Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/geoclue-2.0-2.5.6/demo/agent.c
Examining data/geoclue-2.0-2.5.6/demo/gclue-service-agent.c
Examining data/geoclue-2.0-2.5.6/demo/gclue-service-agent.h
Examining data/geoclue-2.0-2.5.6/demo/where-am-i.c
Examining data/geoclue-2.0-2.5.6/libgeoclue/gclue-helpers.c
Examining data/geoclue-2.0-2.5.6/libgeoclue/gclue-helpers.h
Examining data/geoclue-2.0-2.5.6/libgeoclue/gclue-simple.c
Examining data/geoclue-2.0-2.5.6/libgeoclue/gclue-simple.h
Examining data/geoclue-2.0-2.5.6/libgeoclue/geoclue.h
Examining data/geoclue-2.0-2.5.6/public-api/gclue-enums.c
Examining data/geoclue-2.0-2.5.6/public-api/gclue-enums.h
Examining data/geoclue-2.0-2.5.6/src/gclue-3g-tower.h
Examining data/geoclue-2.0-2.5.6/src/gclue-3g.c
Examining data/geoclue-2.0-2.5.6/src/gclue-3g.h
Examining data/geoclue-2.0-2.5.6/src/gclue-cdma.c
Examining data/geoclue-2.0-2.5.6/src/gclue-cdma.h
Examining data/geoclue-2.0-2.5.6/src/gclue-client-info.c
Examining data/geoclue-2.0-2.5.6/src/gclue-client-info.h
Examining data/geoclue-2.0-2.5.6/src/gclue-compass.c
Examining data/geoclue-2.0-2.5.6/src/gclue-compass.h
Examining data/geoclue-2.0-2.5.6/src/gclue-config.c
Examining data/geoclue-2.0-2.5.6/src/gclue-config.h
Examining data/geoclue-2.0-2.5.6/src/gclue-error.c
Examining data/geoclue-2.0-2.5.6/src/gclue-error.h
Examining data/geoclue-2.0-2.5.6/src/gclue-location-source.c
Examining data/geoclue-2.0-2.5.6/src/gclue-location-source.h
Examining data/geoclue-2.0-2.5.6/src/gclue-location.c
Examining data/geoclue-2.0-2.5.6/src/gclue-location.h
Examining data/geoclue-2.0-2.5.6/src/gclue-locator.c
Examining data/geoclue-2.0-2.5.6/src/gclue-locator.h
Examining data/geoclue-2.0-2.5.6/src/gclue-main.c
Examining data/geoclue-2.0-2.5.6/src/gclue-min-uint.c
Examining data/geoclue-2.0-2.5.6/src/gclue-min-uint.h
Examining data/geoclue-2.0-2.5.6/src/gclue-modem-gps.c
Examining data/geoclue-2.0-2.5.6/src/gclue-modem-gps.h
Examining data/geoclue-2.0-2.5.6/src/gclue-modem-manager.c
Examining data/geoclue-2.0-2.5.6/src/gclue-modem-manager.h
Examining data/geoclue-2.0-2.5.6/src/gclue-modem.c
Examining data/geoclue-2.0-2.5.6/src/gclue-modem.h
Examining data/geoclue-2.0-2.5.6/src/gclue-mozilla.c
Examining data/geoclue-2.0-2.5.6/src/gclue-mozilla.h
Examining data/geoclue-2.0-2.5.6/src/gclue-nmea-source.c
Examining data/geoclue-2.0-2.5.6/src/gclue-nmea-source.h
Examining data/geoclue-2.0-2.5.6/src/gclue-service-client.c
Examining data/geoclue-2.0-2.5.6/src/gclue-service-client.h
Examining data/geoclue-2.0-2.5.6/src/gclue-service-location.c
Examining data/geoclue-2.0-2.5.6/src/gclue-service-location.h
Examining data/geoclue-2.0-2.5.6/src/gclue-service-manager.c
Examining data/geoclue-2.0-2.5.6/src/gclue-service-manager.h
Examining data/geoclue-2.0-2.5.6/src/gclue-web-source.c
Examining data/geoclue-2.0-2.5.6/src/gclue-web-source.h
Examining data/geoclue-2.0-2.5.6/src/gclue-wifi.c
Examining data/geoclue-2.0-2.5.6/src/gclue-wifi.h

FINAL RESULTS:

data/geoclue-2.0-2.5.6/src/gclue-config.c:61:18:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  gboolean system;
data/geoclue-2.0-2.5.6/src/gclue-config.c:137:35:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  gboolean allowed, system;
data/geoclue-2.0-2.5.6/src/gclue-config.c:176:38:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  app_config->system = system;
data/geoclue-2.0-2.5.6/src/gclue-config.c:430:51:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  return (app_config != NULL && app_config->system);
data/geoclue-2.0-2.5.6/src/gclue-location-source.c:411:38:  [3] (random) g_random_int_range:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  distance = (gdouble) g_random_int_range (1, 3);
data/geoclue-2.0-2.5.6/src/gclue-location-source.c:413:21:  [3] (random) g_random_boolean:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  if (g_random_boolean ())
data/geoclue-2.0-2.5.6/src/gclue-location.c:486:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char parts[3][3];
data/geoclue-2.0-2.5.6/src/gclue-location.c:507:17:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  hours = atoi (parts[0]);
data/geoclue-2.0-2.5.6/src/gclue-location.c:508:19:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  minutes = atoi (parts[1]);
data/geoclue-2.0-2.5.6/src/gclue-location.c:509:19:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  seconds = atoi (parts[2]);
data/geoclue-2.0-2.5.6/src/gclue-mozilla.c:82:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char raw_bssid[BSSID_LEN] = { 0 };
data/geoclue-2.0-2.5.6/src/gclue-mozilla.c:166:25:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char mac[BSSID_STR_LEN] = { 0 };
data/geoclue-2.0-2.5.6/src/gclue-mozilla.c:339:25:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char mac[BSSID_STR_LEN] = { 0 };
data/geoclue-2.0-2.5.6/src/gclue-mozilla.c:418:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ssid[MAX_SSID_LEN] = { 0 };
data/geoclue-2.0-2.5.6/src/gclue-mozilla.c:419:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char bssid[BSSID_STR_LEN] = { 0 };
data/geoclue-2.0-2.5.6/src/gclue-wifi.c:232:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char raw_bssid[BSSID_LEN] = { 0 };
data/geoclue-2.0-2.5.6/src/gclue-wifi.c:265:17:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ssid[MAX_SSID_LEN] = { 0 };
data/geoclue-2.0-2.5.6/src/gclue-wifi.c:283:17:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char bssid[BSSID_STR_LEN] = { 0 };
data/geoclue-2.0-2.5.6/src/gclue-wifi.c:309:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ssid[MAX_SSID_LEN] = { 0 };
data/geoclue-2.0-2.5.6/src/gclue-wifi.c:330:17:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char bssid[BSSID_STR_LEN] = { 0 };
data/geoclue-2.0-2.5.6/src/gclue-wifi.c:369:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ssid[MAX_SSID_LEN] = { 0 };
data/geoclue-2.0-2.5.6/demo/where-am-i.c:108:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (desc) > 0)
data/geoclue-2.0-2.5.6/src/gclue-client-info.c:200:47:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  const char *unit = lines[i] + strlen ("1:name=systemd:");
data/geoclue-2.0-2.5.6/src/gclue-client-info.c:216:32:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  name = scope + strlen("xdg-app-");
data/geoclue-2.0-2.5.6/src/gclue-location.c:494:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (nmea_ts) < 6) {
data/geoclue-2.0-2.5.6/src/gclue-location.c:495:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen (nmea_ts) >= 1)

ANALYSIS SUMMARY:

Hits = 26
Lines analyzed = 14154 in approximately 0.31 seconds (46239 lines/second)
Physical Source Lines of Code (SLOC) = 9813
Hits@level = [0]   0 [1]   5 [2]  15 [3]   2 [4]   4 [5]   0
Hits@level+ = [0+]  26 [1+]  26 [2+]  21 [3+]   6 [4+]   4 [5+]   0
Hits/KSLOC@level+ = [0+] 2.64955 [1+] 2.64955 [2+] 2.14002 [3+] 0.611434 [4+] 0.407623 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.