Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/user-manager-5.19.5/src/passworddialog.h
Examining data/user-manager-5.19.5/src/passworddialog.cpp
Examining data/user-manager-5.19.5/src/lib/modeltest.h
Examining data/user-manager-5.19.5/src/lib/accountmodel.cpp
Examining data/user-manager-5.19.5/src/lib/usersessions.cpp
Examining data/user-manager-5.19.5/src/lib/modeltest.cpp
Examining data/user-manager-5.19.5/src/lib/usersessions.h
Examining data/user-manager-5.19.5/src/lib/accountmodel.h
Examining data/user-manager-5.19.5/src/usermanager.cpp
Examining data/user-manager-5.19.5/src/usermanager.h
Examining data/user-manager-5.19.5/src/accountinfo.cpp
Examining data/user-manager-5.19.5/src/avatargallery.h
Examining data/user-manager-5.19.5/src/accountinfo.h
Examining data/user-manager-5.19.5/src/createavatarjob.cpp
Examining data/user-manager-5.19.5/src/createavatarjob.h
Examining data/user-manager-5.19.5/src/avatargallery.cpp
FINAL RESULTS:
data/user-manager-5.19.5/src/lib/accountmodel.cpp:504:30: [4] (crypto) crypt:
The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
with a larger, non-repeating salt.
return QString::fromUtf8(crypt(password.toUtf8().constData(), salt.constData()));
data/user-manager-5.19.5/src/createavatarjob.cpp:53:10: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file.open();
data/user-manager-5.19.5/src/passworddialog.cpp:155:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[PWQ_MAX_ERROR_MESSAGE_LEN]; // arbitrary size
ANALYSIS SUMMARY:
Hits = 3
Lines analyzed = 2639 in approximately 0.09 seconds (29154 lines/second)
Physical Source Lines of Code (SLOC) = 1785
Hits@level = [0] 0 [1] 0 [2] 2 [3] 0 [4] 1 [5] 0
Hits@level+ = [0+] 3 [1+] 3 [2+] 3 [3+] 1 [4+] 1 [5+] 0
Hits/KSLOC@level+ = [0+] 1.68067 [1+] 1.68067 [2+] 1.68067 [3+] 0.560224 [4+] 0.560224 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.