stdin

Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/ruby-dataobjects-sqlite3-0.10.17/ext/do_sqlite3/do_common.h
Examining data/ruby-dataobjects-sqlite3-0.10.17/ext/do_sqlite3/do_sqlite3_extension.c
Examining data/ruby-dataobjects-sqlite3-0.10.17/ext/do_sqlite3/do_sqlite3.c
Examining data/ruby-dataobjects-sqlite3-0.10.17/ext/do_sqlite3/compat.h
Examining data/ruby-dataobjects-sqlite3-0.10.17/ext/do_sqlite3/do_sqlite3.h
Examining data/ruby-dataobjects-sqlite3-0.10.17/ext/do_sqlite3/error.h
Examining data/ruby-dataobjects-sqlite3-0.10.17/ext/do_sqlite3/do_common.c

FINAL RESULTS:

data/ruby-dataobjects-sqlite3-0.10.17/ext/do_sqlite3/do_common.c:185:11:  [4] (buffer) sscanf:
  The scanf() family's %s operation, without a limit specification, permits
  buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
  different input function. If the scanf format is influenceable by an
  attacker, it's exploitable.
  switch (sscanf(date, _fmt_date, &year, &month, &day)) {
data/ruby-dataobjects-sqlite3-0.10.17/ext/do_sqlite3/do_common.c:203:11:  [4] (buffer) sscanf:
  The scanf() family's %s operation, without a limit specification, permits
  buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
  different input function. If the scanf format is influenceable by an
  attacker, it's exploitable.
  switch (sscanf(date, _fmt_datetime, &year, &month, &day, &hour, &min, &sec, &subsec)) {
data/ruby-dataobjects-sqlite3-0.10.17/ext/do_sqlite3/do_common.c:245:18:  [4] (buffer) sscanf:
  The scanf() family's %s operation, without a limit specification, permits
  buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
  different input function. If the scanf format is influenceable by an
  attacker, it's exploitable.
  tokens_read  = sscanf(date, fmt_datetime, &year, &month, &day, &hour, &min, &sec, &hour_offset, &minute_offset);

ANALYSIS SUMMARY:

Hits = 3
Lines analyzed = 1339 in approximately 0.05 seconds (25456 lines/second)
Physical Source Lines of Code (SLOC) = 991
Hits@level = [0]   0 [1]   0 [2]   0 [3]   0 [4]   3 [5]   0
Hits@level+ = [0+]   3 [1+]   3 [2+]   3 [3+]   3 [4+]   3 [5+]   0
Hits/KSLOC@level+ = [0+] 3.02725 [1+] 3.02725 [2+] 3.02725 [3+] 3.02725 [4+] 3.02725 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.