Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/harvest-tools-1.3/src/harvest-phylogeny.c
Examining data/harvest-tools-1.3/src/harvest/AnnotationList.cpp
Examining data/harvest-tools-1.3/src/harvest/AnnotationList.h
Examining data/harvest-tools-1.3/src/harvest/HarvestIO.cpp
Examining data/harvest-tools-1.3/src/harvest/HarvestIO.h
Examining data/harvest-tools-1.3/src/harvest/LcbList.cpp
Examining data/harvest-tools-1.3/src/harvest/LcbList.h
Examining data/harvest-tools-1.3/src/harvest/PhylogenyTree.cpp
Examining data/harvest-tools-1.3/src/harvest/PhylogenyTree.h
Examining data/harvest-tools-1.3/src/harvest/PhylogenyTreeNode.cpp
Examining data/harvest-tools-1.3/src/harvest/PhylogenyTreeNode.h
Examining data/harvest-tools-1.3/src/harvest/ReferenceList.cpp
Examining data/harvest-tools-1.3/src/harvest/ReferenceList.h
Examining data/harvest-tools-1.3/src/harvest/TrackList.cpp
Examining data/harvest-tools-1.3/src/harvest/TrackList.h
Examining data/harvest-tools-1.3/src/harvest/VariantList.cpp
Examining data/harvest-tools-1.3/src/harvest/VariantList.h
Examining data/harvest-tools-1.3/src/harvest/exceptions.h
Examining data/harvest-tools-1.3/src/harvest/harvest.cpp
Examining data/harvest-tools-1.3/src/harvest/memcpyLink.h
Examining data/harvest-tools-1.3/src/harvest/memcpyWrap.c
Examining data/harvest-tools-1.3/src/harvest/parse.cpp
Examining data/harvest-tools-1.3/src/harvest/parse.h

FINAL RESULTS:

data/harvest-tools-1.3/src/harvest/LcbList.cpp:180:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(referenceBaseName, referenceFileName);
data/harvest-tools-1.3/src/harvest/harvest.cpp:315:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(arg, bed[i]);
data/harvest-tools-1.3/src/harvest/AnnotationList.cpp:221:13:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  start = atoi(strtok(token, ".")) + offset - 1;
data/harvest-tools-1.3/src/harvest/AnnotationList.cpp:222:11:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  end = atoi(strtok(0, ".,)<>")) + offset - 1;
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:67:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char header[capnpHeaderLength];
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:109:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  int fd = open(file, O_RDONLY);
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:117:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[1024];
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:200:11:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  int fd = open(file, O_RDONLY);
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:315:12:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  int fd = open(file, O_CREAT | O_WRONLY | O_TRUNC, 0644);
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:332:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[1024];
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:542:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char in[CHUNK];
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:543:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char out[CHUNK];
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:598:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char in[CHUNK];
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:599:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char out[CHUNK];
data/harvest-tools-1.3/src/harvest/LcbList.cpp:170:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char referenceBaseName[strlen(referenceFileName)];
data/harvest-tools-1.3/src/harvest/LcbList.cpp:817:19:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  track->size = atoi(length_t.c_str());
data/harvest-tools-1.3/src/harvest/LcbList.cpp:829:17:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  trackIndex = atoi(strtok(suffix, ":")) - 1;
data/harvest-tools-1.3/src/harvest/LcbList.cpp:857:23:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  region->position = atoi(strtok(0, "-"));
data/harvest-tools-1.3/src/harvest/LcbList.cpp:864:14:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  int end = atoi(strtok(0, " "));
data/harvest-tools-1.3/src/harvest/VariantList.cpp:53:13:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  int seq = atoi(strtok(line, "\t")) - 1;
data/harvest-tools-1.3/src/harvest/VariantList.cpp:54:15:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  int start = atoi(strtok(0, "\t")) - 1;
data/harvest-tools-1.3/src/harvest/VariantList.cpp:55:13:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  int end = atoi(strtok(0, "\t")) - 1;
data/harvest-tools-1.3/src/harvest/VariantList.cpp:94:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char col[seqs.size() + 1];
data/harvest-tools-1.3/src/harvest/VariantList.cpp:589:30:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  alleleIndeces.push_back(atoi(alleleIndex.c_str()));
data/harvest-tools-1.3/src/harvest/harvest.cpp:378:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  fout.open(outFasta);
data/harvest-tools-1.3/src/harvest/harvest.cpp:394:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  fout.open(outMfa);
data/harvest-tools-1.3/src/harvest/harvest.cpp:413:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  fout.open(outMfaFiltered);
data/harvest-tools-1.3/src/harvest/harvest.cpp:414:10:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  fout2.open(outMfaFilteredPositions);
data/harvest-tools-1.3/src/harvest/harvest.cpp:431:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  fout.open(outNewick);
data/harvest-tools-1.3/src/harvest/harvest.cpp:446:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  fout.open(outSnp);
data/harvest-tools-1.3/src/harvest/harvest.cpp:462:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  fout.open(outBB);
data/harvest-tools-1.3/src/harvest/harvest.cpp:478:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  fout.open(outXmfa);
data/harvest-tools-1.3/src/harvest/harvest.cpp:500:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  fout.open(outVcf);
data/harvest-tools-1.3/src/harvest/memcpyWrap.c:6:10:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  return memcpy(dest, src, n);
data/harvest-tools-1.3/src/harvest/AnnotationList.cpp:267:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  while ( suffix[strlen(suffix) - 1] != '"' )
data/harvest-tools-1.3/src/harvest/AnnotationList.cpp:277:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  annotation->description.append(suffix - 1, strlen(suffix));
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:69:5:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  in.read(header, capnpHeaderLength);
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:119:3:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  read(fd, buffer, capnpHeaderLength);
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:337:24:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  while ( (bytesRead = read(fds[0], buffer, sizeof(buffer))) > 0)
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:555:25:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  strm.avail_in = read(fdSource, in, CHUNK);
data/harvest-tools-1.3/src/harvest/HarvestIO.cpp:613:25:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  strm.avail_in = read(fdSource, in, CHUNK);
data/harvest-tools-1.3/src/harvest/HarvestIO.h:22:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  static const int capnpHeaderLength = strlen(capnpHeader);
data/harvest-tools-1.3/src/harvest/LcbList.cpp:170:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char referenceBaseName[strlen(referenceFileName)];
data/harvest-tools-1.3/src/harvest/LcbList.cpp:772:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for ( int i = 0; i < strlen(suffix) - 1; i++ )
data/harvest-tools-1.3/src/harvest/LcbList.cpp:948:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  lcbLength += strlen(line);
data/harvest-tools-1.3/src/harvest/harvest.cpp:313:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char * arg = new char[strlen(bed[i]) + 1];
data/harvest-tools-1.3/src/harvest/parse.cpp:26:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t len = strlen(substring);

ANALYSIS SUMMARY:

Hits = 47
Lines analyzed = 6575 in approximately 0.20 seconds (33008 lines/second)
Physical Source Lines of Code (SLOC) = 5076
Hits@level = [0]  13 [1]  13 [2]  32 [3]   0 [4]   2 [5]   0
Hits@level+ = [0+]  60 [1+]  47 [2+]  34 [3+]   2 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 11.8203 [1+] 9.25926 [2+] 6.69819 [3+] 0.394011 [4+] 0.394011 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
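Triage notes on the hits above, followed by an added example. The two [4] strcpy hits are not equally serious: harvest.cpp:313 allocates `strlen(bed[i]) + 1` bytes two lines before the strcpy at :315, which is correctly sized, whereas LcbList.cpp:170 declares `char referenceBaseName[strlen(referenceFileName)]` and :180 copies the whole file name into it. If those two lines refer to the same array (the matching names suggest so; the code between them is not shown here), strcpy writes strlen + 1 bytes into a strlen-byte array, so the terminating NUL lands one byte past the end. The [2] atoi hits of the form `atoi(strtok(...))` have a second problem the rule text does not mention: strtok returns NULL when a line has fewer fields than expected, and atoi(NULL) is undefined behaviour (in practice a crash), so a truncated input line is enough to take the tool down before any range check could run. The `strlen(suffix) - 1` expressions at AnnotationList.cpp:267 and LcbList.cpp:772 wrap to SIZE_MAX if suffix can ever be empty. The `open`/`fout.open` hits fire on every file open regardless of context and need manual review; for a command-line tool writing to user-named output paths they are usually accepted risk unless it runs with more privilege than the user supplying the paths. The `read(fds[0], buffer, sizeof(buffer))` loop at HarvestIO.cpp:337 is bounded by the buffer size, so that hit is noise.

The C program below is an added example written for this page, not harvest-tools code; every function name, buffer size and the tab-separated sample records are made up here. It shows the hardened shapes the report recommends: a bounded copy that reports truncation instead of overrunning, a base-name routine that takes the destination size from the caller rather than from a VLA sized by strlen, and a checked replacement for `atoi(strtok(...))` that rejects a missing field, trailing garbage, overflow and out-of-range values. The field splitter deliberately returns NULL on exhausted input, the same value strtok returns, so the caller is forced to handle it.

```c
/* Added example: hardened forms of the patterns Flawfinder flagged.
 * Not harvest-tools source; names, sizes and sample input are invented. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded copy for the [4] strcpy hits. Returns true only if all of src,
 * including its NUL terminator, fit in dst; never writes past dstsz. */
static bool copy_bounded(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0) return false;
    int n = snprintf(dst, dstsz, "%s", src);
    return n >= 0 && (size_t)n < dstsz;
}

/* Base name of a path ("/data/ref/genome.fasta" -> "genome") into a buffer
 * whose real size the caller passes, instead of a VLA sized strlen(path)
 * that has no room for the terminator. */
static bool base_name(char *dst, size_t dstsz, const char *path) {
    const char *slash = strrchr(path, '/');
    const char *start = slash ? slash + 1 : path;
    const char *dot = strrchr(start, '.');
    size_t len = dot ? (size_t)(dot - start) : strlen(start);
    if (len + 1 > dstsz) return false;   /* name plus NUL would not fit */
    memcpy(dst, start, len);
    dst[len] = '\0';
    return true;
}

/* strtok-like splitter (destructive, like strtok) that makes the
 * "no more fields" case explicit: returns NULL once the input is used up,
 * which is exactly what atoi(strtok(...)) in the report would dereference. */
static char *next_field(char **cursor, const char *delims) {
    char *p = *cursor;
    if (p == NULL || *p == '\0') return NULL;
    char *q = strpbrk(p, delims);
    if (q != NULL) { *q = '\0'; *cursor = q + 1; }
    else           { *cursor = p + strlen(p); }
    return p;
}

/* Checked replacement for the [2] atoi hits: rejects a missing token,
 * trailing garbage, magnitudes that overflow long (ERANGE) and anything
 * outside [lo, hi], so a negative or huge coordinate cannot become an index. */
static bool parse_int_range(const char *tok, long lo, long hi, long *out) {
    if (tok == NULL || *tok == '\0') return false;
    char *end = NULL;
    errno = 0;
    long v = strtol(tok, &end, 10);
    if (errno == ERANGE || *end != '\0') return false;
    if (v < lo || v > hi) return false;
    *out = v;
    return true;
}

/* One "seq<TAB>start<TAB>end" record in the shape VariantList.cpp:53-55
 * reads, converted to zero-based the same way, but failing cleanly on
 * short, non-numeric, non-positive or inverted lines. Modifies line. */
static bool parse_variant_line(char *line, long *seq, long *start, long *end) {
    char *cur = line;
    const char *t_seq = next_field(&cur, "\t");
    const char *t_start = next_field(&cur, "\t");
    const char *t_end = next_field(&cur, "\t\n");
    long s, a, b;
    if (!parse_int_range(t_seq, 1, INT_MAX, &s)) return false;
    if (!parse_int_range(t_start, 1, INT_MAX, &a)) return false;
    if (!parse_int_range(t_end, 1, INT_MAX, &b)) return false;
    if (a > b) return false;
    *seq = s - 1; *start = a - 1; *end = b - 1;
    return true;
}

/* Exercises the helpers on constructed inputs; returns the failure count. */
static int self_test(void) {
    int fails = 0;
    char buf[8];
    long s, a, b;
    char good[] = "3\t100\t250\n";                 /* constructed record */
    char shortl[] = "3\t100";                       /* too few fields */
    char inverted[] = "3\t250\t100\n";              /* end before start */
    char huge[] = "1\t99999999999999999999\t5\n";   /* overflows long */
    if (!copy_bounded(buf, sizeof buf, "abcdefg")) fails++;
    if (copy_bounded(buf, sizeof buf, "abcdefgh")) fails++;  /* 8 + NUL */
    if (!base_name(buf, sizeof buf, "/data/ref/genome.fasta")
        || strcmp(buf, "genome") != 0) fails++;
    if (base_name(buf, 4, "/data/ref/genome.fasta")) fails++;
    if (!parse_variant_line(good, &s, &a, &b)
        || s != 2 || a != 99 || b != 249) fails++;
    if (parse_variant_line(shortl, &s, &a, &b)) fails++;
    if (parse_variant_line(inverted, &s, &a, &b)) fails++;
    if (parse_variant_line(huge, &s, &a, &b)) fails++;
    return fails;
}

int main(void) {
    int fails = self_test();
    printf("%s (%d failing checks)\n", fails ? "FAIL" : "OK", fails);
    return fails ? 1 : 0;
}
```

Build with `cc -std=c11 -Wall -Wextra -fsanitize=address,undefined example.c` and run it; the sanitizer flags are the cheap way to confirm a fix to a real Flawfinder hit, since a VLA that is one byte short is invisible to the compiler but immediate under ASan. The range bound of INT_MAX mirrors the `int` targets in the flagged code; tighten it to the sequence length where one is known.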