Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223

Examining data/phyx-1.01+ds/src/aa2cdn.cpp
Examining data/phyx-1.01+ds/src/aa2cdn.h
Examining data/phyx-1.01+ds/src/bd_fit.cpp
Examining data/phyx-1.01+ds/src/bd_fit.h
Examining data/phyx-1.01+ds/src/bd_sim.cpp
Examining data/phyx-1.01+ds/src/bd_sim.h
Examining data/phyx-1.01+ds/src/branch_segment.cpp
Examining data/phyx-1.01+ds/src/branch_segment.h
Examining data/phyx-1.01+ds/src/clean_tree.cpp
Examining data/phyx-1.01+ds/src/clean_tree.h
Examining data/phyx-1.01+ds/src/clsq.cpp
Examining data/phyx-1.01+ds/src/clsq.h
Examining data/phyx-1.01+ds/src/collapse_tree.cpp
Examining data/phyx-1.01+ds/src/collapse_tree.h
Examining data/phyx-1.01+ds/src/comp_test.cpp
Examining data/phyx-1.01+ds/src/comp_test.h
Examining data/phyx-1.01+ds/src/concat.cpp
Examining data/phyx-1.01+ds/src/concat.h
Examining data/phyx-1.01+ds/src/constants.h
Examining data/phyx-1.01+ds/src/cont_models.cpp
Examining data/phyx-1.01+ds/src/cont_models.h
Examining data/phyx-1.01+ds/src/delta.cpp
Examining data/phyx-1.01+ds/src/delta.h
Examining data/phyx-1.01+ds/src/distmatrix.cpp
Examining data/phyx-1.01+ds/src/edlib.cpp
Examining data/phyx-1.01+ds/src/edlib.h
Examining data/phyx-1.01+ds/src/log.cpp
Examining data/phyx-1.01+ds/src/log.h
Examining data/phyx-1.01+ds/src/log_manip.cpp
Examining data/phyx-1.01+ds/src/log_manip.h
Examining data/phyx-1.01+ds/src/main.cpp
Examining data/phyx-1.01+ds/src/main_JWB.cpp
Examining data/phyx-1.01+ds/src/main_aa2cdn.cpp
Examining data/phyx-1.01+ds/src/main_bd_fit.cpp
Examining data/phyx-1.01+ds/src/main_bd_sim.cpp
Examining data/phyx-1.01+ds/src/main_boot.cpp
Examining data/phyx-1.01+ds/src/main_bp.cpp
Examining data/phyx-1.01+ds/src/main_bpseq.cpp
Examining data/phyx-1.01+ds/src/main_clsq.cpp
Examining data/phyx-1.01+ds/src/main_cltr.cpp
Examining data/phyx-1.01+ds/src/main_colt.cpp
Examining data/phyx-1.01+ds/src/main_comp.cpp
Examining data/phyx-1.01+ds/src/main_concat.cpp
Examining data/phyx-1.01+ds/src/main_consq.cpp
Examining data/phyx-1.01+ds/src/main_contbl.cpp
Examining data/phyx-1.01+ds/src/main_contrates.cpp
Examining data/phyx-1.01+ds/src/main_delta.cpp
Examining data/phyx-1.01+ds/src/main_fqfilt.cpp
Examining data/phyx-1.01+ds/src/main_kaks.cpp
Examining data/phyx-1.01+ds/src/main_log.cpp
Examining data/phyx-1.01+ds/src/main_lssq.cpp
Examining data/phyx-1.01+ds/src/main_lstr.cpp
Examining data/phyx-1.01+ds/src/main_medusa.cpp
Examining data/phyx-1.01+ds/src/main_mrca.cpp
Examining data/phyx-1.01+ds/src/main_mrca_cut.cpp
Examining data/phyx-1.01+ds/src/main_mrca_name.cpp
Examining data/phyx-1.01+ds/src/main_nj.cpp
Examining data/phyx-1.01+ds/src/main_nni.cpp
Examining data/phyx-1.01+ds/src/main_nw.cpp
Examining data/phyx-1.01+ds/src/main_recode.cpp
Examining data/phyx-1.01+ds/src/main_revcomp.cpp
Examining data/phyx-1.01+ds/src/main_rls.cpp
Examining data/phyx-1.01+ds/src/main_rlt.cpp
Examining data/phyx-1.01+ds/src/main_rmk.cpp
Examining data/phyx-1.01+ds/src/main_rms.cpp
Examining data/phyx-1.01+ds/src/main_rmt.cpp
Examining data/phyx-1.01+ds/src/main_rr.cpp
Examining data/phyx-1.01+ds/src/main_s2fa.cpp
Examining data/phyx-1.01+ds/src/main_s2nex.cpp
Examining data/phyx-1.01+ds/src/main_s2phy.cpp
Examining data/phyx-1.01+ds/src/main_seq_test.cpp
Examining data/phyx-1.01+ds/src/main_seqgen.cpp
Examining data/phyx-1.01+ds/src/main_sm0.cpp
Examining data/phyx-1.01+ds/src/main_sm2a.cpp
Examining data/phyx-1.01+ds/src/main_ssort.cpp
Examining data/phyx-1.01+ds/src/main_sstat.cpp
Examining data/phyx-1.01+ds/src/main_strec.cpp
Examining data/phyx-1.01+ds/src/main_sw.cpp
Examining data/phyx-1.01+ds/src/main_t2new.cpp
Examining data/phyx-1.01+ds/src/main_t2nex.cpp
Examining data/phyx-1.01+ds/src/main_tcol.cpp
Examining data/phyx-1.01+ds/src/main_tcomb.cpp
Examining data/phyx-1.01+ds/src/main_tdist.cpp
Examining data/phyx-1.01+ds/src/main_test.cpp
Examining data/phyx-1.01+ds/src/main_tlate.cpp
Examining data/phyx-1.01+ds/src/main_trt.cpp
Examining data/phyx-1.01+ds/src/main_tscale.cpp
Examining data/phyx-1.01+ds/src/main_upgma.cpp
Examining data/phyx-1.01+ds/src/main_vcf2fa.cpp
Examining data/phyx-1.01+ds/src/mcmc.cpp
Examining data/phyx-1.01+ds/src/mcmc.h
Examining data/phyx-1.01+ds/src/nj.cpp
Examining data/phyx-1.01+ds/src/nj.h
Examining data/phyx-1.01+ds/src/node.cpp
Examining data/phyx-1.01+ds/src/node.h
Examining data/phyx-1.01+ds/src/node_object.h
Examining data/phyx-1.01+ds/src/optimize_cont_models_nlopt.cpp
Examining data/phyx-1.01+ds/src/optimize_cont_models_nlopt.h
Examining data/phyx-1.01+ds/src/optimize_state_reconstructor_gsl.cpp
Examining data/phyx-1.01+ds/src/optimize_state_reconstructor_gsl.h
Examining data/phyx-1.01+ds/src/optimize_state_reconstructor_nlopt.cpp
Examining data/phyx-1.01+ds/src/optimize_state_reconstructor_nlopt.h
Examining data/phyx-1.01+ds/src/optimize_state_reconstructor_periods_nlopt.cpp
Examining data/phyx-1.01+ds/src/optimize_state_reconstructor_periods_nlopt.h
Examining data/phyx-1.01+ds/src/pairwise_alignment.cpp
Examining data/phyx-1.01+ds/src/pairwise_alignment.h
Examining data/phyx-1.01+ds/src/rate_model.cpp
Examining data/phyx-1.01+ds/src/rate_model.h
Examining data/phyx-1.01+ds/src/recode.cpp
Examining data/phyx-1.01+ds/src/recode.h
Examining data/phyx-1.01+ds/src/relabel.cpp
Examining data/phyx-1.01+ds/src/relabel.h
Examining data/phyx-1.01+ds/src/seq_gen.cpp
Examining data/phyx-1.01+ds/src/seq_gen.h
Examining data/phyx-1.01+ds/src/seq_info.cpp
Examining data/phyx-1.01+ds/src/seq_info.h
Examining data/phyx-1.01+ds/src/seq_models.cpp
Examining data/phyx-1.01+ds/src/seq_models.h
Examining data/phyx-1.01+ds/src/seq_reader.cpp
Examining data/phyx-1.01+ds/src/seq_reader.h
Examining data/phyx-1.01+ds/src/seq_sample.cpp
Examining data/phyx-1.01+ds/src/seq_sample.h
Examining data/phyx-1.01+ds/src/seq_utils.cpp
Examining data/phyx-1.01+ds/src/seq_utils.h
Examining data/phyx-1.01+ds/src/sequence.cpp
Examining data/phyx-1.01+ds/src/sequence.h
Examining data/phyx-1.01+ds/src/sstat.cpp
Examining data/phyx-1.01+ds/src/sstat.h
Examining data/phyx-1.01+ds/src/state_reconstructor.cpp
Examining data/phyx-1.01+ds/src/state_reconstructor.h
Examining data/phyx-1.01+ds/src/state_reconstructor_simple.cpp
Examining data/phyx-1.01+ds/src/state_reconstructor_simple.h
Examining data/phyx-1.01+ds/src/string_node_object.h
Examining data/phyx-1.01+ds/src/superdouble.cpp
Examining data/phyx-1.01+ds/src/superdouble.h
Examining data/phyx-1.01+ds/src/tlate.h
Examining data/phyx-1.01+ds/src/tree.cpp
Examining data/phyx-1.01+ds/src/tree.h
Examining data/phyx-1.01+ds/src/tree_info.cpp
Examining data/phyx-1.01+ds/src/tree_info.h
Examining data/phyx-1.01+ds/src/tree_reader.cpp
Examining data/phyx-1.01+ds/src/tree_reader.h
Examining data/phyx-1.01+ds/src/tree_utils.cpp
Examining data/phyx-1.01+ds/src/tree_utils.h
Examining data/phyx-1.01+ds/src/tscale.cpp
Examining data/phyx-1.01+ds/src/tscale.h
Examining data/phyx-1.01+ds/src/upgma.cpp
Examining data/phyx-1.01+ds/src/upgma.h
Examining data/phyx-1.01+ds/src/utils.cpp
Examining data/phyx-1.01+ds/src/utils.h
Examining data/phyx-1.01+ds/src/vcf_reader.cpp
Examining data/phyx-1.01+ds/src/vcf_reader.h
Examining data/phyx-1.01+ds/src/vector_node_object.h
Examining data/phyx-1.01+ds/src/tlate.cpp

FINAL RESULTS:

data/phyx-1.01+ds/src/main_aa2cdn.cpp:74:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "a:o:n:rhV", long_options, &oi);

data/phyx-1.01+ds/src/main_bd_fit.cpp:61:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:m:o:x:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_bd_sim.cpp:79:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "e:t:b:d:n:o:x:shV", long_options, &oi);

data/phyx-1.01+ds/src/main_boot.cpp:69:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:o:p:f:x:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_bp.cpp:81:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:o:m:c:vseufhV", long_options, &oi);

data/phyx-1.01+ds/src/main_bpseq.cpp:63:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:t:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_clsq.cpp:69:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:o:p:avhV", long_options, &oi);

data/phyx-1.01+ds/src/main_cltr.cpp:70:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:rlo:x:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_colt.cpp:64:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:l:s:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_comp.cpp:58:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:o:p:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_concat.cpp:81:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:f:o:p:uhV", long_options, &oi);

data/phyx-1.01+ds/src/main_consq.cpp:55:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_contbl.cpp:64:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "c:t:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_contrates.cpp:67:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "c:t:o:a:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_fqfilt.cpp:58:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "m:s:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_kaks.cpp:50:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "i:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_log.cpp:93:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "p:t:o:b:n:r:icd:k:x:vhV", long_options, &oi);

data/phyx-1.01+ds/src/main_lssq.cpp:82:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:o:inclpafmhV", long_options, &oi);

data/phyx-1.01+ds/src/main_lstr.cpp:80:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:vranublio:x:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_medusa.cpp:61:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:m:o:x:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_mrca.cpp:65:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:o:m:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_mrca_cut.cpp:67:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:o:m:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_mrca_name.cpp:77:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:o:m:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_nj.cpp:81:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:o:n:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_nni.cpp:65:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:o:x:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_nni.cpp:123:9: [3] (random) srand: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srand(seed);

data/phyx-1.01+ds/src/main_nni.cpp:125:9: [3] (random) srand: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srand(get_clock_seed());

data/phyx-1.01+ds/src/main_nw.cpp:84:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:o:a:t:m:n:vhV", long_options, &oi);

data/phyx-1.01+ds/src/main_recode.cpp:72:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:r:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_revcomp.cpp:85:5: [3] (random) srand: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srand (time(NULL));

data/phyx-1.01+ds/src/main_revcomp.cpp:102:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:i:o:mgphV", long_options, &oi);

data/phyx-1.01+ds/src/main_rls.cpp:66:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:c:n:o:vhV", long_options, &oi);

data/phyx-1.01+ds/src/main_rlt.cpp:65:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:c:n:o:vhV", long_options, &oi);

data/phyx-1.01+ds/src/main_rmk.cpp:57:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:vranublio:x:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_rms.cpp:75:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:n:f:co:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_rmt.cpp:74:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:n:f:co:shV", long_options, &oi);

data/phyx-1.01+ds/src/main_rr.cpp:71:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:g:ruo:shV", long_options, &oi);

data/phyx-1.01+ds/src/main_s2fa.cpp:58:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:o:uhV", long_options, &oi);

data/phyx-1.01+ds/src/main_s2nex.cpp:59:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:o:uhV", long_options, &oi);

data/phyx-1.01+ds/src/main_s2phy.cpp:59:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:o:uhV", long_options, &oi);

data/phyx-1.01+ds/src/main_seqgen.cpp:141:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:o:l:b:g:i:r:w:q:n:x:apcm:k:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_sm0.cpp:65:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:t:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_sm2a.cpp:65:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:t:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_ssort.cpp:83:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:b:o:hgV", long_options, &oi);

data/phyx-1.01+ds/src/main_sstat.cpp:56:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_strec.cpp:129:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "d:t:c:o:n:m:a:l:p:hVwz", long_options, &oi);

data/phyx-1.01+ds/src/main_sw.cpp:83:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:o:a:t:m:n:vhV", long_options, &oi);

data/phyx-1.01+ds/src/main_t2new.cpp:55:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_t2nex.cpp:55:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_tcol.cpp:64:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:m:d:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_tcomb.cpp:73:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:a:o:x:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_tdist.cpp:79:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:a:d:o:x:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_tlate.cpp:71:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:t:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_trt.cpp:70:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:n:f:o:shV", long_options, &oi);

data/phyx-1.01+ds/src/main_tscale.cpp:63:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "t:s:r:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_upgma.cpp:65:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:o:hV", long_options, &oi);

data/phyx-1.01+ds/src/main_vcf2fa.cpp:55:17: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int c = getopt_long(argc, argv, "s:o:uhV", long_options, &oi);

data/phyx-1.01+ds/src/seq_sample.cpp:21:9: [3] (random) srand: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srand(get_clock_seed());

data/phyx-1.01+ds/src/seq_sample.cpp:23:9: [3] (random) srand: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srand(seed);

data/phyx-1.01+ds/src/distmatrix.cpp:91:14: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  readline.open(fasta.c_str());

data/phyx-1.01+ds/src/edlib.cpp:269:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(cigar_, &(*cigar)[0], cigar->size() * sizeof(char));

data/phyx-1.01+ds/src/edlib.cpp:1324:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(*alignment, ulAlignment, ulAlignmentLength);

data/phyx-1.01+ds/src/edlib.cpp:1325:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(*alignment + ulAlignmentLength, lrAlignment, lrAlignmentLength);

data/phyx-1.01+ds/src/edlib.cpp:1362:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char letterIdx[256]; //!< letterIdx[c] is index of letter c in alphabet

data/phyx-1.01+ds/src/log.cpp:11:13: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  phyxlog.open ("phyx.logfile", ios::out | ios::app);

data/phyx-1.01+ds/src/log_manip.cpp:68:24: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  infilestr_.open(curfile.c_str());

data/phyx-1.01+ds/src/log_manip.cpp:121:24: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  infilestr_.open(curfile.c_str());

data/phyx-1.01+ds/src/log_manip.cpp:175:24: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  infilestr_.open(curfile.c_str());

data/phyx-1.01+ds/src/log_manip.cpp:207:20: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  infilestr_.open(curfile.c_str());

data/phyx-1.01+ds/src/log_manip.cpp:274:20: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  infilestr_.open(curfile.c_str());

data/phyx-1.01+ds/src/log_manip.cpp:336:24: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  infilestr_.open(curfile.c_str());

data/phyx-1.01+ds/src/log_manip.cpp:418:24: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  infilestr_.open(curfile.c_str());

data/phyx-1.01+ds/src/main_bd_sim.cpp:85:23: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  ext = atoi(strdup(optarg));

data/phyx-1.01+ds/src/main_bd_sim.cpp:107:25: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  nreps = atoi(strdup(optarg));

data/phyx-1.01+ds/src/main_bd_sim.cpp:114:24: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  seed = atoi(strdup(optarg));

data/phyx-1.01+ds/src/main_boot.cpp:95:24: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  seed = atoi(strdup(optarg));

data/phyx-1.01+ds/src/main_delta.cpp:39:43: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  vector<double> nums = delta.delta(atoi(argv[1]),atoi(argv[2]),atoi(argv[3]));

data/phyx-1.01+ds/src/main_delta.cpp:39:57: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  vector<double> nums = delta.delta(atoi(argv[1]),atoi(argv[2]),atoi(argv[3]));

data/phyx-1.01+ds/src/main_delta.cpp:39:71: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
vector<double> nums = delta.delta(atoi(argv[1]),atoi(argv[2]),atoi(argv[3])); data/phyx-1.01+ds/src/main_delta.cpp:77:21: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). outTreeFile.open(argv[2],ios::app ); data/phyx-1.01+ds/src/main_log.cpp:147:26: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). burnin = atoi(strdup(optarg)); data/phyx-1.01+ds/src/main_log.cpp:150:25: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). nthin = atoi(strdup(optarg)); data/phyx-1.01+ds/src/main_log.cpp:153:27: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). nrandom = atoi(strdup(optarg)); data/phyx-1.01+ds/src/main_log.cpp:174:24: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). 
seed = atoi(strdup(optarg)); data/phyx-1.01+ds/src/main_nj.cpp:96:27: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). threads = atoi(strdup(optarg)); data/phyx-1.01+ds/src/main_nni.cpp:83:24: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). seed = atoi(strdup(optarg)); data/phyx-1.01+ds/src/main_nw.cpp:103:27: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). seqtype = atoi(strdup(optarg)); data/phyx-1.01+ds/src/main_nw.cpp:115:31: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). num_threads = atoi(strdup(optarg)); data/phyx-1.01+ds/src/main_seqgen.cpp:169:26: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). 
seqlen = atoi(strdup(optarg)); data/phyx-1.01+ds/src/main_seqgen.cpp:252:25: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). nreps = atoi(strdup(optarg)); data/phyx-1.01+ds/src/main_seqgen.cpp:255:24: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). seed = atoi(strdup(optarg)); data/phyx-1.01+ds/src/main_ssort.cpp:94:26: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). sortby = atoi(strdup(optarg)); data/phyx-1.01+ds/src/main_strec.cpp:373:27: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int pos = atoi(searchtokens[j].c_str()); data/phyx-1.01+ds/src/main_strec.cpp:396:16: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). 
ancout.open(outanc,ios::out); data/phyx-1.01+ds/src/main_strec.cpp:404:18: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). stnumout.open(outnum,ios::out); data/phyx-1.01+ds/src/main_strec.cpp:416:19: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). sttimeout.open(outtime,ios::out); data/phyx-1.01+ds/src/main_strec.cpp:424:23: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). sttnumout_any.open(outnumany,ios::out); data/phyx-1.01+ds/src/main_strec.cpp:454:31: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int pos = atoi(searchtokens[n].c_str()); data/phyx-1.01+ds/src/main_sw.cpp:102:27: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). seqtype = atoi(strdup(optarg)); data/phyx-1.01+ds/src/main_sw.cpp:114:31: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). 
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). num_threads = atoi(strdup(optarg)); data/phyx-1.01+ds/src/seq_models.cpp:42:50: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). sc_mat[tokens[0][0]][order[j]] = atoi(tokens[j+1].c_str()); //#changed from int to float data/phyx-1.01+ds/src/seq_models.cpp:75:50: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). sc_mat[tokens[0][0]][order[j]] = atoi(tokens[j+1].c_str()); //#changed from int to float data/phyx-1.01+ds/src/seq_sample.cpp:185:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). start = atoi(tokens[2].c_str()) - 1; data/phyx-1.01+ds/src/seq_sample.cpp:189:16: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). stop = atoi(tokens[3].c_str()) - 1; data/phyx-1.01+ds/src/seq_sample.cpp:193:20: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). 
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). interval = atoi(tokens[4].c_str()); data/phyx-1.01+ds/src/utils.cpp:579:12: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. return equal; data/phyx-1.01+ds/src/utils.cpp:589:12: [1] (buffer) equal: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. return equal; ANALYSIS SUMMARY: Hits = 107 Lines analyzed = 27307 in approximately 0.72 seconds (37997 lines/second) Physical Source Lines of Code (SLOC) = 21740 Hits@level = [0] 3 [1] 2 [2] 46 [3] 59 [4] 0 [5] 0 Hits@level+ = [0+] 110 [1+] 107 [2+] 105 [3+] 59 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 5.0598 [1+] 4.9218 [2+] 4.82981 [3+] 2.71389 [4+] 0 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.
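The bulk of the level-2 hits above are the `x = atoi(strdup(optarg));` pattern, where atoi() returns 0 for non-numeric input, silently truncates or wraps values that do not fit an int, and the strdup() copy is never freed. The following is an added example written for this report, not code from phyx; it shows a strtol()-based replacement that reports every failure mode and enforces the caller's [lo, hi] range, which is what the CWE-190 message asks for. The option letters, bounds and sample values in main() are constructed for illustration and are not phyx's real command-line interface.

```cpp
#include <cerrno>
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <string>

// Why one numeric argument was rejected.
enum class ParseStatus { Ok, Empty, NotANumber, TrailingGarbage, OutOfRange };

// Parse `text` as a base-10 integer and require lo <= value <= hi.
// atoi() returns 0 for garbage and wraps on overflow; strtol() exposes
// both through endptr and errno, and the explicit range test catches
// values that fit in a long but not in the caller's domain (a negative
// sequence length, a thread count in the billions).
ParseStatus parse_int_in_range(const char* text, long lo, long hi, long& out) {
    if (text == nullptr || *text == '\0') return ParseStatus::Empty;
    errno = 0;
    char* end = nullptr;
    const long value = std::strtol(text, &end, 10);
    if (end == text) return ParseStatus::NotANumber;        // no digits consumed
    if (errno == ERANGE) return ParseStatus::OutOfRange;    // overflowed long itself
    while (*end == ' ' || *end == '\t') ++end;              // tolerate trailing blanks only
    if (*end != '\0') return ParseStatus::TrailingGarbage;  // "12abc", "1e5", "3.5"
    if (value < lo || value > hi) return ParseStatus::OutOfRange;
    out = value;
    return ParseStatus::Ok;
}

// int-typed wrapper for a getopt-style option value (the `optarg` cases
// in the report). On success sets `out` and returns true; otherwise
// leaves `out` untouched and fills `err` with a message naming the
// option, so the caller aborts instead of running with 0 or a wrapped value.
bool parse_option_int(char opt, const char* text, int lo, int hi, int& out, std::string& err) {
    const std::string name = std::string("-") + opt;
    long v = 0;
    switch (parse_int_in_range(text, lo, hi, v)) {
    case ParseStatus::Ok:
        out = static_cast<int>(v);
        return true;
    case ParseStatus::Empty:
        err = name + ": missing value";
        return false;
    case ParseStatus::NotANumber:
    case ParseStatus::TrailingGarbage:
        err = name + ": '" + text + "' is not an integer";
        return false;
    case ParseStatus::OutOfRange:
        err = name + ": '" + text + "' is outside [" + std::to_string(lo) + ", " + std::to_string(hi) + "]";
        return false;
    }
    return false;
}

// Stand-alone demonstration over constructed option values. The option
// letters and bounds are hypothetical, not phyx's real command lines.
int main() {
    struct Case { char opt; const char* value; int lo; int hi; };
    const Case cases[] = {
        {'l', "1000", 1, INT_MAX},          // accepted: a sequence length
        {'n', "0", 1, 1000000},             // rejected: zero replicates
        {'t', "4294967296", 1, 1024},       // rejected: atoi() would truncate this
        {'x', "12abc", INT_MIN, INT_MAX},   // rejected: trailing garbage
        {'x', "", INT_MIN, INT_MAX},        // rejected: empty value
    };
    for (const Case& c : cases) {
        int value = -1;
        std::string err;
        if (parse_option_int(c.opt, c.value, c.lo, c.hi, value, err))
            std::printf("-%c %s -> %d\n", c.opt, c.value, value);
        else
            std::printf("rejected: %s\n", err.c_str());
    }
    return 0;
}
```

The same parse_int_in_range() also covers the hits that read numbers out of input files (the `tokens[...]` cases in seq_sample.cpp, seq_models.cpp and main_strec.cpp), where the range is whatever the surrounding code can safely index; for those the source is a file rather than the command line, so the range check is the part that matters most.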
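The CWE-362 `open` hits are on ifstream/ofstream opens of caller-supplied paths. Those calls follow symlinks, happily open device files or FIFOs, and (for output) truncate whatever the name currently points at. The following is an added example, not phyx code, of POSIX-level guards that address the three concerns in flawfinder's message that a single open() can address: O_NOFOLLOW against symlink redirection, fstat()+S_ISREG against special files, and O_CREAT|O_EXCL against clobbering an existing file through a planted name. The function names and the self-check's temp-directory layout are this example's own choices, and the self-check assumes a writable /tmp.

```cpp
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

// A guarded open: the descriptor (or -1) plus a human-readable reason.
struct OpenResult { int fd; std::string error; };

// Open `path` for reading, refusing a symlink in the final component
// and anything that is not a regular file (devices, FIFOs, directories).
// The type check is done on the descriptor we already hold, not by a
// separate stat() on the path, so there is no window to swap the target.
OpenResult open_regular_file_for_read(const std::string& path) {
    int flags = O_RDONLY | O_CLOEXEC;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;
#endif
    const int fd = ::open(path.c_str(), flags);
    if (fd < 0) return {-1, path + ": " + std::strerror(errno)};
    struct stat st;
    if (fstat(fd, &st) != 0) {
        const std::string why = std::strerror(errno);
        close(fd);
        return {-1, path + ": fstat: " + why};
    }
    if (!S_ISREG(st.st_mode)) {
        close(fd);
        return {-1, path + ": not a regular file"};
    }
    return {fd, ""};
}

// Create `path` for writing, failing if anything already exists there.
// O_CREAT|O_EXCL refuses an existing file and refuses a symlink in the
// final component regardless of where it points, which is the case the
// ofstream.open(..., ios::out) hits in the report are exposed to.
OpenResult create_new_output_file(const std::string& path) {
    const int fd = ::open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0644);
    if (fd < 0) return {-1, path + ": " + std::strerror(errno)};
    return {fd, ""};
}

// Exercise both guards against constructed files in a fresh temp dir.
// Returns 0 when every guard behaves as expected, otherwise the number
// of the first failing step, so a harness can assert on it.
int self_check() {
    char dir[] = "/tmp/openguard-XXXXXX";
    if (mkdtemp(dir) == nullptr) return 1;
    const std::string regular = std::string(dir) + "/input.txt";
    const std::string link = std::string(dir) + "/link.txt";
    int step = 0;
    OpenResult r = create_new_output_file(regular);          // 2: fresh file is created
    if (r.fd < 0) step = 2; else close(r.fd);
    if (step == 0) {                                          // 3: second create is refused
        r = create_new_output_file(regular);
        if (r.fd >= 0) { close(r.fd); step = 3; }
    }
    if (step == 0) {                                          // 4: regular file opens for read
        r = open_regular_file_for_read(regular);
        if (r.fd < 0) step = 4; else close(r.fd);
    }
    if (step == 0 && symlink(regular.c_str(), link.c_str()) != 0) step = 5;
    if (step == 0) {                                          // 6: symlink refused for read
        r = open_regular_file_for_read(link);
        if (r.fd >= 0) { close(r.fd); step = 6; }
    }
    if (step == 0) {                                          // 7: symlink refused for create
        r = create_new_output_file(link);
        if (r.fd >= 0) { close(r.fd); step = 7; }
    }
    if (step == 0) {                                          // 8: device node is not regular
        r = open_regular_file_for_read("/dev/null");
        if (r.fd >= 0) { close(r.fd); step = 8; }
    }
    unlink(link.c_str());
    unlink(regular.c_str());
    rmdir(dir);
    return step;
}

int main() {
    const int failed = self_check();
    std::printf(failed == 0 ? "all open guards behaved as expected\n"
                            : "guard check failed at step %d\n", failed);
    return failed;
}
```

Two caveats a practitioner will want: the returned descriptor must be the one that is read or written (fdopen() for stdio, or read(2)/write(2) directly); reopening the same name with an ifstream after the check reintroduces exactly the race the check closed. And O_NOFOLLOW only guards the final path component, so the "control its ancestors" part of flawfinder's message is not addressed here; that needs openat() relative to a descriptor on a trusted directory. The append case (`outTreeFile.open(argv[2],ios::app )` in main_delta.cpp) does not fit O_EXCL either; for it, O_WRONLY|O_APPEND|O_NOFOLLOW followed by the same fstat()/S_ISREG test is the corresponding pattern.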
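The two level-1 `equal` hits in utils.cpp are name matches: the quoted line in both cases is `return equal;`, a local variable, not a call to std::equal, so they need no code change. The advice in the message is still sound where std::equal is actually used, and the following added example (not phyx code) shows why: the three-iterator form walks the second range for as many elements as the first range has, so a shorter second range is read past its end (CWE-126), while the four-iterator overload from C++14 takes both ends and simply returns false on a length mismatch. The function names are this example's own; the sequences in main() are constructed.

```cpp
#include <algorithm>
#include <cstdio>
#include <iterator>
#include <string>
#include <vector>

// True when `a` and `b` have the same length and the same elements.
// The four-iterator std::equal (C++14) knows where `b` ends and stops
// there, so nothing is read past a shorter second range.
template <class RangeA, class RangeB>
bool same_sequence(const RangeA& a, const RangeB& b) {
    return std::equal(std::begin(a), std::end(a), std::begin(b), std::end(b));
}

// Equivalent for toolchains pinned to C++11: prove the lengths match
// first, and only then hand the three-iterator form a second range that
// is guaranteed to be fully readable.
template <class RangeA, class RangeB>
bool same_sequence_cxx11(const RangeA& a, const RangeB& b) {
    if (std::distance(std::begin(a), std::end(a)) !=
        std::distance(std::begin(b), std::end(b))) return false;
    return std::equal(std::begin(a), std::end(a), std::begin(b));
}

// Prefix test: the three-iterator form is legitimate here, but only
// after establishing that `whole` is at least as long as `prefix`, so
// `prefix` (the bounded range) drives the comparison.
template <class RangeA, class RangeB>
bool starts_with(const RangeA& whole, const RangeB& prefix) {
    if (std::distance(std::begin(prefix), std::end(prefix)) >
        std::distance(std::begin(whole), std::end(whole))) return false;
    return std::equal(std::begin(prefix), std::end(prefix), std::begin(whole));
}

// Stand-alone demonstration on constructed taxon lists and sequences.
int main() {
    const std::vector<std::string> tree_a = {"Homo", "Pan", "Gorilla"};
    const std::vector<std::string> tree_b = {"Homo", "Pan"};
    std::printf("same taxa: %s\n", same_sequence(tree_a, tree_b) ? "yes" : "no");
    std::printf("tree_a starts with tree_b: %s\n", starts_with(tree_a, tree_b) ? "yes" : "no");
    std::printf("ACGT == ACG: %s\n",
                same_sequence_cxx11(std::string("ACGT"), std::string("ACG")) ? "yes" : "no");
    return 0;
}
```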