Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/r-cran-pki-0.1-7/src/register.c
Examining data/r-cran-pki-0.1-7/src/init.c
Examining data/r-cran-pki-0.1-7/src/pki-x509.c
Examining data/r-cran-pki-0.1-7/src/asn1.c
Examining data/r-cran-pki-0.1-7/src/pki.h
Examining data/r-cran-pki-0.1-7/src/tools.c
FINAL RESULTS:
data/r-cran-pki-0.1-7/src/asn1.c:60:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(RAW(res), d + i, len);
data/r-cran-pki-0.1-7/src/asn1.c:126:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(d + i, RAW(sWhat), len);
data/r-cran-pki-0.1-7/src/asn1.c:173:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(RAW(res), RAW(tmp), LENGTH(res));
data/r-cran-pki-0.1-7/src/asn1.c:202:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char buf[9], *c = buf + 8;
data/r-cran-pki-0.1-7/src/asn1.c:215:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(RAW(res), c, LENGTH(res));
data/r-cran-pki-0.1-7/src/pki-x509.c:187:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char buf[8192];
data/r-cran-pki-0.1-7/src/pki-x509.c:189:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char cipher_name[32];
data/r-cran-pki-0.1-7/src/pki-x509.c:348:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(RAW(res), buf, len);
data/r-cran-pki-0.1-7/src/pki-x509.c:394:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(RAW(res), buf, len);
data/r-cran-pki-0.1-7/src/pki-x509.c:404:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char hash[32]; /* really, at most 20 bytes are needed */
data/r-cran-pki-0.1-7/src/pki-x509.c:436:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(RAW(res), hash, len);
data/r-cran-pki-0.1-7/src/pki-x509.c:480:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(RAW(res), buf, siglen);
data/r-cran-pki-0.1-7/src/pki-x509.c:667:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(RAW(res), buf, sl);
data/r-cran-pki-0.1-7/src/tools.c:4:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char stbuf[1024];
data/r-cran-pki-0.1-7/src/tools.c:31:6: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char hv[3];
data/r-cran-pki-0.1-7/src/pki-x509.c:207:6: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(cipher) > sizeof(cipher_name) - 1)
data/r-cran-pki-0.1-7/src/pki-x509.c:248:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
int iv_len = strlen(c_iv);
data/r-cran-pki-0.1-7/src/pki-x509.c:261:16: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
key_len = strlen(c_key);
data/r-cran-pki-0.1-7/src/pki-x509.c:415:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
what_len = strlen((const char*) what);
data/r-cran-pki-0.1-7/src/tools.c:40:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
sl = strlen(sep);
ANALYSIS SUMMARY:
Hits = 20
Lines analyzed = 1121 in approximately 0.06 seconds (19926 lines/second)
Physical Source Lines of Code (SLOC) = 1028
Hits@level = [0] 0 [1] 5 [2] 15 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 20 [1+] 20 [2+] 15 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 19.4553 [1+] 19.4553 [2+] 14.5914 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.