Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/qjoypad-4.3.1/src/axis.cpp Examining data/qjoypad-4.3.1/src/axis.h Examining data/qjoypad-4.3.1/src/axis_edit.cpp Examining data/qjoypad-4.3.1/src/axis_edit.h Examining data/qjoypad-4.3.1/src/axisw.cpp Examining data/qjoypad-4.3.1/src/axisw.h Examining data/qjoypad-4.3.1/src/button.cpp Examining data/qjoypad-4.3.1/src/button.h Examining data/qjoypad-4.3.1/src/button_edit.cpp Examining data/qjoypad-4.3.1/src/button_edit.h Examining data/qjoypad-4.3.1/src/buttonw.cpp Examining data/qjoypad-4.3.1/src/buttonw.h Examining data/qjoypad-4.3.1/src/constant.h Examining data/qjoypad-4.3.1/src/error.h Examining data/qjoypad-4.3.1/src/event.cpp Examining data/qjoypad-4.3.1/src/event.h Examining data/qjoypad-4.3.1/src/flash.cpp Examining data/qjoypad-4.3.1/src/flash.h Examining data/qjoypad-4.3.1/src/icon.cpp Examining data/qjoypad-4.3.1/src/icon.h Examining data/qjoypad-4.3.1/src/joypad.cpp Examining data/qjoypad-4.3.1/src/joypad.h Examining data/qjoypad-4.3.1/src/joypadw.cpp Examining data/qjoypad-4.3.1/src/joypadw.h Examining data/qjoypad-4.3.1/src/joyslider.cpp Examining data/qjoypad-4.3.1/src/joyslider.h Examining data/qjoypad-4.3.1/src/keycode.cpp Examining data/qjoypad-4.3.1/src/keycode.h Examining data/qjoypad-4.3.1/src/keydialog.cpp Examining data/qjoypad-4.3.1/src/keydialog.hpp Examining data/qjoypad-4.3.1/src/layout.cpp Examining data/qjoypad-4.3.1/src/layout.h Examining data/qjoypad-4.3.1/src/layout_edit.cpp Examining data/qjoypad-4.3.1/src/layout_edit.h Examining data/qjoypad-4.3.1/src/main.cpp Examining data/qjoypad-4.3.1/src/quickset.cpp Examining data/qjoypad-4.3.1/src/quickset.h FINAL RESULTS: data/qjoypad-4.3.1/src/error.h:15:68: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. inline void debug_mesg(const char *fmt, ...) __attribute__((format(printf,1,2))); data/qjoypad-4.3.1/src/error.h:21:5: [4] (format) vfprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. vfprintf(stderr, fmt, ap); data/qjoypad-4.3.1/src/main.cpp:55:34: [4] (shell) system: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. if (translator.load(QLocale::system(), "qjoypad", "_", QJOYPAD_L10N_DIR)) { data/qjoypad-4.3.1/src/main.cpp:59:75: [4] (shell) system: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. debug_mesg("no translation for locale: %s\n", qPrintable(QLocale::system().name())); data/qjoypad-4.3.1/src/main.cpp:99:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs. int c = getopt_long(argc, argv, "hd:tTu", long_options, NULL); data/qjoypad-4.3.1/src/joypad.cpp:24:9: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). open(dev); data/qjoypad-4.3.1/src/joypad.cpp:63:14: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). void JoyPad::open(int dev) { data/qjoypad-4.3.1/src/joypad.cpp:69:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char id[256]; data/qjoypad-4.3.1/src/joypad.h:43:14: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). void open( int dev ); data/qjoypad-4.3.1/src/layout.cpp:177:15: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (!file.open(QIODevice::ReadOnly)) { data/qjoypad-4.3.1/src/layout.cpp:266:14: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (file.open(QIODevice::ReadOnly)) { data/qjoypad-4.3.1/src/layout.cpp:311:14: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (file.open(QIODevice::WriteOnly)) { data/qjoypad-4.3.1/src/layout.cpp:426:14: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (file.open(QIODevice::WriteOnly)) { data/qjoypad-4.3.1/src/layout.cpp:690:18: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). int joydev = open(qPrintable(devpath), O_RDONLY | O_NONBLOCK); data/qjoypad-4.3.1/src/layout.cpp:702:21: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). joypad->open(joydev); data/qjoypad-4.3.1/src/main.cpp:173:18: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (file.open(QIODevice::WriteOnly)) data/qjoypad-4.3.1/src/main.cpp:190:21: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (pidFile.open( QIODevice::ReadOnly )) data/qjoypad-4.3.1/src/main.cpp:219:17: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (pidFile.open( QIODevice::WriteOnly )) data/qjoypad-4.3.1/src/axis.cpp:26:12: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). bool Axis::read( QTextStream &stream ) { data/qjoypad-4.3.1/src/axis.h:35:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). bool read( QTextStream &stream ); data/qjoypad-4.3.1/src/button.cpp:17:14: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). bool Button::read( QTextStream &stream ) { data/qjoypad-4.3.1/src/button.h:20:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). bool read( QTextStream &stream ); data/qjoypad-4.3.1/src/joypad.cpp:158:38: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). if (!buttons[num-1]->read( stream )) { data/qjoypad-4.3.1/src/joypad.cpp:178:35: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). if (!axes[num-1]->read(stream)) { data/qjoypad-4.3.1/src/joypad.cpp:257:19: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). ssize_t len = read(joydev, &msg, sizeof(js_event)); ANALYSIS SUMMARY: Hits = 25 Lines analyzed = 4175 in approximately 0.10 seconds (40021 lines/second) Physical Source Lines of Code (SLOC) = 3121 Hits@level = [0] 3 [1] 7 [2] 13 [3] 1 [4] 4 [5] 0 Hits@level+ = [0+] 28 [1+] 25 [2+] 18 [3+] 5 [4+] 4 [5+] 0 Hits/KSLOC@level+ = [0+] 8.97148 [1+] 8.01025 [2+] 5.76738 [3+] 1.60205 [4+] 1.28164 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.