Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libgweather-3.36.1/libgweather/gweather-enums.h
Examining data/libgweather-3.36.1/libgweather/gweather-location-entry.c
Examining data/libgweather-3.36.1/libgweather/gweather-location-entry.h
Examining data/libgweather-3.36.1/libgweather/gweather-location.c
Examining data/libgweather-3.36.1/libgweather/gweather-location.h
Examining data/libgweather-3.36.1/libgweather/gweather-parser.c
Examining data/libgweather-3.36.1/libgweather/gweather-parser.h
Examining data/libgweather-3.36.1/libgweather/gweather-private.c
Examining data/libgweather-3.36.1/libgweather/gweather-private.h
Examining data/libgweather-3.36.1/libgweather/gweather-timezone-menu.c
Examining data/libgweather-3.36.1/libgweather/gweather-timezone-menu.h
Examining data/libgweather-3.36.1/libgweather/gweather-timezone.c
Examining data/libgweather-3.36.1/libgweather/gweather-timezone.h
Examining data/libgweather-3.36.1/libgweather/gweather-weather.c
Examining data/libgweather-3.36.1/libgweather/gweather-weather.h
Examining data/libgweather-3.36.1/libgweather/gweather.c
Examining data/libgweather-3.36.1/libgweather/gweather.h
Examining data/libgweather-3.36.1/libgweather/test_libgweather.c
Examining data/libgweather-3.36.1/libgweather/test_locations.c
Examining data/libgweather-3.36.1/libgweather/test_locations_utc.c
Examining data/libgweather-3.36.1/libgweather/test_metar.c
Examining data/libgweather-3.36.1/libgweather/test_sun_moon.c
Examining data/libgweather-3.36.1/libgweather/test_weather.c
Examining data/libgweather-3.36.1/libgweather/weather-iwin.c
Examining data/libgweather-3.36.1/libgweather/weather-metar.c
Examining data/libgweather-3.36.1/libgweather/weather-moon.c
Examining data/libgweather-3.36.1/libgweather/weather-owm.c
Examining data/libgweather-3.36.1/libgweather/weather-sun.c
Examining data/libgweather-3.36.1/libgweather/weather-wx.c
Examining data/libgweather-3.36.1/libgweather/weather-yrno.c

FINAL RESULTS:

data/libgweather-3.36.1/libgweather/test_metar.c:63:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[BUFLEN];
data/libgweather-3.36.1/libgweather/test_metar.c:96:11: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  stream = fopen (filename, "r");
data/libgweather-3.36.1/libgweather/weather-iwin.c:242:64: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  if (strstr ((const char *)val, ph_list [i].name)) {
data/libgweather-3.36.1/libgweather/weather-iwin.c:250:64: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  if (strstr ((const char *)val, sky_list [i].name)) {
data/libgweather-3.36.1/libgweather/weather-metar.c:98:42: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  dir = (!strcmp (sdir, "VRB")) ? -1 : atoi (sdir);
data/libgweather-3.36.1/libgweather/weather-metar.c:103:11: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  spd = atoi (sspd);
data/libgweather-3.36.1/libgweather/weather-metar.c:180:9: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  den = atoi (sval);
data/libgweather-3.36.1/libgweather/weather-metar.c:187:13: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  val = atoi (tokp);
data/libgweather-3.36.1/libgweather/weather-metar.c:193:19: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  val = atoi (sval);
data/libgweather-3.36.1/libgweather/weather-metar.c:200:8: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  val = atoi (sval);
data/libgweather-3.36.1/libgweather/weather-metar.c:252:16: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  intg = atoi (sintg);
data/libgweather-3.36.1/libgweather/weather-metar.c:256:17: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  fract = atoi (sfract);
data/libgweather-3.36.1/libgweather/weather-metar.c:265:16: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  pres = atoi (spres);
data/libgweather-3.36.1/libgweather/weather-metar.c:286:50: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  priv->temp = (*ptemp == 'M') ? TEMP_C_TO_F (-atoi (ptemp + 1))
data/libgweather-3.36.1/libgweather/weather-metar.c:287:17: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  : TEMP_C_TO_F (atoi (ptemp));
data/libgweather-3.36.1/libgweather/weather-metar.c:289:45: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  priv->dew = (*pdew == 'M') ? TEMP_C_TO_F (-atoi (pdew + 1))
data/libgweather-3.36.1/libgweather/weather-metar.c:290:21: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  : TEMP_C_TO_F (atoi (pdew));
data/libgweather-3.36.1/libgweather/gweather-location-entry.c:677:19: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert (len == strlen(key));
data/libgweather-3.36.1/libgweather/gweather-timezone.c:82:31: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strncmp (contents, TZ_MAGIC, strlen (TZ_MAGIC)) != 0) {
data/libgweather-3.36.1/libgweather/gweather-weather.c:299:10: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return (strlen (str) > 0) ? str : "-";
data/libgweather-3.36.1/libgweather/test_libgweather.c:323:13: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (line) != 83)
data/libgweather-3.36.1/libgweather/test_metar.c:106:8: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen (buf);
data/libgweather-3.36.1/libgweather/weather-iwin.c:67:33: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  doc = xmlParseMemory (buff, strlen (buff));
data/libgweather-3.36.1/libgweather/weather-metar.c:96:5: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sdir, tokp, 3);
data/libgweather-3.36.1/libgweather/weather-metar.c:102:5: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sspd, tokp + 3, glen);
data/libgweather-3.36.1/libgweather/weather-metar.c:110:9: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sgust, gustp + 1, glen);
data/libgweather-3.36.1/libgweather/weather-metar.c:179:3: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sval, pfrac + 1, pend - pfrac - 1);
data/libgweather-3.36.1/libgweather/weather-metar.c:192:6: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sval, tokp, pend - tokp);
data/libgweather-3.36.1/libgweather/weather-metar.c:199:9: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sval, tokp, strspn (tokp, CONST_DIGITS));
data/libgweather-3.36.1/libgweather/weather-metar.c:215:5: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (stype, tokp, 3);
data/libgweather-3.36.1/libgweather/weather-metar.c:217:9: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (tokp) == 6) {
data/libgweather-3.36.1/libgweather/weather-metar.c:218:9: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (salt, tokp + 3, 3);
data/libgweather-3.36.1/libgweather/weather-metar.c:250:9: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sintg, tokp + 1, 2);
data/libgweather-3.36.1/libgweather/weather-metar.c:254:9: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sfract, tokp + 3, 2);
data/libgweather-3.36.1/libgweather/weather-metar.c:263:9: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (spres, tokp + 1, 4);
data/libgweather-3.36.1/libgweather/weather-metar.c:354:10: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((strlen (tokp) > 3) && ((*tokp == '+') || (*tokp == '-')))
data/libgweather-3.36.1/libgweather/weather-metar.c:359:14: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  else if (strlen (tokp) < 4)
data/libgweather-3.36.1/libgweather/weather-metar.c:365:5: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (squal, tokp, pphen - tokp);
data/libgweather-3.36.1/libgweather/weather-metar.c:369:5: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (sphen, pphen, sizeof (sphen));
data/libgweather-3.36.1/libgweather/weather-metar.c:538:23: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  token_start = strlen(p);
data/libgweather-3.36.1/libgweather/weather-metar.c:618:7: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  p += strlen (searchkey);

ANALYSIS SUMMARY:

Hits = 41
Lines analyzed = 11378 in approximately 0.38 seconds (29836 lines/second)
Physical Source Lines of Code (SLOC) = 7662
Hits@level = [0] 22 [1] 24 [2] 17 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 63 [1+] 41 [2+] 17 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 8.2224 [1+] 5.35108 [2+] 2.21874 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.