Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/bio-rainbow-2.0.4+dfsg/aln_cigar.h
Examining data/bio-rainbow-2.0.4+dfsg/asm_R2.h
Examining data/bio-rainbow-2.0.4+dfsg/bitvec.h
Examining data/bio-rainbow-2.0.4+dfsg/bloom_filter.h
Examining data/bio-rainbow-2.0.4+dfsg/cluster.c
Examining data/bio-rainbow-2.0.4+dfsg/divide.c
Examining data/bio-rainbow-2.0.4+dfsg/dna.h
Examining data/bio-rainbow-2.0.4+dfsg/ezmsim.c
Examining data/bio-rainbow-2.0.4+dfsg/file_reader.c
Examining data/bio-rainbow-2.0.4+dfsg/file_reader.h
Examining data/bio-rainbow-2.0.4+dfsg/hashset.h
Examining data/bio-rainbow-2.0.4+dfsg/heap.h
Examining data/bio-rainbow-2.0.4+dfsg/list.h
Examining data/bio-rainbow-2.0.4+dfsg/main.c
Examining data/bio-rainbow-2.0.4+dfsg/mergecontig.c
Examining data/bio-rainbow-2.0.4+dfsg/mergecontig.h
Examining data/bio-rainbow-2.0.4+dfsg/mergectg.c
Examining data/bio-rainbow-2.0.4+dfsg/mergectg.h
Examining data/bio-rainbow-2.0.4+dfsg/mergetag.c
Examining data/bio-rainbow-2.0.4+dfsg/rainbow.h
Examining data/bio-rainbow-2.0.4+dfsg/rbasm_main.c
Examining data/bio-rainbow-2.0.4+dfsg/simp_asm.h
Examining data/bio-rainbow-2.0.4+dfsg/sort.h
Examining data/bio-rainbow-2.0.4+dfsg/stdaln.c
Examining data/bio-rainbow-2.0.4+dfsg/stdaln.h
Examining data/bio-rainbow-2.0.4+dfsg/string.h
Examining data/bio-rainbow-2.0.4+dfsg/vector.h
Examining data/bio-rainbow-2.0.4+dfsg/asm_R2.c

FINAL RESULTS:

data/bio-rainbow-2.0.4+dfsg/file_reader.c:38:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(cmd, "gzip -dc %s", filenames[i]);

data/bio-rainbow-2.0.4+dfsg/file_reader.c:40:15:  [4] (shell) popen:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  fc->file = popen(cmd, "r");

data/bio-rainbow-2.0.4+dfsg/file_reader.c:44:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(fc->filename, filenames[i]);

data/bio-rainbow-2.0.4+dfsg/file_reader.c:73:2:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(filename, prefix);

data/bio-rainbow-2.0.4+dfsg/file_reader.c:74:2:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(filename, postfix);

data/bio-rainbow-2.0.4+dfsg/file_reader.h:208:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(name, filename);

data/bio-rainbow-2.0.4+dfsg/file_reader.h:209:2:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(name, suffix);

data/bio-rainbow-2.0.4+dfsg/string.h:91:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(str, s);

data/bio-rainbow-2.0.4+dfsg/dna.h:150:18:  [3] (random) lrand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  if(c == 4) c = lrand48() & 0x03;

data/bio-rainbow-2.0.4+dfsg/dna.h:159:18:  [3] (random) lrand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  if(c == 4) c = lrand48();

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:179:15:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  v1 = 2.0 * drand48() - 1.0;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:180:15:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  v2 = 2.0 * drand48() - 1.0;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:206:17:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  if (drand48() < INDEL_EXTEND) {

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:212:16:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  if (c < 4 && drand48() < MUT_RATE) { // mutation

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:213:8:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  if (drand48() >= INDEL_FRAC) { // substitution

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:214:16:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  double r = drand48();

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:216:19:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  if (is_hap || drand48() < HOM_RATE) { // hom

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:219:10:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  ret[drand48()<0.5?0:1]->s[i] = SUBSTITUTE|c;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:222:9:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  if (drand48() < 0.5) { // deletion

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:223:20:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  if (is_hap || drand48() < HOM_RATE) { // hom-del

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:227:36:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  deleting = drand48()<0.5?1:2;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:234:50:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  ins = (ins << 2) | (int)(drand48() * 4.0);

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:235:44:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  } while(num_ins < 4 && drand48() < INDEL_EXTEND);

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:237:20:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  if (is_hap || drand48() < HOM_RATE) { // hom-ins

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:240:11:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  ret[drand48()<0.5?0:1]->s[i] = (num_ins << 12) | (ins << 4) | c;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:311:11:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  p = p * drand48();

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:356:9:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  if (drand48() < 0.5) {

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:368:15:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  else if (drand48() < ERR_RATE) {

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:369:22:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  c = (c + (int)(drand48()*3.0 + 1)) & 3;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:377:15:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  else if (drand48() < ERR_RATE) {

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:378:22:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  c = (c + (int)(drand48()*3.0 + 1)) & 3;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:434:14:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  while ((c = getopt(argc, argv, "e:D:1:2:d:s:z:p:")) != -1) {

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:522:23:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  d = dist + (int)(drand48()*overlap);

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:534:20:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  target = rseq[drand48()<0.5?0:1].s;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:575:16:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  else if (drand48() < ERR_RATE) {

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:576:23:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  c = (c + (int)(drand48()*3.0+1)) & 3;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:585:16:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  else if (drand48() < ERR_RATE) {

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:586:23:  [3] (random) drand48:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  c = (c + (int)(drand48()*3.0 + 1)) & 3;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:701:14:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  while ((c = getopt(argc, argv, "e:D:1:2:d:s:z:p:o:t:R:rh:Hm:")) != -1) {

data/bio-rainbow-2.0.4+dfsg/main.c:85:13:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  while((c = getopt(argc, argv, "h1:2:m:e:l:L")) != -1){

data/bio-rainbow-2.0.4+dfsg/main.c:155:13:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  while((c = getopt(argc, argv, "hi:o:k:K:f:")) != -1){

data/bio-rainbow-2.0.4+dfsg/main.c:200:14:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  while ((c = getopt(argc, argv, "hi:l:p:k:o:s:N:f:r:R:a")) != -1) {

data/bio-rainbow-2.0.4+dfsg/mergetag.c:149:13:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  while((c = getopt(argc, argv, "hi:o:j:m:")) != -1){

data/bio-rainbow-2.0.4+dfsg/rbasm_main.c:16:13:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  while((c = getopt(argc, argv, "hi:o:r:R:l:s:")) != -1){

data/bio-rainbow-2.0.4+dfsg/aln_cigar.h:36:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const char aln_cigar_string[8] = "?IDM?SHN";

data/bio-rainbow-2.0.4+dfsg/asm_R2.c:91:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(rd->seq, seq, rd_len);

data/bio-rainbow-2.0.4+dfsg/asm_R2.c:129:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ef->eseq, eseq, rd_len);

data/bio-rainbow-2.0.4+dfsg/asm_R2.c:360:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  eid = atoi(get_col_str(in, 1));

data/bio-rainbow-2.0.4+dfsg/asm_R2.c:379:11:  [2] (integer) atol:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  seqid = atol(get_col_str(in, 0));

data/bio-rainbow-2.0.4+dfsg/asm_R2.h:45:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char seq[MAX_RD_LEN+1];

data/bio-rainbow-2.0.4+dfsg/asm_R2.h:63:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char eseq[MAX_RD_LEN];

data/bio-rainbow-2.0.4+dfsg/cluster.c:341:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char seq1[256], seq2[256];

data/bio-rainbow-2.0.4+dfsg/divide.c:243:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char route[257];

data/bio-rainbow-2.0.4+dfsg/dna.h:72:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const char bit_base_table[6] = "ACGTN-";

data/bio-rainbow-2.0.4+dfsg/dna.h:73:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const char bit4_base_table[16] = "-ACMGRSVTWYHKDBN";

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:110:12:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((fp = fopen(fn, mode)) == 0) {

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:324:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char name[256], *qstr;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:438:22:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case '1': size_l = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:439:22:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case '2': size_r = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:441:19:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'p': pos = atoi(optarg);

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:478:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char name[256], *qstr;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:705:22:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case '1': size_l = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:706:22:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case '2': size_r = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:708:19:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'p': pos = atoi(optarg);

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:710:20:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'd': dist = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:712:23:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'o': overlap = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/ezmsim.c:713:20:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 't': step = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/file_reader.c:42:25:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  } else if((fc->file = fopen(filenames[i], "r")) != NULL){

data/bio-rainbow-2.0.4+dfsg/file_reader.c:64:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *filenames[1];

data/bio-rainbow-2.0.4+dfsg/file_reader.h:142:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(full_name, name, strlen(name));

data/bio-rainbow-2.0.4+dfsg/file_reader.h:143:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(full_name + strlen(name), suffix, strlen(suffix) + 1);

data/bio-rainbow-2.0.4+dfsg/file_reader.h:145:9:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  file = fopen(full_name, "r");

data/bio-rainbow-2.0.4+dfsg/file_reader.h:157:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(full_name, name, strlen(name));

data/bio-rainbow-2.0.4+dfsg/file_reader.h:158:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(full_name + strlen(name), suffix, strlen(suffix) + 1);

data/bio-rainbow-2.0.4+dfsg/file_reader.h:160:9:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  file = fopen(full_name, "w+");

data/bio-rainbow-2.0.4+dfsg/file_reader.h:172:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(full_name, name, strlen(name));

data/bio-rainbow-2.0.4+dfsg/file_reader.h:173:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(full_name + strlen(name), suffix, strlen(suffix) + 1);

data/bio-rainbow-2.0.4+dfsg/file_reader.h:175:9:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  file = fopen(full_name, "a+");

data/bio-rainbow-2.0.4+dfsg/file_reader.h:198:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if((file = fopen(filename, "r+")) == NULL){

data/bio-rainbow-2.0.4+dfsg/file_reader.h:210:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if((file = fopen(name, "r+")) == NULL){

data/bio-rainbow-2.0.4+dfsg/list.h:154:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(list1->buffer + list1->size, list2->buffer, sizeof(e_type) * list2->size); \

data/bio-rainbow-2.0.4+dfsg/main.c:91:27:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'l': fix_rd_len = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/main.c:92:23:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'm': max_mm = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/main.c:93:28:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'e': exact_limit = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/main.c:160:25:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'k': k_allele = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/main.c:161:25:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'K': K_allele = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/main.c:173:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if((out = fopen(outfile, "w")) == NULL){

data/bio-rainbow-2.0.4+dfsg/main.c:205:28:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'l': min_overlap = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/main.c:207:25:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'k': min_kmer = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/main.c:210:25:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 's': kmersize = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/main.c:211:28:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'N': max_cluster = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/main.c:213:25:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'r': min_read = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/main.c:214:25:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'R': max_read = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/main.c:225:14:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((out = fopen(outfile, "w")) == NULL) {

data/bio-rainbow-2.0.4+dfsg/mergecontig.c:26:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  key = atoi(get_col_str(fr2, 1));

data/bio-rainbow-2.0.4+dfsg/mergecontig.c:27:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  val = atoi(get_col_str(fr2, 4));

data/bio-rainbow-2.0.4+dfsg/mergecontig.c:57:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  id = atoi(line->string+2);

data/bio-rainbow-2.0.4+dfsg/mergecontig.h:16:17:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static unsigned char aln_nt16_table[256] = {

data/bio-rainbow-2.0.4+dfsg/mergectg.c:53:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  cid = atoi(get_col_str(in, 4));

data/bio-rainbow-2.0.4+dfsg/mergectg.c:58:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  eid = atoi(get_col_str(in, 1));

data/bio-rainbow-2.0.4+dfsg/mergectg.c:74:17:  [2] (integer) atol:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  rd->seq_id = atol(get_col_str(in, 0));

data/bio-rainbow-2.0.4+dfsg/mergectg.c:83:16:  [2] (integer) atol:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  rd->seq_id = atol(get_col_str(in, 0));

data/bio-rainbow-2.0.4+dfsg/mergectg.c:587:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  cid = atoi(get_col_str(in, 4));

data/bio-rainbow-2.0.4+dfsg/mergectg.h:14:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char seq[MAX_RD_LEN+1];

data/bio-rainbow-2.0.4+dfsg/mergetag.c:154:23:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'm': max_mm = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/mergetag.c:164:17:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  else if((out = fopen(ouf, "w")) == NULL){

data/bio-rainbow-2.0.4+dfsg/rbasm_main.c:20:23:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  case 'l': min_ol = atoi(optarg); break;

data/bio-rainbow-2.0.4+dfsg/rbasm_main.c:22:25:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190).
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). case 'r': min_read = atoi(optarg); break; data/bio-rainbow-2.0.4+dfsg/rbasm_main.c:23:25: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). case 'R': max_read = atoi(optarg); break; data/bio-rainbow-2.0.4+dfsg/rbasm_main.c:33:17: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). else if((out = fopen(outfile, "w")) == NULL){ data/bio-rainbow-2.0.4+dfsg/stdaln.c:29:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char aln_nt16_table[256] = { data/bio-rainbow-2.0.4+dfsg/stdaln.c:50:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char aln_nt4_table[256] = { data/bio-rainbow-2.0.4+dfsg/stdaln.c:71:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
unsigned char aln_aa_table[256] = { data/bio-rainbow-2.0.4+dfsg/stdaln.c:93:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char aln_trans_table_eu[66] = { data/bio-rainbow-2.0.4+dfsg/ezmsim.c:67:22: [1] (buffer) fgetc: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). while (!feof(fp) && fgetc(fp) != '>'); data/bio-rainbow-2.0.4+dfsg/ezmsim.c:70:27: [1] (buffer) fgetc: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). while (!feof(fp) && (c = fgetc(fp)) != ' ' && c != '\t' && c != '\n') data/bio-rainbow-2.0.4+dfsg/ezmsim.c:76:30: [1] (buffer) fgetc: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). while (!feof(fp) && ((c = fgetc(fp)) == ' ' || c == '\t')); data/bio-rainbow-2.0.4+dfsg/ezmsim.c:79:30: [1] (buffer) fgetc: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). while (!feof(fp) && (c = fgetc(fp)) != '\n') data/bio-rainbow-2.0.4+dfsg/ezmsim.c:84:44: [1] (buffer) fgetc: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). } else if (c != '\n') while (!feof(fp) && fgetc(fp) != '\n'); data/bio-rainbow-2.0.4+dfsg/ezmsim.c:86:27: [1] (buffer) fgetc: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). while (!feof(fp) && (c = fgetc(fp)) != '>') { data/bio-rainbow-2.0.4+dfsg/ezmsim.c:451:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
if (strlen(cut)==0) { data/bio-rainbow-2.0.4+dfsg/ezmsim.c:464:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). pos = strlen(cut)/2; data/bio-rainbow-2.0.4+dfsg/ezmsim.c:726:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(cut)==0) { data/bio-rainbow-2.0.4+dfsg/ezmsim.c:739:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). pos = strlen(cut)/2; data/bio-rainbow-2.0.4+dfsg/file_reader.c:36:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). } else if(strlen(filenames[i]) > 3 && strcmp(filenames[i] + strlen(filenames[i]) - 3, ".gz") == 0){ data/bio-rainbow-2.0.4+dfsg/file_reader.c:36:63: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). } else if(strlen(filenames[i]) > 3 && strcmp(filenames[i] + strlen(filenames[i]) - 3, ".gz") == 0){ data/bio-rainbow-2.0.4+dfsg/file_reader.c:37:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). cmd = (char*)malloc(strlen(filenames[i]) + 20); data/bio-rainbow-2.0.4+dfsg/file_reader.c:39:48: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
fc->filename = (char*)malloc(sizeof(char)* (strlen(filenames[i])+1)); data/bio-rainbow-2.0.4+dfsg/file_reader.c:43:48: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). fc->filename = (char*)malloc(sizeof(char)* (strlen(filenames[i])+1)); data/bio-rainbow-2.0.4+dfsg/file_reader.c:71:20: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). filename = alloca(strlen(prefix) + strlen(postfix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.c:71:37: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). filename = alloca(strlen(prefix) + strlen(postfix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.c:88:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). fr->size = strlen(string); data/bio-rainbow-2.0.4+dfsg/file_reader.c:105:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if(fc->filename && strlen(fc->filename) > 3 && strcmp(fc->filename + strlen(fc->filename) - 3, ".gz") == 0) pclose(fc->file); data/bio-rainbow-2.0.4+dfsg/file_reader.c:105:73: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if(fc->filename && strlen(fc->filename) > 3 && strcmp(fc->filename + strlen(fc->filename) - 3, ".gz") == 0) pclose(fc->file); data/bio-rainbow-2.0.4+dfsg/file_reader.c:125:7: [1] (buffer) getchar: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). 
c = getchar(); data/bio-rainbow-2.0.4+dfsg/file_reader.c:191:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(expr); data/bio-rainbow-2.0.4+dfsg/file_reader.h:141:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). full_name = (char*)alloca(strlen(name) + strlen(suffix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.h:141:44: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). full_name = (char*)alloca(strlen(name) + strlen(suffix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.h:142:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(full_name, name, strlen(name)); data/bio-rainbow-2.0.4+dfsg/file_reader.h:143:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(full_name + strlen(name), suffix, strlen(suffix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.h:143:44: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(full_name + strlen(name), suffix, strlen(suffix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.h:156:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
full_name = (char*)alloca(strlen(name) + strlen(suffix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.h:156:44: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). full_name = (char*)alloca(strlen(name) + strlen(suffix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.h:157:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(full_name, name, strlen(name)); data/bio-rainbow-2.0.4+dfsg/file_reader.h:158:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(full_name + strlen(name), suffix, strlen(suffix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.h:158:44: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(full_name + strlen(name), suffix, strlen(suffix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.h:171:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). full_name = (char*)alloca(strlen(name) + strlen(suffix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.h:171:44: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). full_name = (char*)alloca(strlen(name) + strlen(suffix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.h:172:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
memcpy(full_name, name, strlen(name)); data/bio-rainbow-2.0.4+dfsg/file_reader.h:173:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(full_name + strlen(name), suffix, strlen(suffix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.h:173:44: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). memcpy(full_name + strlen(name), suffix, strlen(suffix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.h:207:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). name = alloca(strlen(filename) + strlen(suffix) + 1); data/bio-rainbow-2.0.4+dfsg/file_reader.h:207:35: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). name = alloca(strlen(filename) + strlen(suffix) + 1); data/bio-rainbow-2.0.4+dfsg/mergecontig.c:59:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (len < (int)strlen(line->string+2)) { data/bio-rainbow-2.0.4+dfsg/mergecontig.c:60:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = (int)strlen(line->string+2); data/bio-rainbow-2.0.4+dfsg/mergecontig.c:167:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
aln_len = strlen(aa->out1); data/bio-rainbow-2.0.4+dfsg/mergecontig.c:243:12: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). seqlen = strlen(c0->seq); data/bio-rainbow-2.0.4+dfsg/mergecontig.c:283:12: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). seqlen = strlen(c0->seq); data/bio-rainbow-2.0.4+dfsg/mergecontig.c:405:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). aln_len = strlen(aa->out1); data/bio-rainbow-2.0.4+dfsg/mergecontig.c:454:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). aln_len = strlen(aa->out1); data/bio-rainbow-2.0.4+dfsg/mergecontig.h:89:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len1 = strlen(s1); data/bio-rainbow-2.0.4+dfsg/mergecontig.h:90:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len2 = strlen(s2); data/bio-rainbow-2.0.4+dfsg/mergectg.c:69:35: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). append_string(ctg->path, path, strlen(path)); data/bio-rainbow-2.0.4+dfsg/mergectg.c:263:7: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
n1 = strlen(c1->path->string); data/bio-rainbow-2.0.4+dfsg/mergectg.c:264:7: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). n2 = strlen(c2->path->string); data/bio-rainbow-2.0.4+dfsg/mergectg.c:413:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(path); data/bio-rainbow-2.0.4+dfsg/stdaln.c:731:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (len1 < 0) len1 = strlen(seq1); data/bio-rainbow-2.0.4+dfsg/stdaln.c:732:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (len2 < 0) len2 = strlen(seq2); data/bio-rainbow-2.0.4+dfsg/string.h:62:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size = strlen(string); data/bio-rainbow-2.0.4+dfsg/string.h:88:10: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len += strlen(s); data/bio-rainbow-2.0.4+dfsg/string.h:133:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
len = strlen(chs); ANALYSIS SUMMARY: Hits = 171 Lines analyzed = 8583 in approximately 0.32 seconds (27086 lines/second) Physical Source Lines of Code (SLOC) = 7111 Hits@level = [0] 154 [1] 57 [2] 70 [3] 36 [4] 8 [5] 0 Hits@level+ = [0+] 325 [1+] 171 [2+] 114 [3+] 44 [4+] 8 [5+] 0 Hits/KSLOC@level+ = [0+] 45.7038 [1+] 24.0473 [2+] 16.0315 [3+] 6.1876 [4+] 1.12502 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.