Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/r-cran-testthat-3.0.0/src/reassign.c
Examining data/r-cran-testthat-3.0.0/src/test-example.cpp
Examining data/r-cran-testthat-3.0.0/src/init.c
Examining data/r-cran-testthat-3.0.0/src/test-runner.cpp
Examining data/r-cran-testthat-3.0.0/src/test-catch.cpp
Examining data/r-cran-testthat-3.0.0/inst/resources/test-example.cpp
Examining data/r-cran-testthat-3.0.0/inst/resources/test-runner.cpp
Examining data/r-cran-testthat-3.0.0/inst/include/testthat.h
Examining data/r-cran-testthat-3.0.0/inst/include/testthat/testthat.h
Examining data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h
FINAL RESULTS:
data/r-cran-testthat-3.0.0/inst/include/testthat/testthat.h:56:13: [3] (random) srand:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
inline void srand(unsigned) {}
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:8653:13: [3] (random) srand:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
srand( config.rngSeed() );
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:1594:23: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
struct TrueType { char sizer[1]; };
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:1595:24: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
struct FalseType { char sizer[2]; };
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:3185:13: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char storage[sizeof(T)];
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:6161:14: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
void open() {
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:6255:17: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
open();
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:6301:26: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
tracker->open();
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:6490:16: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char altStackMem[SIGSTKSZ];
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:7084:35: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char **utf8Argv = new char *[ argc ];
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:7584:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char data[bufferSize];
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:7621:15: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
m_ofs.open( filename.c_str() );
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:8856:21: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char asChar[sizeof (int)];
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:9491:13: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[maxDoubleSize];
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:9498:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(buffer, "%.3f", duration);
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:9724:16: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char line[CATCH_CONFIG_CONSOLE_WIDTH] = {0};
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:10304:13: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char timeStamp[timeStampSize];
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:8577:50: [1] (buffer) equal:
Function does not check the second iterator for over-read conditions
(CWE-126). This function is often discouraged by most C++ coding standards
in favor of its safer alternatives provided since C++14. Consider using a
form of this function that checks the second iterator before potentially
overflowing it.
return s.size() >= prefix.size() && std::equal(prefix.begin(), prefix.end(), s.begin());
data/r-cran-testthat-3.0.0/inst/include/testthat/vendor/catch.h:8583:50: [1] (buffer) equal:
Function does not check the second iterator for over-read conditions
(CWE-126). This function is often discouraged by most C++ coding standards
in favor of its safer alternatives provided since C++14. Consider using a
form of this function that checks the second iterator before potentially
overflowing it.
return s.size() >= suffix.size() && std::equal(suffix.rbegin(), suffix.rend(), s.rbegin());
ANALYSIS SUMMARY:
Hits = 19
Lines analyzed = 11936 in approximately 0.25 seconds (47930 lines/second)
Physical Source Lines of Code (SLOC) = 9311
Hits@level = [0] 0 [1] 2 [2] 15 [3] 2 [4] 0 [5] 0
Hits@level+ = [0+] 19 [1+] 19 [2+] 17 [3+] 2 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 2.0406 [1+] 2.0406 [2+] 1.8258 [3+] 0.2148 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.