Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/pushpin-1.31.0/tools/echo/echo.cpp
Examining data/pushpin-1.31.0/tools/publish/main.cpp
Examining data/pushpin-1.31.0/src/handler/filter.h
Examining data/pushpin-1.31.0/src/handler/main.cpp
Examining data/pushpin-1.31.0/src/handler/cidset.h
Examining data/pushpin-1.31.0/src/handler/httpsession.h
Examining data/pushpin-1.31.0/src/handler/engine.h
Examining data/pushpin-1.31.0/src/handler/publishlastids.cpp
Examining data/pushpin-1.31.0/src/handler/jsonpatch.cpp
Examining data/pushpin-1.31.0/src/handler/httpsession.cpp
Examining data/pushpin-1.31.0/src/handler/lastids.h
Examining data/pushpin-1.31.0/src/handler/instruct.cpp
Examining data/pushpin-1.31.0/src/handler/wscontrolmessage.h
Examining data/pushpin-1.31.0/src/handler/conncheckworker.cpp
Examining data/pushpin-1.31.0/src/handler/publishitem.cpp
Examining data/pushpin-1.31.0/src/handler/controlrequest.cpp
Examining data/pushpin-1.31.0/src/handler/httpsessionupdatemanager.cpp
Examining data/pushpin-1.31.0/src/handler/detectrule.h
Examining data/pushpin-1.31.0/src/handler/filter.cpp
Examining data/pushpin-1.31.0/src/handler/app.h
Examining data/pushpin-1.31.0/src/handler/jsonpointer.h
Examining data/pushpin-1.31.0/src/handler/wscontrolmessage.cpp
Examining data/pushpin-1.31.0/src/handler/jsonpointer.cpp
Examining data/pushpin-1.31.0/src/handler/jsonpatch.h
Examining data/pushpin-1.31.0/src/handler/sequencer.h
Examining data/pushpin-1.31.0/src/handler/publishlastids.h
Examining data/pushpin-1.31.0/src/handler/deferred.h
Examining data/pushpin-1.31.0/src/handler/format.cpp
Examining data/pushpin-1.31.0/src/handler/requeststate.h
Examining data/pushpin-1.31.0/src/handler/app.cpp
Examining data/pushpin-1.31.0/src/handler/refreshworker.h
Examining data/pushpin-1.31.0/src/handler/filterstack.h
Examining data/pushpin-1.31.0/src/handler/tests/publishformattest/publishformattest.cpp
Examining data/pushpin-1.31.0/src/handler/tests/publishitemtest/publishitemtest.cpp
Examining data/pushpin-1.31.0/src/handler/tests/instructtest/instructtest.cpp
Examining data/pushpin-1.31.0/src/handler/tests/idformattest/idformattest.cpp
Examining data/pushpin-1.31.0/src/handler/tests/jsonpatchtest/jsonpatchtest.cpp
Examining data/pushpin-1.31.0/src/handler/tests/enginetest/enginetest.cpp
Examining data/pushpin-1.31.0/src/handler/simplehttpserver.h
Examining data/pushpin-1.31.0/src/handler/filterstack.cpp
Examining data/pushpin-1.31.0/src/handler/publishformat.cpp
Examining data/pushpin-1.31.0/src/handler/variantutil.h
Examining data/pushpin-1.31.0/src/handler/ratelimiter.h
Examining data/pushpin-1.31.0/src/handler/conncheckworker.h
Examining data/pushpin-1.31.0/src/handler/wssession.cpp
Examining data/pushpin-1.31.0/src/handler/publishformat.h
Examining data/pushpin-1.31.0/src/handler/sessionrequest.cpp
Examining data/pushpin-1.31.0/src/handler/instruct.h
Examining data/pushpin-1.31.0/src/handler/variantutil.cpp
Examining data/pushpin-1.31.0/src/handler/refreshworker.cpp
Examining data/pushpin-1.31.0/src/handler/wssession.h
Examining data/pushpin-1.31.0/src/handler/sessionrequest.h
Examining data/pushpin-1.31.0/src/handler/httpsessionupdatemanager.h
Examining data/pushpin-1.31.0/src/handler/format.h
Examining data/pushpin-1.31.0/src/handler/requeststate.cpp
Examining data/pushpin-1.31.0/src/handler/idformat.cpp
Examining data/pushpin-1.31.0/src/handler/controlrequest.h
Examining data/pushpin-1.31.0/src/handler/simplehttpserver.cpp
Examining data/pushpin-1.31.0/src/handler/sequencer.cpp
Examining data/pushpin-1.31.0/src/handler/deferred.cpp
Examining data/pushpin-1.31.0/src/handler/publishitem.h
Examining data/pushpin-1.31.0/src/handler/engine.cpp
Examining data/pushpin-1.31.0/src/handler/ratelimiter.cpp
Examining data/pushpin-1.31.0/src/handler/idformat.h
Examining data/pushpin-1.31.0/src/m2adapter/main.cpp
Examining data/pushpin-1.31.0/src/m2adapter/m2requestpacket.h
Examining data/pushpin-1.31.0/src/m2adapter/m2requestpacket.cpp
Examining data/pushpin-1.31.0/src/m2adapter/app.h
Examining data/pushpin-1.31.0/src/m2adapter/m2responsepacket.cpp
Examining data/pushpin-1.31.0/src/m2adapter/app.cpp
Examining data/pushpin-1.31.0/src/m2adapter/m2responsepacket.h
Examining data/pushpin-1.31.0/src/proxy/domainmap.h
Examining data/pushpin-1.31.0/src/proxy/main.cpp
Examining data/pushpin-1.31.0/src/proxy/proxyutil.h
Examining data/pushpin-1.31.0/src/proxy/engine.h
Examining data/pushpin-1.31.0/src/proxy/websocketoverhttp.h
Examining data/pushpin-1.31.0/src/proxy/xffrule.h
Examining data/pushpin-1.31.0/src/proxy/acceptrequest.h
Examining data/pushpin-1.31.0/src/proxy/routesfile.cpp
Examining data/pushpin-1.31.0/src/proxy/websocketoverhttp.cpp
Examining data/pushpin-1.31.0/src/proxy/jwt.h
Examining data/pushpin-1.31.0/src/proxy/wscontrolsession.h
Examining data/pushpin-1.31.0/src/proxy/wsproxysession.cpp
Examining data/pushpin-1.31.0/src/proxy/zroutes.h
Examining data/pushpin-1.31.0/src/proxy/sockjssession.h
Examining data/pushpin-1.31.0/src/proxy/app.h
Examining data/pushpin-1.31.0/src/proxy/routesfile.h
Examining data/pushpin-1.31.0/src/proxy/proxysession.h
Examining data/pushpin-1.31.0/src/proxy/zrpcchecker.h
Examining data/pushpin-1.31.0/src/proxy/inspectrequest.cpp
Examining data/pushpin-1.31.0/src/proxy/acceptdata.h
Examining data/pushpin-1.31.0/src/proxy/testwebsocket.cpp
Examining data/pushpin-1.31.0/src/proxy/proxysession.cpp
Examining data/pushpin-1.31.0/src/proxy/testhttprequest.cpp
Examining data/pushpin-1.31.0/src/proxy/sockjsmanager.h
Examining data/pushpin-1.31.0/src/proxy/testhttprequest.h
Examining data/pushpin-1.31.0/src/proxy/zroutes.cpp
Examining data/pushpin-1.31.0/src/proxy/updater.h
Examining data/pushpin-1.31.0/src/proxy/wscontrolmanager.h
Examining data/pushpin-1.31.0/src/proxy/connectionmanager.cpp
Examining data/pushpin-1.31.0/src/proxy/wscontrolsession.cpp
Examining data/pushpin-1.31.0/src/proxy/tests/jwttest/jwttest.cpp
Examining data/pushpin-1.31.0/src/proxy/tests/routesfiletest/routesfiletest.cpp
Examining data/pushpin-1.31.0/src/proxy/tests/enginetest/enginetest.cpp
Examining data/pushpin-1.31.0/src/proxy/connectionmanager.h
Examining data/pushpin-1.31.0/src/proxy/jwt.cpp
Examining data/pushpin-1.31.0/src/proxy/requestsession.cpp
Examining data/pushpin-1.31.0/src/proxy/proxyutil.cpp
Examining data/pushpin-1.31.0/src/proxy/wscontrolmanager.cpp
Examining data/pushpin-1.31.0/src/proxy/zrpcchecker.cpp
Examining data/pushpin-1.31.0/src/proxy/testwebsocket.h
Examining data/pushpin-1.31.0/src/proxy/sockjssession.cpp
Examining data/pushpin-1.31.0/src/proxy/inspectrequest.h
Examining data/pushpin-1.31.0/src/proxy/updater.cpp
Examining data/pushpin-1.31.0/src/proxy/domainmap.cpp
Examining data/pushpin-1.31.0/src/proxy/requestsession.h
Examining data/pushpin-1.31.0/src/proxy/sockjsmanager.cpp
Examining data/pushpin-1.31.0/src/proxy/engine.cpp
Examining data/pushpin-1.31.0/src/proxy/acceptrequest.cpp
Examining data/pushpin-1.31.0/src/proxy/wsproxysession.h
Examining data/pushpin-1.31.0/src/proxy/app.cpp
Examining data/pushpin-1.31.0/src/runner/condureservice.cpp
Examining data/pushpin-1.31.0/src/runner/main.cpp
Examining data/pushpin-1.31.0/src/runner/pushpinhandlerservice.cpp
Examining data/pushpin-1.31.0/src/runner/listenport.h
Examining data/pushpin-1.31.0/src/runner/app.h
Examining data/pushpin-1.31.0/src/runner/zurlservice.cpp
Examining data/pushpin-1.31.0/src/runner/template.cpp
Examining data/pushpin-1.31.0/src/runner/pushpinhandlerservice.h
Examining data/pushpin-1.31.0/src/runner/pushpinproxyservice.h
Examining data/pushpin-1.31.0/src/runner/app.cpp
Examining data/pushpin-1.31.0/src/runner/m2adapterservice.h
Examining data/pushpin-1.31.0/src/runner/service.cpp
Examining data/pushpin-1.31.0/src/runner/service.h
Examining data/pushpin-1.31.0/src/runner/mongrel2service.h
Examining data/pushpin-1.31.0/src/runner/tests/templatetest/templatetest.cpp
Examining data/pushpin-1.31.0/src/runner/mongrel2service.cpp
Examining data/pushpin-1.31.0/src/runner/m2adapterservice.cpp
Examining data/pushpin-1.31.0/src/runner/template.h
Examining data/pushpin-1.31.0/src/runner/pushpinproxyservice.cpp
Examining data/pushpin-1.31.0/src/runner/condureservice.h
Examining data/pushpin-1.31.0/src/runner/zurlservice.h
Examining data/pushpin-1.31.0/src/corelib/zwebsocket.h
Examining data/pushpin-1.31.0/src/corelib/packet/statspacket.cpp
Examining data/pushpin-1.31.0/src/corelib/packet/zrpcresponsepacket.h
Examining data/pushpin-1.31.0/src/corelib/packet/httprequestdata.h
Examining data/pushpin-1.31.0/src/corelib/packet/zrpcrequestpacket.h
Examining data/pushpin-1.31.0/src/corelib/packet/retryrequestpacket.h
Examining data/pushpin-1.31.0/src/corelib/packet/retryrequestpacket.cpp
Examining data/pushpin-1.31.0/src/corelib/packet/statspacket.h
Examining data/pushpin-1.31.0/src/corelib/packet/wscontrolpacket.h
Examining data/pushpin-1.31.0/src/corelib/packet/wscontrolpacket.cpp
Examining data/pushpin-1.31.0/src/corelib/packet/httpresponsedata.h
Examining data/pushpin-1.31.0/src/corelib/packet/zrpcrequestpacket.cpp
Examining data/pushpin-1.31.0/src/corelib/packet/zrpcresponsepacket.cpp
Examining data/pushpin-1.31.0/src/corelib/logutil.h
Examining data/pushpin-1.31.0/src/corelib/qzmq/examples/helloclient/helloclient.cpp
Examining data/pushpin-1.31.0/src/corelib/qzmq/examples/helloserver/helloserver.cpp
Examining data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqreprouter.h
Examining data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqcontext.cpp
Examining data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqreprouter.cpp
Examining data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqsocket.h
Examining data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqsocket.cpp
Examining data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqreqmessage.h
Examining data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqvalve.cpp
Examining data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqcontext.h
Examining data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqvalve.h
Examining data/pushpin-1.31.0/src/corelib/uuidutil.h
Examining data/pushpin-1.31.0/src/corelib/zrpcrequest.h
Examining data/pushpin-1.31.0/src/corelib/zhttprequest.cpp
Examining data/pushpin-1.31.0/src/corelib/zutil.h
Examining data/pushpin-1.31.0/src/corelib/zwebsocket.cpp
Examining data/pushpin-1.31.0/src/corelib/uuidutil.cpp
Examining data/pushpin-1.31.0/src/corelib/zrpcrequest.cpp
Examining data/pushpin-1.31.0/src/corelib/websocket.h
Examining data/pushpin-1.31.0/src/corelib/zutil.cpp
Examining data/pushpin-1.31.0/src/corelib/httprequest.h
Examining data/pushpin-1.31.0/src/corelib/common/zhttprequestpacket.cpp
Examining data/pushpin-1.31.0/src/corelib/common/processquit.cpp
Examining data/pushpin-1.31.0/src/corelib/common/bufferlist.cpp
Examining data/pushpin-1.31.0/src/corelib/common/httpheaders.h
Examining data/pushpin-1.31.0/src/corelib/common/tnetstring.h
Examining data/pushpin-1.31.0/src/corelib/common/httpheaders.cpp
Examining data/pushpin-1.31.0/src/corelib/common/zhttpresponsepacket.h
Examining data/pushpin-1.31.0/src/corelib/common/log.cpp
Examining data/pushpin-1.31.0/src/corelib/common/processquit.h
Examining data/pushpin-1.31.0/src/corelib/common/zhttpresponsepacket.cpp
Examining data/pushpin-1.31.0/src/corelib/common/zhttprequestpacket.h
Examining data/pushpin-1.31.0/src/corelib/common/tests/httpheaderstest/httpheaderstest.cpp
Examining data/pushpin-1.31.0/src/corelib/common/bufferlist.h
Examining data/pushpin-1.31.0/src/corelib/common/layertracker.h
Examining data/pushpin-1.31.0/src/corelib/common/log.h
Examining data/pushpin-1.31.0/src/corelib/common/layertracker.cpp
Examining data/pushpin-1.31.0/src/corelib/common/tnetstring.cpp
Examining data/pushpin-1.31.0/src/corelib/cors.h
Examining data/pushpin-1.31.0/src/corelib/cors.cpp
Examining data/pushpin-1.31.0/src/corelib/zhttpmanager.h
Examining data/pushpin-1.31.0/src/corelib/inspectdata.h
Examining data/pushpin-1.31.0/src/corelib/logutil.cpp
Examining data/pushpin-1.31.0/src/corelib/statsmanager.cpp
Examining data/pushpin-1.31.0/src/corelib/settings.cpp
Examining data/pushpin-1.31.0/src/corelib/zrpcmanager.cpp
Examining data/pushpin-1.31.0/src/corelib/statsmanager.h
Examining data/pushpin-1.31.0/src/corelib/zhttprequest.h
Examining data/pushpin-1.31.0/src/corelib/zhttpmanager.cpp
Examining data/pushpin-1.31.0/src/corelib/zrpcmanager.h
Examining data/pushpin-1.31.0/src/corelib/statusreasons.h
Examining data/pushpin-1.31.0/src/corelib/settings.h
Examining data/pushpin-1.31.0/src/corelib/statusreasons.cpp
Examining data/pushpin-1.31.0/src/corelib/wscontrol.h

FINAL RESULTS:

data/pushpin-1.31.0/src/corelib/common/log.cpp:66:7: [4] (format) vsprintf:
  Potential format string problem (CWE-134). Make format string constant.
  str.vsprintf(fmt, ap);
data/pushpin-1.31.0/src/corelib/common/tnetstring.cpp:373:21: [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
  out += QString().sprintf("\\x%02x", (unsigned char)c);
data/pushpin-1.31.0/src/corelib/logutil.cpp:95:6: [4] (format) vsprintf:
  Potential format string problem (CWE-134). Make format string constant.
  str.vsprintf(fmt, ap);
data/pushpin-1.31.0/src/corelib/logutil.cpp:102:6: [4] (format) vsprintf:
  Potential format string problem (CWE-134). Make format string constant.
  str.vsprintf(fmt, ap);
data/pushpin-1.31.0/src/corelib/logutil.cpp:109:6: [4] (format) vsprintf:
  Potential format string problem (CWE-134). Make format string constant.
  str.vsprintf(fmt, ap);
data/pushpin-1.31.0/src/corelib/logutil.cpp:193:20: [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
  msg += QString().sprintf(" shared=%p", data.sharedBy);
data/pushpin-1.31.0/src/corelib/common/bufferlist.cpp:91:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(outp, buf.data() + offset, bsize);
data/pushpin-1.31.0/src/corelib/common/bufferlist.cpp:151:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(outp, buf.data() + offset_, bsize);
data/pushpin-1.31.0/src/corelib/common/log.cpp:131:12: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE *f = fopen(fname.toLocal8Bit().data(), "a");
data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqsocket.cpp:542:4: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(zmq_msg_data(&msg), buf.data(), buf.size());
data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqvalve.cpp:131:13: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  void Valve::open()
data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqvalve.h:45:7: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  void open();
data/pushpin-1.31.0/src/corelib/zhttpmanager.cpp:232:20: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  client_in_valve->open();
data/pushpin-1.31.0/src/corelib/zhttpmanager.cpp:277:20: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  server_in_valve->open();
data/pushpin-1.31.0/src/corelib/zhttpmanager.cpp:301:27: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  server_in_stream_valve->open();
data/pushpin-1.31.0/src/corelib/zhttpmanager.cpp:1186:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  d->server_in_valve->open();
data/pushpin-1.31.0/src/corelib/zhttpmanager.cpp:1221:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  d->server_in_valve->open();
data/pushpin-1.31.0/src/corelib/zrpcmanager.cpp:115:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  clientValve->open();
data/pushpin-1.31.0/src/corelib/zrpcmanager.cpp:140:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  serverValve->open();
data/pushpin-1.31.0/src/corelib/zrpcmanager.cpp:309:18: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  d->serverValve->open();
data/pushpin-1.31.0/src/handler/app.cpp:222:13: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if(!file.open(QIODevice::ReadOnly))
data/pushpin-1.31.0/src/handler/engine.cpp:1505:17: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  inPullValve->open();
data/pushpin-1.31.0/src/handler/engine.cpp:1507:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  inSubValve->open();
data/pushpin-1.31.0/src/handler/engine.cpp:1509:22: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  wsControlInValve->open();
data/pushpin-1.31.0/src/handler/engine.cpp:1511:21: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  proxyStatsValve->open();
data/pushpin-1.31.0/src/handler/tests/enginetest/enginetest.cpp:114:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  zhttpClientInValve->open();
data/pushpin-1.31.0/src/handler/tests/enginetest/enginetest.cpp:115:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  zhttpServerInValve->open();
data/pushpin-1.31.0/src/handler/tests/enginetest/enginetest.cpp:116:29: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  zhttpServerInStreamValve->open();
data/pushpin-1.31.0/src/handler/tests/enginetest/enginetest.cpp:123:21: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  proxyAcceptValve->open();
data/pushpin-1.31.0/src/m2adapter/app.cpp:527:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  m2_in_valve->open();
data/pushpin-1.31.0/src/m2adapter/app.cpp:530:20: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  zhttp_in_valve->open();
data/pushpin-1.31.0/src/m2adapter/app.cpp:532:18: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  zws_in_valve->open();
data/pushpin-1.31.0/src/m2adapter/app.cpp:567:13: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if(!file.open(QIODevice::ReadOnly))
data/pushpin-1.31.0/src/m2adapter/app.cpp:1976:6: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(data.data() + 2, zresp.body.data(), zresp.body.size());
data/pushpin-1.31.0/src/proxy/app.cpp:247:13: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if(!file.open(QIODevice::ReadOnly))
data/pushpin-1.31.0/src/proxy/domainmap.cpp:178:12: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if(!file.open(QFile::ReadOnly))
data/pushpin-1.31.0/src/proxy/engine.cpp:278:28: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  handler_retry_in_valve->open();
data/pushpin-1.31.0/src/proxy/tests/enginetest/enginetest.cpp:139:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  zhttpClientInValve->open();
data/pushpin-1.31.0/src/proxy/tests/enginetest/enginetest.cpp:140:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  zhttpServerInValve->open();
data/pushpin-1.31.0/src/proxy/tests/enginetest/enginetest.cpp:141:29: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  zhttpServerInStreamValve->open();
data/pushpin-1.31.0/src/proxy/tests/enginetest/enginetest.cpp:150:24: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  handlerInspectValve->open();
data/pushpin-1.31.0/src/proxy/tests/enginetest/enginetest.cpp:151:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  handlerAcceptValve->open();
data/pushpin-1.31.0/src/proxy/websocketoverhttp.cpp:589:6: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buf.data() + 2, rawReason.data(), rawReason.size());
data/pushpin-1.31.0/src/proxy/wscontrolmanager.cpp:122:12: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  inValve->open();
data/pushpin-1.31.0/src/runner/app.cpp:351:13: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if(!file.open(QIODevice::ReadOnly))
data/pushpin-1.31.0/src/runner/service.cpp:188:9: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if(!f.open(QFile::WriteOnly | QFile::Truncate))
data/pushpin-1.31.0/src/runner/template.cpp:453:9: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if(!in.open(QFile::ReadOnly | QFile::Text))
data/pushpin-1.31.0/src/runner/template.cpp:473:10: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if(!out.open(QFile::WriteOnly | QFile::Truncate))
data/pushpin-1.31.0/tools/echo/echo.cpp:128:11: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  file.open(QFile::ReadOnly);
data/pushpin-1.31.0/tools/publish/main.cpp:328:9: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if(!f.open(QFile::ReadOnly))
data/pushpin-1.31.0/src/corelib/common/processquit.cpp:226:8: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if(::read(sig_pipe[0], &c, 1) == -1)
data/pushpin-1.31.0/src/corelib/qzmq/examples/helloclient/helloclient.cpp:36:33: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  QList<QByteArray> resp = sock.read();
data/pushpin-1.31.0/src/corelib/qzmq/examples/helloserver/helloserver.cpp:28:31: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  QZmq::ReqMessage msg = sock.read();
data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqreprouter.cpp:91:23: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ReqMessage RepRouter::read()
data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqreprouter.cpp:93:29: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  return ReqMessage(d->sock->read());
data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqreprouter.h:48:13: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ReqMessage read();
data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqsocket.cpp:440:20: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  QList<QByteArray> read()
data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqsocket.cpp:748:27: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  QList<QByteArray> Socket::read()
data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqsocket.cpp:750:12: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  return d->read();
data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqsocket.h:98:20: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  QList<QByteArray> read();
data/pushpin-1.31.0/src/corelib/qzmq/src/qzmqvalve.cpp:80:34: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  QList<QByteArray> msg = sock->read();
data/pushpin-1.31.0/src/corelib/zhttpmanager.cpp:697:45: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  QList<QByteArray> msg = client_req_sock->read();
data/pushpin-1.31.0/src/handler/simplehttpserver.cpp:231:19: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  inBuf += sock->read(maxHeadersSize - inBuf.size());
data/pushpin-1.31.0/src/handler/simplehttpserver.cpp:318:21: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  reqBody += sock->read(maxBodySize - reqBody.size() + 1);
data/pushpin-1.31.0/src/m2adapter/app.cpp:2755:38: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  QList<QByteArray> message = sock->read();

ANALYSIS SUMMARY:

Hits = 65
Lines analyzed = 53079 in approximately 1.08 seconds (49270 lines/second)
Physical Source Lines of Code (SLOC) = 38225
Hits@level = [0] 36 [1] 15 [2] 44 [3] 0 [4] 6 [5] 0
Hits@level+ = [0+] 101 [1+] 65 [2+] 50 [3+] 6 [4+] 6 [5+] 0
Hits/KSLOC@level+ = [0+] 2.64225 [1+] 1.70046 [2+] 1.30804 [3+] 0.156965 [4+] 0.156965 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.