Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/clevis-13/src/luks/udisks2/clevis-luks-udisks2.c
Examining data/clevis-13/src/pins/sss/clevis-decrypt-sss.c
Examining data/clevis-13/src/pins/sss/clevis-encrypt-sss.c
Examining data/clevis-13/src/pins/sss/sss.c
Examining data/clevis-13/src/pins/sss/sss.h
FINAL RESULTS:
data/clevis-13/src/luks/udisks2/clevis-luks-udisks2.c:127:9: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(pkt.data, dev);
data/clevis-13/src/luks/udisks2/clevis-luks-udisks2.c:360:9: [4] (shell) execle:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
execle(BINDIR "/clevis", "clevis", "decrypt", NULL, env);
data/clevis-13/src/pins/sss/sss.c:367:9: [4] (shell) execvp:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
execvp(argv[0], argv);
data/clevis-13/src/luks/udisks2/clevis-luks-udisks2.c:502:22: [3] (buffer) getopt_long:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
for (int c; (c = getopt_long(argc, argv, sopts, lopts, NULL)) >= 0; ) {
data/clevis-13/src/luks/udisks2/clevis-luks-udisks2.c:55:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char data[MAX_UDP];
data/clevis-13/src/luks/udisks2/clevis-luks-udisks2.c:400:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char msg[4096] = {};
data/clevis-13/src/pins/sss/clevis-decrypt-sss.c:239:21: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&pin->pt[pin->ptl], buf, rd);
data/clevis-13/src/pins/sss/clevis-encrypt-sss.c:114:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024] = {};
data/clevis-13/src/luks/udisks2/clevis-luks-udisks2.c:123:20: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
pkt.used = strlen(dev) + 1;
data/clevis-13/src/luks/udisks2/clevis-luks-udisks2.c:378:17: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
block = read(pull[PIPE_RD], &out[bytes], max - bytes);
data/clevis-13/src/pins/sss/clevis-decrypt-sss.c:91:18: [1] (buffer) fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
for (int c = fgetc(file); c != EOF && c != '.' && !isspace(c); c = fgetc(file)) {
data/clevis-13/src/pins/sss/clevis-decrypt-sss.c:91:72: [1] (buffer) fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
for (int c = fgetc(file); c != EOF && c != '.' && !isspace(c); c = fgetc(file)) {
data/clevis-13/src/pins/sss/clevis-decrypt-sss.c:293:22: [1] (buffer) fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
for (int b = fgetc(stdin); b != EOF && b != '.'; b = fgetc(stdin)) {
data/clevis-13/src/pins/sss/clevis-decrypt-sss.c:293:62: [1] (buffer) fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
for (int b = fgetc(stdin); b != EOF && b != '.'; b = fgetc(stdin)) {
data/clevis-13/src/pins/sss/clevis-encrypt-sss.c:67:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
OPENSSL_cleanse(*str, strlen(*str));
ANALYSIS SUMMARY:
Hits = 15
Lines analyzed = 1757 in approximately 0.11 seconds (16668 lines/second)
Physical Source Lines of Code (SLOC) = 1260
Hits@level = [0] 57 [1] 7 [2] 4 [3] 1 [4] 3 [5] 0
Hits@level+ = [0+] 72 [1+] 15 [2+] 8 [3+] 4 [4+] 3 [5+] 0
Hits/KSLOC@level+ = [0+] 57.1429 [1+] 11.9048 [2+] 6.34921 [3+] 3.1746 [4+] 2.38095 [5+] 0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.