Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/arc-gui-clients-0.4.6/cmake/Modules/CheckFileOffsetBits.c
Examining data/arc-gui-clients-0.4.6/src/common/helpviewer.h
Examining data/arc-gui-clients-0.4.6/src/common/arcproxy-utils-functions.h
Examining data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.h
Examining data/arc-gui-clients-0.4.6/src/common/helpwindow.cpp
Examining data/arc-gui-clients-0.4.6/src/common/infodialog.cpp
Examining data/arc-gui-clients-0.4.6/src/common/arctools.h
Examining data/arc-gui-clients-0.4.6/src/common/infodialog.h
Examining data/arc-gui-clients-0.4.6/src/common/helpviewer.cpp
Examining data/arc-gui-clients-0.4.6/src/common/proxywindow.h
Examining data/arc-gui-clients-0.4.6/src/common/arc-gui-config.h
Examining data/arc-gui-clients-0.4.6/src/common/helpwindow.h
Examining data/arc-gui-clients-0.4.6/src/common/arcproxy-utils-functions.cpp
Examining data/arc-gui-clients-0.4.6/src/common/arctools.cpp
Examining data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.cpp
Examining data/arc-gui-clients-0.4.6/src/common/proxywindow.cpp
Examining data/arc-gui-clients-0.4.6/src/common/qdebugstream.h
Examining data/arc-gui-clients-0.4.6/src/arcstat-ui/jobinfo.h
Examining data/arc-gui-clients-0.4.6/src/arcstat-ui/JmBase.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstat-ui/jobinfo.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstat-ui/jobstatuswindow.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstat-ui/arcjobcontroller.h
Examining data/arc-gui-clients-0.4.6/src/arcstat-ui/jobstatuswindow.h
Examining data/arc-gui-clients-0.4.6/src/arcstat-ui/JmBase.h
Examining data/arc-gui-clients-0.4.6/src/arcstat-ui/main.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstat-ui/qdebugstream.h
Examining data/arc-gui-clients-0.4.6/src/arcstat-ui/arcjobcontroller.cpp
Examining data/arc-gui-clients-0.4.6/src/arcsub-ui/jobdefinitionwindow.h
Examining data/arc-gui-clients-0.4.6/src/arcsub-ui/jobdefinitions.h
Examining data/arc-gui-clients-0.4.6/src/arcsub-ui/jobdefinitions.cpp
Examining data/arc-gui-clients-0.4.6/src/arcsub-ui/utils.cpp
Examining data/arc-gui-clients-0.4.6/src/arcsub-ui/arcsubmitcontroller.h
Examining data/arc-gui-clients-0.4.6/src/arcsub-ui/utils.h
Examining data/arc-gui-clients-0.4.6/src/arcsub-ui/arcsubmitcontroller.cpp
Examining data/arc-gui-clients-0.4.6/src/arcsub-ui/jobdefinitionwindow.cpp
Examining data/arc-gui-clients-0.4.6/src/arcsub-ui/main.cpp
Examining data/arc-gui-clients-0.4.6/src/arcsub-ui/qdebugstream.h
Examining data/arc-gui-clients-0.4.6/src/arccert-ui/certconvertwindow.h
Examining data/arc-gui-clients-0.4.6/src/arccert-ui/certconvertwindow.cpp
Examining data/arc-gui-clients-0.4.6/src/arccert-ui/main.cpp
Examining data/arc-gui-clients-0.4.6/src/arccert-ui/qdebugstream.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/filelister.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/moc_draggableqtreewidget.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/filetransfer.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/filepropertyinspector.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/settings.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/storagesplash.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/foldercontent.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/fileserverfactory.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/applicationsettings.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/atreewidgetitem.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/filetransferlist.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/renamedialog.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/filepropertiesdialog.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/ftpfileserver.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/filepropertyinspector.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/storagesplash.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/arcfileelement.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/localfileserver.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/srmsettingsdialog.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/fileserver.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/filepropertiesdialog.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/atreewidgetitem.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/dragdropabletreewidget.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/ftpfileserver.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/globalstateinfo.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/settings.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/filelister.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/arcfileelement.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/arcfileserver.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/arcstorage.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/filetransfer.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/qdebugstream.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/localfileserver.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/fileserver.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/foldercontent.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/srmsettingsdialog.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/filetransferlist.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/applicationsettings.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/renamedialog.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/fileserverfactory.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/transferlistwindow.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/arcfileserver.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/arcstoragewindow.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/arcstoragewindow.h
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/dragdropabletreewidget.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/globalstateinfo.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/main.cpp
Examining data/arc-gui-clients-0.4.6/src/arcstorage-ui/transferlistwindow.cpp
Examining data/arc-gui-clients-0.4.6/src/arcproxy-ui/main.cpp

FINAL RESULTS:

data/arc-gui-clients-0.4.6/src/arccert-ui/certconvertwindow.cpp:354:5:  [5] (race) chmod:
  This accepts filename arguments; if an attacker can move those files, a
  race condition results. (CWE-362). Use fchmod( ) instead.
  chmod(keyFilename.toLatin1(), 0400);
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils-functions.cpp:66:10:  [5] (race) chmod:
  This accepts filename arguments; if an attacker can move those files, a
  race condition results. (CWE-362). Use fchmod( ) instead.
  if(::chmod(path.c_str(), S_IRUSR | S_IWUSR) != 0) {
data/arc-gui-clients-0.4.6/src/arcsub-ui/jobdefinitions.cpp:512:18:  [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
  numberString.sprintf("%03d", i);
data/arc-gui-clients-0.4.6/src/arcsub-ui/jobdefinitions.cpp:540:22:  [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
  numberString.sprintf("%03d", i);
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.cpp:68:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(prompt, "Password or Pin for \"%s\":",
data/arc-gui-clients-0.4.6/src/arcstorage-ui/ftpfileserver.cpp:236:30:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if (destinationFile->open(QIODevice::WriteOnly) == false)
data/arc-gui-clients-0.4.6/src/arcsub-ui/jobdefinitions.cpp:586:20:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  scriptFile.open(QFile::WriteOnly);
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils-functions.cpp:62:11:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  f = ::open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_TRUNC, S_IRUSR | S_IWUSR);
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils-functions.cpp:594:45:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  Arc::ClientTCP client(cfg, address, atoi(port.c_str()), use_gsi_comm ? Arc::GSISec : Arc::SSL3Sec, usercfg.Timeout());
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils-functions.cpp:609:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ret_buf[1024];
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.cpp:62:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char prompt[255];
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.cpp:238:26:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if(!vomsFile.open(QIODevice::ReadOnly)) {
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.cpp:288:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  vomsFile.open(QFile::WriteOnly|QFile::Truncate);
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.cpp:1134:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char password[256];
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.cpp:1142:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char newpassword[256];
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.cpp:1192:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char password[256];
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.cpp:1243:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char password[256];
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.cpp:1537:57:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  Arc::ClientTCP client(cfg, address, atoi(port.c_str()), use_gsi_comm ? Arc::GSISec : Arc::SSL3Sec, usercfg.Timeout());
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.cpp:1554:21:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ret_buf[1024];
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.cpp:1682:13:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char password[256];
data/arc-gui-clients-0.4.6/src/arcstorage-ui/arcfileelement.cpp:13:37:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  bool read,
data/arc-gui-clients-0.4.6/src/arcstorage-ui/arcfileelement.cpp:26:20:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  readable = read;
data/arc-gui-clients-0.4.6/src/arcstorage-ui/arcfileelement.h:38:25:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  bool read,
data/arc-gui-clients-0.4.6/src/arcstorage-ui/arcfileserver.cpp:266:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (url.length() > (int)strlen("SRM://"))
data/arc-gui-clients-0.4.6/src/arcstorage-ui/ftpfileserver.cpp:68:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (url.length() > (int)strlen("FTP://"))
data/arc-gui-clients-0.4.6/src/arcstorage-ui/localfileserver.cpp:26:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (URL.left(strlen("file://")).toLower() == "file://")
data/arc-gui-clients-0.4.6/src/arcstorage-ui/localfileserver.cpp:28:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  URL = URL.right(URL.length() - strlen("file://"));
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils-functions.cpp:133:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (ok >= 0) res = strlen(password);
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils-functions.cpp:720:13:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  c = getchar();
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.cpp:200:11:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  this->read();
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.cpp:218:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  bool VomsList::read()
data/arc-gui-clients-0.4.6/src/common/arcproxy-utils.h:52:10:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  bool read();

ANALYSIS SUMMARY:

Hits = 32
Lines analyzed = 15460 in approximately 0.39 seconds (39198 lines/second)
Physical Source Lines of Code (SLOC) = 11363
Hits@level = [0]   0 [1]  12 [2]  15 [3]   0 [4]   3 [5]   2
Hits@level+ = [0+]  32 [1+]  32 [2+]  20 [3+]   5 [4+]   5 [5+]   2
Hits/KSLOC@level+ = [0+] 2.81616 [1+] 2.81616 [2+] 1.7601 [3+] 0.440025 [4+] 0.440025 [5+] 0.17601
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.