Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/r-cran-rprotobuf-0.4.17/src/DescriptorPoolLookup.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/ConnectionInputStream.h
Examining data/r-cran-rprotobuf-0.4.17/src/streams.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/Rcppsupport.h
Examining data/r-cran-rprotobuf-0.4.17/src/wrapper_ArrayOutputStream.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/ConnectionCopyingInputStream.h
Examining data/r-cran-rprotobuf-0.4.17/src/RSourceTree.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/rprotobuf.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/ConnectionOutputStream.h
Examining data/r-cran-rprotobuf-0.4.17/src/RcppMacros.h
Examining data/r-cran-rprotobuf-0.4.17/src/RWarningErrorCollector.h
Examining data/r-cran-rprotobuf-0.4.17/src/DescriptorPoolLookup.h
Examining data/r-cran-rprotobuf-0.4.17/src/ZeroCopyOutputStreamWrapper.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/ConnectionCopyingOutputStream.h
Examining data/r-cran-rprotobuf-0.4.17/src/extractors.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/wrapper_FieldDescriptor.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/wrapper_ServiceDescriptor.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/RconnectionCopyingInputStream.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/wrapper_ZeroCopyInputStream.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/wrapper_EnumDescriptor.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/init.c
Examining data/r-cran-rprotobuf-0.4.17/src/wrapper_ArrayInputStream.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/RconnectionCopyingInputStream.h
Examining data/r-cran-rprotobuf-0.4.17/src/wrapper_FileDescriptor.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/wrapper_MethodDescriptor.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/ConnectionCopyingInputStream.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/ConnectionInputStream.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/mutators.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/wrapper_EnumValueDescriptor.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/lookup.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/ConnectionCopyingOutputStream.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/RSourceTree.h
Examining data/r-cran-rprotobuf-0.4.17/src/fieldtypes.h
Examining data/r-cran-rprotobuf-0.4.17/src/rprotobuf.h
Examining data/r-cran-rprotobuf-0.4.17/src/wrapper_Message.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/wrapper_Descriptor.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/ZeroCopyInputStreamWrapper.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/S4_classes.h
Examining data/r-cran-rprotobuf-0.4.17/src/extensions.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/RWarningErrorCollector.cpp
Examining data/r-cran-rprotobuf-0.4.17/src/ConnectionOutputStream.cpp

FINAL RESULTS:

data/r-cran-rprotobuf-0.4.17/src/ConnectionCopyingInputStream.cpp:22:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(buffer, res.begin(), res.size());
data/r-cran-rprotobuf-0.4.17/src/ConnectionCopyingOutputStream.cpp:14:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(payload.begin(), buffer, size);
data/r-cran-rprotobuf-0.4.17/src/RSourceTree.cpp:11:27:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  int file_descriptor = open(filename.c_str(), O_RDONLY);
data/r-cran-rprotobuf-0.4.17/src/RSourceTree.cpp:21:31:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  file_descriptor = open(file.c_str(), O_RDONLY);
data/r-cran-rprotobuf-0.4.17/src/RconnectionCopyingInputStream.cpp:33:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(buffer, reinterpret_cast<const void*>(res.begin()), len);
data/r-cran-rprotobuf-0.4.17/src/streams.cpp:19:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  int fd = open(CHAR(STRING_ELT(filename, 0)), O_RDONLY | O_BINARY);
data/r-cran-rprotobuf-0.4.17/src/streams.cpp:83:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(out, RAW(payload), s);
data/r-cran-rprotobuf-0.4.17/src/streams.cpp:110:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  int fd = open(CHAR(STRING_ELT(filename, 0)), O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0666);
data/r-cran-rprotobuf-0.4.17/src/wrapper_Descriptor.cpp:129:16:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  int file = open(filename.c_str(), O_RDONLY | O_BINARY);
data/r-cran-rprotobuf-0.4.17/src/wrapper_Message.cpp:132:16:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  int file = open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0666);

ANALYSIS SUMMARY:

Hits = 10
Lines analyzed = 6117 in approximately 0.16 seconds (37319 lines/second)
Physical Source Lines of Code (SLOC) = 4442
Hits@level = [0]   0 [1]   0 [2]  10 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  10 [1+]  10 [2+]  10 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 2.25124 [1+] 2.25124 [2+] 2.25124 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.