Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/wmmatrix-0.2/wmMatrix.c
Examining data/wmmatrix-0.2/config.h
Examining data/wmmatrix-0.2/yarandom.h
Examining data/wmmatrix-0.2/yarandom.c
Examining data/wmmatrix-0.2/matrix.c
Examining data/wmmatrix-0.2/version.h
Examining data/wmmatrix-0.2/matrix.h
Examining data/wmmatrix-0.2/xutils.c
Examining data/wmmatrix-0.2/xutils.h

FINAL RESULTS:

data/wmmatrix-0.2/wmMatrix.c:287:13:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(TimeColor, argv[++i]);
data/wmmatrix-0.2/wmMatrix.c:296:13:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(BackgroundColor, argv[++i]);
data/wmmatrix-0.2/wmMatrix.c:305:6:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ExecuteCommand, argv[++i]);
data/wmmatrix-0.2/wmMatrix.c:381:9:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  system("xscreensaver-demo");
data/wmmatrix-0.2/matrix.c:168:45:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  else if (bottom_feeder_p) to->glow = 1 + (random() % 2);
data/wmmatrix-0.2/matrix.c:192:15:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  int g = (random() % state->nglyphs) + 1;
data/wmmatrix-0.2/matrix.c:204:7:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  if ((random() % 10) == 0) { /* randomly change throttle speed */
data/wmmatrix-0.2/matrix.c:206:22:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  f->throttle = ((random() % 5) + (random() % 5));
data/wmmatrix-0.2/matrix.c:206:39:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  f->throttle = ((random() % 5) + (random() % 5));
data/wmmatrix-0.2/matrix.c:243:15:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  int i = random() % (state->grid_width / 2);
data/wmmatrix-0.2/matrix.c:246:19:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  int x = random() % state->grid_width;
data/wmmatrix-0.2/matrix.c:247:19:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  int y = random() % state->grid_height;
data/wmmatrix-0.2/matrix.c:251:28:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  cell->glow = random() % 10;
data/wmmatrix-0.2/matrix.c:267:12:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  if ((random() % densitizer(state)) != 0) /* then change N% of the time */
data/wmmatrix-0.2/matrix.c:270:27:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  f->remaining = 3 + (random() % state->grid_height);
data/wmmatrix-0.2/matrix.c:271:23:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  f->throttle = ((random() % 5) + (random() % 5));
data/wmmatrix-0.2/matrix.c:271:40:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  f->throttle = ((random() % 5) + (random() % 5));
data/wmmatrix-0.2/matrix.c:273:12:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  if ((random() % 4) != 0)
data/wmmatrix-0.2/matrix.c:277:28:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  bottom_feeder_p = (random() & 1);
data/wmmatrix-0.2/matrix.c:282:16:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  f->y = random() % (state->grid_height / 2);
data/wmmatrix-0.2/yarandom.h:15:8:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  #undef random
data/wmmatrix-0.2/yarandom.h:17:8:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  #undef drand48
data/wmmatrix-0.2/yarandom.h:18:8:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  #undef srandom
data/wmmatrix-0.2/yarandom.h:19:8:  [3] (random) srand:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  #undef srand
data/wmmatrix-0.2/yarandom.h:28:9:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  #define random() ya_random()
data/wmmatrix-0.2/yarandom.h:29:9:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  #define srandom(i) ya_rand_init(0)
data/wmmatrix-0.2/yarandom.h:40:30:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  ({ double tmp = (((double) random()) / \
data/wmmatrix-0.2/yarandom.h:48:29:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327).
  Use a more secure technique for acquiring random values.
  (_frand_tmp_ = (((double) random()) / \
data/wmmatrix-0.2/wmMatrix.c:87:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char ExecuteCommand[1024];
data/wmmatrix-0.2/wmMatrix.c:96:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char TimeColor[30] = "#ffff00";
data/wmmatrix-0.2/wmMatrix.c:97:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char BackgroundColor[30] = "#181818";
data/wmmatrix-0.2/wmMatrix.c:125:5:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  Risk is low because the source is a constant string.
  strcpy(ExecuteCommand, "xmatrixsmall");
data/wmmatrix-0.2/wmMatrix.c:161:17:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files),
  move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ( (fp = fopen("/proc/loadavg", "r")) != NULL ){
data/wmmatrix-0.2/xutils.c:63:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern char TimeColor[30];
data/wmmatrix-0.2/xutils.c:64:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern char BackgroundColor[30];

ANALYSIS SUMMARY:

Hits = 35
Lines analyzed = 1772 in approximately 0.08 seconds (21723 lines/second)
Physical Source Lines of Code (SLOC) = 760
Hits@level = [0]  14 [1]   0 [2]   7 [3]  24 [4]   4 [5]   0
Hits@level+ = [0+]  49 [1+]  35 [2+]  35 [3+]  28 [4+]   4 [5+]   0
Hits/KSLOC@level+ = [0+] 64.4737 [1+] 46.0526 [2+] 46.0526 [3+] 36.8421 [4+] 5.26316 [5+]   0
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.
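Reading the report: the 24 level-3 random() hits sit in drawing code (glyph glow, throttle, grid positions, per the quoted lines), so they are not security findings for this program. The level-4 strcpy hits at wmMatrix.c:287, 296 and 305 are the ones worth acting on: each copies an unbounded argv value into a fixed buffer (TimeColor[30], BackgroundColor[30], ExecuteCommand[1024] from the level-2 hits), and the argv[++i] idiom also reads argv[argc], a null pointer, whenever the option is the last argument. The example below is added here and is not wmmatrix code: it shows that pattern beside a bounded replacement, using the buffer sizes from the report. The option names (-tc, -bc, -e), the struct, and the test inputs are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define COLOR_LEN 30    /* char TimeColor[30], char BackgroundColor[30] in the report */
#define CMD_LEN   1024  /* char ExecuteCommand[1024] in the report */

struct options {          /* assumed container for the three buffers */
    char time_color[COLOR_LEN];
    char background_color[COLOR_LEN];
    char execute_command[CMD_LEN];
};

/* The pattern flawfinder flagged: no length check on the value, and when the
 * option is the last argument argv[++i] is argv[argc], a null pointer.
 * Kept only for contrast; never called below. */
void copy_option_unchecked(char *dst, char **argv, int *i)
{
    strcpy(dst, argv[++(*i)]);
}

/* Bounded form: require a following value, reject anything that does not fit
 * with its terminator (silent truncation would turn one colour or command
 * into another), and only then copy. Returns 0 on success, -1 on rejection. */
static int copy_option_checked(char *dst, size_t dstsz,
                               int argc, char **argv, int *i)
{
    if (*i + 1 >= argc)
        return -1;                   /* option given without a value */
    const char *val = argv[++(*i)];
    size_t n = strlen(val);
    if (n >= dstsz)
        return -1;                   /* would overflow dst */
    memcpy(dst, val, n + 1);         /* n + 1 <= dstsz, includes the NUL */
    return 0;
}

/* Option names are assumptions for this example, not wmMatrix's real flags.
 * Any unknown option or rejected value aborts parsing. */
static int parse_options(struct options *o, int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int rc;
        if (strcmp(argv[i], "-tc") == 0)
            rc = copy_option_checked(o->time_color, sizeof o->time_color, argc, argv, &i);
        else if (strcmp(argv[i], "-bc") == 0)
            rc = copy_option_checked(o->background_color, sizeof o->background_color, argc, argv, &i);
        else if (strcmp(argv[i], "-e") == 0)
            rc = copy_option_checked(o->execute_command, sizeof o->execute_command, argc, argv, &i);
        else
            rc = -1;
        if (rc != 0)
            return -1;
    }
    return 0;
}

/* Counts a NULL-terminated argv the way the C runtime lays it out. */
static int parse_argv(struct options *o, char **argv)
{
    int argc = 0;
    while (argv[argc] != NULL)
        argc++;
    return parse_options(o, argc, argv);
}

/* Constructed inputs for the three cases that matter. */
static int scenario_valid(void)
{
    struct options o = {{0}};
    char *argv[] = { "wmMatrix", "-tc", "#00ff00", "-bc", "#000000",
                     "-e", "xlock -mode blank", NULL };
    if (parse_argv(&o, argv) != 0) return -1;
    if (strcmp(o.time_color, "#00ff00") != 0) return -2;
    if (strcmp(o.background_color, "#000000") != 0) return -3;
    if (strcmp(o.execute_command, "xlock -mode blank") != 0) return -4;
    return 0;
}

/* 41-byte value for a 30-byte colour buffer: strcpy would write 12 bytes past it. */
static int scenario_oversize(void)
{
    struct options o = {{0}};
    char *argv[] = { "wmMatrix", "-tc",
                     "#aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", NULL };
    return parse_argv(&o, argv);
}

/* Option with no value: the unchecked version would strcpy from argv[argc] == NULL. */
static int scenario_missing_value(void)
{
    struct options o = {{0}};
    char *argv[] = { "wmMatrix", "-e", NULL };
    return parse_argv(&o, argv);
}

int main(void)
{
    printf("valid options:  %d\n", scenario_valid());         /* 0 */
    printf("oversize value: %d\n", scenario_oversize());      /* -1 */
    printf("missing value:  %d\n", scenario_missing_value()); /* -1 */
    return 0;
}
```

Rejecting rather than truncating is deliberate: a silently shortened ExecuteCommand would later be handed to the shell as a different command than the user typed. The level-4 system("xscreensaver-demo") hit takes a constant string, so the only remaining exposure there is the shell's PATH lookup of that name, and the fopen("/proc/loadavg") hit opens a kernel-provided read-only path, which is not attacker-redirectable in the way the CWE-362 note describes.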