Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/jcsp-1.1-rc4/src/org/jcsp/win32/svcclasses.cpp
Examining data/jcsp-1.1-rc4/src/org/jcsp/win32/NTService.c
Examining data/jcsp-1.1-rc4/src/org/jcsp/win32/svcctrl.cpp
Examining data/jcsp-1.1-rc4/src/org/jcsp/win32/svcclasses.h
Examining data/jcsp-1.1-rc4/src/org/jcsp/win32/NTService.h
FINAL RESULTS:
data/jcsp-1.1-rc4/src/org/jcsp/win32/svcctrl.cpp:37:3: [4] (format) _ftprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
_ftprintf(stderr, TEXT ("Couldn't open service manager\n"));
data/jcsp-1.1-rc4/src/org/jcsp/win32/svcctrl.cpp:42:4: [4] (format) _ftprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
_ftprintf (stderr, TEXT ("%s install name path\n"), argv[0]);
data/jcsp-1.1-rc4/src/org/jcsp/win32/svcctrl.cpp:49:4: [4] (format) _ftprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
_ftprintf(stderr, TEXT ("Couldn't install service\n"));
data/jcsp-1.1-rc4/src/org/jcsp/win32/svcctrl.cpp:54:4: [4] (format) _ftprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
_ftprintf (stderr, TEXT ("%s remove name\n"), argv[0]);
data/jcsp-1.1-rc4/src/org/jcsp/win32/svcctrl.cpp:60:3: [4] (format) _ftprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
_ftprintf(stderr, TEXT (" %s install\nor %s remove\n"), argv[0], argv[0]);
data/jcsp-1.1-rc4/src/org/jcsp/win32/NTService.c:47:13: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
static void setstate(int s) {
data/jcsp-1.1-rc4/src/org/jcsp/win32/NTService.c:59:6: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
setstate(SERVICE_STOP_PENDING);
data/jcsp-1.1-rc4/src/org/jcsp/win32/NTService.c:62:6: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
setstate(sta.dwCurrentState);
data/jcsp-1.1-rc4/src/org/jcsp/win32/NTService.c:74:5: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
setstate(SERVICE_RUNNING);
data/jcsp-1.1-rc4/src/org/jcsp/win32/NTService.c:77:5: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
setstate(SERVICE_STOPPED);
data/jcsp-1.1-rc4/src/org/jcsp/win32/svcclasses.cpp:116:13: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
static void setstate(int s) {
data/jcsp-1.1-rc4/src/org/jcsp/win32/svcclasses.cpp:128:6: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
setstate(SERVICE_STOP_PENDING);
data/jcsp-1.1-rc4/src/org/jcsp/win32/svcclasses.cpp:131:6: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
setstate(sta.dwCurrentState);
data/jcsp-1.1-rc4/src/org/jcsp/win32/svcclasses.cpp:143:5: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
setstate(SERVICE_RUNNING);
data/jcsp-1.1-rc4/src/org/jcsp/win32/svcclasses.cpp:145:5: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
setstate(SERVICE_STOPPED);
ANALYSIS SUMMARY:
Hits = 15
Lines analyzed = 481 in approximately 0.36 seconds (1340 lines/second)
Physical Source Lines of Code (SLOC) = 285
Hits@level = [0] 0 [1] 0 [2] 0 [3] 10 [4] 5 [5] 0
Hits@level+ = [0+] 15 [1+] 15 [2+] 15 [3+] 15 [4+] 5 [5+] 0
Hits/KSLOC@level+ = [0+] 52.6316 [1+] 52.6316 [2+] 52.6316 [3+] 52.6316 [4+] 17.5439 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.