Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/mtree-netbsd-20180822/compare.c
Examining data/mtree-netbsd-20180822/crc.c
Examining data/mtree-netbsd-20180822/create.c
Examining data/mtree-netbsd-20180822/excludes.c
Examining data/mtree-netbsd-20180822/extern.h
Examining data/mtree-netbsd-20180822/getid.c
Examining data/mtree-netbsd-20180822/misc.c
Examining data/mtree-netbsd-20180822/mtree.c
Examining data/mtree-netbsd-20180822/mtree.h
Examining data/mtree-netbsd-20180822/pack_dev.h
Examining data/mtree-netbsd-20180822/stat_flags.c
Examining data/mtree-netbsd-20180822/stat_flags.h
Examining data/mtree-netbsd-20180822/verify.c
Examining data/mtree-netbsd-20180822/pack_dev.c
Examining data/mtree-netbsd-20180822/spec.c

FINAL RESULTS:

data/mtree-netbsd-20180822/compare.c:537:13:  [5] (race) readlink:
  This accepts filename arguments; if an attacker can move those files or
  change the link content, a race condition results. Also, it does not
  terminate with ASCII NUL. (CWE-362, CWE-20). Reconsider approach.
	if ((len = readlink(name, lbuf, sizeof(lbuf) - 1)) == -1)
data/mtree-netbsd-20180822/create.c:151:6:  [4] (misc) getlogin:
  It's often easy to fool getlogin. Sometimes it does not work at all,
  because some program messed up the utmp file. Often, it gives only the
  first 8 characters of the login name. The user currently logged in on the
  controlling tty of our program need not be the user who started it. Avoid
  getlogin() for security-related purposes (CWE-807). Use getpwuid(geteuid())
  and extract the desired information instead.
	    getlogin(), host, fullpath, ctime(&clocktime));
data/mtree-netbsd-20180822/create.c:433:2:  [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use
  a constant for the format specification.
	vsnprintf(buf, sizeof(buf), fmt, ap);
data/mtree-netbsd-20180822/spec.c:241:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
		strcpy(centry->name, p);
data/mtree-netbsd-20180822/verify.c:199:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
		strcpy(tail, p->name);
data/mtree-netbsd-20180822/mtree.c:100:15:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
	while ((ch = getopt(argc, argv, "cCdDeE:f:I:ik:K:lLmMN:p:PrR:s:tuUWxX:"))
data/mtree-netbsd-20180822/compare.c:161:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char digestbuf[MAXHASHLEN + 1];
data/mtree-netbsd-20180822/compare.c:395:13:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
		if ((fd = open(p->fts_accpath, O_RDONLY, 0)) < 0) {
data/mtree-netbsd-20180822/compare.c:534:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	static char lbuf[MAXPATHLEN];
data/mtree-netbsd-20180822/create.c:140:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char host[MAXHOSTNAMELEN + 1];
data/mtree-netbsd-20180822/create.c:141:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char *argv[2];
data/mtree-netbsd-20180822/create.c:195:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char digestbuf[MAXHASHLEN + 1];
data/mtree-netbsd-20180822/create.c:241:13:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
		if ((fd = open(p->fts_accpath, O_RDONLY, 0)) < 0 ||
data/mtree-netbsd-20180822/create.c:430:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char buf[1024];
data/mtree-netbsd-20180822/excludes.c:103:7:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	fp = fopen(name, "r");
data/mtree-netbsd-20180822/getid.c:137:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static	char		grfile[MAXPATHLEN];
data/mtree-netbsd-20180822/getid.c:138:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static	char		pwfile[MAXPATHLEN];
data/mtree-netbsd-20180822/getid.c:140:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static	char		*members[MAXGRP];
data/mtree-netbsd-20180822/getid.c:141:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static	char		grline[MAXLINELENGTH];
data/mtree-netbsd-20180822/getid.c:142:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static	char		pwline[MAXLINELENGTH];
data/mtree-netbsd-20180822/getid.c:235:19:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	return (_gr_fp = fopen(grfile, "r")) ? 1 : 0;
data/mtree-netbsd-20180822/getid.c:376:19:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	return (_pw_fp = fopen(pwfile, "r")) ? 1 : 0;
data/mtree-netbsd-20180822/mtree.c:84:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
char	fullpath[MAXPATHLEN];
data/mtree-netbsd-20180822/mtree.h:106:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char	name[1];			/* file name (must be last) */
data/mtree-netbsd-20180822/spec.c:344:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char	path[MAXPATHLEN];
data/mtree-netbsd-20180822/spec.c:430:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	static char pathbuf[4*MAXPATHLEN + 1];
data/mtree-netbsd-20180822/stat_flags.c:88:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	static char string[128];
data/mtree-netbsd-20180822/verify.c:83:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static char path[MAXPATHLEN];
data/mtree-netbsd-20180822/verify.c:106:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char *argv[2];
data/mtree-netbsd-20180822/crc.c:148:15:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
	while ((nr = read(fd, buf, sizeof(buf))) > 0)
data/mtree-netbsd-20180822/create.c:436:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if (*offset + strlen(buf) > MAXLINELEN - 3) {
data/mtree-netbsd-20180822/getid.c:255:17:  [1] (buffer) getc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
			while ((ch = getc(_gr_fp)) != '\n' && ch != EOF)
data/mtree-netbsd-20180822/getid.c:396:17:  [1] (buffer) getc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
			while ((ch = getc(_pw_fp)) != '\n' && ch != EOF)
data/mtree-netbsd-20180822/misc.c:224:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		len = strlen(p) + 3;	/* "," + p + ",\0" */
data/mtree-netbsd-20180822/spec.c:201:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		plen = strlen(p) + 1;
data/mtree-netbsd-20180822/spec.c:237:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		if ((centry = calloc(1, sizeof(NODE) + strlen(p))) == NULL)
data/mtree-netbsd-20180822/spec.c:628:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			len = strlen(val) + 3;	/* "," + str + ",\0" */

ANALYSIS SUMMARY:

Hits = 37
Lines analyzed = 4202 in approximately 0.13 seconds (32659 lines/second)
Physical Source Lines of Code (SLOC) = 3151
Hits@level = [0] 116 [1]   8 [2]  23 [3]   1 [4]   4 [5]   1
Hits@level+ = [0+] 153 [1+]  37 [2+]  29 [3+]   6 [4+]   5 [5+]   1
Hits/KSLOC@level+ = [0+] 48.556 [1+] 11.7423 [2+] 9.20343 [3+] 1.90416 [4+] 1.5868 [5+] 0.31736
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.