Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libgit2-glib-0.28.0.1/examples/clone.c
Examining data/libgit2-glib-0.28.0.1/examples/general.c
Examining data/libgit2-glib-0.28.0.1/examples/walk.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-annotated-commit.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-annotated-commit.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-blame-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-blame-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-blame.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-blame.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-blob-output-stream.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-blob-output-stream.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-blob.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-blob.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-branch-enumerator.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-branch-enumerator.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-branch.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-branch.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-checkout-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-checkout-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-cherry-pick-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-cherry-pick-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-clone-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-clone-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-commit-parents.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-commit-parents.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-commit.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-commit.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-config-entry.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-config-entry.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-config.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-config.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-convert.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-convert.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-cred-plaintext.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-cred-plaintext.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-cred-ssh-interactive.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-cred-ssh-interactive.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-cred-ssh-key-from-agent.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-cred-ssh-key-from-agent.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-cred.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-cred.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-binary-file.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-binary-file.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-binary.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-binary.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-delta.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-delta.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-file.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-file.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-find-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-find-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-format-email-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-format-email-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-hunk.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-hunk.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-line.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-line.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-similarity-metric.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-similarity-metric.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-error.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-error.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-fetch-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-fetch-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-index-entry-resolve-undo.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-index-entry-resolve-undo.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-index-entry.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-index-entry.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-index.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-index.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-main.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-main.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-merge-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-merge-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-message.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-message.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-native.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-native.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-note.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-note.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-object-factory-base.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-object-factory-base.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-object-factory.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-object-factory.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-object.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-object.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-oid.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-oid.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-patch.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-patch.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-proxy-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-proxy-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-push-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-push-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-rebase-operation.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-rebase-operation.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-rebase-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-rebase-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-rebase.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-rebase.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-ref-spec.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-ref-spec.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-ref.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-ref.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-reflog-entry.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-reflog-entry.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-reflog.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-reflog.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-remote-callbacks.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-remote-callbacks.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-remote.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-remote.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-repository.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-repository.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-revert-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-revert-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-revision-walker.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-revision-walker.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-signature.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-signature.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-status-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-status-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-submodule-update-options.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-submodule-update-options.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-submodule.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-submodule.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-tag.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-tag.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-transfer-progress.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-transfer-progress.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-tree-builder.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-tree-builder.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-tree-entry.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-tree-entry.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-tree.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-tree.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-types.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-types.h
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-utils.c
Examining data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-utils.h
Examining data/libgit2-glib-0.28.0.1/tests/repository.c

FINAL RESULTS:

data/libgit2-glib-0.28.0.1/tests/repository.c:147:8:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  ret = system (cmd);
data/libgit2-glib-0.28.0.1/tests/repository.c:130:39:  [3] (buffer) g_get_tmp_dir:
  This function is synonymous with 'getenv("TMP")';it returns untrustable
  input if the environment can beset by an attacker. It can have any content
  and length, and the same variable can be set more than once (CWE-807,
  CWE-20). Check environment variables carefully before using them.
  fixture->git_dir = g_build_filename (g_get_tmp_dir (),
data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff-binary-file.c:49:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (gfile->data, file->data, file->datalen);
data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-transfer-progress.c:42:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (&gprogress->progress, progress, sizeof (git_transfer_progress));
data/libgit2-glib-0.28.0.1/examples/clone.c:61:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  l = strlen (s);
data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-convert.c:42:8:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  gsize read, written;
data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-convert.c:49:28:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  &read,
data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-convert.c:53:26:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  res = g_convert (text, read, "UTF-8", "ASCII", NULL, NULL, NULL);
data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-convert.c:58:17:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  size = size - read;
data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-convert.c:74:8:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  gsize read;
data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-convert.c:81:21:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  &read,
data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-convert.c:117:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size = strlen (str);
data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-cred-ssh-interactive.c:212:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  responses[i].length = strlen (wprompts[i]->response);
data/libgit2-glib-0.28.0.1/libgit2-glib/ggit-diff.c:998:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  buffer_len = strlen((const gchar *) buffer);
data/libgit2-glib-0.28.0.1/tests/repository.c:226:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  msglen = strlen (msg);
data/libgit2-glib-0.28.0.1/tests/repository.c:298:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen (message),

ANALYSIS SUMMARY:

Hits = 16
Lines analyzed = 32147 in approximately 0.92 seconds (35008 lines/second)
Physical Source Lines of Code (SLOC) = 17015
Hits@level = [0] 0 [1] 12 [2] 2 [3] 1 [4] 1 [5] 0
Hits@level+ = [0+] 16 [1+] 16 [2+] 4 [3+] 2 [4+] 1 [5+] 0
Hits/KSLOC@level+ = [0+] 0.940347 [1+] 0.940347 [2+] 0.235087 [3+] 0.117543 [4+] 0.0587717 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.