Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/vmpk-0.7.2/src/keyboardmap.cpp Examining data/vmpk-0.7.2/src/mididefs.h Examining data/vmpk-0.7.2/src/sonivoxsettingsdialog.h Examining data/vmpk-0.7.2/src/about.h Examining data/vmpk-0.7.2/src/about.cpp Examining data/vmpk-0.7.2/src/nativefilter.h Examining data/vmpk-0.7.2/src/shortcutdialog.cpp Examining data/vmpk-0.7.2/src/vpiano.cpp Examining data/vmpk-0.7.2/src/colordialog.cpp Examining data/vmpk-0.7.2/src/riff.h Examining data/vmpk-0.7.2/src/macsynthsettingsdialog.h Examining data/vmpk-0.7.2/src/riffimportdlg.cpp Examining data/vmpk-0.7.2/src/keylabel.cpp Examining data/vmpk-0.7.2/src/networksettingsdialog.cpp Examining data/vmpk-0.7.2/src/riff.cpp Examining data/vmpk-0.7.2/src/instrument.cpp Examining data/vmpk-0.7.2/src/pianopalette.cpp Examining data/vmpk-0.7.2/src/shortcutdialog.h Examining data/vmpk-0.7.2/src/kmapdialog.cpp Examining data/vmpk-0.7.2/src/pianopalette.h Examining data/vmpk-0.7.2/src/preferences.h Examining data/vmpk-0.7.2/src/fluidsettingsdialog.h Examining data/vmpk-0.7.2/src/midisetup.cpp Examining data/vmpk-0.7.2/src/instrument.h Examining data/vmpk-0.7.2/src/keylabel.h Examining data/vmpk-0.7.2/src/pianokey.h Examining data/vmpk-0.7.2/src/vpiano.h Examining data/vmpk-0.7.2/src/extracontrols.cpp Examining data/vmpk-0.7.2/src/pianokey.cpp Examining data/vmpk-0.7.2/src/pianoscene.cpp Examining data/vmpk-0.7.2/src/constants.h Examining data/vmpk-0.7.2/src/extracontrols.h Examining data/vmpk-0.7.2/src/sonivoxsettingsdialog.cpp Examining data/vmpk-0.7.2/src/riffimportdlg.h Examining data/vmpk-0.7.2/src/colorwidget.h Examining data/vmpk-0.7.2/src/networksettingsdialog.h Examining data/vmpk-0.7.2/src/pianokeybd.h Examining data/vmpk-0.7.2/src/fluidsettingsdialog.cpp Examining data/vmpk-0.7.2/src/keyboardmap.h Examining data/vmpk-0.7.2/src/macsynthsettingsdialog.cpp Examining data/vmpk-0.7.2/src/midisetup.h Examining data/vmpk-0.7.2/src/kmapdialog.h Examining data/vmpk-0.7.2/src/colordialog.h Examining data/vmpk-0.7.2/src/colorwidget.cpp Examining data/vmpk-0.7.2/src/main.cpp Examining data/vmpk-0.7.2/src/nativefilter.cpp Examining data/vmpk-0.7.2/src/pianoscene.h Examining data/vmpk-0.7.2/src/maceventhelper.h Examining data/vmpk-0.7.2/src/preferences.cpp Examining data/vmpk-0.7.2/src/pianokeybd.cpp Examining data/vmpk-0.7.2/src/pianodefs.h FINAL RESULTS: data/vmpk-0.7.2/src/vpiano.cpp:2049:36: [4] (shell) system: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. QString defLang = QLocale::system().name(); data/vmpk-0.7.2/src/instrument.cpp:145:15: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (!file.open(QIODevice::ReadOnly)) data/vmpk-0.7.2/src/instrument.cpp:375:15: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (!file.open(QIODevice::WriteOnly | QIODevice::Truncate)) data/vmpk-0.7.2/src/keyboardmap.cpp:31:11: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (f.open(QFile::ReadOnly | QFile::Text)) { data/vmpk-0.7.2/src/keyboardmap.cpp:45:11: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (f.open(QFile::WriteOnly | QFile::Text)) { data/vmpk-0.7.2/src/midisetup.cpp:139:28: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). m_midiOut->open(conn); data/vmpk-0.7.2/src/midisetup.cpp:149:27: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). m_midiIn->open(conn); data/vmpk-0.7.2/src/midisetup.cpp:283:28: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). m_midiOut->open(conn); data/vmpk-0.7.2/src/riff.cpp:42:10: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). file.open(QIODevice::ReadOnly); data/vmpk-0.7.2/src/riff.cpp:74:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[size+1]; data/vmpk-0.7.2/src/riff.cpp:165:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char name[21]; data/vmpk-0.7.2/src/riffimportdlg.cpp:103:14: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (data.open(QFile::WriteOnly | QFile::Truncate)) { data/vmpk-0.7.2/src/vpiano.cpp:256:23: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). m_midiin->open(m_lastInputConnection); data/vmpk-0.7.2/src/vpiano.cpp:265:20: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). m_midiout->open(m_lastOutputConnection); data/vmpk-0.7.2/src/vpiano.cpp:460:10: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). file.open(QIODevice::ReadOnly); data/vmpk-0.7.2/src/vpiano.cpp:1891:23: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). m_midiin->open(value); data/vmpk-0.7.2/src/vpiano.cpp:1903:24: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). m_midiout->open(value); data/vmpk-0.7.2/src/riff.cpp:53:9: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). read(); data/vmpk-0.7.2/src/riff.cpp:341:12: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). void Riff::read() data/vmpk-0.7.2/src/riff.h:74:10: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). void read(); ANALYSIS SUMMARY: Hits = 20 Lines analyzed = 9705 in approximately 0.23 seconds (42380 lines/second) Physical Source Lines of Code (SLOC) = 7552 Hits@level = [0] 0 [1] 3 [2] 16 [3] 0 [4] 1 [5] 0 Hits@level+ = [0+] 20 [1+] 20 [2+] 17 [3+] 1 [4+] 1 [5+] 0 Hits/KSLOC@level+ = [0+] 2.64831 [1+] 2.64831 [2+] 2.25106 [3+] 0.132415 [4+] 0.132415 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.