Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libquvi-scripts-0.9.20131130/tests/scan/scan_youtube.c
Examining data/libquvi-scripts-0.9.20131130/tests/scan/scan_vzaar.c
Examining data/libquvi-scripts-0.9.20131130/tests/lib/tests.h
Examining data/libquvi-scripts-0.9.20131130/tests/lib/slist.c
Examining data/libquvi-scripts-0.9.20131130/tests/lib/re.c
Examining data/libquvi-scripts-0.9.20131130/tests/lib/qp_test.c
Examining data/libquvi-scripts-0.9.20131130/tests/lib/qm_test.c
Examining data/libquvi-scripts-0.9.20131130/tests/lib/qs_test.c
Examining data/libquvi-scripts-0.9.20131130/tests/lib/env.c
Examining data/libquvi-scripts-0.9.20131130/tests/lib/fetch.c
Examining data/libquvi-scripts-0.9.20131130/tests/lib/qsub_test.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_publicsenat.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_ted.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_tapuz.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_cbsnews.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_myspass.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_youtube.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_vzaar.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_majestyc.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_theonion.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_senat.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_videobash.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_101greatgoals.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_charlierose.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_tagtele.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_canalplus.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_dorkly.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_collegehumor.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_tvlux.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_vimeo.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_audioboo.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_dailymotion.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_ina.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_arte.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_ardmediathek.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_lego.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_videa.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_soundcloud.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_liveleak.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_guardian.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_spiegel.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_metacafe.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_clipfish.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_sapo.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_gaskrank.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_1tvru.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_bikeradar.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_break.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_sevenload.c
Examining data/libquvi-scripts-0.9.20131130/tests/media/media_funnyordie.c
Examining data/libquvi-scripts-0.9.20131130/tests/subtitle/subtitle_youtube.c
Examining data/libquvi-scripts-0.9.20131130/tests/playlist/playlist_soundcloud.c
Examining data/libquvi-scripts-0.9.20131130/tests/playlist/playlist_youtube.c

FINAL RESULTS:

data/libquvi-scripts-0.9.20131130/tests/media/media_ardmediathek.c:109:22:  [3] (random) g_random_int_range:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  const gint32 n = g_random_int_range(0, g_slist_length(l));
data/libquvi-scripts-0.9.20131130/tests/media/media_arte.c:77:22:  [3] (random) g_random_int_range:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  const gint32 n = g_random_int_range(0, g_slist_length(l));
data/libquvi-scripts-0.9.20131130/tests/lib/fetch.c:67:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&(t->p[t->size]), p, rsize);
data/libquvi-scripts-0.9.20131130/tests/lib/env.c:33:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (s == NULL || strlen(s) == 0)
data/libquvi-scripts-0.9.20131130/tests/lib/env.c:73:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (e == NULL || strlen(e) == 0)
data/libquvi-scripts-0.9.20131130/tests/lib/env.c:89:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (e == NULL || strlen(e) == 0)
data/libquvi-scripts-0.9.20131130/tests/lib/qs_test.c:55:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(s), >, 0);
data/libquvi-scripts-0.9.20131130/tests/lib/tests.h:100:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(s), >, 0);\
data/libquvi-scripts-0.9.20131130/tests/lib/tests.h:164:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(s), >, 0);\
data/libquvi-scripts-0.9.20131130/tests/lib/tests.h:211:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(s), >, 0);\
data/libquvi-scripts-0.9.20131130/tests/subtitle/subtitle_youtube.c:71:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_assert_cmpint(strlen(quvi_subtitle_export_data(qse)), >, 4096);

ANALYSIS SUMMARY:

Hits = 11
Lines analyzed = 4524 in approximately 0.21 seconds (21424 lines/second)
Physical Source Lines of Code (SLOC) = 2587
Hits@level = [0]   0 [1]   8 [2]   1 [3]   2 [4]   0 [5]   0
Hits@level+ = [0+]  11 [1+]  11 [2+]   3 [3+]   2 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 4.25203 [1+] 4.25203 [2+] 1.15964 [3+] 0.773096 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.