Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/seriousproton-2020.01.15+dfsg/src/P.h
Examining data/seriousproton-2020.01.15+dfsg/src/PlayerController.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/PlayerController.h
Examining data/seriousproton-2020.01.15+dfsg/src/Renderable.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/Renderable.h
Examining data/seriousproton-2020.01.15+dfsg/src/Updatable.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/Updatable.h
Examining data/seriousproton-2020.01.15+dfsg/src/clipboard.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/clipboard.h
Examining data/seriousproton-2020.01.15+dfsg/src/collisionable.h
Examining data/seriousproton-2020.01.15+dfsg/src/dtoa/dtoa_milo.h
Examining data/seriousproton-2020.01.15+dfsg/src/engine.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/engine.h
Examining data/seriousproton-2020.01.15+dfsg/src/event.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/event.h
Examining data/seriousproton-2020.01.15+dfsg/src/fixedSocket.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/fixedSocket.h
Examining data/seriousproton-2020.01.15+dfsg/src/gameEntity.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/gameEntity.h
Examining data/seriousproton-2020.01.15+dfsg/src/httpServer.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/httpServer.h
Examining data/seriousproton-2020.01.15+dfsg/src/input.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/input.h
Examining data/seriousproton-2020.01.15+dfsg/src/json11/json11.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/json11/json11.hpp
Examining data/seriousproton-2020.01.15+dfsg/src/logging.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/logging.h
Examining data/seriousproton-2020.01.15+dfsg/src/multiplayer.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/multiplayer.h
Examining data/seriousproton-2020.01.15+dfsg/src/multiplayer_client.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/multiplayer_client.h
Examining data/seriousproton-2020.01.15+dfsg/src/multiplayer_internal.h
Examining data/seriousproton-2020.01.15+dfsg/src/multiplayer_server.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/multiplayer_server.h
Examining data/seriousproton-2020.01.15+dfsg/src/multiplayer_server_scanner.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/multiplayer_server_scanner.h
Examining data/seriousproton-2020.01.15+dfsg/src/networkAudioStream.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/networkAudioStream.h
Examining data/seriousproton-2020.01.15+dfsg/src/networkRecorder.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/networkRecorder.h
Examining data/seriousproton-2020.01.15+dfsg/src/postProcessManager.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/postProcessManager.h
Examining data/seriousproton-2020.01.15+dfsg/src/random.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/random.h
Examining data/seriousproton-2020.01.15+dfsg/src/resources.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/resources.h
Examining data/seriousproton-2020.01.15+dfsg/src/scriptInterface.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/scriptInterface.h
Examining data/seriousproton-2020.01.15+dfsg/src/scriptInterfaceMagic.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/shaderManager.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/shaderManager.h
Examining data/seriousproton-2020.01.15+dfsg/src/soundManager.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/soundManager.h
Examining data/seriousproton-2020.01.15+dfsg/src/stringImproved.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/stringImproved.h
Examining data/seriousproton-2020.01.15+dfsg/src/textureManager.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/textureManager.h
Examining data/seriousproton-2020.01.15+dfsg/src/tween.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/tween.h
Examining data/seriousproton-2020.01.15+dfsg/src/vectorUtils.h
Examining data/seriousproton-2020.01.15+dfsg/src/windowManager.cpp
Examining data/seriousproton-2020.01.15+dfsg/src/windowManager.h
Examining data/seriousproton-2020.01.15+dfsg/src/scriptInterfaceMagic.h
Examining data/seriousproton-2020.01.15+dfsg/src/collisionable.cpp

FINAL RESULTS:

data/seriousproton-2020.01.15+dfsg/src/clipboard.cpp:33:18:  [4] (shell) popen:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
    FILE* pipe = popen("/usr/bin/xclip -o -selection clipboard", "r");
data/seriousproton-2020.01.15+dfsg/src/clipboard.cpp:83:18:  [4] (shell) popen:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
    FILE* pipe = popen("/usr/bin/xclip -i -selection clipboard -silent", "we");
data/seriousproton-2020.01.15+dfsg/src/json11/json11.hpp:65:17:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
    #ifndef snprintf
data/seriousproton-2020.01.15+dfsg/src/json11/json11.hpp:66:21:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
    #define snprintf _snprintf_s
data/seriousproton-2020.01.15+dfsg/src/logging.cpp:14:25:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
    #define print_func(...) fprintf(Logging::log_stream, __VA_ARGS__)
data/seriousproton-2020.01.15+dfsg/src/random.cpp:15:7:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
    float random(float fmin, float fmax)
data/seriousproton-2020.01.15+dfsg/src/random.h:6:7:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
    float random(float fmin, float fmax);
data/seriousproton-2020.01.15+dfsg/src/scriptInterface.cpp:7:12:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
    static int random(lua_State* L)
data/seriousproton-2020.01.15+dfsg/src/scriptInterface.cpp:12:23:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
    lua_pushnumber(L, random(rMin, rMax));
data/seriousproton-2020.01.15+dfsg/src/scriptInterface.cpp:17:26:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
    REGISTER_SCRIPT_FUNCTION(random);
data/seriousproton-2020.01.15+dfsg/src/windowManager.cpp:12:5:  [3] (random) srand:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
    srand(time(NULL));
data/seriousproton-2020.01.15+dfsg/src/clipboard.cpp:39:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char buffer[1024];
data/seriousproton-2020.01.15+dfsg/src/clipboard.cpp:76:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(GlobalLock(string_handle), value.c_str(), string_size);
data/seriousproton-2020.01.15+dfsg/src/dtoa/dtoa_milo.h:325:15:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    static const char cDigitsLut[200] = {
data/seriousproton-2020.01.15+dfsg/src/fixedSocket.cpp:63:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(backlog_data_block, reinterpret_cast<const char*>(&packetSize) + sent, sizeof(packetSize) - sent);
data/seriousproton-2020.01.15+dfsg/src/fixedSocket.cpp:64:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(backlog_data_block + sizeof(packetSize) - sent, data, size);
data/seriousproton-2020.01.15+dfsg/src/fixedSocket.cpp:74:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(backlog_data_block, reinterpret_cast<const char*>(data) + sent, backlog_data_block_size);
data/seriousproton-2020.01.15+dfsg/src/fixedSocket.cpp:89:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(new_block, backlog_data_block + sent, backlog_data_block_size - sent);
data/seriousproton-2020.01.15+dfsg/src/httpServer.cpp:61:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char buffer[1024];
data/seriousproton-2020.01.15+dfsg/src/httpServer.cpp:69:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(recvBuffer + recvBufferCount, buffer, size);
data/seriousproton-2020.01.15+dfsg/src/httpServer.cpp:329:9:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    f = fopen(fullPath.c_str(), "rb");
data/seriousproton-2020.01.15+dfsg/src/httpServer.cpp:335:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char buffer[1024];
data/seriousproton-2020.01.15+dfsg/src/httpServer.h:49:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char recvBuffer[recvBufferSize];
data/seriousproton-2020.01.15+dfsg/src/httpServer.h:51:25:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    const static signed char HEX2DEC[256];
data/seriousproton-2020.01.15+dfsg/src/json11/json11.cpp:59:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char buf[32];
data/seriousproton-2020.01.15+dfsg/src/json11/json11.cpp:68:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char buf[32];
data/seriousproton-2020.01.15+dfsg/src/json11/json11.cpp:96:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char buf[8];
data/seriousproton-2020.01.15+dfsg/src/json11/json11.cpp:329:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char buf[12];
data/seriousproton-2020.01.15+dfsg/src/json11/json11.cpp:594:25:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
    return std::atoi(str.c_str() + start_pos);
data/seriousproton-2020.01.15+dfsg/src/logging.cpp:63:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    log_stream = fopen(filename.c_str(), "wt");
data/seriousproton-2020.01.15+dfsg/src/networkRecorder.cpp:68:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&sample_buffer[old_size], samples, sizeof(sf::Int16) * sample_count);
data/seriousproton-2020.01.15+dfsg/src/resources.cpp:53:31:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    open_success = stream.open(filename);
data/seriousproton-2020.01.15+dfsg/src/httpServer.cpp:41:38:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
    if (!connections[n]->read())
data/seriousproton-2020.01.15+dfsg/src/httpServer.cpp:59:28:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
    bool HttpServerConnection::read()
data/seriousproton-2020.01.15+dfsg/src/httpServer.h:60:10:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
    bool read();
data/seriousproton-2020.01.15+dfsg/src/resources.cpp:38:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
    if (read(&c, 1) < 1)
data/seriousproton-2020.01.15+dfsg/src/resources.cpp:64:23:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
    virtual sf::Int64 read(void* data, sf::Int64 size)
data/seriousproton-2020.01.15+dfsg/src/resources.cpp:66:23:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
    return stream.read(data, size);

ANALYSIS SUMMARY:

Hits = 38
Lines analyzed = 10451 in approximately 0.26 seconds (40258 lines/second)
Physical Source Lines of Code (SLOC) = 8070
Hits@level = [0]  12 [1]   6 [2]  21 [3]   6 [4]   5 [5]   0
Hits@level+ = [0+]  50 [1+]  38 [2+]  32 [3+]  11 [4+]   5 [5+]   0
Hits/KSLOC@level+ = [0+] 6.19579 [1+] 4.7088 [2+] 3.9653 [3+] 1.36307 [4+] 0.619579 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.