stdin

Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/vonsh-1.0/inc/font_layout.h
Examining data/vonsh-1.0/inc/pcg_basic.h
Examining data/vonsh-1.0/inc/text_renderer.h
Examining data/vonsh-1.0/src/pcg_basic.c
Examining data/vonsh-1.0/src/text_renderer.c
Examining data/vonsh-1.0/src/vonsh.c

FINAL RESULTS:

data/vonsh-1.0/src/vonsh.c:191:13:  [5] (race) readlink:
  This accepts filename arguments; if an attacker can move those files or
  change the link content, a race condition results. Also, it does not
  terminate with ASCII NUL. (CWE-362, CWE-20). Reconsider approach.
        if (readlink("/proc/self/exe", exe_path, EXE_PATH_SIZE) == -1) {
data/vonsh-1.0/src/vonsh.c:189:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char exe_path[EXE_PATH_SIZE]; /* resources path */
data/vonsh-1.0/src/vonsh.c:584:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char bottom_string[15];
data/vonsh-1.0/src/vonsh.c:745:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(bottom_string, "HI SCORE: %d", hi_score);
data/vonsh-1.0/src/vonsh.c:747:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(bottom_string, "SCORE: %d", score);

ANALYSIS SUMMARY:

Hits = 5
Lines analyzed = 1253 in approximately 0.05 seconds (24102 lines/second)
Physical Source Lines of Code (SLOC) = 958
Hits@level = [0]   1 [1]   0 [2]   4 [3]   0 [4]   0 [5]   1
Hits@level+ = [0+]   6 [1+]   5 [2+]   5 [3+]   1 [4+]   1 [5+]   1
Hits/KSLOC@level+ = [0+] 6.26305 [1+] 5.21921 [2+] 5.21921 [3+] 1.04384 [4+] 1.04384 [5+] 1.04384
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.