Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/vmpk-0.7.2/src/keyboardmap.cpp
Examining data/vmpk-0.7.2/src/mididefs.h
Examining data/vmpk-0.7.2/src/sonivoxsettingsdialog.h
Examining data/vmpk-0.7.2/src/about.h
Examining data/vmpk-0.7.2/src/about.cpp
Examining data/vmpk-0.7.2/src/nativefilter.h
Examining data/vmpk-0.7.2/src/shortcutdialog.cpp
Examining data/vmpk-0.7.2/src/vpiano.cpp
Examining data/vmpk-0.7.2/src/colordialog.cpp
Examining data/vmpk-0.7.2/src/riff.h
Examining data/vmpk-0.7.2/src/macsynthsettingsdialog.h
Examining data/vmpk-0.7.2/src/riffimportdlg.cpp
Examining data/vmpk-0.7.2/src/keylabel.cpp
Examining data/vmpk-0.7.2/src/networksettingsdialog.cpp
Examining data/vmpk-0.7.2/src/riff.cpp
Examining data/vmpk-0.7.2/src/instrument.cpp
Examining data/vmpk-0.7.2/src/pianopalette.cpp
Examining data/vmpk-0.7.2/src/shortcutdialog.h
Examining data/vmpk-0.7.2/src/kmapdialog.cpp
Examining data/vmpk-0.7.2/src/pianopalette.h
Examining data/vmpk-0.7.2/src/preferences.h
Examining data/vmpk-0.7.2/src/fluidsettingsdialog.h
Examining data/vmpk-0.7.2/src/midisetup.cpp
Examining data/vmpk-0.7.2/src/instrument.h
Examining data/vmpk-0.7.2/src/keylabel.h
Examining data/vmpk-0.7.2/src/pianokey.h
Examining data/vmpk-0.7.2/src/vpiano.h
Examining data/vmpk-0.7.2/src/extracontrols.cpp
Examining data/vmpk-0.7.2/src/pianokey.cpp
Examining data/vmpk-0.7.2/src/pianoscene.cpp
Examining data/vmpk-0.7.2/src/constants.h
Examining data/vmpk-0.7.2/src/extracontrols.h
Examining data/vmpk-0.7.2/src/sonivoxsettingsdialog.cpp
Examining data/vmpk-0.7.2/src/riffimportdlg.h
Examining data/vmpk-0.7.2/src/colorwidget.h
Examining data/vmpk-0.7.2/src/networksettingsdialog.h
Examining data/vmpk-0.7.2/src/pianokeybd.h
Examining data/vmpk-0.7.2/src/fluidsettingsdialog.cpp
Examining data/vmpk-0.7.2/src/keyboardmap.h
Examining data/vmpk-0.7.2/src/macsynthsettingsdialog.cpp
Examining data/vmpk-0.7.2/src/midisetup.h
Examining data/vmpk-0.7.2/src/kmapdialog.h
Examining data/vmpk-0.7.2/src/colordialog.h
Examining data/vmpk-0.7.2/src/colorwidget.cpp
Examining data/vmpk-0.7.2/src/main.cpp
Examining data/vmpk-0.7.2/src/nativefilter.cpp
Examining data/vmpk-0.7.2/src/pianoscene.h
Examining data/vmpk-0.7.2/src/maceventhelper.h
Examining data/vmpk-0.7.2/src/preferences.cpp
Examining data/vmpk-0.7.2/src/pianokeybd.cpp
Examining data/vmpk-0.7.2/src/pianodefs.h
FINAL RESULTS:
data/vmpk-0.7.2/src/vpiano.cpp:2049:36: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
QString defLang = QLocale::system().name();
data/vmpk-0.7.2/src/instrument.cpp:145:15: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!file.open(QIODevice::ReadOnly))
data/vmpk-0.7.2/src/instrument.cpp:375:15: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!file.open(QIODevice::WriteOnly | QIODevice::Truncate))
data/vmpk-0.7.2/src/keyboardmap.cpp:31:11: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (f.open(QFile::ReadOnly | QFile::Text)) {
data/vmpk-0.7.2/src/keyboardmap.cpp:45:11: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (f.open(QFile::WriteOnly | QFile::Text)) {
data/vmpk-0.7.2/src/midisetup.cpp:139:28: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
m_midiOut->open(conn);
data/vmpk-0.7.2/src/midisetup.cpp:149:27: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
m_midiIn->open(conn);
data/vmpk-0.7.2/src/midisetup.cpp:283:28: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
m_midiOut->open(conn);
data/vmpk-0.7.2/src/riff.cpp:42:10: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file.open(QIODevice::ReadOnly);
data/vmpk-0.7.2/src/riff.cpp:74:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[size+1];
data/vmpk-0.7.2/src/riff.cpp:165:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char name[21];
data/vmpk-0.7.2/src/riffimportdlg.cpp:103:14: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (data.open(QFile::WriteOnly | QFile::Truncate)) {
data/vmpk-0.7.2/src/vpiano.cpp:256:23: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
m_midiin->open(m_lastInputConnection);
data/vmpk-0.7.2/src/vpiano.cpp:265:20: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
m_midiout->open(m_lastOutputConnection);
data/vmpk-0.7.2/src/vpiano.cpp:460:10: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file.open(QIODevice::ReadOnly);
data/vmpk-0.7.2/src/vpiano.cpp:1891:23: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
m_midiin->open(value);
data/vmpk-0.7.2/src/vpiano.cpp:1903:24: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
m_midiout->open(value);
data/vmpk-0.7.2/src/riff.cpp:53:9: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
read();
data/vmpk-0.7.2/src/riff.cpp:341:12: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
void Riff::read()
data/vmpk-0.7.2/src/riff.h:74:10: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
void read();
ANALYSIS SUMMARY:
Hits = 20
Lines analyzed = 9705 in approximately 0.23 seconds (42380 lines/second)
Physical Source Lines of Code (SLOC) = 7552
Hits@level = [0] 0 [1] 3 [2] 16 [3] 0 [4] 1 [5] 0
Hits@level+ = [0+] 20 [1+] 20 [2+] 17 [3+] 1 [4+] 1 [5+] 0
Hits/KSLOC@level+ = [0+] 2.64831 [1+] 2.64831 [2+] 2.25106 [3+] 0.132415 [4+] 0.132415 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.