Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/goodvibes-0.6/scripts/code/gv-object-templates/gv-dummy.c
Examining data/goodvibes-0.6/scripts/code/gv-object-templates/gv-dummy.h
Examining data/goodvibes-0.6/scripts/code/gv-object-templates/gv-feature-dummy.c
Examining data/goodvibes-0.6/scripts/code/gv-object-templates/gv-feature-dummy.h
Examining data/goodvibes-0.6/src/base/glib-additions.c
Examining data/goodvibes-0.6/src/base/glib-additions.h
Examining data/goodvibes-0.6/src/base/glib-object-additions.c
Examining data/goodvibes-0.6/src/base/glib-object-additions.h
Examining data/goodvibes-0.6/src/base/gv-base.c
Examining data/goodvibes-0.6/src/base/gv-base.h
Examining data/goodvibes-0.6/src/base/gv-configurable.c
Examining data/goodvibes-0.6/src/base/gv-configurable.h
Examining data/goodvibes-0.6/src/base/gv-errorable.c
Examining data/goodvibes-0.6/src/base/gv-errorable.h
Examining data/goodvibes-0.6/src/base/gv-feature.c
Examining data/goodvibes-0.6/src/base/gv-feature.h
Examining data/goodvibes-0.6/src/base/gv-param-specs.h
Examining data/goodvibes-0.6/src/base/log.c
Examining data/goodvibes-0.6/src/base/log.h
Examining data/goodvibes-0.6/src/base/uri-schemes.c
Examining data/goodvibes-0.6/src/base/uri-schemes.h
Examining data/goodvibes-0.6/src/base/utils.c
Examining data/goodvibes-0.6/src/base/utils.h
Examining data/goodvibes-0.6/src/base/vt-codes.h
Examining data/goodvibes-0.6/src/client.c
Examining data/goodvibes-0.6/src/core/gst-additions.c
Examining data/goodvibes-0.6/src/core/gst-additions.h
Examining data/goodvibes-0.6/src/core/gv-core-internal.h
Examining data/goodvibes-0.6/src/core/gv-core.c
Examining data/goodvibes-0.6/src/core/gv-core.h
Examining data/goodvibes-0.6/src/core/gv-engine.c
Examining data/goodvibes-0.6/src/core/gv-engine.h
Examining data/goodvibes-0.6/src/core/gv-metadata.c
Examining data/goodvibes-0.6/src/core/gv-metadata.h
Examining data/goodvibes-0.6/src/core/gv-player.c
Examining data/goodvibes-0.6/src/core/gv-player.h
Examining data/goodvibes-0.6/src/core/gv-playlist.c
Examining data/goodvibes-0.6/src/core/gv-playlist.h
Examining data/goodvibes-0.6/src/core/gv-station-list.c
Examining data/goodvibes-0.6/src/core/gv-station-list.h
Examining data/goodvibes-0.6/src/core/gv-station.c
Examining data/goodvibes-0.6/src/core/gv-station.h
Examining data/goodvibes-0.6/src/core/gv-streaminfo.c
Examining data/goodvibes-0.6/src/core/gv-streaminfo.h
Examining data/goodvibes-0.6/src/core/tests/metadata.c
Examining data/goodvibes-0.6/src/core/tests/station-list.c
Examining data/goodvibes-0.6/src/default-stations.h
Examining data/goodvibes-0.6/src/feat/gv-console-output.c
Examining data/goodvibes-0.6/src/feat/gv-console-output.h
Examining data/goodvibes-0.6/src/feat/gv-dbus-server-mpris2.c
Examining data/goodvibes-0.6/src/feat/gv-dbus-server-mpris2.h
Examining data/goodvibes-0.6/src/feat/gv-dbus-server-native.c
Examining data/goodvibes-0.6/src/feat/gv-dbus-server-native.h
Examining data/goodvibes-0.6/src/feat/gv-dbus-server.c
Examining data/goodvibes-0.6/src/feat/gv-dbus-server.h
Examining data/goodvibes-0.6/src/feat/gv-feat.c
Examining data/goodvibes-0.6/src/feat/gv-feat.h
Examining data/goodvibes-0.6/src/feat/gv-hotkeys.c
Examining data/goodvibes-0.6/src/feat/gv-hotkeys.h
Examining data/goodvibes-0.6/src/feat/gv-inhibitor-impl.c
Examining data/goodvibes-0.6/src/feat/gv-inhibitor-impl.h
Examining data/goodvibes-0.6/src/feat/gv-inhibitor.c
Examining data/goodvibes-0.6/src/feat/gv-inhibitor.h
Examining data/goodvibes-0.6/src/feat/gv-notifications.c
Examining data/goodvibes-0.6/src/feat/gv-notifications.h
Examining data/goodvibes-0.6/src/gv-console-application.c
Examining data/goodvibes-0.6/src/gv-console-application.h
Examining data/goodvibes-0.6/src/gv-graphical-application.c
Examining data/goodvibes-0.6/src/gv-graphical-application.h
Examining data/goodvibes-0.6/src/main.c
Examining data/goodvibes-0.6/src/options.c
Examining data/goodvibes-0.6/src/options.h
Examining data/goodvibes-0.6/src/ui/gtk-additions.c
Examining data/goodvibes-0.6/src/ui/gtk-additions.h
Examining data/goodvibes-0.6/src/ui/gv-about-dialog.c
Examining data/goodvibes-0.6/src/ui/gv-about-dialog.h
Examining data/goodvibes-0.6/src/ui/gv-keyboard-shortcuts-window.c
Examining data/goodvibes-0.6/src/ui/gv-keyboard-shortcuts-window.h
Examining data/goodvibes-0.6/src/ui/gv-main-window-manager.c
Examining data/goodvibes-0.6/src/ui/gv-main-window-manager.h
Examining data/goodvibes-0.6/src/ui/gv-main-window.c
Examining data/goodvibes-0.6/src/ui/gv-main-window.h
Examining data/goodvibes-0.6/src/ui/gv-prefs-window.c
Examining data/goodvibes-0.6/src/ui/gv-prefs-window.h
Examining data/goodvibes-0.6/src/ui/gv-station-context-menu.c
Examining data/goodvibes-0.6/src/ui/gv-station-context-menu.h
Examining data/goodvibes-0.6/src/ui/gv-station-dialog.c
Examining data/goodvibes-0.6/src/ui/gv-station-dialog.h
Examining data/goodvibes-0.6/src/ui/gv-station-properties-box.c
Examining data/goodvibes-0.6/src/ui/gv-station-properties-box.h
Examining data/goodvibes-0.6/src/ui/gv-stations-tree-view.c
Examining data/goodvibes-0.6/src/ui/gv-stations-tree-view.h
Examining data/goodvibes-0.6/src/ui/gv-status-icon.c
Examining data/goodvibes-0.6/src/ui/gv-status-icon.h
Examining data/goodvibes-0.6/src/ui/gv-ui-helpers.c
Examining data/goodvibes-0.6/src/ui/gv-ui-helpers.h
Examining data/goodvibes-0.6/src/ui/gv-ui-internal.h
Examining data/goodvibes-0.6/src/ui/gv-ui.c
Examining data/goodvibes-0.6/src/ui/gv-ui.h
FINAL RESULTS:
data/goodvibes-0.6/src/base/log.c:39:27: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
#define perrorf(fmt, ...) fprintf(stderr, fmt ": %s\n", ##__VA_ARGS__, strerror(errno))
data/goodvibes-0.6/src/base/log.c:40:29: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
#define print_err(fmt, ...) fprintf(stderr, fmt "\n", ##__VA_ARGS__)
data/goodvibes-0.6/src/client.c:38:29: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
#define print(fmt, ...) fprintf(stdout, fmt"\n", ##__VA_ARGS__)
data/goodvibes-0.6/src/client.c:39:29: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
#define print_err(fmt, ...) fprintf(stderr, fmt"\n", ##__VA_ARGS__)
data/goodvibes-0.6/src/client.c:802:12: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
success = system(gsettings_cmd);
data/goodvibes-0.6/src/core/gv-station-list.c:554:9: [3] (random) g_random_boolean:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
return g_random_boolean() ? 1 : -1;
data/goodvibes-0.6/src/base/log.c:351:8: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fp = fopen(output_file, "w");
data/goodvibes-0.6/src/base/glib-additions.c:76:18: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
separator_len = strlen(separator);
data/goodvibes-0.6/src/base/glib-additions.c:86:11: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len += strlen(s);
data/goodvibes-0.6/src/base/log.c:237:23: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (value_string && strlen(value_string) > max_len) {
data/goodvibes-0.6/src/feat/gv-dbus-server-mpris2.c:198:30: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
station_uid = playlist_id + strlen(PLAYLISTID_PATH "/");
data/goodvibes-0.6/src/feat/gv-dbus-server-mpris2.c:231:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
station_uid = track_id + strlen(TRACKID_PATH "/");
data/goodvibes-0.6/src/ui/gv-prefs-window.c:149:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (text && strlen(text) > 0) {
data/goodvibes-0.6/src/ui/gv-station-dialog.c:90:11: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
length = strlen(text);
ANALYSIS SUMMARY:
Hits = 14
Lines analyzed = 21986 in approximately 0.47 seconds (46720 lines/second)
Physical Source Lines of Code (SLOC) = 13447
Hits@level = [0] 4 [1] 7 [2] 1 [3] 1 [4] 5 [5] 0
Hits@level+ = [0+] 18 [1+] 14 [2+] 7 [3+] 6 [4+] 5 [5+] 0
Hits/KSLOC@level+ = [0+] 1.33859 [1+] 1.04112 [2+] 0.520562 [3+] 0.446196 [4+] 0.37183 [5+] 0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.