Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/puma-4.3.6/ext/puma_http11/ext_help.h Examining data/puma-4.3.6/ext/puma_http11/http11_parser.c Examining data/puma-4.3.6/ext/puma_http11/http11_parser.h Examining data/puma-4.3.6/ext/puma_http11/io_buffer.c Examining data/puma-4.3.6/ext/puma_http11/mini_ssl.c Examining data/puma-4.3.6/ext/puma_http11/puma_http11.c FINAL RESULTS: data/puma-4.3.6/ext/puma_http11/http11_parser.h:52:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[BUFFER_LEN]; data/puma-4.3.6/ext/puma_http11/io_buffer.c:56:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(top, old, used); data/puma-4.3.6/ext/puma_http11/io_buffer.c:63:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(b->cur, RSTRING_PTR(str), str_len); data/puma-4.3.6/ext/puma_http11/io_buffer.c:97:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(top, old, used); data/puma-4.3.6/ext/puma_http11/io_buffer.c:108:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(b->cur, RSTRING_PTR(str), str_len); data/puma-4.3.6/ext/puma_http11/mini_ssl.c:300:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[512]; data/puma-4.3.6/ext/puma_http11/mini_ssl.c:301:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char msg[512]; data/puma-4.3.6/ext/puma_http11/mini_ssl.c:333:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[512]; data/puma-4.3.6/ext/puma_http11/mini_ssl.c:385:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[512]; data/puma-4.3.6/ext/puma_http11/puma_http11.c:134:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char tmp[256]; /* MAX_FIELD_NAME_LENGTH */ data/puma-4.3.6/ext/puma_http11/puma_http11.c:135:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(tmp, HTTP_PREFIX, HTTP_PREFIX_LEN); data/puma-4.3.6/ext/puma_http11/puma_http11.c:141:7: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(tmp + HTTP_PREFIX_LEN, cf->name, cf->len + 1); data/puma-4.3.6/ext/puma_http11/puma_http11.c:198:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(hp->buf, HTTP_PREFIX, HTTP_PREFIX_LEN); data/puma-4.3.6/ext/puma_http11/puma_http11.c:199:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(hp->buf + HTTP_PREFIX_LEN, field, flen); data/puma-4.3.6/ext/puma_http11/mini_ssl.c:25:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). BIO* read; data/puma-4.3.6/ext/puma_http11/mini_ssl.c:54:22: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). BIO_set_nbio(conn->read, 1); data/puma-4.3.6/ext/puma_http11/mini_ssl.c:256:26: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). SSL_set_bio(ssl, conn->read, conn->write); data/puma-4.3.6/ext/puma_http11/mini_ssl.c:274:32: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). SSL_set_bio(conn->ssl, conn->read, conn->write); data/puma-4.3.6/ext/puma_http11/mini_ssl.c:288:26: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). used = BIO_write(conn->read, RSTRING_PTR(str), (int)RSTRING_LEN(str)); ANALYSIS SUMMARY: Hits = 19 Lines analyzed = 2337 in approximately 0.10 seconds (23784 lines/second) Physical Source Lines of Code (SLOC) = 1897 Hits@level = [0] 5 [1] 5 [2] 14 [3] 0 [4] 0 [5] 0 Hits@level+ = [0+] 24 [1+] 19 [2+] 14 [3+] 0 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 12.6516 [1+] 10.0158 [2+] 7.38007 [3+] 0 [4+] 0 [5+] 0 Dot directories skipped = 2 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.