Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/irssi-plugin-robustirc-0.6/src/core/robustio.c
Examining data/irssi-plugin-robustirc-0.6/src/core/robustio.h
Examining data/irssi-plugin-robustirc-0.6/src/core/robustirc.c
Examining data/irssi-plugin-robustirc-0.6/src/core/robustirc.h
Examining data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession-network.c
Examining data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession-network.h
Examining data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession.h
Examining data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession.c
Examining data/irssi-plugin-robustirc-0.6/src/fe-common/fe-robustirc.c
Examining data/irssi-plugin-robustirc-0.6/src/fe-common/module-formats.c
Examining data/irssi-plugin-robustirc-0.6/src/fe-common/module-formats.h

FINAL RESULTS:

data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession-network.c:95:5:  [3] (random) srand:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
    srand(time(NULL));
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession-network.c:164:14:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
    gboolean random;
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession-network.c:182:28:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
    ctx->address, ctx->random, ctx->cancellable, ctx->callback, ctx->userdata);
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession-network.c:197:14:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
    gboolean random,
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession-network.c:221:9:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
    if (random) {
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession-network.c:258:25:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
    retry_ctx->random = random;
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession-network.h:25:14:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
    gboolean random,
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession.c:69:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char curl_error_buf[CURL_ERROR_SIZE];
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession.c:149:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(request->last_key, val, len);
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession.c:176:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(str, val, len);
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession.c:186:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(request->data, val, len);
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession.c:340:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char errmsg[1024];
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession.c:651:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(&(body_buffer->body[body_buffer->size]), contents, realsize);
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession.c:800:57:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    yajl_gen_string(gen, (const unsigned char *)"Data", strlen("Data"));
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession.c:801:67:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    yajl_gen_string(gen, (const unsigned char *)send_ctx->buffer, strlen(send_ctx->buffer));
data/irssi-plugin-robustirc-0.6/src/core/robustsession/robustsession.c:802:68:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    yajl_gen_string(gen, (const unsigned char *)"ClientMessageId", strlen("ClientMessageId"));

ANALYSIS SUMMARY:

Hits = 16
Lines analyzed = 1753 in approximately 0.05 seconds (32058 lines/second)
Physical Source Lines of Code (SLOC) = 1347
Hits@level = [0]   0 [1]   3 [2]   6 [3]   7 [4]   0 [5]   0
Hits@level+ = [0+]  16 [1+]  16 [2+]  13 [3+]   7 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 11.8782 [1+] 11.8782 [2+] 9.65108 [3+] 5.19673 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.