Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/copyByteChar.c
Examining data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/copyByteDouble.c
Examining data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/copyByteFloat.c
Examining data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/copyByteInt.c
Examining data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/copyByteLong.c
Examining data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/copyByteShort.c
Examining data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/copyCommon.c
Examining data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/unix.c

FINAL RESULTS:

data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/unix.c:299:14:  [5] (race) readlink:
  This accepts filename arguments; if an attacker can move those files or
  change the link content, a race condition results. Also, it does not
  terminate with ASCII NUL. (CWE-362, CWE-20). Reconsider approach.
  retval = readlink(plinkname, plinkvalue, linkvallen);

data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/unix.c:317:14:  [5] (race) chmod:
  This accepts filename arguments; if an attacker can move those files, a
  race condition results. (CWE-362). Use fchmod( ) instead.
  retval = chmod(plinkname, mode);

data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/unix.c:334:14:  [5] (race) chown:
  This accepts filename arguments; if an attacker can move those files, a
  race condition results. (CWE-362). Use fchown( ) instead.
  retval = chown(plinkname, uid, gid);

data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/copyCommon.c:46:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char * args[2];

data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/copyCommon.c:104:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char * args[2];

data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/copyCommon.c:163:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char * args[2];

data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/copyCommon.c:221:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char * args[2];

data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/unix.c:98:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char *args[2];

data/libsis-base-java-18.09~pre1+git20180928.45fbd31+dfsg/source/c/unix.c:295:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char plinkvalue[linkvallen + 1];

ANALYSIS SUMMARY:

Hits = 9
Lines analyzed = 1219 in approximately 0.07 seconds (18327 lines/second)
Physical Source Lines of Code (SLOC) = 813
Hits@level = [0]   7 [1]   0 [2]   6 [3]   0 [4]   0 [5]   3
Hits@level+ = [0+]  16 [1+]   9 [2+]   9 [3+]   3 [4+]   3 [5+]   3
Hits/KSLOC@level+ = [0+] 19.6802 [1+] 11.0701 [2+] 11.0701 [3+] 3.69004 [4+] 3.69004 [5+] 3.69004
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.
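The three level-5 hits in unix.c share one root cause: each call takes a path, so the object the call acts on is whatever that name resolves to at the instant of the call, and readlink(2) on top of that never NUL-terminates what it writes. The six level-2 "char" hits are pattern matches on array declarations rather than demonstrated overflows; `char plinkvalue[linkvallen + 1]` in particular is a variable-length array whose size is computed at run time, so the thing to verify there is where `linkvallen` comes from and how the result is terminated, not the declaration itself. The following is an added example written for this report, not code from libsis-base-java; the helper names `read_link_nul`, `chmod_by_fd`, `chown_by_fd` and `run_demo`, the temporary directory and the files it creates are all mine. It shows a readlink wrapper that always terminates and reports possible truncation, and the open-then-fchmod/fchown pattern Flawfinder recommends, with O_NOFOLLOW so a symlink planted at the path is refused instead of silently redirecting the mode or owner change.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* readlink(2) writes at most bufsz bytes and never appends a NUL. Reserve one
 * byte for the terminator; if the kernel fills everything we offered, the
 * target may be longer than the buffer, so report ENAMETOOLONG instead of
 * returning a silently truncated path. */
static ssize_t read_link_nul(const char *path, char *buf, size_t bufsz)
{
    if (bufsz < 2) { errno = EINVAL; return -1; }
    ssize_t n = readlink(path, buf, bufsz - 1);
    if (n < 0) return -1;
    if ((size_t)n >= bufsz - 1) { errno = ENAMETOOLONG; return -1; }
    buf[n] = '\0';
    return n;
}

/* Resolve the name once, then act on the descriptor: fchmod/fchown apply to
 * the object we opened, not to whatever the name means a moment later.
 * O_NOFOLLOW makes a symlink at `path` an open error rather than a redirect. */
static int open_nofollow(const char *path)
{
    return open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

static int chmod_by_fd(const char *path, mode_t mode)
{
    int fd = open_nofollow(path);
    if (fd < 0) return -1;
    int rc = fchmod(fd, mode);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

static int chown_by_fd(const char *path, uid_t uid, gid_t gid)
{
    int fd = open_nofollow(path);
    if (fd < 0) return -1;
    int rc = fchown(fd, uid, gid);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Self-check on constructed input: a 0600 regular file and a symlink to it in
 * a fresh temporary directory. Returns 0 when every wrapper behaves as the
 * comments above claim, non-zero otherwise. */
int run_demo(void)
{
    char dir[] = "/tmp/readlink-demo-XXXXXX";
    char target[256], lnk[256], buf[64], tiny[4];
    struct stat st;
    int status = 1, fd;

    if (mkdtemp(dir) == NULL) return 1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) goto out;
    close(fd);
    if (symlink("target", lnk) != 0) goto out;

    /* normal case: terminated string, length returned */
    if (read_link_nul(lnk, buf, sizeof buf) != 6 || strcmp(buf, "target") != 0) goto out;
    /* buffer too small: refused, never a silently truncated "tar" */
    if (read_link_nul(lnk, tiny, sizeof tiny) != -1 || errno != ENAMETOOLONG) goto out;
    /* mode change through the symlink name is refused and the target is untouched ... */
    if (chmod_by_fd(lnk, 0644) == 0) goto out;
    if (stat(target, &st) != 0 || (st.st_mode & 07777) != 0600) goto out;
    /* ... and applied when given the real file; chown to our own ids needs no privilege */
    if (chmod_by_fd(target, 0644) != 0) goto out;
    if (chown_by_fd(target, getuid(), getgid()) != 0) goto out;
    if (stat(target, &st) != 0 || (st.st_mode & 07777) != 0644) goto out;
    status = 0;
out:
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return status;
}
```

Two caveats when porting this pattern into code like unix.c: opening with O_RDONLY requires read permission on the file, so a general chmod/chown tool that must work on unreadable files needs a different descriptor source (on Linux, O_PATH plus the *at variants), and refusing symlinks changes behaviour for callers that relied on chmod following them; decide per call site whether following the link was ever intended.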