Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libjwt-1.10.2/include/jwt.h
Examining data/libjwt-1.10.2/libjwt/jwt-openssl.c
Examining data/libjwt-1.10.2/libjwt/jwt-gnutls.c
Examining data/libjwt-1.10.2/libjwt/jwt.c
Examining data/libjwt-1.10.2/libjwt/jwt-private.h
Examining data/libjwt-1.10.2/tests/jwt_dump.c
Examining data/libjwt-1.10.2/tests/jwt_ec.c
Examining data/libjwt-1.10.2/tests/jwt_encode.c
Examining data/libjwt-1.10.2/tests/jwt_grant.c
Examining data/libjwt-1.10.2/tests/jwt_header.c
Examining data/libjwt-1.10.2/tests/jwt_new.c
Examining data/libjwt-1.10.2/tests/jwt_rsa.c

FINAL RESULTS:

data/libjwt-1.10.2/libjwt/jwt.c:871:2:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(new, str);
data/libjwt-1.10.2/libjwt/jwt.c:1036:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(buf, head);
data/libjwt-1.10.2/libjwt/jwt.c:1038:2:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(buf, body);
data/libjwt-1.10.2/libjwt/jwt-gnutls.c:194:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(*out, sig_dat.data, sig_dat.size);
data/libjwt-1.10.2/libjwt/jwt-gnutls.c:233:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(*out + r_out_padding, r.data + r_padding, r.size - r_padding);
data/libjwt-1.10.2/libjwt/jwt-gnutls.c:234:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(*out + (r.size - r_padding + r_out_padding) + s_out_padding,
data/libjwt-1.10.2/libjwt/jwt-openssl.c:86:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char res[EVP_MAX_MD_SIZE];
data/libjwt-1.10.2/libjwt/jwt-openssl.c:247:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(*out, sig, slen);
data/libjwt-1.10.2/libjwt/jwt-openssl.c:290:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(*out, raw_buf, buf_len);
data/libjwt-1.10.2/libjwt/jwt.c:149:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(jwt->key, key, len);
data/libjwt-1.10.2/libjwt/jwt.c:231:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(new->key, jwt->key, jwt->key_len);
data/libjwt-1.10.2/libjwt/jwt.c:545:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(new->key, key, key_len);
data/libjwt-1.10.2/tests/jwt_dump.c:35:8:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  out = fopen("/dev/null", "w");
data/libjwt-1.10.2/tests/jwt_ec.c:33:17:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static unsigned char key[16384];
data/libjwt-1.10.2/tests/jwt_ec.c:63:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE *fp = fopen(key_file, "r");
data/libjwt-1.10.2/tests/jwt_ec.c:70:7:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fp = fopen(key_path, "r");
data/libjwt-1.10.2/tests/jwt_encode.c:49:8:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  out = fopen("/dev/null", "w");
data/libjwt-1.10.2/tests/jwt_encode.c:134:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char key256[32] = "012345678901234567890123456789XY";
data/libjwt-1.10.2/tests/jwt_encode.c:173:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char key384[48] = "aaaabbbbccccddddeeeeffffgggghhhh"
data/libjwt-1.10.2/tests/jwt_encode.c:214:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char key512[64] = "012345678901234567890123456789XY"
data/libjwt-1.10.2/tests/jwt_encode.c:253:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char key512[64] = "012345678901234567890123456789XY"
data/libjwt-1.10.2/tests/jwt_encode.c:292:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char key512[64] = "012345678901234567890123456789XY"
data/libjwt-1.10.2/tests/jwt_new.c:70:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char key256[32] = "012345678901234567890123456789XY";
data/libjwt-1.10.2/tests/jwt_new.c:219:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char key256[32] = "012345678901234567890123456789XY";
data/libjwt-1.10.2/tests/jwt_new.c:283:17:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const unsigned char key384[48] = "aaaabbbbccccddddeeeeffffg"
data/libjwt-1.10.2/tests/jwt_new.c:302:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char key512[64] = "012345678901234567890123456789XY"
data/libjwt-1.10.2/tests/jwt_rsa.c:33:17:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static unsigned char key[16384];
data/libjwt-1.10.2/tests/jwt_rsa.c:89:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE *fp = fopen(key_file, "r");
data/libjwt-1.10.2/tests/jwt_rsa.c:96:7:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fp = fopen(key_path, "r");
data/libjwt-1.10.2/libjwt/jwt-gnutls.c:73:57:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (gnutls_hmac_fast(alg, jwt->key, jwt->key_len, str, strlen(str), *out)) {
data/libjwt-1.10.2/libjwt/jwt-gnutls.c:117:3:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(str)
data/libjwt-1.10.2/libjwt/jwt-gnutls.c:269:3:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(head)
data/libjwt-1.10.2/libjwt/jwt-openssl.c:78:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (const unsigned char *)str, strlen(str), (unsigned char *)*out,
data/libjwt-1.10.2/libjwt/jwt-openssl.c:121:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (const unsigned char *)head, strlen(head), res, &res_len);
data/libjwt-1.10.2/libjwt/jwt-openssl.c:226:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (EVP_DigestSignUpdate(mdctx, str, strlen(str)) != 1)
data/libjwt-1.10.2/libjwt/jwt-openssl.c:428:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (EVP_DigestVerifyUpdate(mdctx, head, strlen(head)) != 1)
data/libjwt-1.10.2/libjwt/jwt.c:51:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  _count = base64_decode_block(coded_src, strlen(coded_src), plain_dst, &_state);
data/libjwt-1.10.2/libjwt/jwt.c:303:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(src);
data/libjwt-1.10.2/libjwt/jwt.c:359:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int len = strlen(str);
data/libjwt-1.10.2/libjwt/jwt.c:579:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!jwt || !grant || !strlen(grant)) {
data/libjwt-1.10.2/libjwt/jwt.c:591:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!jwt || !grant || !strlen(grant)) {
data/libjwt-1.10.2/libjwt/jwt.c:603:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!jwt || !grant || !strlen(grant)) {
data/libjwt-1.10.2/libjwt/jwt.c:622:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (grant && strlen(grant))
data/libjwt-1.10.2/libjwt/jwt.c:637:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!jwt || !grant || !strlen(grant) || !val)
data/libjwt-1.10.2/libjwt/jwt.c:651:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!jwt || !grant || !strlen(grant))
data/libjwt-1.10.2/libjwt/jwt.c:665:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!jwt || !grant || !strlen(grant))
data/libjwt-1.10.2/libjwt/jwt.c:700:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (grant == NULL || !strlen(grant))
data/libjwt-1.10.2/libjwt/jwt.c:729:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!jwt || !header || !strlen(header)) {
data/libjwt-1.10.2/libjwt/jwt.c:741:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!jwt || !header || !strlen(header)) {
data/libjwt-1.10.2/libjwt/jwt.c:753:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!jwt || !header || !strlen(header)) {
data/libjwt-1.10.2/libjwt/jwt.c:772:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (header && strlen(header))
data/libjwt-1.10.2/libjwt/jwt.c:787:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!jwt || !header || !strlen(header) || !val)
data/libjwt-1.10.2/libjwt/jwt.c:801:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!jwt || !header || !strlen(header))
data/libjwt-1.10.2/libjwt/jwt.c:815:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!jwt || !header || !strlen(header))
data/libjwt-1.10.2/libjwt/jwt.c:850:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (header == NULL || !strlen(header))
data/libjwt-1.10.2/libjwt/jwt.c:863:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  new = calloc(1, strlen(str) + 1);
data/libjwt-1.10.2/libjwt/jwt.c:865:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  new = realloc(*buf, strlen(*buf) + strlen(str) + 1);
data/libjwt-1.10.2/libjwt/jwt.c:865:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  new = realloc(*buf, strlen(*buf) + strlen(str) + 1);
data/libjwt-1.10.2/libjwt/jwt.c:999:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  head = alloca(strlen(buf) * 2);
data/libjwt-1.10.2/libjwt/jwt.c:1004:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  jwt_Base64encode(head, buf, strlen(buf));
data/libjwt-1.10.2/libjwt/jwt.c:1005:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  head_len = strlen(head);
data/libjwt-1.10.2/libjwt/jwt.c:1018:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  body = alloca(strlen(buf) * 2);
data/libjwt-1.10.2/libjwt/jwt.c:1023:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  jwt_Base64encode(body, buf, strlen(buf));
data/libjwt-1.10.2/libjwt/jwt.c:1024:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  body_len = strlen(body);
data/libjwt-1.10.2/libjwt/jwt.c:1037:2:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(buf, ".");
data/libjwt-1.10.2/tests/jwt_dump.c:110:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(key));
data/libjwt-1.10.2/tests/jwt_new.c:268:63:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ret = jwt_decode(&jwt, token, (const unsigned char *)key256, strlen(key256));

ANALYSIS SUMMARY:

Hits = 67
Lines analyzed = 4721 in approximately 0.19 seconds (25429 lines/second)
Physical Source Lines of Code (SLOC) = 3112
Hits@level = [0]   2 [1]  38 [2]  26 [3]   0 [4]   3 [5]   0
Hits@level+ = [0+]  69 [1+]  67 [2+]  29 [3+]   3 [4+]   3 [5+]   0
Hits/KSLOC@level+ = [0+] 22.1722 [1+] 21.5296 [2+] 9.31877 [3+] 0.96401 [4+] 0.96401 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.
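Triage note on the three level-4 hits (jwt.c:871, jwt.c:1036, jwt.c:1038) and the two alloca(strlen(buf) * 2) hits (jwt.c:999, jwt.c:1018). Flawfinder flags the call sites, not the allocations; the fragments it prints (realloc(*buf, strlen(*buf) + strlen(str) + 1) followed by strcat(new, str), and a buffer filled by strcpy/strcat with head, "." and body) show the destination sizes are computed elsewhere, so a reviewer has to confirm against the source that each size covers the copy. The report does not show those sizes or whether jwt_Base64encode pads its output, so nothing here asserts that libjwt is wrong. What follows is an added example, not libjwt code, with hypothetical names: the same two operations written so that one measured length drives both the allocation and the copy, and the exact destination size a padded base64 encoder needs, which is the number to compare a 2*n allocation against.

```c
/* Added triage example for the level-4 and alloca hits above; not libjwt
 * code, all names hypothetical. The append and the "head.body" join use the
 * lengths they measured for both the allocation and the copy, and
 * b64_padded_bufsize gives the exact bound the alloca(strlen(buf) * 2)
 * hits ask the reviewer to check. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed for standard padded base64 of n input bytes, NUL included. */
size_t b64_padded_bufsize(size_t n)
{
    return 4 * ((n + 2) / 3) + 1;
}

/* 1 if a destination of `have` bytes holds padded base64 of n bytes + NUL. */
int b64_fits(size_t n, size_t have)
{
    return have >= b64_padded_bufsize(n);
}

/* Grow the heap string *buf and append src. realloc and memcpy use the same
 * measured lengths, so the write is bounded by construction. Returns 0 on
 * success, -1 on size overflow or allocation failure (*buf left intact). */
int append_str(char **buf, const char *src)
{
    size_t old_len = *buf ? strlen(*buf) : 0;
    size_t src_len = strlen(src);
    char *grown;

    if (src_len > SIZE_MAX - old_len - 1)
        return -1;
    grown = realloc(*buf, old_len + src_len + 1);
    if (!grown)
        return -1;
    memcpy(grown + old_len, src, src_len);
    grown[old_len + src_len] = '\0';
    *buf = grown;
    return 0;
}

/* Build "head.body" in a buffer sized from both lengths. snprintf is given
 * the exact capacity and its return value is checked, so truncation fails
 * instead of silently yielding a corrupted token. Caller frees; NULL on
 * failure. */
char *join_head_body(const char *head, const char *body)
{
    size_t head_len = strlen(head), body_len = strlen(body);
    size_t cap = head_len + 1 + body_len + 1;   /* '.' plus NUL */
    char *out = malloc(cap);
    int n;

    if (!out)
        return NULL;
    n = snprintf(out, cap, "%s.%s", head, body);
    if (n < 0 || (size_t)n >= cap) {
        free(out);
        return NULL;
    }
    return out;
}

/* Checkable wrappers for the two operations above. */
int join_equals(const char *head, const char *body, const char *expect)
{
    char *t = join_head_body(head, body);
    int eq = t != NULL && strcmp(t, expect) == 0;
    free(t);
    return eq;
}

int append_equals(const char *a, const char *b, const char *expect)
{
    char *acc = NULL;
    int eq;

    if (append_str(&acc, a) != 0 || append_str(&acc, b) != 0) {
        free(acc);
        return 0;
    }
    eq = strcmp(acc, expect) == 0;
    free(acc);
    return eq;
}

int main(void)
{
    /* Constructed sample: a typical HS256 header segment and a short body. */
    char *token = join_head_body("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
                                 "eyJzdWIiOiIxMjMifQ");
    size_t n;

    if (token)
        printf("%s\n", token);
    free(token);
    for (n = 1; n <= 16; n++)
        if (!b64_fits(n, 2 * n))
            printf("2*n is short for n=%zu: need %zu bytes\n",
                   n, b64_padded_bufsize(n));
    return 0;
}
```

The loop in main is the point of the base64 helper: 2*n undershoots the padded bound only for n of 1, 2 and 4, so a 2x rule of thumb is safe for any JSON header or payload of realistic length, but the reviewer should confirm from the encoder, not from the multiplier, whether output is padded and whether a NUL is written. For the level-4 hits, the fix Flawfinder suggests (snprintf or strlcat) only helps when the capacity passed in is the real one; measuring once and reusing that length, as above, is what removes the trust the strcat/strcpy calls place in a size computed out of view.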