Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/vala-panel-0.5.0/app/application.c
Examining data/vala-panel-0.5.0/app/application.h
Examining data/vala-panel-0.5.0/app/vala-panel-platform-standalone-layer-shell.c
Examining data/vala-panel-0.5.0/app/vala-panel-platform-standalone-layer-shell.h
Examining data/vala-panel-0.5.0/app/vala-panel-platform-standalone-x11.c
Examining data/vala-panel-0.5.0/app/vala-panel-platform-standalone-x11.h
Examining data/vala-panel-0.5.0/applets/core/cpu/cpu.c
Examining data/vala-panel-0.5.0/applets/core/cpu/cpu.h
Examining data/vala-panel-0.5.0/applets/core/menumodel/debug.h
Examining data/vala-panel-0.5.0/applets/core/menumodel/menu-maker.c
Examining data/vala-panel-0.5.0/applets/core/menumodel/menu.c
Examining data/vala-panel-0.5.0/applets/core/menumodel/menu.h
Examining data/vala-panel-0.5.0/applets/core/monitors/cpu.c
Examining data/vala-panel-0.5.0/applets/core/monitors/cpu.h
Examining data/vala-panel-0.5.0/applets/core/monitors/mem.c
Examining data/vala-panel-0.5.0/applets/core/monitors/mem.h
Examining data/vala-panel-0.5.0/applets/core/monitors/monitor.c
Examining data/vala-panel-0.5.0/applets/core/monitors/monitor.h
Examining data/vala-panel-0.5.0/applets/core/monitors/monitors.c
Examining data/vala-panel-0.5.0/applets/core/monitors/monitors.h
Examining data/vala-panel-0.5.0/applets/core/monitors/swap.c
Examining data/vala-panel-0.5.0/applets/core/monitors/swap.h
Examining data/vala-panel-0.5.0/applets/core/netmon/monitor.c
Examining data/vala-panel-0.5.0/applets/core/netmon/monitor.h
Examining data/vala-panel-0.5.0/applets/core/netmon/monitors.c
Examining data/vala-panel-0.5.0/applets/core/netmon/monitors.h
Examining data/vala-panel-0.5.0/applets/core/netmon/net.c
Examining data/vala-panel-0.5.0/applets/core/netmon/net.h
Examining data/vala-panel-0.5.0/applets/wnck/tasklist/tasklist-widget.c
Examining data/vala-panel-0.5.0/applets/wnck/tasklist/tasklist-widget.h
Examining data/vala-panel-0.5.0/applets/wnck/tasklist/tasklist.c
Examining data/vala-panel-0.5.0/applets/wnck/tasklist/tasklist.h
Examining data/vala-panel-0.5.0/applets/wnck/tasklist/xfce-arrow-button.c
Examining data/vala-panel-0.5.0/applets/wnck/tasklist/xfce-arrow-button.h
Examining data/vala-panel-0.5.0/runner/info-data.c
Examining data/vala-panel-0.5.0/runner/info-data.h
Examining data/vala-panel-0.5.0/runner/runner-app.c
Examining data/vala-panel-0.5.0/runner/runner-app.h
Examining data/vala-panel-0.5.0/runner/runner.c
Examining data/vala-panel-0.5.0/runner/runner.h
Examining data/vala-panel-0.5.0/ui/applet-info.c
Examining data/vala-panel-0.5.0/ui/applet-info.h
Examining data/vala-panel-0.5.0/ui/applet-manager.c
Examining data/vala-panel-0.5.0/ui/applet-manager.h
Examining data/vala-panel-0.5.0/ui/applet-widget-api.h
Examining data/vala-panel-0.5.0/ui/applet-widget.c
Examining data/vala-panel-0.5.0/ui/applet-widget.h
Examining data/vala-panel-0.5.0/ui/client.h
Examining data/vala-panel-0.5.0/ui/definitions.h
Examining data/vala-panel-0.5.0/ui/panel-layout.c
Examining data/vala-panel-0.5.0/ui/panel-layout.h
Examining data/vala-panel-0.5.0/ui/panel-platform.c
Examining data/vala-panel-0.5.0/ui/panel-platform.h
Examining data/vala-panel-0.5.0/ui/private.h
Examining data/vala-panel-0.5.0/ui/server.h
Examining data/vala-panel-0.5.0/ui/settings-manager.c
Examining data/vala-panel-0.5.0/ui/settings-manager.h
Examining data/vala-panel-0.5.0/ui/toplevel-config.c
Examining data/vala-panel-0.5.0/ui/toplevel-config.h
Examining data/vala-panel-0.5.0/ui/toplevel.c
Examining data/vala-panel-0.5.0/ui/toplevel.h
Examining data/vala-panel-0.5.0/util/boxed-wrapper.c
Examining data/vala-panel-0.5.0/util/boxed-wrapper.h
Examining data/vala-panel-0.5.0/util/constants.h
Examining data/vala-panel-0.5.0/util/glistmodel-filter.c
Examining data/vala-panel-0.5.0/util/glistmodel-filter.h
Examining data/vala-panel-0.5.0/util/gtk/css.c
Examining data/vala-panel-0.5.0/util/gtk/css.h
Examining data/vala-panel-0.5.0/util/gtk/generic-config-dialog.c
Examining data/vala-panel-0.5.0/util/gtk/generic-config-dialog.h
Examining data/vala-panel-0.5.0/util/gtk/launcher-gtk.c
Examining data/vala-panel-0.5.0/util/gtk/launcher-gtk.h
Examining data/vala-panel-0.5.0/util/gtk/menu-maker.c
Examining data/vala-panel-0.5.0/util/gtk/menu-maker.h
Examining data/vala-panel-0.5.0/util/gtk/misc-gtk.c
Examining data/vala-panel-0.5.0/util/gtk/misc-gtk.h
Examining data/vala-panel-0.5.0/util/gtk/util-gtk.h
Examining data/vala-panel-0.5.0/util/misc.c
Examining data/vala-panel-0.5.0/util/misc.h
Examining data/vala-panel-0.5.0/util/util.h
FINAL RESULTS:
data/vala-panel-0.5.0/applets/core/menumodel/menu-maker.c:212:44: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
g_menu_append_submenu(menu, _("System"), system);
data/vala-panel-0.5.0/applets/core/menumodel/menu-maker.c:220:29: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
append_all_sections(menu, system);
data/vala-panel-0.5.0/applets/core/menumodel/menu.c:69:7: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
bool system;
data/vala-panel-0.5.0/applets/core/menumodel/menu.c:365:36: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
g_value_set_boolean(value, self->system);
data/vala-panel-0.5.0/applets/core/menumodel/menu.c:485:48: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
if (!g_strcmp0(command_name, "menu") && self->system && self->show_system_menu_idle == 0)
data/vala-panel-0.5.0/applets/core/menumodel/menu-maker.c:138:38: [3] (buffer) g_get_home_dir:
This function is synonymous with 'getenv("HOME")';it returns untrustable
input if the environment can beset by an attacker. It can have any content
and length, and the same variable can be set more than once (CWE-807,
CWE-20). Check environment variables carefully before using them.
char *path = g_filename_to_uri(g_get_home_dir(), NULL, NULL);
data/vala-panel-0.5.0/app/application.c:233:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char cwd[PATH_MAX];
data/vala-panel-0.5.0/applets/core/cpu/cpu.c:117:16: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
FILE *stat = fopen("/proc/stat", "r");
data/vala-panel-0.5.0/applets/core/cpu/cpu.c:135:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&c->previous_cpu_stat, &cpu, sizeof(cpu_stat));
data/vala-panel-0.5.0/applets/core/cpu/cpu.c:176:6: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&new_stats_cpu[0],
data/vala-panel-0.5.0/applets/core/cpu/cpu.c:179:6: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&new_stats_cpu[new_pixmap_width - c->pixmap_width +
data/vala-panel-0.5.0/applets/core/cpu/cpu.c:189:6: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&new_stats_cpu[0],
data/vala-panel-0.5.0/applets/core/cpu/cpu.c:192:6: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&new_stats_cpu[c->ring_cursor],
data/vala-panel-0.5.0/applets/core/cpu/cpu.c:204:6: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&new_stats_cpu[0],
data/vala-panel-0.5.0/applets/core/monitors/cpu.c:38:16: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
FILE *stat = fopen("/proc/stat", "r");
data/vala-panel-0.5.0/applets/core/monitors/cpu.c:56:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&previous_cpu_stat, &cpu, sizeof(cpu_stat));
data/vala-panel-0.5.0/applets/core/monitors/mem.c:30:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[80];
data/vala-panel-0.5.0/applets/core/monitors/mem.c:36:18: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
FILE *meminfo = fopen("/proc/meminfo", "r");
data/vala-panel-0.5.0/applets/core/monitors/monitor.c:90:6: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(new_stats,
data/vala-panel-0.5.0/applets/core/monitors/monitor.c:93:6: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&new_stats[nvalues],
data/vala-panel-0.5.0/applets/core/monitors/monitor.c:104:6: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(new_stats,
data/vala-panel-0.5.0/applets/core/monitors/monitor.c:107:6: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&new_stats[mon->ring_cursor],
data/vala-panel-0.5.0/applets/core/monitors/monitor.c:117:6: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy((void *)new_stats,
data/vala-panel-0.5.0/applets/core/monitors/swap.c:30:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[80];
data/vala-panel-0.5.0/applets/core/monitors/swap.c:37:18: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
FILE *meminfo = fopen("/proc/meminfo", "r");
data/vala-panel-0.5.0/applets/core/netmon/monitor.c:90:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(new_stats, old_stats, cursor * sizeof(double));
data/vala-panel-0.5.0/applets/core/netmon/monitor.c:91:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&new_stats[nvalues], &old_stats[cursor], nvalues * sizeof(double));
data/vala-panel-0.5.0/applets/core/netmon/monitor.c:100:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(new_stats, old_stats, cursor * sizeof(double));
data/vala-panel-0.5.0/applets/core/netmon/monitor.c:101:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&new_stats[cursor],
data/vala-panel-0.5.0/applets/core/netmon/monitor.c:111:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy((void *)new_stats,
data/vala-panel-0.5.0/applets/core/netmon/net.c:49:13: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!(fp = fopen("/proc/net/dev", "r")))
data/vala-panel-0.5.0/applets/core/netmon/net.c:53:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[256];
data/vala-panel-0.5.0/ui/definitions.h:90:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy((DST), (SRC), TMPSZ); \
data/vala-panel-0.5.0/ui/toplevel-config.c:230:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char scol[120];
data/vala-panel-0.5.0/runner/info-data.c:30:48: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
char *nom = g_markup_escape_text(name, (long)strlen(name));
data/vala-panel-0.5.0/runner/info-data.c:31:49: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
char *desc = g_markup_escape_text(sdesc, (long)strlen(sdesc));
data/vala-panel-0.5.0/util/gtk/css.c:211:55: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
gtk_css_provider_load_from_data(provider, css, (long)strlen(css), &err);
data/vala-panel-0.5.0/util/gtk/css.c:224:55: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
gtk_css_provider_load_from_data(provider, css, (long)strlen(css), &err);
data/vala-panel-0.5.0/util/misc.c:61:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (uri_scheme != NULL && strlen(uri_scheme) <= 0)
ANALYSIS SUMMARY:
Hits = 39
Lines analyzed = 16560 in approximately 0.39 seconds (42281 lines/second)
Physical Source Lines of Code (SLOC) = 12731
Hits@level = [0] 9 [1] 5 [2] 28 [3] 1 [4] 5 [5] 0
Hits@level+ = [0+] 48 [1+] 39 [2+] 34 [3+] 6 [4+] 5 [5+] 0
Hits/KSLOC@level+ = [0+] 3.77032 [1+] 3.06339 [2+] 2.67065 [3+] 0.471291 [4+] 0.392742 [5+] 0
Dot directories skipped = 3 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.