Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/osinfo-db-tools-1.1.0/tools/osinfo-db-util.c
Examining data/osinfo-db-tools-1.1.0/tools/osinfo-db-import.c
Examining data/osinfo-db-tools-1.1.0/tools/osinfo-db-export.c
Examining data/osinfo-db-tools-1.1.0/tools/osinfo-db-validate.c
Examining data/osinfo-db-tools-1.1.0/tools/osinfo-db-util.h
Examining data/osinfo-db-tools-1.1.0/tools/osinfo-db-path.c

FINAL RESULTS:

data/osinfo-db-tools-1.1.0/tools/osinfo-db-export.c:495:53:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  { "system", 0, 0, G_OPTION_ARG_NONE, (void *)&system,
data/osinfo-db-tools-1.1.0/tools/osinfo-db-export.c:533:9:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  if (system)
data/osinfo-db-tools-1.1.0/tools/osinfo-db-export.c:555:49:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  dir = osinfo_db_get_path(root, user, local, system, custom);
data/osinfo-db-tools-1.1.0/tools/osinfo-db-import.c:218:53:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  { "system", 0, 0, G_OPTION_ARG_NONE, (void *)&system,
data/osinfo-db-tools-1.1.0/tools/osinfo-db-import.c:252:9:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  if (system)
data/osinfo-db-tools-1.1.0/tools/osinfo-db-import.c:264:49:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  dir = osinfo_db_get_path(root, user, local, system, custom);
data/osinfo-db-tools-1.1.0/tools/osinfo-db-path.c:52:53:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  { "system", 0, 0, G_OPTION_ARG_NONE, (void *)&system,
data/osinfo-db-tools-1.1.0/tools/osinfo-db-path.c:86:9:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  if (system)
data/osinfo-db-tools-1.1.0/tools/osinfo-db-path.c:97:49:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  dir = osinfo_db_get_path(root, user, local, system, custom);
data/osinfo-db-tools-1.1.0/tools/osinfo-db-util.c:99:36:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  gboolean system,
data/osinfo-db-tools-1.1.0/tools/osinfo-db-util.c:108:16:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  } else if (system) {
data/osinfo-db-tools-1.1.0/tools/osinfo-db-util.c:122:36:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  gboolean system,
data/osinfo-db-tools-1.1.0/tools/osinfo-db-util.c:133:26:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  if (user || local || system || custom)
data/osinfo-db-tools-1.1.0/tools/osinfo-db-util.c:145:19:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  if (tryAll || system)
data/osinfo-db-tools-1.1.0/tools/osinfo-db-util.h:40:36:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  gboolean system,
data/osinfo-db-tools-1.1.0/tools/osinfo-db-util.h:45:36:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  gboolean system,
data/osinfo-db-tools-1.1.0/tools/osinfo-db-validate.c:259:53:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  { "system", 0, 0, G_OPTION_ARG_NONE, (void *)&system,
data/osinfo-db-tools-1.1.0/tools/osinfo-db-validate.c:286:9:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  if (system)
data/osinfo-db-tools-1.1.0/tools/osinfo-db-validate.c:300:33:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  system || local || user || custom,
data/osinfo-db-tools-1.1.0/tools/osinfo-db-validate.c:308:49:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78).
  try using a library call that implements the same functionality if available.
  dir = osinfo_db_get_path(root, user, local, system, custom);
data/osinfo-db-tools-1.1.0/tools/osinfo-db-export.c:319:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  archive_entry_set_size(entry, strlen(version));
data/osinfo-db-tools-1.1.0/tools/osinfo-db-export.c:327:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (archive_write_data(arc, version, strlen(version)) < 0) {

ANALYSIS SUMMARY:

Hits = 22
Lines analyzed = 2014 in approximately 0.07 seconds (27127 lines/second)
Physical Source Lines of Code (SLOC) = 1161
Hits@level = [0]   0 [1]   2 [2]   0 [3]   0 [4]  20 [5]   0
Hits@level+ = [0+]  22 [1+]  22 [2+]  20 [3+]  20 [4+]  20 [5+]   0
Hits/KSLOC@level+ = [0+] 18.9492 [1+] 18.9492 [2+] 17.2265 [3+] 17.2265 [4+] 17.2265 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.