stdin

Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/curseofwar-1.1.8/client.c
Examining data/curseofwar-1.1.8/client.h
Examining data/curseofwar-1.1.8/common.h
Examining data/curseofwar-1.1.8/grid.c
Examining data/curseofwar-1.1.8/king.c
Examining data/curseofwar-1.1.8/king.h
Examining data/curseofwar-1.1.8/main.c
Examining data/curseofwar-1.1.8/messaging.h
Examining data/curseofwar-1.1.8/network.c
Examining data/curseofwar-1.1.8/network.h
Examining data/curseofwar-1.1.8/output.c
Examining data/curseofwar-1.1.8/output.h
Examining data/curseofwar-1.1.8/server.c
Examining data/curseofwar-1.1.8/server.h
Examining data/curseofwar-1.1.8/state.c
Examining data/curseofwar-1.1.8/state.h
Examining data/curseofwar-1.1.8/grid.h

FINAL RESULTS:

data/curseofwar-1.1.8/main.c:328:3:  [3] (random) srand:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  srand(time(NULL));
data/curseofwar-1.1.8/main.c:357:15:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
  while ((c = getopt (argc, argv, "hrTW:H:i:l:q:d:s:R:S:E:e:C:c:")) != -1){
data/curseofwar-1.1.8/state.c:104:3:  [3] (random) srand:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  srand(s->map_seed);
data/curseofwar-1.1.8/client.c:85:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
          memcpy(&msg_data, buf+1, sizeof(struct msg_s_data));
data/curseofwar-1.1.8/client.c:172:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(buf+1, &mcd, sizeof(mcd));
data/curseofwar-1.1.8/main.c:600:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[1];
data/curseofwar-1.1.8/main.c:627:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buf[1];
data/curseofwar-1.1.8/main.c:709:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buf[1];
data/curseofwar-1.1.8/main.c:729:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buf[1];
data/curseofwar-1.1.8/output.c:202:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[32];
data/curseofwar-1.1.8/output.c:205:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "%li    ", st->country[st->controlled].gold);
data/curseofwar-1.1.8/output.c:245:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(buf, "%3i", st->grid.tiles[i][j].units[p][citizen]);
data/curseofwar-1.1.8/output.c:258:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "%i-%02i-%02i ", year, month, day);
data/curseofwar-1.1.8/output.c:375:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[20];
data/curseofwar-1.1.8/output.c:382:7:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
      sprintf(buf, "%i", y2);
data/curseofwar-1.1.8/output.c:415:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "%g", max);
data/curseofwar-1.1.8/output.c:417:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "%g", min);
data/curseofwar-1.1.8/output.c:436:7:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
      sprintf(buf, "%g", val_arr[i]);
data/curseofwar-1.1.8/server.c:60:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(buf+1, &msg_data, size); 
data/curseofwar-1.1.8/server.c:103:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(&msg_data, buf+1, sizeof(struct msg_c_data));
data/curseofwar-1.1.8/output.c:92:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int keylen = strlen(key);

ANALYSIS SUMMARY:

Hits = 21
Lines analyzed = 3784 in approximately 0.19 seconds (20254 lines/second)
Physical Source Lines of Code (SLOC) = 2574
Hits@level = [0]  17 [1]   1 [2]  17 [3]   3 [4]   0 [5]   0
Hits@level+ = [0+]  38 [1+]  21 [2+]  20 [3+]   3 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 14.763 [1+] 8.15851 [2+] 7.77001 [3+] 1.1655 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.