stdin

Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libjsonparser-1.1.0/bindings/python/wrap_json.c
Examining data/libjsonparser-1.1.0/json.h
Examining data/libjsonparser-1.1.0/examples/test_json.c
Examining data/libjsonparser-1.1.0/json.c

FINAL RESULTS:

data/libjsonparser-1.1.0/json.c:958:10:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
         strcpy (error_buf, error);
data/libjsonparser-1.1.0/bindings/python/wrap_json.c:87:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char error[256];
data/libjsonparser-1.1.0/examples/test_json.c:146:14:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        fp = fopen(filename, "rt");
data/libjsonparser-1.1.0/json.c:264:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
   memcpy (&state.settings, settings, sizeof (json_settings));
data/libjsonparser-1.1.0/json.c:297:16:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
            {  sprintf (error, "Unexpected EOF in string (at %d:%d)", line_and_col);
data/libjsonparser-1.1.0/json.c:323:25:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                        sprintf (error, "Invalid character value `%c` (at %d:%d)", b, line_and_col);
data/libjsonparser-1.1.0/json.c:340:29:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                            sprintf (error, "Invalid character value `%c` (at %d:%d)", b, line_and_col);
data/libjsonparser-1.1.0/json.c:469:22:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                  {  sprintf (error, "%d:%d: Unexpected EOF in block comment", line_and_col);
data/libjsonparser-1.1.0/json.c:485:19:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
               {  sprintf (error, "%d:%d: Comment not allowed here", line_and_col);
data/libjsonparser-1.1.0/json.c:490:19:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
               {  sprintf (error, "%d:%d: EOF unexpected", line_and_col);
data/libjsonparser-1.1.0/json.c:505:22:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                     sprintf (error, "%d:%d: Unexpected `%c` in comment opening sequence", line_and_col, b);
data/libjsonparser-1.1.0/json.c:523:19:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                  sprintf (error, "%d:%d: Trailing garbage: `%c`",
data/libjsonparser-1.1.0/json.c:542:22:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                  {  sprintf (error, "%d:%d: Unexpected ]", line_and_col);
data/libjsonparser-1.1.0/json.c:558:25:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                        sprintf (error, "%d:%d: Expected , before %c",
data/libjsonparser-1.1.0/json.c:573:25:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                        sprintf (error, "%d:%d: Expected : before %c",
data/libjsonparser-1.1.0/json.c:699:28:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                        {  sprintf (error, "%d:%d: Unexpected %c when seeking value", line_and_col, b);
data/libjsonparser-1.1.0/json.c:719:25:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                     {  sprintf (error, "%d:%d: Expected , before \"", line_and_col);
data/libjsonparser-1.1.0/json.c:745:22:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                     sprintf (error, "%d:%d: Unexpected `%c` in object", line_and_col, b);
data/libjsonparser-1.1.0/json.c:763:28:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                        {  sprintf (error, "%d:%d: Unexpected `0` before `%c`", line_and_col, b);
data/libjsonparser-1.1.0/json.c:812:22:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                  {  sprintf (error, "%d:%d: Expected digit before `.`", line_and_col);
data/libjsonparser-1.1.0/json.c:829:25:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                     {  sprintf (error, "%d:%d: Expected digit after `.`", line_and_col);
data/libjsonparser-1.1.0/json.c:855:22:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                  {  sprintf (error, "%d:%d: Expected digit after `e`", line_and_col);
data/libjsonparser-1.1.0/json.c:940:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
   sprintf (error, "%d:%d: Unknown value", line_and_col);
data/libjsonparser-1.1.0/json.c:945:4:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
   strcpy (error, "Memory allocation failure");
data/libjsonparser-1.1.0/json.c:950:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
   sprintf (error, "%d:%d: Too long (caught overflow)", line_and_col);
data/libjsonparser-1.1.0/json.c:960:10:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
         strcpy (error_buf, "Unknown error");
data/libjsonparser-1.1.0/bindings/python/wrap_json.c:88:57:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    json_value * value = json_parse_ex(&settings, data, strlen(data), error);

ANALYSIS SUMMARY:

Hits = 27
Lines analyzed = 1599 in approximately 0.10 seconds (16308 lines/second)
Physical Source Lines of Code (SLOC) = 1139
Hits@level = [0]  17 [1]   1 [2]  25 [3]   0 [4]   1 [5]   0
Hits@level+ = [0+]  44 [1+]  27 [2+]  26 [3+]   1 [4+]   1 [5+]   0
Hits/KSLOC@level+ = [0+] 38.6304 [1+] 23.705 [2+] 22.827 [3+] 0.877963 [4+] 0.877963 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.