Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/athena-jot-9.0/debian/patches/jot.c
Examining data/athena-jot-9.0/jot.c

FINAL RESULTS:

data/athena-jot-9.0/jot.c:158:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
				strcpy(format, *av + 2);
data/athena-jot-9.0/jot.c:162:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
				strcpy(format, *++av);
data/athena-jot-9.0/jot.c:166:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
				strcpy(sepstring, *av + 2);
data/athena-jot-9.0/jot.c:170:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
				strcpy(sepstring, *++av);
data/athena-jot-9.0/jot.c:337:3:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
		printf(format, *dp);
data/athena-jot-9.0/jot.c:339:3:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
		printf(format, x);
data/athena-jot-9.0/jot.c:349:2:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
	fprintf(stderr, msg, s);
data/athena-jot-9.0/debian/patches/jot.c:15:4:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
 		srandom((int) s);
data/athena-jot-9.0/debian/patches/jot.c:18:19:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
-			*y = (double) random() / INT_MAX;
data/athena-jot-9.0/debian/patches/jot.c:21:16:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
+				randval = random();
data/athena-jot-9.0/jot.c:65:9:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
#define srandom srand48
data/athena-jot-9.0/jot.c:66:9:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
#define random lrand48
data/athena-jot-9.0/jot.c:66:16:  [3] (random) lrand48:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
#define random lrand48
data/athena-jot-9.0/jot.c:68:9:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
#define srandom srand
data/athena-jot-9.0/jot.c:68:17:  [3] (random) srand:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
#define srandom srand
data/athena-jot-9.0/jot.c:69:9:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
#define random rand
data/athena-jot-9.0/jot.c:117:3:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
		srandom((int) s);
data/athena-jot-9.0/jot.c:121:15:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
				randval = random();
data/athena-jot-9.0/jot.c:91:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
char	sepstring[BUFSIZ] = "\n";
data/athena-jot-9.0/jot.c:92:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
char	format[BUFSIZ];
data/athena-jot-9.0/jot.c:174:12:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
				prec = atoi(*av + 2);
data/athena-jot-9.0/jot.c:178:12:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
				prec = atoi(*++av);
data/athena-jot-9.0/jot.c:393:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
		sprintf(p, "%%.%df", prec);
data/athena-jot-9.0/jot.c:395:3:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
		strcpy(p, "%c");
data/athena-jot-9.0/jot.c:196:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
				ender = av[2][strlen(av[2])-1];
data/athena-jot-9.0/jot.c:204:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
				begin = av[1][strlen(av[1])-1];
data/athena-jot-9.0/jot.c:399:3:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant character.
		strcat(format, "%");		/* cannot end in single '%' */

ANALYSIS SUMMARY:

Hits = 27
Lines analyzed = 443 in approximately 0.02 seconds (20393 lines/second)
Physical Source Lines of Code (SLOC) = 379
Hits@level = [0]   8 [1]   3 [2]   6 [3]  11 [4]   7 [5]   0
Hits@level+ = [0+]  35 [1+]  27 [2+]  24 [3+]  18 [4+]   7 [5+]   0
Hits/KSLOC@level+ = [0+] 92.3483 [1+] 71.2401 [2+] 63.3245 [3+] 47.4934 [4+] 18.4697 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.