Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/attr.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/blame.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/buffer.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/callbacks.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/checkout.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/clone.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/common.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/config.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/describe.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/diff.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/errors.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/graph.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/index.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/indexer.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/merge.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/net.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/oid.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/pack.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/proxy.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/refspec.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/remote.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/repository.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/revert.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/stash.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/strarray.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/submodule.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/transport.h
Examining data/python-pygit2-1.2.1+dfsg1/pygit2/decl/types.h
Examining data/python-pygit2-1.2.1+dfsg1/src/blob.c
Examining data/python-pygit2-1.2.1+dfsg1/src/blob.h
Examining data/python-pygit2-1.2.1+dfsg1/src/branch.c
Examining data/python-pygit2-1.2.1+dfsg1/src/branch.h
Examining data/python-pygit2-1.2.1+dfsg1/src/commit.c
Examining data/python-pygit2-1.2.1+dfsg1/src/commit.h
Examining data/python-pygit2-1.2.1+dfsg1/src/diff.c
Examining data/python-pygit2-1.2.1+dfsg1/src/diff.h
Examining data/python-pygit2-1.2.1+dfsg1/src/error.c
Examining data/python-pygit2-1.2.1+dfsg1/src/error.h
Examining data/python-pygit2-1.2.1+dfsg1/src/mailmap.c
Examining data/python-pygit2-1.2.1+dfsg1/src/mailmap.h
Examining data/python-pygit2-1.2.1+dfsg1/src/note.c
Examining data/python-pygit2-1.2.1+dfsg1/src/note.h
Examining data/python-pygit2-1.2.1+dfsg1/src/object.c
Examining data/python-pygit2-1.2.1+dfsg1/src/object.h
Examining data/python-pygit2-1.2.1+dfsg1/src/odb.c
Examining data/python-pygit2-1.2.1+dfsg1/src/odb.h
Examining data/python-pygit2-1.2.1+dfsg1/src/odb_backend.c
Examining data/python-pygit2-1.2.1+dfsg1/src/odb_backend.h
Examining data/python-pygit2-1.2.1+dfsg1/src/oid.c
Examining data/python-pygit2-1.2.1+dfsg1/src/oid.h
Examining data/python-pygit2-1.2.1+dfsg1/src/options.c
Examining data/python-pygit2-1.2.1+dfsg1/src/options.h
Examining data/python-pygit2-1.2.1+dfsg1/src/patch.c
Examining data/python-pygit2-1.2.1+dfsg1/src/patch.h
Examining data/python-pygit2-1.2.1+dfsg1/src/pygit2.c
Examining data/python-pygit2-1.2.1+dfsg1/src/refdb.c
Examining data/python-pygit2-1.2.1+dfsg1/src/refdb.h
Examining data/python-pygit2-1.2.1+dfsg1/src/refdb_backend.c
Examining data/python-pygit2-1.2.1+dfsg1/src/refdb_backend.h
Examining data/python-pygit2-1.2.1+dfsg1/src/reference.c
Examining data/python-pygit2-1.2.1+dfsg1/src/reference.h
Examining data/python-pygit2-1.2.1+dfsg1/src/repository.c
Examining data/python-pygit2-1.2.1+dfsg1/src/repository.h
Examining data/python-pygit2-1.2.1+dfsg1/src/signature.c
Examining data/python-pygit2-1.2.1+dfsg1/src/signature.h
Examining data/python-pygit2-1.2.1+dfsg1/src/tag.c
Examining data/python-pygit2-1.2.1+dfsg1/src/tag.h
Examining data/python-pygit2-1.2.1+dfsg1/src/tree.c
Examining data/python-pygit2-1.2.1+dfsg1/src/tree.h
Examining data/python-pygit2-1.2.1+dfsg1/src/treebuilder.c
Examining data/python-pygit2-1.2.1+dfsg1/src/treebuilder.h
Examining data/python-pygit2-1.2.1+dfsg1/src/types.h
Examining data/python-pygit2-1.2.1+dfsg1/src/utils.c
Examining data/python-pygit2-1.2.1+dfsg1/src/utils.h
Examining data/python-pygit2-1.2.1+dfsg1/src/walker.c
Examining data/python-pygit2-1.2.1+dfsg1/src/walker.h
Examining data/python-pygit2-1.2.1+dfsg1/src/wildmatch.c
Examining data/python-pygit2-1.2.1+dfsg1/src/wildmatch.h
Examining data/python-pygit2-1.2.1+dfsg1/src/worktree.c
Examining data/python-pygit2-1.2.1+dfsg1/src/worktree.h

FINAL RESULTS:

data/python-pygit2-1.2.1+dfsg1/pygit2/decl/oid.h:2:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char id[20];
data/python-pygit2-1.2.1+dfsg1/pygit2/decl/transport.h:21:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char hash_md5[16];
data/python-pygit2-1.2.1+dfsg1/pygit2/decl/transport.h:22:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char hash_sha1[20];
data/python-pygit2-1.2.1+dfsg1/src/commit.c:169:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tree_id[GIT_OID_HEXSZ + 1] = { 0 };
data/python-pygit2-1.2.1+dfsg1/src/error.c:124:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char hex[GIT_OID_HEXSZ + 1];
data/python-pygit2-1.2.1+dfsg1/src/odb_backend.c:94:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(*ptr, bytes, *sz);
data/python-pygit2-1.2.1+dfsg1/src/odb_backend.c:132:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(*ptr, bytes, *sz);
data/python-pygit2-1.2.1+dfsg1/src/oid.c:137:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char hex[GIT_OID_HEXSZ];
data/python-pygit2-1.2.1+dfsg1/src/oid.c:177:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(self->oid.id, (const unsigned char*)bytes, len);
data/python-pygit2-1.2.1+dfsg1/src/wildmatch.c:44:23:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const unsigned char sane_ctype[256] = {
data/python-pygit2-1.2.1+dfsg1/src/diff.c:1038:52:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int err = git_diff_from_buffer(&diff, content, strlen(content));
data/python-pygit2-1.2.1+dfsg1/src/object.c:274:20:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it.
  res = (equal) ? Py_False : Py_True;
data/python-pygit2-1.2.1+dfsg1/src/object.c:277:20:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it.
  res = (equal) ? Py_True : Py_False;
data/python-pygit2-1.2.1+dfsg1/src/odb.c:296:17:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  METHOD(Odb, read, METH_O),
data/python-pygit2-1.2.1+dfsg1/src/odb_backend.c:51:15:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  PyObject *read,
data/python-pygit2-1.2.1+dfsg1/src/odb_backend.c:76:38:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  result = PyObject_CallObject(be->read, args);
data/python-pygit2-1.2.1+dfsg1/src/odb_backend.c:383:22:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  Py_CLEAR(be->read);
data/python-pygit2-1.2.1+dfsg1/src/odb_backend.c:463:30:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  err = self->odb_backend->read(&data, &sz, &type, self->odb_backend, &oid);
data/python-pygit2-1.2.1+dfsg1/src/odb_backend.c:642:24:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  METHOD(OdbBackend, read, METH_O),
data/python-pygit2-1.2.1+dfsg1/src/utils.h:47:49:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define to_encoding(x) PyUnicode_DecodeASCII(x, strlen(x), "strict")
data/python-pygit2-1.2.1+dfsg1/src/utils.h:64:57:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define to_unicode(x, encoding, errors) to_unicode_n(x, strlen(x), encoding, errors)

ANALYSIS SUMMARY:

Hits = 21
Lines analyzed = 14606 in approximately 0.36 seconds (40786 lines/second)
Physical Source Lines of Code (SLOC) = 10689
Hits@level = [0]   0 [1]  11 [2]  10 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  21 [1+]  21 [2+]  10 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 1.96464 [1+] 1.96464 [2+] 0.935541 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.