Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/ableton-link-3.0.2+dfsg/src/ableton/test/serial_io/SchedulerTree.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/test/catch/CatchMain.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Tempo.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_ClientSessionTimelines.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_PingResponder.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Phase.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_HostTimeFilter.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Controller.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_StartStopState.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_CircularFifo.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_LinearRegression.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Kalman.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Timeline.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Peers.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Measurement.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Beats.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/discovery/v1/tst_Messages.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/discovery/tst_PeerGateway.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/discovery/tst_PeerGateways.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/discovery/tst_InterfaceScanner.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/discovery/tst_Payload.cpp Examining data/ableton-link-3.0.2+dfsg/src/ableton/discovery/tst_UdpMessenger.cpp Examining data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioPlatform_Jack.cpp Examining data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioPlatform_CoreAudio.hpp Examining data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioPlatform_Wasapi.cpp Examining data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioPlatform.hpp Examining data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioPlatform_Portaudio.hpp Examining data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioEngine.cpp Examining data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioPlatform_Asio.hpp Examining data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioPlatform_Portaudio.cpp Examining data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioEngine.hpp Examining data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioPlatform_Jack.hpp Examining data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioPlatform_Dummy.hpp Examining data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioPlatform_Asio.cpp Examining data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioPlatform_Wasapi.hpp Examining data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioPlatform_CoreAudio.cpp Examining data/ableton-link-3.0.2+dfsg/examples/qlinkhut/Controller.cpp Examining data/ableton-link-3.0.2+dfsg/examples/qlinkhut/main.cpp Examining data/ableton-link-3.0.2+dfsg/examples/qlinkhut/Controller.hpp Examining data/ableton-link-3.0.2+dfsg/examples/linkhut/main.cpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/test/serial_io/Context.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/test/serial_io/SchedulerTree.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/test/serial_io/Fixture.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/test/serial_io/Socket.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/test/serial_io/Timer.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/test/CatchWrapper.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/posix/ScanIpIfAddrs.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/Config.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/linux/Clock.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/linux/Linux.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/windows/Clock.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/windows/ScanIpIfAddrs.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/stl/Clock.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/asio/Context.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/asio/Util.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/asio/AsioTimer.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/asio/AsioService.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/asio/LockFreeCallbackDispatcher.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/asio/AsioWrapper.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/asio/Socket.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/darwin/Clock.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/platforms/darwin/Darwin.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/Timeline.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/Tempo.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/MeasurementService.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/v1/Messages.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/Beats.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/PayloadEntries.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/Optional.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/MeasurementEndpointV4.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/Controller.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/Peers.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/LinearRegression.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/PeerState.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/PingResponder.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/StartStopState.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/Gateway.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/NodeState.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/HostTimeFilter.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/SessionState.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/Measurement.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/Phase.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/Sessions.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/SessionId.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/NodeId.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/GhostXForm.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/ClientSessionTimelines.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/Kalman.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/link/CircularFifo.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/Link.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/discovery/test/PayloadEntries.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/discovery/test/Interface.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/discovery/test/Socket.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/discovery/PeerGateway.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/discovery/v1/Messages.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/discovery/Payload.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/discovery/IpV4Interface.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/discovery/InterfaceScanner.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/discovery/NetworkByteStreamSerializable.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/discovery/MessageTypes.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/discovery/Service.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/discovery/PeerGateways.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/discovery/UdpMessenger.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/discovery/Socket.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/util/SafeAsyncHandler.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/util/test/IoService.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/util/test/Timer.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/util/Injected.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/util/SampleTiming.hpp Examining data/ableton-link-3.0.2+dfsg/include/ableton/util/Log.hpp Examining data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp FINAL RESULTS: data/ableton-link-3.0.2+dfsg/include/ableton/link/Controller.hpp:136:23: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. , mNodeId(NodeId::random()) data/ableton-link-3.0.2+dfsg/include/ableton/link/Controller.hpp:513:23: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. mNodeId = NodeId::random(); data/ableton-link-3.0.2+dfsg/include/ableton/link/NodeId.hpp:45:17: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. static NodeId random() data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Measurement.cpp:69:44: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. mState.nodeState.sessionId = NodeId::random(); data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Peers.cpp:62:22: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. PeerState{{NodeId::random(), NodeId::random(), data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Peers.cpp:62:40: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. PeerState{{NodeId::random(), NodeId::random(), data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Peers.cpp:68:22: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. PeerState{{NodeId::random(), NodeId::random(), data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Peers.cpp:68:40: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. PeerState{{NodeId::random(), NodeId::random(), data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Peers.cpp:73:22: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. PeerState{{NodeId::random(), NodeId::random(), data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_Peers.cpp:73:40: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. PeerState{{NodeId::random(), NodeId::random(), data/ableton-link-3.0.2+dfsg/src/ableton/link/tst_PingResponder.cpp:46:17: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. NodeId::random(), data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:8705:18: [3] (random) srand: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. std::srand( config.rngSeed() ); data/ableton-link-3.0.2+dfsg/examples/linkaudio/AudioPlatform_CoreAudio.cpp:114:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char deviceName[512]; data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:1537:23: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. struct TrueType { char sizer[1]; }; data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:1538:24: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. struct FalseType { char sizer[2]; }; data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:3131:13: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char storage[sizeof(T)]; data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:6142:14: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). void open() { data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:6236:17: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). open(); data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:6282:26: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). tracker->open(); data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:6471:16: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char altStackMem[SIGSTKSZ]; data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:7117:35: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char **utf8Argv = new char *[ argc ]; data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:7631:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char data[bufferSize]; data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:7668:15: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). m_ofs.open( filename.c_str() ); data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:8908:21: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char asChar[sizeof (int)]; data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:9550:13: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[maxDoubleSize]; data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:9557:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buffer, "%.3f", duration); data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:9784:16: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char line[CATCH_CONFIG_CONSOLE_WIDTH] = {0}; data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:10364:13: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char timeStamp[timeStampSize]; data/ableton-link-3.0.2+dfsg/include/ableton/discovery/v1/Messages.hpp:158:10: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. && equal(begin(detail::kProtocolHeader), end(detail::kProtocolHeader), bytesBegin)) data/ableton-link-3.0.2+dfsg/include/ableton/link/v1/Messages.hpp:127:15: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. && std::equal( data/ableton-link-3.0.2+dfsg/src/ableton/discovery/tst_Payload.cpp:181:14: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. CHECK(std::equal(begin(fooBarBytes), fooBarEnd, begin(sumBytes))); data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:7143:40: [1] (buffer) getchar: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). static_cast<void>(std::getchar()); data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:7148:40: [1] (buffer) getchar: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). static_cast<void>(std::getchar()); data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:8629:50: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. return s.size() >= prefix.size() && std::equal(prefix.begin(), prefix.end(), s.begin()); data/ableton-link-3.0.2+dfsg/third_party/catch/catch.hpp:8635:50: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. return s.size() >= suffix.size() && std::equal(suffix.rbegin(), suffix.rend(), s.rbegin()); ANALYSIS SUMMARY: Hits = 35 Lines analyzed = 26561 in approximately 0.53 seconds (49702 lines/second) Physical Source Lines of Code (SLOC) = 19189 Hits@level = [0] 0 [1] 7 [2] 16 [3] 12 [4] 0 [5] 0 Hits@level+ = [0+] 35 [1+] 35 [2+] 28 [3+] 12 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 1.82396 [1+] 1.82396 [2+] 1.45917 [3+] 0.625358 [4+] 0 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.