Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/makedepf90-3.0.0/list.h
Examining data/makedepf90-3.0.0/find_dep.h
Examining data/makedepf90-3.0.0/modfile_name.c
Examining data/makedepf90-3.0.0/macro.c
Examining data/makedepf90-3.0.0/macro.h
Examining data/makedepf90-3.0.0/utils.h
Examining data/makedepf90-3.0.0/modfile_name.h
Examining data/makedepf90-3.0.0/global.h
Examining data/makedepf90-3.0.0/finddep.h
Examining data/makedepf90-3.0.0/errormesg.h
Examining data/makedepf90-3.0.0/config.h
Examining data/makedepf90-3.0.0/main.c
Examining data/makedepf90-3.0.0/strcasecmp.c
Examining data/makedepf90-3.0.0/xmalloc.h
Examining data/makedepf90-3.0.0/errormesg.c
Examining data/makedepf90-3.0.0/list.c
Examining data/makedepf90-3.0.0/xmalloc.c
Examining data/makedepf90-3.0.0/utils.c

FINAL RESULTS:

data/makedepf90-3.0.0/global.h:41:51:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
    fprintf(stderr, "DEBUG: %s: ", __FUNCTION__); fprintf(stderr, fmt, ## args);
data/makedepf90-3.0.0/utils.c:60:9:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
        strcpy(rs, filename);
data/makedepf90-3.0.0/utils.c:61:9:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
        strcat(rs, new_suffix);
data/makedepf90-3.0.0/utils.c:66:9:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
        strcat(rs, new_suffix);
data/makedepf90-3.0.0/utils.c:96:9:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
        strcpy(rs, path);
data/makedepf90-3.0.0/utils.c:97:9:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
        strcat(rs, filename);
data/makedepf90-3.0.0/utils.c:100:9:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
        strcpy(rs, path);
data/makedepf90-3.0.0/utils.c:101:9:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
        strcat(rs, &filename[n+1]);
data/makedepf90-3.0.0/utils.c:178:13:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
            strcpy(fn, (char *)h->data);
data/makedepf90-3.0.0/utils.c:180:13:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
            strcat(fn, fname);
data/makedepf90-3.0.0/xmalloc.c:54:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
    strcpy(new, str);
data/makedepf90-3.0.0/main.c:310:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
            char err_msg[32];
data/makedepf90-3.0.0/main.c:311:6:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	    char _argv[3];
data/makedepf90-3.0.0/utils.c:174:10:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    fd = fopen(fname, "r");
data/makedepf90-3.0.0/utils.c:181:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
            fd = fopen(fn, "r");
data/makedepf90-3.0.0/main.c:188:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if (strlen(argv[i]) == 2) {
data/makedepf90-3.0.0/main.c:195:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if (strlen(argv[i]) == 2) {
data/makedepf90-3.0.0/main.c:202:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if (strlen(argv[i]) == 2) {
data/makedepf90-3.0.0/main.c:218:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if (strlen(argv[i]) == 2) {
data/makedepf90-3.0.0/main.c:228:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if (strlen(argv[i]) == 2) {
data/makedepf90-3.0.0/main.c:231:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		if (strlen(argv[i+1]) > RULE_LENGTH) {
data/makedepf90-3.0.0/main.c:243:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if (strlen(argv[i]) == 2) {
data/makedepf90-3.0.0/main.c:255:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if (strlen(argv[i]) == 2) {
data/makedepf90-3.0.0/main.c:262:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if (strlen(argv[i]) == 2) {
data/makedepf90-3.0.0/main.c:280:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if (strlen(argv[i]) == 2) {
data/makedepf90-3.0.0/main.c:313:6:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
	    strncpy(_argv,argv[i],2); _argv[2]='\0';
data/makedepf90-3.0.0/main.c:316:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if (strlen(argv[i]) == 2) {
data/makedepf90-3.0.0/main.c:325:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            n = strlen(options.obj_dir);
data/makedepf90-3.0.0/main.c:328:17:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant character.
                strcat(options.obj_dir, "/");
data/makedepf90-3.0.0/main.c:340:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            if (strlen(argv[i]) == 2) {
data/makedepf90-3.0.0/main.c:349:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            n = strlen(s);
data/makedepf90-3.0.0/utils.c:51:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    sl = strlen(new_suffix);
data/makedepf90-3.0.0/utils.c:54:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    fl = n = strlen(filename);
data/makedepf90-3.0.0/utils.c:64:9:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
        strncpy(rs, filename, n);
data/makedepf90-3.0.0/utils.c:83:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    pl = strlen(path);
data/makedepf90-3.0.0/utils.c:86:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    fl = n = strlen(filename);
data/makedepf90-3.0.0/utils.c:115:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    d = (char *)xmalloc((strlen(s)+1)*sizeof(char));
data/makedepf90-3.0.0/utils.c:130:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    rlen = strlen(r);
data/makedepf90-3.0.0/utils.c:133:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    for (slen = strlen(srcfile); slen > 0 && srcfile[slen] != '.'; slen--);
data/makedepf90-3.0.0/utils.c:136:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    if (slen == 0) slen = strlen(srcfile);
data/makedepf90-3.0.0/utils.c:177:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            fn = xmalloc(strlen(h->data) + strlen(fname) + 2);
data/makedepf90-3.0.0/utils.c:177:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            fn = xmalloc(strlen(h->data) + strlen(fname) + 2);
data/makedepf90-3.0.0/utils.c:179:13:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant character.
            strcat(fn, "/");
data/makedepf90-3.0.0/xmalloc.c:53:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    new = (char *) xmalloc ((strlen(str) + 1)*sizeof(char));
data/makedepf90-3.0.0/xmalloc.c:67:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
    strncpy (new, str, maxl);

ANALYSIS SUMMARY:

Hits = 45
Lines analyzed = 1740 in approximately 0.07 seconds (24247 lines/second)
Physical Source Lines of Code (SLOC) = 1016
Hits@level = [0]  25 [1]  30 [2]   4 [3]   0 [4]  11 [5]   0
Hits@level+ = [0+]  70 [1+]  45 [2+]  15 [3+]  11 [4+]  11 [5+]   0
Hits/KSLOC@level+ = [0+] 68.8976 [1+] 44.2913 [2+] 14.7638 [3+] 10.8268 [4+] 10.8268 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.