Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c
FINAL RESULTS:
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:70:49: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
#define xmlCreateIntSubset(doc, name, external, system) \
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:73:6: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
(system ? rb_str_new2(system) : Qnil));
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:73:27: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
(system ? rb_str_new2(system) : Qnil));
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:142:7: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(name, ns);
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:143:7: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(name, attr->name);
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:199:15: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
(strlen(system) ? CONST_CAST system : NIL));
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:199:36: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
(strlen(system) ? CONST_CAST system : NIL));
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:98:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char name[tag.length+1];
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:100:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(name, tag.data, tag.length);
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:132:11: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(ns) + strlen(attr->name) + 1 > namelen) {
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:132:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(ns) + strlen(attr->name) + 1 > namelen) {
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:138:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
namelen = strlen(ns) + strlen(attr->name) + 1;
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:138:32: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
namelen = strlen(ns) + strlen(attr->name) + 1;
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:198:8: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
(strlen(public) ? CONST_CAST public : NIL),
data/ruby-nokogumbo-1.4.2+ds/ext/nokogumboc/nokogumbo.c:199:8: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
(strlen(system) ? CONST_CAST system : NIL));
ANALYSIS SUMMARY:
Hits = 15
Lines analyzed = 236 in approximately 0.02 seconds (14225 lines/second)
Physical Source Lines of Code (SLOC) = 170
Hits@level = [0] 0 [1] 7 [2] 1 [3] 0 [4] 7 [5] 0
Hits@level+ = [0+] 15 [1+] 15 [2+] 8 [3+] 7 [4+] 7 [5+] 0
Hits/KSLOC@level+ = [0+] 88.2353 [1+] 88.2353 [2+] 47.0588 [3+] 41.1765 [4+] 41.1765 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.