Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/lua-apr-0.23.2.dfsg/etc/apreq_standalone.c
Examining data/lua-apr-0.23.2.dfsg/src/base64.c
Examining data/lua-apr-0.23.2.dfsg/src/buffer.c
Examining data/lua-apr-0.23.2.dfsg/src/crypt.c
Examining data/lua-apr-0.23.2.dfsg/src/date.c
Examining data/lua-apr-0.23.2.dfsg/src/dbd.c
Examining data/lua-apr-0.23.2.dfsg/src/dbm.c
Examining data/lua-apr-0.23.2.dfsg/src/env.c
Examining data/lua-apr-0.23.2.dfsg/src/errno.c
Examining data/lua-apr-0.23.2.dfsg/src/filepath.c
Examining data/lua-apr-0.23.2.dfsg/src/fnmatch.c
Examining data/lua-apr-0.23.2.dfsg/src/getopt.c
Examining data/lua-apr-0.23.2.dfsg/src/http.c
Examining data/lua-apr-0.23.2.dfsg/src/io_dir.c
Examining data/lua-apr-0.23.2.dfsg/src/io_file.c
Examining data/lua-apr-0.23.2.dfsg/src/io_net.c
Examining data/lua-apr-0.23.2.dfsg/src/io_pipe.c
Examining data/lua-apr-0.23.2.dfsg/src/ldap.c
Examining data/lua-apr-0.23.2.dfsg/src/lua_apr.c
Examining data/lua-apr-0.23.2.dfsg/src/lua_apr.h
Examining data/lua-apr-0.23.2.dfsg/src/memcache.c
Examining data/lua-apr-0.23.2.dfsg/src/memory_pool.c
Examining data/lua-apr-0.23.2.dfsg/src/object.c
Examining data/lua-apr-0.23.2.dfsg/src/permissions.c
Examining data/lua-apr-0.23.2.dfsg/src/pollset.c
Examining data/lua-apr-0.23.2.dfsg/src/proc.c
Examining data/lua-apr-0.23.2.dfsg/src/serialize.c
Examining data/lua-apr-0.23.2.dfsg/src/shm.c
Examining data/lua-apr-0.23.2.dfsg/src/signal.c
Examining data/lua-apr-0.23.2.dfsg/src/stat.c
Examining data/lua-apr-0.23.2.dfsg/src/str.c
Examining data/lua-apr-0.23.2.dfsg/src/thread.c
Examining data/lua-apr-0.23.2.dfsg/src/thread_queue.c
Examining data/lua-apr-0.23.2.dfsg/src/time.c
Examining data/lua-apr-0.23.2.dfsg/src/uri.c
Examining data/lua-apr-0.23.2.dfsg/src/user.c
Examining data/lua-apr-0.23.2.dfsg/src/uuid.c
Examining data/lua-apr-0.23.2.dfsg/src/xlate.c
Examining data/lua-apr-0.23.2.dfsg/src/xml.c

FINAL RESULTS:

data/lua-apr-0.23.2.dfsg/etc/apreq_standalone.c:26:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char message[LUA_APR_MSGSIZE];
data/lua-apr-0.23.2.dfsg/src/buffer.c:199:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[LUA_APR_MAXSTR2NUM + 1];
data/lua-apr-0.23.2.dfsg/src/buffer.c:219:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(buffer, CURSOR(B) + offset, test);
data/lua-apr-0.23.2.dfsg/src/buffer.c:481:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
          memcpy(&B->data[B->limit], data, size);
data/lua-apr-0.23.2.dfsg/src/buffer.c:487:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
          memcpy(&B->data[B->limit], "\r\n", 2);
data/lua-apr-0.23.2.dfsg/src/crypt.c:69:14:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
    if (2 != sprintf(&formatted[i*2], "%02x", digest[i]))
data/lua-apr-0.23.2.dfsg/src/crypt.c:103:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char digest[120];
data/lua-apr-0.23.2.dfsg/src/crypt.c:161:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char password[256]; /* arbitrary limit */
data/lua-apr-0.23.2.dfsg/src/crypt.c:255:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char digest[APR_MD5_DIGESTSIZE];
data/lua-apr-0.23.2.dfsg/src/crypt.c:256:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char formatted[APR_MD5_DIGESTSIZE*2 + 1];
data/lua-apr-0.23.2.dfsg/src/crypt.c:374:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char digest[APR_SHA1_DIGESTSIZE];
data/lua-apr-0.23.2.dfsg/src/crypt.c:375:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char formatted[APR_SHA1_DIGESTSIZE*2 + 1];
data/lua-apr-0.23.2.dfsg/src/dbm.c:45:56:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
static lua_apr_dbm *dbm_check(lua_State *L, int i, int open)
data/lua-apr-0.23.2.dfsg/src/dbm.c:48:7:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if (open && dbm->handle == NULL)
data/lua-apr-0.23.2.dfsg/src/getopt.c:72:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buffer[2] = { '\0', '\0' };
data/lua-apr-0.23.2.dfsg/src/http.c:113:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[LUA_APR_MSGSIZE];
data/lua-apr-0.23.2.dfsg/src/http.c:489:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(string, encoded, enclen);
data/lua-apr-0.23.2.dfsg/src/io_file.c:52:51:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
lua_apr_file *file_check(lua_State *L, int i, int open)
data/lua-apr-0.23.2.dfsg/src/io_file.c:55:7:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if (open && file->handle == NULL)
data/lua-apr-0.23.2.dfsg/src/io_file.c:83:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char message[LUA_APR_MSGSIZE];
data/lua-apr-0.23.2.dfsg/src/io_net.c:64:62:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
static lua_apr_socket* socket_check(lua_State *L, int i, int open)
data/lua-apr-0.23.2.dfsg/src/io_net.c:67:7:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if (open && object->handle == NULL)
data/lua-apr-0.23.2.dfsg/src/io_net.c:160:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char hostname[APRMAXHOSTLEN + 1];
data/lua-apr-0.23.2.dfsg/src/io_net.c:385:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[1024], ip_addr[APRMAXHOSTLEN];
data/lua-apr-0.23.2.dfsg/src/lua_apr.c:420:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char message[LUA_APR_MSGSIZE];
data/lua-apr-0.23.2.dfsg/src/object.c:52:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(clone, object, T->objsize);
data/lua-apr-0.23.2.dfsg/src/permissions.c:73:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char str[9], *p = str;
data/lua-apr-0.23.2.dfsg/src/pollset.c:43:73:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
static lua_apr_pollset_object* check_pollset(lua_State *L, int idx, int open) {
data/lua-apr-0.23.2.dfsg/src/pollset.c:45:7:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if (open && object->pollset == NULL)
data/lua-apr-0.23.2.dfsg/src/serialize.c:50:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char uuid[APR_UUID_FORMATTED_LENGTH + 1];
data/lua-apr-0.23.2.dfsg/src/str.c:138:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[5];
data/lua-apr-0.23.2.dfsg/src/thread.c:325:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
      char message[LUA_APR_MSGSIZE];
data/lua-apr-0.23.2.dfsg/src/time.c:254:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char formatted[1024];
data/lua-apr-0.23.2.dfsg/src/uri.c:115:36:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
    components.port = (apr_port_t) atoi(components.port_str);
data/lua-apr-0.23.2.dfsg/src/uuid.c:51:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char formatted[APR_UUID_FORMATTED_LENGTH + 1];
data/lua-apr-0.23.2.dfsg/src/xml.c:80:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char message[LUA_APR_MSGSIZE];
data/lua-apr-0.23.2.dfsg/src/xml.c:254:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char message[LUA_APR_MSGSIZE];
data/lua-apr-0.23.2.dfsg/src/buffer.c:149:19:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  status = input->read(input->object, &B->data[B->limit], &len);
data/lua-apr-0.23.2.dfsg/src/buffer.c:318:20:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    lua_apr_buf_rf read,
data/lua-apr-0.23.2.dfsg/src/buffer.c:328:17:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  input->read = read;
data/lua-apr-0.23.2.dfsg/src/filepath.c:107:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  length = strlen(buffer);
data/lua-apr-0.23.2.dfsg/src/filepath.c:165:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      ext = name + strlen(name);
data/lua-apr-0.23.2.dfsg/src/http.c:482:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  apr_size_t strlen;
data/lua-apr-0.23.2.dfsg/src/http.c:491:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  status = apreq_decode(string, &strlen, encoded, enclen);
data/lua-apr-0.23.2.dfsg/src/http.c:495:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  lua_pushlstring(L, string, strlen);
data/lua-apr-0.23.2.dfsg/src/lua_apr.c:423:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  length = strlen(message);
data/lua-apr-0.23.2.dfsg/src/lua_apr.h:180:18:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  lua_apr_buf_rf read;
data/lua-apr-0.23.2.dfsg/src/memcache.c:445:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  length = strlen(value);

ANALYSIS SUMMARY:

Hits = 48
Lines analyzed = 15195 in approximately 0.41 seconds (37224 lines/second)
Physical Source Lines of Code (SLOC) = 8836
Hits@level = [0]   4 [1]  11 [2]  37 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  52 [1+]  48 [2+]  37 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 5.88502 [1+] 5.43232 [2+] 4.18742 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.