Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libosinfo-1.7.1/osinfo/ignore-value.h
Examining data/libosinfo-1.7.1/osinfo/osinfo.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_avatar_format.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_avatar_format.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_datamap.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_datamap.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_datamaplist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_datamaplist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_db.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_db.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_deployment.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_deployment.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_deploymentlist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_deploymentlist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_device.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_device.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_device_driver.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_device_driver.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_device_driver_private.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_device_driverlist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_device_driverlist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_devicelink.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_devicelink.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_devicelinkfilter.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_devicelinkfilter.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_devicelinklist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_devicelinklist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_devicelist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_devicelist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_entity.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_entity.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_filter.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_filter.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_firmware.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_firmware.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_firmwarelist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_firmwarelist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_image.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_image.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_imagelist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_imagelist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_install_config.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_install_config.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_install_config_param.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_install_config_param.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_install_config_paramlist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_install_config_paramlist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_install_script.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_install_script.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_install_script_private.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_install_scriptlist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_install_scriptlist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_list.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_list.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_loader.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_loader.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_media.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_media.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_media_private.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_medialist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_medialist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_os.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_os.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_os_variant.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_os_variant.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_os_variantlist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_os_variantlist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_oslist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_oslist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_platform.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_platform.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_platformlist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_platformlist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_product.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_product.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_product_private.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_productfilter.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_productfilter.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_productlist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_productlist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_resources.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_resources.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_resources_private.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_resourceslist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_resourceslist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_tree.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_tree.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_treelist.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_treelist.h
Examining data/libosinfo-1.7.1/osinfo/osinfo_util_private.c
Examining data/libosinfo-1.7.1/osinfo/osinfo_util_private.h
Examining data/libosinfo-1.7.1/tests/test-db.c
Examining data/libosinfo-1.7.1/tests/test-device.c
Examining data/libosinfo-1.7.1/tests/test-devicelinklist.c
Examining data/libosinfo-1.7.1/tests/test-devicelist.c
Examining data/libosinfo-1.7.1/tests/test-entity.c
Examining data/libosinfo-1.7.1/tests/test-filter.c
Examining data/libosinfo-1.7.1/tests/test-firmware.c
Examining data/libosinfo-1.7.1/tests/test-firmwarelist.c
Examining data/libosinfo-1.7.1/tests/test-image.c
Examining data/libosinfo-1.7.1/tests/test-imagelist.c
Examining data/libosinfo-1.7.1/tests/test-install-script.c
Examining data/libosinfo-1.7.1/tests/test-list.c
Examining data/libosinfo-1.7.1/tests/test-loader.c
Examining data/libosinfo-1.7.1/tests/test-media.c
Examining data/libosinfo-1.7.1/tests/test-os.c
Examining data/libosinfo-1.7.1/tests/test-oslist.c
Examining data/libosinfo-1.7.1/tests/test-platform.c
Examining data/libosinfo-1.7.1/tests/test-platformlist.c
Examining data/libosinfo-1.7.1/tests/test-product.c
Examining data/libosinfo-1.7.1/tests/test-productfilter.c
Examining data/libosinfo-1.7.1/tests/test-tree.c
Examining data/libosinfo-1.7.1/tools/osinfo-detect.c
Examining data/libosinfo-1.7.1/tools/osinfo-install-script.c
Examining data/libosinfo-1.7.1/tools/osinfo-query.c
Examining data/libosinfo-1.7.1/debian/tests/build-test.c

FINAL RESULTS:

data/libosinfo-1.7.1/osinfo/osinfo_media.c:75:12:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  gchar system[MAX_SYSTEM]; /* System ID */
data/libosinfo-1.7.1/osinfo/osinfo_media.c:100:12:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  gchar system[MAX_SYSTEM]; /* System ID */
data/libosinfo-1.7.1/osinfo/osinfo_media.c:145:12:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  gchar *system;
data/libosinfo-1.7.1/osinfo/osinfo_media.c:164:18:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  g_free(data->system);
data/libosinfo-1.7.1/osinfo/osinfo_media.c:861:29:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  if (!is_str_empty(data->system))
data/libosinfo-1.7.1/osinfo/osinfo_media.c:864:39:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  data->system);
data/libosinfo-1.7.1/osinfo/osinfo_media.c:1152:15:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  data->svd.system[MAX_SYSTEM - 1] = 0;
data/libosinfo-1.7.1/osinfo/osinfo_media.c:1153:26:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  g_strchomp(data->svd.system);
data/libosinfo-1.7.1/osinfo/osinfo_media.c:1155:41:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  if (strncmp(BOOTABLE_TAG, data->svd.system, sizeof(BOOTABLE_TAG)) != 0) {
data/libosinfo-1.7.1/osinfo/osinfo_media.c:1228:40:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  data->system = g_strndup(data->pvd.system, MAX_SYSTEM);
data/libosinfo-1.7.1/osinfo/osinfo_media.c:1229:22:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  g_strchomp(data->system);
data/libosinfo-1.7.1/osinfo/osinfo_install_config.c:84:20:  [3] (random) g_random_int_range:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  gint val = g_random_int_range(0, sizeof(valid));
data/libosinfo-1.7.1/osinfo/osinfo_loader.c:227:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(*list, obj->nodesetval->nodeTab,
data/libosinfo-1.7.1/osinfo/osinfo_loader.c:299:30:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  if (g_strcmp0((const char *)nodes[i]->children->content, "true") == 0) {
data/libosinfo-1.7.1/osinfo/osinfo_loader.c:443:40:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  (const char *)custom[i]->name,
data/libosinfo-1.7.1/osinfo/osinfo_loader.c:444:40:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  (const char *)custom[i]->children->content);
data/libosinfo-1.7.1/osinfo/osinfo_install_script.c:1688:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  data->output_len = strlen(data->output);
data/libosinfo-1.7.1/osinfo/osinfo_loader.c:533:32:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  suffix = g_strdup(id + strlen("http://"));
data/libosinfo-1.7.1/osinfo/osinfo_loader.c:1290:60:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  OSINFO_TREE_PROP_TREEINFO_FAMILY + strlen("treeinfo-")))
data/libosinfo-1.7.1/osinfo/osinfo_loader.c:1295:66:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  OSINFO_TREE_PROP_TREEINFO_VARIANT + strlen("treeinfo-")))
data/libosinfo-1.7.1/osinfo/osinfo_loader.c:1300:66:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  OSINFO_TREE_PROP_TREEINFO_VERSION + strlen("treeinfo-")))
data/libosinfo-1.7.1/osinfo/osinfo_loader.c:1305:63:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  OSINFO_TREE_PROP_TREEINFO_ARCH + strlen("treeinfo-")))
data/libosinfo-1.7.1/osinfo/osinfo_loader.c:2172:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  relpath += strlen(basepath);
data/libosinfo-1.7.1/osinfo/osinfo_loader.c:2178:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  key = g_strndup(dirname, strlen(dirname) - 2);
data/libosinfo-1.7.1/osinfo/osinfo_loader.c:2181:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  key = g_strndup(relpath, strlen(relpath) - 4);
data/libosinfo-1.7.1/osinfo/osinfo_media.c:826:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (i = 0; i < strlen(str); i++)
data/libosinfo-1.7.1/osinfo/osinfo_media.c:956:85:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_ascii_strncasecmp(data->filepath[data->filepath_index], dr->filename, strlen(data->filepath[data->filepath_index])) == 0) {
data/libosinfo-1.7.1/osinfo/osinfo_tree.c:551:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (i = 0; i < strlen(str); i++)
data/libosinfo-1.7.1/osinfo/osinfo_tree.c:1193:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return load_keyinfo(location, treeinfo, strlen(treeinfo), error);
data/libosinfo-1.7.1/tools/osinfo-query.c:247:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (val && (strlen(val) > labels[i].width))
data/libosinfo-1.7.1/tools/osinfo-query.c:250:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  pad = labels[i].width - (val ? strlen(val) : 0);
data/libosinfo-1.7.1/tools/osinfo-query.c:293:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(gettext(labels[i].label)) > labels[i].width)
data/libosinfo-1.7.1/tools/osinfo-query.c:296:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  pad = labels[i].width - strlen(gettext(labels[i].label));

ANALYSIS SUMMARY:

Hits = 33
Lines analyzed = 30678 in approximately 0.80 seconds (38430 lines/second)
Physical Source Lines of Code (SLOC) = 17608
Hits@level = [0]   0 [1]  17 [2]   4 [3]   1 [4]  11 [5]   0
Hits@level+ = [0+]  33 [1+]  33 [2+]  16 [3+]  12 [4+]  11 [5+]   0
Hits/KSLOC@level+ = [0+] 1.87415 [1+] 1.87415 [2+] 0.908678 [3+] 0.681508 [4+] 0.624716 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1

Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.
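Triage note and added example. All eleven level-4 "system" hits above fall on a variable or struct field named system (gchar system[MAX_SYSTEM], gchar *system, data->system, data->svd.system, data->pvd.system), not on a call to the libc system() function: flawfinder matches rule names as tokens, so an identifier that shares a name with a dangerous function is reported as if it were the function. flawfinder's own -F/--falsepositive option drops hits whose name is not followed by "(" and skips character-array declarations; a report produced without it, like this one, has to be filtered afterwards. The three level-2 "char" hits (osinfo_loader.c:299, 443, 444) are (const char *) casts rather than statically sized arrays. The memcpy, strlen and g_random_int_range hits are real calls and need the usual review of where their inputs come from and, for g_random_int_range, of whether the generated value is used for anything security-relevant. The script below is an added example, not flawfinder's or libosinfo's code. It parses the text format of this report (assuming the report was produced with --context, so that each hit ends with its source line, as above), separates call sites from name collisions, and cross-checks the parsed hits against the report's own Hits@level line. SAMPLE_REPORT is a constructed subset of this report with the advisory messages abbreviated, plus one invented hit at the hypothetical path example/run.c that contains a real system() call.

```python
# Added example (not flawfinder's or libosinfo's code): parse a flawfinder text
# report produced with --context and separate real calls from name collisions.
import re
from collections import Counter, namedtuple

# Header of one hit:  path:line:col:  [level] (category) rulename:
HIT_RE = re.compile(r"^(?P<path>\S+):(?P<line>\d+):(?P<col>\d+):\s+"
                    r"\[(?P<level>[0-5])\]\s+\((?P<cat>\w+)\)\s+(?P<name>\w+):\s*$")

# context = the source line flawfinder quoted (needs --context), "" if absent
Hit = namedtuple("Hit", "path line level category name message context")


def parse_report(text):
    """Turn the FINAL RESULTS section into Hit records."""
    hits, header, body, in_results = [], None, [], False

    def flush():
        if header is None:
            return
        # Last indented line is the source line; the rest is the wrapped message.
        msg, ctx = (body[:-1], body[-1]) if len(body) >= 2 else (body, "")
        hits.append(Hit(header["path"], int(header["line"]), int(header["level"]),
                        header["cat"], header["name"], " ".join(msg), ctx))

    for raw in text.splitlines():
        if raw.startswith("FINAL RESULTS:"):
            in_results = True
        elif raw.startswith("ANALYSIS SUMMARY:"):
            break
        elif in_results and (m := HIT_RE.match(raw)):
            flush()
            header, body = m.groupdict(), []
        elif in_results and header is not None and raw.strip():
            body.append(raw.strip())
    flush()
    return hits


def is_call(name, context):
    """True when `name` is used as a call (`name(`) in the quoted line, not as
    a variable, struct field or array that merely shares the name."""
    return re.search(r"(?<![\w.>])" + re.escape(name) + r"\s*\(", context) is not None


def triage(hits):
    """Map 'path:line' to 'name-collision' (flawfinder matched an identifier,
    not the dangerous function) or 'review' (a real call, or no context line;
    the `char` rule is about array sizes, not calls, so it is always 'review')."""
    verdicts = {}
    for h in hits:
        real = h.name == "char" or not h.context or is_call(h.name, h.context)
        verdicts[f"{h.path}:{h.line}"] = "review" if real else "name-collision"
    return verdicts


def level_counts(hits):
    return dict(Counter(h.level for h in hits))


def summary_matches(text, hits):
    """Cross-check parsed hits against the report's own Hits@level line."""
    for raw in text.splitlines():
        if raw.startswith("Hits@level ="):
            reported = {int(l): int(n) for l, n in re.findall(r"\[(\d)\]\s+(\d+)", raw)}
            return all(reported.get(l, 0) == level_counts(hits).get(l, 0) for l in range(6))
    return False


# Constructed sample: a subset of the report above with messages abbreviated,
# plus one invented hit (example/run.c, hypothetical) with a real system() call.
SAMPLE_REPORT = r"""Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
FINAL RESULTS:

data/libosinfo-1.7.1/osinfo/osinfo_media.c:75:12:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  gchar system[MAX_SYSTEM]; /* System ID */
data/libosinfo-1.7.1/osinfo/osinfo_media.c:164:18:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  g_free(data->system);
example/run.c:10:10:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  rc = system(cmd);
data/libosinfo-1.7.1/osinfo/osinfo_install_config.c:84:20:  [3] (random) g_random_int_range:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327).
  gint val = g_random_int_range(0, sizeof(valid));

ANALYSIS SUMMARY:

Hits = 4
Hits@level = [0]   0 [1]   0 [2]   0 [3]   1 [4]   3 [5]   0
"""

if __name__ == "__main__":
    for key, verdict in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{verdict:15} {key}")
```

Run it against a full report with `parse_report(open("report.txt").read())`; the name-collision verdicts are the hits -F would have suppressed, and a false result from summary_matches means the parser missed or double-counted a hit and the triage list should not be trusted.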