Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/htseq-0.12.4/python2/src/StepVector_wrap.cxx
Examining data/htseq-0.12.4/python2/src/_HTSeq.c
Examining data/htseq-0.12.4/python2/src/step_vector.h
Examining data/htseq-0.12.4/python3/src/StepVector_wrap.cxx
Examining data/htseq-0.12.4/python3/src/_HTSeq.c
Examining data/htseq-0.12.4/python3/src/step_vector.h
FINAL RESULTS:
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:706:3: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(r,name);
data/htseq-0.12.4/python2/src/_HTSeq.c:776:5: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(__PYX_DEFAULT_STRING_ENCODING, default_encoding_c);
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:700:3: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(r,name);
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:840:25: [4] (format) _snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
# define PyOS_snprintf _snprintf
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:842:25: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
# define PyOS_snprintf snprintf
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:859:9: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
res = vsnprintf(buf, sizeof(buf), fmt, ap);
data/htseq-0.12.4/python3/src/_HTSeq.c:776:5: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(__PYX_DEFAULT_STRING_ENCODING, default_encoding_c);
data/htseq-0.12.4/python2/src/_HTSeq.c:50293:18: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
if (!setstate) PyErr_Clear();
data/htseq-0.12.4/python2/src/_HTSeq.c:50294:18: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
if (!setstate || __Pyx_setup_reduce_is_named(setstate, __pyx_n_s_setstate_cython)) {
data/htseq-0.12.4/python2/src/_HTSeq.c:50294:58: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
if (!setstate || __Pyx_setup_reduce_is_named(setstate, __pyx_n_s_setstate_cython)) {
data/htseq-0.12.4/python2/src/_HTSeq.c:50315:16: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
Py_XDECREF(setstate);
data/htseq-0.12.4/python3/src/_HTSeq.c:51474:18: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
if (!setstate) PyErr_Clear();
data/htseq-0.12.4/python3/src/_HTSeq.c:51475:18: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
if (!setstate || __Pyx_setup_reduce_is_named(setstate, __pyx_n_s_setstate_cython)) {
data/htseq-0.12.4/python3/src/_HTSeq.c:51475:58: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
if (!setstate || __Pyx_setup_reduce_is_named(setstate, __pyx_n_s_setstate_cython)) {
data/htseq-0.12.4/python3/src/_HTSeq.c:51496:16: [3] (random) setstate:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
Py_XDECREF(setstate);
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:657:16: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const char hex[17] = "0123456789abcdef";
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:819:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(newstr, cstr, len+1);
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:1802:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char result[SWIG_BUFFER_SIZE];
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:1813:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char result[SWIG_BUFFER_SIZE];
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:1943:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(pack, ptr, size);
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:1961:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ptr, sobj->pack, size);
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:2505:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char mesg[256];
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:5930:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(gv->name, name, size);
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:6011:15: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buff, methods[i].ml_doc, ldoc);
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:6013:15: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buff, "swig_ptr: ", 10);
data/htseq-0.12.4/python2/src/_HTSeq.c:729:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char ascii_chars[128];
data/htseq-0.12.4/python2/src/_HTSeq.c:50327:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char warning[200];
data/htseq-0.12.4/python2/src/_HTSeq.c:52204:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char ctversion[4], rtversion[4];
data/htseq-0.12.4/python2/src/_HTSeq.c:52208:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char message[200];
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:651:16: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const char hex[17] = "0123456789abcdef";
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:812:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(newstr, cstr, len+1);
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:856:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[SWIG_PYBUFFER_SIZE * 2];
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:2046:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char result[SWIG_BUFFER_SIZE];
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:2060:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char result[SWIG_BUFFER_SIZE];
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:2071:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char result[SWIG_BUFFER_SIZE];
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:2213:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(pack, ptr, size);
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:2231:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ptr, sobj->pack, size);
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:2868:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char mesg[256];
data/htseq-0.12.4/python3/src/_HTSeq.c:729:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char ascii_chars[128];
data/htseq-0.12.4/python3/src/_HTSeq.c:47970:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const char DIGIT_PAIRS_10[2*10*10+1] = {
data/htseq-0.12.4/python3/src/_HTSeq.c:47982:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const char DIGIT_PAIRS_8[2*8*8+1] = {
data/htseq-0.12.4/python3/src/_HTSeq.c:47992:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const char DIGITS_HEX[2*16+1] = {
data/htseq-0.12.4/python3/src/_HTSeq.c:48087:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char digits[sizeof(long)*3+2];
data/htseq-0.12.4/python3/src/_HTSeq.c:48256:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy((char *)result_udata + char_pos * result_ukind, udata, (size_t) (ulength * result_ukind));
data/htseq-0.12.4/python3/src/_HTSeq.c:50056:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char digits[sizeof(Py_ssize_t)*3+2];
data/htseq-0.12.4/python3/src/_HTSeq.c:50911:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char digits[sizeof(int)*3+2];
data/htseq-0.12.4/python3/src/_HTSeq.c:51508:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char warning[200];
data/htseq-0.12.4/python3/src/_HTSeq.c:53385:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char ctversion[4], rtversion[4];
data/htseq-0.12.4/python3/src/_HTSeq.c:53389:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char message[200];
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:421:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
const char* te = tb + strlen(tb);
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:705:7: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(name) + 1 > (bsz - (r - buff))) return 0;
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:726:26: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t lname = (name ? strlen(name) : 0);
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:731:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(r,name,lname+1);
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:5927:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t size = strlen(name)+1;
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:5996:15: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
strlen(const_table[j].name)) == 0) {
data/htseq-0.12.4/python2/src/StepVector_wrap.cxx:6007:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t lptr = strlen(ty->name)+2*sizeof(void*)+2;
data/htseq-0.12.4/python2/src/_HTSeq.c:652:87: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define __Pyx_PyByteArray_FromString(s) PyByteArray_FromStringAndSize((const char*)s, strlen((const char*)s))
data/htseq-0.12.4/python2/src/_HTSeq.c:774:52: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
__PYX_DEFAULT_STRING_ENCODING = (char*) malloc(strlen(default_encoding_c) + 1);
data/htseq-0.12.4/python2/src/_HTSeq.c:52252:65: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
return __Pyx_PyUnicode_FromStringAndSize(c_str, (Py_ssize_t)strlen(c_str));
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:415:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
const char* te = tb + strlen(tb);
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:699:7: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(name) + 1 > (bsz - (r - buff))) return 0;
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:720:26: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t lname = (name ? strlen(name) : 0);
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:725:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(r,name,lname+1);
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:889:91: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
# define PyString_AsStringAndSize(obj, s, len) {*s = PyString_AsString(obj); *len = *s ? strlen(*s) : 0;}
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:6241:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t size = strlen(name)+1;
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:6244:9: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(gv->name,name,size);
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:6308:15: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
strlen(const_table[j].name)) == 0) {
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:6319:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t lptr = strlen(ty->name)+2*sizeof(void*)+2;
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:6323:15: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(buff, methods[i].ml_doc, ldoc);
data/htseq-0.12.4/python3/src/StepVector_wrap.cxx:6325:15: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120). Risk is low because the source is a
constant string.
strncpy(buff, "swig_ptr: ", 10);
data/htseq-0.12.4/python3/src/_HTSeq.c:652:87: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define __Pyx_PyByteArray_FromString(s) PyByteArray_FromStringAndSize((const char*)s, strlen((const char*)s))
data/htseq-0.12.4/python3/src/_HTSeq.c:774:52: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
__PYX_DEFAULT_STRING_ENCODING = (char*) malloc(strlen(default_encoding_c) + 1);
data/htseq-0.12.4/python3/src/_HTSeq.c:53433:65: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
return __Pyx_PyUnicode_FromStringAndSize(c_str, (Py_ssize_t)strlen(c_str));
ANALYSIS SUMMARY:
Hits = 73
Lines analyzed = 119257 in approximately 3.25 seconds (36743 lines/second)
Physical Source Lines of Code (SLOC) = 81838
Hits@level = [0] 32 [1] 24 [2] 34 [3] 8 [4] 7 [5] 0
Hits@level+ = [0+] 105 [1+] 73 [2+] 49 [3+] 15 [4+] 7 [5+] 0
Hits/KSLOC@level+ = [0+] 1.28302 [1+] 0.892006 [2+] 0.598744 [3+] 0.183289 [4+] 0.0855348 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.