Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libxdmcp-1.1.2/Wrap.c
Examining data/libxdmcp-1.1.2/Flush.c
Examining data/libxdmcp-1.1.2/Unwrap.c
Examining data/libxdmcp-1.1.2/test/Array.c
Examining data/libxdmcp-1.1.2/Wrap.h
Examining data/libxdmcp-1.1.2/include/X11/Xdmcp.h
Examining data/libxdmcp-1.1.2/Wraphelp.c
Examining data/libxdmcp-1.1.2/Key.c
Examining data/libxdmcp-1.1.2/Array.c
Examining data/libxdmcp-1.1.2/Fill.c
Examining data/libxdmcp-1.1.2/Write.c
Examining data/libxdmcp-1.1.2/Read.c

FINAL RESULTS:

data/libxdmcp-1.1.2/Key.c:55:9: [3] (random) srandom:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
#define srandom srand48
data/libxdmcp-1.1.2/Key.c:56:9: [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
#define random lrand48
data/libxdmcp-1.1.2/Key.c:56:16: [3] (random) lrand48:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
#define random lrand48
data/libxdmcp-1.1.2/Key.c:60:9: [3] (random) srandom:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
#define srandom srand
data/libxdmcp-1.1.2/Key.c:60:17: [3] (random) srand:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
#define srandom srand
data/libxdmcp-1.1.2/Key.c:61:9: [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
#define random rand
data/libxdmcp-1.1.2/Key.c:71:5: [3] (random) srandom:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
    srandom ((int)getpid() ^ time((Time_t *)0));
data/libxdmcp-1.1.2/Key.c:72:15: [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
    lowbits = random ();
data/libxdmcp-1.1.2/Key.c:73:16: [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
    highbits = random ();
data/libxdmcp-1.1.2/Unwrap.c:62:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
    unsigned char tmp[8];
data/libxdmcp-1.1.2/Unwrap.c:63:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
    unsigned char blocks[2][8];
data/libxdmcp-1.1.2/Unwrap.c:64:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
    unsigned char expand_wrapper[8];
data/libxdmcp-1.1.2/Wrap.c:57:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
    unsigned char tmp[8];
data/libxdmcp-1.1.2/Wrap.c:58:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
    unsigned char expand_wrapper[8];
data/libxdmcp-1.1.2/Wrap.h:5:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
typedef unsigned char auth_cblock[8]; /* block size */
data/libxdmcp-1.1.2/Wraphelp.c:370:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
static const char shifts2[16] = {0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
data/libxdmcp-1.1.2/include/X11/Xdmcp.h:71:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char name[XDM_MAX_STR_LEN];
data/libxdmcp-1.1.2/include/X11/Xdmcp.h:72:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to
  potential overflows or other issues (CWE-119!/CWE-120). Perform bounds
  checking, use functions that limit length, or ensure that the size is
  larger than the maximum possible length.
  char status[XDM_MAX_STR_LEN];

ANALYSIS SUMMARY:

Hits = 18
Lines analyzed = 1891 in approximately 0.07 seconds (28659 lines/second)
Physical Source Lines of Code (SLOC) = 1288
Hits@level = [0]   5 [1]   0 [2]   9 [3]   9 [4]   0 [5]   0
Hits@level+ = [0+]  23 [1+]  18 [2+]  18 [3+]   9 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 17.8571 [1+] 13.9752 [2+] 13.9752 [3+] 6.98758 [4+]   0 [5+]   0
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.