Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/skstream-0.3.9/skstream/skserver.h
Examining data/skstream-0.3.9/skstream/skstream.cpp
Examining data/skstream-0.3.9/skstream/skstream_unix.h
Examining data/skstream-0.3.9/skstream/sksocket.h
Examining data/skstream-0.3.9/skstream/skpoll.h
Examining data/skstream-0.3.9/skstream/skserver_unix.h
Examining data/skstream-0.3.9/skstream/skserver.cpp
Examining data/skstream-0.3.9/skstream/skstream.h
Examining data/skstream-0.3.9/skstream/skpoll.cpp
Examining data/skstream-0.3.9/skstream/skaddress.h
Examining data/skstream-0.3.9/skstream/skstreamconfig.h
Examining data/skstream-0.3.9/skstream/skaddress.cpp
Examining data/skstream-0.3.9/skstream/sksocket.cpp
Examining data/skstream-0.3.9/skstream/sasproto.h
Examining data/skstream-0.3.9/test/skstreamtestrunner.cpp
Examining data/skstream-0.3.9/test/basicskstreamtest.h
Examining data/skstream-0.3.9/test/skservertest.h
Examining data/skstream-0.3.9/test/childskstreamtest.h
Examining data/skstream-0.3.9/test/socketbuftest.h
Examining data/skstream-0.3.9/ping/ping.cpp
Examining data/skstream-0.3.9/ping/ping.h
Examining data/skstream-0.3.9/tools/cat.cpp

FINAL RESULTS:

data/skstream-0.3.9/tools/cat.cpp:58:17: [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt(argc, argv, "nv");

data/skstream-0.3.9/ping/ping.cpp:155:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char hbuf[NI_MAXHOST];

data/skstream-0.3.9/ping/ping.cpp:215:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char hbuf[NI_MAXHOST];

data/skstream-0.3.9/ping/ping.h:43:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char cData[REQ_DATASIZE];

data/skstream-0.3.9/skstream/skserver.cpp:155:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  ::memcpy(&iaddr, i->ai_addr, i->ai_addrlen);

data/skstream-0.3.9/skstream/skserver.cpp:170:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char serviceName[32];

data/skstream-0.3.9/skstream/skserver.cpp:172:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  ::sprintf(serviceName, "%d", service);

data/skstream-0.3.9/skstream/skserver.cpp:214:24: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int tcp_socket_server::open(int service)

data/skstream-0.3.9/skstream/skserver.cpp:234:24: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int tcp_socket_server::open(struct addrinfo * i)

data/skstream-0.3.9/skstream/skserver.cpp:263:24: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int udp_socket_server::open(int service)

data/skstream-0.3.9/skstream/skserver.cpp:301:25: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int unix_socket_server::open(const std::string & service) {

data/skstream-0.3.9/skstream/skserver.h:107:7: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int open(int service);

data/skstream-0.3.9/skstream/skserver.h:108:7: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int open(struct addrinfo *);

data/skstream-0.3.9/skstream/skserver.h:119:5: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  open(service);

data/skstream-0.3.9/skstream/skserver.h:125:7: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int open(int service);

data/skstream-0.3.9/skstream/skserver_unix.h:45:5: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  open(service);

data/skstream-0.3.9/skstream/skserver_unix.h:53:7: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int open(const std::string & service);

data/skstream-0.3.9/skstream/skstream.cpp:380:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char portName[32];

data/skstream-0.3.9/skstream/skstream.cpp:382:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  ::sprintf(portName, "%d", port);

data/skstream-0.3.9/skstream/skstream.cpp:396:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  ::memcpy(&out_peer, i->ai_addr, i->ai_addrlen);

data/skstream-0.3.9/skstream/skstream.cpp:674:3: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  open(address, service, nonblock);

data/skstream-0.3.9/skstream/skstream.cpp:683:3: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  open(address, service, milliseconds);

data/skstream-0.3.9/skstream/skstream.cpp:693:24: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int tcp_socket_stream::open(const std::string & address,

data/skstream-0.3.9/skstream/skstream.cpp:707:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char serviceName[32];

data/skstream-0.3.9/skstream/skstream.cpp:709:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  ::sprintf(serviceName, "%d", service);

data/skstream-0.3.9/skstream/skstream.cpp:772:24: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int tcp_socket_stream::open(const std::string & address, int service,

data/skstream-0.3.9/skstream/skstream.cpp:775:7: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (open(address, service, true) != 0) {

data/skstream-0.3.9/skstream/skstream.cpp:786:24: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int tcp_socket_stream::open(struct addrinfo * i, bool nonblock)

data/skstream-0.3.9/skstream/skstream.cpp:913:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char hbuf[NI_MAXHOST];

data/skstream-0.3.9/skstream/skstream.cpp:929:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char sbuf[NI_MAXSERV];

data/skstream-0.3.9/skstream/skstream.cpp:1032:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char serviceName[32];

data/skstream-0.3.9/skstream/skstream.cpp:1034:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  ::sprintf(serviceName, "%d", service);

data/skstream-0.3.9/skstream/skstream.cpp:1091:24: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int udp_socket_stream::open(int service)

data/skstream-0.3.9/skstream/skstream.cpp:1126:3: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  open(address, nonblock);

data/skstream-0.3.9/skstream/skstream.cpp:1132:3: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  open(address, milliseconds);

data/skstream-0.3.9/skstream/skstream.cpp:1138:3: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  open(other, nonblock);

data/skstream-0.3.9/skstream/skstream.cpp:1150:26: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  void unix_socket_stream::open(const std::string & address, bool nonblock)

data/skstream-0.3.9/skstream/skstream.cpp:1203:26: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  void unix_socket_stream::open(const std::string & address,

data/skstream-0.3.9/skstream/skstream.cpp:1206:3: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  open(address, true);

data/skstream-0.3.9/skstream/skstream.cpp:1212:26: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  void unix_socket_stream::open(unix_socket_stream & other, bool nonblock)

data/skstream-0.3.9/skstream/skstream.h:307:7: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int open(const std::string& address, int service, bool nonblock = false);

data/skstream-0.3.9/skstream/skstream.h:308:7: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int open(const std::string& address, int service, unsigned int milliseconds);

data/skstream-0.3.9/skstream/skstream.h:309:7: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int open(struct addrinfo *, bool nonblock = false);

data/skstream-0.3.9/skstream/skstream.h:376:7: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int open(int service);

data/skstream-0.3.9/skstream/skstream_unix.h:59:8: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  void open(const std::string& address, bool nonblock = false);

data/skstream-0.3.9/skstream/skstream_unix.h:60:8: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  void open(const std::string& address, unsigned int milliseconds);

data/skstream-0.3.9/skstream/skstream_unix.h:61:8: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  void open(unix_socket_stream & other, bool nonblock = false);

data/skstream-0.3.9/test/childskstreamtest.h:154:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  skstream->open(hostname, port);

data/skstream-0.3.9/test/childskstreamtest.h:172:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  skstream->open(hostname, port, true);

data/skstream-0.3.9/test/skservertest.h:125:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  skserver->open(7777);

data/skstream-0.3.9/test/skservertest.h:175:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  skserver->open(7777);

data/skstream-0.3.9/tools/cat.cpp:35:12: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char buffer[BUF_SIZE];

data/skstream-0.3.9/tools/cat.cpp:90:8: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  s->open(argv[optind], port, option_nonblock);

data/skstream-0.3.9/tools/cat.cpp:154:20: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char buffer[BUF_SIZE];

data/skstream-0.3.9/ping/ping.cpp:189:8: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  sock.read((char*)&reply,sizeof(ECHO_REPLY));

data/skstream-0.3.9/skstream/skserver.cpp:318:3: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(sa.sun_path, service.c_str(), 108);

data/skstream-0.3.9/skstream/skstream.cpp:1177:3: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(sa.sun_path, address.c_str(), sizeof(sa.sun_path));

ANALYSIS SUMMARY:

Hits = 57
Lines analyzed = 4573 in approximately 0.14 seconds (33427 lines/second)
Physical Source Lines of Code (SLOC) = 2619
Hits@level = [0] 2 [1] 3 [2] 53 [3] 1 [4] 0 [5] 0
Hits@level+ = [0+] 59 [1+] 57 [2+] 54 [3+] 1 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 22.5277 [1+] 21.764 [2+] 20.6186 [3+] 0.381825 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.