Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/noweb-2.11b/contrib/norman/htmlgif/newer.c
Examining data/noweb-2.11b/examples/README.h
Examining data/noweb-2.11b/src/c/columns.c
Examining data/noweb-2.11b/src/c/columns.h
Examining data/noweb-2.11b/src/c/errors.c
Examining data/noweb-2.11b/src/c/errors.h
Examining data/noweb-2.11b/src/c/finduses.c
Examining data/noweb-2.11b/src/c/getline.c
Examining data/noweb-2.11b/src/c/getline.h
Examining data/noweb-2.11b/src/c/main.c
Examining data/noweb-2.11b/src/c/markmain.c
Examining data/noweb-2.11b/src/c/markup.c
Examining data/noweb-2.11b/src/c/markup.h
Examining data/noweb-2.11b/src/c/match.c
Examining data/noweb-2.11b/src/c/match.h
Examining data/noweb-2.11b/src/c/mnt.c
Examining data/noweb-2.11b/src/c/modtrees.c
Examining data/noweb-2.11b/src/c/modtrees.h
Examining data/noweb-2.11b/src/c/modules.c
Examining data/noweb-2.11b/src/c/modules.h
Examining data/noweb-2.11b/src/c/notangle.c
Examining data/noweb-2.11b/src/c/notangle.h
Examining data/noweb-2.11b/src/c/readme.c
Examining data/noweb-2.11b/src/c/recognize.c
Examining data/noweb-2.11b/src/c/recognize.h
Examining data/noweb-2.11b/src/c/strsave.c
Examining data/noweb-2.11b/src/c/strsave.h

FINAL RESULTS:

data/noweb-2.11b/examples/README.h:28:20: [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  and <t>write</t> system calls (along with some others) to
data/noweb-2.11b/src/c/errors.c:29:1: [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  vfprintf(stderr, s, args);
data/noweb-2.11b/src/c/errors.c:45:1: [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134).
  Use a constant for the format specification.
  vfprintf(stderr, s, args);
data/noweb-2.11b/src/c/notangle.c:60:3: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(temp,line+strlen("@file "));
data/noweb-2.11b/src/c/notangle.c:72:3: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(temp,line+strlen("@line "));
data/noweb-2.11b/src/c/notangle.c:99:1: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(modname,line+strlen("@defn "));
data/noweb-2.11b/src/c/notangle.c:128:3: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(temp,line+strlen("@file "));
data/noweb-2.11b/src/c/notangle.c:140:3: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(temp,line+strlen("@line "));
data/noweb-2.11b/src/c/recognize.c:124:3: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(copy, id);
data/noweb-2.11b/src/c/strsave.c:13:5: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(t,s);
data/noweb-2.11b/src/c/mnt.c:23:14: [3] (tmpfile) tempnam:
  Temporary file race condition (CWE-377).
  extern char *tempnam (const char *dir, const char *pfx); /* temp file in dir */
data/noweb-2.11b/src/c/mnt.c:25:9: [3] (tmpfile) tempnam:
  Temporary file race condition (CWE-377).
  #define tempnam(DIR,PFX) (strsave(tmpnam(NULL)))
data/noweb-2.11b/src/c/mnt.c:25:35: [3] (tmpfile) tmpnam:
  Temporary file race condition (CWE-377).
  #define tempnam(DIR,PFX) (strsave(tmpnam(NULL)))
data/noweb-2.11b/src/c/mnt.c:110:20: [3] (tmpfile) tempnam:
  Temporary file race condition (CWE-377).
  char *tempname = tempnam(".", 0);
data/noweb-2.11b/examples/README.h:27:34: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  A library that modifies the <t>open</t>, <t>close</t>, <t>read</t>,
data/noweb-2.11b/src/c/finduses.c:46:17: [2] (tmpfile) tmpfile:
  Function tmpfile() has a security flaw on some systems (e.g., older System V systems) (CWE-377).
  { FILE *tmp = tmpfile();
data/noweb-2.11b/src/c/finduses.c:76:13: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((fp=fopen(argv[i],"r"))==NULL)
data/noweb-2.11b/src/c/main.c:34:27: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  tabsize = atoi(argv[i]+2);
data/noweb-2.11b/src/c/markmain.c:58:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char modname[MAX_MODNAME+1] = ""; /* name of module currently being read,
data/noweb-2.11b/src/c/markmain.c:378:15: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  tabsize = atoi(argv[i]+2);
data/noweb-2.11b/src/c/markmain.c:393:25: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((fp=fopen(argv[i],"r"))==NULL) {
data/noweb-2.11b/src/c/mnt.c:61:27: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  tabsize = atoi(argv[i]+1);
data/noweb-2.11b/src/c/mnt.c:133:8: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fp = fopen(tempname, "w");
data/noweb-2.11b/src/c/mnt.c:145:10: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  dest = fopen(filename, "r");
data/noweb-2.11b/src/c/mnt.c:148:11: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  tmp = fopen(tempname, "r");
data/noweb-2.11b/src/c/mnt.c:165:16: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE *fp = fopen(filename, "w");
data/noweb-2.11b/src/c/notangle.c:41:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char modname[MAX_MODNAME+1] = ""; /* name of module currently being read,
data/noweb-2.11b/src/c/notangle.c:57:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  { char temp[MAX_MODNAME+1];
data/noweb-2.11b/src/c/notangle.c:69:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  { char temp[MAX_MODNAME+1];
data/noweb-2.11b/src/c/notangle.c:82:16: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190).
  If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  loc.lineno = atoi(temp);
data/noweb-2.11b/src/c/notangle.c:125:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  { char temp[MAX_MODNAME+1];
data/noweb-2.11b/src/c/notangle.c:137:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  { char temp[MAX_MODNAME+1];
data/noweb-2.11b/src/c/notangle.c:150:16: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  loc.lineno = atoi(temp);
data/noweb-2.11b/examples/README.h:27:61: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  A library that modifies the <t>open</t>, <t>close</t>, <t>read</t>,
data/noweb-2.11b/examples/README.h:29:17: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  transparently read and write files in Unix <t>compress</t> format.
data/noweb-2.11b/src/c/finduses.c:58:22: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (line[strlen(line)-1] == '\n') line[strlen(line)-1] = 0;
data/noweb-2.11b/src/c/finduses.c:58:52: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (line[strlen(line)-1] == '\n') line[strlen(line)-1] = 0;
data/noweb-2.11b/src/c/finduses.c:61:22: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (line[strlen(line)-1] == '\n') line[strlen(line)-1] = 0;
data/noweb-2.11b/src/c/finduses.c:61:52: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (line[strlen(line)-1] == '\n') line[strlen(line)-1] = 0;
data/noweb-2.11b/src/c/finduses.c:93:18: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (line[strlen(line)-1] == '\n') line[strlen(line)-1] = 0;
data/noweb-2.11b/src/c/finduses.c:93:48: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (line[strlen(line)-1] == '\n') line[strlen(line)-1] = 0;
data/noweb-2.11b/src/c/finduses.c:122:61: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  info->line = emit_up_to(info->out, info->line, instance + strlen(id));
data/noweb-2.11b/src/c/getline.c:34:17: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  while (buf1[strlen(buf1)-1] != '\n') { /* failed to get whole line */
data/noweb-2.11b/src/c/getline.c:37:24: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (fgets(buf1+strlen(buf1),buf_size-strlen(buf1),fp)==NULL)
data/noweb-2.11b/src/c/getline.c:37:46: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (fgets(buf1+strlen(buf1),buf_size-strlen(buf1),fp)==NULL)
data/noweb-2.11b/src/c/markmain.c:37:18: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int last=strlen(value)-1;
data/noweb-2.11b/src/c/markmain.c:69:24: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  missing_newline = line[strlen(line)-1] != '\n';
data/noweb-2.11b/src/c/markmain.c:148:14: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (buflen < strlen(line) + 1 + 2) {
data/noweb-2.11b/src/c/markmain.c:149:19: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  while (buflen < strlen(line) + 1 + 2)
data/noweb-2.11b/src/c/markup.c:36:12: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(strlen(def_marker) == def_length);
data/noweb-2.11b/src/c/markup.c:96:5: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(dest,q,size-1);
data/noweb-2.11b/src/c/markup.c:104:21: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int searchlen = strlen(search);
data/noweb-2.11b/src/c/markup.c:105:39: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int escapelen = (escape != NULL ? strlen(escape) : 0);
data/noweb-2.11b/src/c/match.c:7:33: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return !strncmp(line,search,strlen(search));
data/noweb-2.11b/src/c/match.c:13:18: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (line[strlen(keyword)+1]==' ' || line[strlen(keyword)+1]=='\n' ||
data/noweb-2.11b/src/c/match.c:13:50: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (line[strlen(keyword)+1]==' ' || line[strlen(keyword)+1]=='\n' ||
data/noweb-2.11b/src/c/match.c:14:18: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  line[strlen(keyword)+1]=='\0');
data/noweb-2.11b/src/c/mnt.c:115:11: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  { int n = strlen(modname) - 1;
data/noweb-2.11b/src/c/mnt.c:151:11: [1] (buffer) getc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  x = getc(tmp);
data/noweb-2.11b/src/c/mnt.c:152:11: [1] (buffer) getc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  y = getc(dest);
data/noweb-2.11b/src/c/modules.c:49:11: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  { int k = strlen(p->contents)-1;
data/noweb-2.11b/src/c/notangle.c:58:7: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(line) >= MAX_MODNAME + strlen("@file "))
data/noweb-2.11b/src/c/notangle.c:58:37: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(line) >= MAX_MODNAME + strlen("@file "))
data/noweb-2.11b/src/c/notangle.c:60:20: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strcpy(temp,line+strlen("@file "));
data/noweb-2.11b/src/c/notangle.c:61:8: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  temp[strlen(temp)-1]='\0';
data/noweb-2.11b/src/c/notangle.c:70:7: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(line) >= MAX_MODNAME + strlen("@line "))
data/noweb-2.11b/src/c/notangle.c:70:37: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(line) >= MAX_MODNAME + strlen("@line "))
data/noweb-2.11b/src/c/notangle.c:72:20: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strcpy(temp,line+strlen("@line "));
data/noweb-2.11b/src/c/notangle.c:73:8: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  temp[strlen(temp)-1]='\0';
data/noweb-2.11b/src/c/notangle.c:99:21: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strcpy(modname,line+strlen("@defn "));
data/noweb-2.11b/src/c/notangle.c:100:9: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  modname[strlen(modname)-1]='\0';
data/noweb-2.11b/src/c/notangle.c:126:7: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(line) >= MAX_MODNAME + strlen("@file "))
data/noweb-2.11b/src/c/notangle.c:126:37: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(line) >= MAX_MODNAME + strlen("@file "))
data/noweb-2.11b/src/c/notangle.c:128:20: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strcpy(temp,line+strlen("@file "));
data/noweb-2.11b/src/c/notangle.c:129:8: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  temp[strlen(temp)-1]='\0';
data/noweb-2.11b/src/c/notangle.c:138:7: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(line) >= MAX_MODNAME + strlen("@line "))
data/noweb-2.11b/src/c/notangle.c:138:37: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(line) >= MAX_MODNAME + strlen("@line "))
data/noweb-2.11b/src/c/notangle.c:140:20: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strcpy(temp,line+strlen("@line "));
data/noweb-2.11b/src/c/notangle.c:141:8: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  temp[strlen(temp)-1]='\0';
data/noweb-2.11b/src/c/notangle.c:173:23: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!strcmp(modname+strlen(modname)-3,"..."))
data/noweb-2.11b/src/c/recognize.c:123:23: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char *copy = malloc(strlen(id) + 1);
data/noweb-2.11b/src/c/recognize.c:188:39: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  f(closure, p->name, current - strlen(p->name));
data/noweb-2.11b/src/c/recognize.c:200:13: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int len = strlen(id);
data/noweb-2.11b/src/c/strsave.c:11:23: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char *t = malloc (strlen(s)+1);

ANALYSIS SUMMARY:

Hits = 84
Lines analyzed = 1987 in approximately 0.13 seconds (14816 lines/second)
Physical Source Lines of Code (SLOC) = 1814
Hits@level = [0] 22 [1] 51 [2] 19 [3] 4 [4] 10 [5] 0
Hits@level+ = [0+] 106 [1+] 84 [2+] 33 [3+] 14 [4+] 10 [5+] 0
Hits/KSLOC@level+ = [0+] 58.4344 [1+] 46.3065 [2+] 18.1918 [3+] 7.71775 [4+] 5.51268 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.