Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/telepathy-rakia-0.8.0/src/protocol.h Examining data/telepathy-rakia-0.8.0/src/write-mgr-file.c Examining data/telepathy-rakia-0.8.0/src/sip-connection-manager.h Examining data/telepathy-rakia-0.8.0/src/sip-connection-private.h Examining data/telepathy-rakia-0.8.0/src/sip-connection.c Examining data/telepathy-rakia-0.8.0/src/telepathy-rakia.c Examining data/telepathy-rakia-0.8.0/src/sip-connection-manager.c Examining data/telepathy-rakia-0.8.0/src/protocol.c Examining data/telepathy-rakia-0.8.0/src/sip-connection.h Examining data/telepathy-rakia-0.8.0/src/sip-connection-helpers.h Examining data/telepathy-rakia-0.8.0/src/sip-connection-helpers.c Examining data/telepathy-rakia-0.8.0/rakia/base-connection.h Examining data/telepathy-rakia-0.8.0/rakia/call-content.h Examining data/telepathy-rakia-0.8.0/rakia/text-channel.h Examining data/telepathy-rakia-0.8.0/rakia/call-channel.c Examining data/telepathy-rakia-0.8.0/rakia/util.h Examining data/telepathy-rakia-0.8.0/rakia/media-manager.h Examining data/telepathy-rakia-0.8.0/rakia/handles.c Examining data/telepathy-rakia-0.8.0/rakia/text-channel.c Examining data/telepathy-rakia-0.8.0/rakia/sip-session.h Examining data/telepathy-rakia-0.8.0/rakia/sip-media.c Examining data/telepathy-rakia-0.8.0/rakia/debug.h Examining data/telepathy-rakia-0.8.0/rakia/sofia-decls.h Examining data/telepathy-rakia-0.8.0/rakia/event-target.h Examining data/telepathy-rakia-0.8.0/rakia/base-connection-sofia.c Examining data/telepathy-rakia-0.8.0/rakia/debug.c Examining data/telepathy-rakia-0.8.0/rakia/text-manager.h Examining data/telepathy-rakia-0.8.0/rakia/connection-aliasing.c Examining data/telepathy-rakia-0.8.0/rakia/sip-session.c Examining data/telepathy-rakia-0.8.0/rakia/handles.h Examining data/telepathy-rakia-0.8.0/rakia/call-stream.h Examining data/telepathy-rakia-0.8.0/rakia/event-target.c Examining data/telepathy-rakia-0.8.0/rakia/codec-param-formats.c Examining data/telepathy-rakia-0.8.0/rakia/media-manager.c Examining data/telepathy-rakia-0.8.0/rakia/call-content.c Examining data/telepathy-rakia-0.8.0/rakia/text-manager.c Examining data/telepathy-rakia-0.8.0/rakia/codec-param-formats.h Examining data/telepathy-rakia-0.8.0/rakia/util.c Examining data/telepathy-rakia-0.8.0/rakia/connection-aliasing.h Examining data/telepathy-rakia-0.8.0/rakia/call-stream.c Examining data/telepathy-rakia-0.8.0/rakia/sip-media.h Examining data/telepathy-rakia-0.8.0/rakia/base-connection.c Examining data/telepathy-rakia-0.8.0/rakia/call-channel.h Examining data/telepathy-rakia-0.8.0/extensions/extensions.h Examining data/telepathy-rakia-0.8.0/extensions/extensions.c FINAL RESULTS: data/telepathy-rakia-0.8.0/rakia/sip-session.c:1418:16: [3] (random) g_random_int_range: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. interval = g_random_int_range (0, 200) * 10; data/telepathy-rakia-0.8.0/rakia/sip-session.c:1420:16: [3] (random) g_random_int_range: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. interval = g_random_int_range (210, 400) * 10; data/telepathy-rakia-0.8.0/src/sip-connection-helpers.c:493:43: [3] (random) g_random_int_range: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. ans = g_ptr_array_index (items, g_random_int_range (0, items->len)); data/telepathy-rakia-0.8.0/src/sip-connection-helpers.c:618:14: [3] (random) g_random_int_range: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. dice = g_random_int_range (0, sum + 1); data/telepathy-rakia-0.8.0/rakia/handles.c:186:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (res, src, i); data/telepathy-rakia-0.8.0/rakia/sip-media.c:680:31: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). rtpmap->rm_params ? atoi(rtpmap->rm_params) : 0); data/telepathy-rakia-0.8.0/rakia/sip-session.c:74:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static const char *const session_states[NUM_RAKIA_SIP_SESSION_STATES] = data/telepathy-rakia-0.8.0/rakia/handles.c:177:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). n = i + strlen (src + i); data/telepathy-rakia-0.8.0/rakia/util.c:135:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen (src); ANALYSIS SUMMARY: Hits = 9 Lines analyzed = 14140 in approximately 0.27 seconds (52251 lines/second) Physical Source Lines of Code (SLOC) = 9892 Hits@level = [0] 2 [1] 2 [2] 3 [3] 4 [4] 0 [5] 0 Hits@level+ = [0+] 11 [1+] 9 [2+] 7 [3+] 4 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 1.11201 [1+] 0.909826 [2+] 0.707643 [3+] 0.404367 [4+] 0 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.