Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/config.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/lib/crypto/crypto_scrypt.c
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/lib/crypto/crypto_scrypt.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/lib/crypto/crypto_scrypt_smix.c
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/lib/crypto/crypto_scrypt_smix.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/lib/crypto/crypto_scrypt_smix_sse2.c
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/lib/crypto/crypto_scrypt_smix_sse2.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/lib/scryptenc/scryptenc.c
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/lib/scryptenc/scryptenc.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/lib/scryptenc/scryptenc_cpuperf.c
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/lib/scryptenc/scryptenc_cpuperf.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/lib/util/memlimit.c
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/lib/util/memlimit.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/alg/sha256.c
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/alg/sha256.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/cpusupport/cpusupport.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/crypto/crypto_aes.c
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/crypto/crypto_aes.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/crypto/crypto_aes_aesni.c
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/crypto/crypto_aes_aesni.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/crypto/crypto_aesctr.c
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/crypto/crypto_aesctr.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/crypto/crypto_entropy.c
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/crypto/crypto_entropy.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/util/entropy.c
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/util/entropy.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/util/insecure_memzero.c
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/util/insecure_memzero.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/util/sysendian.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/util/warnp.c
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/util/warnp.h
Examining data/python-scrypt-0.8.0/scrypt-1.2.0/scrypt_platform.h
Examining data/python-scrypt-0.8.0/src/scrypt.c

FINAL RESULTS:

data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/util/warnp.c:57:3:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  vfprintf(stderr, fmt, ap);
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/util/warnp.c:72:3:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  vfprintf(stderr, fmt, ap);
data/python-scrypt-0.8.0/scrypt-1.2.0/lib/scryptenc/scryptenc.c:191:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(header, "scrypt", 6);
data/python-scrypt-0.8.0/scrypt-1.2.0/lib/scryptenc/scryptenc.c:196:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&header[16], salt, 32);
data/python-scrypt-0.8.0/scrypt-1.2.0/lib/scryptenc/scryptenc.c:202:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&header[48], hbuf, 16);
data/python-scrypt-0.8.0/scrypt-1.2.0/lib/scryptenc/scryptenc.c:208:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&header[64], hbuf, 32);
data/python-scrypt-0.8.0/scrypt-1.2.0/lib/scryptenc/scryptenc.c:234:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(salt, &header[16], 32);
data/python-scrypt-0.8.0/scrypt-1.2.0/lib/scryptenc/scryptenc.c:294:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(outbuf, header, 96);
data/python-scrypt-0.8.0/scrypt-1.2.0/lib/scryptenc/scryptenc.c:309:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&outbuf[96 + inbuflen], hbuf, 32);
data/python-scrypt-0.8.0/scrypt-1.2.0/lib/util/memlimit.c:91:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&sysctlval, sysctlbuf, sizeof(uint64_t));
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/alg/sha256.c:87:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(S, state, 32);
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/alg/sha256.c:213:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(ctx->state, initstate, sizeof(initstate));
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/alg/sha256.c:238:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&ctx->buf[r], src, len);
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/alg/sha256.c:243:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&ctx->buf[r], src, 64 - r);
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/alg/sha256.c:256:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(ctx->buf, src, len);
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/alg/sha256.c:415:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/alg/sha256.c:420:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(T, U, 32);
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/alg/sha256.c:437:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&buf[i * 32], T, clen);
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/crypto/crypto_entropy.c:80:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(K, drbg.Key, 32);
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/crypto/crypto_entropy.c:81:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(Vx, drbg.V, 32);
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/crypto/crypto_entropy.c:107:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(drbg.Key, K, 32);
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/crypto/crypto_entropy.c:108:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(drbg.V, Vx, 32);
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/crypto/crypto_entropy.c:160:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&buf[bufpos], drbg.V, 32);
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/crypto/crypto_entropy.c:162:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&buf[bufpos], drbg.V, buflen - bufpos);
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/util/entropy.c:43:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  if ((fd = open("/dev/urandom", O_RDONLY)) == -1) {
data/python-scrypt-0.8.0/scrypt-1.2.0/lib/crypto/crypto_scrypt.c:199:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (const uint8_t *)testcase.passwd, strlen(testcase.passwd),
data/python-scrypt-0.8.0/scrypt-1.2.0/lib/crypto/crypto_scrypt.c:200:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (const uint8_t *)testcase.salt, strlen(testcase.salt),
data/python-scrypt-0.8.0/scrypt-1.2.0/libcperciva/util/entropy.c:50:18:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  if ((lenread = read(fd, buf, buflen)) == -1) {

ANALYSIS SUMMARY:

Hits = 28
Lines analyzed = 4228 in approximately 0.14 seconds (30698 lines/second)
Physical Source Lines of Code (SLOC) = 2313
Hits@level = [0]  16 [1]   3 [2]  23 [3]   0 [4]   2 [5]   0
Hits@level+ = [0+]  44 [1+]  28 [2+]  25 [3+]   2 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 19.0229 [1+] 12.1055 [2+] 10.8085 [3+] 0.864678 [4+] 0.864678 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.