Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c
Examining data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.h

FINAL RESULTS:

data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:117:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(omnidb_plugin_conninfo, "%s", text_to_cstring(PG_GETARG_TEXT_P(0)));
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:162:19:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(update_context, "UPDATE omnidb.contexts SET function = '%s', hook = 'func_beg', stmttype = 'BEGIN', lineno = NULL where pid = %i", findProcName(func->fn_oid), MyProcPid);
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:257:13:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(update_context, "UPDATE omnidb.contexts SET function = '%s', hook = 'stmt_beg', stmttype = '%s', lineno = %d where pid = %i", findProcName(estate->func->fn_oid), decode_stmt_type(stmt->cmd_type), stmt->lineno, MyProcPid);
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:512:17:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(insert_variable, "INSERT INTO omnidb.variables (pid, name, attribute, vartype, value) VALUES (%i, '%s', NULL, '%s', '%s')", MyProcPid, name, typeName, val);
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:555:17:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(insert_variable, "INSERT INTO omnidb.variables (pid, name, attribute, vartype, value) VALUES (%i, '%s', '%s', '%s', '%s')", MyProcPid, rec->refname, NameStr( tupdesc->attrs[att].attname ), typeName, val);
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:585:15:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(insert_variable, "INSERT INTO omnidb.variables (pid, name, attribute, vartype, value) VALUES (%i, '%s', '%s', '%s', '%s')", MyProcPid, rec->refname, NameStr( rec->tupdesc->attrs[att]->attname ), typeName, val);
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:80:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char omnidb_plugin_conninfo[1024];
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:156:15:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char select_context[256];
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:157:15:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(select_context, "SELECT pid FROM omnidb.contexts WHERE pid = %i", MyProcPid);
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:161:19:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char update_context[1024];
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:215:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char update_context[256];
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:216:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(update_context, "UPDATE omnidb.contexts SET finished = true WHERE pid = %i", MyProcPid);
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:219:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char unlock[256];
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:220:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(unlock, "SELECT pg_advisory_unlock(%i) FROM omnidb.contexts WHERE pid = %i", MyProcPid, MyProcPid);
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:244:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char select_breakpoint[256];
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:245:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(select_breakpoint, "SELECT breakpoint FROM omnidb.contexts WHERE pid = %i", MyProcPid);
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:248:40:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  omnidb_plugin_breakpoint = atoi(PQgetvalue(res, 0, 0));
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:256:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char update_context[1024];
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:260:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char unlock[256];
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:261:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(unlock, "SELECT pg_advisory_unlock(%i) FROM omnidb.contexts WHERE pid = %i", MyProcPid, MyProcPid);
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:264:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char lock[256];
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:265:13:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(lock, "SELECT pg_advisory_lock(%i) FROM omnidb.contexts WHERE pid = %i", MyProcPid, MyProcPid);
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:269:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char insert_statistics[256];
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:270:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(insert_statistics, "INSERT INTO omnidb.statistics (pid, lineno, step, tstart, tend) VALUES (%i, %i, %i, now(), NULL)", MyProcPid, stmt->lineno, omnidb_plugin_step);
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:287:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char update_statistics[256];
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:288:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(update_statistics, "UPDATE omnidb.statistics SET tend = now() WHERE pid = %i AND lineno = %i AND step = %i", MyProcPid, stmt->lineno, omnidb_plugin_step);
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:484:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char delete_variables[256];
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:485:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(delete_variables, "DELETE FROM omnidb.variables WHERE pid = %i", MyProcPid);
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:511:17:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char insert_variable[1024];
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:554:17:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char insert_variable[1024];
data/omnidb-2.17.0+ds/omnidb_plugin/omnidb_plugin.c:584:15:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char insert_variable[1024];

ANALYSIS SUMMARY:

Hits = 31
Lines analyzed = 612 in approximately 0.11 seconds (5517 lines/second)
Physical Source Lines of Code (SLOC) = 420
Hits@level = [0]   0 [1]   0 [2]  25 [3]   0 [4]   6 [5]   0
Hits@level+ = [0+]  31 [1+]  31 [2+]  31 [3+]   6 [4+]   6 [5+]   0
Hits/KSLOC@level+ = [0+] 73.8095 [1+] 73.8095 [2+] 73.8095 [3+] 14.2857 [4+] 14.2857 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.