Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/hexcompare-1.0.4/gui.c
Examining data/hexcompare-1.0.4/general.h
Examining data/hexcompare-1.0.4/main.c
Examining data/hexcompare-1.0.4/gui.h

FINAL RESULTS:

data/hexcompare-1.0.4/main.c:49:3:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
		printf(message[2], file_one.name);
data/hexcompare-1.0.4/main.c:53:3:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
		printf(message[2], file_two.name);
data/hexcompare-1.0.4/gui.c:79:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char s[32];
data/hexcompare-1.0.4/gui.c:80:2:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
	sprintf(s, "%lX", fsz);
data/hexcompare-1.0.4/gui.c:142:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char title_offset[32];
data/hexcompare-1.0.4/gui.c:143:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char bottom_message[128];
data/hexcompare-1.0.4/gui.c:160:2:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
	sprintf(title_offset, " 0x%04x", (unsigned int) file_offset);
data/hexcompare-1.0.4/gui.c:165:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(bottom_message, "Quit: q | ");
data/hexcompare-1.0.4/gui.c:168:3:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant string.
		strcat(bottom_message, "Hex Mode: m | ");
data/hexcompare-1.0.4/gui.c:170:3:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant string.
		strcat(bottom_message, "ASCII Mode: m | ");
data/hexcompare-1.0.4/gui.c:174:3:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant string.
		strcat(bottom_message, "Full View: v | Page & Arrow Keys to Move");
data/hexcompare-1.0.4/gui.c:176:3:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant string.
		strcat(bottom_message, "Mixed View: v | Arrow Keys to Move");
data/hexcompare-1.0.4/gui.c:403:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char offset_line[32];
data/hexcompare-1.0.4/gui.c:408:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
		sprintf(offset_line, "0x%%0%ix ", offset_char_size);
data/hexcompare-1.0.4/gui.c:429:4:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
			char byte_one_hex[16], byte_two_hex[16];
data/hexcompare-1.0.4/gui.c:442:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
			sprintf(byte_one_hex, "%02x", byte_one);
data/hexcompare-1.0.4/gui.c:443:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
			sprintf(byte_two_hex, "%02x", byte_two);
data/hexcompare-1.0.4/main.c:48:26:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	if ((file_one.pointer = fopen(file_one.name, "rb")) == NULL) {
data/hexcompare-1.0.4/main.c:52:26:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	if ((file_two.pointer = fopen(file_two.name, "rb")) == NULL) {
data/hexcompare-1.0.4/gui.c:81:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	return(strlen(s));
data/hexcompare-1.0.4/gui.c:161:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	mvprintw(0, width-strlen(title_offset)-SIDE_MARGIN, "%s",

ANALYSIS SUMMARY:

Hits = 21
Lines analyzed = 1009 in approximately 0.04 seconds (23100 lines/second)
Physical Source Lines of Code (SLOC) = 632
Hits@level = [0]   6 [1]   2 [2]  17 [3]   0 [4]   2 [5]   0
Hits@level+ = [0+]  27 [1+]  21 [2+]  19 [3+]   2 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 42.7215 [1+] 33.2278 [2+] 30.0633 [3+] 3.16456 [4+] 3.16456 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.