Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/lwatch-0.6.2/src/settings.c
Examining data/lwatch-0.6.2/src/defaults.h
Examining data/lwatch-0.6.2/src/acolors.c
Examining data/lwatch-0.6.2/src/settings.h
Examining data/lwatch-0.6.2/src/log.h
Examining data/lwatch-0.6.2/src/strpcre.h
Examining data/lwatch-0.6.2/src/strpcre.c
Examining data/lwatch-0.6.2/src/lwatch.c
Examining data/lwatch-0.6.2/src/yparse.c
Examining data/lwatch-0.6.2/src/control.c
Examining data/lwatch-0.6.2/src/control.h
Examining data/lwatch-0.6.2/src/yparse.h
Examining data/lwatch-0.6.2/src/data.h
Examining data/lwatch-0.6.2/src/daemon.c
Examining data/lwatch-0.6.2/src/log.c
Examining data/lwatch-0.6.2/src/daemon.h
Examining data/lwatch-0.6.2/src/acolors.h

FINAL RESULTS:

data/lwatch-0.6.2/src/control.c:44:5:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
    vfprintf(stderr, s, ap);
data/lwatch-0.6.2/src/log.c:55:9:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
        vfprintf(stderr, fmt, ap);
data/lwatch-0.6.2/src/strpcre.c:112:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
    strcpy(ptmp, str);
data/lwatch-0.6.2/src/strpcre.c:123:5:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
    strcat(ptmp, s2);
data/lwatch-0.6.2/src/strpcre.c:241:9:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
        sprintf(cstr, "^%02i%s^%02i%s^%02i%s^%02i%s^01\n",
data/lwatch-0.6.2/src/settings.c:142:17:  [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
    while ((c = getopt_long(argc, argv, "vC:f:i:o:Osdht", opt, &idx)) != EOF) {
data/lwatch-0.6.2/src/acolors.c:100:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char numer[3];
data/lwatch-0.6.2/src/acolors.c:116:23:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                val = atoi(numer);
data/lwatch-0.6.2/src/daemon.c:54:13:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    pidfd = open(pid_file,
data/lwatch-0.6.2/src/daemon.c:58:13:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    pidfd = open(pid_file,
data/lwatch-0.6.2/src/daemon.c:100:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char pid_string[PID_LENGTH];
data/lwatch-0.6.2/src/daemon.c:130:19:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    int devnull = open("/dev/null", O_RDWR);
data/lwatch-0.6.2/src/lwatch.c:50:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char rbuf[BUFSIZE + 1];
data/lwatch-0.6.2/src/lwatch.c:79:23:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        io_check(fd = open(lw_conf.in_file, O_RDONLY), lw_conf.in_file);
data/lwatch-0.6.2/src/lwatch.c:126:31:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
                io_check(fd = open(lw_conf.in_file, O_RDONLY), lw_conf.in_file);
data/lwatch-0.6.2/src/settings.c:217:22:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    io_fcheck(yyin = fopen(lw_conf.conf_file, "r"), lw_conf.conf_file);
data/lwatch-0.6.2/src/settings.c:253:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(&lw_actions[no_actions], paction, sizeof(struct s_action));
data/lwatch-0.6.2/src/strpcre.c:130:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char ctrl[4];
data/lwatch-0.6.2/src/strpcre.c:136:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(ctrl, "^%02i", HL_COLOR);
data/lwatch-0.6.2/src/yparse.c:976:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char errmsg[MAXMSG+1];
data/lwatch-0.6.2/src/yparse.c:979:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char mymsg[MAXMSG+1];
data/lwatch-0.6.2/src/yparse.c:1104:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"input_file");
data/lwatch-0.6.2/src/yparse.c:1115:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"output_file");
data/lwatch-0.6.2/src/yparse.c:1126:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"rule_action");
data/lwatch-0.6.2/src/yparse.c:1138:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"show_unparsed");
data/lwatch-0.6.2/src/yparse.c:1149:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"cfg_ver");
data/lwatch-0.6.2/src/yparse.c:1160:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"use_syslog");
data/lwatch-0.6.2/src/yparse.c:1171:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"log_level");
data/lwatch-0.6.2/src/yparse.c:1182:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"date_color");
data/lwatch-0.6.2/src/yparse.c:1193:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"host_color");
data/lwatch-0.6.2/src/yparse.c:1204:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"serv_color");
data/lwatch-0.6.2/src/yparse.c:1217:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"mesg_color");
data/lwatch-0.6.2/src/yparse.c:1228:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"date_color");
data/lwatch-0.6.2/src/yparse.c:1239:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"host_color");
data/lwatch-0.6.2/src/yparse.c:1250:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"serv_color");
data/lwatch-0.6.2/src/yparse.c:1263:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"mesg_color");
data/lwatch-0.6.2/src/yparse.c:1274:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(mymsg,"highlight_color");
data/lwatch-0.6.2/src/control.h:36:65:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define io_check(res,str) if((res)==-1) die("%s%s[%i] %s\n",str,strlen(str)?": ":"",errno,strerror(errno))
data/lwatch-0.6.2/src/control.h:37:68:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define io_fcheck(res,str) if((res)==NULL) die("%s%s[%i] %s\n",str,strlen(str)?": ":"",errno,strerror(errno))
data/lwatch-0.6.2/src/control.h:38:89:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define sig_check(res,str) if((res)==SIG_ERR) die("%s%sCannot set signal handler\n",str,strlen(str)?": ":"");
data/lwatch-0.6.2/src/daemon.c:110:73:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    send_log(LOG_DEBUG, "Write PID %s(%d) to file fd=%d\n", pid_string, strlen(pid_string), pidfd);
data/lwatch-0.6.2/src/daemon.c:111:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    res = write(pidfd, (void *)pid_string, strlen(pid_string));
data/lwatch-0.6.2/src/lwatch.c:140:24:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        io_check(res = read(fd, (void *)rbuf, BUFSIZE), "read input");
data/lwatch-0.6.2/src/strpcre.c:108:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    ptmp = (char *)malloc(strlen(str) + 1);
data/lwatch-0.6.2/src/strpcre.c:110:57:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        die("Cannot allocate %i byte(s) in newstr()\n", strlen(str) + 1);
data/lwatch-0.6.2/src/strpcre.c:118:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    ptmp = (char *)realloc((void *)s1, strlen(s1) + strlen(s2) + 1);
data/lwatch-0.6.2/src/strpcre.c:118:53:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    ptmp = (char *)realloc((void *)s1, strlen(s1) + strlen(s2) + 1);
data/lwatch-0.6.2/src/strpcre.c:121:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            strlen(s1) + strlen(s2) + 1);
data/lwatch-0.6.2/src/strpcre.c:121:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            strlen(s1) + strlen(s2) + 1);
data/lwatch-0.6.2/src/strpcre.c:137:48:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    while (pcre_exec(act->re, act->rh, pmatch, strlen(pmatch), start_match, 0, (int *)&re_matches, RE_NMATCHES) > 0) {
data/lwatch-0.6.2/src/strpcre.c:139:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        pres = (char *)malloc(strlen(pmatch) + 7); /* ^cc ^00 NULL */
data/lwatch-0.6.2/src/strpcre.c:184:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    n = pcre_exec(parser.pre, parser.prh, input, strlen(input), 0, 0,
data/lwatch-0.6.2/src/strpcre.c:207:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                      match, strlen(match), 0, 0,
data/lwatch-0.6.2/src/strpcre.c:239:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        int len = strlen(date_s) + strlen(host_s) + strlen(serv_s) + strlen(mesg_s) + 17;
data/lwatch-0.6.2/src/strpcre.c:239:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        int len = strlen(date_s) + strlen(host_s) + strlen(serv_s) + strlen(mesg_s) + 17;
data/lwatch-0.6.2/src/strpcre.c:239:53:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        int len = strlen(date_s) + strlen(host_s) + strlen(serv_s) + strlen(mesg_s) + 17;
data/lwatch-0.6.2/src/strpcre.c:239:70:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        int len = strlen(date_s) + strlen(host_s) + strlen(serv_s) + strlen(mesg_s) + 17;
data/lwatch-0.6.2/src/yparse.c:893:14:  [1] (buffer) getc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
data/lwatch-0.6.2/src/yparse.c:2226:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	return yy_scan_bytes(yystr,strlen(yystr) );

ANALYSIS SUMMARY:

Hits = 59
Lines analyzed = 4103 in approximately 0.13 seconds (32715 lines/second)
Physical Source Lines of Code (SLOC) = 2808
Hits@level = [0]  56 [1]  22 [2]  31 [3]   1 [4]   5 [5]   0
Hits@level+ = [0+] 115 [1+]  59 [2+]  37 [3+]   6 [4+]   5 [5+]   0
Hits/KSLOC@level+ = [0+] 40.9544 [1+] 21.0114 [2+] 13.1766 [3+] 2.13675 [4+] 1.78063 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.