Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/vala-panel-0.5.0/app/application.c
Examining data/vala-panel-0.5.0/app/application.h
Examining data/vala-panel-0.5.0/app/vala-panel-platform-standalone-layer-shell.c
Examining data/vala-panel-0.5.0/app/vala-panel-platform-standalone-layer-shell.h
Examining data/vala-panel-0.5.0/app/vala-panel-platform-standalone-x11.c
Examining data/vala-panel-0.5.0/app/vala-panel-platform-standalone-x11.h
Examining data/vala-panel-0.5.0/applets/core/cpu/cpu.c
Examining data/vala-panel-0.5.0/applets/core/cpu/cpu.h
Examining data/vala-panel-0.5.0/applets/core/menumodel/debug.h
Examining data/vala-panel-0.5.0/applets/core/menumodel/menu-maker.c
Examining data/vala-panel-0.5.0/applets/core/menumodel/menu.c
Examining data/vala-panel-0.5.0/applets/core/menumodel/menu.h
Examining data/vala-panel-0.5.0/applets/core/monitors/cpu.c
Examining data/vala-panel-0.5.0/applets/core/monitors/cpu.h
Examining data/vala-panel-0.5.0/applets/core/monitors/mem.c
Examining data/vala-panel-0.5.0/applets/core/monitors/mem.h
Examining data/vala-panel-0.5.0/applets/core/monitors/monitor.c
Examining data/vala-panel-0.5.0/applets/core/monitors/monitor.h
Examining data/vala-panel-0.5.0/applets/core/monitors/monitors.c
Examining data/vala-panel-0.5.0/applets/core/monitors/monitors.h
Examining data/vala-panel-0.5.0/applets/core/monitors/swap.c
Examining data/vala-panel-0.5.0/applets/core/monitors/swap.h
Examining data/vala-panel-0.5.0/applets/core/netmon/monitor.c
Examining data/vala-panel-0.5.0/applets/core/netmon/monitor.h
Examining data/vala-panel-0.5.0/applets/core/netmon/monitors.c
Examining data/vala-panel-0.5.0/applets/core/netmon/monitors.h
Examining data/vala-panel-0.5.0/applets/core/netmon/net.c
Examining data/vala-panel-0.5.0/applets/core/netmon/net.h
Examining data/vala-panel-0.5.0/applets/wnck/tasklist/tasklist-widget.c
Examining data/vala-panel-0.5.0/applets/wnck/tasklist/tasklist-widget.h
Examining data/vala-panel-0.5.0/applets/wnck/tasklist/tasklist.c
Examining data/vala-panel-0.5.0/applets/wnck/tasklist/tasklist.h
Examining data/vala-panel-0.5.0/applets/wnck/tasklist/xfce-arrow-button.c
Examining data/vala-panel-0.5.0/applets/wnck/tasklist/xfce-arrow-button.h
Examining data/vala-panel-0.5.0/runner/info-data.c
Examining data/vala-panel-0.5.0/runner/info-data.h
Examining data/vala-panel-0.5.0/runner/runner-app.c
Examining data/vala-panel-0.5.0/runner/runner-app.h
Examining data/vala-panel-0.5.0/runner/runner.c
Examining data/vala-panel-0.5.0/runner/runner.h
Examining data/vala-panel-0.5.0/ui/applet-info.c
Examining data/vala-panel-0.5.0/ui/applet-info.h
Examining data/vala-panel-0.5.0/ui/applet-manager.c
Examining data/vala-panel-0.5.0/ui/applet-manager.h
Examining data/vala-panel-0.5.0/ui/applet-widget-api.h
Examining data/vala-panel-0.5.0/ui/applet-widget.c
Examining data/vala-panel-0.5.0/ui/applet-widget.h
Examining data/vala-panel-0.5.0/ui/client.h
Examining data/vala-panel-0.5.0/ui/definitions.h
Examining data/vala-panel-0.5.0/ui/panel-layout.c
Examining data/vala-panel-0.5.0/ui/panel-layout.h
Examining data/vala-panel-0.5.0/ui/panel-platform.c
Examining data/vala-panel-0.5.0/ui/panel-platform.h
Examining data/vala-panel-0.5.0/ui/private.h
Examining data/vala-panel-0.5.0/ui/server.h
Examining data/vala-panel-0.5.0/ui/settings-manager.c
Examining data/vala-panel-0.5.0/ui/settings-manager.h
Examining data/vala-panel-0.5.0/ui/toplevel-config.c
Examining data/vala-panel-0.5.0/ui/toplevel-config.h
Examining data/vala-panel-0.5.0/ui/toplevel.c
Examining data/vala-panel-0.5.0/ui/toplevel.h
Examining data/vala-panel-0.5.0/util/boxed-wrapper.c
Examining data/vala-panel-0.5.0/util/boxed-wrapper.h
Examining data/vala-panel-0.5.0/util/constants.h
Examining data/vala-panel-0.5.0/util/glistmodel-filter.c
Examining data/vala-panel-0.5.0/util/glistmodel-filter.h
Examining data/vala-panel-0.5.0/util/gtk/css.c
Examining data/vala-panel-0.5.0/util/gtk/css.h
Examining data/vala-panel-0.5.0/util/gtk/generic-config-dialog.c
Examining data/vala-panel-0.5.0/util/gtk/generic-config-dialog.h
Examining data/vala-panel-0.5.0/util/gtk/launcher-gtk.c
Examining data/vala-panel-0.5.0/util/gtk/launcher-gtk.h
Examining data/vala-panel-0.5.0/util/gtk/menu-maker.c
Examining data/vala-panel-0.5.0/util/gtk/menu-maker.h
Examining data/vala-panel-0.5.0/util/gtk/misc-gtk.c
Examining data/vala-panel-0.5.0/util/gtk/misc-gtk.h
Examining data/vala-panel-0.5.0/util/gtk/util-gtk.h
Examining data/vala-panel-0.5.0/util/misc.c
Examining data/vala-panel-0.5.0/util/misc.h
Examining data/vala-panel-0.5.0/util/util.h

FINAL RESULTS:

data/vala-panel-0.5.0/applets/core/menumodel/menu-maker.c:212:44:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  g_menu_append_submenu(menu, _("System"), system);
data/vala-panel-0.5.0/applets/core/menumodel/menu-maker.c:220:29:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  append_all_sections(menu, system);
data/vala-panel-0.5.0/applets/core/menumodel/menu.c:69:7:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  bool system;
data/vala-panel-0.5.0/applets/core/menumodel/menu.c:365:36:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  g_value_set_boolean(value, self->system);
data/vala-panel-0.5.0/applets/core/menumodel/menu.c:485:48:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  if (!g_strcmp0(command_name, "menu") && self->system && self->show_system_menu_idle == 0)
data/vala-panel-0.5.0/applets/core/menumodel/menu-maker.c:138:38:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable input if the environment can beset by an attacker. It can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them.
  char *path = g_filename_to_uri(g_get_home_dir(), NULL, NULL);
data/vala-panel-0.5.0/app/application.c:233:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char cwd[PATH_MAX];
data/vala-panel-0.5.0/applets/core/cpu/cpu.c:117:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE *stat = fopen("/proc/stat", "r");
data/vala-panel-0.5.0/applets/core/cpu/cpu.c:135:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&c->previous_cpu_stat, &cpu, sizeof(cpu_stat));
data/vala-panel-0.5.0/applets/core/cpu/cpu.c:176:6:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&new_stats_cpu[0],
data/vala-panel-0.5.0/applets/core/cpu/cpu.c:179:6:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&new_stats_cpu[new_pixmap_width - c->pixmap_width +
data/vala-panel-0.5.0/applets/core/cpu/cpu.c:189:6:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&new_stats_cpu[0],
data/vala-panel-0.5.0/applets/core/cpu/cpu.c:192:6:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&new_stats_cpu[c->ring_cursor],
data/vala-panel-0.5.0/applets/core/cpu/cpu.c:204:6:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&new_stats_cpu[0],
data/vala-panel-0.5.0/applets/core/monitors/cpu.c:38:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE *stat = fopen("/proc/stat", "r");
data/vala-panel-0.5.0/applets/core/monitors/cpu.c:56:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&previous_cpu_stat, &cpu, sizeof(cpu_stat));
data/vala-panel-0.5.0/applets/core/monitors/mem.c:30:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[80];
data/vala-panel-0.5.0/applets/core/monitors/mem.c:36:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE *meminfo = fopen("/proc/meminfo", "r");
data/vala-panel-0.5.0/applets/core/monitors/monitor.c:90:6:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(new_stats,
data/vala-panel-0.5.0/applets/core/monitors/monitor.c:93:6:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&new_stats[nvalues],
data/vala-panel-0.5.0/applets/core/monitors/monitor.c:104:6:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(new_stats,
data/vala-panel-0.5.0/applets/core/monitors/monitor.c:107:6:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&new_stats[mon->ring_cursor],
data/vala-panel-0.5.0/applets/core/monitors/monitor.c:117:6:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy((void *)new_stats,
data/vala-panel-0.5.0/applets/core/monitors/swap.c:30:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[80];
data/vala-panel-0.5.0/applets/core/monitors/swap.c:37:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE *meminfo = fopen("/proc/meminfo", "r");
data/vala-panel-0.5.0/applets/core/netmon/monitor.c:90:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(new_stats, old_stats, cursor * sizeof(double));
data/vala-panel-0.5.0/applets/core/netmon/monitor.c:91:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&new_stats[nvalues], &old_stats[cursor], nvalues * sizeof(double));
data/vala-panel-0.5.0/applets/core/netmon/monitor.c:100:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(new_stats, old_stats, cursor * sizeof(double));
data/vala-panel-0.5.0/applets/core/netmon/monitor.c:101:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&new_stats[cursor],
data/vala-panel-0.5.0/applets/core/netmon/monitor.c:111:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy((void *)new_stats,
data/vala-panel-0.5.0/applets/core/netmon/net.c:49:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!(fp = fopen("/proc/net/dev", "r")))
data/vala-panel-0.5.0/applets/core/netmon/net.c:53:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[256];
data/vala-panel-0.5.0/ui/definitions.h:90:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy((DST), (SRC), TMPSZ); \
data/vala-panel-0.5.0/ui/toplevel-config.c:230:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char scol[120];
data/vala-panel-0.5.0/runner/info-data.c:30:48:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char *nom = g_markup_escape_text(name, (long)strlen(name));
data/vala-panel-0.5.0/runner/info-data.c:31:49:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char *desc = g_markup_escape_text(sdesc, (long)strlen(sdesc));
data/vala-panel-0.5.0/util/gtk/css.c:211:55:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gtk_css_provider_load_from_data(provider, css, (long)strlen(css), &err);
data/vala-panel-0.5.0/util/gtk/css.c:224:55:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gtk_css_provider_load_from_data(provider, css, (long)strlen(css), &err);
data/vala-panel-0.5.0/util/misc.c:61:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (uri_scheme != NULL && strlen(uri_scheme) <= 0)

ANALYSIS SUMMARY:

Hits = 39
Lines analyzed = 16560 in approximately 0.39 seconds (42281 lines/second)
Physical Source Lines of Code (SLOC) = 12731
Hits@level = [0]   9 [1]   5 [2]  28 [3]   1 [4]   5 [5]   0
Hits@level+ = [0+]  48 [1+]  39 [2+]  34 [3+]   6 [4+]   5 [5+]   0
Hits/KSLOC@level+ = [0+] 3.77032 [1+] 3.06339 [2+] 2.67065 [3+] 0.471291 [4+] 0.392742 [5+]   0
Dot directories skipped = 3 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.