Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package flawfinder for openSUSE:Factory 
checked in at 2021-09-01 21:37:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/flawfinder (Old)
 and      /work/SRC/openSUSE:Factory/.flawfinder.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "flawfinder"

Wed Sep  1 21:37:15 2021 rev:7 rq:915449 version:2.0.19

Changes:
--------
--- /work/SRC/openSUSE:Factory/flawfinder/flawfinder.changes    2021-06-25 
15:02:22.924227995 +0200
+++ /work/SRC/openSUSE:Factory/.flawfinder.new.1899/flawfinder.changes  
2021-09-01 21:37:37.864909391 +0200
@@ -1,0 +2,9 @@
+Wed Sep  1 10:20:50 UTC 2021 - Michael Vetter <mvet...@suse.com>
+
+- Update to 2.0.19:
+  * entrypoint.sh: Don't require output filename to be escaped
+  * entrypoint.sh: Make minor improvements (#54)
+  * print warning messages to stderr (#58)
+  * changes to github actions
+
+-------------------------------------------------------------------

Old:
----
  flawfinder-2.0.18.tar.gz

New:
----
  flawfinder-2.0.19.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ flawfinder.spec ++++++
--- /var/tmp/diff_new_pack.tAuYdy/_old  2021-09-01 21:37:38.308909925 +0200
+++ /var/tmp/diff_new_pack.tAuYdy/_new  2021-09-01 21:37:38.312909930 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           flawfinder
-Version:        2.0.18
+Version:        2.0.19
 Release:        0
 Summary:        C/C++ source code security flaw examination tool
 License:        GPL-2.0-or-later

++++++ flawfinder-2.0.18.tar.gz -> flawfinder-2.0.19.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/ChangeLog 
new/flawfinder-2.0.19/ChangeLog
--- old/flawfinder-2.0.18/ChangeLog     2021-06-25 02:24:50.000000000 +0200
+++ new/flawfinder-2.0.19/ChangeLog     2021-08-29 22:26:42.000000000 +0200
@@ -1,3 +1,10 @@
+2021-08-29 David A. Wheeler
+       * Version 2.0.19
+       * Fix so we send error messages to stderr instead of stdout.
+         Originally we sent some to stdout by mistake, which could
+         mess up results since the error messages would be mixed up
+         with the results.
+
 2021-06-24 David A. Wheeler
        * Version 2.0.18
        * Fix SARIF output. SARIF output is new to flawfinder, and
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/Dockerfile 
new/flawfinder-2.0.19/Dockerfile
--- old/flawfinder-2.0.18/Dockerfile    1970-01-01 01:00:00.000000000 +0100
+++ new/flawfinder-2.0.19/Dockerfile    2021-06-27 22:28:54.000000000 +0200
@@ -0,0 +1,10 @@
+# Container image that runs your code
+FROM python:3
+
+# Copies your code file from your action repository to the filesystem path `/` 
of the container
+COPY entrypoint.sh /entrypoint.sh
+
+RUN pip install flawfinder
+
+# Code file to execute when the docker container starts up (`entrypoint.sh`)
+ENTRYPOINT ["/entrypoint.sh"]
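Review bot: `FROM python:3` and `RUN pip install flawfinder` (lines 2 and 7 of the new Dockerfile) both float, so the image built for the action picks up whatever `python:3` resolves to on build day and whatever the latest PyPI release of flawfinder is, not the 2.0.19 that this repository ships; results can therefore change without any commit here. Pin the package (`RUN pip install flawfinder==2.0.19`, kept in step with the `@2.0.19` tag the README tells users to reference) and consider pinning the base image to a digest or at least a minor version. Since `COPY` preserves the source file's mode, `entrypoint.sh` must carry the executable bit in the repository (or add `RUN chmod +x /entrypoint.sh`) for `ENTRYPOINT ["/entrypoint.sh"]` to work.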
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/README.md 
new/flawfinder-2.0.19/README.md
--- old/flawfinder-2.0.18/README.md     2021-01-03 18:54:13.000000000 +0100
+++ new/flawfinder-2.0.19/README.md     2021-08-29 22:24:03.000000000 +0200
@@ -94,6 +94,40 @@
 Flawfinder also doesn't get as confused by macro definitions
 and other oddities that more sophisticated tools have trouble with.
 
+# Flawfinder GitHub Action
+
+There's a GitHub action available for those who use GitHub.
+
+## Usage
+
+See 
[action.yml](https://github.com/david-a-wheeler/flawfinder/blob/main/action.yml)
+
+Create a .yml file under .github/workflows with the following contents:
+
+### Basic demo:
+
+```yml
+- name: flawfinder_scan
+  uses: david-a-wheeler/flawfinder@2.0.19
+  with:
+    arguments: '--sarif ./'
+    output: 'flawfinder_results.sarif'
+```
+
+You can add many other additions to the arguments.
+For example, `--error-level=4` will cause an error to be returned if
+flawfinder finds a vulnerability of level 4 or higher.
+Notice the version number after the `@` symbol; you can select a
+different version.
+
+You can find the action name and version string from 
[Marketplace](https://github.com/marketplace/actions/flawfinder_scan)
+by clicking "Use latest/xxx version" button.
+
+### Input options:
+
+- arguments: [Flawfinder command 
arguments](ttps://github.com/david-a-wheeler/flawfinder/blob/master/README.md#usage)
+- output: Flawfinder output file name. Can be uploaded to GitHub.
+
 # Contributions
 
 We love contributions!  For more information on contributing, see
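Review bot: the `arguments` link in the Input options list is broken: `ttps://github.com/david-a-wheeler/flawfinder/blob/master/README.md#usage` is missing the leading `h`, and it points at `master` while the `action.yml` link above uses `main`; make it `https://github.com/david-a-wheeler/flawfinder/blob/main/README.md#usage`. Two smaller points on the Basic demo: it is a bare step list, so say that it belongs under `steps:` of a job and that a checkout step must run first, otherwise `--sarif ./` scans an empty workspace; and `uses: david-a-wheeler/flawfinder@2.0.19` references a mutable tag, so readers who need a reproducible pipeline should pin the commit SHA instead.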
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/action.yml 
new/flawfinder-2.0.19/action.yml
--- old/flawfinder-2.0.18/action.yml    1970-01-01 01:00:00.000000000 +0100
+++ new/flawfinder-2.0.19/action.yml    2021-07-17 22:43:56.000000000 +0200
@@ -0,0 +1,17 @@
+name: 'flawfinder_scan'
+description: 'Execute Flawfinder to scan source code for vulnerabilities'
+inputs:
+  arguments:
+    description: 'Command arguments to be sent to Flawfinder'
+    required: true
+    default: ''
+  output:
+    description: 'Output file name'
+    required: true
+    default: ''
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  args:
+    - ${{ inputs.arguments }}
+    - ${{ inputs.output }}
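Review bot: both inputs declare `required: true` together with `default: ''`, which is contradictory: the empty default is what the action receives when a caller omits the input, so the requirement never has an effect and `flawfinder` ends up being run with an empty argument list. Drop the `default` lines (or give `output` the `flawfinder-output.txt` fallback that `entrypoint.sh` already applies) so that a missing input is surfaced rather than silently accepted. Note also that each `args` entry becomes one argv element, so the whole `arguments` string reaches the container as a single `$1`; the splitting is done by `entrypoint.sh`, and any shell quoting a user puts into the input is passed through literally.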
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/entrypoint.sh 
new/flawfinder-2.0.19/entrypoint.sh
--- old/flawfinder-2.0.18/entrypoint.sh 1970-01-01 01:00:00.000000000 +0100
+++ new/flawfinder-2.0.19/entrypoint.sh 2021-06-30 00:53:57.000000000 +0200
@@ -0,0 +1,11 @@
+#!/bin/sh -l
+# $1 whitespace-separated arguments. Some filenames may need to be escaped.
+# $2 output filename
+
+output="${2:-flawfinder-output.txt}"
+
+flawfinder $1 > "$output"
+result="$?"
+
+cat "$output"
+exit "$result"
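Review bot: `flawfinder $1` (line 7 of the new script) deliberately relies on word splitting to turn the single `arguments` input into separate argv entries, but unquoted expansion also performs glob expansion, so a pattern such as `*.c` or a `--regex` value containing `*` or `?` is expanded by the shell against the container's working directory before flawfinder sees it. Add `set -f` before the call to keep the intended splitting while disabling globbing, and state in the header comment that arguments are split on whitespace only. Minor: the `-l` in `#!/bin/sh -l` makes the shell source login profiles, which is needless in a container and can alter `PATH`. With warnings now going to stderr (the `internal_warn` change in this release), only the result stream lands in `"$output"`, which is what a SARIF upload needs, so that part is right.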
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/flawfinder.py 
new/flawfinder-2.0.19/flawfinder.py
--- old/flawfinder-2.0.18/flawfinder.py 2021-06-25 02:21:18.000000000 +0200
+++ new/flawfinder-2.0.19/flawfinder.py 2021-08-29 22:19:58.000000000 +0200
@@ -55,7 +55,7 @@
 import hashlib
 import json
 
-version = "2.0.18"
+version = "2.0.19"
 
 # Program Options - these are the default values.
 # TODO: Switch to boolean types where appropriate.
@@ -675,7 +675,7 @@
 
 
 def internal_warn(message):
-    print(h(message))
+    print(h(message), file=sys.stderr)
 
 
 # C Language Specific
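Review bot: the new `print(h(message), file=sys.stderr)` needs `sys` to be imported; the import hunk at the top of this file's diff shows only `hashlib` and `json`, so confirm `import sys` is present earlier in the module. Worth also checking that `h()` (presumably an output-mode escaping helper) is still appropriate for a stderr diagnostic: an HTML-escaped warning on a terminal is harmless but odd, and plain `message` may be what the stderr path should emit. The change itself is the right fix for the bug described in the ChangeLog: keeping warnings out of stdout is what lets the CSV and SARIF outputs be consumed by machines.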
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/flawfinder.spec 
new/flawfinder-2.0.19/flawfinder.spec
--- old/flawfinder-2.0.18/flawfinder.spec       2021-06-25 02:21:30.000000000 
+0200
+++ new/flawfinder-2.0.19/flawfinder.spec       2021-08-29 22:20:24.000000000 
+0200
@@ -1,6 +1,6 @@
 Name: flawfinder
 Summary: Examines C/C++ source code for security flaws
-Version: 2.0.18
+Version: 2.0.19
 Release: 1%{?dist}
 License: GPLv2+
 Group: Development/Tools
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/makefile 
new/flawfinder-2.0.19/makefile
--- old/flawfinder-2.0.18/makefile      2021-06-25 02:20:57.000000000 +0200
+++ new/flawfinder-2.0.19/makefile      2021-08-29 22:20:05.000000000 +0200
@@ -6,7 +6,7 @@
 # how to change version numbers.
 
 NAME=flawfinder
-VERSION=2.0.18
+VERSION=2.0.19
 RPM_VERSION=1
 VERSIONEDNAME=$(NAME)-$(VERSION)
 ARCH=noarch
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/setup.py 
new/flawfinder-2.0.19/setup.py
--- old/flawfinder-2.0.18/setup.py      2021-06-25 02:21:39.000000000 +0200
+++ new/flawfinder-2.0.19/setup.py      2021-08-29 22:20:35.000000000 +0200
@@ -9,7 +9,7 @@
 
 setup (# Distribution meta-data
        name = "flawfinder",
-       version = "2.0.18",
+       version = "2.0.19",
        # We install a script, not a separate package.
        # packages = ["flawfinder"], # Must be same as name
        # Do not need: packages=find_packages(),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/test/correct-results-008.txt 
new/flawfinder-2.0.19/test/correct-results-008.txt
--- old/flawfinder-2.0.18/test/correct-results-008.txt  2021-06-25 
02:22:26.000000000 +0200
+++ new/flawfinder-2.0.19/test/correct-results-008.txt  2021-08-29 
22:21:29.000000000 +0200
@@ -1,4 +1,4 @@
-Flawfinder version 2.0.18, (C) 2001-2019 David A. Wheeler.
+Flawfinder version 2.0.19, (C) 2001-2019 David A. Wheeler.
 Showing hits not in test-saved-hitlist-008.txt
 Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/test/correct-results.csv 
new/flawfinder-2.0.19/test/correct-results.csv
--- old/flawfinder-2.0.18/test/correct-results.csv      2021-06-25 
02:22:25.351086000 +0200
+++ new/flawfinder-2.0.19/test/correct-results.csv      2021-08-29 
22:21:28.121843000 +0200
@@ -1,40 +1,40 @@
 
File,Line,Column,DefaultLevel,Level,Category,Name,Warning,Suggestion,Note,CWEs,Context,Fingerprint,ToolVersion,RuleId,HelpUri
-test.c,32,2,5,5,buffer,gets,"Does not check for buffer overflows (CWE-120, 
CWE-20).",Use fgets() instead.,,"CWE-120, CWE-20", 
gets(f);,6a5bb383fb44030b0d9428b17359e94ba3979bc1ce702be450427f85592c649a,2.0.18,FF1014,https://cwe.mitre.org/data/definitions/120.html
-test.c,60,3,1,5,buffer,strncat,"Easily used incorrectly (e.g., incorrectly 
computing the correct maximum size to add) [MS-banned] (CWE-120).","Consider 
strcat_s, strlcat, snprintf, or automatically resizing strings.","Risk is high; 
the length parameter appears to be a constant, instead of computing the number 
of characters left.",CWE-120,"  strncat(d,s,sizeof(d)); /* Misuse - this should 
be flagged as riskier. 
*/",cbd19c308547e79af13436d8f7dbcf6c62e49e4f62ba9aee38fbef29e0772f74,2.0.18,FF1010,https://cwe.mitre.org/data/definitions/120.html
-test.c,61,3,1,5,buffer,_tcsncat,"Easily used incorrectly (e.g., incorrectly 
computing the correct maximum size to add) [MS-banned] (CWE-120).","Consider 
strcat_s, strlcat, or automatically resizing strings.","Risk is high; the 
length parameter appears to be a constant, instead of computing the number of 
characters left.",CWE-120,"  _tcsncat(d,s,sizeof(d)); /* Misuse - flag as 
riskier 
*/",c3f6ba2c710efc878e66df4578894fd408452cb7cdec7ae6f492a3b1796f8c42,2.0.18,FF1011,https://cwe.mitre.org/data/definitions/120.html
-test.c,64,3,2,5,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is high, it appears that the size is 
given as bytes, but the function requires size as characters.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName));",4f5b73ff337a54d6e1d9a369659ca0ddb4f80e6b7e38a17e5b112f6d3e266e69,2.0.18,FF1023,https://cwe.mitre.org/data/definitions/120.html
-test.c,66,3,2,5,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is high, it appears that the size is 
given as bytes, but the function requires size as characters.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof 
wszUserName);",9ecdc1e903acc16a646bf7909a630ae22a7593b70952c39ce6bd9c5a23fad0fd,2.0.18,FF1023,https://cwe.mitre.org/data/definitions/120.html
-test.c,77,3,5,5,misc,SetSecurityDescriptorDacl,"Never create NULL ACLs; an 
attacker can set it to Everyone (Deny All Access), which would even forbid 
administrator access (CWE-732).",,,CWE-732,"  
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);",5fed1e135b593b4c943e66e89a26ff131eba18b83a32a8af37d1c0bd7b01aadb,2.0.18,FF1060,https://cwe.mitre.org/data/definitions/732.html
-test.c,77,3,5,5,misc,SetSecurityDescriptorDacl,"Never create NULL ACLs; an 
attacker can set it to Everyone (Deny All Access), which would even forbid 
administrator access (CWE-732).",,,CWE-732,"  
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);",5fed1e135b593b4c943e66e89a26ff131eba18b83a32a8af37d1c0bd7b01aadb,2.0.18,FF1060,https://cwe.mitre.org/data/definitions/732.html
-test.c,17,2,4,4,buffer,strcpy,Does not check for buffer overflows when copying 
to destination [MS-banned] (CWE-120).,"Consider using snprintf, strcpy_s, or 
strlcpy (warning: strncpy easily misused).",,CWE-120," strcpy(b, 
a);",c01c8472bb53022e912da4da2faebc67d537855da324020c44bfd5e608a79b77,2.0.18,FF1001,https://cwe.mitre.org/data/definitions/120.html
-test.c,20,2,4,4,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",,CWE-120," sprintf(s, 
""hello %s"", 
bug);",814237858ab012010f3355a49480dd6fa0a2cb8cf8356a98ac1c17c9febf6521,2.0.18,FF1015,https://cwe.mitre.org/data/definitions/120.html
-test.c,21,2,4,4,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",,CWE-120," sprintf(s, 
gettext(""hello %s""), 
bug);",b793f18f143fb2297c49e0639384ad73db86eb01a44377aa4d5d09b44b03d747,2.0.18,FF1015,https://cwe.mitre.org/data/definitions/120.html
-test.c,22,2,4,4,format,sprintf,Potential format string problem (CWE-134).,Make 
format string constant.,,CWE-134," sprintf(s, unknown, 
bug);",16ebc2ff96ee4bab2695783709e97b597ca9c8b8cc149e33aed859f0fafd3431,2.0.18,FF1015,https://cwe.mitre.org/data/definitions/134.html
-test.c,23,2,4,4,format,printf,"If format strings can be influenced by an 
attacker, they can be exploited (CWE-134).",Use a constant for the format 
specification.,,CWE-134," printf(bf, 
x);",46f42896019245d2dffc4caf4fe018b073ce2a58203676eaa28b6374558a5b5d,2.0.18,FF1016,https://cwe.mitre.org/data/definitions/134.html
-test.c,25,2,4,4,buffer,scanf,"The scanf() family's %s operation, without a 
limit specification, permits buffer overflows (CWE-120, CWE-20).","Specify a 
limit to %s, or use a different input function.",,"CWE-120, CWE-20"," 
scanf(""%s"", 
s);",3f169dd9fe508f70438f818770a3cb8b0f228e4245ea11a929a5fb0a7839fd5f,2.0.18,FF1020,https://cwe.mitre.org/data/definitions/120.html
-test.c,27,2,4,4,buffer,scanf,"The scanf() family's %s operation, without a 
limit specification, permits buffer overflows (CWE-120, CWE-20).","Specify a 
limit to %s, or use a different input function.",,"CWE-120, CWE-20"," 
scanf(""%s"", 
s);",3f169dd9fe508f70438f818770a3cb8b0f228e4245ea11a929a5fb0a7839fd5f,2.0.18,FF1020,https://cwe.mitre.org/data/definitions/120.html
-test.c,38,2,4,4,format,syslog,"If syslog's format strings can be influenced by 
an attacker, they can be exploited (CWE-134).",Use a constant format string for 
syslog.,,CWE-134," syslog(LOG_ERR, 
attacker_string);",22e98963d5af7b197a090bd522d2d39b8d8ee7bdf08453fd2008939c92cd9677,2.0.18,FF1018,https://cwe.mitre.org/data/definitions/134.html
-test.c,49,3,4,4,buffer,_mbscpy,Does not check for buffer overflows when 
copying to destination [MS-banned] (CWE-120).,Consider using a function version 
that stops copying at the end of the buffer.,,CWE-120,"  _mbscpy(d,s); /* like 
strcpy, this doesn't check for buffer overflow 
*/",e00a4a1a0a3603db98a23fcff3c9cdfd9012f5a81826814d9508e0f22089b993,2.0.18,FF1003,https://cwe.mitre.org/data/definitions/120.html
-test.c,56,3,4,4,buffer,lstrcat,Does not check for buffer overflows when 
concatenating to destination [MS-banned] (CWE-120).,,,CWE-120,"  
lstrcat(d,s);",364b4c512862fdccbca27d2fa7737995b5d24b637a760976c940ae636218d340,2.0.18,FF1006,https://cwe.mitre.org/data/definitions/120.html
-test.c,79,3,3,3,shell,CreateProcess,This causes a new process to execute and 
is difficult to use safely (CWE-78).,"Specify the application path in the first 
argument, NOT as part of the second, or embedded spaces could allow an attacker 
to force a different program to run.",,CWE-78,"  CreateProcess(NULL, 
""C:\\Program Files\\GoodGuy\\GoodGuy.exe -x"", 
"""");",3c712b38d0857bde3832d85ad35ac9859be55c5f5f1c20af659a577dd4d0acbf,2.0.18,FF1046,https://cwe.mitre.org/data/definitions/78.html
-test.c,79,3,3,3,shell,CreateProcess,This causes a new process to execute and 
is difficult to use safely (CWE-78).,"Specify the application path in the first 
argument, NOT as part of the second, or embedded spaces could allow an attacker 
to force a different program to run.",,CWE-78,"  CreateProcess(NULL, 
""C:\\Program Files\\GoodGuy\\GoodGuy.exe -x"", 
"""");",3c712b38d0857bde3832d85ad35ac9859be55c5f5f1c20af659a577dd4d0acbf,2.0.18,FF1046,https://cwe.mitre.org/data/definitions/78.html
-test.c,81,10,3,3,misc,LoadLibraryEx,"Ensure that the full path to the library 
is specified, or current directory may be used (CWE-829, CWE-20).",Use a flag 
like LOAD_LIBRARY_SEARCH_SYSTEM32 or LOAD_LIBRARY_SEARCH_APPLICATION_DIR to 
search only desired folders.,,"CWE-829, CWE-20","  (void) 
LoadLibraryEx(L""user32.dll"", nullptr, 
LOAD_LIBRARY_AS_DATAFILE);",b1f99ecaa31e682487d795afbf03282fd56ad9f2aa630d0196219b277d2a68c9,2.0.18,FF1059,https://cwe.mitre.org/data/definitions/829.html
-test.c,99,20,3,3,buffer,getopt_long,"Some older implementations do not protect 
against internal buffer overflows (CWE-120, CWE-20).","Check implementation on 
installation, or limit the size of all string inputs.",,"CWE-120, CWE-20","    
while ((optc = getopt_long (argc, argv, ""a"",longopts, NULL )) != EOF) 
{",5bedf6e5bccf596008ef191ec4c5d4cc51a32cff0c05ef62d5f10fab93d0cc24,2.0.18,FF1027,https://cwe.mitre.org/data/definitions/120.html
-test.c,16,2,4,2,buffer,strcpy,Does not check for buffer overflows when copying 
to destination [MS-banned] (CWE-120).,"Consider using snprintf, strcpy_s, or 
strlcpy (warning: strncpy easily misused).",Risk is low because the source is a 
constant string.,CWE-120," strcpy(a, gettext(""Hello there"")); // Did this 
work?",d64070fb93ff0bb797fb926f4dddc7212d42f77e288d5ceb0cd30ed2979fa28d,2.0.18,FF1001,https://cwe.mitre.org/data/definitions/120.html
-test.c,19,2,4,2,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",Risk is low because the 
source has a constant maximum length.,CWE-120," sprintf(s, 
""hello"");",907b46be1c3ea7b38f90a4d1b0f43b7751cd8cbe38fae840930ff006b702157d,2.0.18,FF1015,https://cwe.mitre.org/data/definitions/120.html
-test.c,45,3,2,2,buffer,char,"Statically-sized arrays can be improperly 
restricted, leading to potential overflows or other issues 
(CWE-119!/CWE-120).","Perform bounds checking, use functions that limit length, 
or ensure that the size is larger than the maximum possible 
length.",,CWE-119!/CWE-120,  char 
d[20];,36c87517700337a59cc3ad3218cfdde56cad37d69cdeccee5a55ab232d5c7946,2.0.18,FF1013,https://cwe.mitre.org/data/definitions/119.html
-test.c,46,3,2,2,buffer,char,"Statically-sized arrays can be improperly 
restricted, leading to potential overflows or other issues 
(CWE-119!/CWE-120).","Perform bounds checking, use functions that limit length, 
or ensure that the size is larger than the maximum possible 
length.",,CWE-119!/CWE-120,  char 
s[20];,213de8e8815fc84c423b55fd845fea541f25744718e486234364bb457863b597,2.0.18,FF1013,https://cwe.mitre.org/data/definitions/119.html
-test.c,50,3,2,2,buffer,memcpy,Does not check for buffer overflows when copying 
to destination (CWE-120).,Make sure destination can always hold the source 
data.,,CWE-120,"  memcpy(d,s); // fail - no 
size",e667b352fb0748c67b607b11577b11bad87545779c39923e61839dd04056055f,2.0.18,FF1004,https://cwe.mitre.org/data/definitions/120.html
-test.c,53,3,2,2,buffer,memcpy,Does not check for buffer overflows when copying 
to destination (CWE-120).,Make sure destination can always hold the source 
data.,,CWE-120,"  memcpy(&n,s,sizeof(s)); // fail - sizeof not of 
destination",01bcc2c8ba2d928ac3315b4dcc6593042ea05e62888a10a6d2cf16797a65ed32,2.0.18,FF1004,https://cwe.mitre.org/data/definitions/120.html
-test.c,54,3,2,2,buffer,memcpy,Does not check for buffer overflows when copying 
to destination (CWE-120).,Make sure destination can always hold the source 
data.,,CWE-120,"  memcpy(d,s,n); // fail - size 
unguessable",2517a2fb5981193a6017cca660d16e85aab133706cbec302df97aaa623fc77ef,2.0.18,FF1004,https://cwe.mitre.org/data/definitions/120.html
-test.c,55,3,2,2,buffer,CopyMemory,Does not check for buffer overflows when 
copying to destination (CWE-120).,Make sure destination can always hold the 
source data.,,CWE-120,"  
CopyMemory(d,s);",977f8c805ddd76ff32e0f7aea08701ba97d9ce6955136e98b308ed4f70eb2e11,2.0.18,FF1004,https://cwe.mitre.org/data/definitions/120.html
-test.c,105,7,2,2,misc,fopen,"Check when opening files - can an attacker 
redirect it (via symlinks), force the opening of special file type (e.g., 
device files), move things around to create a race condition, control its 
ancestors, or change its contents? (CWE-362).",,,CWE-362,"  f = 
fopen(""/etc/passwd"", ""r""); 
",2ec6928c77a8b54caa61d0459f367c4394ee1f5e6f488753f587bfa9c780bad8,2.0.18,FF1040,https://cwe.mitre.org/data/definitions/362.html
-test.c,15,2,4,1,buffer,strcpy,Does not check for buffer overflows when copying 
to destination [MS-banned] (CWE-120).,"Consider using snprintf, strcpy_s, or 
strlcpy (warning: strncpy easily misused).",Risk is low because the source is a 
constant character.,CWE-120," strcpy(a, ""\n""); // Did this 
work?",0badc5f4c500d17b42794feaca54ee0f49e607a32510af3ed749579001017edb,2.0.18,FF1001,https://cwe.mitre.org/data/definitions/120.html
-test.c,18,2,4,1,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",Risk is low because the 
source is a constant character.,CWE-120," sprintf(s, 
""\n"");",c65fbd60851f3c8ace22332805966606488c0d242c1823493c582e267609b1a7,2.0.18,FF1015,https://cwe.mitre.org/data/definitions/120.html
-test.c,26,2,4,1,buffer,scanf,It's unclear if the %s limit in the format string 
is small enough (CWE-120).,"Check that the limit is sufficiently small, or use 
a different input function.",,CWE-120," scanf(""%10s"", 
s);",e24c4c801f10acfa93098b2bef58524efe4f88237f2dd8b58be9afa838616afe,2.0.18,FF1020,https://cwe.mitre.org/data/definitions/120.html
-test.c,57,3,1,1,buffer,strncpy,Easily used incorrectly; doesn't always 
\0-terminate or check for invalid pointers [MS-banned] (CWE-120).,,,CWE-120,"  
strncpy(d,s);",8fa14bf72393a00f667ffcc06b7b7e5f0b6d2f16d8d67444db06b0deb35b5f5e,2.0.18,FF1008,https://cwe.mitre.org/data/definitions/120.html
-test.c,58,3,1,1,buffer,_tcsncpy,Easily used incorrectly; doesn't always 
\0-terminate or check for invalid pointers [MS-banned] (CWE-120).,,,CWE-120,"  
_tcsncpy(d,s);",691fabd4ca960a00e4c538eee0187ee0fdf59bd43dd71e792c14175150369b8b,2.0.18,FF1009,https://cwe.mitre.org/data/definitions/120.html
-test.c,59,3,1,1,buffer,strncat,"Easily used incorrectly (e.g., incorrectly 
computing the correct maximum size to add) [MS-banned] (CWE-120).","Consider 
strcat_s, strlcat, snprintf, or automatically resizing strings.",,CWE-120,"  
strncat(d,s,10);",dd92f996a554bfbc038bea27640ba25dcf298383140a8330dca7cdacf493a701,2.0.18,FF1010,https://cwe.mitre.org/data/definitions/120.html
-test.c,62,7,1,1,buffer,strlen,Does not handle strings that are not 
\0-terminated; if given one it may perform an over-read (it could cause a crash 
if unprotected) (CWE-126).,,,CWE-126,  n = 
strlen(d);,db7201c7df7f543ea76febb060bda167e414e71e3d18095fe1def69f8c47a4f6,2.0.18,FF1022,https://cwe.mitre.org/data/definitions/126.html
-test.c,68,3,2,1,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is very low, the length appears to be 
in characters not bytes.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName)/sizeof(wszUserName[0]));",1813fc329227b38abae867d8023a9e29c7517d679fe55c86f8300dde681b6470,2.0.18,FF1023,https://cwe.mitre.org/data/definitions/120.html
-test.c,70,3,2,1,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is very low, the length appears to be 
in characters not bytes.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof wszUserName 
/sizeof(wszUserName[0]));",7c6cdcb10ad3a16b8bfd56e3dac84829f9bc3e39d4dde74a2be9bbe000102fc5,2.0.18,FF1023,https://cwe.mitre.org/data/definitions/120.html
+test.c,32,2,5,5,buffer,gets,"Does not check for buffer overflows (CWE-120, 
CWE-20).",Use fgets() instead.,,"CWE-120, CWE-20", 
gets(f);,6a5bb383fb44030b0d9428b17359e94ba3979bc1ce702be450427f85592c649a,2.0.19,FF1014,https://cwe.mitre.org/data/definitions/120.html
+test.c,60,3,1,5,buffer,strncat,"Easily used incorrectly (e.g., incorrectly 
computing the correct maximum size to add) [MS-banned] (CWE-120).","Consider 
strcat_s, strlcat, snprintf, or automatically resizing strings.","Risk is high; 
the length parameter appears to be a constant, instead of computing the number 
of characters left.",CWE-120,"  strncat(d,s,sizeof(d)); /* Misuse - this should 
be flagged as riskier. 
*/",cbd19c308547e79af13436d8f7dbcf6c62e49e4f62ba9aee38fbef29e0772f74,2.0.19,FF1010,https://cwe.mitre.org/data/definitions/120.html
+test.c,61,3,1,5,buffer,_tcsncat,"Easily used incorrectly (e.g., incorrectly 
computing the correct maximum size to add) [MS-banned] (CWE-120).","Consider 
strcat_s, strlcat, or automatically resizing strings.","Risk is high; the 
length parameter appears to be a constant, instead of computing the number of 
characters left.",CWE-120,"  _tcsncat(d,s,sizeof(d)); /* Misuse - flag as 
riskier 
*/",c3f6ba2c710efc878e66df4578894fd408452cb7cdec7ae6f492a3b1796f8c42,2.0.19,FF1011,https://cwe.mitre.org/data/definitions/120.html
+test.c,64,3,2,5,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is high, it appears that the size is 
given as bytes, but the function requires size as characters.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName));",4f5b73ff337a54d6e1d9a369659ca0ddb4f80e6b7e38a17e5b112f6d3e266e69,2.0.19,FF1023,https://cwe.mitre.org/data/definitions/120.html
+test.c,66,3,2,5,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is high, it appears that the size is 
given as bytes, but the function requires size as characters.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof 
wszUserName);",9ecdc1e903acc16a646bf7909a630ae22a7593b70952c39ce6bd9c5a23fad0fd,2.0.19,FF1023,https://cwe.mitre.org/data/definitions/120.html
+test.c,77,3,5,5,misc,SetSecurityDescriptorDacl,"Never create NULL ACLs; an 
attacker can set it to Everyone (Deny All Access), which would even forbid 
administrator access (CWE-732).",,,CWE-732,"  
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);",5fed1e135b593b4c943e66e89a26ff131eba18b83a32a8af37d1c0bd7b01aadb,2.0.19,FF1060,https://cwe.mitre.org/data/definitions/732.html
+test.c,77,3,5,5,misc,SetSecurityDescriptorDacl,"Never create NULL ACLs; an 
attacker can set it to Everyone (Deny All Access), which would even forbid 
administrator access (CWE-732).",,,CWE-732,"  
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);",5fed1e135b593b4c943e66e89a26ff131eba18b83a32a8af37d1c0bd7b01aadb,2.0.19,FF1060,https://cwe.mitre.org/data/definitions/732.html
+test.c,17,2,4,4,buffer,strcpy,Does not check for buffer overflows when copying 
to destination [MS-banned] (CWE-120).,"Consider using snprintf, strcpy_s, or 
strlcpy (warning: strncpy easily misused).",,CWE-120," strcpy(b, 
a);",c01c8472bb53022e912da4da2faebc67d537855da324020c44bfd5e608a79b77,2.0.19,FF1001,https://cwe.mitre.org/data/definitions/120.html
+test.c,20,2,4,4,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",,CWE-120," sprintf(s, 
""hello %s"", 
bug);",814237858ab012010f3355a49480dd6fa0a2cb8cf8356a98ac1c17c9febf6521,2.0.19,FF1015,https://cwe.mitre.org/data/definitions/120.html
+test.c,21,2,4,4,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",,CWE-120," sprintf(s, 
gettext(""hello %s""), 
bug);",b793f18f143fb2297c49e0639384ad73db86eb01a44377aa4d5d09b44b03d747,2.0.19,FF1015,https://cwe.mitre.org/data/definitions/120.html
+test.c,22,2,4,4,format,sprintf,Potential format string problem (CWE-134).,Make 
format string constant.,,CWE-134," sprintf(s, unknown, 
bug);",16ebc2ff96ee4bab2695783709e97b597ca9c8b8cc149e33aed859f0fafd3431,2.0.19,FF1015,https://cwe.mitre.org/data/definitions/134.html
+test.c,23,2,4,4,format,printf,"If format strings can be influenced by an 
attacker, they can be exploited (CWE-134).",Use a constant for the format 
specification.,,CWE-134," printf(bf, 
x);",46f42896019245d2dffc4caf4fe018b073ce2a58203676eaa28b6374558a5b5d,2.0.19,FF1016,https://cwe.mitre.org/data/definitions/134.html
+test.c,25,2,4,4,buffer,scanf,"The scanf() family's %s operation, without a 
limit specification, permits buffer overflows (CWE-120, CWE-20).","Specify a 
limit to %s, or use a different input function.",,"CWE-120, CWE-20"," 
scanf(""%s"", 
s);",3f169dd9fe508f70438f818770a3cb8b0f228e4245ea11a929a5fb0a7839fd5f,2.0.19,FF1020,https://cwe.mitre.org/data/definitions/120.html
+test.c,27,2,4,4,buffer,scanf,"The scanf() family's %s operation, without a 
limit specification, permits buffer overflows (CWE-120, CWE-20).","Specify a 
limit to %s, or use a different input function.",,"CWE-120, CWE-20"," 
scanf(""%s"", 
s);",3f169dd9fe508f70438f818770a3cb8b0f228e4245ea11a929a5fb0a7839fd5f,2.0.19,FF1020,https://cwe.mitre.org/data/definitions/120.html
+test.c,38,2,4,4,format,syslog,"If syslog's format strings can be influenced by 
an attacker, they can be exploited (CWE-134).",Use a constant format string for 
syslog.,,CWE-134," syslog(LOG_ERR, 
attacker_string);",22e98963d5af7b197a090bd522d2d39b8d8ee7bdf08453fd2008939c92cd9677,2.0.19,FF1018,https://cwe.mitre.org/data/definitions/134.html
+test.c,49,3,4,4,buffer,_mbscpy,Does not check for buffer overflows when 
copying to destination [MS-banned] (CWE-120).,Consider using a function version 
that stops copying at the end of the buffer.,,CWE-120,"  _mbscpy(d,s); /* like 
strcpy, this doesn't check for buffer overflow 
*/",e00a4a1a0a3603db98a23fcff3c9cdfd9012f5a81826814d9508e0f22089b993,2.0.19,FF1003,https://cwe.mitre.org/data/definitions/120.html
+test.c,56,3,4,4,buffer,lstrcat,Does not check for buffer overflows when 
concatenating to destination [MS-banned] (CWE-120).,,,CWE-120,"  
lstrcat(d,s);",364b4c512862fdccbca27d2fa7737995b5d24b637a760976c940ae636218d340,2.0.19,FF1006,https://cwe.mitre.org/data/definitions/120.html
+test.c,79,3,3,3,shell,CreateProcess,This causes a new process to execute and 
is difficult to use safely (CWE-78).,"Specify the application path in the first 
argument, NOT as part of the second, or embedded spaces could allow an attacker 
to force a different program to run.",,CWE-78,"  CreateProcess(NULL, 
""C:\\Program Files\\GoodGuy\\GoodGuy.exe -x"", 
"""");",3c712b38d0857bde3832d85ad35ac9859be55c5f5f1c20af659a577dd4d0acbf,2.0.19,FF1046,https://cwe.mitre.org/data/definitions/78.html
+test.c,79,3,3,3,shell,CreateProcess,This causes a new process to execute and 
is difficult to use safely (CWE-78).,"Specify the application path in the first 
argument, NOT as part of the second, or embedded spaces could allow an attacker 
to force a different program to run.",,CWE-78,"  CreateProcess(NULL, 
""C:\\Program Files\\GoodGuy\\GoodGuy.exe -x"", 
"""");",3c712b38d0857bde3832d85ad35ac9859be55c5f5f1c20af659a577dd4d0acbf,2.0.19,FF1046,https://cwe.mitre.org/data/definitions/78.html
+test.c,81,10,3,3,misc,LoadLibraryEx,"Ensure that the full path to the library 
is specified, or current directory may be used (CWE-829, CWE-20).",Use a flag 
like LOAD_LIBRARY_SEARCH_SYSTEM32 or LOAD_LIBRARY_SEARCH_APPLICATION_DIR to 
search only desired folders.,,"CWE-829, CWE-20","  (void) 
LoadLibraryEx(L""user32.dll"", nullptr, 
LOAD_LIBRARY_AS_DATAFILE);",b1f99ecaa31e682487d795afbf03282fd56ad9f2aa630d0196219b277d2a68c9,2.0.19,FF1059,https://cwe.mitre.org/data/definitions/829.html
+test.c,99,20,3,3,buffer,getopt_long,"Some older implementations do not protect 
against internal buffer overflows (CWE-120, CWE-20).","Check implementation on 
installation, or limit the size of all string inputs.",,"CWE-120, CWE-20","    
while ((optc = getopt_long (argc, argv, ""a"",longopts, NULL )) != EOF) 
{",5bedf6e5bccf596008ef191ec4c5d4cc51a32cff0c05ef62d5f10fab93d0cc24,2.0.19,FF1027,https://cwe.mitre.org/data/definitions/120.html
+test.c,16,2,4,2,buffer,strcpy,Does not check for buffer overflows when copying 
to destination [MS-banned] (CWE-120).,"Consider using snprintf, strcpy_s, or 
strlcpy (warning: strncpy easily misused).",Risk is low because the source is a 
constant string.,CWE-120," strcpy(a, gettext(""Hello there"")); // Did this 
work?",d64070fb93ff0bb797fb926f4dddc7212d42f77e288d5ceb0cd30ed2979fa28d,2.0.19,FF1001,https://cwe.mitre.org/data/definitions/120.html
+test.c,19,2,4,2,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",Risk is low because the 
source has a constant maximum length.,CWE-120," sprintf(s, 
""hello"");",907b46be1c3ea7b38f90a4d1b0f43b7751cd8cbe38fae840930ff006b702157d,2.0.19,FF1015,https://cwe.mitre.org/data/definitions/120.html
+test.c,45,3,2,2,buffer,char,"Statically-sized arrays can be improperly 
restricted, leading to potential overflows or other issues 
(CWE-119!/CWE-120).","Perform bounds checking, use functions that limit length, 
or ensure that the size is larger than the maximum possible 
length.",,CWE-119!/CWE-120,  char 
d[20];,36c87517700337a59cc3ad3218cfdde56cad37d69cdeccee5a55ab232d5c7946,2.0.19,FF1013,https://cwe.mitre.org/data/definitions/119.html
+test.c,46,3,2,2,buffer,char,"Statically-sized arrays can be improperly 
restricted, leading to potential overflows or other issues 
(CWE-119!/CWE-120).","Perform bounds checking, use functions that limit length, 
or ensure that the size is larger than the maximum possible 
length.",,CWE-119!/CWE-120,  char 
s[20];,213de8e8815fc84c423b55fd845fea541f25744718e486234364bb457863b597,2.0.19,FF1013,https://cwe.mitre.org/data/definitions/119.html
+test.c,50,3,2,2,buffer,memcpy,Does not check for buffer overflows when copying 
to destination (CWE-120).,Make sure destination can always hold the source 
data.,,CWE-120,"  memcpy(d,s); // fail - no 
size",e667b352fb0748c67b607b11577b11bad87545779c39923e61839dd04056055f,2.0.19,FF1004,https://cwe.mitre.org/data/definitions/120.html
+test.c,53,3,2,2,buffer,memcpy,Does not check for buffer overflows when copying 
to destination (CWE-120).,Make sure destination can always hold the source 
data.,,CWE-120,"  memcpy(&n,s,sizeof(s)); // fail - sizeof not of 
destination",01bcc2c8ba2d928ac3315b4dcc6593042ea05e62888a10a6d2cf16797a65ed32,2.0.19,FF1004,https://cwe.mitre.org/data/definitions/120.html
+test.c,54,3,2,2,buffer,memcpy,Does not check for buffer overflows when copying 
to destination (CWE-120).,Make sure destination can always hold the source 
data.,,CWE-120,"  memcpy(d,s,n); // fail - size 
unguessable",2517a2fb5981193a6017cca660d16e85aab133706cbec302df97aaa623fc77ef,2.0.19,FF1004,https://cwe.mitre.org/data/definitions/120.html
+test.c,55,3,2,2,buffer,CopyMemory,Does not check for buffer overflows when 
copying to destination (CWE-120).,Make sure destination can always hold the 
source data.,,CWE-120,"  
CopyMemory(d,s);",977f8c805ddd76ff32e0f7aea08701ba97d9ce6955136e98b308ed4f70eb2e11,2.0.19,FF1004,https://cwe.mitre.org/data/definitions/120.html
+test.c,105,7,2,2,misc,fopen,"Check when opening files - can an attacker 
redirect it (via symlinks), force the opening of special file type (e.g., 
device files), move things around to create a race condition, control its 
ancestors, or change its contents? (CWE-362).",,,CWE-362,"  f = 
fopen(""/etc/passwd"", ""r""); 
",2ec6928c77a8b54caa61d0459f367c4394ee1f5e6f488753f587bfa9c780bad8,2.0.19,FF1040,https://cwe.mitre.org/data/definitions/362.html
+test.c,15,2,4,1,buffer,strcpy,Does not check for buffer overflows when copying 
to destination [MS-banned] (CWE-120).,"Consider using snprintf, strcpy_s, or 
strlcpy (warning: strncpy easily misused).",Risk is low because the source is a 
constant character.,CWE-120," strcpy(a, ""\n""); // Did this 
work?",0badc5f4c500d17b42794feaca54ee0f49e607a32510af3ed749579001017edb,2.0.19,FF1001,https://cwe.mitre.org/data/definitions/120.html
+test.c,18,2,4,1,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",Risk is low because the 
source is a constant character.,CWE-120," sprintf(s, 
""\n"");",c65fbd60851f3c8ace22332805966606488c0d242c1823493c582e267609b1a7,2.0.19,FF1015,https://cwe.mitre.org/data/definitions/120.html
+test.c,26,2,4,1,buffer,scanf,It's unclear if the %s limit in the format string 
is small enough (CWE-120).,"Check that the limit is sufficiently small, or use 
a different input function.",,CWE-120," scanf(""%10s"", 
s);",e24c4c801f10acfa93098b2bef58524efe4f88237f2dd8b58be9afa838616afe,2.0.19,FF1020,https://cwe.mitre.org/data/definitions/120.html
+test.c,57,3,1,1,buffer,strncpy,Easily used incorrectly; doesn't always 
\0-terminate or check for invalid pointers [MS-banned] (CWE-120).,,,CWE-120,"  
strncpy(d,s);",8fa14bf72393a00f667ffcc06b7b7e5f0b6d2f16d8d67444db06b0deb35b5f5e,2.0.19,FF1008,https://cwe.mitre.org/data/definitions/120.html
+test.c,58,3,1,1,buffer,_tcsncpy,Easily used incorrectly; doesn't always 
\0-terminate or check for invalid pointers [MS-banned] (CWE-120).,,,CWE-120,"  
_tcsncpy(d,s);",691fabd4ca960a00e4c538eee0187ee0fdf59bd43dd71e792c14175150369b8b,2.0.19,FF1009,https://cwe.mitre.org/data/definitions/120.html
+test.c,59,3,1,1,buffer,strncat,"Easily used incorrectly (e.g., incorrectly 
computing the correct maximum size to add) [MS-banned] (CWE-120).","Consider 
strcat_s, strlcat, snprintf, or automatically resizing strings.",,CWE-120,"  
strncat(d,s,10);",dd92f996a554bfbc038bea27640ba25dcf298383140a8330dca7cdacf493a701,2.0.19,FF1010,https://cwe.mitre.org/data/definitions/120.html
+test.c,62,7,1,1,buffer,strlen,Does not handle strings that are not 
\0-terminated; if given one it may perform an over-read (it could cause a crash 
if unprotected) (CWE-126).,,,CWE-126,  n = 
strlen(d);,db7201c7df7f543ea76febb060bda167e414e71e3d18095fe1def69f8c47a4f6,2.0.19,FF1022,https://cwe.mitre.org/data/definitions/126.html
+test.c,68,3,2,1,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is very low, the length appears to be 
in characters not bytes.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName)/sizeof(wszUserName[0]));",1813fc329227b38abae867d8023a9e29c7517d679fe55c86f8300dde681b6470,2.0.19,FF1023,https://cwe.mitre.org/data/definitions/120.html
+test.c,70,3,2,1,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is very low, the length appears to be 
in characters not bytes.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof wszUserName 
/sizeof(wszUserName[0]));",7c6cdcb10ad3a16b8bfd56e3dac84829f9bc3e39d4dde74a2be9bbe000102fc5,2.0.19,FF1023,https://cwe.mitre.org/data/definitions/120.html
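Review bot: the fixture records the test.c:79 CreateProcess hit as two byte-identical rows (same column, same fingerprint 3c712b38…, same RuleId FF1046), and the test-results.csv hunk further down shows the same duplication already present in its 2.0.18 rows, so the version bump merely carries it forward; still, before enshrining it as expected output for 2.0.19 it is worth confirming that a double report for one call site is the intended scanner behaviour, because a fixture that encodes the duplicate will turn any later de-duplication into a spurious test failure. Otherwise the rows match their 2.0.18 counterparts in test-results.csv field for field, fingerprints included, which is what a pure ToolVersion bump should look like.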
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/test/correct-results.html 
new/flawfinder-2.0.19/test/correct-results.html
--- old/flawfinder-2.0.18/test/correct-results.html     2021-06-25 
02:22:25.000000000 +0200
+++ new/flawfinder-2.0.19/test/correct-results.html     2021-08-29 
22:21:28.000000000 +0200
@@ -9,7 +9,7 @@
 <body>
 <h1>Flawfinder Results</h1>
 Here are the security scan results from
-<a href="https://dwheeler.com/flawfinder";>Flawfinder version 2.0.18</a>,
+<a href="https://dwheeler.com/flawfinder";>Flawfinder version 2.0.19</a>,
 (C) 2001-2019 <a href="https://dwheeler.com";>David A. Wheeler</a>.
 Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
 <p>
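Review bot: the unchanged context line `(C) 2001-2019 <a href="https://dwheeler.com">David A. Wheeler</a>` keeps a copyright range ending in 2019 while the version beside it is bumped to 2.0.19 with a file timestamp of 2021-08-29; since this fixture only mirrors the banner the tool prints, the year range would have to be refreshed in flawfinder's own output first and the fixture regenerated afterwards (the same line recurs in correct-results.txt and test-results-008.txt below), otherwise banner and fixtures stay in step with each other but both stay stale. Consistency nit, not a blocker for the version bump.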
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/test/correct-results.txt 
new/flawfinder-2.0.19/test/correct-results.txt
--- old/flawfinder-2.0.18/test/correct-results.txt      2021-06-25 
02:22:25.000000000 +0200
+++ new/flawfinder-2.0.19/test/correct-results.txt      2021-08-29 
22:21:27.000000000 +0200
@@ -1,4 +1,4 @@
-Flawfinder version 2.0.18, (C) 2001-2019 David A. Wheeler.
+Flawfinder version 2.0.19, (C) 2001-2019 David A. Wheeler.
 Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
 Examining test.c
 Examining test2.c
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/test/test-results-008.txt 
new/flawfinder-2.0.19/test/test-results-008.txt
--- old/flawfinder-2.0.18/test/test-results-008.txt     2021-06-25 
02:22:37.000000000 +0200
+++ new/flawfinder-2.0.19/test/test-results-008.txt     2021-08-29 
22:21:41.000000000 +0200
@@ -1,4 +1,4 @@
-Flawfinder version 2.0.18, (C) 2001-2019 David A. Wheeler.
+Flawfinder version 2.0.19, (C) 2001-2019 David A. Wheeler.
 Showing hits not in test-saved-hitlist-008.txt
 Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/test/test-results.csv 
new/flawfinder-2.0.19/test/test-results.csv
--- old/flawfinder-2.0.18/test/test-results.csv 2021-06-25 02:22:36.282435000 
+0200
+++ new/flawfinder-2.0.19/test/test-results.csv 2021-08-29 22:21:39.902645000 
+0200
@@ -1,40 +1,40 @@
 
File,Line,Column,DefaultLevel,Level,Category,Name,Warning,Suggestion,Note,CWEs,Context,Fingerprint,ToolVersion,RuleId,HelpUri
-test.c,32,2,5,5,buffer,gets,"Does not check for buffer overflows (CWE-120, 
CWE-20).",Use fgets() instead.,,"CWE-120, CWE-20", 
gets(f);,6a5bb383fb44030b0d9428b17359e94ba3979bc1ce702be450427f85592c649a,2.0.18,FF1014,https://cwe.mitre.org/data/definitions/120.html
-test.c,60,3,1,5,buffer,strncat,"Easily used incorrectly (e.g., incorrectly 
computing the correct maximum size to add) [MS-banned] (CWE-120).","Consider 
strcat_s, strlcat, snprintf, or automatically resizing strings.","Risk is high; 
the length parameter appears to be a constant, instead of computing the number 
of characters left.",CWE-120,"  strncat(d,s,sizeof(d)); /* Misuse - this should 
be flagged as riskier. 
*/",cbd19c308547e79af13436d8f7dbcf6c62e49e4f62ba9aee38fbef29e0772f74,2.0.18,FF1010,https://cwe.mitre.org/data/definitions/120.html
-test.c,61,3,1,5,buffer,_tcsncat,"Easily used incorrectly (e.g., incorrectly 
computing the correct maximum size to add) [MS-banned] (CWE-120).","Consider 
strcat_s, strlcat, or automatically resizing strings.","Risk is high; the 
length parameter appears to be a constant, instead of computing the number of 
characters left.",CWE-120,"  _tcsncat(d,s,sizeof(d)); /* Misuse - flag as 
riskier 
*/",c3f6ba2c710efc878e66df4578894fd408452cb7cdec7ae6f492a3b1796f8c42,2.0.18,FF1011,https://cwe.mitre.org/data/definitions/120.html
-test.c,64,3,2,5,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is high, it appears that the size is 
given as bytes, but the function requires size as characters.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName));",4f5b73ff337a54d6e1d9a369659ca0ddb4f80e6b7e38a17e5b112f6d3e266e69,2.0.18,FF1023,https://cwe.mitre.org/data/definitions/120.html
-test.c,66,3,2,5,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is high, it appears that the size is 
given as bytes, but the function requires size as characters.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof 
wszUserName);",9ecdc1e903acc16a646bf7909a630ae22a7593b70952c39ce6bd9c5a23fad0fd,2.0.18,FF1023,https://cwe.mitre.org/data/definitions/120.html
-test.c,77,3,5,5,misc,SetSecurityDescriptorDacl,"Never create NULL ACLs; an 
attacker can set it to Everyone (Deny All Access), which would even forbid 
administrator access (CWE-732).",,,CWE-732,"  
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);",5fed1e135b593b4c943e66e89a26ff131eba18b83a32a8af37d1c0bd7b01aadb,2.0.18,FF1060,https://cwe.mitre.org/data/definitions/732.html
-test.c,77,3,5,5,misc,SetSecurityDescriptorDacl,"Never create NULL ACLs; an 
attacker can set it to Everyone (Deny All Access), which would even forbid 
administrator access (CWE-732).",,,CWE-732,"  
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);",5fed1e135b593b4c943e66e89a26ff131eba18b83a32a8af37d1c0bd7b01aadb,2.0.18,FF1060,https://cwe.mitre.org/data/definitions/732.html
-test.c,17,2,4,4,buffer,strcpy,Does not check for buffer overflows when copying 
to destination [MS-banned] (CWE-120).,"Consider using snprintf, strcpy_s, or 
strlcpy (warning: strncpy easily misused).",,CWE-120," strcpy(b, 
a);",c01c8472bb53022e912da4da2faebc67d537855da324020c44bfd5e608a79b77,2.0.18,FF1001,https://cwe.mitre.org/data/definitions/120.html
-test.c,20,2,4,4,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",,CWE-120," sprintf(s, 
""hello %s"", 
bug);",814237858ab012010f3355a49480dd6fa0a2cb8cf8356a98ac1c17c9febf6521,2.0.18,FF1015,https://cwe.mitre.org/data/definitions/120.html
-test.c,21,2,4,4,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",,CWE-120," sprintf(s, 
gettext(""hello %s""), 
bug);",b793f18f143fb2297c49e0639384ad73db86eb01a44377aa4d5d09b44b03d747,2.0.18,FF1015,https://cwe.mitre.org/data/definitions/120.html
-test.c,22,2,4,4,format,sprintf,Potential format string problem (CWE-134).,Make 
format string constant.,,CWE-134," sprintf(s, unknown, 
bug);",16ebc2ff96ee4bab2695783709e97b597ca9c8b8cc149e33aed859f0fafd3431,2.0.18,FF1015,https://cwe.mitre.org/data/definitions/134.html
-test.c,23,2,4,4,format,printf,"If format strings can be influenced by an 
attacker, they can be exploited (CWE-134).",Use a constant for the format 
specification.,,CWE-134," printf(bf, 
x);",46f42896019245d2dffc4caf4fe018b073ce2a58203676eaa28b6374558a5b5d,2.0.18,FF1016,https://cwe.mitre.org/data/definitions/134.html
-test.c,25,2,4,4,buffer,scanf,"The scanf() family's %s operation, without a 
limit specification, permits buffer overflows (CWE-120, CWE-20).","Specify a 
limit to %s, or use a different input function.",,"CWE-120, CWE-20"," 
scanf(""%s"", 
s);",3f169dd9fe508f70438f818770a3cb8b0f228e4245ea11a929a5fb0a7839fd5f,2.0.18,FF1020,https://cwe.mitre.org/data/definitions/120.html
-test.c,27,2,4,4,buffer,scanf,"The scanf() family's %s operation, without a 
limit specification, permits buffer overflows (CWE-120, CWE-20).","Specify a 
limit to %s, or use a different input function.",,"CWE-120, CWE-20"," 
scanf(""%s"", 
s);",3f169dd9fe508f70438f818770a3cb8b0f228e4245ea11a929a5fb0a7839fd5f,2.0.18,FF1020,https://cwe.mitre.org/data/definitions/120.html
-test.c,38,2,4,4,format,syslog,"If syslog's format strings can be influenced by 
an attacker, they can be exploited (CWE-134).",Use a constant format string for 
syslog.,,CWE-134," syslog(LOG_ERR, 
attacker_string);",22e98963d5af7b197a090bd522d2d39b8d8ee7bdf08453fd2008939c92cd9677,2.0.18,FF1018,https://cwe.mitre.org/data/definitions/134.html
-test.c,49,3,4,4,buffer,_mbscpy,Does not check for buffer overflows when 
copying to destination [MS-banned] (CWE-120).,Consider using a function version 
that stops copying at the end of the buffer.,,CWE-120,"  _mbscpy(d,s); /* like 
strcpy, this doesn't check for buffer overflow 
*/",e00a4a1a0a3603db98a23fcff3c9cdfd9012f5a81826814d9508e0f22089b993,2.0.18,FF1003,https://cwe.mitre.org/data/definitions/120.html
-test.c,56,3,4,4,buffer,lstrcat,Does not check for buffer overflows when 
concatenating to destination [MS-banned] (CWE-120).,,,CWE-120,"  
lstrcat(d,s);",364b4c512862fdccbca27d2fa7737995b5d24b637a760976c940ae636218d340,2.0.18,FF1006,https://cwe.mitre.org/data/definitions/120.html
-test.c,79,3,3,3,shell,CreateProcess,This causes a new process to execute and 
is difficult to use safely (CWE-78).,"Specify the application path in the first 
argument, NOT as part of the second, or embedded spaces could allow an attacker 
to force a different program to run.",,CWE-78,"  CreateProcess(NULL, 
""C:\\Program Files\\GoodGuy\\GoodGuy.exe -x"", 
"""");",3c712b38d0857bde3832d85ad35ac9859be55c5f5f1c20af659a577dd4d0acbf,2.0.18,FF1046,https://cwe.mitre.org/data/definitions/78.html
-test.c,79,3,3,3,shell,CreateProcess,This causes a new process to execute and 
is difficult to use safely (CWE-78).,"Specify the application path in the first 
argument, NOT as part of the second, or embedded spaces could allow an attacker 
to force a different program to run.",,CWE-78,"  CreateProcess(NULL, 
""C:\\Program Files\\GoodGuy\\GoodGuy.exe -x"", 
"""");",3c712b38d0857bde3832d85ad35ac9859be55c5f5f1c20af659a577dd4d0acbf,2.0.18,FF1046,https://cwe.mitre.org/data/definitions/78.html
-test.c,81,10,3,3,misc,LoadLibraryEx,"Ensure that the full path to the library 
is specified, or current directory may be used (CWE-829, CWE-20).",Use a flag 
like LOAD_LIBRARY_SEARCH_SYSTEM32 or LOAD_LIBRARY_SEARCH_APPLICATION_DIR to 
search only desired folders.,,"CWE-829, CWE-20","  (void) 
LoadLibraryEx(L""user32.dll"", nullptr, 
LOAD_LIBRARY_AS_DATAFILE);",b1f99ecaa31e682487d795afbf03282fd56ad9f2aa630d0196219b277d2a68c9,2.0.18,FF1059,https://cwe.mitre.org/data/definitions/829.html
-test.c,99,20,3,3,buffer,getopt_long,"Some older implementations do not protect 
against internal buffer overflows (CWE-120, CWE-20).","Check implementation on 
installation, or limit the size of all string inputs.",,"CWE-120, CWE-20","    
while ((optc = getopt_long (argc, argv, ""a"",longopts, NULL )) != EOF) 
{",5bedf6e5bccf596008ef191ec4c5d4cc51a32cff0c05ef62d5f10fab93d0cc24,2.0.18,FF1027,https://cwe.mitre.org/data/definitions/120.html
-test.c,16,2,4,2,buffer,strcpy,Does not check for buffer overflows when copying 
to destination [MS-banned] (CWE-120).,"Consider using snprintf, strcpy_s, or 
strlcpy (warning: strncpy easily misused).",Risk is low because the source is a 
constant string.,CWE-120," strcpy(a, gettext(""Hello there"")); // Did this 
work?",d64070fb93ff0bb797fb926f4dddc7212d42f77e288d5ceb0cd30ed2979fa28d,2.0.18,FF1001,https://cwe.mitre.org/data/definitions/120.html
-test.c,19,2,4,2,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",Risk is low because the 
source has a constant maximum length.,CWE-120," sprintf(s, 
""hello"");",907b46be1c3ea7b38f90a4d1b0f43b7751cd8cbe38fae840930ff006b702157d,2.0.18,FF1015,https://cwe.mitre.org/data/definitions/120.html
-test.c,45,3,2,2,buffer,char,"Statically-sized arrays can be improperly 
restricted, leading to potential overflows or other issues 
(CWE-119!/CWE-120).","Perform bounds checking, use functions that limit length, 
or ensure that the size is larger than the maximum possible 
length.",,CWE-119!/CWE-120,  char 
d[20];,36c87517700337a59cc3ad3218cfdde56cad37d69cdeccee5a55ab232d5c7946,2.0.18,FF1013,https://cwe.mitre.org/data/definitions/119.html
-test.c,46,3,2,2,buffer,char,"Statically-sized arrays can be improperly 
restricted, leading to potential overflows or other issues 
(CWE-119!/CWE-120).","Perform bounds checking, use functions that limit length, 
or ensure that the size is larger than the maximum possible 
length.",,CWE-119!/CWE-120,  char 
s[20];,213de8e8815fc84c423b55fd845fea541f25744718e486234364bb457863b597,2.0.18,FF1013,https://cwe.mitre.org/data/definitions/119.html
-test.c,50,3,2,2,buffer,memcpy,Does not check for buffer overflows when copying 
to destination (CWE-120).,Make sure destination can always hold the source 
data.,,CWE-120,"  memcpy(d,s); // fail - no 
size",e667b352fb0748c67b607b11577b11bad87545779c39923e61839dd04056055f,2.0.18,FF1004,https://cwe.mitre.org/data/definitions/120.html
-test.c,53,3,2,2,buffer,memcpy,Does not check for buffer overflows when copying 
to destination (CWE-120).,Make sure destination can always hold the source 
data.,,CWE-120,"  memcpy(&n,s,sizeof(s)); // fail - sizeof not of 
destination",01bcc2c8ba2d928ac3315b4dcc6593042ea05e62888a10a6d2cf16797a65ed32,2.0.18,FF1004,https://cwe.mitre.org/data/definitions/120.html
-test.c,54,3,2,2,buffer,memcpy,Does not check for buffer overflows when copying 
to destination (CWE-120).,Make sure destination can always hold the source 
data.,,CWE-120,"  memcpy(d,s,n); // fail - size 
unguessable",2517a2fb5981193a6017cca660d16e85aab133706cbec302df97aaa623fc77ef,2.0.18,FF1004,https://cwe.mitre.org/data/definitions/120.html
-test.c,55,3,2,2,buffer,CopyMemory,Does not check for buffer overflows when 
copying to destination (CWE-120).,Make sure destination can always hold the 
source data.,,CWE-120,"  
CopyMemory(d,s);",977f8c805ddd76ff32e0f7aea08701ba97d9ce6955136e98b308ed4f70eb2e11,2.0.18,FF1004,https://cwe.mitre.org/data/definitions/120.html
-test.c,105,7,2,2,misc,fopen,"Check when opening files - can an attacker 
redirect it (via symlinks), force the opening of special file type (e.g., 
device files), move things around to create a race condition, control its 
ancestors, or change its contents? (CWE-362).",,,CWE-362,"  f = 
fopen(""/etc/passwd"", ""r""); 
",2ec6928c77a8b54caa61d0459f367c4394ee1f5e6f488753f587bfa9c780bad8,2.0.18,FF1040,https://cwe.mitre.org/data/definitions/362.html
-test.c,15,2,4,1,buffer,strcpy,Does not check for buffer overflows when copying 
to destination [MS-banned] (CWE-120).,"Consider using snprintf, strcpy_s, or 
strlcpy (warning: strncpy easily misused).",Risk is low because the source is a 
constant character.,CWE-120," strcpy(a, ""\n""); // Did this 
work?",0badc5f4c500d17b42794feaca54ee0f49e607a32510af3ed749579001017edb,2.0.18,FF1001,https://cwe.mitre.org/data/definitions/120.html
-test.c,18,2,4,1,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",Risk is low because the 
source is a constant character.,CWE-120," sprintf(s, 
""\n"");",c65fbd60851f3c8ace22332805966606488c0d242c1823493c582e267609b1a7,2.0.18,FF1015,https://cwe.mitre.org/data/definitions/120.html
-test.c,26,2,4,1,buffer,scanf,It's unclear if the %s limit in the format string 
is small enough (CWE-120).,"Check that the limit is sufficiently small, or use 
a different input function.",,CWE-120," scanf(""%10s"", 
s);",e24c4c801f10acfa93098b2bef58524efe4f88237f2dd8b58be9afa838616afe,2.0.18,FF1020,https://cwe.mitre.org/data/definitions/120.html
-test.c,57,3,1,1,buffer,strncpy,Easily used incorrectly; doesn't always 
\0-terminate or check for invalid pointers [MS-banned] (CWE-120).,,,CWE-120,"  
strncpy(d,s);",8fa14bf72393a00f667ffcc06b7b7e5f0b6d2f16d8d67444db06b0deb35b5f5e,2.0.18,FF1008,https://cwe.mitre.org/data/definitions/120.html
-test.c,58,3,1,1,buffer,_tcsncpy,Easily used incorrectly; doesn't always 
\0-terminate or check for invalid pointers [MS-banned] (CWE-120).,,,CWE-120,"  
_tcsncpy(d,s);",691fabd4ca960a00e4c538eee0187ee0fdf59bd43dd71e792c14175150369b8b,2.0.18,FF1009,https://cwe.mitre.org/data/definitions/120.html
-test.c,59,3,1,1,buffer,strncat,"Easily used incorrectly (e.g., incorrectly 
computing the correct maximum size to add) [MS-banned] (CWE-120).","Consider 
strcat_s, strlcat, snprintf, or automatically resizing strings.",,CWE-120,"  
strncat(d,s,10);",dd92f996a554bfbc038bea27640ba25dcf298383140a8330dca7cdacf493a701,2.0.18,FF1010,https://cwe.mitre.org/data/definitions/120.html
-test.c,62,7,1,1,buffer,strlen,Does not handle strings that are not 
\0-terminated; if given one it may perform an over-read (it could cause a crash 
if unprotected) (CWE-126).,,,CWE-126,  n = 
strlen(d);,db7201c7df7f543ea76febb060bda167e414e71e3d18095fe1def69f8c47a4f6,2.0.18,FF1022,https://cwe.mitre.org/data/definitions/126.html
-test.c,68,3,2,1,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is very low, the length appears to be 
in characters not bytes.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName)/sizeof(wszUserName[0]));",1813fc329227b38abae867d8023a9e29c7517d679fe55c86f8300dde681b6470,2.0.18,FF1023,https://cwe.mitre.org/data/definitions/120.html
-test.c,70,3,2,1,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is very low, the length appears to be 
in characters not bytes.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof wszUserName 
/sizeof(wszUserName[0]));",7c6cdcb10ad3a16b8bfd56e3dac84829f9bc3e39d4dde74a2be9bbe000102fc5,2.0.18,FF1023,https://cwe.mitre.org/data/definitions/120.html
+test.c,32,2,5,5,buffer,gets,"Does not check for buffer overflows (CWE-120, 
CWE-20).",Use fgets() instead.,,"CWE-120, CWE-20", 
gets(f);,6a5bb383fb44030b0d9428b17359e94ba3979bc1ce702be450427f85592c649a,2.0.19,FF1014,https://cwe.mitre.org/data/definitions/120.html
+test.c,60,3,1,5,buffer,strncat,"Easily used incorrectly (e.g., incorrectly 
computing the correct maximum size to add) [MS-banned] (CWE-120).","Consider 
strcat_s, strlcat, snprintf, or automatically resizing strings.","Risk is high; 
the length parameter appears to be a constant, instead of computing the number 
of characters left.",CWE-120,"  strncat(d,s,sizeof(d)); /* Misuse - this should 
be flagged as riskier. 
*/",cbd19c308547e79af13436d8f7dbcf6c62e49e4f62ba9aee38fbef29e0772f74,2.0.19,FF1010,https://cwe.mitre.org/data/definitions/120.html
+test.c,61,3,1,5,buffer,_tcsncat,"Easily used incorrectly (e.g., incorrectly 
computing the correct maximum size to add) [MS-banned] (CWE-120).","Consider 
strcat_s, strlcat, or automatically resizing strings.","Risk is high; the 
length parameter appears to be a constant, instead of computing the number of 
characters left.",CWE-120,"  _tcsncat(d,s,sizeof(d)); /* Misuse - flag as 
riskier 
*/",c3f6ba2c710efc878e66df4578894fd408452cb7cdec7ae6f492a3b1796f8c42,2.0.19,FF1011,https://cwe.mitre.org/data/definitions/120.html
+test.c,64,3,2,5,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is high, it appears that the size is 
given as bytes, but the function requires size as characters.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName));",4f5b73ff337a54d6e1d9a369659ca0ddb4f80e6b7e38a17e5b112f6d3e266e69,2.0.19,FF1023,https://cwe.mitre.org/data/definitions/120.html
+test.c,66,3,2,5,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is high, it appears that the size is 
given as bytes, but the function requires size as characters.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof 
wszUserName);",9ecdc1e903acc16a646bf7909a630ae22a7593b70952c39ce6bd9c5a23fad0fd,2.0.19,FF1023,https://cwe.mitre.org/data/definitions/120.html
+test.c,77,3,5,5,misc,SetSecurityDescriptorDacl,"Never create NULL ACLs; an 
attacker can set it to Everyone (Deny All Access), which would even forbid 
administrator access (CWE-732).",,,CWE-732,"  
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);",5fed1e135b593b4c943e66e89a26ff131eba18b83a32a8af37d1c0bd7b01aadb,2.0.19,FF1060,https://cwe.mitre.org/data/definitions/732.html
+test.c,77,3,5,5,misc,SetSecurityDescriptorDacl,"Never create NULL ACLs; an 
attacker can set it to Everyone (Deny All Access), which would even forbid 
administrator access (CWE-732).",,,CWE-732,"  
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);",5fed1e135b593b4c943e66e89a26ff131eba18b83a32a8af37d1c0bd7b01aadb,2.0.19,FF1060,https://cwe.mitre.org/data/definitions/732.html
+test.c,17,2,4,4,buffer,strcpy,Does not check for buffer overflows when copying 
to destination [MS-banned] (CWE-120).,"Consider using snprintf, strcpy_s, or 
strlcpy (warning: strncpy easily misused).",,CWE-120," strcpy(b, 
a);",c01c8472bb53022e912da4da2faebc67d537855da324020c44bfd5e608a79b77,2.0.19,FF1001,https://cwe.mitre.org/data/definitions/120.html
+test.c,20,2,4,4,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",,CWE-120," sprintf(s, 
""hello %s"", 
bug);",814237858ab012010f3355a49480dd6fa0a2cb8cf8356a98ac1c17c9febf6521,2.0.19,FF1015,https://cwe.mitre.org/data/definitions/120.html
+test.c,21,2,4,4,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",,CWE-120," sprintf(s, 
gettext(""hello %s""), 
bug);",b793f18f143fb2297c49e0639384ad73db86eb01a44377aa4d5d09b44b03d747,2.0.19,FF1015,https://cwe.mitre.org/data/definitions/120.html
+test.c,22,2,4,4,format,sprintf,Potential format string problem (CWE-134).,Make 
format string constant.,,CWE-134," sprintf(s, unknown, 
bug);",16ebc2ff96ee4bab2695783709e97b597ca9c8b8cc149e33aed859f0fafd3431,2.0.19,FF1015,https://cwe.mitre.org/data/definitions/134.html
+test.c,23,2,4,4,format,printf,"If format strings can be influenced by an 
attacker, they can be exploited (CWE-134).",Use a constant for the format 
specification.,,CWE-134," printf(bf, 
x);",46f42896019245d2dffc4caf4fe018b073ce2a58203676eaa28b6374558a5b5d,2.0.19,FF1016,https://cwe.mitre.org/data/definitions/134.html
+test.c,25,2,4,4,buffer,scanf,"The scanf() family's %s operation, without a 
limit specification, permits buffer overflows (CWE-120, CWE-20).","Specify a 
limit to %s, or use a different input function.",,"CWE-120, CWE-20"," 
scanf(""%s"", 
s);",3f169dd9fe508f70438f818770a3cb8b0f228e4245ea11a929a5fb0a7839fd5f,2.0.19,FF1020,https://cwe.mitre.org/data/definitions/120.html
+test.c,27,2,4,4,buffer,scanf,"The scanf() family's %s operation, without a 
limit specification, permits buffer overflows (CWE-120, CWE-20).","Specify a 
limit to %s, or use a different input function.",,"CWE-120, CWE-20"," 
scanf(""%s"", 
s);",3f169dd9fe508f70438f818770a3cb8b0f228e4245ea11a929a5fb0a7839fd5f,2.0.19,FF1020,https://cwe.mitre.org/data/definitions/120.html
+test.c,38,2,4,4,format,syslog,"If syslog's format strings can be influenced by 
an attacker, they can be exploited (CWE-134).",Use a constant format string for 
syslog.,,CWE-134," syslog(LOG_ERR, 
attacker_string);",22e98963d5af7b197a090bd522d2d39b8d8ee7bdf08453fd2008939c92cd9677,2.0.19,FF1018,https://cwe.mitre.org/data/definitions/134.html
+test.c,49,3,4,4,buffer,_mbscpy,Does not check for buffer overflows when 
copying to destination [MS-banned] (CWE-120).,Consider using a function version 
that stops copying at the end of the buffer.,,CWE-120,"  _mbscpy(d,s); /* like 
strcpy, this doesn't check for buffer overflow 
*/",e00a4a1a0a3603db98a23fcff3c9cdfd9012f5a81826814d9508e0f22089b993,2.0.19,FF1003,https://cwe.mitre.org/data/definitions/120.html
+test.c,56,3,4,4,buffer,lstrcat,Does not check for buffer overflows when 
concatenating to destination [MS-banned] (CWE-120).,,,CWE-120,"  
lstrcat(d,s);",364b4c512862fdccbca27d2fa7737995b5d24b637a760976c940ae636218d340,2.0.19,FF1006,https://cwe.mitre.org/data/definitions/120.html
+test.c,79,3,3,3,shell,CreateProcess,This causes a new process to execute and 
is difficult to use safely (CWE-78).,"Specify the application path in the first 
argument, NOT as part of the second, or embedded spaces could allow an attacker 
to force a different program to run.",,CWE-78,"  CreateProcess(NULL, 
""C:\\Program Files\\GoodGuy\\GoodGuy.exe -x"", 
"""");",3c712b38d0857bde3832d85ad35ac9859be55c5f5f1c20af659a577dd4d0acbf,2.0.19,FF1046,https://cwe.mitre.org/data/definitions/78.html
+test.c,79,3,3,3,shell,CreateProcess,This causes a new process to execute and 
is difficult to use safely (CWE-78).,"Specify the application path in the first 
argument, NOT as part of the second, or embedded spaces could allow an attacker 
to force a different program to run.",,CWE-78,"  CreateProcess(NULL, 
""C:\\Program Files\\GoodGuy\\GoodGuy.exe -x"", 
"""");",3c712b38d0857bde3832d85ad35ac9859be55c5f5f1c20af659a577dd4d0acbf,2.0.19,FF1046,https://cwe.mitre.org/data/definitions/78.html
+test.c,81,10,3,3,misc,LoadLibraryEx,"Ensure that the full path to the library 
is specified, or current directory may be used (CWE-829, CWE-20).",Use a flag 
like LOAD_LIBRARY_SEARCH_SYSTEM32 or LOAD_LIBRARY_SEARCH_APPLICATION_DIR to 
search only desired folders.,,"CWE-829, CWE-20","  (void) 
LoadLibraryEx(L""user32.dll"", nullptr, 
LOAD_LIBRARY_AS_DATAFILE);",b1f99ecaa31e682487d795afbf03282fd56ad9f2aa630d0196219b277d2a68c9,2.0.19,FF1059,https://cwe.mitre.org/data/definitions/829.html
+test.c,99,20,3,3,buffer,getopt_long,"Some older implementations do not protect 
against internal buffer overflows (CWE-120, CWE-20).","Check implementation on 
installation, or limit the size of all string inputs.",,"CWE-120, CWE-20","    
while ((optc = getopt_long (argc, argv, ""a"",longopts, NULL )) != EOF) 
{",5bedf6e5bccf596008ef191ec4c5d4cc51a32cff0c05ef62d5f10fab93d0cc24,2.0.19,FF1027,https://cwe.mitre.org/data/definitions/120.html
+test.c,16,2,4,2,buffer,strcpy,Does not check for buffer overflows when copying 
to destination [MS-banned] (CWE-120).,"Consider using snprintf, strcpy_s, or 
strlcpy (warning: strncpy easily misused).",Risk is low because the source is a 
constant string.,CWE-120," strcpy(a, gettext(""Hello there"")); // Did this 
work?",d64070fb93ff0bb797fb926f4dddc7212d42f77e288d5ceb0cd30ed2979fa28d,2.0.19,FF1001,https://cwe.mitre.org/data/definitions/120.html
+test.c,19,2,4,2,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",Risk is low because the 
source has a constant maximum length.,CWE-120," sprintf(s, 
""hello"");",907b46be1c3ea7b38f90a4d1b0f43b7751cd8cbe38fae840930ff006b702157d,2.0.19,FF1015,https://cwe.mitre.org/data/definitions/120.html
+test.c,45,3,2,2,buffer,char,"Statically-sized arrays can be improperly 
restricted, leading to potential overflows or other issues 
(CWE-119!/CWE-120).","Perform bounds checking, use functions that limit length, 
or ensure that the size is larger than the maximum possible 
length.",,CWE-119!/CWE-120,  char 
d[20];,36c87517700337a59cc3ad3218cfdde56cad37d69cdeccee5a55ab232d5c7946,2.0.19,FF1013,https://cwe.mitre.org/data/definitions/119.html
+test.c,46,3,2,2,buffer,char,"Statically-sized arrays can be improperly 
restricted, leading to potential overflows or other issues 
(CWE-119!/CWE-120).","Perform bounds checking, use functions that limit length, 
or ensure that the size is larger than the maximum possible 
length.",,CWE-119!/CWE-120,  char 
s[20];,213de8e8815fc84c423b55fd845fea541f25744718e486234364bb457863b597,2.0.19,FF1013,https://cwe.mitre.org/data/definitions/119.html
+test.c,50,3,2,2,buffer,memcpy,Does not check for buffer overflows when copying 
to destination (CWE-120).,Make sure destination can always hold the source 
data.,,CWE-120,"  memcpy(d,s); // fail - no 
size",e667b352fb0748c67b607b11577b11bad87545779c39923e61839dd04056055f,2.0.19,FF1004,https://cwe.mitre.org/data/definitions/120.html
+test.c,53,3,2,2,buffer,memcpy,Does not check for buffer overflows when copying 
to destination (CWE-120).,Make sure destination can always hold the source 
data.,,CWE-120,"  memcpy(&n,s,sizeof(s)); // fail - sizeof not of 
destination",01bcc2c8ba2d928ac3315b4dcc6593042ea05e62888a10a6d2cf16797a65ed32,2.0.19,FF1004,https://cwe.mitre.org/data/definitions/120.html
+test.c,54,3,2,2,buffer,memcpy,Does not check for buffer overflows when copying 
to destination (CWE-120).,Make sure destination can always hold the source 
data.,,CWE-120,"  memcpy(d,s,n); // fail - size 
unguessable",2517a2fb5981193a6017cca660d16e85aab133706cbec302df97aaa623fc77ef,2.0.19,FF1004,https://cwe.mitre.org/data/definitions/120.html
+test.c,55,3,2,2,buffer,CopyMemory,Does not check for buffer overflows when 
copying to destination (CWE-120).,Make sure destination can always hold the 
source data.,,CWE-120,"  
CopyMemory(d,s);",977f8c805ddd76ff32e0f7aea08701ba97d9ce6955136e98b308ed4f70eb2e11,2.0.19,FF1004,https://cwe.mitre.org/data/definitions/120.html
+test.c,105,7,2,2,misc,fopen,"Check when opening files - can an attacker 
redirect it (via symlinks), force the opening of special file type (e.g., 
device files), move things around to create a race condition, control its 
ancestors, or change its contents? (CWE-362).",,,CWE-362,"  f = 
fopen(""/etc/passwd"", ""r""); 
",2ec6928c77a8b54caa61d0459f367c4394ee1f5e6f488753f587bfa9c780bad8,2.0.19,FF1040,https://cwe.mitre.org/data/definitions/362.html
+test.c,15,2,4,1,buffer,strcpy,Does not check for buffer overflows when copying 
to destination [MS-banned] (CWE-120).,"Consider using snprintf, strcpy_s, or 
strlcpy (warning: strncpy easily misused).",Risk is low because the source is a 
constant character.,CWE-120," strcpy(a, ""\n""); // Did this 
work?",0badc5f4c500d17b42794feaca54ee0f49e607a32510af3ed749579001017edb,2.0.19,FF1001,https://cwe.mitre.org/data/definitions/120.html
+test.c,18,2,4,1,buffer,sprintf,Does not check for buffer overflows 
(CWE-120).,"Use sprintf_s, snprintf, or vsnprintf.",Risk is low because the 
source is a constant character.,CWE-120," sprintf(s, 
""\n"");",c65fbd60851f3c8ace22332805966606488c0d242c1823493c582e267609b1a7,2.0.19,FF1015,https://cwe.mitre.org/data/definitions/120.html
+test.c,26,2,4,1,buffer,scanf,It's unclear if the %s limit in the format string 
is small enough (CWE-120).,"Check that the limit is sufficiently small, or use 
a different input function.",,CWE-120," scanf(""%10s"", 
s);",e24c4c801f10acfa93098b2bef58524efe4f88237f2dd8b58be9afa838616afe,2.0.19,FF1020,https://cwe.mitre.org/data/definitions/120.html
+test.c,57,3,1,1,buffer,strncpy,Easily used incorrectly; doesn't always 
\0-terminate or check for invalid pointers [MS-banned] (CWE-120).,,,CWE-120,"  
strncpy(d,s);",8fa14bf72393a00f667ffcc06b7b7e5f0b6d2f16d8d67444db06b0deb35b5f5e,2.0.19,FF1008,https://cwe.mitre.org/data/definitions/120.html
+test.c,58,3,1,1,buffer,_tcsncpy,Easily used incorrectly; doesn't always 
\0-terminate or check for invalid pointers [MS-banned] (CWE-120).,,,CWE-120,"  
_tcsncpy(d,s);",691fabd4ca960a00e4c538eee0187ee0fdf59bd43dd71e792c14175150369b8b,2.0.19,FF1009,https://cwe.mitre.org/data/definitions/120.html
+test.c,59,3,1,1,buffer,strncat,"Easily used incorrectly (e.g., incorrectly 
computing the correct maximum size to add) [MS-banned] (CWE-120).","Consider 
strcat_s, strlcat, snprintf, or automatically resizing strings.",,CWE-120,"  
strncat(d,s,10);",dd92f996a554bfbc038bea27640ba25dcf298383140a8330dca7cdacf493a701,2.0.19,FF1010,https://cwe.mitre.org/data/definitions/120.html
+test.c,62,7,1,1,buffer,strlen,Does not handle strings that are not 
\0-terminated; if given one it may perform an over-read (it could cause a crash 
if unprotected) (CWE-126).,,,CWE-126,  n = 
strlen(d);,db7201c7df7f543ea76febb060bda167e414e71e3d18095fe1def69f8c47a4f6,2.0.19,FF1022,https://cwe.mitre.org/data/definitions/126.html
+test.c,68,3,2,1,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is very low, the length appears to be 
in characters not bytes.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName)/sizeof(wszUserName[0]));",1813fc329227b38abae867d8023a9e29c7517d679fe55c86f8300dde681b6470,2.0.19,FF1023,https://cwe.mitre.org/data/definitions/120.html
+test.c,70,3,2,1,buffer,MultiByteToWideChar,"Requires maximum length in 
CHARACTERS, not bytes (CWE-120).",,"Risk is very low, the length appears to be 
in characters not bytes.",CWE-120,"  
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof wszUserName 
/sizeof(wszUserName[0]));",7c6cdcb10ad3a16b8bfd56e3dac84829f9bc3e39d4dde74a2be9bbe000102fc5,2.0.19,FF1023,https://cwe.mitre.org/data/definitions/120.html
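Review bot: every row in this hunk embeds the tool version (",2.0.19,") between the fingerprint and the FFxxxx rule id, so a version bump alone rewrites the whole of test-results.csv even though no finding changed; consider leaving the version out of the golden file, or having the test's comparison step normalise that column, so the expected results only churn when a hit, its level or its fingerprint actually differs. Separately, the CreateProcess hit at test.c line 79 appears twice in this hunk with the identical fingerprint (beginning 3c712b38d0857bde); if the duplicate is intended output of two overlapping rules it deserves a comment in the test expectations, otherwise the hit list should be de-duplicated by (file, line, column, rule) before the report is written.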
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/test/test-results.html 
new/flawfinder-2.0.19/test/test-results.html
--- old/flawfinder-2.0.18/test/test-results.html        2021-06-25 
02:22:36.000000000 +0200
+++ new/flawfinder-2.0.19/test/test-results.html        2021-08-29 
22:21:39.000000000 +0200
@@ -9,7 +9,7 @@
 <body>
 <h1>Flawfinder Results</h1>
 Here are the security scan results from
-<a href="https://dwheeler.com/flawfinder";>Flawfinder version 2.0.18</a>,
+<a href="https://dwheeler.com/flawfinder";>Flawfinder version 2.0.19</a>,
 (C) 2001-2019 <a href="https://dwheeler.com";>David A. Wheeler</a>.
 Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
 <p>
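Review bot: both the removed and the added anchor lines read `<a href="https://dwheeler.com/flawfinder";>`, with a stray `;` after the closing quote of the href; if that semicolon is really present in the generated test-results.html (rather than an artifact of this mail listing) the HTML reporter should emit `<a href="https://dwheeler.com/flawfinder">`, since the extra character becomes a junk attribute for browsers and HTML validators, and the same applies to the `<a href="https://dwheeler.com";>` on the following context line.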
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/flawfinder-2.0.18/test/test-results.txt 
new/flawfinder-2.0.19/test/test-results.txt
--- old/flawfinder-2.0.18/test/test-results.txt 2021-06-25 02:22:36.000000000 
+0200
+++ new/flawfinder-2.0.19/test/test-results.txt 2021-08-29 22:21:39.000000000 
+0200
@@ -1,4 +1,4 @@
-Flawfinder version 2.0.18, (C) 2001-2019 David A. Wheeler.
+Flawfinder version 2.0.19, (C) 2001-2019 David A. Wheeler.
 Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
 Examining test.c
 Examining test2.c
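Review bot: the only change in this hunk is the version in the banner line, while the same line still reads "(C) 2001-2019 David A. Wheeler." for a release whose files are dated 2021-08-29; update the copyright range together with the version bump, or derive both from a single constant in the reporter so the banner cannot drift half-updated, and note that because the banner is the first line of test-results.txt the expected-output comparison has to be refreshed on every release unless the test ignores that line.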
