Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/timblserver-1.14/src/ClientBase.cxx
Examining data/timblserver-1.14/src/TimblThread.cxx
Examining data/timblserver-1.14/src/TcpServer.cxx
Examining data/timblserver-1.14/src/HttpServer.cxx
Examining data/timblserver-1.14/src/JsonServer.cxx
Examining data/timblserver-1.14/src/TimblClient.cxx
Examining data/timblserver-1.14/src/TimblServer.cxx
Examining data/timblserver-1.14/include/timblserver/ClientBase.h
Examining data/timblserver-1.14/include/timblserver/TimblServer.h
Examining data/timblserver-1.14/demos/sockettestClient.cxx
Examining data/timblserver-1.14/demos/sockettestServer.cxx
FINAL RESULTS:
data/timblserver-1.14/demos/sockettestClient.cxx:83:16: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
long int r = random();
data/timblserver-1.14/demos/sockettestServer.cxx:70:16: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
long int r = random();
data/timblserver-1.14/demos/sockettestServer.cxx:51:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char line[256];
data/timblserver-1.14/demos/sockettestServer.cxx:52:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf( line, "Server: Thread %lu, on Socket %d",
data/timblserver-1.14/demos/sockettestServer.cxx:87:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char line[256];
data/timblserver-1.14/demos/sockettestServer.cxx:88:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf( line, "ToServer: Thread %lu, on Socket %d",
data/timblserver-1.14/src/HttpServer.cxx:88:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char logLine[256];
data/timblserver-1.14/src/HttpServer.cxx:89:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf( logLine, "Thread %lu, on Socket %d", (uintptr_t)pthread_self(),
data/timblserver-1.14/src/JsonServer.cxx:180:6: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char line[256];
data/timblserver-1.14/src/JsonServer.cxx:181:6: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf( line, "Thread %lu, on Socket %d",
data/timblserver-1.14/src/TcpServer.cxx:187:4: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char line[256];
data/timblserver-1.14/src/TcpServer.cxx:188:4: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf( line, "Thread %lu, on Socket %d",
data/timblserver-1.14/src/TimblClient.cxx:80:22: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ( (input_file.open( value, ios::in ), !input_file.good() ) ){
data/timblserver-1.14/src/TimblClient.cxx:88:23: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ( (output_file.open( value, ios::out ), !output_file.good() ) ){
data/timblserver-1.14/demos/sockettestClient.cxx:49:17: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if ( client.read( resultLine ) ){
data/timblserver-1.14/demos/sockettestClient.cxx:56:16: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if ( client.read( resultLine ) ){
data/timblserver-1.14/demos/sockettestClient.cxx:98:17: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if ( client.read( resultLine, timeOut ) ){
data/timblserver-1.14/demos/sockettestClient.cxx:111:16: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if ( client.read( resultLine, timeOut ) ){
data/timblserver-1.14/demos/sockettestServer.cxx:57:18: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
while( mysock->read( buf ) ){
data/timblserver-1.14/demos/sockettestServer.cxx:93:18: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
while( mysock->read( buf, timeOut ) ){
data/timblserver-1.14/src/ClientBase.cxx:76:19: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if ( client.read( line ) ){
data/timblserver-1.14/src/ClientBase.cxx:80:16: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if ( client.read( line, 1 ) ){
data/timblserver-1.14/src/ClientBase.cxx:113:14: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if ( client.read( line ) ){
data/timblserver-1.14/src/ClientBase.cxx:207:19: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
while ( client.read( line ) ){
data/timblserver-1.14/src/ClientBase.cxx:236:17: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
while ( client.read( response ) ){
data/timblserver-1.14/src/ClientBase.cxx:295:27: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
while ( more && client.read( response ) ){
data/timblserver-1.14/src/ClientBase.cxx:320:18: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
while ( client.read( response ) ){
data/timblserver-1.14/src/ClientBase.cxx:330:23: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
while ( client.read( response ) ){
ANALYSIS SUMMARY:
Hits = 28
Lines analyzed = 2166 in approximately 0.08 seconds (28700 lines/second)
Physical Source Lines of Code (SLOC) = 1701
Hits@level = [0] 0 [1] 14 [2] 12 [3] 2 [4] 0 [5] 0
Hits@level+ = [0+] 28 [1+] 28 [2+] 14 [3+] 2 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 16.4609 [1+] 16.4609 [2+] 8.23045 [3+] 1.17578 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.