Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/folks-0.14.0/backends/telepathy/lib/tp-lowlevel.c Examining data/folks-0.14.0/backends/telepathy/lib/tp-lowlevel.h Examining data/folks-0.14.0/folks/redeclare-internal-api.h Examining data/folks-0.14.0/folks/small-set-internal.h Examining data/folks-0.14.0/folks/small-set.c Examining data/folks-0.14.0/folks/small-set.h Examining data/folks-0.14.0/folks/warnings.h Examining data/folks-0.14.0/tests/lib/gtestdbus.c Examining data/folks-0.14.0/tests/lib/gtestdbus.h Examining data/folks-0.14.0/tests/lib/haze-remove-directory.c Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/backend.c Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/backend.h Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/contact-list-manager.c Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/contact-list-manager.h Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/contacts-conn.c Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/contacts-conn.h Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/debug.h Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/room-list-chan.c Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/room-list-chan.h Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/simple-account-manager.c Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/simple-account-manager.h Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/simple-account.c Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/simple-account.h Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/simple-conn.c Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/simple-conn.h Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/textchan-null.c Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/textchan-null.h Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/tp-test-contactlist.h Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/util.c Examining data/folks-0.14.0/tests/lib/telepathy/contactlist/util.h Examining data/folks-0.14.0/tests/lib/telepathy/test-case-helper.c Examining data/folks-0.14.0/tests/lib/test-case-helper.c FINAL RESULTS: data/folks-0.14.0/tests/lib/gtestdbus.c:219:11: [4] (buffer) sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. If the scanf format is influenceable by an attacker, it's exploitable. if (sscanf (command, ADD_PID_FORMAT, &pid) == 1) data/folks-0.14.0/tests/lib/gtestdbus.c:223:16: [4] (buffer) sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. If the scanf format is influenceable by an attacker, it's exploitable. else if (sscanf (command, REMOVE_PID_FORMAT, &pid) == 1) data/folks-0.14.0/tests/lib/telepathy/contactlist/util.c:345:48: [3] (tmpfile) tmpnam: Temporary file race condition (CWE-377). address = g_unix_socket_address_new (tmpnam (NULL)); data/folks-0.14.0/folks/small-set.c:131:16: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. gboolean equal; data/folks-0.14.0/folks/small-set.c:139:11: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. if (equal) data/folks-0.14.0/tests/lib/telepathy/contactlist/util.c:276:33: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). gchar *value = line + strlen (TRACER_T); ANALYSIS SUMMARY: Hits = 6 Lines analyzed = 8867 in approximately 0.25 seconds (35413 lines/second) Physical Source Lines of Code (SLOC) = 6385 Hits@level = [0] 0 [1] 3 [2] 0 [3] 1 [4] 2 [5] 0 Hits@level+ = [0+] 6 [1+] 6 [2+] 3 [3+] 3 [4+] 2 [5+] 0 Hits/KSLOC@level+ = [0+] 0.939702 [1+] 0.939702 [2+] 0.469851 [3+] 0.469851 [4+] 0.313234 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.