Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/frogr-1.6/src/examples/example.c
Examining data/frogr-1.6/src/flicksoup/flicksoup.h
Examining data/frogr-1.6/src/flicksoup/fsp-data.c
Examining data/frogr-1.6/src/flicksoup/fsp-data.h
Examining data/frogr-1.6/src/flicksoup/fsp-error.c
Examining data/frogr-1.6/src/flicksoup/fsp-error.h
Examining data/frogr-1.6/src/flicksoup/fsp-parser.c
Examining data/frogr-1.6/src/flicksoup/fsp-parser.h
Examining data/frogr-1.6/src/flicksoup/fsp-session.c
Examining data/frogr-1.6/src/flicksoup/fsp-session.h
Examining data/frogr-1.6/src/frogr-about-dialog.c
Examining data/frogr-1.6/src/frogr-about-dialog.h
Examining data/frogr-1.6/src/frogr-account.c
Examining data/frogr-1.6/src/frogr-account.h
Examining data/frogr-1.6/src/frogr-add-tags-dialog.c
Examining data/frogr-1.6/src/frogr-add-tags-dialog.h
Examining data/frogr-1.6/src/frogr-add-to-group-dialog.c
Examining data/frogr-1.6/src/frogr-add-to-group-dialog.h
Examining data/frogr-1.6/src/frogr-add-to-set-dialog.c
Examining data/frogr-1.6/src/frogr-add-to-set-dialog.h
Examining data/frogr-1.6/src/frogr-auth-dialog.c
Examining data/frogr-1.6/src/frogr-auth-dialog.h
Examining data/frogr-1.6/src/frogr-config.c
Examining data/frogr-1.6/src/frogr-config.h
Examining data/frogr-1.6/src/frogr-controller.c
Examining data/frogr-1.6/src/frogr-controller.h
Examining data/frogr-1.6/src/frogr-create-new-set-dialog.c
Examining data/frogr-1.6/src/frogr-create-new-set-dialog.h
Examining data/frogr-1.6/src/frogr-details-dialog.c
Examining data/frogr-1.6/src/frogr-details-dialog.h
Examining data/frogr-1.6/src/frogr-file-loader.c
Examining data/frogr-1.6/src/frogr-file-loader.h
Examining data/frogr-1.6/src/frogr-global-defs.h
Examining data/frogr-1.6/src/frogr-group.c
Examining data/frogr-1.6/src/frogr-group.h
Examining data/frogr-1.6/src/frogr-live-entry.c
Examining data/frogr-1.6/src/frogr-live-entry.h
Examining data/frogr-1.6/src/frogr-location.c
Examining data/frogr-1.6/src/frogr-location.h
Examining data/frogr-1.6/src/frogr-main-view.c
Examining data/frogr-1.6/src/frogr-main-view.h
Examining data/frogr-1.6/src/frogr-model.c
Examining data/frogr-1.6/src/frogr-model.h
Examining data/frogr-1.6/src/frogr-photoset.c
Examining data/frogr-1.6/src/frogr-photoset.h
Examining data/frogr-1.6/src/frogr-picture.c
Examining data/frogr-1.6/src/frogr-picture.h
Examining data/frogr-1.6/src/frogr-settings-dialog.c
Examining data/frogr-1.6/src/frogr-settings-dialog.h
Examining data/frogr-1.6/src/frogr-util.c
Examining data/frogr-1.6/src/frogr-util.h
Examining data/frogr-1.6/src/main.c
FINAL RESULTS:
data/frogr-1.6/src/flicksoup/fsp-session.c:1182:42: [3] (random) g_random_int:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
random_str = g_strdup_printf ("%d_%s", g_random_int (), timestamp);
data/frogr-1.6/src/frogr-main-view.c:772:18: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
home_dir = g_get_home_dir ();
data/frogr-1.6/src/frogr-photoset.c:87:7: [3] (random) g_random_int:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
r = g_random_int();
data/frogr-1.6/src/examples/example.c:707:7: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[12];
data/frogr-1.6/src/examples/example.c:95:7: [1] (buffer) getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
getchar ();
data/frogr-1.6/src/examples/example.c:186:7: [1] (buffer) getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
getchar ();
data/frogr-1.6/src/examples/example.c:227:7: [1] (buffer) getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
getchar ();
data/frogr-1.6/src/examples/example.c:255:7: [1] (buffer) getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
getchar ();
data/frogr-1.6/src/examples/example.c:311:7: [1] (buffer) getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
getchar ();
data/frogr-1.6/src/examples/example.c:364:7: [1] (buffer) getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
getchar ();
data/frogr-1.6/src/examples/example.c:395:7: [1] (buffer) getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
getchar ();
data/frogr-1.6/src/examples/example.c:431:7: [1] (buffer) getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
getchar ();
data/frogr-1.6/src/examples/example.c:470:7: [1] (buffer) getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
getchar ();
data/frogr-1.6/src/examples/example.c:502:7: [1] (buffer) getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
getchar ();
data/frogr-1.6/src/examples/example.c:551:7: [1] (buffer) getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
getchar ();
data/frogr-1.6/src/examples/example.c:610:7: [1] (buffer) getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
getchar ();
data/frogr-1.6/src/examples/example.c:644:7: [1] (buffer) getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
getchar ();
data/frogr-1.6/src/examples/example.c:682:7: [1] (buffer) getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
getchar ();
data/frogr-1.6/src/flicksoup/fsp-session.c:894:43: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
gcry_md_setkey(digest_obj, signing_key, strlen (signing_key));
data/frogr-1.6/src/flicksoup/fsp-session.c:895:39: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
gcry_md_write (digest_obj, message, strlen (message));
data/frogr-1.6/src/frogr-file-loader.c:626:36: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
new_keyword = g_new0 (gchar, strlen(keyword) + 1);
ANALYSIS SUMMARY:
Hits = 21
Lines analyzed = 24574 in approximately 0.52 seconds (46913 lines/second)
Physical Source Lines of Code (SLOC) = 17980
Hits@level = [0] 0 [1] 17 [2] 1 [3] 3 [4] 0 [5] 0
Hits@level+ = [0+] 21 [1+] 21 [2+] 4 [3+] 3 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 1.16796 [1+] 1.16796 [2+] 0.222469 [3+] 0.166852 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.