Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/uc-echo-1.12/hashing.cpp
Examining data/uc-echo-1.12/NeighborMerge.cpp
Examining data/uc-echo-1.12/DNASeq.cpp
Examining data/uc-echo-1.12/DNASeq.hpp
Examining data/uc-echo-1.12/KmerHashMap.cpp
Examining data/uc-echo-1.12/Voting.cpp
Examining data/uc-echo-1.12/HashMerge.cpp
Examining data/uc-echo-1.12/NeighborJoin.cpp
Examining data/uc-echo-1.12/NeighborSet.cpp
Examining data/uc-echo-1.12/KmerHashMap.hpp
Examining data/uc-echo-1.12/NeighborJoinParam.cpp
Examining data/uc-echo-1.12/MMAPReads.hpp
Examining data/uc-echo-1.12/util.hpp
Examining data/uc-echo-1.12/MMAP.hpp
Examining data/uc-echo-1.12/NeighborSet.hpp

FINAL RESULTS:

data/uc-echo-1.12/HashMerge.cpp:35:18:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    FILE *fout = fopen((string(opt.fpre) + opt.fsuf + ".hash").c_str(), "wb");
data/uc-echo-1.12/HashMerge.cpp:38:23:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    FILE *findexout = fopen((string(opt.fpre) + opt.fsuf + ".index").c_str(), "wb");
data/uc-echo-1.12/KmerHashMap.hpp:76:23:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
            fout[i] = fopen(fname.str().c_str(), "wb");
data/uc-echo-1.12/KmerHashMap.hpp:77:28:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
            findexout[i] = fopen(findexname.str().c_str(), "wb");
data/uc-echo-1.12/MMAP.hpp:21:15:  [2] (tmpfile) tmpfile:
  Function tmpfile() has a security flaw on some systems (e.g., older System
  V systems) (CWE-377).
        FILE *tmpfile;
data/uc-echo-1.12/MMAP.hpp:22:19:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        tmpfile = fopen(fname, "rb");
data/uc-echo-1.12/MMAP.hpp:26:20:  [2] (tmpfile) tmpfile:
  Function tmpfile() has a security flaw on some systems (e.g., older System
  V systems) (CWE-377).
            fclose(tmpfile);
data/uc-echo-1.12/MMAP.hpp:30:16:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        fdes = open(fname, O_RDONLY);
data/uc-echo-1.12/NeighborJoin.cpp:47:21:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    FILE *tmpfile = fopen(opt.inputFNames[0], "rb");
data/uc-echo-1.12/NeighborJoin.cpp:51:16:  [2] (tmpfile) tmpfile:
  Function tmpfile() has a security flaw on some systems (e.g., older System
  V systems) (CWE-377).
        fclose(tmpfile);
data/uc-echo-1.12/NeighborJoin.cpp:54:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    tmpfile = fopen(opt.inputFNames[1], "rb");
data/uc-echo-1.12/NeighborJoin.cpp:58:16:  [2] (tmpfile) tmpfile:
  Function tmpfile() has a security flaw on some systems (e.g., older System
  V systems) (CWE-377).
        fclose(tmpfile);
data/uc-echo-1.12/NeighborJoinParam.cpp:50:21:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    FILE *tmpfile = fopen(opt.inputFNames[0], "rb");
data/uc-echo-1.12/NeighborJoinParam.cpp:54:16:  [2] (tmpfile) tmpfile:
  Function tmpfile() has a security flaw on some systems (e.g., older System
  V systems) (CWE-377).
        fclose(tmpfile);
data/uc-echo-1.12/NeighborJoinParam.cpp:57:15:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    tmpfile = fopen(opt.inputFNames[1], "rb");
data/uc-echo-1.12/NeighborJoinParam.cpp:61:16:  [2] (tmpfile) tmpfile:
  Function tmpfile() has a security flaw on some systems (e.g., older System
  V systems) (CWE-377).
        fclose(tmpfile);
data/uc-echo-1.12/NeighborSet.hpp:104:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        fout = fopen(fname.str().c_str(), "wb");
data/uc-echo-1.12/NeighborSet.hpp:189:24:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        NeighborFile = fopen(NeighborFName, "rb");
data/uc-echo-1.12/Voting.cpp:131:10:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    fout.open(fname.str().c_str());
data/uc-echo-1.12/Voting.cpp:132:11:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
    fqual.open(fqualname.str().c_str());
data/uc-echo-1.12/Voting.cpp:344:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        fout.open(fname.str().c_str());
data/uc-echo-1.12/Voting.cpp:352:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        fout.open(fname.str().c_str());
data/uc-echo-1.12/util.hpp:52:21:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                K = atoi(argv[i+1]);
data/uc-echo-1.12/util.hpp:54:21:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                h = atoi(argv[i+1]);
data/uc-echo-1.12/util.hpp:58:27:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                max_cov = atoi(argv[i+1]);
data/uc-echo-1.12/util.hpp:60:27:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                min_cov = atoi(argv[i+1]);
data/uc-echo-1.12/util.hpp:62:23:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                cov = atoi(argv[i+1]);
data/uc-echo-1.12/util.hpp:64:25:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                nhash = atoi(argv[i+1]);
data/uc-echo-1.12/util.hpp:66:28:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                ihash_st = atoi(argv[i+1]);
data/uc-echo-1.12/util.hpp:68:28:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                ihash_ed = atoi(argv[i+1]);
data/uc-echo-1.12/util.hpp:70:29:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                blocksize = atoi(argv[i+1]);
data/uc-echo-1.12/util.hpp:72:27:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                read_st = atoi(argv[i+1]);
data/uc-echo-1.12/util.hpp:74:27:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                read_ed = atoi(argv[i+1]);
data/uc-echo-1.12/util.hpp:76:28:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                read_st2 = atoi(argv[i+1]);
data/uc-echo-1.12/util.hpp:78:28:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                read_ed2 = atoi(argv[i+1]);
data/uc-echo-1.12/util.hpp:90:30:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
                save_stats = atoi(argv[i+1]);
data/uc-echo-1.12/DNASeq.hpp:40:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            seq_len = strlen(seq);
data/uc-echo-1.12/HashMerge.cpp:111:43:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        fwrite(kmer_string, sizeof(char), strlen(kmer_string)+1, findexout);
data/uc-echo-1.12/KmerHashMap.hpp:116:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                fwrite(kmer, sizeof(char), strlen(kmer)+1, findexout[i]);
data/uc-echo-1.12/KmerHashMap.hpp:223:47:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            return *(unsigned int*)index_mmap[strlen((char*)index_mmap[fpos]) + 1 + fpos];
data/uc-echo-1.12/KmerHashMap.hpp:235:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            int offset = strlen((char*)index_mmap[fpos]) + 1;
data/uc-echo-1.12/KmerHashMap.hpp:273:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        unsigned int len_kmer = strlen((char*)index_mmap[sizeof(unsigned int)])+1;
data/uc-echo-1.12/NeighborJoin.cpp:78:70:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        for(HashMMAP::ConstReadIterator read=kmer_iter.read_begin(); read!=kmer_iter.read_end(); ++read) {
data/uc-echo-1.12/NeighborJoin.cpp:78:100:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        for(HashMMAP::ConstReadIterator read=kmer_iter.read_begin(); read!=kmer_iter.read_end(); ++read) {
data/uc-echo-1.12/NeighborJoin.cpp:80:19:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
            Reads[read.getReadID()] = readfile[read.getReadID()];
data/uc-echo-1.12/NeighborJoin.cpp:80:48:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
            Reads[read.getReadID()] = readfile[read.getReadID()];
data/uc-echo-1.12/NeighborJoin.cpp:81:55:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
            kmer_occurrences.push_back(KmerOccurrence(read.getReadID(), read.getPos()));
data/uc-echo-1.12/NeighborJoin.cpp:81:73:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
            kmer_occurrences.push_back(KmerOccurrence(read.getReadID(), read.getPos()));
data/uc-echo-1.12/NeighborJoin.cpp:82:19:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
            Reads[read.getReadID()] = readfile[read.getReadID()];
data/uc-echo-1.12/NeighborJoin.cpp:82:48:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
            Reads[read.getReadID()] = readfile[read.getReadID()];
data/uc-echo-1.12/NeighborJoin.cpp:83:56:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
            kmer_occurrences2.push_back(KmerOccurrence(read.getReadID(), read.getPos()));
data/uc-echo-1.12/NeighborJoin.cpp:83:74:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
            kmer_occurrences2.push_back(KmerOccurrence(read.getReadID(), read.getPos()));
data/uc-echo-1.12/NeighborJoinParam.cpp:79:70:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        for(HashMMAP::ConstReadIterator read=kmer_iter.read_begin(); read!=kmer_iter.read_end(); ++read) {
data/uc-echo-1.12/NeighborJoinParam.cpp:79:100:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
        for(HashMMAP::ConstReadIterator read=kmer_iter.read_begin(); read!=kmer_iter.read_end(); ++read) {
data/uc-echo-1.12/NeighborJoinParam.cpp:81:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
            if(read.getReadID() >= read_st && read.getReadID() < read_ed) {
data/uc-echo-1.12/NeighborJoinParam.cpp:81:47:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
            if(read.getReadID() >= read_st && read.getReadID() < read_ed) {
data/uc-echo-1.12/NeighborJoinParam.cpp:82:23:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
                Reads[read.getReadID()] = readfile[read.getReadID()];
data/uc-echo-1.12/NeighborJoinParam.cpp:82:52:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
                Reads[read.getReadID()] = readfile[read.getReadID()];
data/uc-echo-1.12/NeighborJoinParam.cpp:83:59:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
                kmer_occurrences.push_back(KmerOccurrence(read.getReadID(), read.getPos()));
data/uc-echo-1.12/NeighborJoinParam.cpp:83:77:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
                kmer_occurrences.push_back(KmerOccurrence(read.getReadID(), read.getPos()));
data/uc-echo-1.12/NeighborJoinParam.cpp:85:19:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
            Reads[read.getReadID()] = readfile[read.getReadID()];
data/uc-echo-1.12/NeighborJoinParam.cpp:85:48:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
            Reads[read.getReadID()] = readfile[read.getReadID()];
data/uc-echo-1.12/NeighborJoinParam.cpp:86:56:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
            kmer_occurrences2.push_back(KmerOccurrence(read.getReadID(), read.getPos()));
data/uc-echo-1.12/NeighborJoinParam.cpp:86:74:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
            kmer_occurrences2.push_back(KmerOccurrence(read.getReadID(), read.getPos()));
data/uc-echo-1.12/NeighborMerge.cpp:45:32:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                int seq_len2 = strlen(readfile[nn->first]);
data/uc-echo-1.12/Voting.cpp:107:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        int seq_len = strlen(readfile[readid]);
data/uc-echo-1.12/Voting.cpp:167:32:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                int seq_len2 = strlen(readfile[nn->first]);
data/uc-echo-1.12/Voting.cpp:182:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            const int neighbor_seq_len = strlen(neighbor_seq);

ANALYSIS SUMMARY:

Hits = 68
Lines analyzed = 1883 in approximately 0.08 seconds (23814 lines/second)
Physical Source Lines of Code (SLOC) = 1405
Hits@level = [0]   5 [1]  32 [2]  36 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  73 [1+]  68 [2+]  36 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 51.9573 [1+] 48.3986 [2+] 25.6228 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.