Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/extremetuxracer-0.8.0/src/audio.h
Examining data/extremetuxracer-0.8.0/src/gui.cpp
Examining data/extremetuxracer-0.8.0/src/reset.h
Examining data/extremetuxracer-0.8.0/src/states.h
Examining data/extremetuxracer-0.8.0/src/spx.h
Examining data/extremetuxracer-0.8.0/src/textures.h
Examining data/extremetuxracer-0.8.0/src/font.cpp
Examining data/extremetuxracer-0.8.0/src/reset.cpp
Examining data/extremetuxracer-0.8.0/src/quadtree.cpp
Examining data/extremetuxracer-0.8.0/src/loading.cpp
Examining data/extremetuxracer-0.8.0/src/newplayer.h
Examining data/extremetuxracer-0.8.0/src/course.cpp
Examining data/extremetuxracer-0.8.0/src/particles.h
Examining data/extremetuxracer-0.8.0/src/course_render.h
Examining data/extremetuxracer-0.8.0/src/winsys.h
Examining data/extremetuxracer-0.8.0/src/particles.cpp
Examining data/extremetuxracer-0.8.0/src/paused.h
Examining data/extremetuxracer-0.8.0/src/env.cpp
Examining data/extremetuxracer-0.8.0/src/event_select.cpp
Examining data/extremetuxracer-0.8.0/src/racing.h
Examining data/extremetuxracer-0.8.0/src/game_config.cpp
Examining data/extremetuxracer-0.8.0/src/common.h
Examining data/extremetuxracer-0.8.0/src/ogl.cpp
Examining data/extremetuxracer-0.8.0/src/mathlib.h
Examining data/extremetuxracer-0.8.0/src/game_ctrl.cpp
Examining data/extremetuxracer-0.8.0/src/mathlib.cpp
Examining data/extremetuxracer-0.8.0/src/hud.cpp
Examining data/extremetuxracer-0.8.0/src/translation.h
Examining data/extremetuxracer-0.8.0/src/tux.cpp
Examining data/extremetuxracer-0.8.0/src/common.cpp
Examining data/extremetuxracer-0.8.0/src/physics.h
Examining data/extremetuxracer-0.8.0/src/matrices.cpp
Examining data/extremetuxracer-0.8.0/src/bh.h
Examining data/extremetuxracer-0.8.0/src/tool_char.cpp
Examining data/extremetuxracer-0.8.0/src/matrices.h
Examining data/extremetuxracer-0.8.0/src/track_marks.h
Examining data/extremetuxracer-0.8.0/src/quadtree.h
Examining data/extremetuxracer-0.8.0/src/tools.h
Examining data/extremetuxracer-0.8.0/src/credits.h
Examining data/extremetuxracer-0.8.0/src/version.h
Examining data/extremetuxracer-0.8.0/src/tux.h
Examining data/extremetuxracer-0.8.0/src/ogl_test.cpp
Examining data/extremetuxracer-0.8.0/src/race_select.h
Examining data/extremetuxracer-0.8.0/src/help.h
Examining data/extremetuxracer-0.8.0/src/event.cpp
Examining data/extremetuxracer-0.8.0/src/racing.cpp
Examining data/extremetuxracer-0.8.0/src/track_marks.cpp
Examining data/extremetuxracer-0.8.0/src/gui.h
Examining data/extremetuxracer-0.8.0/src/vectors.cpp
Examining data/extremetuxracer-0.8.0/src/ogl_test.h
Examining data/extremetuxracer-0.8.0/src/newplayer.cpp
Examining data/extremetuxracer-0.8.0/src/tool_frame.h
Examining data/extremetuxracer-0.8.0/src/keyframe.h
Examining data/extremetuxracer-0.8.0/src/course_render.cpp
Examining data/extremetuxracer-0.8.0/src/config_screen.h
Examining data/extremetuxracer-0.8.0/src/font.h
Examining data/extremetuxracer-0.8.0/src/ogl.h
Examining data/extremetuxracer-0.8.0/src/config_screen.cpp
Examining data/extremetuxracer-0.8.0/src/regist.h
Examining data/extremetuxracer-0.8.0/src/event.h
Examining data/extremetuxracer-0.8.0/src/intro.cpp
Examining data/extremetuxracer-0.8.0/src/score.cpp
Examining data/extremetuxracer-0.8.0/src/intro.h
Examining data/extremetuxracer-0.8.0/src/tool_char.h
Examining data/extremetuxracer-0.8.0/src/vectors.h
Examining data/extremetuxracer-0.8.0/src/game_type_select.cpp
Examining data/extremetuxracer-0.8.0/src/states.cpp
Examining data/extremetuxracer-0.8.0/src/etr_types.h
Examining data/extremetuxracer-0.8.0/src/env.h
Examining data/extremetuxracer-0.8.0/src/view.cpp
Examining data/extremetuxracer-0.8.0/src/event_select.h
Examining data/extremetuxracer-0.8.0/src/spx.cpp
Examining data/extremetuxracer-0.8.0/src/game_over.cpp
Examining data/extremetuxracer-0.8.0/src/race_select.cpp
Examining data/extremetuxracer-0.8.0/src/tools.cpp
Examining data/extremetuxracer-0.8.0/src/game_over.h
Examining data/extremetuxracer-0.8.0/src/loading.h
Examining data/extremetuxracer-0.8.0/src/tool_frame.cpp
Examining data/extremetuxracer-0.8.0/src/game_type_select.h
Examining data/extremetuxracer-0.8.0/src/winsys.cpp
Examining data/extremetuxracer-0.8.0/src/paused.cpp
Examining data/extremetuxracer-0.8.0/src/physics.cpp
Examining data/extremetuxracer-0.8.0/src/splash_screen.h
Examining data/extremetuxracer-0.8.0/src/regist.cpp
Examining data/extremetuxracer-0.8.0/src/main.cpp
Examining data/extremetuxracer-0.8.0/src/course.h
Examining data/extremetuxracer-0.8.0/src/score.h
Examining data/extremetuxracer-0.8.0/src/view.h
Examining data/extremetuxracer-0.8.0/src/audio.cpp
Examining data/extremetuxracer-0.8.0/src/translation.cpp
Examining data/extremetuxracer-0.8.0/src/help.cpp
Examining data/extremetuxracer-0.8.0/src/game_ctrl.h
Examining data/extremetuxracer-0.8.0/src/game_config.h
Examining data/extremetuxracer-0.8.0/src/textures.cpp
Examining data/extremetuxracer-0.8.0/src/credits.cpp
Examining data/extremetuxracer-0.8.0/src/hud.h
Examining data/extremetuxracer-0.8.0/src/keyframe.cpp
Examining data/extremetuxracer-0.8.0/src/splash_screen.cpp

FINAL RESULTS:

data/extremetuxracer-0.8.0/src/game_config.cpp:287:8: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
    std::strcpy(buff, arg0);
data/extremetuxracer-0.8.0/src/main.cpp:68:7: [3] (random) srand:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
    std::srand(std::time(nullptr));
data/extremetuxracer-0.8.0/src/game_config.cpp:281:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char buff[256];
data/extremetuxracer-0.8.0/src/quadtree.h:66:11: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char SubEnabledCount[2];
data/extremetuxracer-0.8.0/src/translation.cpp:250:2: [2] (buffer) wchar_t:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    wchar_t buf[10] = {0};
data/extremetuxracer-0.8.0/src/translation.cpp:252:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char buf2[10] = {0};
data/extremetuxracer-0.8.0/src/view.cpp:318:8: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    static char p_vertex_code[6];
data/extremetuxracer-0.8.0/src/game_config.cpp:288:12: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
    if (std::strlen(buff) > 5) {
data/extremetuxracer-0.8.0/src/game_config.cpp:289:14: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
    buff[std::strlen(buff)-3] = 0;

ANALYSIS SUMMARY:

Hits = 9
Lines analyzed = 19892 in approximately 0.65 seconds (30553 lines/second)
Physical Source Lines of Code (SLOC) = 14806
Hits@level = [0] 0 [1] 2 [2] 5 [3] 1 [4] 1 [5] 0
Hits@level+ = [0+] 9 [1+] 9 [2+] 7 [3+] 2 [4+] 1 [5+] 0
Hits/KSLOC@level+ = [0+] 0.607862 [1+] 0.607862 [2+] 0.472781 [3+] 0.13508 [4+] 0.0675402 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.