Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/php_twig.h
Examining data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c
Examining data/simplesamlphp-1.18.8/vendor/symfony/debug/Resources/ext/symfony_debug.c
Examining data/simplesamlphp-1.18.8/vendor/symfony/debug/Resources/ext/php_symfony_debug.h
FINAL RESULTS:
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:1006:3: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(tmp_method_name_get, "get%s", lcItem);
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:1007:3: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(tmp_method_name_is, "is%s", lcItem);
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:1011:3: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(methodForDeprecation, "%s", item);
data/simplesamlphp-1.18.8/vendor/symfony/debug/Resources/ext/symfony_debug.c:99:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char hash[33] = {0};
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:132:35: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (zend_lookup_class(interface, strlen(interface), &pce TSRMLS_CC) == FAILURE) {
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:267:57: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
tmp_zval = zend_std_get_static_property(ce, prop_name, strlen(prop_name), 0, NULL TSRMLS_CC);
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:269:57: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
tmp_zval = zend_std_get_static_property(ce, prop_name, strlen(prop_name), 0 TSRMLS_CC);
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:489:31: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (zend_lookup_class(class, strlen(class), &pce TSRMLS_CC) == FAILURE) {
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:555:46: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (zend_lookup_class("Twig_Error_Runtime", strlen("Twig_Error_Runtime"), &pce TSRMLS_CC) == FAILURE) {
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:630:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
item_len = strlen(mptr->common.function_name);
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:636:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (zend_lookup_class("Twig_Template", strlen("Twig_Template"), &twig_template_ce TSRMLS_CC) == FAILURE) {
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:909:65: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
tmp_class = TWIG_GET_ARRAY_ELEMENT(tmp_self_cache, class_name, strlen(class_name) TSRMLS_CC);
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:913:66: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
tmp_class = TWIG_GET_ARRAY_ELEMENT(tmp_self_cache, class_name, strlen(class_name) TSRMLS_CC);
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:936:68: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
tmp_properties = TWIG_GET_ARRAY_ELEMENT(tmp_class, "properties", strlen("properties") TSRMLS_CC);
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:1002:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
lcItem_length = strlen(lcItem);
data/simplesamlphp-1.18.8/vendor/twig/twig/ext/twig/twig.c:1009:62: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
tmp_methods = TWIG_GET_ARRAY_ELEMENT(tmp_class, "methods", strlen("methods") TSRMLS_CC);
ANALYSIS SUMMARY:
Hits = 16
Lines analyzed = 1595 in approximately 0.52 seconds (3043 lines/second)
Physical Source Lines of Code (SLOC) = 1138
Hits@level = [0] 0 [1] 12 [2] 1 [3] 0 [4] 3 [5] 0
Hits@level+ = [0+] 16 [1+] 16 [2+] 4 [3+] 3 [4+] 3 [5+] 0
Hits/KSLOC@level+ = [0+] 14.0598 [1+] 14.0598 [2+] 3.51494 [3+] 2.6362 [4+] 2.6362 [5+] 0
Symlinks skipped = 1 (--allowlink overrides but see doc for security issue)
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.