From e06e2ba3df3bb865071364f3dc306f9f63778bfc Mon Sep 17 00:00:00 2001
From: Jon Hood
Date: Thu, 14 Sep 2017 13:16:22 -0500
Subject: [PATCH] update CWE, risk, and discussion for C++14 STL functions

---
 flawfinder | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/flawfinder b/flawfinder
index 8b765cd..7394946 100755
--- a/flawfinder
+++ b/flawfinder
@@ -1318,9 +1318,11 @@ c_ruleset = {
 # Unsafe STL functions that don't check the second iterator
 "equal|mismatch|is_permutation": (cpp_unsafe_stl,
- 2, # need further analysis to consider risk level
- "Function does not check the second iterator for overflow conditions (CWE-119/CWE-120)",
- "These functions are typically banned by most C++ coding standards in favor of their safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it",
+ # Like strlen, this is mostly a risk to availability; at worst it
+ # often causes a program crash.
+ 1,
+ "Function does not check the second iterator for over-read conditions (CWE-126)",
+ "This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it",
 "buffer", "", {}),
 # TODO: detect C++'s: cin >> charbuf, where charbuf is a char array; the problem