Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/gnome-todo-3.28.1/plugins/background/gtd-plugin-background.c
Examining data/gnome-todo-3.28.1/plugins/background/gtd-plugin-background.h
Examining data/gnome-todo-3.28.1/plugins/dark-theme/gtd-plugin-dark-theme.c
Examining data/gnome-todo-3.28.1/plugins/dark-theme/gtd-plugin-dark-theme.h
Examining data/gnome-todo-3.28.1/plugins/today-panel/gtd-plugin-today-panel.c
Examining data/gnome-todo-3.28.1/plugins/today-panel/gtd-panel-today.h
Examining data/gnome-todo-3.28.1/plugins/today-panel/gtd-plugin-today-panel.h
Examining data/gnome-todo-3.28.1/plugins/today-panel/gtd-panel-today.c
Examining data/gnome-todo-3.28.1/plugins/todo-txt/gtd-plugin-todo-txt.c
Examining data/gnome-todo-3.28.1/plugins/todo-txt/gtd-provider-todo-txt.h
Examining data/gnome-todo-3.28.1/plugins/todo-txt/gtd-plugin-todo-txt.h
Examining data/gnome-todo-3.28.1/plugins/todo-txt/gtd-todo-txt-parser.h
Examining data/gnome-todo-3.28.1/plugins/todo-txt/gtd-todo-txt-parser.c
Examining data/gnome-todo-3.28.1/plugins/todo-txt/gtd-provider-todo-txt.c
Examining data/gnome-todo-3.28.1/plugins/scheduled-panel/gtd-plugin-scheduled-panel.c
Examining data/gnome-todo-3.28.1/plugins/scheduled-panel/gtd-panel-scheduled.c
Examining data/gnome-todo-3.28.1/plugins/scheduled-panel/gtd-panel-scheduled.h
Examining data/gnome-todo-3.28.1/plugins/scheduled-panel/gtd-plugin-scheduled-panel.h
Examining data/gnome-todo-3.28.1/plugins/eds/gtd-task-eds.h
Examining data/gnome-todo-3.28.1/plugins/eds/gtd-provider-goa.h
Examining data/gnome-todo-3.28.1/plugins/eds/gtd-plugin-eds.h
Examining data/gnome-todo-3.28.1/plugins/eds/gtd-provider-local.c
Examining data/gnome-todo-3.28.1/plugins/eds/gtd-provider-local.h
Examining data/gnome-todo-3.28.1/plugins/eds/gtd-task-list-eds.h
Examining data/gnome-todo-3.28.1/plugins/eds/gtd-plugin-eds.c
Examining data/gnome-todo-3.28.1/plugins/eds/gtd-provider-eds.h
Examining data/gnome-todo-3.28.1/plugins/eds/gtd-provider-goa.c
Examining data/gnome-todo-3.28.1/plugins/eds/e-source-gnome-todo.c
Examining data/gnome-todo-3.28.1/plugins/eds/e-source-gnome-todo.h
Examining data/gnome-todo-3.28.1/plugins/eds/gtd-eds-autoptr.h
Examining data/gnome-todo-3.28.1/plugins/eds/gtd-provider-eds.c
Examining data/gnome-todo-3.28.1/plugins/eds/gtd-task-eds.c
Examining data/gnome-todo-3.28.1/plugins/eds/gtd-task-list-eds.c
Examining data/gnome-todo-3.28.1/plugins/todoist/gtd-todoist-preferences-panel.h
Examining data/gnome-todo-3.28.1/plugins/todoist/gtd-todoist-preferences-panel.c
Examining data/gnome-todo-3.28.1/plugins/todoist/gtd-plugin-todoist.c
Examining data/gnome-todo-3.28.1/plugins/todoist/gtd-provider-todoist.c
Examining data/gnome-todo-3.28.1/plugins/todoist/gtd-provider-todoist.h
Examining data/gnome-todo-3.28.1/plugins/todoist/gtd-plugin-todoist.h
Examining data/gnome-todo-3.28.1/src/gnome-todo.h
Examining data/gnome-todo-3.28.1/src/gtd-initial-setup-window.c
Examining data/gnome-todo-3.28.1/src/gtd-empty-list-widget.h
Examining data/gnome-todo-3.28.1/src/gtd-plugin-dialog-row.c
Examining data/gnome-todo-3.28.1/src/gtd-task-list.c
Examining data/gnome-todo-3.28.1/src/gtd-plugin-dialog.h
Examining data/gnome-todo-3.28.1/src/gtd-timer.c
Examining data/gnome-todo-3.28.1/src/gtd-application.c
Examining data/gnome-todo-3.28.1/src/interfaces/gtd-provider.h
Examining data/gnome-todo-3.28.1/src/interfaces/gtd-activatable.c
Examining data/gnome-todo-3.28.1/src/interfaces/gtd-panel.c
Examining data/gnome-todo-3.28.1/src/interfaces/gtd-provider.c
Examining data/gnome-todo-3.28.1/src/interfaces/gtd-panel.h
Examining data/gnome-todo-3.28.1/src/interfaces/gtd-activatable.h
Examining data/gnome-todo-3.28.1/src/gtd-window.h
Examining data/gnome-todo-3.28.1/src/gtd-task-list.h
Examining data/gnome-todo-3.28.1/src/gtd-task-row.c
Examining data/gnome-todo-3.28.1/src/gtd-initial-setup-window.h
Examining data/gnome-todo-3.28.1/src/gtd-empty-list-widget.c
Examining data/gnome-todo-3.28.1/src/gtd-enums.h
Examining data/gnome-todo-3.28.1/src/gtd-task-row.h
Examining data/gnome-todo-3.28.1/src/gtd-edit-pane.h
Examining data/gnome-todo-3.28.1/src/gtd-edit-pane.c
Examining data/gnome-todo-3.28.1/src/widgets/gtd-expandable-entry.h
Examining data/gnome-todo-3.28.1/src/widgets/gtd-done-button.h
Examining data/gnome-todo-3.28.1/src/widgets/gtd-done-button.c
Examining data/gnome-todo-3.28.1/src/widgets/gtd-expandable-entry.c
Examining data/gnome-todo-3.28.1/src/logging/gtd-log.h
Examining data/gnome-todo-3.28.1/src/logging/gtd-log.c
Examining data/gnome-todo-3.28.1/src/gtd-rows-common-private.h
Examining data/gnome-todo-3.28.1/src/main.c
Examining data/gnome-todo-3.28.1/src/views/gtd-list-selector-panel.c
Examining data/gnome-todo-3.28.1/src/views/gtd-list-selector-item.c
Examining data/gnome-todo-3.28.1/src/views/gtd-list-selector.c
Examining data/gnome-todo-3.28.1/src/views/gtd-list-selector-panel.h
Examining data/gnome-todo-3.28.1/src/views/gtd-list-selector-grid-item.h
Examining data/gnome-todo-3.28.1/src/views/gtd-list-selector-list.h
Examining data/gnome-todo-3.28.1/src/views/gtd-list-selector-list-item.c
Examining data/gnome-todo-3.28.1/src/views/gtd-list-selector-grid.c
Examining data/gnome-todo-3.28.1/src/views/gtd-list-selector-grid.h
Examining data/gnome-todo-3.28.1/src/views/gtd-list-selector-list-item.h
Examining data/gnome-todo-3.28.1/src/views/gtd-list-selector-item.h
Examining data/gnome-todo-3.28.1/src/views/gtd-list-selector-grid-item.c
Examining data/gnome-todo-3.28.1/src/views/gtd-list-selector-list.c
Examining data/gnome-todo-3.28.1/src/views/gtd-list-selector.h
Examining data/gnome-todo-3.28.1/src/gtd-application.h
Examining data/gnome-todo-3.28.1/src/gtd-dnd-row.h
Examining data/gnome-todo-3.28.1/src/gtd-rows-common.c
Examining data/gnome-todo-3.28.1/src/gtd-task.h
Examining data/gnome-todo-3.28.1/src/gtd-plugin-dialog-row.h
Examining data/gnome-todo-3.28.1/src/gtd-new-task-row.h
Examining data/gnome-todo-3.28.1/src/gtd-object.h
Examining data/gnome-todo-3.28.1/src/gtd-utils.h
Examining data/gnome-todo-3.28.1/src/gtd-object.c
Examining data/gnome-todo-3.28.1/src/gtd-utils.c
Examining data/gnome-todo-3.28.1/src/engine/gtd-manager.h
Examining data/gnome-todo-3.28.1/src/engine/gtd-manager-protected.h
Examining data/gnome-todo-3.28.1/src/engine/gtd-manager.c
Examining data/gnome-todo-3.28.1/src/engine/gtd-plugin-manager.h
Examining data/gnome-todo-3.28.1/src/engine/gtd-plugin-manager.c
Examining data/gnome-todo-3.28.1/src/gtd-task.c
Examining data/gnome-todo-3.28.1/src/provider/gtd-provider-selector.c
Examining data/gnome-todo-3.28.1/src/provider/gtd-provider-popover.c
Examining data/gnome-todo-3.28.1/src/provider/gtd-provider-row.c
Examining data/gnome-todo-3.28.1/src/provider/gtd-provider-selector.h
Examining data/gnome-todo-3.28.1/src/provider/gtd-provider-row.h
Examining data/gnome-todo-3.28.1/src/provider/gtd-provider-popover.h
Examining data/gnome-todo-3.28.1/src/notification/gtd-notification.h
Examining data/gnome-todo-3.28.1/src/notification/gtd-notification.c
Examining data/gnome-todo-3.28.1/src/notification/gtd-notification-widget.c
Examining data/gnome-todo-3.28.1/src/notification/gtd-notification-widget.h
Examining data/gnome-todo-3.28.1/src/gtd-timer.h
Examining data/gnome-todo-3.28.1/src/gtd-task-list-view.h
Examining data/gnome-todo-3.28.1/src/gtd-new-task-row.c
Examining data/gnome-todo-3.28.1/src/gtd-types.h
Examining data/gnome-todo-3.28.1/src/gtd-dnd-row.c
Examining data/gnome-todo-3.28.1/src/gtd-plugin-dialog.c
Examining data/gnome-todo-3.28.1/src/gtd-window.c
Examining data/gnome-todo-3.28.1/src/gtd-task-list-view.c

FINAL RESULTS:

data/gnome-todo-3.28.1/src/engine/gtd-plugin-manager.c:199:34: [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable input if the environment can beset by an attacker. It can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them.
  plugin_dir = g_build_filename (g_get_home_dir (),
data/gnome-todo-3.28.1/src/gtd-empty-list-widget.c:81:20: [3] (random) g_random_int_range:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  icon_index = g_random_int_range (0, G_N_ELEMENTS (icons));
data/gnome-todo-3.28.1/src/gtd-empty-list-widget.c:82:23: [3] (random) g_random_int_range:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  message_index = g_random_int_range (0, G_N_ELEMENTS (messages));
data/gnome-todo-3.28.1/src/gtd-empty-list-widget.c:83:24: [3] (random) g_random_int_range:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  subtitle_index = g_random_int_range (0, G_N_ELEMENTS (subtitles));
data/gnome-todo-3.28.1/plugins/todo-txt/gtd-todo-txt-parser.c:107:18: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  token_length = strlen (token);
data/gnome-todo-3.28.1/plugins/todo-txt/gtd-todo-txt-parser.c:220:36: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  dt = parse_date (token + strlen ("due:"));
data/gnome-todo-3.28.1/plugins/todo-txt/gtd-todo-txt-parser.c:280:37: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  color = g_strdup (token + strlen ("color:"));
data/gnome-todo-3.28.1/plugins/todo-txt/gtd-todo-txt-parser.c:394:33: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!is_date (token + strlen ("due:")))
data/gnome-todo-3.28.1/src/gtd-utils.c:45:16: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  source_len = strlen (source);
data/gnome-todo-3.28.1/src/gtd-utils.c:46:16: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  search_len = strlen (search);
data/gnome-todo-3.28.1/src/gtd-utils.c:47:21: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  replacement_len = strlen (replacement);
data/gnome-todo-3.28.1/src/gtd-utils.c:79:7: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (new_aux, source_aux2, diff);
data/gnome-todo-3.28.1/src/gtd-utils.c:84:7: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (new_aux, replacement, replacement_len);
data/gnome-todo-3.28.1/src/gtd-utils.c:92:3: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (new_aux, source_aux2, diff);

ANALYSIS SUMMARY:

Hits = 14
Lines analyzed = 28613 in approximately 0.83 seconds (34425 lines/second)
Physical Source Lines of Code (SLOC) = 18014
Hits@level = [0] 0 [1] 10 [2] 0 [3] 4 [4] 0 [5] 0
Hits@level+ = [0+] 14 [1+] 14 [2+] 4 [3+] 4 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 0.777173 [1+] 0.777173 [2+] 0.22205 [3+] 0.22205 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.