Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/stenographer-1.0.1/stenotype/aio.cc
Examining data/stenographer-1.0.1/stenotype/aio.h
Examining data/stenographer-1.0.1/stenotype/index.cc
Examining data/stenographer-1.0.1/stenotype/index.h
Examining data/stenographer-1.0.1/stenotype/index_bin.cc
Examining data/stenographer-1.0.1/stenotype/packets.cc
Examining data/stenographer-1.0.1/stenotype/packets.h
Examining data/stenographer-1.0.1/stenotype/util.cc
Examining data/stenographer-1.0.1/stenotype/util.h
Examining data/stenographer-1.0.1/stenotype/stenotype.cc
FINAL RESULTS:
data/stenographer-1.0.1/stenotype/aio.cc:189:12: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int fd = open(name.c_str(), O_CREAT | O_WRONLY | O_DSYNC | O_DIRECT, 0600);
data/stenographer-1.0.1/stenotype/index.cc:234:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1 + // First byte is type of index (ip4, ip6, proto, etc)
data/stenographer-1.0.1/stenotype/index.cc:238:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buf + 1, start, size);
data/stenographer-1.0.1/stenotype/index.cc:286:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char versionKeyBuf[1] = {kIndexVersion};
data/stenographer-1.0.1/stenotype/index.cc:287:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char versionBuf[8];
data/stenographer-1.0.1/stenotype/index.h:65:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(current, s->data(), s->size());
data/stenographer-1.0.1/stenotype/index_bin.cc:42:12: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int fd = open(filename, O_RDONLY);
data/stenographer-1.0.1/stenotype/index_bin.cc:68:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[1 << 20]; // 1MB
data/stenographer-1.0.1/stenotype/stenotype.cc:135:20: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
flag_count = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:138:21: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
flag_blocks = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:141:20: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
flag_aiops = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:144:26: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
flag_filesize_mb = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:148:22: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
flag_threads = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:151:26: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
flag_fileage_sec = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:154:26: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
flag_fanout_type = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:157:24: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
flag_fanout_id = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:169:30: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
flag_index_nicelevel = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:178:34: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
flag_preallocate_file_mb = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:187:27: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
flag_blockage_sec = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:197:27: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
flag_stats_blocks = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:200:24: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
flag_stats_sec = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:367:50: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
SECCOMP_RULE_ADD(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
data/stenographer-1.0.1/stenotype/stenotype.cc:369:50: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
SECCOMP_RULE_ADD(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
data/stenographer-1.0.1/stenotype/stenotype.cc:386:37: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 2,
data/stenographer-1.0.1/stenotype/util.cc:31:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char copy[filename.size() + 1];
data/stenographer-1.0.1/stenotype/util.cc:32:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(copy, filename.data(), filename.size());
data/stenographer-1.0.1/stenotype/util.cc:38:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char copy[filename.size() + 1];
data/stenographer-1.0.1/stenotype/util.cc:39:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(copy, filename.data(), filename.size());
data/stenographer-1.0.1/stenotype/util.h:159:7: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(time_buffer_, "STRFTIME_ERROR");
data/stenographer-1.0.1/stenotype/util.h:165:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char time_buffer_[kTimeBufferSize];
data/stenographer-1.0.1/stenotype/index_bin.cc:50:13: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
int n = read(fd, start, limit - start);
data/stenographer-1.0.1/stenotype/packets.cc:232:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(ifopts.ifr_name, iface.c_str(), IFNAMSIZ-1);
data/stenographer-1.0.1/stenotype/stenotype.cc:300:50: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
SECCOMP_RULE_ADD(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
data/stenographer-1.0.1/stenotype/stenotype.cc:641:3: [1] (access) umask:
Ensure that umask is given most restrictive possible setting (e.g., 066 or
077) (CWE-732).
umask(0077);
ANALYSIS SUMMARY:
Hits = 34
Lines analyzed = 2821 in approximately 0.14 seconds (20887 lines/second)
Physical Source Lines of Code (SLOC) = 2085
Hits@level = [0] 6 [1] 4 [2] 30 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 40 [1+] 34 [2+] 30 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 19.1847 [1+] 16.307 [2+] 14.3885 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.