Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/r-cran-rgenoud-5.8-3.0/src/unif.h
Examining data/r-cran-rgenoud-5.8-3.0/src/print_format.cpp
Examining data/r-cran-rgenoud-5.8-3.0/src/genoud.cpp
Examining data/r-cran-rgenoud-5.8-3.0/src/frange_ran.cpp
Examining data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp
Examining data/r-cran-rgenoud-5.8-3.0/src/rgenoud.cpp
Examining data/r-cran-rgenoud-5.8-3.0/src/eval.cpp
Examining data/r-cran-rgenoud-5.8-3.0/src/numerics.cpp
Examining data/r-cran-rgenoud-5.8-3.0/src/gradient.h
Examining data/r-cran-rgenoud-5.8-3.0/src/unif.cpp
Examining data/r-cran-rgenoud-5.8-3.0/src/math.cpp
Examining data/r-cran-rgenoud-5.8-3.0/src/init.c
Examining data/r-cran-rgenoud-5.8-3.0/src/genoud.h
Examining data/r-cran-rgenoud-5.8-3.0/src/change_order.cpp
Examining data/r-cran-rgenoud-5.8-3.0/src/gradient.cpp
Examining data/r-cran-rgenoud-5.8-3.0/src/operators.cpp
Examining data/r-cran-rgenoud-5.8-3.0/src/multiply.cpp

FINAL RESULTS:

data/r-cran-rgenoud-5.8-3.0/src/genoud.cpp:69:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(time_str, ctime(&start_time));
data/r-cran-rgenoud-5.8-3.0/src/genoud.cpp:169:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(time_str, ctime(&stop_time));
data/r-cran-rgenoud-5.8-3.0/src/print_format.cpp:44:12:  [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits
  buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
  different input function.
  fint = fscanf(fp, "%s", ctmp);
data/r-cran-rgenoud-5.8-3.0/src/print_format.cpp:50:12:  [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits
  buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
  different input function.
  fint = fscanf(fp, "%s", ctmp);
data/r-cran-rgenoud-5.8-3.0/src/print_format.cpp:52:12:  [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits
  buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
  different input function.
  fint = fscanf(fp, "%s", ctmp);
data/r-cran-rgenoud-5.8-3.0/src/print_format.cpp:58:12:  [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits
  buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
  different input function.
  fint = fscanf(fp, "%s", ctmp); /* reads "Fit" */
data/r-cran-rgenoud-5.8-3.0/src/print_format.cpp:59:12:  [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits
  buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
  different input function.
  fint = fscanf(fp, "%s", ctmp); /* reads "Values:" */
data/r-cran-rgenoud-5.8-3.0/src/print_format.cpp:66:12:  [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits
  buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
  different input function.
  fint = fscanf(fp, "%s", ctmp);
data/r-cran-rgenoud-5.8-3.0/src/rgenoud.cpp:206:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(OutputPath,STRING_VALUE(output_path));
data/r-cran-rgenoud-5.8-3.0/src/rgenoud.cpp:207:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(ProjectPath,STRING_VALUE(project_path));
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:2229:10:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  double random;
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:2241:17:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  }while((random > cum_probab[i]) && (i< pop_size));
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:2278:10:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  double random;
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:2291:14:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  while((random > cum_probab[i]) && (i< pop_size));
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:328:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if((popout = fopen(Structure->ProjectPath, "r")) == NULL) {
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:341:20:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if((popout = fopen(Structure->ProjectPath, "a")) == NULL) {
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:383:20:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if((popout = fopen(Structure->ProjectPath, "w")) == NULL) {
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:698:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if((popout = fopen(Structure->ProjectPath, "w")) == NULL) {
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:740:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if((popout = fopen(Structure->ProjectPath, "a")) == NULL) {
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:1638:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if((popout = fopen(Structure->ProjectPath, "w")) == NULL) {
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:1680:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if((popout = fopen(Structure->ProjectPath, "a")) == NULL) {
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:2759:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if((popout = fopen(Structure->ProjectPath, "r")) == NULL) {
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:2779:20:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if((popout = fopen(Structure->ProjectPath, "a")) == NULL) {
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:2820:20:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if((popout = fopen(Structure->ProjectPath, "w")) == NULL) {
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:3085:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if((popout = fopen(Structure->ProjectPath, "w")) == NULL) {
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:3126:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if((popout = fopen(Structure->ProjectPath, "a")) == NULL) {
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:3715:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if((popout = fopen(Structure->ProjectPath, "w")) == NULL) {
data/r-cran-rgenoud-5.8-3.0/src/evaluate.cpp:3756:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if((popout = fopen(Structure->ProjectPath, "a")) == NULL) {
data/r-cran-rgenoud-5.8-3.0/src/genoud.cpp:55:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char time_str[27];
data/r-cran-rgenoud-5.8-3.0/src/print_format.cpp:32:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ctmp[MAXPATH];
data/r-cran-rgenoud-5.8-3.0/src/rgenoud.cpp:205:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char OutputPath[1000], ProjectPath[1000];
data/r-cran-rgenoud-5.8-3.0/src/genoud.h:270:27:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions
  (CWE-126). This function is often discouraged by most C++ coding standards
  in favor of its safer alternatives provided since C++14. Consider using a
  form of this function that checks the second iterator before potentially
  overflowing it.
  void print_domains(MATRIX equal, int t_equ, short DataType);
data/r-cran-rgenoud-5.8-3.0/src/print_format.cpp:144:27:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions
  (CWE-126). This function is often discouraged by most C++ coding standards
  in favor of its safer alternatives provided since C++14. Consider using a
  form of this function that checks the second iterator before potentially
  overflowing it.
  void print_domains(MATRIX equal, int t_equ, short DataType)
data/r-cran-rgenoud-5.8-3.0/src/print_format.cpp:161:39:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions
  (CWE-126). This function is often discouraged by most C++ coding standards
  in favor of its safer alternatives provided since C++14. Consider using a
  form of this function that checks the second iterator before potentially
  overflowing it.
  Rprintf(" <= X%-2d <= ",(int)equal[i][j]);
data/r-cran-rgenoud-5.8-3.0/src/print_format.cpp:163:26:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions
  (CWE-126). This function is often discouraged by most C++ coding standards
  in favor of its safer alternatives provided since C++14. Consider using a
  form of this function that checks the second iterator before potentially
  overflowing it.
  Rprintf(" %d ",(int) equal[i][j]);
data/r-cran-rgenoud-5.8-3.0/src/print_format.cpp:173:39:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions
  (CWE-126). This function is often discouraged by most C++ coding standards
  in favor of its safer alternatives provided since C++14. Consider using a
  form of this function that checks the second iterator before potentially
  overflowing it.
  Rprintf(" <= X%-2d <= ",(int)equal[i][j]);
data/r-cran-rgenoud-5.8-3.0/src/print_format.cpp:175:20:  [1] (buffer) equal:
  Function does not check the second iterator for over-read conditions
  (CWE-126). This function is often discouraged by most C++ coding standards
  in favor of its safer alternatives provided since C++14. Consider using a
  form of this function that checks the second iterator before potentially
  overflowing it.
  Rprintf(" %e ",equal[i][j]);

ANALYSIS SUMMARY:

Hits = 37
Lines analyzed = 9101 in approximately 0.25 seconds (36723 lines/second)
Physical Source Lines of Code (SLOC) = 5926
Hits@level = [0]  18 [1]   6 [2]  17 [3]   4 [4]  10 [5]   0
Hits@level+ = [0+]  55 [1+]  37 [2+]  31 [3+]  14 [4+]  10 [5+]   0
Hits/KSLOC@level+ = [0+] 9.28113 [1+] 6.24367 [2+] 5.23118 [3+] 2.36247 [4+] 1.68748 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.