Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/python-pygit2-1.0.3/pygit2/decl/attr.h
Examining data/python-pygit2-1.0.3/pygit2/decl/blame.h
Examining data/python-pygit2-1.0.3/pygit2/decl/buffer.h
Examining data/python-pygit2-1.0.3/pygit2/decl/checkout.h
Examining data/python-pygit2-1.0.3/pygit2/decl/clone.h
Examining data/python-pygit2-1.0.3/pygit2/decl/common.h
Examining data/python-pygit2-1.0.3/pygit2/decl/config.h
Examining data/python-pygit2-1.0.3/pygit2/decl/describe.h
Examining data/python-pygit2-1.0.3/pygit2/decl/diff.h
Examining data/python-pygit2-1.0.3/pygit2/decl/errors.h
Examining data/python-pygit2-1.0.3/pygit2/decl/graph.h
Examining data/python-pygit2-1.0.3/pygit2/decl/index.h
Examining data/python-pygit2-1.0.3/pygit2/decl/merge.h
Examining data/python-pygit2-1.0.3/pygit2/decl/net.h
Examining data/python-pygit2-1.0.3/pygit2/decl/oid.h
Examining data/python-pygit2-1.0.3/pygit2/decl/pack.h
Examining data/python-pygit2-1.0.3/pygit2/decl/proxy.h
Examining data/python-pygit2-1.0.3/pygit2/decl/refspec.h
Examining data/python-pygit2-1.0.3/pygit2/decl/remote.h
Examining data/python-pygit2-1.0.3/pygit2/decl/repository.h
Examining data/python-pygit2-1.0.3/pygit2/decl/revert.h
Examining data/python-pygit2-1.0.3/pygit2/decl/stash.h
Examining data/python-pygit2-1.0.3/pygit2/decl/strarray.h
Examining data/python-pygit2-1.0.3/pygit2/decl/submodule.h
Examining data/python-pygit2-1.0.3/pygit2/decl/transport.h
Examining data/python-pygit2-1.0.3/pygit2/decl/types.h
Examining data/python-pygit2-1.0.3/src/blob.c
Examining data/python-pygit2-1.0.3/src/blob.h
Examining data/python-pygit2-1.0.3/src/branch.c
Examining data/python-pygit2-1.0.3/src/branch.h
Examining data/python-pygit2-1.0.3/src/commit.c
Examining data/python-pygit2-1.0.3/src/commit.h
Examining data/python-pygit2-1.0.3/src/diff.c
Examining data/python-pygit2-1.0.3/src/diff.h
Examining data/python-pygit2-1.0.3/src/error.c
Examining data/python-pygit2-1.0.3/src/error.h
Examining data/python-pygit2-1.0.3/src/mailmap.c
Examining data/python-pygit2-1.0.3/src/mailmap.h
Examining data/python-pygit2-1.0.3/src/note.c
Examining data/python-pygit2-1.0.3/src/note.h
Examining data/python-pygit2-1.0.3/src/object.c
Examining data/python-pygit2-1.0.3/src/object.h
Examining data/python-pygit2-1.0.3/src/odb.c
Examining data/python-pygit2-1.0.3/src/odb.h
Examining data/python-pygit2-1.0.3/src/odb_backend.c
Examining data/python-pygit2-1.0.3/src/odb_backend.h
Examining data/python-pygit2-1.0.3/src/oid.c
Examining data/python-pygit2-1.0.3/src/oid.h
Examining data/python-pygit2-1.0.3/src/options.c
Examining data/python-pygit2-1.0.3/src/options.h
Examining data/python-pygit2-1.0.3/src/patch.c
Examining data/python-pygit2-1.0.3/src/patch.h
Examining data/python-pygit2-1.0.3/src/pygit2.c
Examining data/python-pygit2-1.0.3/src/reference.c
Examining data/python-pygit2-1.0.3/src/reference.h
Examining data/python-pygit2-1.0.3/src/repository.c
Examining data/python-pygit2-1.0.3/src/repository.h
Examining data/python-pygit2-1.0.3/src/signature.c
Examining data/python-pygit2-1.0.3/src/signature.h
Examining data/python-pygit2-1.0.3/src/tag.c
Examining data/python-pygit2-1.0.3/src/tag.h
Examining data/python-pygit2-1.0.3/src/tree.c
Examining data/python-pygit2-1.0.3/src/tree.h
Examining data/python-pygit2-1.0.3/src/treebuilder.c
Examining data/python-pygit2-1.0.3/src/treebuilder.h
Examining data/python-pygit2-1.0.3/src/types.h
Examining data/python-pygit2-1.0.3/src/utils.c
Examining data/python-pygit2-1.0.3/src/utils.h
Examining data/python-pygit2-1.0.3/src/walker.c
Examining data/python-pygit2-1.0.3/src/walker.h
Examining data/python-pygit2-1.0.3/src/worktree.c
Examining data/python-pygit2-1.0.3/src/worktree.h
FINAL RESULTS:
data/python-pygit2-1.0.3/pygit2/decl/oid.h:2:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char id[20];
data/python-pygit2-1.0.3/pygit2/decl/transport.h:21:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char hash_md5[16];
data/python-pygit2-1.0.3/pygit2/decl/transport.h:22:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char hash_sha1[20];
data/python-pygit2-1.0.3/src/commit.c:169:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char tree_id[GIT_OID_HEXSZ + 1] = { 0 };
data/python-pygit2-1.0.3/src/error.c:125:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char hex[GIT_OID_HEXSZ + 1];
data/python-pygit2-1.0.3/src/oid.c:137:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char hex[GIT_OID_HEXSZ];
data/python-pygit2-1.0.3/src/oid.c:177:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(self->oid.id, (const unsigned char*)bytes, len);
data/python-pygit2-1.0.3/src/diff.c:1013:48: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
err = git_diff_from_buffer(&diff, content, strlen(content));
data/python-pygit2-1.0.3/src/object.c:271:20: [1] (buffer) equal:
Function does not check the second iterator for over-read conditions
(CWE-126). This function is often discouraged by most C++ coding standards
in favor of its safer alternatives provided since C++14. Consider using a
form of this function that checks the second iterator before potentially
overflowing it.
res = (equal) ? Py_False : Py_True;
data/python-pygit2-1.0.3/src/object.c:274:20: [1] (buffer) equal:
Function does not check the second iterator for over-read conditions
(CWE-126). This function is often discouraged by most C++ coding standards
in favor of its safer alternatives provided since C++14. Consider using a
form of this function that checks the second iterator before potentially
overflowing it.
res = (equal) ? Py_True : Py_False;
data/python-pygit2-1.0.3/src/odb.c:275:17: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
METHOD(Odb, read, METH_O),
data/python-pygit2-1.0.3/src/odb_backend.c:103:30: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
err = self->odb_backend->read(&data, &sz, &type, self->odb_backend, &oid);
data/python-pygit2-1.0.3/src/odb_backend.c:119:24: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
METHOD(OdbBackend, read, METH_O),
data/python-pygit2-1.0.3/src/utils.h:43:49: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define to_encoding(x) PyUnicode_DecodeASCII(x, strlen(x), "strict")
data/python-pygit2-1.0.3/src/utils.h:61:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
to_unicode_n(x, strlen(x), encoding, errors)
ANALYSIS SUMMARY:
Hits = 15
Lines analyzed = 12239 in approximately 0.32 seconds (38656 lines/second)
Physical Source Lines of Code (SLOC) = 8910
Hits@level = [0] 0 [1] 8 [2] 7 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 15 [1+] 15 [2+] 7 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 1.6835 [1+] 1.6835 [2+] 0.785634 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.