Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/wmmatrix-0.2/wmMatrix.c
Examining data/wmmatrix-0.2/config.h
Examining data/wmmatrix-0.2/yarandom.h
Examining data/wmmatrix-0.2/yarandom.c
Examining data/wmmatrix-0.2/matrix.c
Examining data/wmmatrix-0.2/version.h
Examining data/wmmatrix-0.2/matrix.h
Examining data/wmmatrix-0.2/xutils.c
Examining data/wmmatrix-0.2/xutils.h
FINAL RESULTS:
data/wmmatrix-0.2/wmMatrix.c:287:13: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(TimeColor, argv[++i]);
data/wmmatrix-0.2/wmMatrix.c:296:13: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(BackgroundColor, argv[++i]);
data/wmmatrix-0.2/wmMatrix.c:305:6: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(ExecuteCommand, argv[++i]);
data/wmmatrix-0.2/wmMatrix.c:381:9: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
system("xscreensaver-demo");
data/wmmatrix-0.2/matrix.c:168:45: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
else if (bottom_feeder_p) to->glow = 1 + (random() % 2);
data/wmmatrix-0.2/matrix.c:192:15: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
int g = (random() % state->nglyphs) + 1;
data/wmmatrix-0.2/matrix.c:204:7: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
if ((random() % 10) == 0) { /* randomly change throttle speed */
data/wmmatrix-0.2/matrix.c:206:22: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
f->throttle = ((random() % 5) + (random() % 5));
data/wmmatrix-0.2/matrix.c:206:39: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
f->throttle = ((random() % 5) + (random() % 5));
data/wmmatrix-0.2/matrix.c:243:15: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
int i = random() % (state->grid_width / 2);
data/wmmatrix-0.2/matrix.c:246:19: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
int x = random() % state->grid_width;
data/wmmatrix-0.2/matrix.c:247:19: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
int y = random() % state->grid_height;
data/wmmatrix-0.2/matrix.c:251:28: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
cell->glow = random() % 10;
data/wmmatrix-0.2/matrix.c:267:12: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
if ((random() % densitizer(state)) != 0) /* then change N% of the time */
data/wmmatrix-0.2/matrix.c:270:27: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
f->remaining = 3 + (random() % state->grid_height);
data/wmmatrix-0.2/matrix.c:271:23: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
f->throttle = ((random() % 5) + (random() % 5));
data/wmmatrix-0.2/matrix.c:271:40: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
f->throttle = ((random() % 5) + (random() % 5));
data/wmmatrix-0.2/matrix.c:273:12: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
if ((random() % 4) != 0)
data/wmmatrix-0.2/matrix.c:277:28: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
bottom_feeder_p = (random() & 1);
data/wmmatrix-0.2/matrix.c:282:16: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
f->y = random() % (state->grid_height / 2);
data/wmmatrix-0.2/yarandom.h:15:8: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
#undef random
data/wmmatrix-0.2/yarandom.h:17:8: [3] (random) drand48:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
#undef drand48
data/wmmatrix-0.2/yarandom.h:18:8: [3] (random) srandom:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
#undef srandom
data/wmmatrix-0.2/yarandom.h:19:8: [3] (random) srand:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
#undef srand
data/wmmatrix-0.2/yarandom.h:28:9: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
#define random() ya_random()
data/wmmatrix-0.2/yarandom.h:29:9: [3] (random) srandom:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
#define srandom(i) ya_rand_init(0)
data/wmmatrix-0.2/yarandom.h:40:30: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
({ double tmp = (((double) random()) / \
data/wmmatrix-0.2/yarandom.h:48:29: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
(_frand_tmp_ = (((double) random()) / \
data/wmmatrix-0.2/wmMatrix.c:87:1: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char ExecuteCommand[1024];
data/wmmatrix-0.2/wmMatrix.c:96:1: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char TimeColor[30] = "#ffff00";
data/wmmatrix-0.2/wmMatrix.c:97:1: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char BackgroundColor[30] = "#181818";
data/wmmatrix-0.2/wmMatrix.c:125:5: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(ExecuteCommand, "xmatrixsmall");
data/wmmatrix-0.2/wmMatrix.c:161:17: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ( (fp = fopen("/proc/loadavg", "r")) != NULL ){
data/wmmatrix-0.2/xutils.c:63:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
extern char TimeColor[30];
data/wmmatrix-0.2/xutils.c:64:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
extern char BackgroundColor[30];
ANALYSIS SUMMARY:
Hits = 35
Lines analyzed = 1772 in approximately 0.08 seconds (21723 lines/second)
Physical Source Lines of Code (SLOC) = 760
Hits@level = [0] 14 [1] 0 [2] 7 [3] 24 [4] 4 [5] 0
Hits@level+ = [0+] 49 [1+] 35 [2+] 35 [3+] 28 [4+] 4 [5+] 0
Hits/KSLOC@level+ = [0+] 64.4737 [1+] 46.0526 [2+] 46.0526 [3+] 36.8421 [4+] 5.26316 [5+] 0
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.