Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/operation.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/songwriter-lrc.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/editorapp.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/songparser-ini.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/songparser-lrc.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/notelabel.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/songwriter-ini.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/songparser-xml.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/pitch.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/midifile.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/song.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/songwriter-smm.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/ffmpeg.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/songwriter-txt.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/notelabelmanager.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/notegraphwidget.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/songparser-txt.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/notes.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/pitchvis.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/libda/portaudio.hpp
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/libda/fft.hpp
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/libda/sample.hpp
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/songwriter-xml.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/main.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/synth.cc
Examining data/performous-composer-2.0+20181009-gitbeeea23/src/songparser.cc

FINAL RESULTS:

data/performous-composer-2.0+20181009-gitbeeea23/src/main.cc:51:28:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  QString locale = QLocale::system().name();

data/performous-composer-2.0+20181009-gitbeeea23/src/editorapp.cc:385:11:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (f.open(QFile::ReadOnly)) {

data/performous-composer-2.0+20181009-gitbeeea23/src/editorapp.cc:470:8:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (f.open(QFile::WriteOnly)) {

data/performous-composer-2.0+20181009-gitbeeea23/src/editorapp.cc:533:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (f.open(QFile::WriteOnly | QFile::Truncate)) {

data/performous-composer-2.0+20181009-gitbeeea23/src/editorapp.cc:685:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!file.open(QIODevice::ReadOnly | QIODevice::Text))

data/performous-composer-2.0+20181009-gitbeeea23/src/editorapp.cc:1022:5:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  f.open(QIODevice::ReadOnly);

data/performous-composer-2.0+20181009-gitbeeea23/src/editorapp.cc:1030:5:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  f.open(QIODevice::ReadOnly);

data/performous-composer-2.0+20181009-gitbeeea23/src/ffmpeg.cc:42:2:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  open(); // Throws on error

data/performous-composer-2.0+20181009-gitbeeea23/src/ffmpeg.cc:69:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  void FFmpeg::open() {

data/performous-composer-2.0+20181009-gitbeeea23/src/notes.cc:12:15:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const char * note[12] = {"C ","C#","D ","D#","E ","F ","F#","G ","G#","A ","A#","B "};

data/performous-composer-2.0+20181009-gitbeeea23/src/songparser.cc:34:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!file.open(QIODevice::ReadOnly | QIODevice::Text))

data/performous-composer-2.0+20181009-gitbeeea23/src/songwriter-ini.cc:19:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buf[16];

data/performous-composer-2.0+20181009-gitbeeea23/src/songwriter-ini.cc:107:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!f.open(QFile::WriteOnly | QFile::Truncate))

data/performous-composer-2.0+20181009-gitbeeea23/src/songwriter-lrc.cc:10:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!f.open(QFile::WriteOnly | QFile::Truncate))

data/performous-composer-2.0+20181009-gitbeeea23/src/songwriter-smm.cc:9:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!f.open(QFile::WriteOnly | QFile::Truncate))

data/performous-composer-2.0+20181009-gitbeeea23/src/songwriter-txt.cc:9:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!f.open(QFile::WriteOnly | QFile::Truncate))

data/performous-composer-2.0+20181009-gitbeeea23/src/songwriter-xml.cc:109:8:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (f.open(QFile::WriteOnly)) {

data/performous-composer-2.0+20181009-gitbeeea23/src/synth.cc:167:13:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  m_buffer->open(QIODevice::ReadOnly);

data/performous-composer-2.0+20181009-gitbeeea23/src/midifile.cc:20:8:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  file.read(reinterpret_cast<char*>(&m_data[0]), size);

data/performous-composer-2.0+20181009-gitbeeea23/src/midifile.cc:35:12:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it.
  if (!std::equal(name, name + 4, m_pos)) throw std::runtime_error("MIDI header " + std::string(name) + " not found, instead found " + std::string(m_pos, m_pos + 4));

data/performous-composer-2.0+20181009-gitbeeea23/src/midifile.cc:37:18:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  unsigned size = read<4>();

data/performous-composer-2.0+20181009-gitbeeea23/src/midifile.cc:44:17:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  unsigned fmt = read<2>();

data/performous-composer-2.0+20181009-gitbeeea23/src/midifile.cc:45:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  m_tracks = read<2>();

data/performous-composer-2.0+20181009-gitbeeea23/src/midifile.cc:46:15:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  m_division = read<2>();

data/performous-composer-2.0+20181009-gitbeeea23/src/midifile.cc:65:20:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  unsigned event = read<1>();

data/performous-composer-2.0+20181009-gitbeeea23/src/midifile.cc:78:62:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (ev.type != Event::SPECIAL || ev.channel >= 8) ev.arg1 = read<1>(); // Everything except System Common takes one argument

data/performous-composer-2.0+20181009-gitbeeea23/src/midifile.cc:86:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ev.arg2 = read<1>();

data/performous-composer-2.0+20181009-gitbeeea23/src/songparser-txt.cc:89:26:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  n.type = Note::Type(iss.read(1)[0].toLatin1());

data/performous-composer-2.0+20181009-gitbeeea23/src/songparser-txt.cc:101:12:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (iss.read(1)[0].toLatin1() == ' ') n.syllable = iss.readLine();

ANALYSIS SUMMARY:

Hits = 29
Lines analyzed = 5413 in approximately 0.16 seconds (34613 lines/second)
Physical Source Lines of Code (SLOC) = 4278
Hits@level = [0]   0 [1]  11 [2]  17 [3]   0 [4]   1 [5]   0
Hits@level+ = [0+]  29 [1+]  29 [2+]  18 [3+]   1 [4+]   1 [5+]   0
Hits/KSLOC@level+ = [0+] 6.77887 [1+] 6.77887 [2+] 4.20757 [3+] 0.233754 [4+] 0.233754 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.