Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/stenographer-1.0.1/stenotype/aio.cc
Examining data/stenographer-1.0.1/stenotype/aio.h
Examining data/stenographer-1.0.1/stenotype/index.cc
Examining data/stenographer-1.0.1/stenotype/index.h
Examining data/stenographer-1.0.1/stenotype/index_bin.cc
Examining data/stenographer-1.0.1/stenotype/packets.cc
Examining data/stenographer-1.0.1/stenotype/packets.h
Examining data/stenographer-1.0.1/stenotype/util.cc
Examining data/stenographer-1.0.1/stenotype/util.h
Examining data/stenographer-1.0.1/stenotype/stenotype.cc

FINAL RESULTS:

data/stenographer-1.0.1/stenotype/aio.cc:189:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  int fd = open(name.c_str(), O_CREAT | O_WRONLY | O_DSYNC | O_DIRECT, 0600);
data/stenographer-1.0.1/stenotype/index.cc:234:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char buf[1 + // First byte is type of index (ip4, ip6, proto, etc)
data/stenographer-1.0.1/stenotype/index.cc:238:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination
  (CWE-120). Make sure destination can always hold the source data.
  memcpy(buf + 1, start, size);
data/stenographer-1.0.1/stenotype/index.cc:286:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char versionKeyBuf[1] = {kIndexVersion};
data/stenographer-1.0.1/stenotype/index.cc:287:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char versionBuf[8];
data/stenographer-1.0.1/stenotype/index.h:65:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination
  (CWE-120). Make sure destination can always hold the source data.
  memcpy(current, s->data(), s->size());
data/stenographer-1.0.1/stenotype/index_bin.cc:42:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  int fd = open(filename, O_RDONLY);
data/stenographer-1.0.1/stenotype/index_bin.cc:68:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char buffer[1 << 20]; // 1MB
data/stenographer-1.0.1/stenotype/stenotype.cc:135:20:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  flag_count = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:138:21:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  flag_blocks = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:141:20:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  flag_aiops = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:144:26:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  flag_filesize_mb = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:148:22:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  flag_threads = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:151:26:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  flag_fileage_sec = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:154:26:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  flag_fanout_type = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:157:24:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  flag_fanout_id = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:169:30:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  flag_index_nicelevel = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:178:34:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  flag_preallocate_file_mb = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:187:27:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  flag_blockage_sec = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:197:27:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  flag_stats_blocks = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:200:24:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  flag_stats_sec = atoi(arg);
data/stenographer-1.0.1/stenotype/stenotype.cc:367:50:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  SECCOMP_RULE_ADD(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
data/stenographer-1.0.1/stenotype/stenotype.cc:369:50:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  SECCOMP_RULE_ADD(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
data/stenographer-1.0.1/stenotype/stenotype.cc:386:37:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 2,
data/stenographer-1.0.1/stenotype/util.cc:31:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char copy[filename.size() + 1];
data/stenographer-1.0.1/stenotype/util.cc:32:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination
  (CWE-120). Make sure destination can always hold the source data.
  memcpy(copy, filename.data(), filename.size());
data/stenographer-1.0.1/stenotype/util.cc:38:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char copy[filename.size() + 1];
data/stenographer-1.0.1/stenotype/util.cc:39:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination
  (CWE-120). Make sure destination can always hold the source data.
  memcpy(copy, filename.data(), filename.size());
data/stenographer-1.0.1/stenotype/util.h:159:7:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination
  [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy
  (warning: strncpy easily misused). Risk is low because the source is a
  constant string.
  strcpy(time_buffer_, "STRFTIME_ERROR");
data/stenographer-1.0.1/stenotype/util.h:165:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char time_buffer_[kTimeBufferSize];
data/stenographer-1.0.1/stenotype/index_bin.cc:50:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  int n = read(fd, start, limit - start);
data/stenographer-1.0.1/stenotype/packets.cc:232:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for
  invalid pointers [MS-banned] (CWE-120).
  strncpy(ifopts.ifr_name, iface.c_str(), IFNAMSIZ-1);
data/stenographer-1.0.1/stenotype/stenotype.cc:300:50:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  SECCOMP_RULE_ADD(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
data/stenographer-1.0.1/stenotype/stenotype.cc:641:3:  [1] (access) umask:
  Ensure that umask is given most restrictive possible setting (e.g., 066
  or 077) (CWE-732).
  umask(0077);

ANALYSIS SUMMARY:

Hits = 34
Lines analyzed = 2821 in approximately 0.14 seconds (20887 lines/second)
Physical Source Lines of Code (SLOC) = 2085
Hits@level = [0]   6 [1]   4 [2]  30 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  40 [1+]  34 [2+]  30 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 19.1847 [1+] 16.307 [2+] 14.3885 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.