Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/ruby-bcrypt-3.1.15/ext/mri/crypt_blowfish.h
Examining data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c
Examining data/ruby-bcrypt-3.1.15/ext/mri/crypt_gensalt.c
Examining data/ruby-bcrypt-3.1.15/ext/mri/crypt.h
Examining data/ruby-bcrypt-3.1.15/ext/mri/crypt_gensalt.h
Examining data/ruby-bcrypt-3.1.15/ext/mri/crypt_blowfish.c
Examining data/ruby-bcrypt-3.1.15/ext/mri/bcrypt_ext.c
Examining data/ruby-bcrypt-3.1.15/ext/mri/ow-crypt.h
Examining data/ruby-bcrypt-3.1.15/ext/mri/crypt.c
FINAL RESULTS:
data/ruby-bcrypt-3.1.15/ext/mri/ow-crypt.h:26:14: [4] (crypto) crypt:
The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
with a larger, non-repeating salt.
extern char *crypt(__const char *key, __const char *setting);
data/ruby-bcrypt-3.1.15/ext/mri/ow-crypt.h:27:14: [4] (crypto) crypt_r:
The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
with a larger, non-repeating salt.
extern char *crypt_r(__const char *key, __const char *setting, void *data);
data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c:182:7: [4] (crypto) crypt_r:
The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
with a larger, non-repeating salt.
char *crypt_r(const char *key, const char *setting, void *data)
data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c:189:7: [4] (crypto) crypt:
The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
with a larger, non-repeating salt.
char *crypt(const char *key, const char *setting)
data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c:272:23: [4] (crypto) crypt_r:
The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
with a larger, non-repeating salt.
weak_alias(__crypt_r, crypt_r)
data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c:273:21: [4] (crypto) crypt:
The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
with a larger, non-repeating salt.
weak_alias(__crypt, crypt)
data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c:277:12: [4] (crypto) crypt:
The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
with a larger, non-repeating salt.
weak_alias(crypt, fcrypt)
data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c:440:7: [4] (crypto) crypt:
The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
with a larger, non-repeating salt.
p = crypt(key, setting);
data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c:446:20: [4] (crypto) crypt:
The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
with a larger, non-repeating salt.
if (ok && strcmp(crypt(key, hash), hash)) {
data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c:454:4: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(o_buf, x);
data/ruby-bcrypt-3.1.15/ext/mri/crypt_blowfish.c:364:23: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const unsigned char BF_itoa64[64 + 1] =
data/ruby-bcrypt-3.1.15/ext/mri/crypt_blowfish.c:367:17: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static unsigned char BF_atoi64[0x60] = {
data/ruby-bcrypt-3.1.15/ext/mri/crypt_blowfish.c:641:23: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const unsigned char flags_by_subtype[26] =
data/ruby-bcrypt-3.1.15/ext/mri/crypt_blowfish.c:764:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(output, setting, 7 + 22 - 1);
data/ruby-bcrypt-3.1.15/ext/mri/crypt_blowfish.c:817:15: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const char * const test_hashes[2] =
data/ruby-bcrypt-3.1.15/ext/mri/crypt_blowfish.c:825:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char s[7 + 22 + 1];
data/ruby-bcrypt-3.1.15/ext/mri/crypt_blowfish.c:826:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char o[7 + 22 + 31 + 1 + 1 + 1];
data/ruby-bcrypt-3.1.15/ext/mri/crypt_gensalt.c:31:16: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char _crypt_itoa64[64 + 1] =
data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c:191:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char output[CRYPT_OUTPUT_SIZE];
data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c:242:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char output[CRYPT_GENSALT_OUTPUT_SIZE];
data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c:263:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char output[CRYPT_GENSALT_OUTPUT_SIZE];
data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c:432:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char s_buf[30], o_buf[61];
data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c:391:18: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (setting && strlen(hash) < 30) /* not for benchmark */
data/ruby-bcrypt-3.1.15/ext/mri/wrapper.c:430:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
int ok = !setting || strlen(hash) >= 30;
ANALYSIS SUMMARY:
Hits = 24
Lines analyzed = 1826 in approximately 0.07 seconds (24854 lines/second)
Physical Source Lines of Code (SLOC) = 1353
Hits@level = [0] 7 [1] 2 [2] 12 [3] 0 [4] 10 [5] 0
Hits@level+ = [0+] 31 [1+] 24 [2+] 22 [3+] 10 [4+] 10 [5+] 0
Hits/KSLOC@level+ = [0+] 22.912 [1+] 17.7384 [2+] 16.2602 [3+] 7.39098 [4+] 7.39098 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.