stdin

Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/gkrellm2-cpufreq-0.6.4/cpufreq.c

FINAL RESULTS:

data/gkrellm2-cpufreq-0.6.4/cpufreq.c:104:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
      strcpy(governor[cpu], policy->governor);
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:133:3:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  system(cmd);
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:139:3:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  system(cmd);
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:145:3:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  system(cmd);
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:457:7:  [4] (buffer) sscanf:
  The scanf() family's %s operation, without a limit specification, permits
  buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
  different input function.
  n = sscanf(arg, "%s %[^\n]", config, item);
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:71:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static char governor[NCPU_MAX][256];
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:72:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static char empty[1];
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:107:7:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
      strcpy(governor[cpu], "unknown");
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:131:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char cmd[length];
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:132:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(cmd, "sudo /usr/sbin/cpufreqnextgovernor %u", cpu);
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:137:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char cmd[length];
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:138:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(cmd, "sudo cpufreq-set -c %u -g userspace", cpu);
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:143:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char cmd[length];
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:144:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(cmd, "sudo cpufreq-set -c %u -f %lu", cpu, freq );
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:179:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char theText[length];
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:188:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(theText, "%d MHz", (int)((khz_sum/ncpu+500)/1000));
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:193:7:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
      sprintf(theText, "%d MHz", (int)((khz[cpu]+500)/1000));
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:634:3:  [1] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant character.
  strcpy(empty, "");
data/gkrellm2-cpufreq-0.6.4/cpufreq.c:639:7:  [1] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant character.
      strcpy(governor[cpu], "");

ANALYSIS SUMMARY:

Hits = 19
Lines analyzed = 643 in approximately 0.03 seconds (18421 lines/second)
Physical Source Lines of Code (SLOC) = 458
Hits@level = [0]  14 [1]   2 [2]  12 [3]   0 [4]   5 [5]   0
Hits@level+ = [0+]  33 [1+]  19 [2+]  17 [3+]   5 [4+]   5 [5+]   0
Hits/KSLOC@level+ = [0+] 72.0524 [1+] 41.4847 [2+] 37.1179 [3+] 10.917 [4+] 10.917 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.