Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/ucto-0.21.1/src/my_textcat.cxx
Examining data/ucto-0.21.1/src/setting.cxx
Examining data/ucto-0.21.1/src/tokenize.cxx
Examining data/ucto-0.21.1/src/ucto.cxx
Examining data/ucto-0.21.1/include/ucto/my_textcat.h
Examining data/ucto-0.21.1/include/ucto/setting.h
Examining data/ucto-0.21.1/include/ucto/tokenize.h

FINAL RESULTS:

data/ucto-0.21.1/src/setting.cxx:159:45:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  int Quoting::lookup( const UnicodeString& open, int& stackindex ){
data/ucto-0.21.1/src/setting.cxx:164:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  if ( open.indexOf( *it ) >= 0 ){
data/ucto-0.21.1/src/setting.cxx:322:11:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  open = open.trim().unescape();
data/ucto-0.21.1/src/setting.cxx:324:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  if ( open.isEmpty() || close.isEmpty() ){
data/ucto-0.21.1/src/setting.cxx:328:18:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  quotes.add( open, close );
data/ucto-0.21.1/src/setting.cxx:701:15:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  open = open.trim().unescape();
data/ucto-0.21.1/src/setting.cxx:703:13:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  if ( open.isEmpty() || close.isEmpty() ){
data/ucto-0.21.1/src/setting.cxx:708:15:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  quotes.add( open, close );
data/ucto-0.21.1/src/tokenize.cxx:1750:31:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  const UnicodeString& open,
data/ucto-0.21.1/src/tokenize.cxx:1754:37:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  int beginindex = quotes.lookup( open, stackindex );
data/ucto-0.21.1/src/tokenize.cxx:1926:8:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  if ( !open.isEmpty() ) { // we have a closing quote
data/ucto-0.21.1/src/tokenize.cxx:1930:27:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  if ( !resolveQuote( i, open, quotes )) {
data/ucto-0.21.1/include/ucto/setting.h:92:10:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  bool read( const std::string&, const std::string&, int, TiCC::LogStream* );
data/ucto-0.21.1/src/my_textcat.cxx:92:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ( res && strlen(res) > 0 && strcmp( res, "SHORT" ) != 0 ){
data/ucto-0.21.1/src/setting.cxx:552:17:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  bool Setting::read( const string& settings_name,
data/ucto-0.21.1/src/tokenize.cxx:2762:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  if ( !set->read( fname, tname, tokDebug, theErrLog ) ){
data/ucto-0.21.1/src/tokenize.cxx:2814:18:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  if ( !set->read( fname, add, tokDebug, theErrLog ) ){

ANALYSIS SUMMARY:

Hits = 17
Lines analyzed = 5040 in approximately 0.13 seconds (39443 lines/second)
Physical Source Lines of Code (SLOC) = 4318
Hits@level = [0]   0 [1]   5 [2]  12 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  17 [1+]  17 [2+]  12 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 3.93701 [1+] 3.93701 [2+] 2.77906 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.