Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_commit.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_diff_hunk.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged.h
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_diff_delta.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_settings.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_remote_collection.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_note.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_branch_collection.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_tag_collection.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_rebase.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_repo.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_submodule_collection.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_patch.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_submodule.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_reference.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_blob.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_branch.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_reference_collection.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_backend.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_signature.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_config.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_diff_line.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_cred.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_tree.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_allocator.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_revwalk.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_diff.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_blame.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_remote.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_object.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_tag.c
Examining data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_index.c

FINAL RESULTS:

data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_branch_collection.c:49:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120).
  Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(ref_name, branch_name);
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_tag_collection.c:53:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120).
  Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(canonical_ref, StringValueCStr(rb_name));
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged.c:157:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char out[40];
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged.h:168:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char out[40];
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_allocator.c:36:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(newstr, str, n);
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_allocator.c:47:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(newstr, str, n);
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_branch_collection.c:48:3:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  Risk is low because the source is a constant string.
  strcpy(ref_name, "refs/");
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_diff_delta.c:59:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char status_char[2];
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_reference.c:73:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char oid[GIT_OID_HEXSZ + 1];
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_tag_collection.c:52:3:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  Risk is low because the source is a constant string.
  strcpy(canonical_ref, "refs/tags/");
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged.c:527:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  is_dotgit = git_path_is_gitfile(path, strlen(path), GIT_PATH_GITFILE_GITMODULES, GIT_PATH_FS_GENERIC);
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged.c:541:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  is_dotgit = git_path_is_gitfile(path, strlen(path), GIT_PATH_GITFILE_GITIGNORE, GIT_PATH_FS_GENERIC);
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged.c:555:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  is_dotgit = git_path_is_gitfile(path, strlen(path), GIT_PATH_GITFILE_GITATTRIBUTES, GIT_PATH_FS_GENERIC);
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged.h:30:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define rb_str_new_utf8(str) rb_enc_str_new(str, strlen(str), rb_utf8_encoding())
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_branch_collection.c:35:43:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strncmp(branch_name, "refs/heads/", strlen("refs/heads/")) == 0 ||
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_branch_collection.c:36:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strncmp(branch_name, "refs/remotes/", strlen("refs/remotes/")) == 0)
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_branch_collection.c:47:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ref_name = xmalloc((strlen(branch_name) + strlen("refs/") + 1) * sizeof(char));
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_branch_collection.c:47:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ref_name = xmalloc((strlen(branch_name) + strlen("refs/") + 1) * sizeof(char));
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_commit.c:45:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return rb_enc_str_new(message, strlen(message), encoding);
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_commit.c:88:41:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  rb_ary_push(pair, rb_enc_str_new(key, strlen(key), encoding));
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_commit.c:91:43:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  rb_ary_push(pair, rb_enc_str_new(value, strlen(value), encoding));
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_commit.c:128:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return rb_enc_str_new(summary, strlen(summary), encoding);
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_signature.c:28:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  rb_enc_str_new(sig->name, strlen(sig->name), encoding));
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_signature.c:31:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  rb_enc_str_new(sig->email, strlen(sig->email), encoding));
data/ruby-rugged-0.28.4.1+ds/ext/rugged/rugged_tag_collection.c:51:57:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char *canonical_ref = xmalloc((RSTRING_LEN(rb_name) + strlen("refs/tags/") + 1) * sizeof(char));

ANALYSIS SUMMARY:

Hits = 25
Lines analyzed = 15529 in approximately 0.36 seconds (43526 lines/second)
Physical Source Lines of Code (SLOC) = 8528
Hits@level = [0]   0 [1]  15 [2]   8 [3]   0 [4]   2 [5]   0
Hits@level+ = [0+]  25 [1+]  25 [2+]  10 [3+]   2 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 2.93152 [1+] 2.93152 [2+] 1.17261 [3+] 0.234522 [4+] 0.234522 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.