The following issues were found

java/core/src/main/java/com/google/protobuf/Message.java
2 issues
This class has too many methods, consider refactoring it.
Design

Line: 104

                Builder toBuilder();

  /** Abstract interface implemented by Protocol Message builders. */
  interface Builder extends MessageLite.Builder, MessageOrBuilder {
    // (From MessageLite.Builder, re-declared here only for return type
    // covariance.)
    @Override
    Builder clear();


            

Reported by PMD.

clone() method should throw CloneNotSupportedException
Error

Line: 138

                  Message buildPartial();

    @Override
    Builder clone();

    @Override
    Builder mergeFrom(CodedInputStream input) throws IOException;

    @Override

            

Reported by PMD.

ruby/ext/google/protobuf_c/protobuf.c
2 issues
vsnprintf - If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate
Security

Line: 89 Column: 7 CWE codes: 134
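Suggestion: Use a constant for the format specification
Triage note: in this excerpt `fmt` is the enclosing function's own parameter, forwarded together with a `va_list`, so it cannot be a literal at this call site. The CWE-134 question is therefore whether every caller of the wrapper passes a constant format string; a printf-style format attribute on the wrapper's declaration lets the compiler check that. The write itself is bounded by `have`, and the `have <= n` branch handles truncation by growing the buffer. How a negative (error) return from `vsnprintf` is treated is not visible in the excerpt.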

                va_list args;

  va_start(args, fmt);
  n = vsnprintf(&b->data[b->size], have, fmt, args);
  va_end(args);

  if (have <= n) {
    while (have <= n) {
      b->cap *= 2;

            

Reported by FlawFinder.

vsnprintf - If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate
Security

Line: 99 Column: 9 CWE codes: 134
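Suggestion: Use a constant for the format specification
Triage note: this is the retry call in the same wrapper, so the format-string question is again one for the callers rather than this line. Separately, the excerpt assigns the result of `realloc` straight back to `b->data`; whether allocation failure is handled elsewhere is not visible here and is worth confirming, since the following `vsnprintf` writes through that pointer.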

                  }
    b->data = realloc(b->data, StringBuilder_SizeOf(b->cap));
    va_start(args, fmt);
    n = vsnprintf(&b->data[b->size], have, fmt, args);
    va_end(args);
    PBRUBY_ASSERT(n < have);
  }

  b->size += n;

            

Reported by FlawFinder.

src/google/protobuf/any_lite.cc
2 issues
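StrCat - Does not check for buffer overflows when concatenating to destination [MS-banned]
Triage note: this rule matches on the function name only and describes a C-style `StrCat(dest, src)` that appends into a caller-supplied buffer. In the excerpts on this page `StrCat` takes only its inputs and its result is returned or assigned as a string value (for example `static std::string ToString(I x) { return StrCat(x); }`), so there is no fixed-size destination to overflow. The StrCat / CWE-120 findings in this report should be triaged as name-collision false positives unless a call site actually writes into a raw buffer.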
Security

Line: 46 Column: 12 CWE codes: 120

                                     StringPiece type_url_prefix) {
  if (!type_url_prefix.empty() &&
      type_url_prefix[type_url_prefix.size() - 1] == '/') {
    return StrCat(type_url_prefix, message_name);
  } else {
    return StrCat(type_url_prefix, "/", message_name);
  }
}


            

Reported by FlawFinder.

StrCat - Does not check for buffer overflows when concatenating to destination [MS-banned]
Security

Line: 48 Column: 12 CWE codes: 120

                    type_url_prefix[type_url_prefix.size() - 1] == '/') {
    return StrCat(type_url_prefix, message_name);
  } else {
    return StrCat(type_url_prefix, "/", message_name);
  }
}

const char kAnyFullTypeName[] = "google.protobuf.Any";
const char kTypeGoogleApisComPrefix[] = "type.googleapis.com/";

            

Reported by FlawFinder.

src/google/protobuf/api.pb.cc
2 issues
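There is an unknown macro here somewhere. Configuration is required. If PROTOBUF_NAMESPACE_OPEN is a macro then please configure it.
Triage note: this is an analyzer configuration error, not a defect in the code. It means Cppcheck could not parse this part of the file, so the absence of further Cppcheck findings for the file is not evidence that it is clean. Supplying the macro definition (via the project's include paths or a `-D` definition) is needed before the Cppcheck result for this file can be relied on.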
Error

Line: 1236

              
// @@protoc_insertion_point(namespace_scope)
PROTOBUF_NAMESPACE_CLOSE
PROTOBUF_NAMESPACE_OPEN
template<> PROTOBUF_NOINLINE ::PROTOBUF_NAMESPACE_ID::Api* Arena::CreateMaybeMessage< ::PROTOBUF_NAMESPACE_ID::Api >(Arena* arena) {
  return Arena::CreateMessageInternal< ::PROTOBUF_NAMESPACE_ID::Api >(arena);
}
template<> PROTOBUF_NOINLINE ::PROTOBUF_NAMESPACE_ID::Method* Arena::CreateMaybeMessage< ::PROTOBUF_NAMESPACE_ID::Method >(Arena* arena) {
  return Arena::CreateMessageInternal< ::PROTOBUF_NAMESPACE_ID::Method >(arena);

            

Reported by Cppcheck.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 628 Column: 5 CWE codes: 120
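Suggestion: Make sure destination can always hold the source data
Triage note: in this excerpt the source and destination are the same member range (`request_streaming_` through `syntax_`) of two objects in a generated copy constructor, and the length is computed from those members' own addresses plus `sizeof(syntax_)`. The destination is therefore the same size as the source by construction. What the copy relies on is that the members in that range are laid out contiguously and are trivially copyable, which is the code generator's responsibility rather than something to fix at this call site.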

                  response_type_url_.Set(::PROTOBUF_NAMESPACE_ID::internal::ArenaStringPtr::EmptyDefault{}, from._internal_response_type_url(), 
      GetArenaForAllocation());
  }
  ::memcpy(&request_streaming_, &from.request_streaming_,
    static_cast<size_t>(reinterpret_cast<char*>(&syntax_) -
    reinterpret_cast<char*>(&request_streaming_)) + sizeof(syntax_));
  // @@protoc_insertion_point(copy_constructor:google.protobuf.Method)
}


            

Reported by FlawFinder.

src/google/protobuf/compiler/cpp/cpp_extension.cc
2 issues
StrCat - Does not check for buffer overflows when concatenating to destination [MS-banned]
Security

Line: 97 Column: 7 CWE codes: 120

                variables_["name"] = ResolveKeyword(name);
  variables_["constant_name"] = FieldConstantName(descriptor_);
  variables_["field_type"] =
      StrCat(static_cast<int>(descriptor_->type()));
  variables_["packed"] = descriptor_->is_packed() ? "true" : "false";

  std::string scope =
      IsScoped() ? ClassName(descriptor_->extension_scope(), false) + "::" : "";
  variables_["scope"] = scope;

            

Reported by FlawFinder.

StrCat - Does not check for buffer overflows when concatenating to destination [MS-banned]
Security

Line: 104 Column: 26 CWE codes: 120

                    IsScoped() ? ClassName(descriptor_->extension_scope(), false) + "::" : "";
  variables_["scope"] = scope;
  variables_["scoped_name"] = ExtensionName(descriptor_);
  variables_["number"] = StrCat(descriptor_->number());
}

ExtensionGenerator::~ExtensionGenerator() {}

bool ExtensionGenerator::IsScoped() const {

            

Reported by FlawFinder.

src/google/protobuf/compiler/cpp/cpp_helpers.h
2 issues
StrCat - Does not check for buffer overflows when concatenating to destination [MS-banned]
Security

Line: 766 Column: 12 CWE codes: 120

                template <typename I, typename = typename std::enable_if<
                            std::is_integral<I>::value>::type>
  static std::string ToString(I x) {
    return StrCat(x);
  }
  static std::string ToString(strings::Hex x) { return StrCat(x); }
  static std::string ToString(const FieldDescriptor* d) { return Payload(d); }
  static std::string ToString(const Descriptor* d) { return Payload(d); }
  static std::string ToString(const EnumDescriptor* d) { return Payload(d); }

            

Reported by FlawFinder.

StrCat - Does not check for buffer overflows when concatenating to destination [MS-banned]
Security

Line: 768 Column: 56 CWE codes: 120

                static std::string ToString(I x) {
    return StrCat(x);
  }
  static std::string ToString(strings::Hex x) { return StrCat(x); }
  static std::string ToString(const FieldDescriptor* d) { return Payload(d); }
  static std::string ToString(const Descriptor* d) { return Payload(d); }
  static std::string ToString(const EnumDescriptor* d) { return Payload(d); }
  static std::string ToString(const EnumValueDescriptor* d) {
    return Payload(d);

            

Reported by FlawFinder.

src/google/protobuf/compiler/cpp/cpp_map_field.cc
2 issues
StrCat - Does not check for buffer overflows when concatenating to destination [MS-banned]
Security

Line: 76 Column: 28 CWE codes: 120

                (*variables)["val_wire_type"] =
      "TYPE_" + ToUpper(DeclaredTypeMethodName(val->type()));
  (*variables)["map_classname"] = ClassName(descriptor->message_type(), false);
  (*variables)["number"] = StrCat(descriptor->number());
  (*variables)["tag"] = StrCat(internal::WireFormat::MakeTag(descriptor));

  if (HasDescriptorMethods(descriptor->file(), options)) {
    (*variables)["lite"] = "";
  } else {

            

Reported by FlawFinder.

StrCat - Does not check for buffer overflows when concatenating to destination [MS-banned]
Security

Line: 77 Column: 25 CWE codes: 120

                    "TYPE_" + ToUpper(DeclaredTypeMethodName(val->type()));
  (*variables)["map_classname"] = ClassName(descriptor->message_type(), false);
  (*variables)["number"] = StrCat(descriptor->number());
  (*variables)["tag"] = StrCat(internal::WireFormat::MakeTag(descriptor));

  if (HasDescriptorMethods(descriptor->file(), options)) {
    (*variables)["lite"] = "";
  } else {
    (*variables)["lite"] = "Lite";

            

Reported by FlawFinder.

src/google/protobuf/compiler/cpp/cpp_primitive_field.cc
2 issues
StrCat - Does not check for buffer overflows when concatenating to destination [MS-banned]
Security

Line: 107 Column: 25 CWE codes: 120

                SetCommonFieldVariables(descriptor, variables, options);
  (*variables)["type"] = PrimitiveTypeName(options, descriptor->cpp_type());
  (*variables)["default"] = DefaultValue(options, descriptor);
  (*variables)["tag"] = StrCat(internal::WireFormat::MakeTag(descriptor));
  int fixed_size = FixedSize(descriptor->type());
  if (fixed_size != -1) {
    (*variables)["fixed_size"] = StrCat(fixed_size);
  }
  (*variables)["wire_format_field_type"] = FieldDescriptorProto_Type_Name(

            

Reported by FlawFinder.

StrCat - Does not check for buffer overflows when concatenating to destination [MS-banned]
Security

Line: 110 Column: 34 CWE codes: 120

                (*variables)["tag"] = StrCat(internal::WireFormat::MakeTag(descriptor));
  int fixed_size = FixedSize(descriptor->type());
  if (fixed_size != -1) {
    (*variables)["fixed_size"] = StrCat(fixed_size);
  }
  (*variables)["wire_format_field_type"] = FieldDescriptorProto_Type_Name(
      static_cast<FieldDescriptorProto_Type>(descriptor->type()));
  (*variables)["full_name"] = descriptor->full_name();
}

            

Reported by FlawFinder.

src/google/protobuf/compiler/cpp/cpp_string_field.cc
2 issues
StrCat - Does not check for buffer overflows when concatenating to destination [MS-banned]
Security

Line: 55 Column: 7 CWE codes: 120

                SetCommonFieldVariables(descriptor, variables, options);
  (*variables)["default"] = DefaultValue(options, descriptor);
  (*variables)["default_length"] =
      StrCat(descriptor->default_value_string().length());
  std::string default_variable_string = MakeDefaultName(descriptor);
  (*variables)["default_variable_name"] = default_variable_string;

  if (!descriptor->default_value_string().empty()) {
    (*variables)["lazy_variable"] =

            

Reported by FlawFinder.

StrCat - Does not check for buffer overflows when concatenating to destination [MS-banned]
Security

Line: 510 Column: 7 CWE codes: 120

                SetCommonOneofFieldVariables(descriptor, &variables_);
  variables_["field_name"] = UnderscoresToCamelCase(descriptor->name(), true);
  variables_["oneof_index"] =
      StrCat(descriptor->containing_oneof()->index());
}

StringOneofFieldGenerator::~StringOneofFieldGenerator() {}

void StringOneofFieldGenerator::GenerateInlineAccessorDefinitions(

            

Reported by FlawFinder.

src/google/protobuf/compiler/csharp/csharp_enum.cc
2 issues
StrCat - Does not check for buffer overflows when concatenating to destination [MS-banned]
Security

Line: 83 Column: 24 CWE codes: 120

                        printer->Print("[pbr::OriginalName(\"$original_name$\", PreferredAlias = false)] $name$ = $number$,\n",
             "original_name", original_name,
             "name", name,
             "number", StrCat(number));
      } else {
          printer->Print("[pbr::OriginalName(\"$original_name$\")] $name$ = $number$,\n",
             "original_name", original_name,
             "name", name,
             "number", StrCat(number));

            

Reported by FlawFinder.

StrCat - Does not check for buffer overflows when concatenating to destination [MS-banned]
Security

Line: 88 Column: 24 CWE codes: 120

                        printer->Print("[pbr::OriginalName(\"$original_name$\")] $name$ = $number$,\n",
             "original_name", original_name,
             "name", name,
             "number", StrCat(number));
      }
  }
  printer->Outdent();
  printer->Print("}\n");
  printer->Print("\n");

            

Reported by FlawFinder.