Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/r-cran-ape-5.4-1/src/dist_nodes.c
Examining data/r-cran-ape-5.4-1/src/me.h
Examining data/r-cran-ape-5.4-1/src/plot_phylo.c
Examining data/r-cran-ape-5.4-1/src/mat_expo.c
Examining data/r-cran-ape-5.4-1/src/delta_plot.c
Examining data/r-cran-ape-5.4-1/src/bNNI.c
Examining data/r-cran-ape-5.4-1/src/nj.c
Examining data/r-cran-ape-5.4-1/src/bitsplits.c
Examining data/r-cran-ape-5.4-1/src/bipartition.c
Examining data/r-cran-ape-5.4-1/src/triangMtd.c
Examining data/r-cran-ape-5.4-1/src/njs.c
Examining data/r-cran-ape-5.4-1/src/rTrait.c
Examining data/r-cran-ape-5.4-1/src/prop_part.cpp
Examining data/r-cran-ape-5.4-1/src/additive.c
Examining data/r-cran-ape-5.4-1/src/reorder_Rcpp.cpp
Examining data/r-cran-ape-5.4-1/src/mvr.c
Examining data/r-cran-ape-5.4-1/src/heap.c
Examining data/r-cran-ape-5.4-1/src/me_ols.c
Examining data/r-cran-ape-5.4-1/src/SPR.c
Examining data/r-cran-ape-5.4-1/src/ape.h
Examining data/r-cran-ape-5.4-1/src/ape.c
Examining data/r-cran-ape-5.4-1/src/pic.c
Examining data/r-cran-ape-5.4-1/src/bionjs.c
Examining data/r-cran-ape-5.4-1/src/ultrametric.c
Examining data/r-cran-ape-5.4-1/src/triangMtds.c
Examining data/r-cran-ape-5.4-1/src/ewLasso.c
Examining data/r-cran-ape-5.4-1/src/tree_build.c
Examining data/r-cran-ape-5.4-1/src/treePop.c
Examining data/r-cran-ape-5.4-1/src/mvrs.c
Examining data/r-cran-ape-5.4-1/src/dist_dna.c
Examining data/r-cran-ape-5.4-1/src/me_balanced.c
Examining data/r-cran-ape-5.4-1/src/me.c
Examining data/r-cran-ape-5.4-1/src/NNI.c
Examining data/r-cran-ape-5.4-1/src/BIONJ.c
Examining data/r-cran-ape-5.4-1/src/read_dna.c
Examining data/r-cran-ape-5.4-1/src/RcppExports.cpp
Examining data/r-cran-ape-5.4-1/src/tree_phylo.c
Examining data/r-cran-ape-5.4-1/src/reorder_phylo.c
FINAL RESULTS:
data/r-cran-ape-5.4-1/src/bitsplits.c:20:23: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const unsigned char mask81[8] = {0x01, 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02};
data/r-cran-ape-5.4-1/src/bitsplits.c:34:20: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char trailzeros[8] = {0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe};
data/r-cran-ape-5.4-1/src/dist_dna.c:1980:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(z, x, n * s);
data/r-cran-ape-5.4-1/src/mat_expo.c:35:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(P, U, nc*sizeof(double));
data/r-cran-ape-5.4-1/src/me.h:69:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char name[MAX_LABEL_LENGTH];
data/r-cran-ape-5.4-1/src/me.h:90:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char label[EDGE_LABEL_LENGTH];
data/r-cran-ape-5.4-1/src/me.h:100:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char name[MAX_LABEL_LENGTH];
data/r-cran-ape-5.4-1/src/me_balanced.c:260:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char edgeLabel1[EDGE_LABEL_LENGTH];
data/r-cran-ape-5.4-1/src/me_balanced.c:261:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char edgeLabel2[EDGE_LABEL_LENGTH];
data/r-cran-ape-5.4-1/src/me_ols.c:408:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char edgelabel[EDGE_LABEL_LENGTH];
data/r-cran-ape-5.4-1/src/read_dna.c:218:10: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fl = fopen(filename, "a+");
data/r-cran-ape-5.4-1/src/read_dna.c:287:10: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fl = fopen(filename, "a+");
data/r-cran-ape-5.4-1/src/tree_build.c:33:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *endstr, str[100];
data/r-cran-ape-5.4-1/src/tree_build.c:48:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *endstr, str[100];
data/r-cran-ape-5.4-1/src/tree_build.c:62:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char str[100]; // *endstr,
data/r-cran-ape-5.4-1/src/tree_build.c:78:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *endstr, str[100];
data/r-cran-ape-5.4-1/src/tree_build.c:184:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char lab[512];
data/r-cran-ape-5.4-1/src/tree_build.c:283:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char lab[512];
data/r-cran-ape-5.4-1/src/tree_build.c:353:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char lab[512], tip[512];
data/r-cran-ape-5.4-1/src/tree_build.c:440:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char lab[512], tip[512];
data/r-cran-ape-5.4-1/src/me.c:226:3: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(newEdge->label,label,EDGE_LABEL_LENGTH-1);
data/r-cran-ape-5.4-1/src/read_dna.c:337:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
int n = strlen(xr);
data/r-cran-ape-5.4-1/src/tree_build.c:147:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
n = strlen(x); \
ANALYSIS SUMMARY:
Hits = 23
Lines analyzed = 10566 in approximately 0.32 seconds (33319 lines/second)
Physical Source Lines of Code (SLOC) = 7763
Hits@level = [0] 6 [1] 3 [2] 20 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 29 [1+] 23 [2+] 20 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 3.73567 [1+] 2.96277 [2+] 2.57632 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.