Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/python-pygit2-1.0.3/pygit2/decl/attr.h
Examining data/python-pygit2-1.0.3/pygit2/decl/blame.h
Examining data/python-pygit2-1.0.3/pygit2/decl/buffer.h
Examining data/python-pygit2-1.0.3/pygit2/decl/checkout.h
Examining data/python-pygit2-1.0.3/pygit2/decl/clone.h
Examining data/python-pygit2-1.0.3/pygit2/decl/common.h
Examining data/python-pygit2-1.0.3/pygit2/decl/config.h
Examining data/python-pygit2-1.0.3/pygit2/decl/describe.h
Examining data/python-pygit2-1.0.3/pygit2/decl/diff.h
Examining data/python-pygit2-1.0.3/pygit2/decl/errors.h
Examining data/python-pygit2-1.0.3/pygit2/decl/graph.h
Examining data/python-pygit2-1.0.3/pygit2/decl/index.h
Examining data/python-pygit2-1.0.3/pygit2/decl/merge.h
Examining data/python-pygit2-1.0.3/pygit2/decl/net.h
Examining data/python-pygit2-1.0.3/pygit2/decl/oid.h
Examining data/python-pygit2-1.0.3/pygit2/decl/pack.h
Examining data/python-pygit2-1.0.3/pygit2/decl/proxy.h
Examining data/python-pygit2-1.0.3/pygit2/decl/refspec.h
Examining data/python-pygit2-1.0.3/pygit2/decl/remote.h
Examining data/python-pygit2-1.0.3/pygit2/decl/repository.h
Examining data/python-pygit2-1.0.3/pygit2/decl/revert.h
Examining data/python-pygit2-1.0.3/pygit2/decl/stash.h
Examining data/python-pygit2-1.0.3/pygit2/decl/strarray.h
Examining data/python-pygit2-1.0.3/pygit2/decl/submodule.h
Examining data/python-pygit2-1.0.3/pygit2/decl/transport.h
Examining data/python-pygit2-1.0.3/pygit2/decl/types.h
Examining data/python-pygit2-1.0.3/src/blob.c
Examining data/python-pygit2-1.0.3/src/blob.h
Examining data/python-pygit2-1.0.3/src/branch.c
Examining data/python-pygit2-1.0.3/src/branch.h
Examining data/python-pygit2-1.0.3/src/commit.c
Examining data/python-pygit2-1.0.3/src/commit.h
Examining data/python-pygit2-1.0.3/src/diff.c
Examining data/python-pygit2-1.0.3/src/diff.h
Examining data/python-pygit2-1.0.3/src/error.c
Examining data/python-pygit2-1.0.3/src/error.h
Examining data/python-pygit2-1.0.3/src/mailmap.c
Examining data/python-pygit2-1.0.3/src/mailmap.h
Examining data/python-pygit2-1.0.3/src/note.c
Examining data/python-pygit2-1.0.3/src/note.h
Examining data/python-pygit2-1.0.3/src/object.c
Examining data/python-pygit2-1.0.3/src/object.h
Examining data/python-pygit2-1.0.3/src/odb.c
Examining data/python-pygit2-1.0.3/src/odb.h
Examining data/python-pygit2-1.0.3/src/odb_backend.c
Examining data/python-pygit2-1.0.3/src/odb_backend.h
Examining data/python-pygit2-1.0.3/src/oid.c
Examining data/python-pygit2-1.0.3/src/oid.h
Examining data/python-pygit2-1.0.3/src/options.c
Examining data/python-pygit2-1.0.3/src/options.h
Examining data/python-pygit2-1.0.3/src/patch.c
Examining data/python-pygit2-1.0.3/src/patch.h
Examining data/python-pygit2-1.0.3/src/pygit2.c
Examining data/python-pygit2-1.0.3/src/reference.c
Examining data/python-pygit2-1.0.3/src/reference.h
Examining data/python-pygit2-1.0.3/src/repository.c
Examining data/python-pygit2-1.0.3/src/repository.h
Examining data/python-pygit2-1.0.3/src/signature.c
Examining data/python-pygit2-1.0.3/src/signature.h
Examining data/python-pygit2-1.0.3/src/tag.c
Examining data/python-pygit2-1.0.3/src/tag.h
Examining data/python-pygit2-1.0.3/src/tree.c
Examining data/python-pygit2-1.0.3/src/tree.h
Examining data/python-pygit2-1.0.3/src/treebuilder.c
Examining data/python-pygit2-1.0.3/src/treebuilder.h
Examining data/python-pygit2-1.0.3/src/types.h
Examining data/python-pygit2-1.0.3/src/utils.c
Examining data/python-pygit2-1.0.3/src/utils.h
Examining data/python-pygit2-1.0.3/src/walker.c
Examining data/python-pygit2-1.0.3/src/walker.h
Examining data/python-pygit2-1.0.3/src/worktree.c
Examining data/python-pygit2-1.0.3/src/worktree.h

FINAL RESULTS:

data/python-pygit2-1.0.3/pygit2/decl/oid.h:2:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char id[20];
data/python-pygit2-1.0.3/pygit2/decl/transport.h:21:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char hash_md5[16];
data/python-pygit2-1.0.3/pygit2/decl/transport.h:22:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char hash_sha1[20];
data/python-pygit2-1.0.3/src/commit.c:169:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char tree_id[GIT_OID_HEXSZ + 1] = { 0 };
data/python-pygit2-1.0.3/src/error.c:125:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char hex[GIT_OID_HEXSZ + 1];
data/python-pygit2-1.0.3/src/oid.c:137:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char hex[GIT_OID_HEXSZ];
data/python-pygit2-1.0.3/src/oid.c:177:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(self->oid.id, (const unsigned char*)bytes, len);
data/python-pygit2-1.0.3/src/diff.c:1013:48:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  err = git_diff_from_buffer(&diff, content, strlen(content));
data/python-pygit2-1.0.3/src/object.c:271:20:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions
  (CWE-126). This function is often discouraged by most C++ coding standards
  in favor of its safer alternatives provided since C++14. Consider using a
  form of this function that checks the second iterator before potentially
  overflowing it.
  res = (equal) ? Py_False : Py_True;
data/python-pygit2-1.0.3/src/object.c:274:20:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions
  (CWE-126). This function is often discouraged by most C++ coding standards
  in favor of its safer alternatives provided since C++14. Consider using a
  form of this function that checks the second iterator before potentially
  overflowing it.
  res = (equal) ? Py_True : Py_False;
data/python-pygit2-1.0.3/src/odb.c:275:17:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  METHOD(Odb, read, METH_O),
data/python-pygit2-1.0.3/src/odb_backend.c:103:30:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  err = self->odb_backend->read(&data, &sz, &type, self->odb_backend, &oid);
data/python-pygit2-1.0.3/src/odb_backend.c:119:24:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  METHOD(OdbBackend, read, METH_O),
data/python-pygit2-1.0.3/src/utils.h:43:49:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define to_encoding(x) PyUnicode_DecodeASCII(x, strlen(x), "strict")
data/python-pygit2-1.0.3/src/utils.h:61:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  to_unicode_n(x, strlen(x), encoding, errors)

ANALYSIS SUMMARY:

Hits = 15
Lines analyzed = 12239 in approximately 0.32 seconds (38656 lines/second)
Physical Source Lines of Code (SLOC) = 8910
Hits@level = [0]   0 [1]   8 [2]   7 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  15 [1+]  15 [2+]   7 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 1.6835 [1+] 1.6835 [2+] 0.785634 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.