Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/pybdsf-1.9.2/natgrid/Include/nnchead.h
Examining data/pybdsf-1.9.2/natgrid/Include/nncheadd.h
Examining data/pybdsf-1.9.2/natgrid/Include/nncheads.h
Examining data/pybdsf-1.9.2/natgrid/Include/nnexver.h
Examining data/pybdsf-1.9.2/natgrid/Include/nnghead.h
Examining data/pybdsf-1.9.2/natgrid/Include/nngheadd.h
Examining data/pybdsf-1.9.2/natgrid/Include/nngheads.h
Examining data/pybdsf-1.9.2/natgrid/Include/nntpvrs.h
Examining data/pybdsf-1.9.2/natgrid/Include/nntypes.h
Examining data/pybdsf-1.9.2/natgrid/Include/nnuhead.h
Examining data/pybdsf-1.9.2/natgrid/Include/nnuheadd.h
Examining data/pybdsf-1.9.2/natgrid/Include/nnuheads.h
Examining data/pybdsf-1.9.2/natgrid/Include/nnmhead.h
Examining data/pybdsf-1.9.2/natgrid/Src/natgrid.c
Examining data/pybdsf-1.9.2/natgrid/Src/natgridd.c
Examining data/pybdsf-1.9.2/natgrid/Src/natgridmodule.c
Examining data/pybdsf-1.9.2/natgrid/Src/natgrids.c
Examining data/pybdsf-1.9.2/natgrid/Src/nncrunch.c
Examining data/pybdsf-1.9.2/natgrid/Src/nncrunchd.c
Examining data/pybdsf-1.9.2/natgrid/Src/nncrunchs.c
Examining data/pybdsf-1.9.2/natgrid/Src/nnerror.c
Examining data/pybdsf-1.9.2/natgrid/Src/nnuser.c
Examining data/pybdsf-1.9.2/natgrid/Src/nnuserd.c
Examining data/pybdsf-1.9.2/natgrid/Src/nnusers.c
Examining data/pybdsf-1.9.2/src/c++/Fitter_dn2g.cc
Examining data/pybdsf-1.9.2/src/c++/Fitter_dnsg.cc
Examining data/pybdsf-1.9.2/src/c++/Fitter_lmder.cc
Examining data/pybdsf-1.9.2/src/c++/Fitters.h
Examining data/pybdsf-1.9.2/src/c++/MGFunction.h
Examining data/pybdsf-1.9.2/src/c++/MGFunction1.cc
Examining data/pybdsf-1.9.2/src/c++/MGFunction2.cc
Examining data/pybdsf-1.9.2/src/c++/boost_python.h
Examining data/pybdsf-1.9.2/src/c++/cbdsm_main.cc
Examining data/pybdsf-1.9.2/src/c++/num_util/num_util.cpp
Examining data/pybdsf-1.9.2/src/c++/num_util/num_util.h
Examining data/pybdsf-1.9.2/src/c++/pyndarray.h
Examining data/pybdsf-1.9.2/src/c++/stat.cc
Examining data/pybdsf-1.9.2/src/c++/stat.h

FINAL RESULTS:

data/pybdsf-1.9.2/natgrid/Src/nnuser.c:17:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(emsg,"\n Parameter name supplied is: %s\n",pnam);
data/pybdsf-1.9.2/natgrid/Src/nnuser.c:63:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(emsg,"\n Parameter name supplied is: %s\n",pnam);
data/pybdsf-1.9.2/natgrid/Src/nnuser.c:98:10:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(error_file,vnam);
data/pybdsf-1.9.2/natgrid/Src/nnuser.c:102:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(emsg,"\n Parameter name supplied is: %s\n",pnam);
data/pybdsf-1.9.2/natgrid/Src/nnuser.c:143:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(emsg,"\n Parameter name supplied is: %s\n",pnam);
data/pybdsf-1.9.2/natgrid/Src/nnuserd.c:48:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(emsg,"\n Parameter name supplied is: %s\n",pnam);
data/pybdsf-1.9.2/natgrid/Src/nnuserd.c:101:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(emsg,"\n Parameter name supplied is: %s\n",pnam);
data/pybdsf-1.9.2/natgrid/Src/nnusers.c:46:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(emsg,"\n Parameter name supplied is: %s\n",pnam);
data/pybdsf-1.9.2/natgrid/Src/nnusers.c:99:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(emsg,"\n Parameter name supplied is: %s\n",pnam);
data/pybdsf-1.9.2/natgrid/Src/nncrunchd.c:321:4:  [3] (random) srand:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srand(367);
data/pybdsf-1.9.2/natgrid/Src/nncrunchs.c:322:4:  [3] (random) srand:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srand(367);
data/pybdsf-1.9.2/natgrid/Include/nnchead.h:38:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern char tri_file[256], error_file[256], emsg[256];
data/pybdsf-1.9.2/natgrid/Include/nnchead.h:40:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  extern FILE *fopen(), *filee;
data/pybdsf-1.9.2/natgrid/Include/nnghead.h:38:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern char tri_file[256], error_file[256], emsg[256];
data/pybdsf-1.9.2/natgrid/Include/nnghead.h:40:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  extern FILE *fopen(), *filee;
data/pybdsf-1.9.2/natgrid/Include/nnmhead.h:39:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tri_file[256] = {"nnalg.dat"}, error_file[256] = {"stderr"},
data/pybdsf-1.9.2/natgrid/Include/nnmhead.h:42:10:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE *fopen(), *filee = NULL;
data/pybdsf-1.9.2/natgrid/Src/natgridmodule.c:200:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *title[6] = { "x", "y ", "z", "xo", "yo", "result" }; /* Titles for print to file */
data/pybdsf-1.9.2/natgrid/Src/natgridmodule.c:235:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if((fp = fopen("natgrids.asc", "w")) == NULL) {
data/pybdsf-1.9.2/natgrid/Src/natgridmodule.c:522:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char cval[128]; /* the value currently assigned to the control parameter whose name is
data/pybdsf-1.9.2/natgrid/Src/natgridmodule.c:707:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *title[3] = {"x", "y ", "z"}; /* Titles for print to file */
data/pybdsf-1.9.2/natgrid/Src/natgridmodule.c:731:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if((fp = fopen("pntinits.asc", "w")) == NULL) {
data/pybdsf-1.9.2/natgrid/Src/natgridmodule.c:914:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *title[6] = {"x", "y ", "z", "xo", "yo", "result"}; /* Titles for print to file */
data/pybdsf-1.9.2/natgrid/Src/natgridmodule.c:950:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if((fp = fopen("natgridd.asc", "w")) == NULL) {
data/pybdsf-1.9.2/natgrid/Src/natgridmodule.c:1235:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *title[3] = { "x", "y ", "z" }; /* Titles for print to file */
data/pybdsf-1.9.2/natgrid/Src/natgridmodule.c:1258:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if((fp = fopen("pntinitd.asc", "w")) == NULL) {
data/pybdsf-1.9.2/natgrid/Src/nncrunch.c:445:20:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((filer = fopen(tri_file,"w")) EQ (FILE *) NULL)
data/pybdsf-1.9.2/natgrid/Src/nncrunchd.c:309:16:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n Coordinates %d and %d are identical.\n",i0,i1);
data/pybdsf-1.9.2/natgrid/Src/nncrunchd.c:478:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n\n Current automatically computed scaling "
data/pybdsf-1.9.2/natgrid/Src/nncrunchd.c:497:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n Requested row = %d (indices starting with one)\n",row+1);
data/pybdsf-1.9.2/natgrid/Src/nncrunchd.c:505:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n Requested column = %d (indices starting with one)\n",
data/pybdsf-1.9.2/natgrid/Src/nncrunchd.c:526:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n\n Current automatically computed scaling "
data/pybdsf-1.9.2/natgrid/Src/nncrunchd.c:545:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n Requested row = %d (indices starting with one)\n",row+1);
data/pybdsf-1.9.2/natgrid/Src/nncrunchd.c:553:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n Requested column = %d (indices starting with one)\n",
data/pybdsf-1.9.2/natgrid/Src/nncrunchd.c:617:7:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n Coordinate = (%f, %f)\n", x, y);
data/pybdsf-1.9.2/natgrid/Src/nncrunchs.c:310:16:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n Coordinates %d and %d are identical.\n",i0,i1);
data/pybdsf-1.9.2/natgrid/Src/nncrunchs.c:479:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n\n Current automatically computed scaling "
data/pybdsf-1.9.2/natgrid/Src/nncrunchs.c:498:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n Requested row = %d (indices starting with one)\n",row+1);
data/pybdsf-1.9.2/natgrid/Src/nncrunchs.c:506:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n Requested column = %d (indices starting with one)\n",
data/pybdsf-1.9.2/natgrid/Src/nncrunchs.c:527:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n\n Current automatically computed scaling "
data/pybdsf-1.9.2/natgrid/Src/nncrunchs.c:546:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n Requested row = %d (indices starting with one)\n",row+1);
data/pybdsf-1.9.2/natgrid/Src/nncrunchs.c:554:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n Requested column = %d (indices starting with one)\n",
data/pybdsf-1.9.2/natgrid/Src/nncrunchs.c:618:7:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(emsg,"\n Coordinate = (%f, %f)\n", x, y);
data/pybdsf-1.9.2/natgrid/Src/nnerror.c:36:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char *err_list[MAX_ERROR] = {
data/pybdsf-1.9.2/natgrid/Src/nnerror.c:130:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  rlist = (char *) err_list[29];
data/pybdsf-1.9.2/natgrid/Src/nnerror.c:133:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  rlist = (char *) err_list[i-1];
data/pybdsf-1.9.2/natgrid/Src/nnuser.c:86:10:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(error_file,"stderr");
data/pybdsf-1.9.2/natgrid/Src/nnuser.c:90:10:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(error_file,"stdout");
data/pybdsf-1.9.2/natgrid/Src/nnuser.c:93:23:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((filee = fopen(vnam,"w")) EQ (FILE *) NULL)
data/pybdsf-1.9.2/natgrid/Src/nnuser.c:159:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char cdum[256];
data/pybdsf-1.9.2/natgrid/Src/nnuser.c:171:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char cdum[256] = {" "};
data/pybdsf-1.9.2/src/c++/num_util/num_util.h:78:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(arr_data, data, PyArray_ITEMSIZE((PyArrayObject*) obj.ptr()) * n); // copies the input data to
data/pybdsf-1.9.2/src/c++/num_util/num_util.h:96:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(arr_data, data, PyArray_ITEMSIZE((PyArrayObject*) obj.ptr()) * total);

ANALYSIS SUMMARY:

Hits = 53
Lines analyzed = 7988 in approximately 0.33 seconds (24092 lines/second)
Physical Source Lines of Code (SLOC) = 5439
Hits@level = [0] 125 [1]   0 [2]  42 [3]   2 [4]   9 [5]   0
Hits@level+ = [0+] 178 [1+]  53 [2+]  53 [3+]  11 [4+]   9 [5+]   0
Hits/KSLOC@level+ = [0+] 32.7266 [1+] 9.74444 [2+] 9.74444 [3+] 2.02243 [4+] 1.65472 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.