Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/macchanger-1.7.0/src/mac.h
Examining data/macchanger-1.7.0/src/maclist.c
Examining data/macchanger-1.7.0/src/maclist.h
Examining data/macchanger-1.7.0/src/netinfo.c
Examining data/macchanger-1.7.0/src/netinfo.h
Examining data/macchanger-1.7.0/src/mac.c
Examining data/macchanger-1.7.0/src/main.c

FINAL RESULTS:

data/macchanger-1.7.0/src/mac.c:65:3:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
		sprintf (&s[i*3], "%02x%s", mac->byte[i], i<5?":":"");
data/macchanger-1.7.0/src/mac.c:87:20:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
			mac->byte[0] = (random()%255) & 0xFC;
data/macchanger-1.7.0/src/mac.c:88:19:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
			mac->byte[1] = random()%255;
data/macchanger-1.7.0/src/mac.c:89:19:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
			mac->byte[2] = random()%255;
data/macchanger-1.7.0/src/mac.c:91:19:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
			mac->byte[3] = random()%255;
data/macchanger-1.7.0/src/mac.c:92:19:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
			mac->byte[4] = random()%255;
data/macchanger-1.7.0/src/mac.c:93:19:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
			mac->byte[5] = random()%255;
data/macchanger-1.7.0/src/maclist.c:87:8:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
	num = random()%num;
data/macchanger-1.7.0/src/maclist.c:101:8:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
	num = random() % ( list_others_len + list_wireless_len );
data/macchanger-1.7.0/src/main.c:121:2:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
	srandom(seed);
data/macchanger-1.7.0/src/main.c:165:16:  [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
	while ((val = getopt_long (argc, argv, "VasAbrephlm:", long_options, NULL)) != -1) {
data/macchanger-1.7.0/src/main.c:242:20:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
	if (set_bia  &&  !random) {
data/macchanger-1.7.0/src/main.c:259:13:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
	} else if (random) {
data/macchanger-1.7.0/src/mac.c:40:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy (new, mac, sizeof(mac_t));
data/macchanger-1.7.0/src/mac.h:31:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	unsigned char byte[6];
data/macchanger-1.7.0/src/maclist.c:165:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char  tmp[512];
data/macchanger-1.7.0/src/maclist.c:169:11:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	if ((f = fopen(fullpath, "r")) == NULL) {
data/macchanger-1.7.0/src/maclist.h:33:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	unsigned char  byte[3];
data/macchanger-1.7.0/src/main.c:79:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char string[18];
data/macchanger-1.7.0/src/main.c:107:8:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
		fd = open(*name, O_RDONLY);
data/macchanger-1.7.0/src/netinfo.c:115:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
	memcpy(&req, &(net->dev), sizeof(struct ifreq));
data/macchanger-1.7.0/src/mac.c:127:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if (strlen(string) != 17) {
data/macchanger-1.7.0/src/mac.c:128:92:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		fprintf (stderr, "[ERROR] Incorrect format: MAC length should be 17. %s(%lu)\n", string, strlen(string));
data/macchanger-1.7.0/src/maclist.c:188:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		line[strlen(line)-1] = '\0';
data/macchanger-1.7.0/src/main.c:109:15:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
			read_len = read (fd, &seed, sizeof(seed));
data/macchanger-1.7.0/src/netinfo.c:50:2:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
	strncpy (new->dev.ifr_name, device, sizeof(new->dev.ifr_name));

ANALYSIS SUMMARY:

Hits = 26
Lines analyzed = 956 in approximately 0.07 seconds (13217 lines/second)
Physical Source Lines of Code (SLOC) = 601
Hits@level = [0]  13 [1]   5 [2]   8 [3]  12 [4]   1 [5]   0
Hits@level+ = [0+]  39 [1+]  26 [2+]  21 [3+]  13 [4+]   1 [5+]   0
Hits/KSLOC@level+ = [0+] 64.8918 [1+] 43.2612 [2+] 34.9418 [3+] 21.6306 [4+] 1.66389 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.