Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libkcddb-20.08.0/tests/synccddblookuptest.h
Examining data/libkcddb-20.08.0/tests/synchttplookuptest.h
Examining data/libkcddb-20.08.0/tests/asynchttpsubmittest.h
Examining data/libkcddb-20.08.0/tests/asynccddblookuptest.h
Examining data/libkcddb-20.08.0/tests/asyncmusicbrainztest.h
Examining data/libkcddb-20.08.0/tests/cdinfotest.cpp
Examining data/libkcddb-20.08.0/tests/asyncsmtpsubmittest.h
Examining data/libkcddb-20.08.0/tests/asynchttpsubmittest.cpp
Examining data/libkcddb-20.08.0/tests/sitestest.cpp
Examining data/libkcddb-20.08.0/tests/musicbrainztest.h
Examining data/libkcddb-20.08.0/tests/utf8test.h
Examining data/libkcddb-20.08.0/tests/synchttpsubmittest.cpp
Examining data/libkcddb-20.08.0/tests/asynchttplookuptest.cpp
Examining data/libkcddb-20.08.0/tests/syncsmtpsubmittest.cpp
Examining data/libkcddb-20.08.0/tests/musicbrainztest-severaldiscs.cpp
Examining data/libkcddb-20.08.0/tests/musicbrainztest-fulldate.cpp
Examining data/libkcddb-20.08.0/tests/musicbrainztest.cpp
Examining data/libkcddb-20.08.0/tests/asyncsmtpsubmittest.cpp
Examining data/libkcddb-20.08.0/tests/cachetest.h
Examining data/libkcddb-20.08.0/tests/synchttplookuptest.cpp
Examining data/libkcddb-20.08.0/tests/musicbrainztest-fulldate.h
Examining data/libkcddb-20.08.0/tests/musicbrainztest-severaldiscs.h
Examining data/libkcddb-20.08.0/tests/asynchttplookuptest.h
Examining data/libkcddb-20.08.0/tests/cachetest.cpp
Examining data/libkcddb-20.08.0/tests/utf8test.cpp
Examining data/libkcddb-20.08.0/tests/asyncmusicbrainztest.cpp
Examining data/libkcddb-20.08.0/tests/synccddblookuptest.cpp
Examining data/libkcddb-20.08.0/tests/asynccddblookuptest.cpp
Examining data/libkcddb-20.08.0/tests/cdinfotest.h
Examining data/libkcddb-20.08.0/kcmcddb/cddbconfigwidget.cpp
Examining data/libkcddb-20.08.0/kcmcddb/cddbconfigwidget.h
Examining data/libkcddb-20.08.0/kcmcddb/kcmcddb.cpp
Examining data/libkcddb-20.08.0/kcmcddb/kcmcddbi18n.h
Examining data/libkcddb-20.08.0/kcmcddb/kcmcddb.h
Examining data/libkcddb-20.08.0/libkcddb/lookup.h
Examining data/libkcddb-20.08.0/libkcddb/lookup.cpp
Examining data/libkcddb-20.08.0/libkcddb/client.h
Examining data/libkcddb-20.08.0/libkcddb/syncsmtpsubmit.h
Examining data/libkcddb-20.08.0/libkcddb/asynccddbplookup.cpp
Examining data/libkcddb-20.08.0/libkcddb/asyncsmtpsubmit.cpp
Examining data/libkcddb-20.08.0/libkcddb/cddbplookup.cpp
Examining data/libkcddb-20.08.0/libkcddb/genres.cpp
Examining data/libkcddb-20.08.0/libkcddb/cddb.h
Examining data/libkcddb-20.08.0/libkcddb/synchttplookup.h
Examining data/libkcddb-20.08.0/libkcddb/synchttpsubmit.h
Examining data/libkcddb-20.08.0/libkcddb/asyncsmtpsubmit.h
Examining data/libkcddb-20.08.0/libkcddb/kcddbi18n.h
Examining data/libkcddb-20.08.0/libkcddb/genres.h
Examining data/libkcddb-20.08.0/libkcddb/asynchttplookup.h
Examining data/libkcddb-20.08.0/libkcddb/httplookup.cpp
Examining data/libkcddb-20.08.0/libkcddb/submit.h
Examining data/libkcddb-20.08.0/libkcddb/cache.cpp
Examining data/libkcddb-20.08.0/libkcddb/asynchttpsubmit.h
Examining data/libkcddb-20.08.0/libkcddb/synccddbplookup.cpp
Examining data/libkcddb-20.08.0/libkcddb/synccddbplookup.h
Examining data/libkcddb-20.08.0/libkcddb/client.cpp
Examining data/libkcddb-20.08.0/libkcddb/logging.cpp
Examining data/libkcddb-20.08.0/libkcddb/categories.cpp
Examining data/libkcddb-20.08.0/libkcddb/syncsmtpsubmit.cpp
Examining data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp
Examining data/libkcddb-20.08.0/libkcddb/musicbrainz/asyncmusicbrainzlookup.h
Examining data/libkcddb-20.08.0/libkcddb/musicbrainz/asyncmusicbrainzlookup.cpp
Examining data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.h
Examining data/libkcddb-20.08.0/libkcddb/kcddb.cpp
Examining data/libkcddb-20.08.0/libkcddb/asynccddbplookup.h
Examining data/libkcddb-20.08.0/libkcddb/cdinfo.cpp
Examining data/libkcddb-20.08.0/libkcddb/smtpsubmit.cpp
Examining data/libkcddb-20.08.0/libkcddb/cache.h
Examining data/libkcddb-20.08.0/libkcddb/cddb.cpp
Examining data/libkcddb-20.08.0/libkcddb/httpsubmit.cpp
Examining data/libkcddb-20.08.0/libkcddb/synchttpsubmit.cpp
Examining data/libkcddb-20.08.0/libkcddb/httpsubmit.h
Examining data/libkcddb-20.08.0/libkcddb/logging.h
Examining data/libkcddb-20.08.0/libkcddb/kcddbconfig.h
Examining data/libkcddb-20.08.0/libkcddb/sites.h
Examining data/libkcddb-20.08.0/libkcddb/categories.h
Examining data/libkcddb-20.08.0/libkcddb/kcddbconfig.cpp
Examining data/libkcddb-20.08.0/libkcddb/cdinfo.h
Examining data/libkcddb-20.08.0/libkcddb/asynchttplookup.cpp
Examining data/libkcddb-20.08.0/libkcddb/httplookup.h
Examining data/libkcddb-20.08.0/libkcddb/sites.cpp
Examining data/libkcddb-20.08.0/libkcddb/asynchttpsubmit.cpp
Examining data/libkcddb-20.08.0/libkcddb/kcddb.h
Examining data/libkcddb-20.08.0/libkcddb/smtpsubmit.h
Examining data/libkcddb-20.08.0/libkcddb/cddbplookup.h
Examining data/libkcddb-20.08.0/libkcddb/synchttplookup.cpp
Examining data/libkcddb-20.08.0/libkcddb/submit.cpp
FINAL RESULTS:
data/libkcddb-20.08.0/libkcddb/cache.cpp:132:14: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ( f.open(QIODevice::WriteOnly) )
data/libkcddb-20.08.0/libkcddb/cddb.cpp:135:30: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ( f.exists() && f.open(QIODevice::ReadOnly) )
data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:258:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char temp[9];
data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:264:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(temp, "%02X", firstTrack);
data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:267:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(temp, "%02X", lastTrack);
data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:280:7: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(temp, "%08lX", offset);
data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:312:30: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ( f.exists() && f.open(QIODevice::ReadOnly) )
data/libkcddb-20.08.0/libkcddb/asynccddbplookup.cpp:89:7: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
read();
data/libkcddb-20.08.0/libkcddb/asynccddbplookup.cpp:93:21: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
AsyncCDDBPLookup::read()
data/libkcddb-20.08.0/libkcddb/asynccddbplookup.h:77:12: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
void read();
data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:265:23: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
sha.addData(temp, strlen(temp));
data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:268:23: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
sha.addData(temp, strlen(temp));
data/libkcddb-20.08.0/libkcddb/musicbrainz/musicbrainzlookup.cpp:281:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
sha.addData(temp, strlen(temp));
ANALYSIS SUMMARY:
Hits = 13
Lines analyzed = 8026 in approximately 0.34 seconds (23429 lines/second)
Physical Source Lines of Code (SLOC) = 4763
Hits@level = [0] 0 [1] 6 [2] 7 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 13 [1+] 13 [2+] 7 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 2.72937 [1+] 2.72937 [2+] 1.46966 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.