Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/libkcddb-20.08.0/tests/synccddblookuptest.h Examining data/libkcddb-20.08.0/tests/synchttplookuptest.h Examining data/libkcddb-20.08.0/tests/asynchttpsubmittest.h Examining data/libkcddb-20.08.0/tests/asynccddblookuptest.h Examining data/libkcddb-20.08.0/tests/asyncmusicbrainztest.h Examining data/libkcddb-20.08.0/tests/cdinfotest.cpp Examining data/libkcddb-20.08.0/tests/asyncsmtpsubmittest.h Examining data/libkcddb-20.08.0/tests/asynchttpsubmittest.cpp Examining data/libkcddb-20.08.0/tests/sitestest.cpp Examining data/libkcddb-20.08.0/tests/musicbrainztest.h Examining data/libkcddb-20.08.0/tests/utf8test.h Examining data/libkcddb-20.08.0/tests/synchttpsubmittest.cpp Examining data/libkcddb-20.08.0/tests/asynchttplookuptest.cpp Examining data/libkcddb-20.08.0/tests/syncsmtpsubmittest.cpp Examining data/libkcddb-20.08.0/tests/musicbrainztest-severaldiscs.cpp Examining data/libkcddb-20.08.0/tests/musicbrainztest-fulldate.cpp Examining data/libkcddb-20.08.0/tests/musicbrainztest.cpp Examining data/libkcddb-20.08.0/tests/asyncsmtpsubmittest.cpp Examining data/libkcddb-20.08.0/tests/cachetest.h Examining data/libkcddb-20.08.0/tests/synchttplookuptest.cpp Examining data/libkcddb-20.08.0/tests/musicbrainztest-fulldate.h Examining data/libkcddb-20.08.0/tests/musicbrainztest-severaldiscs.h Examining data/libkcddb-20.08.0/tests/asynchttplookuptest.h Examining data/libkcddb-20.08.0/tests/cachetest.cpp Examining data/libkcddb-20.08.0/tests/utf8test.cpp Examining data/libkcddb-20.08.0/tests/asyncmusicbrainztest.cpp Examining data/libkcddb-20.08.0/tests/synccddblookuptest.cpp Examining data/libkcddb-20.08.0/tests/asynccddblookuptest.cpp Examining data/libkcddb-20.08.0/tests/cdinfotest.h Examining data/libkcddb-20.08.0/kcmcddb/cddbconfigwidget.cpp Examining data/libkcddb-20.08.0/kcmcddb/cddbconfigwidget.h Examining data/libkcddb-20.08.0/kcmcddb/kcmcddb.cpp Examining data/libkcddb-20.08.0/kcmcddb/kcmcddbi18n.h Examining data/libkcddb-20.08.0/kcmcddb/kcmcddb.h Examining data/libkcddb-20.08.0/libkcddb/lookup.h Examining data/libkcddb-20.08.0/libkcddb/lookup.cpp Examining data/libkcddb-20.08.0/libkcddb/client.h Examining data/libkcddb-20.08.0/libkcddb/syncsmtpsubmit.h Examining data/libkcddb-20.08.0/libkcddb/asynccddbplookup.cpp Examining data/libkcddb-20.08.0/libkcddb/asyncsmtpsubmit.cpp Examining data/libkcddb-20.08.0/libkcddb/cddbplookup.cpp Examining data/libkcddb-20.08.0/libkcddb/genres.cpp Examining data/libkcddb-20.08.0/libkcddb/cddb.h Examining data/libkcddb-20.08.0/libkcddb/synchttplookup.h Examining data/libkcddb-20.08.0/libkcddb/synchttpsubmit.h Examining data/libkcddb-20.08.0/libkcddb/asyncsmtpsubmit.h Examining data/libkcddb-20.08.0/libkcddb/kcddbi18n.h Examining data/libkcddb-20.08.0/libkcddb/genres.h Examining data/libkcddb-20.08.0/libkcddb/asynchttplookup.h Examining data/libkcddb-20.08.0/libkcddb/httplookup.cpp Examining data/libkcddb-20.08.0/libkcddb/submit.h Examining data/libkcddb-20.08.0/libkcddb/cache.cpp Examining data/libkcddb-20.08.0/libkcddb/asynchttpsubmit.h Examining data/libkcddb-20.08.0/libkcddb/synccddbplookup.cpp Examining data/libkcddb-20.08.0/libkcddb/synccddbplookup.h Examining data/libkcddb-20.08.0/libkcddb/client.cpp Examining data/libkcddb-20.08.0/libkcddb/logging.cpp Examining data/libkcddb-20.08.0/libkcddb/categories.cpp Examining data/libkcddb-20.08.0/libkcddb/syncsmtpsubmit.cpp Examining data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp Examining data/libkcddb-20.08.0/libkcddb/musicbrainz/asyncmusicbrainzlookup.h Examining data/libkcddb-20.08.0/libkcddb/musicbrainz/asyncmusicbrainzlookup.cpp Examining data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.h Examining data/libkcddb-20.08.0/libkcddb/kcddb.cpp Examining data/libkcddb-20.08.0/libkcddb/asynccddbplookup.h Examining data/libkcddb-20.08.0/libkcddb/cdinfo.cpp Examining data/libkcddb-20.08.0/libkcddb/smtpsubmit.cpp Examining data/libkcddb-20.08.0/libkcddb/cache.h Examining data/libkcddb-20.08.0/libkcddb/cddb.cpp Examining data/libkcddb-20.08.0/libkcddb/httpsubmit.cpp Examining data/libkcddb-20.08.0/libkcddb/synchttpsubmit.cpp Examining data/libkcddb-20.08.0/libkcddb/httpsubmit.h Examining data/libkcddb-20.08.0/libkcddb/logging.h Examining data/libkcddb-20.08.0/libkcddb/kcddbconfig.h Examining data/libkcddb-20.08.0/libkcddb/sites.h Examining data/libkcddb-20.08.0/libkcddb/categories.h Examining data/libkcddb-20.08.0/libkcddb/kcddbconfig.cpp Examining data/libkcddb-20.08.0/libkcddb/cdinfo.h Examining data/libkcddb-20.08.0/libkcddb/asynchttplookup.cpp Examining data/libkcddb-20.08.0/libkcddb/httplookup.h Examining data/libkcddb-20.08.0/libkcddb/sites.cpp Examining data/libkcddb-20.08.0/libkcddb/asynchttpsubmit.cpp Examining data/libkcddb-20.08.0/libkcddb/kcddb.h Examining data/libkcddb-20.08.0/libkcddb/smtpsubmit.h Examining data/libkcddb-20.08.0/libkcddb/cddbplookup.h Examining data/libkcddb-20.08.0/libkcddb/synchttplookup.cpp Examining data/libkcddb-20.08.0/libkcddb/submit.cpp FINAL RESULTS: data/libkcddb-20.08.0/libkcddb/cache.cpp:132:14: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ( f.open(QIODevice::WriteOnly) ) data/libkcddb-20.08.0/libkcddb/cddb.cpp:135:30: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ( f.exists() && f.open(QIODevice::ReadOnly) ) data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:258:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char temp[9]; data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:264:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(temp, "%02X", firstTrack); data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:267:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(temp, "%02X", lastTrack); data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:280:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(temp, "%08lX", offset); data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:312:30: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ( f.exists() && f.open(QIODevice::ReadOnly) ) data/libkcddb-20.08.0/libkcddb/asynccddbplookup.cpp:89:7: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). read(); data/libkcddb-20.08.0/libkcddb/asynccddbplookup.cpp:93:21: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). AsyncCDDBPLookup::read() data/libkcddb-20.08.0/libkcddb/asynccddbplookup.h:77:12: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). void read(); data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:265:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sha.addData(temp, strlen(temp)); data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:268:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sha.addData(temp, strlen(temp)); data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:281:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sha.addData(temp, strlen(temp)); ANALYSIS SUMMARY: Hits = 13 Lines analyzed = 8026 in approximately 0.34 seconds (23429 lines/second) Physical Source Lines of Code (SLOC) = 4763 Hits@level = [0] 0 [1] 6 [2] 7 [3] 0 [4] 0 [5] 0 Hits@level+ = [0+] 13 [1+] 13 [2+] 7 [3+] 0 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 2.72937 [1+] 2.72937 [2+] 1.46966 [3+] 0 [4+] 0 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.