The following issues were found

src/third_party/wiredtiger/dist/wtperf_config.py
2 issues
Constant name "d" doesn't conform to UPPER_CASE naming style
Error

Line: 18 Column: 13 

              
    if v[3] == 'boolean':
        if v[2] == '0':
            d = 'false'
        else:
            d = 'true'
    elif v[3] == 'string':
        d = '"' + v[2] + '"'
    else:

Reported by Pylint.

Constant name "d" doesn't conform to UPPER_CASE naming style
Error

Line: 20 Column: 13 

                      if v[2] == '0':
            d = 'false'
        else:
            d = 'true'
    elif v[3] == 'string':
        d = '"' + v[2] + '"'
    else:
        d = v[2]
    print('@par ' + v[0] + ' (' + v[3] + ', default=' + d + ')')

Reported by Pylint.

src/third_party/unwind/dist/tests/Gtest-trace.c
2 issues
fprintf - If format strings can be influenced by an attacker, they can be exploited
Security

Line: 44 Column: 4 CWE codes: 134
Suggestion: Use a constant for the format specification 

              #include <libunwind.h>

#define panic(args...)				\
	{ fprintf (stderr, args); exit (-1); }

#define SIG_STACK_SIZE 0x100000

int verbose;
int num_errors;

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 53 Column: 1 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              
/* These variables are global because they
 * cause the signal stack to overflow */
char buf[512], name[256];
void *addresses[3][128];
unw_cursor_t cursor;
unw_context_t uc;

static void

Reported by FlawFinder.

src/third_party/wiredtiger/ext/compressors/nop/nop_compress.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 69 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                      return (0);
    }

    memcpy(dst, src, src_len);
    *result_lenp = src_len;

    return (0);
}
/*! [WT_COMPRESSOR compress] */

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 95 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                  /*
     * The destination length is the number of uncompressed bytes we're expected to return.
     */
    memcpy(dst, src, dst_len);
    *result_lenp = dst_len;
    return (0);
}
/*! [WT_COMPRESSOR decompress] */

Reported by FlawFinder.

src/third_party/wiredtiger/ext/encryptors/sodium/sodium_encrypt.c
2 issues
Memory leak: new
Error

Line: 323 CWE codes: 401 

                  }

    *customp = (WT_ENCRYPTOR *)new;
    return (0);

err:
    sodium_free(new->secretkey);
    free(new);
    return (ret);

Reported by Cppcheck.

Memory leak: sodium_encryptor
Error

Line: 395 CWE codes: 401 

              
    /* Initialize the crypto library. */
    if (sodium_init() < 0)
        return (WT_ERROR);

    /* Configure the extension. */
    if ((ret = sodium_configure(sodium_encryptor, config)) != 0) {
        free(sodium_encryptor);
        return (ret);

Reported by Cppcheck.

src/third_party/unwind/dist/tests/Gtest-init.cxx
2 issues
fprintf - If format strings can be influenced by an attacker, they can be exploited
Security

Line: 39 Column: 14 CWE codes: 134
Suggestion: Use a constant for the format specification 

              int verbose, errors;

#define panic(args...)					\
	{ ++errors; fprintf (stderr, args); return; }

class Test_Class {
  public:
  Test_Class (void);
};

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 51 Column: 3 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              static void
do_backtrace (void)
{
  char name[128], off[32];
  unw_word_t ip, offset;
  unw_cursor_t cursor;
  unw_context_t uc;
  int ret, count = 0;

Reported by FlawFinder.

src/third_party/unwind/dist/tests/Gtest-exc.c
2 issues
fprintf - If format strings can be influenced by an attacker, they can be exploited
Security

Line: 42 Column: 15 CWE codes: 134
Suggestion: Use a constant for the format specification 

              #endif

#define panic(args...)				\
	{ ++nerrors; fprintf (stderr, args); }

int nerrors = 0;
int verbose = 0;
int depth = 13;
volatile int got_here = 0;

Reported by FlawFinder.

atol - Unless checked, the resulting number can exceed the expected range
Security

Line: 141 Column: 15 CWE codes: 190
Suggestion: If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended) 

                if (argc > 1)
    {
      ++verbose;
      depth = atol (argv[1]);
      if (depth < 1)
	{
	  fprintf (stderr, "Usage: %s depth\n"
		   "  depth must be >= 1\n", argv[0]);
	  exit (-1);

Reported by FlawFinder.

src/third_party/wiredtiger/src/block/block_open.c
2 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 219 Column: 24 CWE codes: 362 

                      LF_SET(WT_FS_OPEN_DIRECTIO);
    block->file_flags = flags;
    if (block->has_objects)
        WT_ERR(opener->open(opener, session, WT_TIERED_CURRENT_ID, WT_FS_OPEN_FILE_TYPE_DATA,
          block->file_flags, &block->fh));
    else
        WT_ERR(
          __wt_open(session, filename, WT_FS_OPEN_FILE_TYPE_DATA, block->file_flags, &block->fh));

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 156 Column: 39 CWE codes: 126 

                  __wt_verbose(session, WT_VERB_BLOCK, "open: %s", filename);

    conn = S2C(session);
    hash = __wt_hash_city64(filename, strlen(filename));
    bucket = hash & (conn->hash_size - 1);
    __wt_spin_lock(session, &conn->block_lock);
    TAILQ_FOREACH (block, &conn->blockhash[bucket], hashq) {
        if (strcmp(filename, block->name) == 0) {
            ++block->ref;

Reported by FlawFinder.

src/third_party/wiredtiger/src/block/block_tiered.c
2 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 27 Column: 27 CWE codes: 362 

                   * requests in flight.
     */
    old_fh = block->fh;
    WT_RET(block->opener->open(
      block->opener, session, object_id, WT_FS_OPEN_FILE_TYPE_DATA, block->file_flags, &new_fh));
    block->fh = new_fh;
    block->objectid = object_id;

    return (__wt_close(session, &old_fh));

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 75 Column: 22 CWE codes: 362 

                   */
    ret = block->opener->open == NULL ?
      WT_NOTFOUND :
      block->opener->open(block->opener, session, object_id, WT_FS_OPEN_FILE_TYPE_DATA,
        WT_FS_OPEN_READONLY | block->file_flags, &block->ofh[object_id]);
    if (ret == 0) {
        *fhp = block->ofh[object_id];
        return (0);
    }

Reported by FlawFinder.

src/third_party/wiredtiger/src/btree/bt_read.c
2 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 244 Column: 18 CWE codes: 120 20 

                          if (LF_ISSET(WT_READ_DELETED_CHECK) &&
              __wt_delete_page_skip(session, ref, !F_ISSET(session->txn, WT_TXN_HAS_SNAPSHOT)))
                return (WT_NOTFOUND);
            goto read;
        case WT_REF_DISK:
            /* Optionally limit reads to cache-only. */
            if (LF_ISSET(WT_READ_CACHE))
                return (WT_NOTFOUND);
read:

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 249 Column: 1 CWE codes: 120 20 

                          /* Optionally limit reads to cache-only. */
            if (LF_ISSET(WT_READ_CACHE))
                return (WT_NOTFOUND);
read:
            /*
             * The page isn't in memory, read it. If this thread respects the cache size, check for
             * space in the cache.
             */
            if (!LF_ISSET(WT_READ_IGNORE_CACHE_SIZE))

Reported by FlawFinder.

src/third_party/wiredtiger/src/config/config_collapse.c
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 212 Column: 16 CWE codes: 126 

              
    for (; *enp < cp->entries_next; ++*enp) {
        ep = &cp->entries[*enp];
        len1 = strlen(ep->k);

        /*
         * The entries are in sorted order, take the last entry for any key.
         */
        if (*enp < (cp->entries_next - 1)) {

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 218 Column: 20 CWE codes: 126 

                       * The entries are in sorted order, take the last entry for any key.
         */
        if (*enp < (cp->entries_next - 1)) {
            len2 = strlen((ep + 1)->k);

            /* Choose the last of identical keys. */
            if (len1 == len2 && memcmp(ep->k, (ep + 1)->k, len1) == 0)
                continue;

Reported by FlawFinder.