Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/qgit-2.9/src/FileHistory.cc
Examining data/qgit-2.9/src/FileHistory.h
Examining data/qgit-2.9/src/annotate.cpp
Examining data/qgit-2.9/src/annotate.h
Examining data/qgit-2.9/src/cache.cpp
Examining data/qgit-2.9/src/cache.h
Examining data/qgit-2.9/src/commitimpl.cpp
Examining data/qgit-2.9/src/commitimpl.h
Examining data/qgit-2.9/src/common.cpp
Examining data/qgit-2.9/src/common.h
Examining data/qgit-2.9/src/config.h
Examining data/qgit-2.9/src/consoleimpl.cpp
Examining data/qgit-2.9/src/consoleimpl.h
Examining data/qgit-2.9/src/customactionimpl.cpp
Examining data/qgit-2.9/src/customactionimpl.h
Examining data/qgit-2.9/src/dataloader.cpp
Examining data/qgit-2.9/src/dataloader.h
Examining data/qgit-2.9/src/domain.cpp
Examining data/qgit-2.9/src/domain.h
Examining data/qgit-2.9/src/exceptionmanager.cpp
Examining data/qgit-2.9/src/exceptionmanager.h
Examining data/qgit-2.9/src/filecontent.cpp
Examining data/qgit-2.9/src/filecontent.h
Examining data/qgit-2.9/src/filelist.cpp
Examining data/qgit-2.9/src/filelist.h
Examining data/qgit-2.9/src/fileview.cpp
Examining data/qgit-2.9/src/fileview.h
Examining data/qgit-2.9/src/git.cpp
Examining data/qgit-2.9/src/git.h
Examining data/qgit-2.9/src/help.h
Examining data/qgit-2.9/src/inputdialog.cpp
Examining data/qgit-2.9/src/inputdialog.h
Examining data/qgit-2.9/src/lanes.cpp
Examining data/qgit-2.9/src/lanes.h
Examining data/qgit-2.9/src/listview.cpp
Examining data/qgit-2.9/src/listview.h
Examining data/qgit-2.9/src/mainimpl.cpp
Examining data/qgit-2.9/src/mainimpl.h
Examining data/qgit-2.9/src/myprocess.cpp
Examining data/qgit-2.9/src/myprocess.h
Examining data/qgit-2.9/src/namespace_def.cpp
Examining data/qgit-2.9/src/patchcontent.cpp
Examining data/qgit-2.9/src/patchcontent.h
Examining data/qgit-2.9/src/patchview.cpp
Examining data/qgit-2.9/src/patchview.h
Examining data/qgit-2.9/src/qgit.cpp
Examining data/qgit-2.9/src/rangeselectimpl.cpp
Examining data/qgit-2.9/src/rangeselectimpl.h
Examining data/qgit-2.9/src/revdesc.cpp
Examining data/qgit-2.9/src/revdesc.h
Examining data/qgit-2.9/src/revsview.cpp
Examining data/qgit-2.9/src/revsview.h
Examining data/qgit-2.9/src/settingsimpl.cpp
Examining data/qgit-2.9/src/settingsimpl.h
Examining data/qgit-2.9/src/smartbrowse.cpp
Examining data/qgit-2.9/src/smartbrowse.h
Examining data/qgit-2.9/src/treeview.cpp
Examining data/qgit-2.9/src/treeview.h

FINAL RESULTS:

data/qgit-2.9/src/namespace_def.cpp:428:3:  [5] (race) chmod:
  This accepts filename arguments; if an attacker can move those files, a
  race condition results. (CWE-362). Use fchmod( ) instead.
  chmod(fileName.toLatin1().constData(), 0755);
data/qgit-2.9/src/namespace_def.cpp:446:3:  [5] (race) chmod:
  This accepts filename arguments; if an attacker can move those files, a
  race condition results. (CWE-362). Use fchmod( ) instead.
  chmod(fileName.toLatin1().constData(), 0755);
data/qgit-2.9/src/git.cpp:2418:29:  [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
  tmp.sprintf("Loaded %i revisions (%li KB), "
data/qgit-2.9/src/cache.cpp:31:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  if (!f.open(QIODevice::WriteOnly | QIODevice::Unbuffered))
data/qgit-2.9/src/cache.cpp:118:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  if (!f.open(QIODevice::ReadOnly | QIODevice::Unbuffered))
data/qgit-2.9/src/dataloader.cpp:21:28:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  bool unbufOpen() { return open(QIODevice::ReadOnly | QIODevice::Unbuffered); }
data/qgit-2.9/src/dataloader.cpp:300:19:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  if (!dataFile->open()) { // test for write access
data/qgit-2.9/src/dataloader.cpp:311:17:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  if (!dataFile->open()) // to read the file name
data/qgit-2.9/src/filecontent.cpp:531:8:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  if (f.open()) {
data/qgit-2.9/src/git.cpp:987:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  if (file.open(QIODevice::ReadOnly)) {
data/qgit-2.9/src/namespace_def.cpp:412:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  if (!file.open(QIODevice::WriteOnly)) {
data/qgit-2.9/src/namespace_def.cpp:436:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  if (!file.open(QIODevice::WriteOnly)) {
data/qgit-2.9/src/namespace_def.cpp:455:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  if (!file.open(QIODevice::ReadOnly)) {
data/qgit-2.9/src/namespace_def.cpp:484:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move
  things around to create a race condition, control its ancestors, or change
  its contents? (CWE-362).
  bufFile->open();
data/qgit-2.9/src/dataloader.cpp:244:46:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  int len = static_cast<int>(dataFile->read(ba->data(), READ_BLOCK_SIZE));

ANALYSIS SUMMARY:

Hits = 15
Lines analyzed = 17743 in approximately 0.40 seconds (43859 lines/second)
Physical Source Lines of Code (SLOC) = 12904
Hits@level = [0]   0 [1]   1 [2]  11 [3]   0 [4]   1 [5]   2
Hits@level+ = [0+]  15 [1+]  15 [2+]  14 [3+]   3 [4+]   3 [5+]   2
Hits/KSLOC@level+ = [0+] 1.16243 [1+] 1.16243 [2+] 1.08493 [3+] 0.232486 [4+] 0.232486 [5+] 0.154991
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.