Flawfinder
Flawfinder is a simple static code analysis tool of the “grep on speed” kind: its rules are mostly names of dangerous functions, which it matches against the source text. Because it is simple and fast, it should be one of the first tools you run to check your code. One nice thing: it sorts the findings by risk level, most severe first, so you can work through the report from top to bottom.
Because it is simple, it will not find every vulnerability. Continue with other tools and code reviews even if Flawfinder gives you a green light.
It will, however, guide you to the smelly areas of your code.
Flawfinder has two important modes:
- Finding smelly code that could contain vulnerabilities
- Finding code that accepts input
Finding issues
Fuzzgoat is a deliberately vulnerable C program for testing your fuzzer.
Running Flawfinder on Fuzzgoat produces a log like this:
flawfinder .
Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ rule set: 169
Examining ./main.c
Examining ./fuzzgoatNoVulns.c
Examining ./fuzzgoat.c
Warning: Skipping directory with initial dot ./.git
Examining ./fuzzgoat.h

FINAL RESULTS:

./fuzzgoat.c:1049: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
misused).
./fuzzgoatNoVulns.c:928: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
misused).
./fuzzgoat.c:368: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
./fuzzgoat.c:401: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
./fuzzgoat.c:427: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
./fuzzgoat.c:444: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
...shortened...
./main.c:135: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).

ANALYSIS SUMMARY:

Hits = 49
Lines analyzed = 2545 in approximately 0.04 seconds (69403 lines/second)
Physical Source Lines of Code (SLOC) = 1817
Hits@level = [0] 0 [1] 0 [2] 47 [3] 0 [4] 2 [5] 0
Hits@level+ = [0+] 49 [1+] 49 [2+] 49 [3+] 2 [4+] 2 [5+] 0
Hits/KSLOC@level+ = [0+] 26.9675 [1+] 26.9675 [2+] 26.9675 [3+] 1.10072 [4+] 1.10072 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See (http://www.dwheeler.com/secure-programs) for more information.
Finding inputs
Since every input into a program must be verified, filtered and sanitized, Flawfinder's ability to search for the code locations that accept input (the -I option) is a handy feature.
Use it, then spend some time writing code that validates the input data at each location it reports.
flawfinder -I .
Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 169
Examining ./main.c
Examining ./fuzzgoatNoVulns.c
Examining ./fuzzgoat.c
Warning: Skipping directory with initial dot ./.git
Examining ./fuzzgoat.h

FINAL RESULTS:

./main.c:142: [0] (input) fread:
Function accepts input from outside program (CWE-20). Make sure input data
is filtered, especially if an attacker could manipulate it.

ANALYSIS SUMMARY:

Hits = 1
Lines analyzed = 2545 in approximately 0.04 seconds (70448 lines/second)
Physical Source Lines of Code (SLOC) = 1817
Hits@level = [0] 1 [1] 0 [2] 0 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 1 [1+] 0 [2+] 0 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 0.550358 [1+] 0 [2+] 0 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 0
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming for Linux and Unix HOWTO'
(http://www.dwheeler.com/secure-programs) for more information.
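The level-4 strcpy hits in the first report and the fread input hit in the second call for the same kind of fix: a copy that knows its destination size, and input handling that validates attacker-controlled values before using them. The following is an added example, not code from Fuzzgoat or Flawfinder; the record format, the buffer size and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32

/* Flawfinder reports strcpy() at level 4 (CWE-120) because the destination
 * size is never checked. This bounded copy refuses input that does not fit,
 * rather than silently truncating as strncpy() would ("easily misused"). */
int copy_name(char dst[NAME_MAX_LEN], const char *src) {
    const char *end = memchr(src, '\0', NAME_MAX_LEN); /* reads at most 32 bytes */
    if (end == NULL)                                    /* no room for the NUL */
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);          /* fits, terminator included */
    return 0;
}

/* fread() is the kind of input point that "flawfinder -I" lists (CWE-20).
 * Hypothetical record format: one length byte followed by that many name
 * bytes. The length is attacker-controlled, so it is checked before use. */
int read_record(FILE *fp, char name[NAME_MAX_LEN]) {
    uint8_t len;
    if (fread(&len, 1, 1, fp) != 1)
        return -1;                           /* truncated input */
    if (len == 0 || len >= NAME_MAX_LEN)
        return -2;                           /* size outside the allowed range */
    if (fread(name, 1, len, fp) != len)
        return -1;                           /* short read: reject, never use partial data */
    name[len] = '\0';
    for (uint8_t i = 0; i < len; i++)        /* only printable ASCII is accepted */
        if (name[i] < 0x20 || name[i] > 0x7e)
            return -3;
    return len;
}

/* Driver: feed a constructed byte string to read_record() through tmpfile(). */
int read_record_from_bytes(const unsigned char *buf, size_t n, char name[NAME_MAX_LEN]) {
    FILE *fp = tmpfile();
    if (fp == NULL || fwrite(buf, 1, n, fp) != n)
        return -99;
    rewind(fp);
    int rc = read_record(fp, name);
    fclose(fp);
    return rc;
}
```

Run Flawfinder again after such a change: the strcpy hit disappears, while the fread hit stays, because -I lists every input point regardless of how well it is validated.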