Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/colorized-logs-2.5/ansi2html.c
Examining data/colorized-logs-2.5/ansi2txt.c
Examining data/colorized-logs-2.5/pipetty.c
Examining data/colorized-logs-2.5/signals.c
Examining data/colorized-logs-2.5/ttyrec2ansi.c

FINAL RESULTS:

data/colorized-logs-2.5/ansi2html.c:125:13:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  cl+=sprintf(cl, " %s", cols[_fg]);
data/colorized-logs-2.5/ansi2html.c:131:13:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  cl+=sprintf(cl, " B%s", cols[_bg]);
data/colorized-logs-2.5/ansi2html.c:136:13:  [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
  cl+=sprintf(cl, (fl&STRIKE)?" UNDSTR":" UND");
data/colorized-logs-2.5/ansi2html.c:207:9:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  printf(no_header?"</span>":"</b>");
data/colorized-logs-2.5/pipetty.c:31:5:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(stderr, PN ": ");
data/colorized-logs-2.5/pipetty.c:33:5:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  vfprintf(stderr, msg, ap);
data/colorized-logs-2.5/pipetty.c:84:9:  [4] (shell) execvp:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  execvp(argv[1], (char*const*)argv+1);
data/colorized-logs-2.5/pipetty.c:106:13:  [4] (shell) execlp:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  execlp("less", "less", "-R", "-", 0);
data/colorized-logs-2.5/ansi2html.c:245:17:  [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "-nwt:lc", long_options, 0);
data/colorized-logs-2.5/ansi2html.c:81:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char clbuf[32], *cl=clbuf;
data/colorized-logs-2.5/ansi2html.c:128:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  cl+=sprintf(cl, " BOLD");
data/colorized-logs-2.5/ansi2html.c:134:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  cl+=sprintf(cl, " ITA");
data/colorized-logs-2.5/ansi2html.c:138:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  cl+=sprintf(cl, " STR");
data/colorized-logs-2.5/pipetty.c:116:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[16384];
data/colorized-logs-2.5/ttyrec2ansi.c:50:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[BUFFER_SIZE];
data/colorized-logs-2.5/ansi2html.c:345:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  int ch=getchar();
data/colorized-logs-2.5/ansi2html.c:361:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:365:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:369:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:373:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:378:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:384:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:388:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:392:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:396:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:400:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:404:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:414:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:417:19:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  for (;;ch=getchar())
data/colorized-logs-2.5/ansi2html.c:421:20:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar(); /* want ESC \ but we accept ESC anything */
data/colorized-logs-2.5/ansi2html.c:423:20:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar(); /* BELL is the alternate terminator */
data/colorized-logs-2.5/ansi2html.c:428:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:430:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:434:8:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:442:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:448:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:453:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:568:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:578:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:583:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar(); /* invalid/unimplemented code, ignore */
data/colorized-logs-2.5/ansi2html.c:591:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2html.c:594:8:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2txt.c:8:12:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/ansi2txt.c:10:21:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if ((ch=getchar())!=10)
data/colorized-logs-2.5/ansi2txt.c:13:21:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if ((ch=getchar())=='[')
data/colorized-logs-2.5/ansi2txt.c:14:28:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  while ((ch=getchar())==';'||(ch>='0'&&ch<='9')||ch=='?');
data/colorized-logs-2.5/ansi2txt.c:15:35:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  else if (ch==']'&&(ch=getchar())>=0&&ch<='9')
data/colorized-logs-2.5/ansi2txt.c:18:29:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if ((ch=getchar())==EOF||ch==7)
data/colorized-logs-2.5/ansi2txt.c:21:29:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  {ch=getchar(); break;}
data/colorized-logs-2.5/ansi2txt.c:24:20:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch=getchar();
data/colorized-logs-2.5/pipetty.c:43:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int plen = strlen(proc);
data/colorized-logs-2.5/pipetty.c:44:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int nlen = strlen(name);
data/colorized-logs-2.5/pipetty.c:118:15:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  while ((r=read(master, buf, sizeof(buf)))>0)

ANALYSIS SUMMARY:

Hits = 53
Lines analyzed = 891 in approximately 0.07 seconds (12370 lines/second)
Physical Source Lines of Code (SLOC) = 822
Hits@level = [0]  58 [1]  38 [2]   6 [3]   1 [4]   8 [5]   0
Hits@level+ = [0+] 111 [1+]  53 [2+]  15 [3+]   9 [4+]   8 [5+]   0
Hits/KSLOC@level+ = [0+] 135.036 [1+] 64.4769 [2+] 18.2482 [3+] 10.9489 [4+] 9.73236 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.