0/lib/generic/test_map.c:60:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	in = malloc(strlen(dict[23])+1);
data/knot-resolver-5.2.0/lib/generic/test_map.c:66:5:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	in[strlen(in)/2] = '\0';
data/knot-resolver-5.2.0/lib/generic/test_set.c:85:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	in = malloc(strlen(dict[23])+1);
data/knot-resolver-5.2.0/lib/generic/test_set.c:91:5:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	in[strlen(in)/2] = '\0';
data/knot-resolver-5.2.0/lib/generic/test_trie.c:33:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define KEY_LEN(x) (strlen(x) + 1)
data/knot-resolver-5.2.0/lib/utils.c:82:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define strlen_safe(x) ((x) ? strlen(x) : 0)
data/knot-resolver-5.2.0/lib/utils.c:202:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
				size_t len = strlen(item);
data/knot-resolver-5.2.0/lib/utils.c:440:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	const int len = strlen(buf);
data/knot-resolver-5.2.0/lib/utils.c:499:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		const size_t alen = strlen(addr) + 1;
data/knot-resolver-5.2.0/lib/utils.c:564:53:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	const size_t addrlen = p_start ? p_start - instr : strlen(instr);
data/knot-resolver-5.2.0/lib/utils.c:584:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	int len = strlen(addr);
data/knot-resolver-5.2.0/lib/utils.c:1146:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if (err == NULL || err != time1_str + strlen(time1_str))
data/knot-resolver-5.2.0/lib/utils.c:1154:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if (err == NULL || err != time0_str + strlen(time0_str))
data/knot-resolver-5.2.0/lib/utils.h:192:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
		strncpy(out, errprefix, len);
data/knot-resolver-5.2.0/modules/cookies/cookiectl.c:69:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	size_t len = strlen(hexstr);
data/knot-resolver-5.2.0/modules/cookies/cookiectl.c:230:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	size_t len = strlen(hexstr);
data/knot-resolver-5.2.0/modules/cookies/cookiectl.c:535:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if (!args || !strlen(args)) {
data/knot-resolver-5.2.0/modules/cookies/cookiectl.c:539:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if (!args || !strlen(args)) {
data/knot-resolver-5.2.0/modules/dnstap/dnstap.c:253:4:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			strlen(DNSTAP_CONTENT_TYPE));
data/knot-resolver-5.2.0/modules/dnstap/dnstap.c:304:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if (!conf || strlen(conf) < 1) {
data/knot-resolver-5.2.0/modules/hints/hints.c:337:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		if (addr == NULL || strchr(addr, '#') || strlen(addr) == 0) {
data/knot-resolver-5.2.0/modules/http/debug_opensslkeylog.c:122:43:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            write(keylog_file_fd, txtnow, strlen(txtnow));
data/knot-resolver-5.2.0/modules/http/debug_opensslkeylog.c:345:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        write(keylog_file_fd, line, strlen(line));
data/knot-resolver-5.2.0/modules/nsid/nsid.c:75:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		config->local_nsid_len = strlen(args);
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/ac_slow.hpp:104:63:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    Match_Result Match(const char* s) const { return Match(s, strlen(s)); }
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/mytest.cxx:105:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            int len = strlen(str);
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/mytest.cxx:137:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                int mlen = strlen(match);
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/ac_test_simple.cxx:102:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            strlen_v[i] = strlen(s);
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/ac_test_simple.cxx:121:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            int len = strlen(str);
data/knot-resolver-5.2.0/modules/policy/lua-aho-corasick/tests/ac_test_simple.cxx:161:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                int mlen = strlen(match);
data/knot-resolver-5.2.0/modules/stats/stats.c:356:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	size_t args_len = args ? strlen(args) : 0;
data/knot-resolver-5.2.0/tests/pytests/proxy/tls-proxy.c:141:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	int len = strlen(str);
data/knot-resolver-5.2.0/utils/cache_gc/db.c:15:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	char cache_data[strlen(cache_path) + 10];
data/knot-resolver-5.2.0/utils/cache_gc/kr_cache_gc.c:317:5:  [1] (obsolete) usleep:
  This C routine is considered obsolete (as opposed to the shell command by
  the same name). The interaction of this function with SIGALRM and other
  timer functions such as sleep(), alarm(), setitimer(), and nanosleep() is
  unspecified (CWE-676). Use nanosleep(2) or setitimer(2) instead.
				usleep(cfg->rw_txn_delay);
data/knot-resolver-5.2.0/utils/cache_gc/main.c:158:3:  [1] (obsolete) usleep:
  This C routine is considered obsolete (as opposed to the shell command by
  the same name). The interaction of this function with SIGALRM and other
  timer functions such as sleep(), alarm(), setitimer(), and nanosleep() is
  unspecified (CWE-676). Use nanosleep(2) or setitimer(2) instead.
		usleep(cfg.gc_interval);
data/knot-resolver-5.2.0/utils/client/kresc.c:35:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if (strncmp(a, b, strlen(b)) == 0)
data/knot-resolver-5.2.0/utils/client/kresc.c:74:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		type[(strlen(type)) - 1] = '\0';
data/knot-resolver-5.2.0/utils/client/kresc.c:130:32:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		if (!dot || dot - str + 1 == strlen(str)) {
data/knot-resolver-5.2.0/utils/client/kresc.c:294:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	size_t plen = strlen(path);

ANALYSIS SUMMARY:

Hits = 343
Lines analyzed = 48150 in approximately 6.00 seconds (8023 lines/second)
Physical Source Lines of Code (SLOC) = 34590
Hits@level = [0] 235 [1]  90 [2] 217 [3]  13 [4]  23 [5]   0
Hits@level+ = [0+] 578 [1+] 343 [2+] 253 [3+]  36 [4+]  23 [5+]   0
Hits/KSLOC@level+ = [0+] 16.71 [1+] 9.91616 [2+] 7.31425 [3+] 1.04076 [4+] 0.664932 [5+]   0
Symlinks skipped = 3 (--allowlink overrides but see doc for security issue)
Dot directories skipped = 33 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.