Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/eris-1.3.23/Eris/Account.cpp
Examining data/eris-1.3.23/Eris/Account.h
Examining data/eris-1.3.23/Eris/Alarm.cpp
Examining data/eris-1.3.23/Eris/Alarm.h
Examining data/eris-1.3.23/Eris/Avatar.cpp
Examining data/eris-1.3.23/Eris/Avatar.h
Examining data/eris-1.3.23/Eris/BaseConnection.cpp
Examining data/eris-1.3.23/Eris/BaseConnection.h
Examining data/eris-1.3.23/Eris/Calendar.cpp
Examining data/eris-1.3.23/Eris/Calendar.h
Examining data/eris-1.3.23/Eris/CharacterType.cpp
Examining data/eris-1.3.23/Eris/CharacterType.h
Examining data/eris-1.3.23/Eris/Connection.cpp
Examining data/eris-1.3.23/Eris/Connection.h
Examining data/eris-1.3.23/Eris/CustomEntities.cpp
Examining data/eris-1.3.23/Eris/CustomEntities.h
Examining data/eris-1.3.23/Eris/DeleteLater.cpp
Examining data/eris-1.3.23/Eris/DeleteLater.h
Examining data/eris-1.3.23/Eris/Entity.cpp
Examining data/eris-1.3.23/Eris/Entity.h
Examining data/eris-1.3.23/Eris/EntityRef.cpp
Examining data/eris-1.3.23/Eris/EntityRef.h
Examining data/eris-1.3.23/Eris/EntityRouter.cpp
Examining data/eris-1.3.23/Eris/EntityRouter.h
Examining data/eris-1.3.23/Eris/Exceptions.cpp
Examining data/eris-1.3.23/Eris/Exceptions.h
Examining data/eris-1.3.23/Eris/Factory.cpp
Examining data/eris-1.3.23/Eris/Factory.h
Examining data/eris-1.3.23/Eris/IGRouter.cpp
Examining data/eris-1.3.23/Eris/IGRouter.h
Examining data/eris-1.3.23/Eris/Lobby.cpp
Examining data/eris-1.3.23/Eris/Lobby.h
Examining data/eris-1.3.23/Eris/Log.cpp
Examining data/eris-1.3.23/Eris/Log.h
Examining data/eris-1.3.23/Eris/LogStream.h
Examining data/eris-1.3.23/Eris/MetaQuery.cpp
Examining data/eris-1.3.23/Eris/MetaQuery.h
Examining data/eris-1.3.23/Eris/Metaserver.cpp
Examining data/eris-1.3.23/Eris/Metaserver.h
Examining data/eris-1.3.23/Eris/Operations.cpp
Examining data/eris-1.3.23/Eris/Operations.h
Examining data/eris-1.3.23/Eris/Person.cpp
Examining data/eris-1.3.23/Eris/Person.h
Examining data/eris-1.3.23/Eris/Poll.h
Examining data/eris-1.3.23/Eris/PollDefault.cpp
Examining data/eris-1.3.23/Eris/PollDefault.h
Examining data/eris-1.3.23/Eris/Redispatch.cpp
Examining data/eris-1.3.23/Eris/Redispatch.h
Examining data/eris-1.3.23/Eris/Response.cpp
Examining data/eris-1.3.23/Eris/Response.h
Examining data/eris-1.3.23/Eris/Room.cpp
Examining data/eris-1.3.23/Eris/Room.h
Examining data/eris-1.3.23/Eris/Router.cpp
Examining data/eris-1.3.23/Eris/Router.h
Examining data/eris-1.3.23/Eris/ServerInfo.cpp
Examining data/eris-1.3.23/Eris/ServerInfo.h
Examining data/eris-1.3.23/Eris/SpawnPoint.cpp
Examining data/eris-1.3.23/Eris/SpawnPoint.h
Examining data/eris-1.3.23/Eris/Task.cpp
Examining data/eris-1.3.23/Eris/Task.h
Examining data/eris-1.3.23/Eris/TerrainModObserver.cpp
Examining data/eris-1.3.23/Eris/TerrainModObserver.h
Examining data/eris-1.3.23/Eris/TerrainModTranslator.cpp
Examining data/eris-1.3.23/Eris/TerrainModTranslator.h
Examining data/eris-1.3.23/Eris/TimedEventService.cpp
Examining data/eris-1.3.23/Eris/TimedEventService.h
Examining data/eris-1.3.23/Eris/Timeout.cpp
Examining data/eris-1.3.23/Eris/Timeout.h
Examining data/eris-1.3.23/Eris/TransferInfo.cpp
Examining data/eris-1.3.23/Eris/TransferInfo.h
Examining data/eris-1.3.23/Eris/TypeBoundRedispatch.cpp
Examining data/eris-1.3.23/Eris/TypeBoundRedispatch.h
Examining data/eris-1.3.23/Eris/TypeInfo.cpp
Examining data/eris-1.3.23/Eris/TypeInfo.h
Examining data/eris-1.3.23/Eris/TypeService.cpp
Examining data/eris-1.3.23/Eris/TypeService.h
Examining data/eris-1.3.23/Eris/Types.cpp
Examining data/eris-1.3.23/Eris/Types.h
Examining data/eris-1.3.23/Eris/UIFactory.h
Examining data/eris-1.3.23/Eris/View.cpp
Examining data/eris-1.3.23/Eris/View.h
Examining data/eris-1.3.23/Eris/ViewEntity.cpp
Examining data/eris-1.3.23/Eris/ViewEntity.h
Examining data/eris-1.3.23/Eris/iround.h
Examining data/eris-1.3.23/bindings/polls/glib/PollGlib.h
Examining data/eris-1.3.23/bindings/polls/glib/PollGlibFD.h
Examining data/eris-1.3.23/bindings/polls/glib/PollGlibSource.h
Examining data/eris-1.3.23/bindings/polls/winsock/PollWinsock.h
Examining data/eris-1.3.23/bindings/polls/winsock/PollWinsock_impl.h
Examining data/eris-1.3.23/test/Account_integrationtest.cpp
Examining data/eris-1.3.23/test/Account_unittest.cpp
Examining data/eris-1.3.23/test/Alarm_unittest.cpp
Examining data/eris-1.3.23/test/Avatar_unittest.cpp
Examining data/eris-1.3.23/test/BaseConnection_unittest.cpp
Examining data/eris-1.3.23/test/Calendar_unittest.cpp
Examining data/eris-1.3.23/test/Connection_unittest.cpp
Examining data/eris-1.3.23/test/DeleteLater_unittest.cpp
Examining data/eris-1.3.23/test/ElementExerciser.h
Examining data/eris-1.3.23/test/EntityRef_unittest.cpp
Examining data/eris-1.3.23/test/EntityRouter_unittest.cpp
Examining data/eris-1.3.23/test/Entity_unittest.cpp
Examining data/eris-1.3.23/test/Exceptions_unittest.cpp
Examining data/eris-1.3.23/test/Factory_unittest.cpp
Examining data/eris-1.3.23/test/IGRouter_unittest.cpp
Examining data/eris-1.3.23/test/Lobby_unittest.cpp
Examining data/eris-1.3.23/test/LogStream_unittest.cpp
Examining data/eris-1.3.23/test/Log_unittest.cpp
Examining data/eris-1.3.23/test/MetaQuery_unittest.cpp
Examining data/eris-1.3.23/test/Metaserver_integrationtest.cpp
Examining data/eris-1.3.23/test/Metaserver_unittest.cpp
Examining data/eris-1.3.23/test/Operations_unittest.cpp
Examining data/eris-1.3.23/test/Person_unittest.cpp
Examining data/eris-1.3.23/test/PollDefault_unittest.cpp
Examining data/eris-1.3.23/test/PollWinsock_unittest.cpp
Examining data/eris-1.3.23/test/Poll_unittest.cpp
Examining data/eris-1.3.23/test/Redispatch_unittest.cpp
Examining data/eris-1.3.23/test/Response_unittest.cpp
Examining data/eris-1.3.23/test/Room_unittest.cpp
Examining data/eris-1.3.23/test/Router_unittest.cpp
Examining data/eris-1.3.23/test/ServerInfo_unittest.cpp
Examining data/eris-1.3.23/test/SignalFlagger.h
Examining data/eris-1.3.23/test/Task_unittest.cpp
Examining data/eris-1.3.23/test/TerrainMod_unittest.cpp
Examining data/eris-1.3.23/test/TimedEventService_unittest.cpp
Examining data/eris-1.3.23/test/Timeout_unittest.cpp
Examining data/eris-1.3.23/test/TransferInfo_unittest.cpp
Examining data/eris-1.3.23/test/TypeBoundRedispatch_unittest.cpp
Examining data/eris-1.3.23/test/TypeInfo_unittest.cpp
Examining data/eris-1.3.23/test/TypeService_unittest.cpp
Examining data/eris-1.3.23/test/Types_unittest.cpp
Examining data/eris-1.3.23/test/UIFactory_unittest.cpp
Examining data/eris-1.3.23/test/View_unittest.cpp
Examining data/eris-1.3.23/test/agent.cpp
Examining data/eris-1.3.23/test/agent.h
Examining data/eris-1.3.23/test/avatarTest.cpp
Examining data/eris-1.3.23/test/avatarTest.h
Examining data/eris-1.3.23/test/calendarTest.cpp
Examining data/eris-1.3.23/test/calendarTest.h
Examining data/eris-1.3.23/test/clientConnection.cpp
Examining data/eris-1.3.23/test/clientConnection.h
Examining data/eris-1.3.23/test/commander.cpp
Examining data/eris-1.3.23/test/commander.h
Examining data/eris-1.3.23/test/connect.cpp
Examining data/eris-1.3.23/test/controller.cpp
Examining data/eris-1.3.23/test/controller.h
Examining data/eris-1.3.23/test/metaQuery.cpp
Examining data/eris-1.3.23/test/netTests.cpp
Examining data/eris-1.3.23/test/netTests.h
Examining data/eris-1.3.23/test/objectSummary.h
Examining data/eris-1.3.23/test/setupHelpers.cpp
Examining data/eris-1.3.23/test/setupHelpers.h
Examining data/eris-1.3.23/test/signalHelpers.h
Examining data/eris-1.3.23/test/stubServer.cpp
Examining data/eris-1.3.23/test/stubServer.h
Examining data/eris-1.3.23/test/testOutOfGame.cpp
Examining data/eris-1.3.23/test/testOutOfGame.h
Examining data/eris-1.3.23/test/testUtils.cpp
Examining data/eris-1.3.23/test/testUtils.h
Examining data/eris-1.3.23/test/tests.cpp
Examining data/eris-1.3.23/test/viewTest.cpp
Examining data/eris-1.3.23/test/viewTest.h

FINAL RESULTS:

data/eris-1.3.23/Eris/BaseConnection.cpp:31:9:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
#ifndef snprintf
data/eris-1.3.23/Eris/BaseConnection.cpp:32:9:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
#define snprintf _snprintf
data/eris-1.3.23/Eris/BaseConnection.cpp:32:18:  [4] (format) _snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
#define snprintf _snprintf
data/eris-1.3.23/Eris/Metaserver.cpp:28:9:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
#ifndef snprintf
data/eris-1.3.23/Eris/Metaserver.cpp:29:9:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
#define snprintf _snprintf
data/eris-1.3.23/Eris/Metaserver.cpp:29:18:  [4] (format) _snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
#define snprintf _snprintf
data/eris-1.3.23/test/agent.cpp:239:13:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
        switch (random() % 3) {
data/eris-1.3.23/test/agent.cpp:240:44:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
        case 0: return Atlas::Message::Element(random() % 10000);
data/eris-1.3.23/test/agent.cpp:241:44:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
        case 1: return Atlas::Message::Element(drand48() * 1e6);
data/eris-1.3.23/test/agent.cpp:242:52:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
        case 2: return Atlas::Message::Element(strings[random() % 10]);
data/eris-1.3.23/test/agent.cpp:314:26:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
        unsigned index = random() % m_visible.size();
data/eris-1.3.23/test/agent.cpp:333:30:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
        unsigned int index = random() % m_server->m_world.size();
data/eris-1.3.23/test/connect.cpp:68:17:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
        int c = getopt(argc, argv, "np:v");
data/eris-1.3.23/Eris/BaseConnection.cpp:235:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
        char msgBuf[128];
data/eris-1.3.23/Eris/Metaserver.cpp:387:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
            char buf[32];
data/eris-1.3.23/Eris/Metaserver.cpp:462:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
	memcpy(buffer, &netorder, sizeof(uint32_t));
data/eris-1.3.23/Eris/Metaserver.cpp:473:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
	memcpy(&netorder, buffer, sizeof(uint32_t));
data/eris-1.3.23/Eris/Metaserver.h:170:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
	char _data[DATA_BUFFER_SIZE];
data/eris-1.3.23/bindings/polls/winsock/PollWinsock.h:69:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char buffer[DATA_BUFSIZE];
data/eris-1.3.23/bindings/polls/winsock/PollWinsock_impl.h:73:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char buffer[DATA_BUFSIZE];
data/eris-1.3.23/test/clientConnection.cpp:466:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char charId[64];
data/eris-1.3.23/test/commander.cpp:130:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
        char buf[32];
data/eris-1.3.23/test/stubServer.cpp:65:21:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    m_commandSocket.open("/tmp/eris-test");
data/eris-1.3.23/test/stubServer.cpp:258:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char oid[64];

ANALYSIS SUMMARY:

Hits = 24
Lines analyzed = 24943 in approximately 0.56 seconds (44153 lines/second)
Physical Source Lines of Code (SLOC) = 16523
Hits@level = [0]  46 [1]   0 [2]  11 [3]   7 [4]   6 [5]   0
Hits@level+ = [0+]  70 [1+]  24 [2+]  24 [3+]  13 [4+]   6 [5+]   0
Hits/KSLOC@level+ = [0+] 4.23652 [1+] 1.45252 [2+] 1.45252 [3+] 0.786782 [4+] 0.36313 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.