Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/pd-purest-json-1.4.3/src/inc/ctw.c
Examining data/pd-purest-json-1.4.3/src/inc/kvp.c
Examining data/pd-purest-json-1.4.3/src/inc/string.c
Examining data/pd-purest-json-1.4.3/src/inc/strlist.c
Examining data/pd-purest-json-1.4.3/src/json-decode.c
Examining data/pd-purest-json-1.4.3/src/json-decode.h
Examining data/pd-purest-json-1.4.3/src/json-encode.c
Examining data/pd-purest-json-1.4.3/src/json-encode.h
Examining data/pd-purest-json-1.4.3/src/oauth.c
Examining data/pd-purest-json-1.4.3/src/oauth.h
Examining data/pd-purest-json-1.4.3/src/purest_json.c
Examining data/pd-purest-json-1.4.3/src/purest_json.h
Examining data/pd-purest-json-1.4.3/src/rest.c
Examining data/pd-purest-json-1.4.3/src/rest.h
Examining data/pd-purest-json-1.4.3/src/urlparams.c
Examining data/pd-purest-json-1.4.3/src/urlparams.h

FINAL RESULTS:

data/pd-purest-json-1.4.3/src/inc/ctw.c:222:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(string, temp);
data/pd-purest-json-1.4.3/src/inc/ctw.c:561:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(val, temp);
data/pd-purest-json-1.4.3/src/inc/ctw.c:589:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(common->out_file, buf);
data/pd-purest-json-1.4.3/src/inc/ctw.c:627:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(common->proxy_user, tmp);
data/pd-purest-json-1.4.3/src/inc/ctw.c:630:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(common->proxy_pass, tmp);
data/pd-purest-json-1.4.3/src/inc/ctw.c:635:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(common->proxy, tmp);
data/pd-purest-json-1.4.3/src/inc/ctw.c:682:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(common->cert_path, directory);
data/pd-purest-json-1.4.3/src/inc/kvp.c:92:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(created->val.s, s);
data/pd-purest-json-1.4.3/src/inc/kvp.c:131:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(created_data->key, key);
data/pd-purest-json-1.4.3/src/inc/string.c:46:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(cleaned_string, segment);
data/pd-purest-json-1.4.3/src/inc/string.c:52:5:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(cleaned_string, masking);
data/pd-purest-json-1.4.3/src/inc/string.c:54:4:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(cleaned_string, segment);
data/pd-purest-json-1.4.3/src/inc/strlist.c:25:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(created_data->str, val);
data/pd-purest-json-1.4.3/src/json-decode.c:215:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(original, sel->s_name);
data/pd-purest-json-1.4.3/src/json-decode.c:226:4:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(original, value);
data/pd-purest-json-1.4.3/src/json-encode.c:104:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(value, "%s", json_object_get_string(val));
data/pd-purest-json-1.4.3/src/json-encode.c:111:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(value, "%s", json_object_get_string(val));
data/pd-purest-json-1.4.3/src/json-encode.c:123:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(value, "%s", json_object_get_string(array_member));
data/pd-purest-json-1.4.3/src/json-encode.c:221:4:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(value, temp_value);
data/pd-purest-json-1.4.3/src/oauth.c:120:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(oauth->oauth.rsa_key, temp);
data/pd-purest-json-1.4.3/src/oauth.c:209:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(req_path, oauth->common.base_url);
data/pd-purest-json-1.4.3/src/oauth.c:211:2:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(req_path, path);
data/pd-purest-json-1.4.3/src/oauth.c:218:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(req_path, cleaned_parameters);
data/pd-purest-json-1.4.3/src/oauth.c:228:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(oauth->common.parameters, postargs);
data/pd-purest-json-1.4.3/src/oauth.c:238:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(oauth->common.complete_url, req_url);
data/pd-purest-json-1.4.3/src/rest.c:85:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(rest->common.auth_token, cookie_params);
data/pd-purest-json-1.4.3/src/rest.c:134:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(rest->common.parameters, rest->cookie.username);
data/pd-purest-json-1.4.3/src/rest.c:136:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(rest->common.parameters, rest->cookie.password);
data/pd-purest-json-1.4.3/src/rest.c:140:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(rest->common.complete_url, rest->common.base_url);
data/pd-purest-json-1.4.3/src/rest.c:141:2:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(rest->common.complete_url, rest->cookie.login_path);
data/pd-purest-json-1.4.3/src/rest.c:250:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(rest->common.complete_url, rest->common.base_url);
data/pd-purest-json-1.4.3/src/rest.c:252:2:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(rest->common.complete_url, path);
data/pd-purest-json-1.4.3/src/rest.c:262:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(rest->common.parameters, cleaned_parameters);
data/pd-purest-json-1.4.3/src/urlparams.c:133:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(output, encoded_key_string);
data/pd-purest-json-1.4.3/src/urlparams.c:135:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(output, encoded_val_string);
data/pd-purest-json-1.4.3/src/urlparams.c:171:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(value, temp_value);
data/pd-purest-json-1.4.3/src/inc/ctw.c:42:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char req_type[REQUEST_TYPE_LEN]; /*One of GET, PUT, POST, DELETE, PATCH, HEAD, OPTIONS, CONNECT, TRACE*/
data/pd-purest-json-1.4.3/src/inc/ctw.c:163:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&mem->memory[mem->size], ptr, realsize);
data/pd-purest-json-1.4.3/src/inc/ctw.c:177:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(stream_output, ptr, realsize);
data/pd-purest-json-1.4.3/src/inc/ctw.c:203:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ptr, mem->memory, to_copy);
data/pd-purest-json-1.4.3/src/inc/ctw.c:210:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char temp[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/inc/ctw.c:282:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy((*in_memory).memory, common->parameters, strlen(common->parameters));
data/pd-purest-json-1.4.3/src/inc/ctw.c:352:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((fp = fopen(common->out_file, "wb"))) {
data/pd-purest-json-1.4.3/src/inc/ctw.c:547:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char temp[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/inc/ctw.c:576:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/inc/ctw.c:618:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tmp[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/inc/ctw.c:683:2:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
  strcat(common->cert_path, "/cacert.pem");
data/pd-purest-json-1.4.3/src/json-decode.c:196:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char value[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/json-encode.c:196:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char key[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/json-encode.c:211:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char temp_value[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/json-encode.c:273:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/json-encode.c:281:9:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  file = fopen(buf, "r");
data/pd-purest-json-1.4.3/src/json-encode.c:310:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/json-encode.c:321:14:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((file = fopen(buf, "w"))) {
data/pd-purest-json-1.4.3/src/oauth.c:101:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char temp[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/oauth.c:164:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char path[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/oauth.c:200:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char parameters[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/oauth.c:247:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char method_name[11];
data/pd-purest-json-1.4.3/src/rest.c:133:3:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(rest->common.parameters, "name=");
data/pd-purest-json-1.4.3/src/rest.c:135:3:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
  strcat(rest->common.parameters, "&password=");
data/pd-purest-json-1.4.3/src/rest.c:142:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(rest->common.req_type, "POST");
data/pd-purest-json-1.4.3/src/rest.c:227:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char path[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/rest.c:254:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char parameters[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/urlparams.c:148:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char key[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/urlparams.c:151:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char temp_value[MAXPDSTRING];
data/pd-purest-json-1.4.3/src/inc/ctw.c:218:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  string = string_create(string_len, strlen(temp));
data/pd-purest-json-1.4.3/src/inc/ctw.c:277:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (*in_memory).memory = getbytes(strlen(common->parameters) + 1);
data/pd-purest-json-1.4.3/src/inc/ctw.c:278:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (*in_memory).size = strlen(common->parameters);
data/pd-purest-json-1.4.3/src/inc/ctw.c:282:51:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  memcpy((*in_memory).memory, common->parameters, strlen(common->parameters));
data/pd-purest-json-1.4.3/src/inc/ctw.c:556:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  header_len += strlen(temp) + 1;
data/pd-purest-json-1.4.3/src/inc/ctw.c:563:4:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(val, " ");
data/pd-purest-json-1.4.3/src/inc/ctw.c:588:60:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  common->out_file = string_create(&(common->out_file_len), strlen(buf));
data/pd-purest-json-1.4.3/src/inc/ctw.c:626:66:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  common->proxy_user = string_create(&(common->proxy_user_len), strlen(tmp));
data/pd-purest-json-1.4.3/src/inc/ctw.c:629:66:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  common->proxy_pass = string_create(&(common->proxy_pass_len), strlen(tmp));
data/pd-purest-json-1.4.3/src/inc/ctw.c:634:56:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  common->proxy = string_create(&(common->proxy_len), strlen(tmp));
data/pd-purest-json-1.4.3/src/inc/ctw.c:681:60:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  common->cert_path = string_create(&common->cert_path_len, strlen(directory) + 11);
data/pd-purest-json-1.4.3/src/inc/kvp.c:91:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  created->val.s = string_create(&created->slen, strlen(s));
data/pd-purest-json-1.4.3/src/inc/kvp.c:129:60:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  created_data->key = string_create(&created_data->key_len, strlen(key));
data/pd-purest-json-1.4.3/src/inc/string.c:37:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  const size_t len_src = strlen(source_string);
data/pd-purest-json-1.4.3/src/json-decode.c:182:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (original_string && strlen(original_string)) {
data/pd-purest-json-1.4.3/src/json-decode.c:200:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  original_len += strlen(sel->s_name);
data/pd-purest-json-1.4.3/src/json-decode.c:205:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  original_len += 1 + strlen(value);
data/pd-purest-json-1.4.3/src/json-decode.c:223:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(original)) {
data/pd-purest-json-1.4.3/src/json-decode.c:224:5:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(original, " ");
data/pd-purest-json-1.4.3/src/json-decode.c:229:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(original)) {
data/pd-purest-json-1.4.3/src/json-encode.c:69:52:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  } else if (value->val.s[0] == '{' && value->val.s[strlen(value->val.s) - 1] == '}') {
data/pd-purest-json-1.4.3/src/json-encode.c:214:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  value_len += strlen(temp_value) + 1;
data/pd-purest-json-1.4.3/src/json-encode.c:220:4:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(value, " ");
data/pd-purest-json-1.4.3/src/oauth.c:107:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  rsa_key_len +=strlen(temp) + 1;
data/pd-purest-json-1.4.3/src/oauth.c:112:41:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strncmp(temp, "-----", 5) == 0 && strlen(oauth->oauth.rsa_key) > 1) {
data/pd-purest-json-1.4.3/src/oauth.c:113:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  memset(oauth->oauth.rsa_key + strlen(oauth->oauth.rsa_key) - 1, 0x00, 1);
data/pd-purest-json-1.4.3/src/oauth.c:114:4:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(oauth->oauth.rsa_key, "\n");
data/pd-purest-json-1.4.3/src/oauth.c:117:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(temp) >= 5 && strncmp(temp + strlen(temp) - 5, "-----", 5) == 0) {
data/pd-purest-json-1.4.3/src/oauth.c:117:43:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(temp) >= 5 && strncmp(temp + strlen(temp) - 5, "-----", 5) == 0) {
data/pd-purest-json-1.4.3/src/oauth.c:123:5:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(oauth->oauth.rsa_key, "\n");
data/pd-purest-json-1.4.3/src/oauth.c:125:5:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(oauth->oauth.rsa_key, " ");
data/pd-purest-json-1.4.3/src/oauth.c:191:2:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(oauth->common.req_type, req_type, REQUEST_TYPE_LEN - 1);
data/pd-purest-json-1.4.3/src/oauth.c:202:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(parameters)) {
data/pd-purest-json-1.4.3/src/oauth.c:207:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  oauth->common.base_url_len + strlen(path) + memsize + 1);
data/pd-purest-json-1.4.3/src/oauth.c:214:4:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(req_path, "&");
data/pd-purest-json-1.4.3/src/oauth.c:216:4:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(req_path, "?");
data/pd-purest-json-1.4.3/src/oauth.c:227:75:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  oauth->common.parameters = string_create(&oauth->common.parameters_len, strlen(postargs));
data/pd-purest-json-1.4.3/src/oauth.c:237:78:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  oauth->common.complete_url = string_create(&oauth->common.complete_url_len, strlen(req_url));
data/pd-purest-json-1.4.3/src/rest.c:81:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(cookie_params)) {
data/pd-purest-json-1.4.3/src/rest.c:84:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(cookie_params));
data/pd-purest-json-1.4.3/src/rest.c:240:2:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(rest->common.req_type, req_type, REQUEST_TYPE_LEN - 1);
data/pd-purest-json-1.4.3/src/rest.c:248:32:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  rest->common.base_url_len + strlen(path) + 1);
data/pd-purest-json-1.4.3/src/rest.c:256:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(parameters)) {
data/pd-purest-json-1.4.3/src/urlparams.c:63:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (*str_len) = strlen(str) * 3 + 1;
data/pd-purest-json-1.4.3/src/urlparams.c:134:3:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(output, "=");
data/pd-purest-json-1.4.3/src/urlparams.c:139:4:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(output, "&");
data/pd-purest-json-1.4.3/src/urlparams.c:164:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  value_len += strlen(temp_value) + 1;
data/pd-purest-json-1.4.3/src/urlparams.c:170:3:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(value, " ");

ANALYSIS SUMMARY:

Hits = 113
Lines analyzed = 2918 in approximately 0.10 seconds (28815 lines/second)
Physical Source Lines of Code (SLOC) = 2076
Hits@level = [0]   5 [1]  48 [2]  29 [3]   0 [4]  36 [5]   0
Hits@level+ = [0+] 118 [1+] 113 [2+]  65 [3+]  36 [4+]  36 [5+]   0
Hits/KSLOC@level+ = [0+] 56.8401 [1+] 54.4316 [2+] 31.3102 [3+] 17.341 [4+] 17.341 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.