Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/mmap.h
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/utils.h
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/jsmn.c
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/file_parsing.h
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/file_reading.h
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/utils.c
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/globals.h
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/value_access.c
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/file_format.h
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/file_reading.c
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/file_parsing.c
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/hashmap.c
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/rendering.c
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/rendering.h
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/mmap.c
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/fast_mmaped_file.c
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/file_format.c
Examining data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/value_access.h
Examining data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/jsmn.h
Examining data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/jsmn.c
Examining data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/example/simple.c
Examining data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/example/jsondump.c
Examining data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/test.h
Examining data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c
Examining data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/testutil.h
Examining data/ruby-prometheus-client-mmap-0.11.0/vendor/c/hashmap/test/hashmap_test.c
Examining data/ruby-prometheus-client-mmap-0.11.0/vendor/c/hashmap/src/hashmap.c
Examining data/ruby-prometheus-client-mmap-0.11.0/vendor/c/hashmap/src/hashmap.h

FINAL RESULTS:

data/ruby-prometheus-client-mmap-0.11.0/vendor/c/hashmap/test/hashmap_test.c:79:9:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  num = random();
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/hashmap/test/hashmap_test.c:96:20:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  *key = (uint64_t)(random() & 0xffff) << 48 |
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/hashmap/test/hashmap_test.c:97:17:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  (uint64_t)(random() & 0xffff) << 32 |
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/hashmap/test/hashmap_test.c:98:17:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  (uint64_t)(random() & 0xffff) << 16 |
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/hashmap/test/hashmap_test.c:99:17:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  (uint64_t)(random() & 0xffff);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/hashmap/test/hashmap_test.c:133:2:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srandom(99); /* Use reproducible random sequences */
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/file_parsing.c:75:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(entry->json, source->buffer + pos, encoded_len);
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/file_parsing.c:84:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&(entry->value), value_ptr, sizeof(double));
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/file_parsing.c:127:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&used, source->buffer, sizeof(uint32_t));
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/file_parsing.c:138:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&encoded_len, source->buffer + pos, sizeof(uint32_t));
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/file_reading.c:9:20:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  source->file = fopen(filepath, "r");
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/file_reading.c:12:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(source->path, filepath, filepath_len);
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/hashmap.c:170:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(removed_entry, entry, sizeof(*removed_entry));
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/mmap.c:233:15:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((fd = open(path, smode, perm)) == -1) {
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/rendering.c:143:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char value[255];
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/value_access.c:22:19:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((fd = open(i_mm->t->path, i_mm->t->smode)) == -1) {
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/value_access.c:99:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(pos, &key_length, sizeof(uint32_t));
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/value_access.c:109:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(pos, &val, sizeof(double));
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/value_access.c:126:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(pos, &val, sizeof(double));
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/value_access.c:139:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&value, pos, sizeof(double));
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/hashmap/src/hashmap.c:170:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(removed_entry, entry, sizeof(*removed_entry));
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/example/jsondump.c:69:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[BUFSIZ];
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:211:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(toklarge, toksmall, sizeof(toksmall));
data/ruby-prometheus-client-mmap-0.11.0/ext/fast_mmaped_file/file_reading.c:10:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t filepath_len = strlen(filepath) + sizeof(char);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/example/jsondump.c:105:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(js + jslen, buf, r);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/example/simple.c:16:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (tok->type == JSMN_STRING && (int) strlen(s) == tok->end - tok->start &&
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/example/simple.c:30:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  r = jsmn_parse(&p, JSON_STRING, strlen(JSON_STRING), t, sizeof(t)/sizeof(t[0]));
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:150:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (i = 1; i <= strlen(js); i++) {
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:152:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (i == strlen(js)) {
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:176:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (i = 1; i <= strlen(js); i++) {
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:178:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (i == strlen(js)) {
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:208:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  r = jsmn_parse(&p, js, strlen(js), toksmall, i);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:213:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  r = jsmn_parse(&p, js, strlen(js), toklarge, 10);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:236:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  r = jsmn_parse(&p, js, strlen(js), tok, 10);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:262:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  r = jsmn_parse(&p, js, strlen(js), tokens, 128);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:298:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  check(jsmn_parse(&p, js, strlen(js), NULL, 0) == 1);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:302:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  check(jsmn_parse(&p, js, strlen(js), NULL, 0) == 1);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:306:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  check(jsmn_parse(&p, js, strlen(js), NULL, 0) == 2);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:310:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  check(jsmn_parse(&p, js, strlen(js), NULL, 0) == 3);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:314:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  check(jsmn_parse(&p, js, strlen(js), NULL, 0) == 3);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:318:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  check(jsmn_parse(&p, js, strlen(js), NULL, 0) == 7);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:322:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  check(jsmn_parse(&p, js, strlen(js), NULL, 0) == 5);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:326:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  check(jsmn_parse(&p, js, strlen(js), NULL, 0) == 5);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:330:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  check(jsmn_parse(&p, js, strlen(js), NULL, 0) == 4);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/tests.c:334:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  check(jsmn_parse(&p, js, strlen(js), NULL, 0) == 7);
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/testutil.h:50:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(value) != t[i].end - t[i].start ||
data/ruby-prometheus-client-mmap-0.11.0/vendor/c/jsmn/test/testutil.h:79:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  r = jsmn_parse(&p, s, strlen(s), t, numtok);

ANALYSIS SUMMARY:

Hits = 47
Lines analyzed = 5158 in approximately 0.14 seconds (36161 lines/second)
Physical Source Lines of Code (SLOC) = 3792
Hits@level = [0]  93 [1]  24 [2]  17 [3]   6 [4]   0 [5]   0
Hits@level+ = [0+] 140 [1+]  47 [2+]  23 [3+]   6 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 36.9198 [1+] 12.3945 [2+] 6.0654 [3+] 1.58228 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.