Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/node-sqlite3-5.0.0+ds1/src/async.h
Examining data/node-sqlite3-5.0.0+ds1/src/backup.cc
Examining data/node-sqlite3-5.0.0+ds1/src/backup.h
Examining data/node-sqlite3-5.0.0+ds1/src/database.cc
Examining data/node-sqlite3-5.0.0+ds1/src/database.h
Examining data/node-sqlite3-5.0.0+ds1/src/gcc-preinclude.h
Examining data/node-sqlite3-5.0.0+ds1/src/macros.h
Examining data/node-sqlite3-5.0.0+ds1/src/node_sqlite3.cc
Examining data/node-sqlite3-5.0.0+ds1/src/statement.cc
Examining data/node-sqlite3-5.0.0+ds1/src/statement.h
Examining data/node-sqlite3-5.0.0+ds1/src/threading.h
Examining data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/external-napi/node_api.h
Examining data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/napi-inl.deprecated.h
Examining data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/napi-inl.h
Examining data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/napi.h
Examining data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_api.cc
Examining data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_api.h
Examining data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_api_types.h
Examining data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_internals.cc
Examining data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_internals.h
Examining data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/nothing.c
Examining data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/util-inl.h
Examining data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/util.h

FINAL RESULTS:

data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_internals.cc:63:5: [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  vfprintf(stderr, format, ap);
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_internals.cc:71:3: [4] (format) vsprintf:
  Potential format string problem (CWE-134). Make format string constant.
  vsprintf(out.data(), format, ap);
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_internals.cc:83:3: [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  vfprintf(stderr, format, ap);
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_api.cc:288:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&local, &v, sizeof(v));
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_internals.cc:74:7: [2] (buffer) MultiByteToWideChar:
  Requires maximum length in CHARACTERS, not bytes (CWE-120).
  n = MultiByteToWideChar(CP_UTF8, 0, out.data(), -1, nullptr, 0);
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_internals.cc:77:3: [2] (buffer) MultiByteToWideChar:
  Requires maximum length in CHARACTERS, not bytes (CWE-120).
  MultiByteToWideChar(CP_UTF8, 0, out.data(), -1, wbuf.data(), n);
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_internals.cc:103:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char exepath[256];
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_internals.cc:108:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char pid[12] = {0};
data/node-sqlite3-5.0.0+ds1/src/backup.cc:188:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  assert(baton->db->open);
data/node-sqlite3-5.0.0+ds1/src/database.cc:37:10: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!open && locked && !queue.empty()) {
data/node-sqlite3-5.0.0+ds1/src/database.cc:66:12: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  while (open && (!locked || pending == 0) && !queue.empty()) {
data/node-sqlite3-5.0.0+ds1/src/database.cc:86:10: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!open && locked) {
data/node-sqlite3-5.0.0+ds1/src/database.cc:100:10: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!open || ((locked || exclusive || serialize) && pending > 0)) {
data/node-sqlite3-5.0.0+ds1/src/database.cc:197:19: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  else if (!db->open) {
data/node-sqlite3-5.0.0+ds1/src/database.cc:202:13: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (db->open) {
data/node-sqlite3-5.0.0+ds1/src/database.cc:215:40: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  return Napi::Boolean::New(env, db->open);
data/node-sqlite3-5.0.0+ds1/src/database.cc:231:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  assert(baton->db->open);
data/node-sqlite3-5.0.0+ds1/src/database.cc:290:18: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  else if (db->open) {
data/node-sqlite3-5.0.0+ds1/src/database.cc:295:14: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!db->open) {
data/node-sqlite3-5.0.0+ds1/src/database.cc:387:14: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!db->open) {
data/node-sqlite3-5.0.0+ds1/src/database.cc:402:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  assert(baton->db->open);
data/node-sqlite3-5.0.0+ds1/src/database.cc:412:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  assert(baton->db->open);
data/node-sqlite3-5.0.0+ds1/src/database.cc:451:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  assert(baton->db->open);
data/node-sqlite3-5.0.0+ds1/src/database.cc:493:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  assert(baton->db->open);
data/node-sqlite3-5.0.0+ds1/src/database.cc:553:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  assert(baton->db->open);
data/node-sqlite3-5.0.0+ds1/src/database.cc:633:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  assert(baton->db->open);
data/node-sqlite3-5.0.0+ds1/src/database.cc:663:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  assert(baton->db->open);
data/node-sqlite3-5.0.0+ds1/src/database.h:96:28: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  bool IsOpen() { return open; }
data/node-sqlite3-5.0.0+ds1/src/database.h:181:10: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  bool open;
data/node-sqlite3-5.0.0+ds1/src/statement.cc:125:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  assert(baton->db->open);
data/node-sqlite3-5.0.0+ds1/src/statement.h:55:13: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(value, val, len);
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/napi-inl.h:745:63: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  napi_status status = napi_create_string_utf8(env, val, std::strlen(val), &value);
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/napi-inl.h:1045:69: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  napi_status status = napi_create_string_utf8(_env, utf8name, std::strlen(utf8name), &key);
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/napi-inl.h:2066:12: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  std::strlen(error_message),
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/napi-inl.h:2088:47: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return Error::New<Error>(env, message, std::strlen(message), napi_create_error);
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/napi-inl.h:2200:51: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return Error::New<TypeError>(env, message, std::strlen(message), napi_create_type_error);
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/napi-inl.h:2214:52: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return Error::New<RangeError>(env, message, std::strlen(message), napi_create_range_error);
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_api.cc:997:38: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  const_cast<char*>(location), strlen(location));
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_api.cc:1005:37: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  const_cast<char*>(message), strlen(message));
data/node-sqlite3-5.0.0+ds1/debian/build_modules/node-addon-api/src/node_api.h:63:29: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  #pragma section(".CRT$XCU", read)

ANALYSIS SUMMARY:

Hits = 40
Lines analyzed = 14674 in approximately 0.33 seconds (44799 lines/second)
Physical Source Lines of Code (SLOC) = 11182
Hits@level = [0] 50 [1] 9 [2] 28 [3] 0 [4] 3 [5] 0
Hits@level+ = [0+] 90 [1+] 40 [2+] 31 [3+] 3 [4+] 3 [5+] 0
Hits/KSLOC@level+ = [0+] 8.04865 [1+] 3.57718 [2+] 2.77231 [3+] 0.268288 [4+] 0.268288 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.