Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/pg-cron-1.3.0/include/bitstring.h
Examining data/pg-cron-1.3.0/include/cron.h
Examining data/pg-cron-1.3.0/include/cron_job.h
Examining data/pg-cron-1.3.0/include/job_metadata.h
Examining data/pg-cron-1.3.0/include/pathnames.h
Examining data/pg-cron-1.3.0/include/pg_cron.h
Examining data/pg-cron-1.3.0/include/task_states.h
Examining data/pg-cron-1.3.0/src/entry.c
Examining data/pg-cron-1.3.0/src/job_metadata.c
Examining data/pg-cron-1.3.0/src/misc.c
Examining data/pg-cron-1.3.0/src/pg_cron.c
Examining data/pg-cron-1.3.0/src/task_states.c

FINAL RESULTS:

data/pg-cron-1.3.0/include/cron.h:108:5:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  printf message;
data/pg-cron-1.3.0/src/entry.c:92:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(buffer.data, schedule);
data/pg-cron-1.3.0/src/pg_cron.c:1276:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(database, cronJob->database);
data/pg-cron-1.3.0/src/pg_cron.c:1280:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(username, cronJob->userName);
data/pg-cron-1.3.0/src/pg_cron.c:1284:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(command, cronJob->command);
data/pg-cron-1.3.0/include/cron.h:215:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char data[MAX_FILE_BUFFER_LENGTH];
data/pg-cron-1.3.0/include/cron.h:218:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char unget_data[MAX_FILE_BUFFER_LENGTH];
data/pg-cron-1.3.0/src/entry.c:80:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char cmd[MAX_COMMAND];
data/pg-cron-1.3.0/src/entry.c:402:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char temp[MAX_TEMPSTR], *pc;
data/pg-cron-1.3.0/src/entry.c:445:13:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  *numptr = atoi(temp);
data/pg-cron-1.3.0/src/pg_cron.c:264:2:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(worker.bgw_library_name, "pg_cron");
data/pg-cron-1.3.0/src/pg_cron.c:265:2:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(worker.bgw_function_name, "PgCronLauncherMain");
data/pg-cron-1.3.0/src/pg_cron.c:1154:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char nodePortString[12];
data/pg-cron-1.3.0/src/pg_cron.c:1175:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(nodePortString, "%d", cronJob->nodePort);
data/pg-cron-1.3.0/src/pg_cron.c:1308:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(worker.bgw_library_name, "pg_cron");
data/pg-cron-1.3.0/src/pg_cron.c:1309:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(worker.bgw_function_name, "CronBackgroundWorker");
data/pg-cron-1.3.0/src/pg_cron.c:1713:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char rows[MAXINT8LEN + 1];
data/pg-cron-1.3.0/src/pg_cron.c:1714:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char outputrows[MAXINT8LEN + 4 + 1];
data/pg-cron-1.3.0/src/pg_cron.c:1766:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(msg.data, data, nbytes);
data/pg-cron-1.3.0/src/pg_cron.c:1968:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char completionTag[COMPLETION_TAG_BUFSIZE];
data/pg-cron-1.3.0/src/entry.c:84:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int scheduleLength = strlen(schedule);
data/pg-cron-1.3.0/src/pg_cron.c:1253:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  shm_toc_estimate_chunk(&e, strlen(cronJob->database) + 1);
data/pg-cron-1.3.0/src/pg_cron.c:1254:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  shm_toc_estimate_chunk(&e, strlen(cronJob->userName) + 1);
data/pg-cron-1.3.0/src/pg_cron.c:1255:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  shm_toc_estimate_chunk(&e, strlen(cronJob->command) + 1);
data/pg-cron-1.3.0/src/pg_cron.c:1275:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  database = shm_toc_allocate(toc, strlen(cronJob->database) + 1);
data/pg-cron-1.3.0/src/pg_cron.c:1279:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  username = shm_toc_allocate(toc, strlen(cronJob->userName) + 1);
data/pg-cron-1.3.0/src/pg_cron.c:1283:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  command = shm_toc_allocate(toc, strlen(cronJob->command) + 1);

ANALYSIS SUMMARY:

Hits = 27
Lines analyzed = 4822 in approximately 0.13 seconds (36948 lines/second)
Physical Source Lines of Code (SLOC) = 3145
Hits@level = [0]   5 [1]   7 [2]  15 [3]   0 [4]   5 [5]   0
Hits@level+ = [0+]  32 [1+]  27 [2+]  20 [3+]   5 [4+]   5 [5+]   0
Hits/KSLOC@level+ = [0+] 10.1749 [1+] 8.58506 [2+] 6.3593 [3+] 1.58983 [4+] 1.58983 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.