Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/glam2-1064/src/scan_output.c
Examining data/glam2-1064/src/column_sample.h
Examining data/glam2-1064/src/util.c
Examining data/glam2-1064/src/site_sample.h
Examining data/glam2-1064/src/output.h
Examining data/glam2-1064/src/dna_prior.c
Examining data/glam2-1064/src/version.h
Examining data/glam2-1064/src/util.h
Examining data/glam2-1064/src/args.h
Examining data/glam2-1064/src/output.c
Examining data/glam2-1064/src/glam2_aln.c
Examining data/glam2-1064/src/glam2mask.c
Examining data/glam2-1064/src/alphabet.c
Examining data/glam2-1064/src/init.h
Examining data/glam2-1064/src/scan.h
Examining data/glam2-1064/src/init.c
Examining data/glam2-1064/src/glam2.c
Examining data/glam2-1064/src/recode3_20comp.h
Examining data/glam2-1064/src/args.c
Examining data/glam2-1064/src/motif.c
Examining data/glam2-1064/src/glam2_aln.h
Examining data/glam2-1064/src/column_sample.c
Examining data/glam2-1064/src/dna_prior.h
Examining data/glam2-1064/src/fasta.c
Examining data/glam2-1064/src/recode3_20comp.c
Examining data/glam2-1064/src/site_sample.c
Examining data/glam2-1064/src/convolve.h
Examining data/glam2-1064/src/motif.h
Examining data/glam2-1064/src/fasta.h
Examining data/glam2-1064/src/alignment.h
Examining data/glam2-1064/src/dirichlet.c
Examining data/glam2-1064/src/dirichlet.h
Examining data/glam2-1064/src/glam2.h
Examining data/glam2-1064/src/scan_init.c
Examining data/glam2-1064/src/alignment.c
Examining data/glam2-1064/src/glam2format.c
Examining data/glam2-1064/src/heap.h
Examining data/glam2-1064/src/scan.c
Examining data/glam2-1064/src/heap.c
Examining data/glam2-1064/src/alphabet.h
Examining data/glam2-1064/src/scan_init.h
Examining data/glam2-1064/src/scan_args.c
Examining data/glam2-1064/src/convolve.c
Examining data/glam2-1064/src/scan_args.h
Examining data/glam2-1064/src/scan_output.h
Examining data/glam2-1064/purge/purge.c
Examining data/glam2-1064/purge/mheap.h
Examining data/glam2-1064/purge/stdinc.h
Examining data/glam2-1064/purge/afnio.c
Examining data/glam2-1064/purge/random.h
Examining data/glam2-1064/purge/alphabet.c
Examining data/glam2-1064/purge/mlist.h
Examining data/glam2-1064/purge/gblast.h
Examining data/glam2-1064/purge/sequence.h
Examining data/glam2-1064/purge/block.h
Examining data/glam2-1064/purge/karlin.c
Examining data/glam2-1064/purge/mheap.c
Examining data/glam2-1064/purge/seqset.h
Examining data/glam2-1064/purge/block.c
Examining data/glam2-1064/purge/gblast.c
Examining data/glam2-1064/purge/sequence.c
Examining data/glam2-1064/purge/pairaln.h
Examining data/glam2-1064/purge/random.c
Examining data/glam2-1064/purge/dheap.c
Examining data/glam2-1064/purge/pairaln.c
Examining data/glam2-1064/purge/alphabet.h
Examining data/glam2-1064/purge/afnio.h
Examining data/glam2-1064/purge/purge.h
Examining data/glam2-1064/purge/karlin.h
Examining data/glam2-1064/purge/residues.h
Examining data/glam2-1064/purge/dheap.h
Examining data/glam2-1064/purge/seqset.c
Examining data/glam2-1064/purge/pmain.c
Examining data/glam2-1064/purge/mlist.c

FINAL RESULTS:

data/glam2-1064/purge/afnio.c:9:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
	strcpy(s,fstring);
data/glam2-1064/purge/afnio.c:10:2:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
	strcat(s,subfile);
data/glam2-1064/purge/afnio.c:58:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
	strcpy(S,s); return S; 
data/glam2-1064/purge/alphabet.c:80:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
	strcpy(A->code2let,map_s); 
data/glam2-1064/purge/alphabet.c:82:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
	strcpy(A->code2lower,map_s); 
data/glam2-1064/purge/purge.c:107:4:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
	  sprintf(str,"%s.%c%ld",NameSeqSet(P),method,cutoff);
data/glam2-1064/purge/seqset.c:110:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
	strcpy(P->name,filename); P->A = A;
data/glam2-1064/src/util.c:289:3:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  vfprintf(stderr, fmt, args);
data/glam2-1064/src/util.c:322:10:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  return strcpy(t, cs);
data/glam2-1064/src/args.c:100:15:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
  while ((c = getopt(argc, argv, "hn:r:o:2a:b:z:w:D:E:I:J:pm:x:t:c:u:d:q:s:"))
data/glam2-1064/src/glam2format.c:319:15:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
  while ((c = getopt(argc, argv, "o:cf:")) != -1) {  /* non-ANSI */
data/glam2-1064/src/glam2mask.c:71:15:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
  while ((c = getopt(argc, argv, "o:x:")) != -1) {  /* non-ANSI */
data/glam2-1064/src/init.c:163:3:  [3] (random) srand:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  srand(d->a.seed);
data/glam2-1064/src/scan_args.c:57:15:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
  while ((c = getopt(argc, argv, "ho:n:2D:E:I:J:d:")) != -1) {
data/glam2-1064/purge/afnio.c:6:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char	s[100];
data/glam2-1064/purge/afnio.c:11:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	if((fptr = fopen(s,cmnd)) == NULL) {
data/glam2-1064/purge/pmain.c:6:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char	score[100],*DBS_NAME,c=' ';
data/glam2-1064/purge/pmain.c:15:2:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
	sprintf(score,".%c%d",c,cutoff_score);
data/glam2-1064/purge/purge.c:16:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	char	str[100];
data/glam2-1064/purge/seqset.c:84:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
	strcpy(P->name,"temp_file"); P->A = A;
data/glam2-1064/purge/seqset.c:130:20:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        if((fptr = fopen(P->name,"r")) == NULL) {
data/glam2-1064/purge/sequence.c:111:20:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        if((fptr = fopen(DBS_NAME,"r")) == NULL) {
data/glam2-1064/purge/sequence.c:610:20:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        if((fptr = fopen(infile,"r")) == NULL) {
data/glam2-1064/purge/sequence.c:631:20:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        if((fptr = fopen(infile,"r")) == NULL) {
data/glam2-1064/src/dirichlet.c:261:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char word[21];  /* allow for terminating NUL */
data/glam2-1064/src/glam2format.c:254:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
      memcpy(new_seq + left_tot, s->seq, aln_len);
data/glam2-1064/src/util.c:329:10:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  return memcpy(t, cs, n);
data/glam2-1064/src/util.c:395:8:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  fp = fopen(filename, mode);
data/glam2-1064/src/util.h:9:23:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
#define COPY(s, t, n) memcpy(s, t, (n) * sizeof *(s))
data/glam2-1064/purge/afnio.c:56:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if((S=(char*) calloc((strlen(s)+1),sizeof(char)))==NULL)
data/glam2-1064/purge/alphabet.c:59:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	NEW(A->prs,strlen(prs)+2,char);
data/glam2-1064/purge/alphabet.c:78:2:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
	strncpy(A->alphabet,map_s,nAlpha(A)+1);	
data/glam2-1064/purge/alphabet.c:79:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	NEW(A->code2let,(strlen(map_s)+1),char);	/* CODE2LETTER */
data/glam2-1064/purge/alphabet.c:81:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	NEW(A->code2lower,(strlen(map_s)+1),char); 	/* LOWER*/
data/glam2-1064/purge/alphabet.c:111:5:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	if(strlen(R)==0) { A->R = NULL; return A; }
data/glam2-1064/purge/seqset.c:109:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	NEW(P->name,strlen(filename)+2,char);
data/glam2-1064/purge/seqset.c:241:11:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
	while((c=fgetc(fptr))!=EOF){ if(c=='>') break; }
data/glam2-1064/purge/seqset.c:243:23:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
		if(c=='>') while((c=fgetc(fptr))!=EOF){ if(c=='\n') break; }
data/glam2-1064/purge/seqset.c:248:16:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
			for(j=0; (c=fgetc(fptr)) != EOF; j++) {
data/glam2-1064/purge/seqset.c:256:22:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
           	   if((c=fgetc(fptr))==EOF) break; 
data/glam2-1064/purge/sequence.c:9:32:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        while(c != EOF){ if((c=fgetc(fptr)) == '>') break; }
data/glam2-1064/purge/sequence.c:12:21:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        for(i=0; (c=fgetc(fptr))!=EOF; i++){ 
data/glam2-1064/purge/sequence.c:18:26:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        for(length=1; (c=fgetc(fptr))!=EOF; ){ 
data/glam2-1064/purge/sequence.c:117:18:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        while((c=fgetc(fptr))!=EOF){ if(c=='>') break; }
data/glam2-1064/purge/sequence.c:121:37:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
                if(c=='>') while((c=fgetc(fptr))!=EOF){ if(c=='\n') break; }
data/glam2-1064/purge/sequence.c:134:26:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
                   if((c=fgetc(fptr))==EOF) break;
data/glam2-1064/purge/sequence.c:186:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		len = strlen(E->info);
data/glam2-1064/purge/sequence.c:615:18:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        while((c=fgetc(fptr))!=EOF){ if(c=='>') break; }
data/glam2-1064/purge/sequence.c:616:29:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        if(c=='>') while((c=fgetc(fptr))!=EOF){ if(c=='\n') break; }
data/glam2-1064/purge/sequence.c:621:28:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
                  while((c=fgetc(fptr)) != EOF) {
data/glam2-1064/purge/sequence.c:628:20:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
             if((c=fgetc(fptr))==EOF) break;
data/glam2-1064/purge/stdinc.h:48:28:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
                	    while(getchar()!='\n') if(feof(stdin)) exit(1);\
data/glam2-1064/purge/stdinc.h:50:15:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
 			  } while(getchar()!='\n') if(feof(stdin)) exit(1);\
data/glam2-1064/purge/stdinc.h:55:28:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
                	    while(getchar()!='\n') if(feof(stdin)) exit(1);\
data/glam2-1064/purge/stdinc.h:57:15:  [1] (buffer) getchar:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
 			  } while(getchar()!='\n') if(feof(stdin)) exit(1);\
data/glam2-1064/src/alignment.c:7:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  const size_t len = strlen(a->key_positions);
data/glam2-1064/src/alignment.c:10:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    if (strlen(a->seqs[i].seq) != len)
data/glam2-1064/src/alphabet.c:19:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  a->size = strlen(string);
data/glam2-1064/src/alphabet.c:40:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  a->size = strlen(string);
data/glam2-1064/src/alphabet.c:64:14:  [1] (buffer) getc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  while((c = getc(fp)) != EOF) {
data/glam2-1064/src/dirichlet.c:269:10:  [1] (buffer) fscanf:
  It's unclear if the %s limit in the format string is small enough
  (CWE-120). Check that the limit is sufficiently small, or use a different
  input function.
  while (fscanf(stream, "%20s", word) == 1) {
data/glam2-1064/src/fasta.c:105:14:  [1] (buffer) getc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  while((c = getc(fp)) != EOF) {
data/glam2-1064/src/fasta.c:133:15:  [1] (buffer) getc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  while ((c = getc(fp)) != EOF)
data/glam2-1064/src/glam2format.c:54:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    const size_t len = strlen(a->seqs[i].seq);
data/glam2-1064/src/glam2format.c:74:30:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	    s->name, (unsigned long)strlen(s->seq));
data/glam2-1064/src/glam2format.c:82:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      const size_t len = strlen(s->seq);  /* slow */
data/glam2-1064/src/glam2format.c:237:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
      const int aln_len = strlen(s->seq);
data/glam2-1064/src/motif.c:17:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  const int columns = strlen(a->key_positions);
data/glam2-1064/src/motif.c:62:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(strlen(aln.key_positions) <= INT_MAX);  /* can fail */
data/glam2-1064/src/util.c:321:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  t = xmalloc(strlen(cs) + 1);
data/glam2-1064/src/util.c:426:14:  [1] (buffer) getc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  while((c = getc(stream)) != EOF) {

ANALYSIS SUMMARY:

Hits = 71
Lines analyzed = 8796 in approximately 0.33 seconds (26635 lines/second)
Physical Source Lines of Code (SLOC) = 6796
Hits@level = [0] 186 [1]  42 [2]  15 [3]   5 [4]   9 [5]   0
Hits@level+ = [0+] 257 [1+]  71 [2+]  29 [3+]  14 [4+]   9 [5+]   0
Hits/KSLOC@level+ = [0+] 37.8164 [1+] 10.4473 [2+] 4.26722 [3+] 2.06004 [4+] 1.32431 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.