Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/user-manager-5.19.5/src/passworddialog.h
Examining data/user-manager-5.19.5/src/passworddialog.cpp
Examining data/user-manager-5.19.5/src/lib/modeltest.h
Examining data/user-manager-5.19.5/src/lib/accountmodel.cpp
Examining data/user-manager-5.19.5/src/lib/usersessions.cpp
Examining data/user-manager-5.19.5/src/lib/modeltest.cpp
Examining data/user-manager-5.19.5/src/lib/usersessions.h
Examining data/user-manager-5.19.5/src/lib/accountmodel.h
Examining data/user-manager-5.19.5/src/usermanager.cpp
Examining data/user-manager-5.19.5/src/usermanager.h
Examining data/user-manager-5.19.5/src/accountinfo.cpp
Examining data/user-manager-5.19.5/src/avatargallery.h
Examining data/user-manager-5.19.5/src/accountinfo.h
Examining data/user-manager-5.19.5/src/createavatarjob.cpp
Examining data/user-manager-5.19.5/src/createavatarjob.h
Examining data/user-manager-5.19.5/src/avatargallery.cpp

FINAL RESULTS:

data/user-manager-5.19.5/src/lib/accountmodel.cpp:504:30:  [4] (crypto) crypt:
  The crypt functions use a poor one-way hashing algorithm; since they only
  accept passwords of 8 characters or fewer and only a two-byte salt, they are
  excessively vulnerable to dictionary attacks given today's faster computing
  equipment (CWE-327). Use a different algorithm, such as SHA-256, with a
  larger, non-repeating salt.
  return QString::fromUtf8(crypt(password.toUtf8().constData(), salt.constData()));
data/user-manager-5.19.5/src/createavatarjob.cpp:53:10:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  file.open();
data/user-manager-5.19.5/src/passworddialog.cpp:155:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[PWQ_MAX_ERROR_MESSAGE_LEN]; // arbitrary size

ANALYSIS SUMMARY:

Hits = 3
Lines analyzed = 2639 in approximately 0.09 seconds (29154 lines/second)
Physical Source Lines of Code (SLOC) = 1785
Hits@level = [0]   0 [1]   0 [2]   2 [3]   0 [4]   1 [5]   0
Hits@level+ = [0+]   3 [1+]   3 [2+]   3 [3+]   1 [4+]   1 [5+]   0
Hits/KSLOC@level+ = [0+] 1.68067 [1+] 1.68067 [2+] 1.68067 [3+] 0.560224 [4+] 0.560224 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
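Triage note on the level-4 crypt hit, with an added example that is not part of this Flawfinder report or of the user-manager code base. Flawfinder's message describes traditional DES crypt (8-character password limit, 2-character salt). On glibc, crypt(3) selects the hash from the salt prefix: a salt with no "$" prefix means DES, "$1$" means MD5-crypt, "$5$" SHA-256-crypt and "$6$" SHA-512-crypt, so whether accountmodel.cpp:504 is actually weak depends on how the `salt` variable is built, which this report does not show. The helpers below (hypothetical names `classifySalt`, `isAcceptableSalt` and `makeSha512Salt`) encode that check: they classify a salt string the way glibc does, reject anything that is not a SHA-2 scheme with a full-length salt, and build a "$6$" salt from the crypt alphabet. They deliberately do not call crypt() itself, so the file compiles without -lcrypt.

```cpp
// Added example (not from the Flawfinder report or from user-manager): triage
// helpers for the crypt() finding. Names are hypothetical.
#include <cstddef>
#include <random>
#include <string>

// Characters crypt(3) accepts in a salt body.
static const std::string kSaltAlphabet =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

enum class CryptScheme { Des, Md5, Sha256, Sha512, Unknown };

// Classify a salt by its prefix, as glibc's crypt() does. A salt without a
// '$' prefix selects traditional DES crypt, which is the weak case Flawfinder
// describes (8-character password limit, 2-character salt).
CryptScheme classifySalt(const std::string &salt) {
    if (salt.rfind("$6$", 0) == 0) return CryptScheme::Sha512;
    if (salt.rfind("$5$", 0) == 0) return CryptScheme::Sha256;
    if (salt.rfind("$1$", 0) == 0) return CryptScheme::Md5;
    if (salt.size() >= 2 && salt[0] != '$' &&
        kSaltAlphabet.find(salt[0]) != std::string::npos &&
        kSaltAlphabet.find(salt[1]) != std::string::npos)
        return CryptScheme::Des;
    return CryptScheme::Unknown;
}

// Accept only SHA-256/SHA-512 crypt salts whose body (after the scheme and an
// optional "rounds=N$" field, up to the next '$') has at least minSaltChars
// characters from the crypt alphabet. glibc uses at most 16 salt characters
// for the SHA-crypt schemes, so 16 is the full-strength length.
bool isAcceptableSalt(const std::string &salt, std::size_t minSaltChars = 16) {
    CryptScheme scheme = classifySalt(salt);
    if (scheme != CryptScheme::Sha512 && scheme != CryptScheme::Sha256) return false;
    std::string body = salt.substr(3);
    if (body.rfind("rounds=", 0) == 0) {          // "$6$rounds=N$salt" form
        std::size_t dollar = body.find('$');
        if (dollar == std::string::npos) return false;
        body = body.substr(dollar + 1);
    }
    std::size_t end = body.find('$');             // salt body ends at the next '$'
    if (end != std::string::npos) body = body.substr(0, end);
    if (body.size() < minSaltChars) return false;
    for (char c : body)
        if (kSaltAlphabet.find(c) == std::string::npos) return false;
    return true;
}

// Build a SHA-512-crypt salt of the recommended shape: "$6$" followed by
// saltChars random characters from the crypt alphabet. std::random_device is
// backed by the OS entropy source on glibc; confirm that on other platforms.
std::string makeSha512Salt(std::size_t saltChars = 16) {
    std::random_device rd;
    std::uniform_int_distribution<std::size_t> pick(0, kSaltAlphabet.size() - 1);
    std::string salt = "$6$";
    for (std::size_t i = 0; i < saltChars; ++i) salt += kSaltAlphabet[pick(rd)];
    return salt;  // the value that belongs in crypt()'s second argument
}
```

The practical check for this hit is therefore to read the construction of `salt` near accountmodel.cpp:504 and confirm it would pass `isAcceptableSalt`; if it does, the finding is a false positive of Flawfinder's pattern match on the name `crypt`, and if it does not, the fix is to generate the salt as `makeSha512Salt` does. The two level-2 hits want the same kind of source review rather than a code change on their own: for `file.open()` in createavatarjob.cpp, whether the path is attacker-influenced and whether the file is created in a directory the attacker cannot write to; for `char buf[PWQ_MAX_ERROR_MESSAGE_LEN]` in passworddialog.cpp, whether every write into `buf` receives `sizeof(buf)` as its bound.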