Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/cmst-2019.01.13/apps/cmstapp/code/agent/agent.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/agent/agent.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/agent/agent_dialog.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/agent/agent_dialog.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/control_box/controlbox.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/control_box/controlbox.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/counter/counter.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/counter/counter.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/iconman/iconman.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/iconman/iconman.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/main.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/notify/notify.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/notify/notify.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/peditor/peditor.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/peditor/peditor.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/provisioning/prov_ed.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/provisioning/prov_ed.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/scrollbox/scrollbox.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/scrollbox/scrollbox.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/shared/shared.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/shared/shared.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/trstring/tr_strings.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/trstring/tr_strings.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/vpn_agent/vpnagent.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/vpn_agent/vpnagent.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/vpn_agent/vpnagent_adaptor.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/vpn_agent/vpnagent_adaptor.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/vpn_agent/vpnagent_dialog.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/vpn_agent/vpnagent_dialog.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/vpn_agent/vpnagent_interface.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/vpn_agent/vpnagent_interface.h
Examining data/cmst-2019.01.13/apps/cmstapp/code/vpn_prov_ed/vpn_ed.cpp
Examining data/cmst-2019.01.13/apps/cmstapp/code/vpn_prov_ed/vpn_ed.h
Examining data/cmst-2019.01.13/apps/resource.h
Examining data/cmst-2019.01.13/apps/rootapp/code/main.cpp
Examining data/cmst-2019.01.13/apps/rootapp/code/roothelper/roothelper.cpp
Examining data/cmst-2019.01.13/apps/rootapp/code/roothelper/roothelper.h

FINAL RESULTS:

data/cmst-2019.01.13/apps/cmstapp/code/control_box/controlbox.cpp:128:32: [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  QLocale::setDefault(QLocale::system() );
data/cmst-2019.01.13/apps/cmstapp/code/main.cpp:158:38: [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  qtTranslator.load("qt_" + QLocale::system().name(),
data/cmst-2019.01.13/apps/cmstapp/code/main.cpp:163:46: [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  if (cmstTranslator.load("cmst_" + QLocale::system().name(), ":/translations/translations" ) ) {
data/cmst-2019.01.13/apps/cmstapp/code/agent/agent.cpp:154:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!logfile.open(QIODevice::WriteOnly | QIODevice::Text)) b_loginputrequest = false;
data/cmst-2019.01.13/apps/cmstapp/code/control_box/controlbox.cpp:166:9: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (f0.open(QIODevice::ReadOnly | QIODevice::Text)) {
data/cmst-2019.01.13/apps/cmstapp/code/control_box/controlbox.cpp:180:9: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (f1.open(QIODevice::ReadOnly | QIODevice::Text)) {
data/cmst-2019.01.13/apps/cmstapp/code/control_box/controlbox.cpp:2040:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (f0.open(QIODevice::ReadOnly | QIODevice::Text)) {
data/cmst-2019.01.13/apps/cmstapp/code/control_box/controlbox.cpp:2833:12: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (file.open(QIODevice::ReadOnly | QIODevice::Text)) {
data/cmst-2019.01.13/apps/cmstapp/code/iconman/iconman.cpp:64:10: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!f1.open(QIODevice::ReadOnly | QIODevice::Text)) {
data/cmst-2019.01.13/apps/cmstapp/code/iconman/iconman.cpp:268:10: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!f0.open(QIODevice::ReadOnly | QIODevice::Text)) {
data/cmst-2019.01.13/apps/cmstapp/code/iconman/iconman.cpp:317:7: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  src.open(QIODevice::ReadOnly);
data/cmst-2019.01.13/apps/cmstapp/code/notify/notify.cpp:179:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (tempfileicon->open() ) {
data/cmst-2019.01.13/apps/cmstapp/code/provisioning/prov_ed.cpp:444:12: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (file.open(QIODevice::ReadOnly | QIODevice::Text)) {
data/cmst-2019.01.13/apps/cmstapp/code/vpn_agent/vpnagent.cpp:142:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!logfile.open(QIODevice::WriteOnly | QIODevice::Text)) b_loginputrequest = false;
data/cmst-2019.01.13/apps/cmstapp/code/vpn_prov_ed/vpn_ed.cpp:794:17: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (sourcefile.open(QIODevice::ReadOnly | QIODevice::Text)) {
data/cmst-2019.01.13/apps/cmstapp/code/vpn_prov_ed/vpn_ed.cpp:818:17: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (outfile.open(QIODevice::WriteOnly | QIODevice::Text)) {
data/cmst-2019.01.13/apps/cmstapp/code/vpn_prov_ed/vpn_ed.cpp:863:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (outfile.open(QIODevice::WriteOnly | QIODevice::Text)) {
data/cmst-2019.01.13/apps/cmstapp/code/vpn_prov_ed/vpn_ed.cpp:906:17: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (outfile.open(QIODevice::WriteOnly | QIODevice::Text)) {
data/cmst-2019.01.13/apps/rootapp/code/roothelper/roothelper.cpp:106:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (! infile.open(QIODevice::ReadOnly | QIODevice::Text))
data/cmst-2019.01.13/apps/rootapp/code/roothelper/roothelper.cpp:137:17: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (! outfile.open(QIODevice::WriteOnly | QIODevice::Text))

ANALYSIS SUMMARY:

Hits = 20
Lines analyzed = 9463 in approximately 0.35 seconds (26795 lines/second)
Physical Source Lines of Code (SLOC) = 6032
Hits@level = [0] 6 [1] 0 [2] 17 [3] 0 [4] 3 [5] 0
Hits@level+ = [0+] 26 [1+] 20 [2+] 20 [3+] 3 [4+] 3 [5+] 0
Hits/KSLOC@level+ = [0+] 4.31034 [1+] 3.31565 [2+] 3.31565 [3+] 0.497347 [4+] 0.497347 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.