Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/cruft-0.9.39/canonical.c
Examining data/cruft-0.9.39/dash-search.c
Examining data/cruft-0.9.39/filter_shell.c
Examining data/cruft-0.9.39/fn_stream.c
Examining data/cruft-0.9.39/fn_stream.h
Examining data/cruft-0.9.39/merge_diff.c
Examining data/cruft-0.9.39/merge_diff_common.c
Examining data/cruft-0.9.39/merge_diff_common.h
Examining data/cruft-0.9.39/merge_diff_funcs.c
Examining data/cruft-0.9.39/merge_diff_test.c
Examining data/cruft-0.9.39/readlinks.c
Examining data/cruft-0.9.39/river.c
Examining data/cruft-0.9.39/river.h
Examining data/cruft-0.9.39/shellexp.c
Examining data/cruft-0.9.39/shellexptest.c

FINAL RESULTS:

data/cruft-0.9.39/readlinks.c:88:17:  [5] (race) readlink:
  This accepts filename arguments; if an attacker can move those files or
  change the link content, a race condition results. Also, it does not
  terminate with ASCII NUL. (CWE-362, CWE-20). Reconsider approach.
	    numchars = readlink( buffer, basename, sz_buffs - 1 );
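Added example, not code from cruft or from Flawfinder: a readlink() wrapper that does what the hit above asks for, writing the NUL that readlink() never writes and refusing a silently truncated target, plus a self-contained demo that creates a symlink under a temporary directory to exercise it. The wrapper name, the temporary directory path and the link target are made up for the example.

```c
/* Added example (not cruft's code). readlink() does not NUL-terminate and
 * truncates silently; this wrapper fixes both, and the demo below creates a
 * real symlink in a fresh temp dir to show the normal and truncated cases. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700        /* mkdtemp(), symlink(), readlink() */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns the target length on success with buf NUL-terminated, or -1 with
 * errno set. ENAMETOOLONG means the target did not fit; buf is emptied so a
 * partial path cannot be used by mistake. */
ssize_t safe_readlink(const char *path, char *buf, size_t bufsz)
{
    if (bufsz == 0) { errno = EINVAL; return -1; }
    /* Offer one byte less than the buffer, reserving room for the NUL. */
    ssize_t n = readlink(path, buf, bufsz - 1);
    if (n < 0)
        return -1;
    /* If readlink() filled everything we offered, the target may be longer
     * than what we got (it gives no other truncation signal). A target that
     * is exactly bufsz-1 bytes is rejected too; that is the conservative side. */
    if ((size_t)n == bufsz - 1) {
        buf[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[n] = '\0';
    return n;
}

/* Demo: make a symlink in a temp dir (constructed, under /tmp or, failing
 * that, the current directory), read it with a large and a too-small buffer,
 * clean up. Returns 0 on success, a nonzero step number on failure. */
int demo_readlink(void)
{
    char tmpdir[] = "/tmp/ff_readlink_XXXXXX";   /* constructed sample path */
    char cwddir[] = "./ff_readlink_XXXXXX";      /* fallback if /tmp unusable */
    char *dir = mkdtemp(tmpdir);
    if (dir == NULL) dir = mkdtemp(cwddir);
    if (dir == NULL) return 1;

    char link[4096];
    if (snprintf(link, sizeof link, "%s/lnk", dir) >= (int)sizeof link) {
        rmdir(dir);
        return 2;
    }
    const char *target = "some/relative/target";   /* constructed link content */
    if (symlink(target, link) != 0) { rmdir(dir); return 3; }

    int rc = 0;
    char big[64];
    ssize_t n = safe_readlink(link, big, sizeof big);
    if (n != (ssize_t)strlen(target) || strcmp(big, target) != 0)
        rc = 4;

    char small[8];                                  /* too small for the target */
    if (rc == 0) {
        errno = 0;
        if (safe_readlink(link, small, sizeof small) != -1 || errno != ENAMETOOLONG)
            rc = 5;
    }

    unlink(link);
    rmdir(dir);
    return rc;
}
```

The race half of the hit (CWE-362) cannot be closed inside a wrapper: readlink() resolves a path name, and the link can be replaced between the call and whatever the caller does with the result. Where the link sits in a directory other users can write to, open that directory first and use readlinkat() relative to the descriptor, and treat the returned target as untrusted data rather than as a path to act on blindly.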
data/cruft-0.9.39/canonical.c:93:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
	strcpy( basename, pch + 1 );
data/cruft-0.9.39/canonical.c:99:6:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
	    strcpy( last, buffer );
data/cruft-0.9.39/canonical.c:118:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
		strcpy( cwd, buffer );
data/cruft-0.9.39/dash-search.c:39:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
		    strcpy( filename, pde->d_name );
data/cruft-0.9.39/merge_diff_common.c:10:2:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
	vfprintf(stderr, fmt, ap);
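Added example, not code from cruft: a variadic wrapper of the kind flagged above, carrying the GCC/Clang format attribute so the compiler checks each call site, beside the two ways outside data can be passed through it. The function names and sample strings are made up for the example, and the wrapper formats into a buffer rather than stderr so its output can be inspected.

```c
/* Added example (not cruft's code). A vfprintf()-style wrapper is only safe
 * while every caller passes a literal format; the attribute below makes the
 * compiler flag callers that do not, and echo_safe() shows the "%s" idiom
 * for data that came from outside. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same shape as a message()/die() helper, but writes to out. With the
 * attribute, gcc -Wformat -Wformat-security checks every call site. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
int format_msg(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Wrong: the data becomes the format string (CWE-134). Any %x, %s or %n in
 * it is honoured against arguments that do not exist; GCC warns here once
 * format_msg carries the attribute. */
int echo_unsafe(char *out, size_t outsz, const char *data)
{
    return format_msg(out, outsz, data);
}

/* Right: a constant format, the data is just an argument. */
int echo_safe(char *out, size_t outsz, const char *data)
{
    return format_msg(out, outsz, "%s", data);
}

/* Returns 1 if echoing data through the chosen path yields exactly expected.
 * The demo only feeds "%%" through the unsafe path, the one directive that
 * consumes no argument, so the comparison stays well defined. */
int echo_matches(int use_safe, const char *data, const char *expected)
{
    char out[64];
    int n = use_safe ? echo_safe(out, sizeof out, data)
                     : echo_unsafe(out, sizeof out, data);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, expected) == 0;
}
```

The visible difference is small ("50%% done" comes out as "50% done" through the unsafe path and unchanged through the safe one) but it is the same mechanism that lets %x dump the stack and %n write to it. Add the attribute to every wrapper of this kind and build with -Wformat -Wformat-security so the non-literal call sites are reported rather than found later.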
data/cruft-0.9.39/readlinks.c:93:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
		strcpy(buffer,basename);
data/cruft-0.9.39/readlinks.c:116:6:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
	    strcpy( basename, buffer );
data/cruft-0.9.39/readlinks.c:119:6:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
	    strcpy( basename, pch + 1 );
data/cruft-0.9.39/readlinks.c:139:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
		strcpy( cwd, buffer );
data/cruft-0.9.39/readlinks.c:141:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
		strcpy( cwd, last );
data/cruft-0.9.39/readlinks.c:142:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
		strcat( cwd, buffer ); /* may overflow XXXXX */
data/cruft-0.9.39/river.c:135:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
	strcpy(filename, d_name);
data/cruft-0.9.39/dash-search.c:14:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char filename[1000];
data/cruft-0.9.39/dash-search.c:15:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buffer[1000];
data/cruft-0.9.39/dash-search.c:30:6:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	f = fopen( pde->d_name, "r" );
data/cruft-0.9.39/filter_shell.c:16:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char (*strings)[BUFFER_LEN] = calloc(NUM_STRINGS, BUFFER_LEN);
data/cruft-0.9.39/filter_shell.c:17:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buffer[BUFFER_LEN];
data/cruft-0.9.39/filter_shell.c:29:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	exp_list = fopen( argv[i], "r" );
data/cruft-0.9.39/fn_stream.c:27:17:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	if ((s->file = fopen(filename, "r")) == NULL) {
data/cruft-0.9.39/fn_stream.h:6:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char  line[1000];
data/cruft-0.9.39/readlinks.c:117:6:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	    strcpy( buffer, "./" );
data/cruft-0.9.39/river.c:134:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char filename[1000];
data/cruft-0.9.39/river.c:137:22:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	if ((r->out[r->n] = fopen(filename, "w")) == NULL) {
data/cruft-0.9.39/canonical.c:57:5:  [1] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant character.
    strcpy( last, "" );
data/cruft-0.9.39/canonical.c:63:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	for ( pch = buffer + strlen(buffer) - 1; 
data/cruft-0.9.39/canonical.c:65:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	      pch += strlen(pch) - 1 ) 
data/cruft-0.9.39/canonical.c:75:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	    pch = buffer + strlen(buffer) - 1;
data/cruft-0.9.39/canonical.c:121:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            pch = cwd + strlen(cwd) - 1;
data/cruft-0.9.39/dash-search.c:33:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	    if ( buffer[strlen(buffer)-1] == '\n' )
data/cruft-0.9.39/dash-search.c:34:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		buffer[strlen(buffer)-1] = '\0';
data/cruft-0.9.39/filter_shell.c:66:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		memmove( buffer, pch, strlen(pch) + 1 );
data/cruft-0.9.39/filter_shell.c:81:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if ( buffer[strlen(buffer)-1] == '\n' ) 
data/cruft-0.9.39/filter_shell.c:82:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	    buffer[strlen(buffer)-1]='\0';
data/cruft-0.9.39/fn_stream.c:14:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	int x = strlen(s->line) - 1;
data/cruft-0.9.39/readlinks.c:54:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	for ( pch = buffer + strlen(buffer) - 1; 
data/cruft-0.9.39/readlinks.c:56:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	      pch += strlen(pch) - 1 ) 
data/cruft-0.9.39/readlinks.c:64:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	    pch = buffer + strlen(buffer) - 1;
data/cruft-0.9.39/readlinks.c:68:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	assert( pch == buffer + strlen(buffer) - 1 );
data/cruft-0.9.39/readlinks.c:81:2:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
	strncpy( last, buffer, pch - buffer + 1 );
data/cruft-0.9.39/readlinks.c:110:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	for ( pch = buffer+strlen(buffer); 
data/cruft-0.9.39/readlinks.c:133:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	    pch = cwd + strlen(cwd) - 1;
data/cruft-0.9.39/readlinks.c:144:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	    pch = cwd + strlen(cwd) - 1;
data/cruft-0.9.39/river.c:136:2:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
	strncpy(filename, r->output_prefix, strlen(r->output_prefix));
data/cruft-0.9.39/river.c:136:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	strncpy(filename, r->output_prefix, strlen(r->output_prefix));
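Added example, not code from cruft: it serves both the strcpy()/strcat() hits in canonical.c, dash-search.c, readlinks.c and river.c and the strncpy() hit just above. The first function reproduces the river.c:136 pattern, copying exactly strlen(src) bytes so that no terminator is written; the second is a bounded prefix+name builder that detects truncation instead of overflowing. Buffer sizes, prefixes and names are made up for the example.

```c
/* Added example (not cruft's code). Two copy idioms side by side: the
 * strncpy(dst, src, strlen(src)) form flagged above, which never writes a
 * NUL, and an snprintf()-based builder that reports truncation. */
#include <stdio.h>
#include <string.h>

/* Reproduces the flagged pattern. dst is filled with 'X' (with a NUL only
 * at the very end) to stand in for stale stack contents. The returned
 * strlen() shows the "string" running on past the copied prefix, which is
 * where a following strcpy()/strcat() into the same buffer would start. */
size_t unterminated_copy_len(void)
{
    char dst[16];
    memset(dst, 'X', sizeof dst);
    dst[sizeof dst - 1] = '\0';       /* keeps the over-read inside dst */
    const char *prefix = "out_";      /* constructed sample prefix */
    strncpy(dst, prefix, strlen(prefix));   /* copies 4 bytes, no NUL */
    return strlen(dst);               /* 15, not 4 */
}

/* Bounded replacement for a strcpy()+strcat() pair: one snprintf() builds
 * prefix+name, and a return value >= dstsz means the result was cut off.
 * On truncation dst is emptied so a partial path is never used. */
int build_filename(char *dst, size_t dstsz, const char *prefix, const char *name)
{
    if (dstsz == 0) return -1;
    int n = snprintf(dst, dstsz, "%s%s", prefix, name);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Demo: build into a local buffer while pretending its capacity is cap
 * (cap <= 64), returning the result length or -1 on truncation. */
int build_len(const char *prefix, const char *name, size_t cap)
{
    char buf[64];
    if (cap > sizeof buf) return -1;
    if (build_filename(buf, cap, prefix, name) != 0)
        return -1;
    return (int)strlen(buf);
}
```

snprintf() is the portable choice; strlcpy()/strlcat() give the same truncation signal and are available on the BSDs and in glibc from 2.38. Whichever is used, the check on the return value is the point: a 1000-byte filename[] is only safe while every d_name and every prefix that reaches it is known to be shorter than that, and the check makes the assumption explicit.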
data/cruft-0.9.39/river.c:180:46:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			if (strncmp(pde->d_name, r->input_prefix, strlen(r->input_prefix)) == 0)

ANALYSIS SUMMARY:

Hits = 46
Lines analyzed = 1075 in approximately 0.12 seconds (9073 lines/second)
Physical Source Lines of Code (SLOC) = 811
Hits@level = [0]  15 [1]  22 [2]  11 [3]   0 [4]  12 [5]   1
Hits@level+ = [0+]  61 [1+]  46 [2+]  24 [3+]  13 [4+]  13 [5+]   1
Hits/KSLOC@level+ = [0+] 75.2158 [1+] 56.7201 [2+] 29.5931 [3+] 16.0296 [4+] 16.0296 [5+] 1.23305
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.