Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223

Examining data/xfce4-panel-4.15.5/panel/panel-plugin-external.h
Examining data/xfce4-panel-4.15.5/panel/panel-itembar.h
Examining data/xfce4-panel-4.15.5/panel/panel-window.h
Examining data/xfce4-panel-4.15.5/panel/panel-dialogs.c
Examining data/xfce4-panel-4.15.5/panel/panel-item-dialog.h
Examining data/xfce4-panel-4.15.5/panel/panel-marshal.c
Examining data/xfce4-panel-4.15.5/panel/panel-dialogs.h
Examining data/xfce4-panel-4.15.5/panel/panel-dbus-service.c
Examining data/xfce4-panel-4.15.5/panel/panel-plugin-external-wrapper-exported.c
Examining data/xfce4-panel-4.15.5/panel/panel-module-factory.c
Examining data/xfce4-panel-4.15.5/panel/panel-preferences-dialog.h
Examining data/xfce4-panel-4.15.5/panel/panel-application.h
Examining data/xfce4-panel-4.15.5/panel/panel-base-window.h
Examining data/xfce4-panel-4.15.5/panel/panel-tic-tac-toe.c
Examining data/xfce4-panel-4.15.5/panel/panel-preferences-dialog-ui.h
Examining data/xfce4-panel-4.15.5/panel/panel-plugin-external-wrapper-exported.h
Examining data/xfce4-panel-4.15.5/panel/panel-item-dialog.c
Examining data/xfce4-panel-4.15.5/panel/panel-module.h
Examining data/xfce4-panel-4.15.5/panel/panel-plugin-external.c
Examining data/xfce4-panel-4.15.5/panel/panel-application.c
Examining data/xfce4-panel-4.15.5/panel/panel-itembar.c
Examining data/xfce4-panel-4.15.5/panel/panel-dbus-service.h
Examining data/xfce4-panel-4.15.5/panel/panel-preferences-dialog.c
Examining data/xfce4-panel-4.15.5/panel/panel-tic-tac-toe.h
Examining data/xfce4-panel-4.15.5/panel/panel-dbus-client.h
Examining data/xfce4-panel-4.15.5/panel/panel-gdbus-exported-service.c
Examining data/xfce4-panel-4.15.5/panel/panel-module-factory.h
Examining data/xfce4-panel-4.15.5/panel/panel-marshal.h
Examining data/xfce4-panel-4.15.5/panel/panel-base-window.c
Examining data/xfce4-panel-4.15.5/panel/panel-window.c
Examining data/xfce4-panel-4.15.5/panel/panel-dbus-client.c
Examining data/xfce4-panel-4.15.5/panel/panel-gdbus-exported-service.h
Examining data/xfce4-panel-4.15.5/panel/panel-plugin-external-wrapper.c
Examining data/xfce4-panel-4.15.5/panel/main.c
Examining data/xfce4-panel-4.15.5/panel/panel-plugin-external-wrapper.h
Examining data/xfce4-panel-4.15.5/panel/panel-module.c
Examining data/xfce4-panel-4.15.5/common/panel-debug.c
Examining data/xfce4-panel-4.15.5/common/panel-xfconf.c
Examining data/xfce4-panel-4.15.5/common/panel-private.h
Examining data/xfce4-panel-4.15.5/common/panel-debug.h
Examining data/xfce4-panel-4.15.5/common/panel-xfconf.h
Examining data/xfce4-panel-4.15.5/common/panel-utils.h
Examining data/xfce4-panel-4.15.5/common/panel-dbus.h
Examining data/xfce4-panel-4.15.5/common/panel-utils.c
Examining data/xfce4-panel-4.15.5/plugins/actions/actions.h
Examining data/xfce4-panel-4.15.5/plugins/actions/actions-dialog_ui.h
Examining data/xfce4-panel-4.15.5/plugins/actions/actions.c
Examining data/xfce4-panel-4.15.5/plugins/directorymenu/directorymenu.c
Examining data/xfce4-panel-4.15.5/plugins/directorymenu/directorymenu-dialog_ui.h
Examining data/xfce4-panel-4.15.5/plugins/directorymenu/directorymenu.h
Examining data/xfce4-panel-4.15.5/plugins/windowmenu/windowmenu.c
Examining data/xfce4-panel-4.15.5/plugins/windowmenu/windowmenu.h
Examining data/xfce4-panel-4.15.5/plugins/windowmenu/windowmenu-dialog_ui.h
Examining data/xfce4-panel-4.15.5/plugins/showdesktop/showdesktop.h
Examining data/xfce4-panel-4.15.5/plugins/showdesktop/showdesktop.c
Examining data/xfce4-panel-4.15.5/plugins/systray/systray-box.h
Examining data/xfce4-panel-4.15.5/plugins/systray/systray.h
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-icon-box.h
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-item.c
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-config.h
Examining data/xfce4-panel-4.15.5/plugins/systray/systray-manager.h
Examining data/xfce4-panel-4.15.5/plugins/systray/systray-socket.c
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-button.c
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-util.h
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-item.h
Examining data/xfce4-panel-4.15.5/plugins/systray/systray-box.c
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-icon-box.c
Examining data/xfce4-panel-4.15.5/plugins/systray/systray-marshal.c
Examining data/xfce4-panel-4.15.5/plugins/systray/systray.c
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-dialog.c
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-button.h
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-config.c
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-backend.c
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-box.c
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-dialog-ui.h
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-box.h
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-watcher.h
Examining data/xfce4-panel-4.15.5/plugins/systray/systray-socket.h
Examining data/xfce4-panel-4.15.5/plugins/systray/systray-manager.c
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-plugin.c
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-plugin.h
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-dialog.h
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-util.c
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-backend.h
Examining data/xfce4-panel-4.15.5/plugins/systray/systray-marshal.h
Examining data/xfce4-panel-4.15.5/plugins/systray/sn-watcher.c
Examining data/xfce4-panel-4.15.5/plugins/pager/pager-dialog_ui.h
Examining data/xfce4-panel-4.15.5/plugins/pager/pager-buttons.c
Examining data/xfce4-panel-4.15.5/plugins/pager/pager-buttons.h
Examining data/xfce4-panel-4.15.5/plugins/pager/pager.h
Examining data/xfce4-panel-4.15.5/plugins/pager/pager.c
Examining data/xfce4-panel-4.15.5/plugins/clock/clock-lcd.c
Examining data/xfce4-panel-4.15.5/plugins/clock/clock.h
Examining data/xfce4-panel-4.15.5/plugins/clock/clock-digital.c
Examining data/xfce4-panel-4.15.5/plugins/clock/clock-binary.h
Examining data/xfce4-panel-4.15.5/plugins/clock/clock-time.h
Examining data/xfce4-panel-4.15.5/plugins/clock/clock-fuzzy.h
Examining data/xfce4-panel-4.15.5/plugins/clock/clock-dialog_ui.h
Examining data/xfce4-panel-4.15.5/plugins/clock/clock-digital.h
Examining data/xfce4-panel-4.15.5/plugins/clock/clock-fuzzy.c
Examining data/xfce4-panel-4.15.5/plugins/clock/clock-analog.h
Examining data/xfce4-panel-4.15.5/plugins/clock/clock-analog.c
Examining data/xfce4-panel-4.15.5/plugins/clock/clock.c
Examining data/xfce4-panel-4.15.5/plugins/clock/clock-binary.c
Examining data/xfce4-panel-4.15.5/plugins/clock/clock-lcd.h
Examining data/xfce4-panel-4.15.5/plugins/clock/clock-time.c
Examining data/xfce4-panel-4.15.5/plugins/applicationsmenu/applicationsmenu.c
Examining data/xfce4-panel-4.15.5/plugins/applicationsmenu/applicationsmenu.h
Examining data/xfce4-panel-4.15.5/plugins/applicationsmenu/applicationsmenu-dialog_ui.h
Examining data/xfce4-panel-4.15.5/plugins/tasklist/tasklist-dialog_ui.h
Examining data/xfce4-panel-4.15.5/plugins/tasklist/tasklist-widget.c
Examining data/xfce4-panel-4.15.5/plugins/tasklist/tasklist.c
Examining data/xfce4-panel-4.15.5/plugins/tasklist/tasklist-widget.h
Examining data/xfce4-panel-4.15.5/plugins/separator/separator-dialog_ui.h
Examining data/xfce4-panel-4.15.5/plugins/separator/separator.h
Examining data/xfce4-panel-4.15.5/plugins/separator/separator.c
Examining data/xfce4-panel-4.15.5/plugins/launcher/launcher.h
Examining data/xfce4-panel-4.15.5/plugins/launcher/launcher-dialog_ui.h
Examining data/xfce4-panel-4.15.5/plugins/launcher/launcher-dialog.c
Examining data/xfce4-panel-4.15.5/plugins/launcher/launcher-dialog.h
Examining data/xfce4-panel-4.15.5/plugins/launcher/launcher.c
Examining data/xfce4-panel-4.15.5/libxfce4panel/libxfce4panel-alias.h
Examining data/xfce4-panel-4.15.5/libxfce4panel/xfce-panel-macros.h
Examining data/xfce4-panel-4.15.5/libxfce4panel/libxfce4panel-config.h
Examining data/xfce4-panel-4.15.5/libxfce4panel/xfce-arrow-button.c
Examining data/xfce4-panel-4.15.5/libxfce4panel/xfce-panel-image.h
Examining data/xfce4-panel-4.15.5/libxfce4panel/libxfce4panel-enum-types.c
Examining data/xfce4-panel-4.15.5/libxfce4panel/xfce-panel-plugin.h
Examining data/xfce4-panel-4.15.5/libxfce4panel/libxfce4panel.h
Examining data/xfce4-panel-4.15.5/libxfce4panel/libxfce4panel-marshal.h
Examining data/xfce4-panel-4.15.5/libxfce4panel/libxfce4panel-marshal.c
Examining data/xfce4-panel-4.15.5/libxfce4panel/xfce-panel-image.c
Examining data/xfce4-panel-4.15.5/libxfce4panel/xfce-panel-convenience.c
Examining data/xfce4-panel-4.15.5/libxfce4panel/libxfce4panel-aliasdef.c
Examining data/xfce4-panel-4.15.5/libxfce4panel/xfce-arrow-button.h
Examining data/xfce4-panel-4.15.5/libxfce4panel/xfce-panel-plugin-provider.h
Examining data/xfce4-panel-4.15.5/libxfce4panel/libxfce4panel-config.c
Examining data/xfce4-panel-4.15.5/libxfce4panel/xfce-panel-convenience.h
Examining data/xfce4-panel-4.15.5/libxfce4panel/libxfce4panel-enums.h
Examining data/xfce4-panel-4.15.5/libxfce4panel/xfce-panel-plugin-provider.c
Examining data/xfce4-panel-4.15.5/libxfce4panel/xfce-panel-plugin.c
Examining data/xfce4-panel-4.15.5/libxfce4panel/libxfce4panel-enum-types.h
Examining data/xfce4-panel-4.15.5/wrapper/wrapper-plug.c
Examining data/xfce4-panel-4.15.5/wrapper/wrapper-plug.h
Examining data/xfce4-panel-4.15.5/wrapper/wrapper-module.h
Examining data/xfce4-panel-4.15.5/wrapper/wrapper-module.c
Examining data/xfce4-panel-4.15.5/wrapper/main.c
Examining data/xfce4-panel-4.15.5/migrate/migrate-config.h
Examining data/xfce4-panel-4.15.5/migrate/migrate-config.c
Examining data/xfce4-panel-4.15.5/migrate/migrate-default.c
Examining data/xfce4-panel-4.15.5/migrate/main.c
Examining data/xfce4-panel-4.15.5/migrate/migrate-default.h

FINAL RESULTS:

data/xfce4-panel-4.15.5/panel/main.c:179:26:  [3] (buffer) g_get_tmp_dir:
  This function is synonymous with 'getenv("TMP")';it returns untrustable input if the environment can be set by an attacker. It can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them.
  path, g_get_tmp_dir ());
data/xfce4-panel-4.15.5/panel/panel-plugin-external.c:562:52:  [3] (buffer) g_get_tmp_dir:
  This function is synonymous with 'getenv("TMP")';it returns untrustable input if the environment can be set by an attacker. It can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them.
  program, g_get_tmp_dir (), timestamp / G_USEC_PER_SEC,
data/xfce4-panel-4.15.5/panel/panel-plugin-external.c:575:52:  [3] (buffer) g_get_tmp_dir:
  This function is synonymous with 'getenv("TMP")';it returns untrustable input if the environment can be set by an attacker. It can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them.
  program, g_get_tmp_dir (), timestamp / G_USEC_PER_SEC,
data/xfce4-panel-4.15.5/panel/panel-tic-tac-toe.c:309:14:  [3] (random) g_random_int_range:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  seed = g_random_int_range (0, n_moves);
data/xfce4-panel-4.15.5/panel/panel-tic-tac-toe.c:642:7:  [3] (random) g_random_int_range:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  if (g_random_int_range (0, 2) == 0)
data/xfce4-panel-4.15.5/plugins/directorymenu/directorymenu.c:292:16:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable input if the environment can be set by an attacker. It can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them.
  path = g_get_home_dir ();
data/xfce4-panel-4.15.5/plugins/directorymenu/directorymenu.c:388:56:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable input if the environment can be set by an attacker. It can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them.
  g_object_set (G_OBJECT (plugin), "base-directory", g_get_home_dir (), NULL);
data/xfce4-panel-4.15.5/plugins/directorymenu/directorymenu.c:517:69:  [3] (buffer) g_get_home_dir:
  This function is synonymous with 'getenv("HOME")';it returns untrustable input if the environment can be set by an attacker. It can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them.
  gtk_file_chooser_set_current_folder (GTK_FILE_CHOOSER (object), g_get_home_dir ());
data/xfce4-panel-4.15.5/panel/main.c:108:49:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  opt_preferences = value != NULL ? MAX (0, atoi (value)) : 0;
data/xfce4-panel-4.15.5/panel/main.c:113:47:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  opt_add_items = value != NULL ? MAX (0, atoi (value)) : 0;
data/xfce4-panel-4.15.5/plugins/actions/actions.c:1291:15:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[16];
data/xfce4-panel-4.15.5/plugins/systray/systray-manager.c:597:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy ((message->string + message->length - message->remaining_length), &xev->data, length);
data/xfce4-panel-4.15.5/panel/panel-item-dialog.c:570:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (guchar *) internal_name, strlen (internal_name));
data/xfce4-panel-4.15.5/plugins/clock/clock-fuzzy.c:345:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  g_string_append (string, p + strlen (pattern));
data/xfce4-panel-4.15.5/plugins/clock/clock.c:970:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gsize dirlen = strlen (ZONEINFO_DIR);
data/xfce4-panel-4.15.5/plugins/directorymenu/directorymenu.c:891:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(text) > 0)
data/xfce4-panel-4.15.5/plugins/directorymenu/directorymenu.c:979:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(filename) > 0)
data/xfce4-panel-4.15.5/plugins/systray/sn-backend.c:328:28:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (new_owner == NULL || strlen (new_owner) == 0)
data/xfce4-panel-4.15.5/plugins/systray/sn-item.c:416:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  finish = new_owner == NULL || strlen (new_owner) == 0;
data/xfce4-panel-4.15.5/plugins/systray/sn-item.c:733:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  item->entry = (val) != NULL && strlen (val) > 0 \

ANALYSIS SUMMARY:

Hits = 20
Lines analyzed = 66015 in approximately 1.45 seconds (45547 lines/second)
Physical Source Lines of Code (SLOC) = 46004
Hits@level = [0]   4 [1]   8 [2]   4 [3]   8 [4]   0 [5]   0
Hits@level+ = [0+]  24 [1+]  20 [2+]  12 [3+]   8 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 0.521694 [1+] 0.434745 [2+] 0.260847 [3+] 0.173898 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.