Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/goodvibes-0.6/scripts/code/gv-object-templates/gv-dummy.c
Examining data/goodvibes-0.6/scripts/code/gv-object-templates/gv-dummy.h
Examining data/goodvibes-0.6/scripts/code/gv-object-templates/gv-feature-dummy.c
Examining data/goodvibes-0.6/scripts/code/gv-object-templates/gv-feature-dummy.h
Examining data/goodvibes-0.6/src/base/glib-additions.c
Examining data/goodvibes-0.6/src/base/glib-additions.h
Examining data/goodvibes-0.6/src/base/glib-object-additions.c
Examining data/goodvibes-0.6/src/base/glib-object-additions.h
Examining data/goodvibes-0.6/src/base/gv-base.c
Examining data/goodvibes-0.6/src/base/gv-base.h
Examining data/goodvibes-0.6/src/base/gv-configurable.c
Examining data/goodvibes-0.6/src/base/gv-configurable.h
Examining data/goodvibes-0.6/src/base/gv-errorable.c
Examining data/goodvibes-0.6/src/base/gv-errorable.h
Examining data/goodvibes-0.6/src/base/gv-feature.c
Examining data/goodvibes-0.6/src/base/gv-feature.h
Examining data/goodvibes-0.6/src/base/gv-param-specs.h
Examining data/goodvibes-0.6/src/base/log.c
Examining data/goodvibes-0.6/src/base/log.h
Examining data/goodvibes-0.6/src/base/uri-schemes.c
Examining data/goodvibes-0.6/src/base/uri-schemes.h
Examining data/goodvibes-0.6/src/base/utils.c
Examining data/goodvibes-0.6/src/base/utils.h
Examining data/goodvibes-0.6/src/base/vt-codes.h
Examining data/goodvibes-0.6/src/client.c
Examining data/goodvibes-0.6/src/core/gst-additions.c
Examining data/goodvibes-0.6/src/core/gst-additions.h
Examining data/goodvibes-0.6/src/core/gv-core-internal.h
Examining data/goodvibes-0.6/src/core/gv-core.c
Examining data/goodvibes-0.6/src/core/gv-core.h
Examining data/goodvibes-0.6/src/core/gv-engine.c
Examining data/goodvibes-0.6/src/core/gv-engine.h
Examining data/goodvibes-0.6/src/core/gv-metadata.c
Examining data/goodvibes-0.6/src/core/gv-metadata.h
Examining data/goodvibes-0.6/src/core/gv-player.c
Examining data/goodvibes-0.6/src/core/gv-player.h
Examining data/goodvibes-0.6/src/core/gv-playlist.c
Examining data/goodvibes-0.6/src/core/gv-playlist.h
Examining data/goodvibes-0.6/src/core/gv-station-list.c
Examining data/goodvibes-0.6/src/core/gv-station-list.h
Examining data/goodvibes-0.6/src/core/gv-station.c
Examining data/goodvibes-0.6/src/core/gv-station.h
Examining data/goodvibes-0.6/src/core/gv-streaminfo.c
Examining data/goodvibes-0.6/src/core/gv-streaminfo.h
Examining data/goodvibes-0.6/src/core/tests/metadata.c
Examining data/goodvibes-0.6/src/core/tests/station-list.c
Examining data/goodvibes-0.6/src/default-stations.h
Examining data/goodvibes-0.6/src/feat/gv-console-output.c
Examining data/goodvibes-0.6/src/feat/gv-console-output.h
Examining data/goodvibes-0.6/src/feat/gv-dbus-server-mpris2.c
Examining data/goodvibes-0.6/src/feat/gv-dbus-server-mpris2.h
Examining data/goodvibes-0.6/src/feat/gv-dbus-server-native.c
Examining data/goodvibes-0.6/src/feat/gv-dbus-server-native.h
Examining data/goodvibes-0.6/src/feat/gv-dbus-server.c
Examining data/goodvibes-0.6/src/feat/gv-dbus-server.h
Examining data/goodvibes-0.6/src/feat/gv-feat.c
Examining data/goodvibes-0.6/src/feat/gv-feat.h
Examining data/goodvibes-0.6/src/feat/gv-hotkeys.c
Examining data/goodvibes-0.6/src/feat/gv-hotkeys.h
Examining data/goodvibes-0.6/src/feat/gv-inhibitor-impl.c
Examining data/goodvibes-0.6/src/feat/gv-inhibitor-impl.h
Examining data/goodvibes-0.6/src/feat/gv-inhibitor.c
Examining data/goodvibes-0.6/src/feat/gv-inhibitor.h
Examining data/goodvibes-0.6/src/feat/gv-notifications.c
Examining data/goodvibes-0.6/src/feat/gv-notifications.h
Examining data/goodvibes-0.6/src/gv-console-application.c
Examining data/goodvibes-0.6/src/gv-console-application.h
Examining data/goodvibes-0.6/src/gv-graphical-application.c
Examining data/goodvibes-0.6/src/gv-graphical-application.h
Examining data/goodvibes-0.6/src/main.c
Examining data/goodvibes-0.6/src/options.c
Examining data/goodvibes-0.6/src/options.h
Examining data/goodvibes-0.6/src/ui/gtk-additions.c
Examining data/goodvibes-0.6/src/ui/gtk-additions.h
Examining data/goodvibes-0.6/src/ui/gv-about-dialog.c
Examining data/goodvibes-0.6/src/ui/gv-about-dialog.h
Examining data/goodvibes-0.6/src/ui/gv-keyboard-shortcuts-window.c
Examining data/goodvibes-0.6/src/ui/gv-keyboard-shortcuts-window.h
Examining data/goodvibes-0.6/src/ui/gv-main-window-manager.c
Examining data/goodvibes-0.6/src/ui/gv-main-window-manager.h
Examining data/goodvibes-0.6/src/ui/gv-main-window.c
Examining data/goodvibes-0.6/src/ui/gv-main-window.h
Examining data/goodvibes-0.6/src/ui/gv-prefs-window.c
Examining data/goodvibes-0.6/src/ui/gv-prefs-window.h
Examining data/goodvibes-0.6/src/ui/gv-station-context-menu.c
Examining data/goodvibes-0.6/src/ui/gv-station-context-menu.h
Examining data/goodvibes-0.6/src/ui/gv-station-dialog.c
Examining data/goodvibes-0.6/src/ui/gv-station-dialog.h
Examining data/goodvibes-0.6/src/ui/gv-station-properties-box.c
Examining data/goodvibes-0.6/src/ui/gv-station-properties-box.h
Examining data/goodvibes-0.6/src/ui/gv-stations-tree-view.c
Examining data/goodvibes-0.6/src/ui/gv-stations-tree-view.h
Examining data/goodvibes-0.6/src/ui/gv-status-icon.c
Examining data/goodvibes-0.6/src/ui/gv-status-icon.h
Examining data/goodvibes-0.6/src/ui/gv-ui-helpers.c
Examining data/goodvibes-0.6/src/ui/gv-ui-helpers.h
Examining data/goodvibes-0.6/src/ui/gv-ui-internal.h
Examining data/goodvibes-0.6/src/ui/gv-ui.c
Examining data/goodvibes-0.6/src/ui/gv-ui.h

FINAL RESULTS:

data/goodvibes-0.6/src/base/log.c:39:27:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  #define perrorf(fmt, ...) fprintf(stderr, fmt ": %s\n", ##__VA_ARGS__, strerror(errno))
data/goodvibes-0.6/src/base/log.c:40:29:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  #define print_err(fmt, ...) fprintf(stderr, fmt "\n", ##__VA_ARGS__)
data/goodvibes-0.6/src/client.c:38:29:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  #define print(fmt, ...) fprintf(stdout, fmt"\n", ##__VA_ARGS__)
data/goodvibes-0.6/src/client.c:39:29:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  #define print_err(fmt, ...) fprintf(stderr, fmt"\n", ##__VA_ARGS__)
data/goodvibes-0.6/src/client.c:802:12:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  success = system(gsettings_cmd);
data/goodvibes-0.6/src/core/gv-station-list.c:554:9:  [3] (random) g_random_boolean:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  return g_random_boolean() ? 1 : -1;
data/goodvibes-0.6/src/base/log.c:351:8:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  fp = fopen(output_file, "w");
data/goodvibes-0.6/src/base/glib-additions.c:76:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  separator_len = strlen(separator);
data/goodvibes-0.6/src/base/glib-additions.c:86:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len += strlen(s);
data/goodvibes-0.6/src/base/log.c:237:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (value_string && strlen(value_string) > max_len) {
data/goodvibes-0.6/src/feat/gv-dbus-server-mpris2.c:198:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  station_uid = playlist_id + strlen(PLAYLISTID_PATH "/");
data/goodvibes-0.6/src/feat/gv-dbus-server-mpris2.c:231:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  station_uid = track_id + strlen(TRACKID_PATH "/");
data/goodvibes-0.6/src/ui/gv-prefs-window.c:149:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (text && strlen(text) > 0) {
data/goodvibes-0.6/src/ui/gv-station-dialog.c:90:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  length = strlen(text);

ANALYSIS SUMMARY:

Hits = 14
Lines analyzed = 21986 in approximately 0.47 seconds (46720 lines/second)
Physical Source Lines of Code (SLOC) = 13447
Hits@level = [0]   4 [1]   7 [2]   1 [3]   1 [4]   5 [5]   0
Hits@level+ = [0+]  18 [1+]  14 [2+]   7 [3+]   6 [4+]   5 [5+]   0
Hits/KSLOC@level+ = [0+] 1.33859 [1+] 1.04112 [2+] 0.520562 [3+] 0.446196 [4+] 0.37183 [5+]   0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.