Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/purple-discord-0.9.2020.07.17.git.8fd7ceb/glib_compat.h Examining data/purple-discord-0.9.2020.07.17.git.8fd7ceb/json_compat.h Examining data/purple-discord-0.9.2020.07.17.git.8fd7ceb/libdiscord.c Examining data/purple-discord-0.9.2020.07.17.git.8fd7ceb/markdown.c Examining data/purple-discord-0.9.2020.07.17.git.8fd7ceb/markdown.h Examining data/purple-discord-0.9.2020.07.17.git.8fd7ceb/purple_compat.h FINAL RESULTS: data/purple-discord-0.9.2020.07.17.git.8fd7ceb/libdiscord.c:5626:48: [3] (random) g_random_int: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. nonce = g_strdup_printf("%" G_GUINT32_FORMAT, g_random_int()); data/purple-discord-0.9.2020.07.17.git.8fd7ceb/libdiscord.c:1011:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). header_len = strlen(headers); data/purple-discord-0.9.2020.07.17.git.8fd7ceb/libdiscord.c:1221:78: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). g_string_append_printf(headers, "Content-Length: %" G_GSIZE_FORMAT "\r\n", strlen(postdata)); data/purple-discord-0.9.2020.07.17.git.8fd7ceb/libdiscord.c:4673:52: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). purple_ssl_write(da->websocket, websocket_header, strlen(websocket_header)); data/purple-discord-0.9.2020.07.17.git.8fd7ceb/libdiscord.c:5007:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). gint i = strlen(str) - 1; data/purple-discord-0.9.2020.07.17.git.8fd7ceb/libdiscord.c:5640:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). final_len = strlen(final); data/purple-discord-0.9.2020.07.17.git.8fd7ceb/libdiscord.c:6043:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (!name || !strlen(name)) { data/purple-discord-0.9.2020.07.17.git.8fd7ceb/markdown.c:135:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). guint html_len = strlen(html); data/purple-discord-0.9.2020.07.17.git.8fd7ceb/markdown.c:287:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t markdown_len = strlen(markdown); ANALYSIS SUMMARY: Hits = 9 Lines analyzed = 7585 in approximately 0.18 seconds (41875 lines/second) Physical Source Lines of Code (SLOC) = 5583 Hits@level = [0] 0 [1] 8 [2] 0 [3] 1 [4] 0 [5] 0 Hits@level+ = [0+] 9 [1+] 9 [2+] 1 [3+] 1 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 1.61204 [1+] 1.61204 [2+] 0.179115 [3+] 0.179115 [4+] 0 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.