Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/spread-sheet-widget-0.6/demo/custom-axis.c
Examining data/spread-sheet-widget-0.6/demo/main.c
Examining data/spread-sheet-widget-0.6/demo/custom-axis.h
Examining data/spread-sheet-widget-0.6/doc/prog2.c
Examining data/spread-sheet-widget-0.6/doc/prog1.c
Examining data/spread-sheet-widget-0.6/src/ssw-sheet-body.c
Examining data/spread-sheet-widget-0.6/src/ssw-sheet.h
Examining data/spread-sheet-widget-0.6/src/ssw-virtual-model.h
Examining data/spread-sheet-widget-0.6/src/ssw-sheet-single.c
Examining data/spread-sheet-widget-0.6/src/ssw-virtual-model.c
Examining data/spread-sheet-widget-0.6/src/ssw-constraint.h
Examining data/spread-sheet-widget-0.6/src/ssw-sheet-single.h
Examining data/spread-sheet-widget-0.6/src/ssw-axis-model.h
Examining data/spread-sheet-widget-0.6/src/ssw-constraint.c
Examining data/spread-sheet-widget-0.6/src/ssw-html-parser.c
Examining data/spread-sheet-widget-0.6/src/ssw-xpaned.h
Examining data/spread-sheet-widget-0.6/src/ssw-sheet-axis.h
Examining data/spread-sheet-widget-0.6/src/ssw-paste.h
Examining data/spread-sheet-widget-0.6/src/ssw-sheet.c
Examining data/spread-sheet-widget-0.6/src/ssw-sheet-body.h
Examining data/spread-sheet-widget-0.6/src/ssw-axis-model.c
Examining data/spread-sheet-widget-0.6/src/ssw-cell.h
Examining data/spread-sheet-widget-0.6/src/ssw-sheet-axis.c
Examining data/spread-sheet-widget-0.6/src/ssw-xpaned.c
Examining data/spread-sheet-widget-0.6/src/ssw-cell.c

FINAL RESULTS:

data/spread-sheet-widget-0.6/src/ssw-virtual-model.c:262:18: [3] (random) g_random_int:
  This function is not sufficiently random for security-related functions such
  as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  model->stamp = g_random_int ();
data/spread-sheet-widget-0.6/src/ssw-sheet-body.c:258:45: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gtk_css_provider_load_from_data (cp, css, strlen (css), 0);
data/spread-sheet-widget-0.6/src/ssw-sheet-body.c:418:62: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gtk_css_provider_load_from_data (cp, focused_border, strlen (focused_border), 0);
data/spread-sheet-widget-0.6/src/ssw-sheet-body.c:421:42: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen (unfocused_border), 0);
data/spread-sheet-widget-0.6/src/ssw-xpaned.c:146:47: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gtk_css_provider_load_from_data (cp, css, strlen (css), 0);

ANALYSIS SUMMARY:

Hits = 5
Lines analyzed = 8891 in approximately 0.18 seconds (48530 lines/second)
Physical Source Lines of Code (SLOC) = 6451
Hits@level = [0] 3 [1] 4 [2] 0 [3] 1 [4] 0 [5] 0
Hits@level+ = [0+] 8 [1+] 5 [2+] 1 [3+] 1 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 1.24012 [1+] 0.775074 [2+] 0.155015 [3+] 0.155015 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.