Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/r-cran-ape-5.4-1/src/dist_nodes.c
Examining data/r-cran-ape-5.4-1/src/me.h
Examining data/r-cran-ape-5.4-1/src/plot_phylo.c
Examining data/r-cran-ape-5.4-1/src/mat_expo.c
Examining data/r-cran-ape-5.4-1/src/delta_plot.c
Examining data/r-cran-ape-5.4-1/src/bNNI.c
Examining data/r-cran-ape-5.4-1/src/nj.c
Examining data/r-cran-ape-5.4-1/src/bitsplits.c
Examining data/r-cran-ape-5.4-1/src/bipartition.c
Examining data/r-cran-ape-5.4-1/src/triangMtd.c
Examining data/r-cran-ape-5.4-1/src/njs.c
Examining data/r-cran-ape-5.4-1/src/rTrait.c
Examining data/r-cran-ape-5.4-1/src/prop_part.cpp
Examining data/r-cran-ape-5.4-1/src/additive.c
Examining data/r-cran-ape-5.4-1/src/reorder_Rcpp.cpp
Examining data/r-cran-ape-5.4-1/src/mvr.c
Examining data/r-cran-ape-5.4-1/src/heap.c
Examining data/r-cran-ape-5.4-1/src/me_ols.c
Examining data/r-cran-ape-5.4-1/src/SPR.c
Examining data/r-cran-ape-5.4-1/src/ape.h
Examining data/r-cran-ape-5.4-1/src/ape.c
Examining data/r-cran-ape-5.4-1/src/pic.c
Examining data/r-cran-ape-5.4-1/src/bionjs.c
Examining data/r-cran-ape-5.4-1/src/ultrametric.c
Examining data/r-cran-ape-5.4-1/src/triangMtds.c
Examining data/r-cran-ape-5.4-1/src/ewLasso.c
Examining data/r-cran-ape-5.4-1/src/tree_build.c
Examining data/r-cran-ape-5.4-1/src/treePop.c
Examining data/r-cran-ape-5.4-1/src/mvrs.c
Examining data/r-cran-ape-5.4-1/src/dist_dna.c
Examining data/r-cran-ape-5.4-1/src/me_balanced.c
Examining data/r-cran-ape-5.4-1/src/me.c
Examining data/r-cran-ape-5.4-1/src/NNI.c
Examining data/r-cran-ape-5.4-1/src/BIONJ.c
Examining data/r-cran-ape-5.4-1/src/read_dna.c
Examining data/r-cran-ape-5.4-1/src/RcppExports.cpp
Examining data/r-cran-ape-5.4-1/src/tree_phylo.c
Examining data/r-cran-ape-5.4-1/src/reorder_phylo.c

FINAL RESULTS:

data/r-cran-ape-5.4-1/src/bitsplits.c:20:23:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static const unsigned char mask81[8] = {0x01, 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02};
data/r-cran-ape-5.4-1/src/bitsplits.c:34:20:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  const unsigned char trailzeros[8] = {0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe};
data/r-cran-ape-5.4-1/src/dist_dna.c:1980:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(z, x, n * s);
data/r-cran-ape-5.4-1/src/mat_expo.c:35:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(P, U, nc*sizeof(double));
data/r-cran-ape-5.4-1/src/me.h:69:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char name[MAX_LABEL_LENGTH];
data/r-cran-ape-5.4-1/src/me.h:90:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char label[EDGE_LABEL_LENGTH];
data/r-cran-ape-5.4-1/src/me.h:100:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char name[MAX_LABEL_LENGTH];
data/r-cran-ape-5.4-1/src/me_balanced.c:260:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char edgeLabel1[EDGE_LABEL_LENGTH];
data/r-cran-ape-5.4-1/src/me_balanced.c:261:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char edgeLabel2[EDGE_LABEL_LENGTH];
data/r-cran-ape-5.4-1/src/me_ols.c:408:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char edgelabel[EDGE_LABEL_LENGTH];
data/r-cran-ape-5.4-1/src/read_dna.c:218:10:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  fl = fopen(filename, "a+");
data/r-cran-ape-5.4-1/src/read_dna.c:287:10:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  fl = fopen(filename, "a+");
data/r-cran-ape-5.4-1/src/tree_build.c:33:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char *endstr, str[100];
data/r-cran-ape-5.4-1/src/tree_build.c:48:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char *endstr, str[100];
data/r-cran-ape-5.4-1/src/tree_build.c:62:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char str[100]; // *endstr,
data/r-cran-ape-5.4-1/src/tree_build.c:78:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char *endstr, str[100];
data/r-cran-ape-5.4-1/src/tree_build.c:184:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char lab[512];
data/r-cran-ape-5.4-1/src/tree_build.c:283:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char lab[512];
data/r-cran-ape-5.4-1/src/tree_build.c:353:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char lab[512], tip[512];
data/r-cran-ape-5.4-1/src/tree_build.c:440:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char lab[512], tip[512];
data/r-cran-ape-5.4-1/src/me.c:226:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(newEdge->label,label,EDGE_LABEL_LENGTH-1);
data/r-cran-ape-5.4-1/src/read_dna.c:337:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int n = strlen(xr);
data/r-cran-ape-5.4-1/src/tree_build.c:147:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  n = strlen(x);

ANALYSIS SUMMARY:

Hits = 23
Lines analyzed = 10566 in approximately 0.32 seconds (33319 lines/second)
Physical Source Lines of Code (SLOC) = 7763
Hits@level = [0]   6 [1]   3 [2]  20 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  29 [1+]  23 [2+]  20 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 3.73567 [1+] 2.96277 [2+] 2.57632 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.