Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/python-apsw-3.32.2-r1/src/vtable.c
Examining data/python-apsw-3.32.2-r1/src/blob.c
Examining data/python-apsw-3.32.2-r1/src/exceptions.c
Examining data/python-apsw-3.32.2-r1/src/cursor.c
Examining data/python-apsw-3.32.2-r1/src/statementcache.c
Examining data/python-apsw-3.32.2-r1/src/util.c
Examining data/python-apsw-3.32.2-r1/src/traceback.c
Examining data/python-apsw-3.32.2-r1/src/vfs.c
Examining data/python-apsw-3.32.2-r1/src/connection.c
Examining data/python-apsw-3.32.2-r1/src/backup.c
Examining data/python-apsw-3.32.2-r1/src/testextension.c
Examining data/python-apsw-3.32.2-r1/src/apsw.c
Examining data/python-apsw-3.32.2-r1/src/pyutil.c
Examining data/python-apsw-3.32.2-r1/src/apswbuffer.c
Examining data/python-apsw-3.32.2-r1/src/apswversion.h

FINAL RESULTS:

data/python-apsw-3.32.2-r1/src/exceptions.c:177:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
      sprintf(buffy, "apsw.%s", apswexceptions[i].name);
data/python-apsw-3.32.2-r1/src/exceptions.c:188:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
      sprintf(buffy, "apsw.%sError", exc_descriptors[i].name);
data/python-apsw-3.32.2-r1/src/exceptions.c:193:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
      sprintf(buffy, "%sError", exc_descriptors[i].name);
data/python-apsw-3.32.2-r1/src/util.c:340:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
    strcpy(res, source);
data/python-apsw-3.32.2-r1/src/vfs.c:638:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
      strcpy(filename, PyBytes_AS_STRING(utf8name));
data/python-apsw-3.32.2-r1/src/vfs.c:1924:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
      strcpy(self->filename, PyBytes_AS_STRING(utf8name));
data/python-apsw-3.32.2-r1/src/apsw.c:1061:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(res, PyUnicode_AS_UNICODE(value), PyUnicode_GET_DATA_SIZE(value));
data/python-apsw-3.32.2-r1/src/exceptions.c:144:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffy[100]; /* more than enough for anyone :-) */
data/python-apsw-3.32.2-r1/src/pyutil.c:219:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(buffy, ptr, size);
data/python-apsw-3.32.2-r1/src/vfs.c:446:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(zOut, PyBytes_AS_STRING(utf8), PyBytes_GET_SIZE(utf8)+1); /* Python always null terminates hence +1 */
data/python-apsw-3.32.2-r1/src/vfs.c:892:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
          memcpy(zErrMsg, PyBytes_AS_STRING(utf8), len);
data/python-apsw-3.32.2-r1/src/vfs.c:983:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
          memcpy(zOut, buffer, buflen);
data/python-apsw-3.32.2-r1/src/vfs.c:1212:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
          memcpy(zErrMsg, PyBytes_AS_STRING(utf8), len);
data/python-apsw-3.32.2-r1/src/vfs.c:2049:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(bufout, buffer, size);
data/python-apsw-3.32.2-r1/src/vfs.c:2053:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(bufout, buffer, amount);
data/python-apsw-3.32.2-r1/src/apswbuffer.c:207:10:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions
  (CWE-126). This function is often discouraged by most C++ coding standards
  in favor of its safer alternatives provided since C++14. Consider using a
  form of this function that checks the second iterator before potentially
  overflowing it.
         goto equal;
data/python-apsw-3.32.2-r1/src/apswbuffer.c:210:10:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions
  (CWE-126). This function is often discouraged by most C++ coding standards
  in favor of its safer alternatives provided since C++14. Consider using a
  form of this function that checks the second iterator before potentially
  overflowing it.
         goto equal;
data/python-apsw-3.32.2-r1/src/apswbuffer.c:215:2:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions
  (CWE-126). This function is often discouraged by most C++ coding standards
  in favor of its safer alternatives provided since C++14. Consider using a
  form of this function that checks the second iterator before potentially
  overflowing it.
 equal:
data/python-apsw-3.32.2-r1/src/cursor.c:633:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      keyo=PyUnicode_DecodeUTF8(key, strlen(key), NULL);
data/python-apsw-3.32.2-r1/src/exceptions.c:59:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      value=PyBytes_FromStringAndSize(msg, strlen(msg));
data/python-apsw-3.32.2-r1/src/pyutil.c:289:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      return convertutf8stringsize(str, strlen(str));
data/python-apsw-3.32.2-r1/src/util.c:338:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    char *res=PyMem_Malloc(strlen(source)+1);
data/python-apsw-3.32.2-r1/src/vfs.c:632:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      len=strlen(PyBytes_AS_STRING(utf8name));
data/python-apsw-3.32.2-r1/src/vfs.c:942:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      if(strlen(PyBytes_AS_STRING(res))==0)
data/python-apsw-3.32.2-r1/src/vfs.c:958:145:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      AddTraceBackHere(__FILE__, __LINE__, "vfspy.xDlError", "{s: O, s: N}", "self", self, "res", PyBytes_FromStringAndSize(PyBytes_AS_STRING(res), strlen(PyBytes_AS_STRING(res))));
data/python-apsw-3.32.2-r1/src/vfs.c:1643:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      if(!strlen(base))
data/python-apsw-3.32.2-r1/src/vfs.c:1918:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      len=strlen(PyBytes_AS_STRING(utf8name));
data/python-apsw-3.32.2-r1/src/vfs.c:1931:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      if(strlen(vfs)==0)

ANALYSIS SUMMARY:

Hits = 28
Lines analyzed = 14969 in approximately 0.38 seconds (39750 lines/second)
Physical Source Lines of Code (SLOC) = 9436
Hits@level = [0]   1 [1]  13 [2]   9 [3]   0 [4]   6 [5]   0
Hits@level+ = [0+]  29 [1+]  28 [2+]  15 [3+]   6 [4+]   6 [5+]   0
Hits/KSLOC@level+ = [0+] 3.07334 [1+] 2.96736 [2+] 1.58966 [3+] 0.635863 [4+] 0.635863 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.
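Triage notes and an added example (not part of the flawfinder output above, and not apsw's own code). The six level-4 hits all share one shape: a format or copy into a buffer whose size is fixed elsewhere, so the tool cannot see the bound. Whether exceptions.c's `char buffy[100]` is actually large enough depends on the longest exception name, which this report does not show, so the hits are review items rather than confirmed overflows. The three `equal` hits in apswbuffer.c match a `goto` label, not a call to C++ `std::equal`, and the level-1 `strlen` hits on `PyBytes_AS_STRING(...)` operate on CPython bytes objects, which always carry a trailing NUL (the vfs.c:446 comment says as much). The block below shows the flagged sprintf-into-fixed-buffer pattern replaced by a bounded `snprintf` whose truncation is detected rather than ignored, and the util.c `malloc(strlen+1)` then copy pattern written so that the copied length is the same value used for the allocation. `qualify_name`, `dup_cstring`, `demo` and the sample name are assumed names for illustration.

```c
/* Added example, not apsw's code: bounded replacements for the sprintf/strcpy
 * patterns flawfinder flagged. Function names and inputs are illustrative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same size as the flagged "char buffy[100]" in exceptions.c. */
#define QUALIFIED_NAME_MAX 100

/* Bounded replacement for sprintf(buffy, "apsw.%sError", name):
 * writes "<prefix>.<name><suffix>" into out (size outsz) and reports
 * truncation instead of overflowing. Returns 0 on success, -1 if the
 * formatted text did not fit (out is still NUL-terminated, but cut short)
 * or on an encoding error. */
int qualify_name(char *out, size_t outsz, const char *prefix,
                 const char *name, const char *suffix)
{
    int n = snprintf(out, outsz, "%s.%s%s", prefix, name, suffix);
    if (n < 0)
        return -1;                 /* encoding error */
    if ((size_t)n >= outsz)
        return -1;                 /* needed n+1 bytes, only outsz available */
    return 0;
}

/* The util.c shape: allocate strlen(src)+1, then copy. The copy is bounded
 * only because the destination was sized from the same strlen, so the length
 * is computed once and reused for both the allocation and the copy (memcpy
 * of len+1 bytes includes the terminator). The remaining precondition, that
 * src is NUL-terminated, is exactly what the CWE-126 strlen hits are about. */
char *dup_cstring(const char *src)
{
    size_t len = strlen(src);
    char *res = malloc(len + 1);
    if (!res)
        return NULL;
    memcpy(res, src, len + 1);
    return res;
}

/* Demonstration with a constructed short name that fits and a constructed
 * 199-byte name that cannot. Returns 1 if both cases behave as expected. */
int demo(void)
{
    char buffy[QUALIFIED_NAME_MAX];
    char longname[200];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    int fits = qualify_name(buffy, sizeof buffy, "apsw", "Example", "Error");
    char *copy = dup_cstring(buffy);
    int copied = copy != NULL && strcmp(copy, buffy) == 0;
    free(copy);

    int truncated = qualify_name(buffy, sizeof buffy, "apsw", longname, "Error");
    return fits == 0 && copied && truncated == -1;
}
```

The point of the `n >= outsz` check is that `snprintf` returns the length the full string would have had, not the number of bytes written; a caller that ignores that return value gets silent truncation, which for an exception or filename string is a correctness bug even if no longer a memory-safety one.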