Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/gnome-online-accounts-3.38.0/src/daemon/main.c
Examining data/gnome-online-accounts-3.38.0/src/daemon/goadaemon.h
Examining data/gnome-online-accounts-3.38.0/src/daemon/goadaemon.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaewsclient.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goasouplogger.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaoauth2provider-web-extension.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goawebview.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goawebextension.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/nautilus-floating-bar.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaprovider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goadlnaservermanager.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goamediaserverprovider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goawebextensionmain.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goasmtpauth.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaobjectskeletonutils.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goawindowsliveprovider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goabackend.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goamailauth.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goabackendenumtypes.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaowncloudprovider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goarestproxy.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaobjectskeletonutils.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goafacebookprovider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goamailclient.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaoauth2provider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goawebview.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaprovider-priv.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goamailclient.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goakerberosprovider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goakerberosprovider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaoauthprovider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goafedoraprovider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaimapauthlogin.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaexchangeprovider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/nautilus-floating-bar.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goabackendenumtypes.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goafedoraprovider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goabackendinit.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goafoursquareprovider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goabackendenums-priv.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/gconstructor.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goasmtpauth.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaimapsmtpprovider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaimapsmtpprovider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaewsclient.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goautils.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaoauth2provider-web-view.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goagoogleprovider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goawebextension.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goafacebookprovider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goahttpclient.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaimapauthlogin.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaoauthprovider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goamediaserverprovider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goawindowsliveprovider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goalastfmprovider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goalastfmprovider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goabackendenums.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaoauth2provider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaflickrprovider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaexchangeprovider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaprovider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goamailauth.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaowncloudprovider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goahttpclient.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaflickrprovider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goarestproxy.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goaoauth2provider-priv.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goadlnaservermanager.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goagoogleprovider.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goasouplogger.h
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goafoursquareprovider.c
Examining data/gnome-online-accounts-3.38.0/src/goabackend/goautils.c
Examining data/gnome-online-accounts-3.38.0/src/goa/goaerror.c
Examining data/gnome-online-accounts-3.38.0/src/goa/goaversion.c
Examining data/gnome-online-accounts-3.38.0/src/goa/goaenumtypes.h
Examining data/gnome-online-accounts-3.38.0/src/goa/goaenums.h
Examining data/gnome-online-accounts-3.38.0/src/goa/goaclient.h
Examining data/gnome-online-accounts-3.38.0/src/goa/goaenumtypes.c
Examining data/gnome-online-accounts-3.38.0/src/goa/goa.h
Examining data/gnome-online-accounts-3.38.0/src/goa/goa-generated.c
Examining data/gnome-online-accounts-3.38.0/src/goa/goaversion.h
Examining data/gnome-online-accounts-3.38.0/src/goa/goaclient.c
Examining data/gnome-online-accounts-3.38.0/src/goa/goa-generated.h
Examining data/gnome-online-accounts-3.38.0/src/goa/goaerror.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentitymanager.c
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaalarm.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/main.c
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/org.gnome.Identity.c
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityutils.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentity.c
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goakerberosidentity.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityenumtypes.c
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentity.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityutils.c
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goakerberosidentitymanager.c
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityinquiryprivate.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentitymanagererror.c
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentitymanager.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityinquiry.c
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityenumtypes.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityservice.c
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/org.gnome.Identity.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityinquiry.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentitymanagerprivate.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaalarm.c
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentitymanagererror.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goakerberosidentityinquiry.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityservice.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goakerberosidentityinquiry.c
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goakerberosidentitymanager.h
Examining data/gnome-online-accounts-3.38.0/src/goaidentity/goakerberosidentity.c
Examining data/gnome-online-accounts-3.38.0/src/examples/introspect-providers.c
Examining data/gnome-online-accounts-3.38.0/src/examples/list-accounts.c
Examining data/gnome-online-accounts-3.38.0/src/examples/list-providers.c
Examining data/gnome-online-accounts-3.38.0/src/examples/lastfm-shout.c

FINAL RESULTS:

data/gnome-online-accounts-3.38.0/src/goabackend/goaoauth2provider.c:668:39: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  ret_access_token_expires_in = atoi (expires_in_str);
data/gnome-online-accounts-3.38.0/src/goabackend/goaoauth2provider.c:846:45: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  priv->access_token_expires_in = atoi (expires_in_str);
data/gnome-online-accounts-3.38.0/src/goabackend/goaoauthprovider.c:554:35: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  ret_access_token_expires_in = atoi (expires_in_str);
data/gnome-online-accounts-3.38.0/src/goabackend/goaoauthprovider.c:557:37: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  ret_session_handle_expires_in = atoi (expires_in_str);
data/gnome-online-accounts-3.38.0/src/goabackend/gconstructor.h:60:31: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  __pragma(section(".CRT$XCU",read)) \
data/gnome-online-accounts-3.38.0/src/goabackend/gconstructor.h:68:31: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  __pragma(section(".CRT$XCU",read)) \
data/gnome-online-accounts-3.38.0/src/goabackend/gconstructor.h:80:22: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  section(".CRT$XCU",read)
data/gnome-online-accounts-3.38.0/src/goabackend/gconstructor.h:87:22: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  section(".CRT$XCU",read)
data/gnome-online-accounts-3.38.0/src/goabackend/goaimapauthlogin.c:198:9: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen (str);
data/gnome-online-accounts-3.38.0/src/goabackend/goaowncloudprovider.c:428:19: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  pretty_path[strlen(pretty_path) - 1] = '\0';
data/gnome-online-accounts-3.38.0/src/goabackend/goasmtpauth.c:112:46: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!g_str_has_prefix (response, "250") || strlen (response) < 4)
data/gnome-online-accounts-3.38.0/src/goabackend/goasmtpauth.c:482:32: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  auth_arg_plain_len = 2 * strlen (self->username) + 2 + strlen (self->password);
data/gnome-online-accounts-3.38.0/src/goabackend/goasmtpauth.c:482:62: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  auth_arg_plain_len = 2 * strlen (self->username) + 2 + strlen (self->password);
data/gnome-online-accounts-3.38.0/src/goabackend/goasmtpauth.c:496:28: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  auth_arg_plain_len = strlen (self->username);
data/gnome-online-accounts-3.38.0/src/goabackend/goasmtpauth.c:516:28: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  auth_arg_plain_len = strlen (self->password);
data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityservice.c:84:63: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen (identifier));
data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityutils.c:104:26: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  studly_string_length = strlen (studly_string);
data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityutils.c:139:22: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (dashed_string[strlen (old_prefix)] == '-' ||
data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityutils.c:140:22: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  dashed_string[strlen (old_prefix)] == '_'))
data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityutils.c:141:22: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  dashed_string += strlen (old_prefix) + 1;
data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityutils.c:147:8: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  i += strlen (new_prefix) + 1;
data/gnome-online-accounts-3.38.0/src/goaidentity/goaidentityutils.c:149:30: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  dbus_error_string_length = strlen (dbus_error_string);
data/gnome-online-accounts-3.38.0/src/goaidentity/goakerberosidentityinquiry.c:282:19: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  answer_length = strlen (answer);
data/gnome-online-accounts-3.38.0/src/goaidentity/goakerberosidentityinquiry.c:290:7: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (kerberos_query->kerberos_prompt->reply->data,

ANALYSIS SUMMARY:

Hits = 24
Lines analyzed = 67558 in approximately 1.59 seconds (42498 lines/second)
Physical Source Lines of Code (SLOC) = 46821
Hits@level = [0] 0 [1] 20 [2] 4 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 24 [1+] 24 [2+] 4 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 0.512591 [1+] 0.512591 [2+] 0.0854318 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.