Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-buildopts.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-component-module.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-component-rpm.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-component.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-compression.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-defaults-v1.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-defaults.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-dependencies.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-deprecated.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-errors.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-module-index-merger.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-module-stream-v1.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-module-stream-v2.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-module-stream.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-module.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-profile.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-rpm-map-entry.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-service-level.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-subdocument-info.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-translation-entry.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-translation.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd.h
Examining data/libmodulemd-2.9.4/modulemd/include/modulemd-2.0/modulemd-module-index.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/gi-binding-renames.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/glib-extensions.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-buildopts-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-component-module-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-component-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-component-rpm-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-compression-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-defaults-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-defaults-v1-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-dependencies-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-module-stream-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-module-stream-v1-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-module-stream-v2-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-profile-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-rpm-map-entry-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-service-level-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-subdocument-info-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-translation-entry-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-translation-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-util.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-yaml.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/test-utils.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-module-index-private.h
Examining data/libmodulemd-2.9.4/modulemd/include/private/modulemd-module-private.h
Examining data/libmodulemd-2.9.4/modulemd/modulemd-buildopts.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-component-module.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-component-rpm.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-compression.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-defaults-v1.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-defaults.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-dependencies.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-module-index-merger.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-module-index.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-module-stream-v1.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-module-stream-v2.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-module-stream.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-module.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-profile.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-rpm-map-entry.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-service-level.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-subdocument-info.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-translation-entry.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-translation.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-util.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-validator.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-buildopts.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-component-module.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-component-rpm.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-compression.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-defaults-v1.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-defaults.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-dependencies.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-merger.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-moduleindex.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-modulestream.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-profile.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-rpmmap.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-service-level.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-translation-entry.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-translation.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-utils.c
Examining data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-module.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-component.c
Examining data/libmodulemd-2.9.4/modulemd/modulemd-yaml-util.c

FINAL RESULTS:

data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-merger.c:240:16:  [3] (random) g_random_int_range:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  random_low = g_random_int_range (1, 100);
data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-merger.c:241:17:  [3] (random) g_random_int_range:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  random_high = g_random_int_range (101, 999);
data/libmodulemd-2.9.4/modulemd/modulemd-util.c:602:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy (rarray_to_extend->pdata + rarray_to_extend->len,
data/libmodulemd-2.9.4/modulemd/modulemd-yaml-util.c:51:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (yaml_string->str + yaml_string->len, buffer, size);
data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-moduleindex.c:737:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (buffer, custom->current, size);
data/libmodulemd-2.9.4/modulemd/modulemd-compression.c:278:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  if (read < 0)
data/libmodulemd-2.9.4/modulemd/modulemd-compression.c:284:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  *size_read = read;
data/libmodulemd-2.9.4/modulemd/modulemd-module-index.c:679:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    &parser, (const unsigned char *)yaml_string, strlen (yaml_string));
data/libmodulemd-2.9.4/modulemd/modulemd-module-stream.c:131:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    &parser, (const unsigned char *)yaml_string, strlen (yaml_string));
data/libmodulemd-2.9.4/modulemd/modulemd-module-stream.c:1071:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  endptr = nsvca + strlen (nsvca) - 1;
data/libmodulemd-2.9.4/modulemd/modulemd-subdocument-info.c:182:52:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    parser, (const unsigned char *)self->contents, strlen (self->contents));
data/libmodulemd-2.9.4/modulemd/modulemd-translation.c:117:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (modulemd_translation_get_module_name (self)) == 0)
data/libmodulemd-2.9.4/modulemd/modulemd-translation.c:134:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (modulemd_translation_get_module_stream (self)) == 0)
data/libmodulemd-2.9.4/modulemd/modulemd-util.c:310:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gsize len = strlen (nevra);
data/libmodulemd-2.9.4/modulemd/modulemd-yaml-util.c:291:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                                      (int)strlen (scalar),
data/libmodulemd-2.9.4/modulemd/tests/test-modulemd-moduleindex.c:724:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  const gchar *end = custom->string + strlen (custom->string);

ANALYSIS SUMMARY:

Hits = 16
Lines analyzed = 44014 in approximately 0.99 seconds (44608 lines/second)
Physical Source Lines of Code (SLOC) = 27761
Hits@level = [0]   1 [1]  11 [2]   3 [3]   2 [4]   0 [5]   0
Hits@level+ = [0+]  17 [1+]  16 [2+]   5 [3+]   2 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 0.61237 [1+] 0.576348 [2+] 0.180109 [3+] 0.0720435 [4+]   0 [5+]   0
Dot directories skipped = 3 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.