Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/kmahjongg-20.04.3/src/selectionanimation.cpp Examining data/kmahjongg-20.04.3/src/demoanimation.h Examining data/kmahjongg-20.04.3/src/gamescene.cpp Examining data/kmahjongg-20.04.3/src/gameremovedtiles.h Examining data/kmahjongg-20.04.3/src/kmtypes.h Examining data/kmahjongg-20.04.3/src/gameview.cpp Examining data/kmahjongg-20.04.3/src/kmahjongg.cpp Examining data/kmahjongg-20.04.3/src/movelistanimation.cpp Examining data/kmahjongg-20.04.3/src/editor.h Examining data/kmahjongg-20.04.3/src/gameview.h Examining data/kmahjongg-20.04.3/src/boardlayout.h Examining data/kmahjongg-20.04.3/src/gamebackground.h Examining data/kmahjongg-20.04.3/src/gamescene.h Examining data/kmahjongg-20.04.3/src/gamedata.cpp Examining data/kmahjongg-20.04.3/src/main.cpp Examining data/kmahjongg-20.04.3/src/version.h Examining data/kmahjongg-20.04.3/src/editor.cpp Examining data/kmahjongg-20.04.3/src/kmahjongglayout.cpp Examining data/kmahjongg-20.04.3/src/gameitem.h Examining data/kmahjongg-20.04.3/src/movelistanimation.h Examining data/kmahjongg-20.04.3/src/gameitem.cpp Examining data/kmahjongg-20.04.3/src/kmahjongglayoutselector.cpp Examining data/kmahjongg-20.04.3/src/demoanimation.cpp Examining data/kmahjongg-20.04.3/src/frameimage.h Examining data/kmahjongg-20.04.3/src/selectionanimation.h Examining data/kmahjongg-20.04.3/src/kmahjongglayout.h Examining data/kmahjongg-20.04.3/src/boardlayout.cpp Examining data/kmahjongg-20.04.3/src/gamedata.h Examining data/kmahjongg-20.04.3/src/kmahjongg.h Examining data/kmahjongg-20.04.3/src/frameimage.cpp Examining data/kmahjongg-20.04.3/src/gamebackground.cpp Examining data/kmahjongg-20.04.3/src/kmahjongglayoutselector.h Examining data/kmahjongg-20.04.3/src/gameremovedtiles.cpp FINAL RESULTS: data/kmahjongg-20.04.3/src/gamedata.cpp:248:41: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. position = static_cast<int>(random.getLong(m_numTilesToGenerate)); data/kmahjongg-20.04.3/src/gamedata.cpp:405:24: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. position = random.getLong(m_numTilesToGenerate); data/kmahjongg-20.04.3/src/gamedata.cpp:580:23: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. p2 = p1 = random.getLong(remaining - 2); data/kmahjongg-20.04.3/src/gamedata.cpp:584:22: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. p2 = random.getLong(remaining - 2); data/kmahjongg-20.04.3/src/gamedata.cpp:680:18: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. to = random.getLong(144); data/kmahjongg-20.04.3/src/gamedata.cpp:902:9: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. random.setSeed(0); // WABA: Why is the seed reset? data/kmahjongg-20.04.3/src/gamedata.cpp:903:21: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. short pos = random.getLong(posCount) & -2; // Even value data/kmahjongg-20.04.3/src/gamedata.cpp:1080:20: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. int pos1 = random.getLong(count); data/kmahjongg-20.04.3/src/gamedata.cpp:1081:20: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. int pos2 = random.getLong(count); data/kmahjongg-20.04.3/src/gamedata.h:91:21: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. KRandomSequence random; data/kmahjongg-20.04.3/src/gameview.cpp:221:33: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. m_gameNumber = KRandom::random(); data/kmahjongg-20.04.3/src/gameview.cpp:228:17: [3] (random) random: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. m_gameData->random.setSeed(m_gameNumber); data/kmahjongg-20.04.3/src/boardlayout.cpp:66:12: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (!f.open(QIODevice::ReadWrite)) { data/kmahjongg-20.04.3/src/boardlayout.cpp:118:11: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (f.open(QIODevice::ReadOnly)) { data/kmahjongg-20.04.3/src/boardlayout.cpp:166:11: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (f.open(QIODevice::ReadOnly)) { data/kmahjongg-20.04.3/src/boardlayout.cpp:270:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(to, m_board.data(), m_width * m_height * m_depth); data/kmahjongg-20.04.3/src/gamedata.h:117:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char m_removedCharacter[9]; data/kmahjongg-20.04.3/src/gamedata.h:118:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char m_removedBamboo[9]; data/kmahjongg-20.04.3/src/gamedata.h:119:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char m_removedRod[9]; data/kmahjongg-20.04.3/src/gamedata.h:120:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char m_removedDragon[3]; data/kmahjongg-20.04.3/src/gamedata.h:121:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char m_removedWind[9]; data/kmahjongg-20.04.3/src/gamedata.h:122:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char m_removedFlower[4]; data/kmahjongg-20.04.3/src/gamedata.h:123:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char m_removedSeason[4]; data/kmahjongg-20.04.3/src/kmahjongg.cpp:595:17: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (!infile.open(QFile::ReadOnly)) { data/kmahjongg-20.04.3/src/kmahjongg.cpp:671:18: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (!outfile.open(QFile::WriteOnly)) { data/kmahjongg-20.04.3/src/kmahjongglayout.cpp:88:17: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (!bgfile.open(QIODevice::ReadOnly)) { ANALYSIS SUMMARY: Hits = 26 Lines analyzed = 7672 in approximately 0.83 seconds (9252 lines/second) Physical Source Lines of Code (SLOC) = 4694 Hits@level = [0] 0 [1] 0 [2] 14 [3] 12 [4] 0 [5] 0 Hits@level+ = [0+] 26 [1+] 26 [2+] 26 [3+] 12 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 5.53899 [1+] 5.53899 [2+] 5.53899 [3+] 2.55646 [4+] 0 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.