Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/anypaper-2.4/anypaper/anypaper_image.h
Examining data/anypaper-2.4/anypaper/anypaper_preview.c
Examining data/anypaper-2.4/anypaper/anypaper_command.c
Examining data/anypaper-2.4/anypaper/anypaper_command.h
Examining data/anypaper-2.4/anypaper/anypaper_image.c
Examining data/anypaper-2.4/anypaper/anypaper_window.c
Examining data/anypaper-2.4/anypaper/anypaper.c
Examining data/anypaper-2.4/anypaper/anypaper_parameters.c
Examining data/anypaper-2.4/anypaper/anypaper_wallpapersetter.c
Examining data/anypaper-2.4/anypaper/anypaper_preview.h
Examining data/anypaper-2.4/anypaper/anypaper_window.h
Examining data/anypaper-2.4/anypaper/anypaper_wallpapersetter.h
Examining data/anypaper-2.4/anypaper/anypaper_parameters.h

FINAL RESULTS:

data/anypaper-2.4/anypaper/anypaper.c:78:43:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable
  input if the environment can beset by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
  buffer = g_strdup_printf("%s/.anypaper", g_get_home_dir ());

data/anypaper-2.4/anypaper/anypaper.c:82:74:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable
  input if the environment can beset by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
  if (rcfile == NULL) rcfile = g_strdup_printf("%s/.anypaper/anypaperrc", g_get_home_dir ());

data/anypaper-2.4/anypaper/anypaper.c:83:99:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable
  input if the environment can beset by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
  if (lastwallpaperfile == NULL) lastwallpaperfile = g_strdup_printf("%s/.anypaper/lastwallpaper", g_get_home_dir ());

data/anypaper-2.4/anypaper/anypaper.c:86:106:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable
  input if the environment can beset by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
  if (wallpapersetterfile == NULL) wallpapersetterfile = g_strdup_printf("%s/.anypaper/wallpapersetters", g_get_home_dir ());

data/anypaper-2.4/anypaper/anypaper_parameters.c:106:65:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable
  input if the environment can beset by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
  self->defaultfile = g_strdup_printf("%s/.anypaper/output.png", g_get_home_dir ());

data/anypaper-2.4/anypaper/anypaper_window.c:416:74:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable
  input if the environment can beset by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
  if (rcfile == NULL) rcfile = g_strdup_printf("%s/.anypaper/anypaperrc", g_get_home_dir ());

data/anypaper-2.4/anypaper/anypaper_window.c:417:99:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable
  input if the environment can beset by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
  if (lastwallpaperfile == NULL) lastwallpaperfile = g_strdup_printf("%s/.anypaper/lastwallpaper", g_get_home_dir ());

ANALYSIS SUMMARY:

Hits = 7
Lines analyzed = 3046 in approximately 0.11 seconds (27484 lines/second)
Physical Source Lines of Code (SLOC) = 2063
Hits@level = [0]   1 [1]   0 [2]   0 [3]   7 [4]   0 [5]   0
Hits@level+ = [0+]   8 [1+]   7 [2+]   7 [3+]   7 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 3.87785 [1+] 3.39312 [2+] 3.39312 [3+] 3.39312 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.