Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/pragha-1.3.4/plugins/acoustid/pragha-acoustid-plugin.c
Examining data/pragha-1.3.4/plugins/cdrom/pragha-cdrom-plugin.c
Examining data/pragha-1.3.4/plugins/cdrom/pragha-cdrom-plugin.h
Examining data/pragha-1.3.4/plugins/devices/pragha-device-client.c
Examining data/pragha-1.3.4/plugins/devices/pragha-device-client.h
Examining data/pragha-1.3.4/plugins/devices/pragha-devices-plugin.c
Examining data/pragha-1.3.4/plugins/devices/pragha-devices-plugin.h
Examining data/pragha-1.3.4/plugins/dlna-renderer/pragha-dlna-renderer-plugin.c
Examining data/pragha-1.3.4/plugins/dlna-renderer/pragha-dlna-renderer-plugin.h
Examining data/pragha-1.3.4/plugins/dlna/pragha-dlna-plugin.c
Examining data/pragha-1.3.4/plugins/dlna/pragha-dlna-plugin.h
Examining data/pragha-1.3.4/plugins/gnome-media-keys/pragha-gnome-media-keys-plugin.c
Examining data/pragha-1.3.4/plugins/gnome-media-keys/pragha-gnome-media-keys-plugin.h
Examining data/pragha-1.3.4/plugins/keybinder/pragha-keybinder-plugin.c
Examining data/pragha-1.3.4/plugins/keybinder/pragha-keybinder-plugin.h
Examining data/pragha-1.3.4/plugins/lastfm/pragha-lastfm-plugin.c
Examining data/pragha-1.3.4/plugins/mpris2/pragha-mpris2-plugin.c
Examining data/pragha-1.3.4/plugins/mpris2/pragha-mpris2-plugin.h
Examining data/pragha-1.3.4/plugins/mtp/pragha-devices-mtp.c
Examining data/pragha-1.3.4/plugins/mtp/pragha-mtp-musicobject.c
Examining data/pragha-1.3.4/plugins/mtp/pragha-mtp-musicobject.h
Examining data/pragha-1.3.4/plugins/notify/pragha-notify-plugin.c
Examining data/pragha-1.3.4/plugins/pragha-plugin-macros.h
Examining data/pragha-1.3.4/plugins/removable-media/pragha-devices-removable.c
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-dialog.c
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-dialog.h
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-pane.c
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-pane.h
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-plugin.c
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-plugin.h
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-thread-albumart.c
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-thread-albumart.h
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-thread-dialog.c
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-thread-dialog.h
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-thread-pane.c
Examining data/pragha-1.3.4/plugins/song-info/pragha-song-info-thread-pane.h
Examining data/pragha-1.3.4/plugins/tunein/pragha-tunein-plugin.c
Examining data/pragha-1.3.4/src/gtkcellrendererbubble.c
Examining data/pragha-1.3.4/src/gtkcellrendererbubble.h
Examining data/pragha-1.3.4/src/info-bar-import-music.c
Examining data/pragha-1.3.4/src/pragha-album-art.c
Examining data/pragha-1.3.4/src/pragha-album-art.h
Examining data/pragha-1.3.4/src/pragha-art-cache.c
Examining data/pragha-1.3.4/src/pragha-art-cache.h
Examining data/pragha-1.3.4/src/pragha-backend.c
Examining data/pragha-1.3.4/src/pragha-backend.h
Examining data/pragha-1.3.4/src/pragha-cmdline.c
Examining data/pragha-1.3.4/src/pragha-database.c
Examining data/pragha-1.3.4/src/pragha-database.h
Examining data/pragha-1.3.4/src/pragha-debug.c
Examining data/pragha-1.3.4/src/pragha-debug.h
Examining data/pragha-1.3.4/src/pragha-dnd.c
Examining data/pragha-1.3.4/src/pragha-dnd.h
Examining data/pragha-1.3.4/src/pragha-equalizer-dialog.c
Examining data/pragha-1.3.4/src/pragha-equalizer-dialog.h
Examining data/pragha-1.3.4/src/pragha-file-utils.c
Examining data/pragha-1.3.4/src/pragha-file-utils.h
Examining data/pragha-1.3.4/src/pragha-filter-dialog.c
Examining data/pragha-1.3.4/src/pragha-filter-dialog.h
Examining data/pragha-1.3.4/src/pragha-hig.c
Examining data/pragha-1.3.4/src/pragha-hig.h
Examining data/pragha-1.3.4/src/pragha-library-pane.c
Examining data/pragha-1.3.4/src/pragha-library-pane.h
Examining data/pragha-1.3.4/src/pragha-menubar.c
Examining data/pragha-1.3.4/src/pragha-menubar.h
Examining data/pragha-1.3.4/src/pragha-music-enum.c
Examining data/pragha-1.3.4/src/pragha-music-enum.h
Examining data/pragha-1.3.4/src/pragha-musicobject-mgmt.c
Examining data/pragha-1.3.4/src/pragha-musicobject-mgmt.h
Examining data/pragha-1.3.4/src/pragha-musicobject.c
Examining data/pragha-1.3.4/src/pragha-musicobject.h
Examining data/pragha-1.3.4/src/pragha-playback.c
Examining data/pragha-1.3.4/src/pragha-playback.h
Examining data/pragha-1.3.4/src/pragha-playlist.c
Examining data/pragha-1.3.4/src/pragha-playlist.h
Examining data/pragha-1.3.4/src/pragha-playlists-mgmt.c
Examining data/pragha-1.3.4/src/pragha-playlists-mgmt.h
Examining data/pragha-1.3.4/src/pragha-plugins-engine.c
Examining data/pragha-1.3.4/src/pragha-plugins-engine.h
Examining data/pragha-1.3.4/src/pragha-preferences-dialog.c
Examining data/pragha-1.3.4/src/pragha-preferences-dialog.h
Examining data/pragha-1.3.4/src/pragha-preferences.c
Examining data/pragha-1.3.4/src/pragha-preferences.h
Examining data/pragha-1.3.4/src/pragha-prepared-statement-private.h
Examining data/pragha-1.3.4/src/pragha-prepared-statement.c
Examining data/pragha-1.3.4/src/pragha-prepared-statement.h
Examining data/pragha-1.3.4/src/pragha-scanner.c
Examining data/pragha-1.3.4/src/pragha-scanner.h
Examining data/pragha-1.3.4/src/pragha-search-entry.c
Examining data/pragha-1.3.4/src/pragha-search-entry.h
Examining data/pragha-1.3.4/src/pragha-session.c
Examining data/pragha-1.3.4/src/pragha-session.h
Examining data/pragha-1.3.4/src/pragha-sidebar.c
Examining data/pragha-1.3.4/src/pragha-sidebar.h
Examining data/pragha-1.3.4/src/pragha-simple-async.c
Examining data/pragha-1.3.4/src/pragha-simple-async.h
Examining data/pragha-1.3.4/src/pragha-simple-widgets.c
Examining data/pragha-1.3.4/src/pragha-simple-widgets.h
Examining data/pragha-1.3.4/src/pragha-statusbar.c
Examining data/pragha-1.3.4/src/pragha-statusbar.h
Examining data/pragha-1.3.4/src/pragha-statusicon.c
Examining data/pragha-1.3.4/src/pragha-statusicon.h
Examining data/pragha-1.3.4/src/pragha-tagger.c
Examining data/pragha-1.3.4/src/pragha-tagger.h
Examining data/pragha-1.3.4/src/pragha-tags-dialog.c
Examining data/pragha-1.3.4/src/pragha-tags-dialog.h
Examining data/pragha-1.3.4/src/pragha-tags-mgmt.c
Examining data/pragha-1.3.4/src/pragha-tags-mgmt.h
Examining data/pragha-1.3.4/src/pragha-toolbar.c
Examining data/pragha-1.3.4/src/pragha-toolbar.h
Examining data/pragha-1.3.4/src/pragha-utils.c
Examining data/pragha-1.3.4/src/pragha-utils.h
Examining data/pragha-1.3.4/src/pragha-window.c
Examining data/pragha-1.3.4/src/pragha-window.h
Examining data/pragha-1.3.4/src/pragha.c
Examining data/pragha-1.3.4/src/pragha.h
Examining data/pragha-1.3.4/src/xml_helper.c
Examining data/pragha-1.3.4/src/xml_helper.h
Examining data/pragha-1.3.4/win32/win32dep.c
Examining data/pragha-1.3.4/win32/win32dep.h

FINAL RESULTS:

data/pragha-1.3.4/src/pragha-utils.c:456:3:  [4] (shell) ShellExecute:
  This causes a new program to execute and is difficult to use safely (CWE-78). Try using a library call that implements the same functionality if available.
  ShellExecute (0, "explore", url, NULL, NULL, SW_SHOWNORMAL);
data/pragha-1.3.4/src/pragha-utils.c:458:3:  [4] (shell) ShellExecute:
  This causes a new program to execute and is difficult to use safely (CWE-78). Try using a library call that implements the same functionality if available.
  ShellExecute (0, "open", url, NULL, NULL, SW_SHOWNORMAL);
data/pragha-1.3.4/src/xml_helper.c:40:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf (cptr, "%s%s", HTML_ESCAPE[i+1], cptr+strlen(HTML_ESCAPE[i]));
data/pragha-1.3.4/src/pragha-playlist.c:951:9:  [3] (random) g_rand_int_range:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  rnd = g_rand_int_range (playlist->rand,
data/pragha-1.3.4/src/pragha-playlist.c:977:9:  [3] (random) g_rand_int_range:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  rnd = g_rand_int_range (playlist->rand,
data/pragha-1.3.4/src/pragha-playlist.c:1008:9:  [3] (random) g_rand_int_range:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  rnd = g_rand_int_range (playlist->rand,
data/pragha-1.3.4/src/pragha-preferences.c:2637:23:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")'; it returns untrustable input if the environment can be set by an attacker. It can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them.
  g_get_home_dir(),
data/pragha-1.3.4/plugins/mtp/pragha-mtp-musicobject.c:155:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  return atoi(track_id);
data/pragha-1.3.4/src/pragha-debug.c:31:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE* logfile = fopen ((const char*)user_data, "a");
data/pragha-1.3.4/src/pragha-dnd.c:59:18:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  location_id = atoi(uri + strlen("Location:/"));
data/pragha-1.3.4/src/pragha-library-pane.c:511:62:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  node_data = g_strconcat ((string_is_not_empty(year) && (atoi(year) > 0)) ? year : _("Unknown"),
data/pragha-1.3.4/src/pragha-library-pane.c:2423:41:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  pragha_musicobject_set_year(omobj, atoi (split_album[0]));
data/pragha-1.3.4/src/pragha-menubar.c:950:76:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  gchar *title = pragha_database_get_playlist_by_order(cdbase, atoi(name + strlen("playlist")));
data/pragha-1.3.4/src/pragha-menubar.c:991:76:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  gchar *title = pragha_database_get_playlist_by_order(cdbase, atoi(name + strlen("selection")));
data/pragha-1.3.4/src/xml_helper.c:151:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buffer,c,n-c-1);
data/pragha-1.3.4/plugins/mpris2/pragha-mpris2-plugin.c:184:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sscanf(track_id + strlen(base), "%p", &mobj_request);
data/pragha-1.3.4/plugins/mtp/pragha-mtp-musicobject.c:153:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  track_id = file + strlen ("mtp://");
data/pragha-1.3.4/plugins/mtp/pragha-mtp-musicobject.c:164:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  track_id = file + strlen ("mtp://");
data/pragha-1.3.4/src/pragha-dnd.c:59:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  location_id = atoi(uri + strlen("Location:/"));
data/pragha-1.3.4/src/pragha-dnd.c:65:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  name = uri + strlen("Playlist:/");
data/pragha-1.3.4/src/pragha-dnd.c:69:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  name = uri + strlen("Radio:/");
data/pragha-1.3.4/src/pragha-library-pane.c:1776:68:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  filepath = pragha_prepared_statement_get_string(statement, 0) + strlen(list->data) + 1;
data/pragha-1.3.4/src/pragha-menubar.c:950:88:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gchar *title = pragha_database_get_playlist_by_order(cdbase, atoi(name + strlen("playlist")));
data/pragha-1.3.4/src/pragha-menubar.c:991:88:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gchar *title = pragha_database_get_playlist_by_order(cdbase, atoi(name + strlen("selection")));
data/pragha-1.3.4/src/pragha-menubar.c:1199:65:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_action_map_remove_action (G_ACTION_MAP (window), action + strlen ("win."));
data/pragha-1.3.4/src/pragha-menubar.c:1241:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (g_strcmp0 (action + strlen ("win."), action_name) == 0) {
data/pragha-1.3.4/src/pragha-playlist.c:3210:48:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  mobj = new_musicobject_from_location(file + strlen("Radio:/"), file + strlen("Radio:/"));
data/pragha-1.3.4/src/pragha-playlist.c:3210:74:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  mobj = new_musicobject_from_location(file + strlen("Radio:/"), file + strlen("Radio:/"));
data/pragha-1.3.4/src/xml_helper.c:40:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sprintf (cptr, "%s%s", HTML_ESCAPE[i+1], cptr+strlen(HTML_ESCAPE[i]));

ANALYSIS SUMMARY:

Hits = 29
Lines analyzed = 43394 in approximately 0.87 seconds (50151 lines/second)
Physical Source Lines of Code (SLOC) = 30857
Hits@level = [0]   3 [1]  14 [2]   8 [3]   4 [4]   3 [5]   0
Hits@level+ = [0+]  32 [1+]  29 [2+]  15 [3+]   7 [4+]   3 [5+]   0
Hits/KSLOC@level+ = [0+] 1.03704 [1+] 0.939819 [2+] 0.486113 [3+] 0.226853 [4+] 0.0972227 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.
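Triage note on the hits above. The sprintf at xml_helper.c:40 and the atoi calls in pragha-dnd.c, pragha-menubar.c, pragha-library-pane.c and pragha-mtp-musicobject.c are the ones worth fixing first: the sprintf rewrites the buffer in place with no capacity check, and it passes a pointer into its own destination (cptr+strlen(...)) as a source argument, which the C standard leaves undefined for sprintf; the atoi calls accept trailing junk and silently wrap on overflow, and several of them skip a fixed prefix with strlen() without first checking that the string carries that prefix. The g_rand_int_range hits sit in playlist code (playlist->rand) where cryptographic randomness is not a requirement, so after review they are candidates for a "/* Flawfinder: ignore */" comment rather than a code change.

What follows is an added example written for this report; it is not code from pragha. It shows bounded in-place substitution (memmove plus an explicit capacity check, the pattern that replaces the overlapping sprintf) and a checked strtol wrapper that verifies the prefix before skipping it (the pattern that replaces the atoi calls). The function names, the entity tables and the sample strings are assumptions; pragha's HTML_ESCAPE table is not reproduced.

```c
/* Added example, not pragha's code: hardened forms of the two patterns the
 * report flags most often, the unchecked atoi() calls (CWE-190) and the
 * in-place sprintf() substitution in xml_helper.c (CWE-120). Function names,
 * the entity tables and the sample inputs are assumptions for this example. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* strtol wrapper replacing atoi(): every character must be consumed (an
 * optional sign is allowed), overflow is an error, and the value must lie
 * in [lo, hi]. Returns false and leaves *out untouched on any failure. */
bool parse_int_range(const char *s, long lo, long hi, long *out)
{
    char *end;
    if (s == NULL || *s == '\0')
        return false;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return false;          /* overflow, no digits, or trailing junk */
    if (v < lo || v > hi)
        return false;
    *out = v;
    return true;
}

/* For the "Location:/<n>" style lookups: check the prefix before skipping
 * it instead of blindly adding strlen(prefix) to the pointer. Ids are
 * assumed non-negative and to fit an int. */
bool parse_prefixed_id(const char *uri, const char *prefix, long *out)
{
    size_t plen = strlen(prefix);
    if (uri == NULL || strncmp(uri, prefix, plen) != 0)
        return false;
    return parse_int_range(uri + plen, 0, INT_MAX, out);
}

/* Replace every table[i][0] with table[i][1] inside buf (NUL-terminated,
 * cap bytes of storage), scanning once left to right so inserted text is
 * never re-matched. The tail is shifted with memmove, which permits the
 * overlap that sprintf() does not; the capacity check rejects growth that
 * would not fit. Returns false (buffer may be partly rewritten) on overflow. */
bool substitute_inplace(char *buf, size_t cap, const char *const table[][2], size_t n)
{
    size_t len = strlen(buf);
    size_t pos = 0;
    while (pos < len) {
        bool matched = false;
        for (size_t i = 0; i < n; i++) {
            const char *from = table[i][0], *to = table[i][1];
            size_t flen = strlen(from), tlen = strlen(to);
            if (flen == 0 || strncmp(buf + pos, from, flen) != 0)
                continue;
            size_t newlen = len - flen + tlen;
            if (newlen + 1 > cap)
                return false;
            memmove(buf + pos + tlen, buf + pos + flen, len - pos - flen + 1); /* +1 moves the NUL */
            memcpy(buf + pos, to, tlen);
            len = newlen;
            pos += tlen;
            matched = true;
            break;
        }
        if (!matched)
            pos++;
    }
    return true;
}

/* Assumed entity tables; pragha's HTML_ESCAPE table is not reproduced here. */
static const char *const ENTITY_UNESCAPE[][2] = {
    {"&amp;", "&"}, {"&lt;", "<"}, {"&gt;", ">"}, {"&quot;", "\""},
};
static const char *const ENTITY_ESCAPE[][2] = {
    {"&", "&amp;"}, {"<", "&lt;"}, {">", "&gt;"}, {"\"", "&quot;"},
};
#define TABLE_LEN(t) (sizeof(t) / sizeof((t)[0]))

bool html_unescape_inplace(char *buf, size_t cap)
{
    return substitute_inplace(buf, cap, ENTITY_UNESCAPE, TABLE_LEN(ENTITY_UNESCAPE));
}

bool html_escape_inplace(char *buf, size_t cap)
{
    return substitute_inplace(buf, cap, ENTITY_ESCAPE, TABLE_LEN(ENTITY_ESCAPE));
}

int main(void)
{
    long id;
    char text[32] = "a &lt;b&gt; &amp;amp;";  /* constructed sample input */
    printf("Location:/17  -> %s\n", parse_prefixed_id("Location:/17", "Location:/", &id) ? "ok" : "rejected");
    printf("Location:/17x -> %s\n", parse_prefixed_id("Location:/17x", "Location:/", &id) ? "ok" : "rejected");
    printf("%s -> ", text);
    puts(html_unescape_inplace(text, sizeof text) ? text : "(does not fit)");
    return 0;
}
```

Build with cc -std=c11 -Wall and run. Two points of design: a single left-to-right pass with pos advanced past the inserted text means "&amp;amp;" unescapes to "&amp;" exactly once, which the loop-until-no-match shape of the original cannot guarantee; and the capacity check happens before any byte moves, so a caller that sizes the buffer for the escaped form cannot be grown past it. The fopen, g_get_home_dir and ShellExecute hits are different classes of problem (symlink races, environment trust, launching a URL handler) and are not covered by this example.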