Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/libunibreak-1.1/src/filter_dup.c Examining data/libunibreak-1.1/src/linebreak.c Examining data/libunibreak-1.1/src/linebreak.h Examining data/libunibreak-1.1/src/linebreakdata.c Examining data/libunibreak-1.1/src/linebreakdef.c Examining data/libunibreak-1.1/src/linebreakdef.h Examining data/libunibreak-1.1/src/wordbreak.c Examining data/libunibreak-1.1/src/wordbreak.h Examining data/libunibreak-1.1/src/wordbreakdata.c Examining data/libunibreak-1.1/src/wordbreakdef.h Examining data/libunibreak-1.1/tools/linebreak_test.c Examining data/libunibreak-1.1/tools/wordbreak_test.c FINAL RESULTS: data/libunibreak-1.1/src/filter_dup.c:28:3: [4] (buffer) sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. sscanf(s, "\t{ %s %s %s }", beg, end, prop); data/libunibreak-1.1/src/filter_dup.c:37:4: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(lastbeg, beg); data/libunibreak-1.1/src/filter_dup.c:38:4: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(lastprop, prop); data/libunibreak-1.1/src/filter_dup.c:40:3: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(lastend, end); data/libunibreak-1.1/src/filter_dup.c:6:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char s[80]; data/libunibreak-1.1/src/filter_dup.c:7:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char beg[16]; data/libunibreak-1.1/src/filter_dup.c:8:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char end[16]; data/libunibreak-1.1/src/filter_dup.c:9:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char prop[16]; data/libunibreak-1.1/src/filter_dup.c:10:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char lastbeg[16]; data/libunibreak-1.1/src/filter_dup.c:11:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char lastend[16]; data/libunibreak-1.1/src/filter_dup.c:12:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char lastprop[16]; data/libunibreak-1.1/src/linebreak.c:782:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char brks[2]; data/libunibreak-1.1/tools/linebreak_test.c:62:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char outbuf[5]; data/libunibreak-1.1/tools/linebreak_test.c:115:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char brks[MAXCHARS]; data/libunibreak-1.1/tools/linebreak_test.c:165:16: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ( (fp = fopen(argv[i], "rb")) == NULL) data/libunibreak-1.1/tools/wordbreak_test.c:28:10: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(text); ANALYSIS SUMMARY: Hits = 16 Lines analyzed = 4998 in approximately 0.19 seconds (25770 lines/second) Physical Source Lines of Code (SLOC) = 4160 Hits@level = [0] 15 [1] 1 [2] 11 [3] 0 [4] 4 [5] 0 Hits@level+ = [0+] 31 [1+] 16 [2+] 15 [3+] 4 [4+] 4 [5+] 0 Hits/KSLOC@level+ = [0+] 7.45192 [1+] 3.84615 [2+] 3.60577 [3+] 0.961538 [4+] 0.961538 [5+] 0 Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.