Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/fbxkb-0.6/dbg.h Examining data/fbxkb-0.6/eggtrayicon.h Examining data/fbxkb-0.6/version.h Examining data/fbxkb-0.6/eggtrayicon.c Examining data/fbxkb-0.6/fbxkb.c FINAL RESULTS: data/fbxkb-0.6/dbg.h:3:27: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. #define ERR(fmt, args...) fprintf(stderr, fmt, ## args) data/fbxkb-0.6/dbg.h:4:28: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. #define DBG2(fmt, args...) fprintf(stderr, "%s:%-5d: " fmt, __FUNCTION__, __LINE__, ## args) data/fbxkb-0.6/dbg.h:8:28: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. #define DBG3(fmt, args...) fprintf(stderr, fmt, ## args) data/fbxkb-0.6/dbg.h:15:27: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. #define DBG(fmt, args...) fprintf(stderr, "%s:%-5d: " fmt, __FUNCTION__, __LINE__, ## args) data/fbxkb-0.6/eggtrayicon.c:235:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[256]; data/fbxkb-0.6/eggtrayicon.c:292:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[256]; data/fbxkb-0.6/eggtrayicon.c:351:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (&ev.data, message, 20); data/fbxkb-0.6/eggtrayicon.c:357:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (&ev.data, message, len); data/fbxkb-0.6/fbxkb.c:531:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[256]; data/fbxkb-0.6/eggtrayicon.c:322:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen (message); data/fbxkb-0.6/fbxkb.c:271:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). g_assert(sym != NULL && strlen(sym) > 1); data/fbxkb-0.6/fbxkb.c:371:40: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (!strcmp(tok, "pc") || (strlen(tok) != 2)) ANALYSIS SUMMARY: Hits = 12 Lines analyzed = 1016 in approximately 0.06 seconds (17488 lines/second) Physical Source Lines of Code (SLOC) = 760 Hits@level = [0] 5 [1] 3 [2] 5 [3] 0 [4] 4 [5] 0 Hits@level+ = [0+] 17 [1+] 12 [2+] 9 [3+] 4 [4+] 4 [5+] 0 Hits/KSLOC@level+ = [0+] 22.3684 [1+] 15.7895 [2+] 11.8421 [3+] 5.26316 [4+] 5.26316 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.