Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/ucto-0.21.1/src/my_textcat.cxx
Examining data/ucto-0.21.1/src/setting.cxx
Examining data/ucto-0.21.1/src/tokenize.cxx
Examining data/ucto-0.21.1/src/ucto.cxx
Examining data/ucto-0.21.1/include/ucto/my_textcat.h
Examining data/ucto-0.21.1/include/ucto/setting.h
Examining data/ucto-0.21.1/include/ucto/tokenize.h
FINAL RESULTS:
data/ucto-0.21.1/src/setting.cxx:159:45: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int Quoting::lookup( const UnicodeString& open, int& stackindex ){
data/ucto-0.21.1/src/setting.cxx:164:12: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ( open.indexOf( *it ) >= 0 ){
data/ucto-0.21.1/src/setting.cxx:322:11: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
open = open.trim().unescape();
data/ucto-0.21.1/src/setting.cxx:324:9: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ( open.isEmpty() || close.isEmpty() ){
data/ucto-0.21.1/src/setting.cxx:328:18: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
quotes.add( open, close );
data/ucto-0.21.1/src/setting.cxx:701:15: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
open = open.trim().unescape();
data/ucto-0.21.1/src/setting.cxx:703:13: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ( open.isEmpty() || close.isEmpty() ){
data/ucto-0.21.1/src/setting.cxx:708:15: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
quotes.add( open, close );
data/ucto-0.21.1/src/tokenize.cxx:1750:31: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
const UnicodeString& open,
data/ucto-0.21.1/src/tokenize.cxx:1754:37: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int beginindex = quotes.lookup( open, stackindex );
data/ucto-0.21.1/src/tokenize.cxx:1926:8: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ( !open.isEmpty() ) { // we have a closing quote
data/ucto-0.21.1/src/tokenize.cxx:1930:27: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ( !resolveQuote( i, open, quotes )) {
data/ucto-0.21.1/include/ucto/setting.h:92:10: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
bool read( const std::string&, const std::string&, int, TiCC::LogStream* );
data/ucto-0.21.1/src/my_textcat.cxx:92:15: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ( res && strlen(res) > 0 && strcmp( res, "SHORT" ) != 0 ){
data/ucto-0.21.1/src/setting.cxx:552:17: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
bool Setting::read( const string& settings_name,
data/ucto-0.21.1/src/tokenize.cxx:2762:16: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if ( !set->read( fname, tname, tokDebug, theErrLog ) ){
data/ucto-0.21.1/src/tokenize.cxx:2814:18: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if ( !set->read( fname, add, tokDebug, theErrLog ) ){
ANALYSIS SUMMARY:
Hits = 17
Lines analyzed = 5040 in approximately 0.13 seconds (39443 lines/second)
Physical Source Lines of Code (SLOC) = 4318
Hits@level = [0] 0 [1] 5 [2] 12 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 17 [1+] 17 [2+] 12 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 3.93701 [1+] 3.93701 [2+] 2.77906 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.