Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/inspect.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/operation.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/error_handling.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/constants.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/ast_fwd_decl.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/util.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass_util.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/to_c.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/context.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/listize.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/plugins.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/kwd_arg_macros.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/functions.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/eval.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/context.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/environment.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass_values.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/paths.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/environment.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/ast_fwd_decl.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/bind.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/expand.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/ast.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/ast_def_macros.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/color_maps.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/inspect.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/base64vlq.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/output.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/prelexer.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/units.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/util.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/node.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/to_c.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/source_map.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass_functions.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/extend.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/cssize.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/expand.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/c99func.c
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/plugins.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/memory/SharedPtr.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/memory/SharedPtr.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/include/sass2scss.h
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/include/sass/context.h
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/include/sass/version.h
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/include/sass/functions.h
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/include/sass/base.h
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/include/sass/values.h
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/include/sass.h
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/operators.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/emitter.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/node.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/backtrace.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/to_value.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass_util.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/file.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/to_value.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/lexer.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/extend.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/values.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/error_handling.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/debug.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/utf8_string.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/check_nesting.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass_context.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/prelexer.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/check_nesting.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/eval.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/values.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/utf8/checked.h
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/utf8/core.h
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/utf8/unchecked.h
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/bind.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/mapping.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass_functions.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/b64/encode.h
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/b64/cencode.h
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/cencode.c
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/emitter.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/remove_placeholders.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/functions.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/units.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/source_map.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/backtrace.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/output.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass_context.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/position.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass_values.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/cssize.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass2scss.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/subset_map.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/constants.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/position.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/utf8_string.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/utf8.h
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/listize.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/debugger.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/lexer.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/file.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/operators.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/remove_placeholders.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/base64vlq.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/color_maps.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/subset_map.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/ast.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/operation.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/error_handling.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/util.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/sass_util.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/to_c.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/listize.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/plugins.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/kwd_arg_macros.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/functions.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/json.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/eval.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/context.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/paths.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/environment.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/ast_fwd_decl.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/parser.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/to_string.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/ast.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/SharedPtr.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/inspect.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/base64vlq.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/output.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/prelexer.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/source_map.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/extend.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/expand.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/unity.cpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/node.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/file.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/to_value.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/lexer.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/utf8_string.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/check_nesting.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/values.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/bind.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/mapping.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/cencode.c
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/emitter.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/units.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/cssize.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/constants.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/position.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/utf8.h
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/color_names.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/remove_placeholders.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/color_maps.hpp
Examining data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libs/subset_map.hpp

FINAL RESULTS:

data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/c99func.c:42:5:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  int snprintf(char* str, size_t size, const char* format, ...)
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/eval.cpp:1465:16:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  using std::strcpy;
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp:43:8:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  #ifdef snprintf
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp:44:8:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  #undef snprintf
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp:46:16:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  extern "C" int snprintf(char *, size_t, const char *, ...);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp:60:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ret, str);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp:1372:9:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  snprintf(errmsg, 256, __VA_ARGS__); \
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass2scss.cpp:840:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy (cstr, scss.c_str());
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/context.cpp:817:40:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  register_function(ctx, random_sig, random, env);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/eval.cpp:1592:50:  [3] (misc) chroot:
  chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22). Make sure the program immediately chdir("/"), closes file descriptors, and drops root privileges, and that all necessary files (and no more!) are in the new root.
  Selector_List_Obj sl = p.parse_selector_list(chroot);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/functions.cpp:1349:14:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  BUILT_IN(random)
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/functions.hpp:155:14:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  BUILT_IN(random);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.cpp:552:87:  [3] (misc) chroot:
  chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22). Make sure the program immediately chdir("/"), closes file descriptors, and drops root privileges, and that all necessary files (and no more!) are in the new root.
  Selector_Schema_Obj Parser::parse_selector_schema(const char* end_of_selector, bool chroot)
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.cpp:662:54:  [3] (misc) chroot:
  chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22). Make sure the program immediately chdir("/"), closes file descriptors, and drops root privileges, and that all necessary files (and no more!) are in the new root.
  Selector_List_Obj Parser::parse_selector_list(bool chroot)
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.cpp:684:36:  [3] (misc) chroot:
  chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22). Make sure the program immediately chdir("/"), closes file descriptors, and drops root privileges, and that all necessary files (and no more!) are in the new root.
  sel = parse_complex_selector(chroot);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.cpp:718:60:  [3] (misc) chroot:
  chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22). Make sure the program immediately chdir("/"), closes file descriptors, and drops root privileges, and that all necessary files (and no more!) are in the new root.
  Complex_Selector_Obj Parser::parse_complex_selector(bool chroot)
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.cpp:771:36:  [3] (misc) chroot:
  chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22). Make sure the program immediately chdir("/"), closes file descriptors, and drops root privileges, and that all necessary files (and no more!) are in the new root.
  if (!sel->has_parent_ref() && !chroot) {
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.hpp:259:48:  [3] (misc) chroot:
  chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22). Make sure the program immediately chdir("/"), closes file descriptors, and drops root privileges, and that all necessary files (and no more!) are in the new root.
  Selector_List_Obj parse_selector_list(bool chroot);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.hpp:260:54:  [3] (misc) chroot:
  chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22). Make sure the program immediately chdir("/"), closes file descriptors, and drops root privileges, and that all necessary files (and no more!) are in the new root.
  Complex_Selector_Obj parse_complex_selector(bool chroot);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.hpp:261:81:  [3] (misc) chroot:
  chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22). Make sure the program immediately chdir("/"), closes file descriptors, and drops root privileges, and that all necessary files (and no more!) are in the new root.
  Selector_Schema_Obj parse_selector_schema(const char* end_of_selector, bool chroot);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass2scss.cpp:795:10:  [3] (random) setstate:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  is.setstate(std::ios::eofbit);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/file.cpp:57:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char wd[wd_len];
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/file.cpp:64:9:  [2] (buffer) wchar_t:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  wchar_t wd[wd_len];
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/file.cpp:79:9:  [2] (buffer) wchar_t:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  wchar_t resolved[32768];
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/file.cpp:411:9:  [2] (buffer) wchar_t:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  wchar_t resolved[32768];
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp:107:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(sb->cur, bytes, count);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp:837:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char throwaway_buffer[4];
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp:1227:13:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(b, "\\uFFFD");
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp:1288:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[64];
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp:1289:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "%.16g", num);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp:1368:39:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  bool json_check(const JsonNode *node, char errmsg[256])
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.hpp:115:39:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  bool json_check(const JsonNode *node, char errmsg[256]);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.hpp:354:34:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  template <Prelexer::prelexer open, Prelexer::prelexer close>
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.hpp:357:17:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (lex < open >(false)) {
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass.cpp:47:10:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  std::memcpy(cpy, str, len);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass2scss.cpp:701:38:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (IS_CSS_COMMENT(converter) && open != "")
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass2scss.cpp:713:25:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  converter.comment = open;
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/util.cpp:292:20:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char u[5] = {0,0,0,0,0}; utf8::append(cp, u);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/util.cpp:381:20:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char u[5] = {0,0,0,0,0}; utf8::append(cp, u);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/b64/encode.h:58:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  istream_in.read(plaintext, N);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/eval.cpp:1464:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  using std::strlen;
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/file.cpp:443:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  file.read(contents, size);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/functions.cpp:317:21:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it.
  return std::equal(calc.begin(), calc.end(), ss.begin()) ||
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/functions.cpp:318:21:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it.
  std::equal(var.begin(), var.end(), ss.begin());
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp:57:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char *ret = (char*) malloc(strlen(str) + 1);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp:119:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sb_put(sb, str, (int)strlen(str));
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/json.cpp:125:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(sb->start <= sb->cur && strlen(sb->start) == (size_t)(sb->cur - sb->start));
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/output.hpp:18:17:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it.
  return std::equal(ending.rbegin(), ending.rend(), value.rbegin());
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.cpp:40:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  p.end = p.position + strlen(p.position);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.cpp:54:43:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  p.end = end ? end : p.position + strlen(p.position);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/parser.cpp:88:47:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  p.end = t.end ? t.end : p.position + strlen(p.position);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/position.cpp:15:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  *this = inc(string, string + strlen(string));
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/position.cpp:32:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  end += strlen(beg);
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/position.hpp:83:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  : prefix(str), begin(str), end(str + strlen(str)) { }
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/sass.cpp:45:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t len = strlen(str) + 1;
data/golang-github-wellington-go-libsass-0.9.2+git20181130.4ef5b9d/libsass-build/util.cpp:428:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
const char* end = it + strlen(it) + 1; ANALYSIS SUMMARY: Hits = 56 Lines analyzed = 38994 in approximately 1.03 seconds (38028 lines/second) Physical Source Lines of Code (SLOC) = 29568 Hits@level = [0] 1 [1] 17 [2] 18 [3] 13 [4] 8 [5] 0 Hits@level+ = [0+] 57 [1+] 56 [2+] 39 [3+] 21 [4+] 8 [5+] 0 Hits/KSLOC@level+ = [0+] 1.92776 [1+] 1.89394 [2+] 1.31899 [3+] 0.710227 [4+] 0.270563 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.