Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/kodi-pvr-hdhomerun-3.4.3/src/HDHomeRunTuners.cpp
Examining data/kodi-pvr-hdhomerun-3.4.3/src/HDHomeRunTuners.h
Examining data/kodi-pvr-hdhomerun-3.4.3/src/Utils.cpp
Examining data/kodi-pvr-hdhomerun-3.4.3/src/Utils.h
Examining data/kodi-pvr-hdhomerun-3.4.3/src/client.cpp
Examining data/kodi-pvr-hdhomerun-3.4.3/src/client.h

FINAL RESULTS:

data/kodi-pvr-hdhomerun-3.4.3/src/Utils.cpp:48:10:  [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited,
  and note that sprintf variations do not always \0-terminate (CWE-134). Use a
  constant for the format specification.
  nLen = vsnprintf(szBuffer, sizeof(szBuffer) - 1, szFormat, args);
data/kodi-pvr-hdhomerun-3.4.3/src/Utils.cpp:36:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char szBuffer[4096];
data/kodi-pvr-hdhomerun-3.4.3/src/Utils.cpp:66:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[1024];
data/kodi-pvr-hdhomerun-3.4.3/src/HDHomeRunTuners.cpp:284:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(pvrChannel.strChannelName, jsonChannel["_ChannelName"].asString().c_str(),
data/kodi-pvr-hdhomerun-3.4.3/src/HDHomeRunTuners.cpp:287:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(pvrChannel.strIconPath, jsonChannel["_IconPath"].asString().c_str(),
data/kodi-pvr-hdhomerun-3.4.3/src/HDHomeRunTuners.cpp:363:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(channelGroup.strGroupName, g_strGroupFavoriteChannels.c_str(),
data/kodi-pvr-hdhomerun-3.4.3/src/HDHomeRunTuners.cpp:369:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(channelGroup.strGroupName, g_strGroupHDChannels.c_str(),
data/kodi-pvr-hdhomerun-3.4.3/src/HDHomeRunTuners.cpp:375:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(channelGroup.strGroupName, g_strGroupSDChannels.c_str(),
data/kodi-pvr-hdhomerun-3.4.3/src/HDHomeRunTuners.cpp:398:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(channelGroupMember.strGroupName, group.strGroupName,
data/kodi-pvr-hdhomerun-3.4.3/src/client.cpp:273:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120). Risk is low because the source is a
  constant string.
  strncpy(signalStatus.strAdapterName, "PVR HDHomeRun Adapter 1",
data/kodi-pvr-hdhomerun-3.4.3/src/client.cpp:276:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120). Risk is low because the source is a
  constant string.
  strncpy(signalStatus.strAdapterStatus, "OK",
data/kodi-pvr-hdhomerun-3.4.3/src/client.cpp:305:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(properties[0].strName, PVR_STREAM_PROPERTY_STREAMURL, sizeof(properties[0].strName) - 1);
data/kodi-pvr-hdhomerun-3.4.3/src/client.cpp:306:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(properties[0].strValue, strUrl.c_str(), sizeof(properties[0].strValue) - 1);
data/kodi-pvr-hdhomerun-3.4.3/src/client.cpp:307:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(properties[1].strName, PVR_STREAM_PROPERTY_ISREALTIMESTREAM, sizeof(properties[1].strName) - 1);
data/kodi-pvr-hdhomerun-3.4.3/src/client.cpp:308:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120). Risk is low because the source is a
  constant string.
  strncpy(properties[1].strValue, "true", sizeof(properties[1].strValue) - 1);

ANALYSIS SUMMARY:

Hits = 15
Lines analyzed = 1095 in approximately 0.49 seconds (2236 lines/second)
Physical Source Lines of Code (SLOC) = 759
Hits@level = [0]   5 [1]  12 [2]   2 [3]   0 [4]   1 [5]   0
Hits@level+ = [0+]  20 [1+]  15 [2+]   3 [3+]   1 [4+]   1 [5+]   0
Hits/KSLOC@level+ = [0+] 26.3505 [1+] 19.7628 [2+] 3.95257 [3+] 1.31752 [4+] 1.31752 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
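Added example for triaging the strncpy and vsnprintf hits above. It is not part of the flawfinder report and not code from kodi-pvr-hdhomerun; FIELD_LEN, copy_str, fmt_str and the sample strings are this example's own assumptions. It shows the two facts a reviewer needs: strncpy(dst, src, sizeof dst - 1), the idiom every [1] hit uses, leaves dst unterminated whenever strlen(src) >= sizeof dst - 1 unless the destination was zero-filled beforehand (the report cannot tell whether the Kodi structs were), and C99 vsnprintf always terminates when the size is non-zero, so the "sizeof - 1" at Utils.cpp:48 is harmless but the return value is the only truncation signal. The [4] on vsnprintf is about where szFormat comes from, which flawfinder cannot see because it is a parameter; the triage step is confirming that every caller passes a string literal.

```c
/* Added example (not kodi-pvr-hdhomerun code). Build: cc -std=c99 -Wall ex.c */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 8   /* hypothetical fixed-size char field, like strGroupName */

/* 1 if buf[0..n-1] contains a NUL terminator, 0 otherwise. */
int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* The flagged idiom: strncpy(dst, src, sizeof dst - 1). When strlen(src) is
 * at least sizeof dst - 1, strncpy writes no NUL at all, so the result is
 * terminated only if dst[sizeof dst - 1] was already zero. `prezero` says
 * whether the caller cleared the field first. Returns 1 if terminated. */
int strncpy_idiom_terminated(const char *src, int prezero)
{
    char dst[FIELD_LEN];
    memset(dst, prezero ? 0 : 'X', sizeof dst); /* 'X' stands in for stale stack bytes */
    strncpy(dst, src, sizeof dst - 1);
    return is_terminated(dst, sizeof dst);
}

/* Replacement with strlcpy-style semantics: always NUL-terminates when
 * dst_size > 0 and returns strlen(src), so ret >= dst_size means truncated. */
size_t copy_str(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return len;
    size_t n = len < dst_size - 1 ? len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len;
}

/* Same convention for formatting. `fmt` must be a literal chosen by the
 * caller (that is the CWE-134 condition). Passing the full buffer size is
 * correct: C99 vsnprintf reserves room for the NUL itself, and its return
 * value is the length it wanted, so ret >= buf_size means truncated. */
int fmt_str(char *buf, size_t buf_size, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    int n = vsnprintf(buf, buf_size, fmt, args);
    va_end(args);
    return n;
}

/* Scenario helpers: copy `src` into a FIELD_LEN field with copy_str and
 * report, respectively, how many bytes were stored and whether it truncated. */
size_t copy_str_stored_len(const char *src)
{
    char dst[FIELD_LEN];
    copy_str(dst, sizeof dst, src);
    return strlen(dst);
}

int copy_str_truncated(const char *src)
{
    char dst[FIELD_LEN];
    return copy_str(dst, sizeof dst, src) >= sizeof dst;
}

/* Format `arg` into a FIELD_LEN field; returns vsnprintf's needed length,
 * or -1 if the buffer somehow ended up unterminated (it never does in C99). */
int fmt_str_needed_len(const char *arg)
{
    char buf[FIELD_LEN];
    int n = fmt_str(buf, sizeof buf, "%s", arg);
    return is_terminated(buf, sizeof buf) ? n : -1;
}

int main(void)
{
    const char *samples[] = { "short", "0123456", "0123456789" }; /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *s = samples[i];
        printf("%-12s strncpy(stale)=%d strncpy(zeroed)=%d copy_str truncated=%d fmt needs=%d\n",
               s, strncpy_idiom_terminated(s, 0), strncpy_idiom_terminated(s, 1),
               copy_str_truncated(s), fmt_str_needed_len(s));
    }
    return 0;
}
```

"0123456" is the boundary case: seven characters into an eight-byte field through strncpy with n = 7 copies no NUL, so a reader of the later field sees whatever byte followed. The fix is not to drop strncpy everywhere but to either zero the struct before filling it (then the sizeof - 1 idiom is correct) or use a copy routine that terminates unconditionally and tells the caller about truncation.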