Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/qgit-2.9/src/FileHistory.cc
Examining data/qgit-2.9/src/FileHistory.h
Examining data/qgit-2.9/src/annotate.cpp
Examining data/qgit-2.9/src/annotate.h
Examining data/qgit-2.9/src/cache.cpp
Examining data/qgit-2.9/src/cache.h
Examining data/qgit-2.9/src/commitimpl.cpp
Examining data/qgit-2.9/src/commitimpl.h
Examining data/qgit-2.9/src/common.cpp
Examining data/qgit-2.9/src/common.h
Examining data/qgit-2.9/src/config.h
Examining data/qgit-2.9/src/consoleimpl.cpp
Examining data/qgit-2.9/src/consoleimpl.h
Examining data/qgit-2.9/src/customactionimpl.cpp
Examining data/qgit-2.9/src/customactionimpl.h
Examining data/qgit-2.9/src/dataloader.cpp
Examining data/qgit-2.9/src/dataloader.h
Examining data/qgit-2.9/src/domain.cpp
Examining data/qgit-2.9/src/domain.h
Examining data/qgit-2.9/src/exceptionmanager.cpp
Examining data/qgit-2.9/src/exceptionmanager.h
Examining data/qgit-2.9/src/filecontent.cpp
Examining data/qgit-2.9/src/filecontent.h
Examining data/qgit-2.9/src/filelist.cpp
Examining data/qgit-2.9/src/filelist.h
Examining data/qgit-2.9/src/fileview.cpp
Examining data/qgit-2.9/src/fileview.h
Examining data/qgit-2.9/src/git.cpp
Examining data/qgit-2.9/src/git.h
Examining data/qgit-2.9/src/help.h
Examining data/qgit-2.9/src/inputdialog.cpp
Examining data/qgit-2.9/src/inputdialog.h
Examining data/qgit-2.9/src/lanes.cpp
Examining data/qgit-2.9/src/lanes.h
Examining data/qgit-2.9/src/listview.cpp
Examining data/qgit-2.9/src/listview.h
Examining data/qgit-2.9/src/mainimpl.cpp
Examining data/qgit-2.9/src/mainimpl.h
Examining data/qgit-2.9/src/myprocess.cpp
Examining data/qgit-2.9/src/myprocess.h
Examining data/qgit-2.9/src/namespace_def.cpp
Examining data/qgit-2.9/src/patchcontent.cpp
Examining data/qgit-2.9/src/patchcontent.h
Examining data/qgit-2.9/src/patchview.cpp
Examining data/qgit-2.9/src/patchview.h
Examining data/qgit-2.9/src/qgit.cpp
Examining data/qgit-2.9/src/rangeselectimpl.cpp
Examining data/qgit-2.9/src/rangeselectimpl.h
Examining data/qgit-2.9/src/revdesc.cpp
Examining data/qgit-2.9/src/revdesc.h
Examining data/qgit-2.9/src/revsview.cpp
Examining data/qgit-2.9/src/revsview.h
Examining data/qgit-2.9/src/settingsimpl.cpp
Examining data/qgit-2.9/src/settingsimpl.h
Examining data/qgit-2.9/src/smartbrowse.cpp
Examining data/qgit-2.9/src/smartbrowse.h
Examining data/qgit-2.9/src/treeview.cpp
Examining data/qgit-2.9/src/treeview.h
FINAL RESULTS:
data/qgit-2.9/src/namespace_def.cpp:428:3: [5] (race) chmod:
This accepts filename arguments; if an attacker can move those files, a
race condition results. (CWE-362). Use fchmod( ) instead.
chmod(fileName.toLatin1().constData(), 0755);
data/qgit-2.9/src/namespace_def.cpp:446:3: [5] (race) chmod:
This accepts filename arguments; if an attacker can move those files, a
race condition results. (CWE-362). Use fchmod( ) instead.
chmod(fileName.toLatin1().constData(), 0755);
data/qgit-2.9/src/git.cpp:2418:29: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
tmp.sprintf("Loaded %i revisions (%li KB), "
data/qgit-2.9/src/cache.cpp:31:9: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!f.open(QIODevice::WriteOnly | QIODevice::Unbuffered))
data/qgit-2.9/src/cache.cpp:118:9: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!f.open(QIODevice::ReadOnly | QIODevice::Unbuffered))
data/qgit-2.9/src/dataloader.cpp:21:28: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
bool unbufOpen() { return open(QIODevice::ReadOnly | QIODevice::Unbuffered); }
data/qgit-2.9/src/dataloader.cpp:300:19: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!dataFile->open()) { // test for write access
data/qgit-2.9/src/dataloader.cpp:311:17: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!dataFile->open()) // to read the file name
data/qgit-2.9/src/filecontent.cpp:531:8: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (f.open()) {
data/qgit-2.9/src/git.cpp:987:12: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (file.open(QIODevice::ReadOnly)) {
data/qgit-2.9/src/namespace_def.cpp:412:12: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!file.open(QIODevice::WriteOnly)) {
data/qgit-2.9/src/namespace_def.cpp:436:12: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!file.open(QIODevice::WriteOnly)) {
data/qgit-2.9/src/namespace_def.cpp:455:12: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!file.open(QIODevice::ReadOnly)) {
data/qgit-2.9/src/namespace_def.cpp:484:12: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
bufFile->open();
data/qgit-2.9/src/dataloader.cpp:244:46: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
int len = static_cast<int>(dataFile->read(ba->data(), READ_BLOCK_SIZE));
ANALYSIS SUMMARY:
Hits = 15
Lines analyzed = 17743 in approximately 0.40 seconds (43859 lines/second)
Physical Source Lines of Code (SLOC) = 12904
Hits@level = [0] 0 [1] 1 [2] 11 [3] 0 [4] 1 [5] 2
Hits@level+ = [0+] 15 [1+] 15 [2+] 14 [3+] 3 [4+] 3 [5+] 2
Hits/KSLOC@level+ = [0+] 1.16243 [1+] 1.16243 [2+] 1.08493 [3+] 0.232486 [4+] 0.232486 [5+] 0.154991
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.