Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/ruby-mysql2-0.5.3/ext/mysql2/client.h
Examining data/ruby-mysql2-0.5.3/ext/mysql2/infile.c
Examining data/ruby-mysql2-0.5.3/ext/mysql2/infile.h
Examining data/ruby-mysql2-0.5.3/ext/mysql2/mysql2_ext.c
Examining data/ruby-mysql2-0.5.3/ext/mysql2/mysql2_ext.h
Examining data/ruby-mysql2-0.5.3/ext/mysql2/mysql_enc_name_to_ruby.h
Examining data/ruby-mysql2-0.5.3/ext/mysql2/mysql_enc_to_ruby.h
Examining data/ruby-mysql2-0.5.3/ext/mysql2/result.c
Examining data/ruby-mysql2-0.5.3/ext/mysql2/result.h
Examining data/ruby-mysql2-0.5.3/ext/mysql2/statement.c
Examining data/ruby-mysql2-0.5.3/ext/mysql2/statement.h
Examining data/ruby-mysql2-0.5.3/ext/mysql2/wait_for_single_fd.h
Examining data/ruby-mysql2-0.5.3/ext/mysql2/client.c

FINAL RESULTS:

data/ruby-mysql2-0.5.3/ext/mysql2/client.c:233:16:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  int sockfd = open("/dev/null", O_RDWR | O_CLOEXEC);
data/ruby-mysql2-0.5.3/ext/mysql2/client.c:245:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  sockfd = open("/dev/null", O_RDWR);
data/ruby-mysql2-0.5.3/ext/mysql2/infile.c:14:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char error[ERROR_LEN];
data/ruby-mysql2-0.5.3/ext/mysql2/infile.c:42:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or
  change its contents? (CWE-362).
  data->fd = open(filename, O_RDONLY);
data/ruby-mysql2-0.5.3/ext/mysql2/result.c:571:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char msec_char[7] = {'0','0','0','0','0','0','\0'};
data/ruby-mysql2-0.5.3/ext/mysql2/result.c:593:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char msec_char[7] = {'0','0','0','0','0','0','\0'};
data/ruby-mysql2-0.5.3/ext/mysql2/infile.c:64:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  count = (int)read(data->fd, buf, buf_len);
data/ruby-mysql2-0.5.3/ext/mysql2/result.c:573:20:  [1] (buffer) sscanf:
  It's unclear if the %s limit in the format string is small enough
  (CWE-120). Check that the limit is sufficiently small, or use a
  different input function.
  tokens = sscanf(row[i], "%2u:%2u:%2u.%6s", &hour, &min, &sec, msec_char);
data/ruby-mysql2-0.5.3/ext/mysql2/result.c:596:20:  [1] (buffer) sscanf:
  It's unclear if the %s limit in the format string is small enough
  (CWE-120). Check that the limit is sufficiently small, or use a
  different input function.
  tokens = sscanf(row[i], "%4u-%2u-%2u %2u:%2u:%2u.%6s", &year, &month, &day, &hour, &min, &sec, msec_char);

ANALYSIS SUMMARY:

Hits = 9
Lines analyzed = 4039 in approximately 0.14 seconds (29666 lines/second)
Physical Source Lines of Code (SLOC) = 3072
Hits@level = [0]   8 [1]   3 [2]   6 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  17 [1+]   9 [2+]   6 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 5.53385 [1+] 2.92969 [2+] 1.95312 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.