stdin

Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/rust-tree-sitter-0.17.1/include/tree_sitter/api.h
Examining data/rust-tree-sitter-0.17.1/include/tree_sitter/parser.h
Examining data/rust-tree-sitter-0.17.1/src/alloc.h
Examining data/rust-tree-sitter-0.17.1/src/array.h
Examining data/rust-tree-sitter-0.17.1/src/atomic.h
Examining data/rust-tree-sitter-0.17.1/src/bits.h
Examining data/rust-tree-sitter-0.17.1/src/clock.h
Examining data/rust-tree-sitter-0.17.1/src/error_costs.h
Examining data/rust-tree-sitter-0.17.1/src/get_changed_ranges.c
Examining data/rust-tree-sitter-0.17.1/src/get_changed_ranges.h
Examining data/rust-tree-sitter-0.17.1/src/language.c
Examining data/rust-tree-sitter-0.17.1/src/language.h
Examining data/rust-tree-sitter-0.17.1/src/length.h
Examining data/rust-tree-sitter-0.17.1/src/lexer.c
Examining data/rust-tree-sitter-0.17.1/src/lexer.h
Examining data/rust-tree-sitter-0.17.1/src/lib.c
Examining data/rust-tree-sitter-0.17.1/src/node.c
Examining data/rust-tree-sitter-0.17.1/src/parser.c
Examining data/rust-tree-sitter-0.17.1/src/point.h
Examining data/rust-tree-sitter-0.17.1/src/query.c
Examining data/rust-tree-sitter-0.17.1/src/reduce_action.h
Examining data/rust-tree-sitter-0.17.1/src/reusable_node.h
Examining data/rust-tree-sitter-0.17.1/src/stack.c
Examining data/rust-tree-sitter-0.17.1/src/stack.h
Examining data/rust-tree-sitter-0.17.1/src/subtree.c
Examining data/rust-tree-sitter-0.17.1/src/subtree.h
Examining data/rust-tree-sitter-0.17.1/src/tree.c
Examining data/rust-tree-sitter-0.17.1/src/tree.h
Examining data/rust-tree-sitter-0.17.1/src/tree_cursor.c
Examining data/rust-tree-sitter-0.17.1/src/tree_cursor.h
Examining data/rust-tree-sitter-0.17.1/src/unicode/ptypes.h
Examining data/rust-tree-sitter-0.17.1/src/unicode/umachine.h
Examining data/rust-tree-sitter-0.17.1/src/unicode/urename.h
Examining data/rust-tree-sitter-0.17.1/src/unicode/utf.h
Examining data/rust-tree-sitter-0.17.1/src/unicode/utf16.h
Examining data/rust-tree-sitter-0.17.1/src/unicode/utf8.h
Examining data/rust-tree-sitter-0.17.1/src/unicode.h

FINAL RESULTS:

data/rust-tree-sitter-0.17.1/src/lexer.c:9:5:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use
  a constant for the format specification.
    snprintf(                                \
data/rust-tree-sitter-0.17.1/src/parser.c:24:5:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use
  a constant for the format specification.
    snprintf(self->lexer.debug_buffer, TREE_SITTER_SERIALIZATION_BUFFER_SIZE, __VA_ARGS__); \
data/rust-tree-sitter-0.17.1/src/array.h:164:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(self->contents, other->contents, self->size * element_size);
data/rust-tree-sitter-0.17.1/src/array.h:203:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(
data/rust-tree-sitter-0.17.1/src/lexer.c:380:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(self->included_ranges, ranges, size);
data/rust-tree-sitter-0.17.1/src/lexer.h:30:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char debug_buffer[TREE_SITTER_SERIALIZATION_BUFFER_SIZE];
data/rust-tree-sitter-0.17.1/src/query.c:437:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&self->characters.contents[slice.offset], name, length);
data/rust-tree-sitter-0.17.1/src/subtree.c:32:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(self->long_data, data, length);
data/rust-tree-sitter-0.17.1/src/subtree.c:34:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(self->short_data, data, length);
data/rust-tree-sitter-0.17.1/src/subtree.c:42:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(result.long_data, self->long_data, self->length);
data/rust-tree-sitter-0.17.1/src/subtree.c:76:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(dest->contents, self.contents, self.size * sizeof(Subtree));
data/rust-tree-sitter-0.17.1/src/subtree.c:262:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(new_children, old_children, alloc_size);
data/rust-tree-sitter-0.17.1/src/subtree.c:951:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char scratch_string[1];
data/rust-tree-sitter-0.17.1/src/subtree.h:33:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char short_data[24];
data/rust-tree-sitter-0.17.1/src/tree.c:21:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(result->included_ranges, included_ranges, included_range_count * sizeof(TSRange));
data/rust-tree-sitter-0.17.1/include/tree_sitter/api.h:69:17:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  const char *(*read)(void *payload, uint32_t byte_index, TSPoint position, uint32_t *bytes_read);
data/rust-tree-sitter-0.17.1/src/lexer.c:59:29:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  self->chunk = self->input.read(
data/rust-tree-sitter-0.17.1/src/parser.c:1815:33:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  if (!self->language || !input.read) return NULL;

ANALYSIS SUMMARY:

Hits = 18
Lines analyzed = 14145 in approximately 0.32 seconds (44755 lines/second)
Physical Source Lines of Code (SLOC) = 9913
Hits@level = [0]  84 [1]   3 [2]  13 [3]   0 [4]   2 [5]   0
Hits@level+ = [0+] 102 [1+]  18 [2+]  15 [3+]   2 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 10.2895 [1+] 1.8158 [2+] 1.51316 [3+] 0.201755 [4+] 0.201755 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.