Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/zerofree-1.1.1/zerofree.c FINAL RESULTS: data/zerofree-1.1.1/zerofree.c:82:4: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. fprintf(stderr, USAGE, argv[0]); data/zerofree-1.1.1/zerofree.c:88:3: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. fprintf(stderr, USAGE, argv[0]); data/zerofree-1.1.1/zerofree.c:176:3: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. printf(FORMAT, modified, free, ext2fs_blocks_count(fs->super)); data/zerofree-1.1.1/zerofree.c:60:13: [3] (buffer) getopt: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs. while ( (c=getopt(argc, argv, "nvf:")) != -1 ) { ANALYSIS SUMMARY: Hits = 4 Lines analyzed = 186 in approximately 0.02 seconds (9290 lines/second) Physical Source Lines of Code (SLOC) = 141 Hits@level = [0] 12 [1] 0 [2] 0 [3] 1 [4] 3 [5] 0 Hits@level+ = [0+] 16 [1+] 4 [2+] 4 [3+] 4 [4+] 3 [5+] 0 Hits/KSLOC@level+ = [0+] 113.475 [1+] 28.3688 [2+] 28.3688 [3+] 28.3688 [4+] 21.2766 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.