Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/pymongo-3.11.0/bson/_cbsonmodule.c
Examining data/pymongo-3.11.0/bson/_cbsonmodule.h
Examining data/pymongo-3.11.0/bson/bson-endian.h
Examining data/pymongo-3.11.0/bson/bson-stdint-win32.h
Examining data/pymongo-3.11.0/bson/buffer.c
Examining data/pymongo-3.11.0/bson/buffer.h
Examining data/pymongo-3.11.0/bson/encoding_helpers.c
Examining data/pymongo-3.11.0/bson/encoding_helpers.h
Examining data/pymongo-3.11.0/bson/time64.c
Examining data/pymongo-3.11.0/bson/time64.h
Examining data/pymongo-3.11.0/bson/time64_config.h
Examining data/pymongo-3.11.0/bson/time64_limits.h
Examining data/pymongo-3.11.0/pymongo/_cmessagemodule.c
FINAL RESULTS:
data/pymongo-3.11.0/bson/_cbsonmodule.h:37:5: [4] (format) _snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
_snprintf((buffer), \
data/pymongo-3.11.0/bson/_cbsonmodule.h:41:30: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
#define STRCAT(dest, n, src) strcat((dest), (src))
data/pymongo-3.11.0/bson/_cbsonmodule.h:45:30: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
#define STRCAT(dest, n, src) strcat((dest), (src))
data/pymongo-3.11.0/bson/time64.c:136:35: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define TIME64_TRACE(format) (fprintf(stderr, format))
data/pymongo-3.11.0/bson/time64.c:137:45: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define TIME64_TRACE1(format, var1) (fprintf(stderr, format, var1))
data/pymongo-3.11.0/bson/time64.c:138:51: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define TIME64_TRACE2(format, var1, var2) (fprintf(stderr, format, var1, var2))
data/pymongo-3.11.0/bson/time64.c:139:57: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define TIME64_TRACE3(format, var1, var2, var3) (fprintf(stderr, format, var1, var2, var3))
data/pymongo-3.11.0/bson/_cbsonmodule.c:221:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buffer_get_buffer(buffer) + position, &data_le, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:650:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char flags[FLAGS_SIZE];
data/pymongo-3.11.0/bson/_cbsonmodule.c:1124:13: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char name[16];
data/pymongo-3.11.0/bson/_cbsonmodule.c:1784:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&d, buffer + *position, 8);
data/pymongo-3.11.0/bson/_cbsonmodule.c:1796:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&value_length, buffer + *position, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:1824:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&size, buffer + *position, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:1912:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&size, buffer + *position, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:1975:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&length, buffer + *position, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:1987:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&length2, buffer + *position, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2132:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&millis, buffer + *position, 8);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2261:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&coll_length, buffer + *position, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2307:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&value_length, buffer + *position, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2345:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&c_w_s_size, buffer + *position, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2353:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&code_size, buffer + *position, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2372:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&scope_size, buffer + *position, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2410:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&i, buffer + *position, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2430:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&inc, buffer + *position, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2431:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&time, buffer + *position + 4, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2452:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&ll, buffer + *position, 8);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2817:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&size, string, 4);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2906:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&size, string, 4);
data/pymongo-3.11.0/bson/bson-endian.h:226:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&uv, &v, sizeof(v));
data/pymongo-3.11.0/bson/buffer.c:142:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buffer->buffer + buffer->position, data, size);
data/pymongo-3.11.0/bson/encoding_helpers.c:45:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const char trailingBytesForUTF8[256] = {
data/pymongo-3.11.0/bson/time64.c:405:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(dest, src, sizeof(*dest));
data/pymongo-3.11.0/bson/time64.c:437:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(dest, src, sizeof(*dest));
data/pymongo-3.11.0/bson/time64.c:454:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(result, static_result, sizeof(*result));
data/pymongo-3.11.0/bson/time64.c:471:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(result, static_result, sizeof(*result));
data/pymongo-3.11.0/pymongo/_cmessagemodule.c:1518:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char key[16];
data/pymongo-3.11.0/bson/_cbsonmodule.c:756:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
flags_length = (int)strlen(flags) + 1;
data/pymongo-3.11.0/bson/_cbsonmodule.c:1131:56: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (!buffer_write_bytes(buffer, name, (int)strlen(name) + 1)) {
data/pymongo-3.11.0/bson/_cbsonmodule.c:1450:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(data) != (size_t)(size - 1)) {
data/pymongo-3.11.0/bson/_cbsonmodule.c:1933:35: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t key_size = strlen(buffer + *position);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2202:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t pattern_length = strlen(buffer + *position);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2213:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
flags_length = strlen(buffer + *position);
data/pymongo-3.11.0/bson/_cbsonmodule.c:2620:26: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t name_length = strlen(string + position);
data/pymongo-3.11.0/pymongo/_cmessagemodule.c:1521:51: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
!buffer_write_bytes(buffer, key, (int)strlen(key) + 1)) {
ANALYSIS SUMMARY:
Hits = 44
Lines analyzed = 6982 in approximately 0.20 seconds (35265 lines/second)
Physical Source Lines of Code (SLOC) = 5357
Hits@level = [0] 1 [1] 8 [2] 29 [3] 0 [4] 7 [5] 0
Hits@level+ = [0+] 45 [1+] 44 [2+] 36 [3+] 7 [4+] 7 [5+] 0
Hits/KSLOC@level+ = [0+] 8.40022 [1+] 8.21355 [2+] 6.72018 [3+] 1.3067 [4+] 1.3067 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.