Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/haskell-gluraw-2.0.0.4/cbits/HsGLURaw.c FINAL RESULTS: data/haskell-gluraw-2.0.0.4/cbits/HsGLURaw.c:50:3: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(symbolName + 1, name); data/haskell-gluraw-2.0.0.4/cbits/HsGLURaw.c:26:14: [3] (misc) LoadLibrary: Ensure that the full path to the library is specified, or current directory may be used (CWE-829, CWE-20). Use registry entry or GetWindowsDirectory to find library path, if you aren't already. handle = LoadLibrary(TEXT("glu32")); data/haskell-gluraw-2.0.0.4/cbits/HsGLURaw.c:45:36: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). char* symbolName = (char*)malloc(strlen(name) + 2); ANALYSIS SUMMARY: Hits = 3 Lines analyzed = 105 in approximately 0.03 seconds (3481 lines/second) Physical Source Lines of Code (SLOC) = 67 Hits@level = [0] 0 [1] 1 [2] 0 [3] 1 [4] 1 [5] 0 Hits@level+ = [0+] 3 [1+] 3 [2+] 2 [3+] 2 [4+] 1 [5+] 0 Hits/KSLOC@level+ = [0+] 44.7761 [1+] 44.7761 [2+] 29.8507 [3+] 29.8507 [4+] 14.9254 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.