Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/pycurl-7.43.0.6/src/docstrings.c
Examining data/pycurl-7.43.0.6/src/docstrings.h
Examining data/pycurl-7.43.0.6/src/easy.c
Examining data/pycurl-7.43.0.6/src/easycb.c
Examining data/pycurl-7.43.0.6/src/easyinfo.c
Examining data/pycurl-7.43.0.6/src/easyopt.c
Examining data/pycurl-7.43.0.6/src/easyperform.c
Examining data/pycurl-7.43.0.6/src/module.c
Examining data/pycurl-7.43.0.6/src/multi.c
Examining data/pycurl-7.43.0.6/src/oscompat.c
Examining data/pycurl-7.43.0.6/src/pycurl.h
Examining data/pycurl-7.43.0.6/src/pythoncompat.c
Examining data/pycurl-7.43.0.6/src/share.c
Examining data/pycurl-7.43.0.6/src/stringcompat.c
Examining data/pycurl-7.43.0.6/src/threadsupport.c
Examining data/pycurl-7.43.0.6/src/util.c
Examining data/pycurl-7.43.0.6/tests/fake-curl/libcurl/with_gnutls.c
Examining data/pycurl-7.43.0.6/tests/fake-curl/libcurl/with_nss.c
Examining data/pycurl-7.43.0.6/tests/fake-curl/libcurl/with_openssl.c
Examining data/pycurl-7.43.0.6/tests/fake-curl/libcurl/with_unknown_ssl.c
Examining data/pycurl-7.43.0.6/tests/fake-curl/libcurl/without_ssl.c
FINAL RESULTS:
data/pycurl-7.43.0.6/src/easycb.c:572:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ptr, buf, obj_size);
data/pycurl-7.43.0.6/src/easycb.c:607:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ptr, buf, obj_size);
data/pycurl-7.43.0.6/src/module.c:335:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char backends[200];
data/pycurl-7.43.0.6/src/module.c:362:13: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(backends, "none");
data/pycurl-7.43.0.6/src/module.c:473:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(g_pycurl_useragent, PYCURL_VERSION_PREFIX, PYCURL_VERSION_PREFIX_SIZE);
data/pycurl-7.43.0.6/src/module.c:475:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(g_pycurl_useragent + PYCURL_VERSION_PREFIX_SIZE,
data/pycurl-7.43.0.6/src/pycurl.h:438:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char error[CURL_ERROR_SIZE+1];
data/pycurl-7.43.0.6/src/module.c:464:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
libcurl_version_len = strlen(libcurl_version);
ANALYSIS SUMMARY:
Hits = 8
Lines analyzed = 8246 in approximately 0.22 seconds (36664 lines/second)
Physical Source Lines of Code (SLOC) = 6132
Hits@level = [0] 6 [1] 1 [2] 7 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 14 [1+] 8 [2+] 7 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 2.28311 [1+] 1.30463 [2+] 1.14155 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.