Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/exo-4.15.3/exo-open/main.c
Examining data/exo-4.15.3/exo-desktop-item-edit/exo-die-desktop-model.c
Examining data/exo-4.15.3/exo-desktop-item-edit/exo-die-command-entry.c
Examining data/exo-4.15.3/exo-desktop-item-edit/exo-die-enum-types.c
Examining data/exo-4.15.3/exo-desktop-item-edit/exo-die-enum-types.h
Examining data/exo-4.15.3/exo-desktop-item-edit/exo-die-utils.c
Examining data/exo-4.15.3/exo-desktop-item-edit/exo-die-editor.c
Examining data/exo-4.15.3/exo-desktop-item-edit/exo-die-command-model.c
Examining data/exo-4.15.3/exo-desktop-item-edit/exo-die-utils.h
Examining data/exo-4.15.3/exo-desktop-item-edit/main.c
Examining data/exo-4.15.3/exo-desktop-item-edit/exo-die-command-entry.h
Examining data/exo-4.15.3/exo-desktop-item-edit/exo-die-desktop-model.h
Examining data/exo-4.15.3/exo-desktop-item-edit/exo-die-editor.h
Examining data/exo-4.15.3/exo-desktop-item-edit/exo-die-command-model.h
Examining data/exo-4.15.3/tests/test-exo-icon-chooser-dialog.c
Examining data/exo-4.15.3/tests/test-exo-string.c
Examining data/exo-4.15.3/tests/test-exo-noop.c
Examining data/exo-4.15.3/exo/exo-cell-renderer-icon.h
Examining data/exo-4.15.3/exo/exo-icon-chooser-model.h
Examining data/exo-4.15.3/exo/exo-gdk-pixbuf-extensions.h
Examining data/exo-4.15.3/exo/exo-execute.h
Examining data/exo-4.15.3/exo/exo-private.h
Examining data/exo-4.15.3/exo/exo-aliasdef.c
Examining data/exo-4.15.3/exo/exo-thumbnail.c
Examining data/exo-4.15.3/exo/exo-gobject-extensions.c
Examining data/exo-4.15.3/exo/exo-enum-types.h
Examining data/exo-4.15.3/exo/exo-config.c
Examining data/exo-4.15.3/exo/exo-tree-view.c
Examining data/exo-4.15.3/exo/exo-thumbnail-preview.c
Examining data/exo-4.15.3/exo/exo-job.c
Examining data/exo-4.15.3/exo/exo-string.h
Examining data/exo-4.15.3/exo/exo-alias.h
Examining data/exo-4.15.3/exo/exo-private.c
Examining data/exo-4.15.3/exo/exo-icon-chooser-dialog.h
Examining data/exo-4.15.3/exo/exo-config.h
Examining data/exo-4.15.3/exo/exo-gdk-pixbuf-extensions.c
Examining data/exo-4.15.3/exo/exo-icon-chooser-model.c
Examining data/exo-4.15.3/exo/exo-binding.c
Examining data/exo-4.15.3/exo/exo-tree-view.h
Examining data/exo-4.15.3/exo/exo-enum-types.c
Examining data/exo-4.15.3/exo/exo-gtk-extensions.c
Examining data/exo-4.15.3/exo/exo-job.h
Examining data/exo-4.15.3/exo/exo-string.c
Examining data/exo-4.15.3/exo/exo-icon-chooser-dialog.c
Examining data/exo-4.15.3/exo/exo-icon-view.c
Examining data/exo-4.15.3/exo/exo-utils.h
Examining data/exo-4.15.3/exo/exo-gtk-extensions.h
Examining data/exo-4.15.3/exo/exo-gobject-extensions.h
Examining data/exo-4.15.3/exo/exo-thumbnail.h
Examining data/exo-4.15.3/exo/exo-marshal.h
Examining data/exo-4.15.3/exo/exo-utils.c
Examining data/exo-4.15.3/exo/exo-icon-view.h
Examining data/exo-4.15.3/exo/exo-icon-view-accessible.c
Examining data/exo-4.15.3/exo/exo-binding.h
Examining data/exo-4.15.3/exo/exo-simple-job.h
Examining data/exo-4.15.3/exo/exo-marshal.c
Examining data/exo-4.15.3/exo/exo-execute.c
Examining data/exo-4.15.3/exo/exo-thumbnail-preview.h
Examining data/exo-4.15.3/exo/exo.h
Examining data/exo-4.15.3/exo/exo-simple-job.c
Examining data/exo-4.15.3/exo/exo-cell-renderer-icon.c

FINAL RESULTS:

data/exo-4.15.3/exo-desktop-item-edit/exo-die-command-model.c:151:26:  [3] (random) g_random_int:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  command_model->stamp = g_random_int ();
data/exo-4.15.3/exo-desktop-item-edit/exo-die-desktop-model.c:150:26:  [3] (random) g_random_int:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  desktop_model->stamp = g_random_int ();
data/exo-4.15.3/exo/exo-icon-chooser-model.c:169:18:  [3] (random) g_random_int:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  model->stamp = g_random_int ();
data/exo-4.15.3/exo/exo-gdk-pixbuf-extensions.c:68:36:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  #define g_open(path, mode, flags) (open ((path), (mode), (flags)))
data/exo-4.15.3/exo-desktop-item-edit/exo-die-desktop-model.c:604:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  icon_len = strlen (desktop_item->icon);
data/exo-4.15.3/exo/exo-gdk-pixbuf-extensions.c:844:15:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  n = read (fd, buffer, 8192);
data/exo-4.15.3/exo/exo-icon-view.c:8402:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  length = strlen (text);
data/exo-4.15.3/exo/exo-icon-view.c:8483:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  length = strlen (text);
data/exo-4.15.3/exo/exo-icon-view.c:8631:65:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strncmp (case_normalized_key, case_normalized_string, strlen (case_normalized_key)) == 0)
data/exo-4.15.3/exo/exo-string.c:71:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  result = g_malloc (strlen (text) + 1);
data/exo-4.15.3/exo/exo-string.c:156:32:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  result = g_string_sized_new (strlen (str));

ANALYSIS SUMMARY:

Hits = 11
Lines analyzed = 26975 in approximately 0.70 seconds (38798 lines/second)
Physical Source Lines of Code (SLOC) = 16679
Hits@level = [0]   0 [1]   7 [2]   1 [3]   3 [4]   0 [5]   0
Hits@level+ = [0+]  11 [1+]  11 [2+]   4 [3+]   3 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 0.659512 [1+] 0.659512 [2+] 0.239823 [3+] 0.179867 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.