Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/grsync-1.3.0/src/main.c
Examining data/grsync-1.3.0/src/callbacks.c
Examining data/grsync-1.3.0/src/callbacks.h
Examining data/grsync-1.3.0/src/support.h

FINAL RESULTS:

data/grsync-1.3.0/src/callbacks.c:732:27:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")'; it returns untrustable
  input if the environment can be set by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
	grsync_dir = g_strconcat(g_get_home_dir(), "/.grsync", NULL);
data/grsync-1.3.0/src/callbacks.c:134:24:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	if (filename == NULL) strcpy(config_command, "rsync");
data/grsync-1.3.0/src/callbacks.c:376:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	key_file = fopen(settings_file_name, "w");
data/grsync-1.3.0/src/callbacks.c:535:7:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	else strcpy(tmps, "0%");
data/grsync-1.3.0/src/callbacks.c:671:14:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
		log_file = fopen(gtmp, (config_log_overwrite ? "w" : "a"));
data/grsync-1.3.0/src/callbacks.c:808:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
		sprintf(pidbuf, "%i", rsync_pid);
data/grsync-1.3.0/src/callbacks.c:809:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
		sprintf(sigbuf, "%i", sig);
data/grsync-1.3.0/src/callbacks.c:1018:2:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
	sprintf(buf, "%i", WEXITSTATUS(status));
data/grsync-1.3.0/src/callbacks.c:1251:14:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
		key_file = fopen(settings_file_name, "w");
data/grsync-1.3.0/src/callbacks.c:131:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
	else strncpy(settings_file_path, filename, MAXPATH-1);
data/grsync-1.3.0/src/callbacks.c:157:4:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
			strncpy(config_command, stmp, MAXPATH - 1);
data/grsync-1.3.0/src/callbacks.c:275:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
	else strncpy(settings_file_name, filename, MAXPATH-1);
data/grsync-1.3.0/src/callbacks.c:1350:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
		strncpy(config_command, gtk_entry_get_text((GtkEntry*) gtk_builder_get_object(builder, "entry_command")), MAXPATH - 1);

ANALYSIS SUMMARY:

Hits = 13
Lines analyzed = 1636 in approximately 0.07 seconds (21996 lines/second)
Physical Source Lines of Code (SLOC) = 1336
Hits@level = [0]   3 [1]   4 [2]   8 [3]   1 [4]   0 [5]   0
Hits@level+ = [0+]  16 [1+]  13 [2+]   9 [3+]   1 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 11.976 [1+] 9.73054 [2+] 6.73653 [3+] 0.748503 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.