Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223

Examining data/aegean-0.16.0+dfsg/inc/core/AgnAttributeFilterStream.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnCliquePair.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnCompareReportHTML.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnCompareReportText.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnComparison.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnFilterStream.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnGaevalVisitor.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnGeneStream.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnInferCDSVisitor.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnInferExonsVisitor.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnInferParentStream.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnLocus.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnLocusFilterStream.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnLocusMapVisitor.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnLocusRefineStream.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnLocusStream.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnMrnaRepVisitor.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnPseudogeneFixVisitor.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnRemoveChildrenVisitor.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnTranscriptClique.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnTypecheck.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnUnitTest.h
Examining data/aegean-0.16.0+dfsg/inc/core/AgnUtils.h
Examining data/aegean-0.16.0+dfsg/inc/core/aegean.h
Examining data/aegean-0.16.0+dfsg/src/ParsEval/parseval.c
Examining data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.h
Examining data/aegean-0.16.0+dfsg/src/ParsEval/pe_utils.c
Examining data/aegean-0.16.0+dfsg/src/ParsEval/pe_utils.h
Examining data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c
Examining data/aegean-0.16.0+dfsg/src/canon-gff3.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnAttributeFilterStream.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnCliquePair.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnComparison.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnFilterStream.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnGaevalVisitor.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnGeneStream.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnInferCDSVisitor.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnInferExonsVisitor.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnInferParentStream.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnLocus.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnLocusFilterStream.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnLocusMapVisitor.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnLocusStream.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnMrnaRepVisitor.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnPseudogeneFixVisitor.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnRemoveChildrenVisitor.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnTranscriptClique.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnTypecheck.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnUnitTest.c
Examining data/aegean-0.16.0+dfsg/src/core/AgnUtils.c
Examining data/aegean-0.16.0+dfsg/src/gaeval.c
Examining data/aegean-0.16.0+dfsg/src/locuspocus.c
Examining data/aegean-0.16.0+dfsg/src/pmrna.c
Examining data/aegean-0.16.0+dfsg/src/tidygff3.c
Examining data/aegean-0.16.0+dfsg/src/xtractore.c
Examining data/aegean-0.16.0+dfsg/test/unittests.c

FINAL RESULTS:

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:161:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(cmd, "cp %s/pe.filter pe.filter", options->data_path);

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:165:8: [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
    if(system(cmd) != 0)

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:203:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(dircmd, "test -d %s", options->outfilename);

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:204:10: [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
    if(system(dircmd) == 0)

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:209:11: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(rmcmd, "rm -r %s", options->outfilename);

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:210:14: [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
    if(system(rmcmd) != 0)

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:228:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(filecmd, "test -f %s", options->outfilename);

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:229:10: [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
    if(system(filecmd) == 0 && !options->overwrite)

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:248:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(dircmd, "mkdir %s", options->outfilename);

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:249:8: [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
    if(system(dircmd) != 0)

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:256:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(outname, "%s/index.html", options->outfilename);

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:265:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(copy_cmd,"cp -LR %s/* %s", options->data_path, options->outfilename);

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:268:8: [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
    if(system(copy_cmd) != 0)

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:302:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(options->pngdata.filename_template, "%s/%%s/%%s_%%lu-%%lu.png",

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:304:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(options->pngdata.stylefile, "%s/pe.style", options->data_path);

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:212:3: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(filename, "%s/index.html", rpt->outdir);

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:480:3: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(filename, "%s/%s/%lu-%lu.html", rpt->outdir, gt_str_get(seqid),

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:720:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(filename, "%s/perfectmatches.html", rpt->outdir);

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:742:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(filename, "%s/mislabeled.html", rpt->outdir);

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:765:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(filename, "%s/cdsmatches.html", rpt->outdir);

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:787:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(filename, "%s/exonmatches.html", rpt->outdir);

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:809:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(filename, "%s/utrmatches.html", rpt->outdir);

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:831:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(filename, "%s/nonmatches.html", rpt->outdir);

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:969:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(seqfilename, "%s/%s/index.html", rpt->outdir, seqid);

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:1405:3: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(seqdircmd, "mkdir %s/%s", rpt->outdir, seqid);

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:1406:6: [4] (shell) system:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
    if(system(seqdircmd))

data/aegean-0.16.0+dfsg/src/core/AgnInferExonsVisitor.c:331:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(parentstr + strlen(parentstr), ",%s", tid);

data/aegean-0.16.0+dfsg/src/core/AgnLocus.c:773:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(trackname, "Reference annotations (%s)", metadata->refrfile);

data/aegean-0.16.0+dfsg/src/core/AgnLocus.c:778:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(trackname, "%s (Reference)", metadata->refrlabel);

data/aegean-0.16.0+dfsg/src/core/AgnLocus.c:787:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(trackname, "Prediction annotations (%s)", metadata->predfile);

data/aegean-0.16.0+dfsg/src/core/AgnLocus.c:792:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(trackname, "%s (Prediction)", metadata->predlabel);

data/aegean-0.16.0+dfsg/src/core/AgnLocus.c:893:3: [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
    sprintf(pngfile, metadata->filename_template, gt_str_get(seqid),

data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:724:5: [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
    sprintf(locusname, gt_str_get(stream->nameformat), stream->count);

data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:780:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(key, "child_%s", *attrkey);

data/aegean-0.16.0+dfsg/src/core/AgnLocusStream.c:524:5: [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
    sprintf(locusname, gt_str_get(stream->nameformat), stream->count);

data/aegean-0.16.0+dfsg/src/core/AgnLocusStream.c:580:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(key, "child_%s", *attrkey);

data/aegean-0.16.0+dfsg/src/core/AgnTranscriptClique.c:195:14: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    idptr += sprintf(idptr, "%s", gt_feature_node_get_attribute(current, "ID"));

data/aegean-0.16.0+dfsg/src/xtractore.c:354:3: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(subseqid, "%s_%lu-%lu%c", gt_str_get(seqid), range.start, range.end,

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:47:14: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
    for(opt = getopt_long(argc, argv, optstr, parseval_options, &optindex);

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:49:14: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
    opt = getopt_long(argc, argv, optstr, parseval_options, &optindex))

data/aegean-0.16.0+dfsg/src/canon-gff3.c:54:13: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
    for(opt = getopt_long(argc, argv, optstr, init_options, &optindex);

data/aegean-0.16.0+dfsg/src/canon-gff3.c:56:13: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
    opt = getopt_long(argc, argv, optstr, init_options, &optindex))

data/aegean-0.16.0+dfsg/src/gaeval.c:78:14: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
    for(opt = getopt_long(argc, argv + 0, optstr, gaeval_options, &optindex);

data/aegean-0.16.0+dfsg/src/gaeval.c:80:14: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
    opt = getopt_long(argc, argv + 0, optstr, gaeval_options, &optindex))

data/aegean-0.16.0+dfsg/src/locuspocus.c:175:14: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
    for( opt = getopt_long(argc, argv + 0, optstr, locuspocus_options, &optindex);

data/aegean-0.16.0+dfsg/src/locuspocus.c:177:14: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
    opt = getopt_long(argc, argv + 0, optstr, locuspocus_options, &optindex))

data/aegean-0.16.0+dfsg/src/pmrna.c:54:14: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
    for(opt = getopt_long(argc, argv + 0, optstr, pmrna_options, &optindex);

data/aegean-0.16.0+dfsg/src/pmrna.c:56:14: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
    opt = getopt_long(argc, argv + 0, optstr, pmrna_options, &optindex))

data/aegean-0.16.0+dfsg/src/xtractore.c:136:13: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
    for(opt = getopt_long(argc, argv + 0, optstr, xtractore_options, &optindex);

data/aegean-0.16.0+dfsg/src/xtractore.c:138:13: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
    opt = getopt_long(argc, argv + 0, optstr, xtractore_options, &optindex))

data/aegean-0.16.0+dfsg/inc/core/AgnComparison.h:39:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char sns[7];

data/aegean-0.16.0+dfsg/inc/core/AgnComparison.h:40:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char sps[7];

data/aegean-0.16.0+dfsg/inc/core/AgnComparison.h:41:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char f1s[7];

data/aegean-0.16.0+dfsg/inc/core/AgnComparison.h:42:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char eds[16];

data/aegean-0.16.0+dfsg/inc/core/AgnComparison.h:63:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char mcs[7];

data/aegean-0.16.0+dfsg/inc/core/AgnComparison.h:64:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char ccs[7];

data/aegean-0.16.0+dfsg/inc/core/AgnComparison.h:65:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char sns[7];

data/aegean-0.16.0+dfsg/inc/core/AgnComparison.h:66:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char sps[7];

data/aegean-0.16.0+dfsg/inc/core/AgnComparison.h:67:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char f1s[7];

data/aegean-0.16.0+dfsg/inc/core/AgnComparison.h:68:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char eds[16];

data/aegean-0.16.0+dfsg/inc/core/AgnLocus.h:49:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char filename_template[512];

data/aegean-0.16.0+dfsg/inc/core/AgnLocus.h:50:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char stylefile[512];

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:104:26: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    FILE *filterfile = fopen(optarg, "r");

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:160:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char cmd[512];

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:202:7: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char dircmd[1024];

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:208:11: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char rmcmd[1024];

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:227:7: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char filecmd[1024];

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:247:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char dircmd[1024];

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:255:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char outname[1024];

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:257:24: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    options->outfile = fopen(outname, "w");

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:264:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char copy_cmd[1024];

data/aegean-0.16.0+dfsg/src/ParsEval/pe_options.c:285:26: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    options->outfile = fopen(options->outfilename, "w");

data/aegean-0.16.0+dfsg/src/ParsEval/pe_utils.c:23:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char timestr[128];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:45:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char seqid[64];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:211:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char filename[1024];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:213:21: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    FILE *outstream = fopen(filename, "w");

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:479:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char filename[1024];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:482:21: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    FILE *outstream = fopen(filename, "w");

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:719:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char filename[AGN_MAX_FILENAME_SIZE];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:721:23: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    FILE *outstream = fopen(filename, "w");

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:741:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char filename[AGN_MAX_FILENAME_SIZE];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:743:23: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    FILE *outstream = fopen(filename, "w");

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:764:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char filename[AGN_MAX_FILENAME_SIZE];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:766:23: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    FILE *outstream = fopen(filename, "w");

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:786:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char filename[AGN_MAX_FILENAME_SIZE];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:788:23: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    FILE *outstream = fopen(filename, "w");

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:808:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char filename[AGN_MAX_FILENAME_SIZE];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:810:23: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    FILE *outstream = fopen(filename, "w");

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:830:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char filename[AGN_MAX_FILENAME_SIZE];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:832:23: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    FILE *outstream = fopen(filename, "w");

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:854:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char sstart[64], send[64], slength[64];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:968:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char seqfilename[AGN_MAX_FILENAME_SIZE];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:970:23: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    FILE *outstream = fopen(seqfilename, "w");

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:1319:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char rmatchp[32], rnomatchp[32], pmatchr[32], pnomatchr[32];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:1322:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(rmatchp, "%.1f%%", (float)stats->correct / (float)refrcnt * 100);

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:1323:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(rnomatchp, "%.1f%%", (float)stats->missing / (float)refrcnt * 100);

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:1327:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(rmatchp, "--");

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:1328:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(rnomatchp, "--");

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:1332:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(pmatchr, "%.1f%%", (float)stats->correct / (float)predcnt * 100);

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:1333:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(pnomatchr, "%.1f%%", (float)stats->wrong / (float)predcnt * 100);

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:1337:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(pmatchr, "--");

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:1338:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(pnomatchr, "--");

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportHTML.c:1404:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char seqdircmd[AGN_MAX_FILENAME_SIZE];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:284:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char header[128];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:285:3: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(header, " .......................................%lu (%.1f%%)\n",

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:561:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char buffer[128];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:566:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char rmatchp[32], rnomatchp[32], pmatchr[32], pnomatchr[32];

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:569:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
Risk is low because the source has a constant maximum length. sprintf(rmatchp, "%.1f%%", (float)stats->correct / (float)refrcnt * 100); data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:570:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(rnomatchp, "%.1f%%", (float)stats->missing / (float)refrcnt * 100); data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:574:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(rmatchp, "--"); data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:575:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(rnomatchp, "--"); data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:579:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(pmatchr, "%.1f%%", (float)stats->correct / (float)predcnt * 100); data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:580:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(pnomatchr, "%.1f%%", (float)stats->wrong / (float)predcnt * 100); data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:584:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(pmatchr, "--"); data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:585:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). 
Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(pnomatchr, "--"); data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:588:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buffer, " reference .............................%lu\n", refrcnt); data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:598:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buffer, " prediction ............................%lu\n", predcnt); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:189:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->sns, "--"); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:191:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->sns, "%.3lf", stats->sn); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:196:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->sps, "--"); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:198:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->sps, "%.3lf", stats->sp); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:205:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. 
Risk is low because the source has a constant maximum length. sprintf(stats->f1s, "--"); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:207:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->f1s, "%.3lf", stats->f1); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:213:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->eds, "--"); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:215:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->eds, "%.3lf", stats->ed); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:269:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->mcs, "--"); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:271:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->mcs, "%.3lf", stats->mc); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:276:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->ccs, "--"); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:278:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. 
sprintf(stats->ccs, "%.3lf", stats->cc); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:283:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->sns, "--"); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:285:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->sns, "%.3lf", stats->sn); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:290:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->sps, "--"); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:292:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->sps, "%.3lf", stats->sp); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:299:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->f1s, "--"); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:301:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->f1s, "%.3lf", stats->f1); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:307:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->eds, "--"); data/aegean-0.16.0+dfsg/src/core/AgnComparison.c:309:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). 
Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(stats->eds, "%.3lf", stats->ed); data/aegean-0.16.0+dfsg/src/core/AgnGaevalVisitor.c:538:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char covstr[16]; data/aegean-0.16.0+dfsg/src/core/AgnGaevalVisitor.c:539:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(covstr, "%.3lf", coverage); data/aegean-0.16.0+dfsg/src/core/AgnGaevalVisitor.c:544:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char intstr[16]; data/aegean-0.16.0+dfsg/src/core/AgnGaevalVisitor.c:545:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(intstr, "%.3lf", integrity); data/aegean-0.16.0+dfsg/src/core/AgnGeneStream.c:309:15: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). FILE *log = fopen("/dev/null", "w"); data/aegean-0.16.0+dfsg/src/core/AgnInferCDSVisitor.c:238:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). 
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char newid[64]; data/aegean-0.16.0+dfsg/src/core/AgnInferCDSVisitor.c:239:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(newid, "CDS%lu", v->cdscounter++); data/aegean-0.16.0+dfsg/src/core/AgnInferExonsVisitor.c:329:7: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char parentstr[1024]; data/aegean-0.16.0+dfsg/src/core/AgnLocus.c:410:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[256]; data/aegean-0.16.0+dfsg/src/core/AgnLocus.c:460:24: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). filter.testvalue = atol(valuestr); data/aegean-0.16.0+dfsg/src/core/AgnLocus.c:767:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
char trackname[512]; data/aegean-0.16.0+dfsg/src/core/AgnLocus.c:892:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char pngfile[512]; data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:351:14: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). origro = atol(rostr); data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:438:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char lenstr[32]; data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:439:9: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(lenstr, "%lu", gt_range_length(&origrange) - origro); data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:464:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char exceptstr[32]; data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:466:9: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. 
sprintf(exceptstr, "complex-overlap-%lu", genenum); data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:482:7: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char lenstr[32]; data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:483:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(lenstr, "%lu", gt_range_length(&origrange) - origro); data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:517:7: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char lenstr[32]; data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:518:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(lenstr, "%lu", gt_range_length(&origrange) - origro); data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:543:7: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char lenstr1[32]; data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:544:7: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). 
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char lenstr2[32]; data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:545:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(lenstr1, "%lu", elen1); data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:546:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(lenstr2, "%lu", elen2); data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:590:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char lenstr[32]; data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:591:9: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(lenstr, "%lu", gt_range_length(&origrange) - origro); data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:594:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char exceptstr[32]; data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:596:9: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. 
sprintf(exceptstr, "complex-overlap-%lu", genenum); data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:665:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char lenstr[32]; data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:669:12: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). ro = atol(rostr); data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:670:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(lenstr, "%lu", gt_range_length(&rng) - ro); data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:723:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char locusname[256]; data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:778:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char key[128]; data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:779:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). 
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char value[32]; data/aegean-0.16.0+dfsg/src/core/AgnLocusRefineStream.c:781:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(value, "%lu", *attrvalue); data/aegean-0.16.0+dfsg/src/core/AgnLocusStream.c:300:7: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char ovrlp[16]; data/aegean-0.16.0+dfsg/src/core/AgnLocusStream.c:301:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(ovrlp, "%lu", overlap); data/aegean-0.16.0+dfsg/src/core/AgnLocusStream.c:322:7: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char ovrlp[16]; data/aegean-0.16.0+dfsg/src/core/AgnLocusStream.c:323:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(ovrlp, "%lu", overlap); data/aegean-0.16.0+dfsg/src/core/AgnLocusStream.c:368:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
char iilocuslen[32]; data/aegean-0.16.0+dfsg/src/core/AgnLocusStream.c:369:9: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(iilocuslen, "%lu", gt_range_length(&irange)); data/aegean-0.16.0+dfsg/src/core/AgnLocusStream.c:523:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char locusname[256]; data/aegean-0.16.0+dfsg/src/core/AgnLocusStream.c:578:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char key[128]; data/aegean-0.16.0+dfsg/src/core/AgnLocusStream.c:579:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char value[32]; data/aegean-0.16.0+dfsg/src/core/AgnLocusStream.c:581:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(value, "%lu", *attrvalue); data/aegean-0.16.0+dfsg/src/core/AgnTranscriptClique.c:180:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
char id[32768]; data/aegean-0.16.0+dfsg/src/core/AgnUtils.c:317:18: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. int spaces = sprintf(buffer, "%lu", n); data/aegean-0.16.0+dfsg/src/core/AgnUtils.c:323:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buffer, ",%03lu", n % 1000); data/aegean-0.16.0+dfsg/src/gaeval.c:83:39: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). options->params.exp_3putr_len = atoi(optarg); data/aegean-0.16.0+dfsg/src/gaeval.c:85:39: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). options->params.exp_5putr_len = atoi(optarg); data/aegean-0.16.0+dfsg/src/gaeval.c:91:37: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). options->params.exp_cds_len = atoi(optarg); data/aegean-0.16.0+dfsg/src/locuspocus.c:215:29: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). 
  options->genestream = fopen(optarg, "w");

data/aegean-0.16.0+dfsg/src/locuspocus.c:226:27: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  options->ilenfile = fopen(optarg, "w");

data/aegean-0.16.0+dfsg/src/locuspocus.c:289:30: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  options->transstream = fopen(optarg, "w");

data/aegean-0.16.0+dfsg/src/pmrna.c:69:28: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  options->mapstream = fopen(optarg, "w");

data/aegean-0.16.0+dfsg/src/xtractore.c:151:25: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  options->idfile = fopen(optarg, "r");

data/aegean-0.16.0+dfsg/src/xtractore.c:157:26: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  options->outfile = fopen(optarg, "w");

data/aegean-0.16.0+dfsg/src/xtractore.c:345:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char subseqid[1024];

data/aegean-0.16.0+dfsg/src/core/AgnCliquePair.c:338:7: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(refr_vector) == gt_genome_node_get_length(pair->refr_clique) &&

data/aegean-0.16.0+dfsg/src/core/AgnCliquePair.c:339:7: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(pred_vector) == gt_genome_node_get_length(pair->refr_clique)

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:287:3: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(header + 4, label, strlen(label));

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:287:30: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strncpy(header + 4, label, strlen(label));

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:589:3: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(buffer + 14, units, strlen(units));

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:589:31: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strncpy(buffer + 14, units, strlen(units));

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:599:3: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(buffer + 15, units, strlen(units));

data/aegean-0.16.0+dfsg/src/core/AgnCompareReportText.c:599:31: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strncpy(buffer + 15, units, strlen(units));

data/aegean-0.16.0+dfsg/src/core/AgnInferExonsVisitor.c:323:10: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if(strlen(tid) > 1023)

data/aegean-0.16.0+dfsg/src/core/AgnInferExonsVisitor.c:327:59: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  "characters), will be truncated\n", strlen(tid));

data/aegean-0.16.0+dfsg/src/core/AgnInferExonsVisitor.c:330:7: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(parentstr, parentattr, 1023);

data/aegean-0.16.0+dfsg/src/core/AgnInferExonsVisitor.c:331:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sprintf(parentstr + strlen(parentstr), ",%s", tid);

data/aegean-0.16.0+dfsg/src/core/AgnLocus.c:415:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if(strlen(buffer) == 0 || buffer[0] == '\n' || buffer[0] == '#')

data/aegean-0.16.0+dfsg/src/core/AgnTranscriptClique.c:194:16: [1] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source is a constant character.
  idptr += sprintf(idptr, ",");

data/aegean-0.16.0+dfsg/src/core/AgnTranscriptClique.c:539:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  agn_assert(gt_range_length(&locusrange) == strlen(modelvector));

data/aegean-0.16.0+dfsg/src/xtractore.c:264:5: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(outseqp, (char *)(sequence + region->r.start - 1), rlength);

data/aegean-0.16.0+dfsg/src/xtractore.c:278:20: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  GtUword seqlen = strlen(sequence);

ANALYSIS SUMMARY:

Hits = 213
Lines analyzed = 16157 in approximately 0.49 seconds (32746 lines/second)
Physical Source Lines of Code (SLOC) = 12050
Hits@level = [0] 241 [1]  17 [2] 146 [3]  12 [4]  38 [5]   0
Hits@level+ = [0+] 454 [1+] 213 [2+] 196 [3+]  50 [4+]  38 [5+]   0
Hits/KSLOC@level+ = [0+] 37.6763 [1+] 17.6763 [2+] 16.2656 [3+] 4.14938 [4+] 3.15353 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
