Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/unicycler-0.4.8+dfsg/unicycler/include/consensus_align.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/global_align.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/kmers.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/asg.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/eps.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/kdq.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/khash.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/kseq.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/ksort.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/kvec.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/miniasm.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/paf.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/sdict.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/sys.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm_assembly.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/bseq.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/kdq.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/khash.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/kseq.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/ksort.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/kvec.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/minimap.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/sdust.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap_align.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/nanoflann.hpp Examining data/unicycler-0.4.8+dfsg/unicycler/include/overlap_align.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/path_align.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/random_alignments.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/ref_seqs.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/scoredalignment.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/scrub.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/semi_global_align.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/semi_global_align_exhaustive.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/settings.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/start_end_align.h Examining data/unicycler-0.4.8+dfsg/unicycler/include/string_functions.h Examining data/unicycler-0.4.8+dfsg/unicycler/src/consensus_align.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/global_align.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/kmers.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/asg.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/asm.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/dotter.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/hit.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/paf.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/sdict.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/sys.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm_assembly.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap/bseq.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap/index.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap/kthread.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap/map.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap/misc.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sketch.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap_align.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/overlap_align.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/path_align.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/random_alignments.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/ref_seqs.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/scoredalignment.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/scrub.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/semi_global_align.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/semi_global_align_exhaustive.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/start_end_align.cpp Examining data/unicycler-0.4.8+dfsg/unicycler/src/string_functions.cpp FINAL RESULTS: data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/dotter.cpp:71:14: [3] (buffer) getopt: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs. while ((c = getopt(argc, argv, "m:i:s:w:f:Ld")) >= 0) { data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp:189:14: [3] (buffer) getopt: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs. while ((c = getopt(argc, argv, "w:t:")) >= 0) { data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/eps.h:8:21: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). #define eps_open(s) fopen((s),"w+") data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/kseq.h:135:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(str->s + str->l, ks->buf + ks->begin, i - ks->begin); \ data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/kvec.h:74:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy((v1).a, (v0).a, sizeof(type) * (v0).n); \ data/unicycler-0.4.8+dfsg/unicycler/include/minimap/kseq.h:127:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(str->s + str->l, ks->buf + ks->begin, i - ks->begin); \ data/unicycler-0.4.8+dfsg/unicycler/include/minimap/kvec.h:74:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy((v1).a, (v0).a, sizeof(type) * (v0).n); \ data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/asm.cpp:64:16: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). FILE *fp = fopen(graph_filename.c_str(), "w"); data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/asm.cpp:162:16: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). FILE *fp = fopen(graph_filename.c_str(), "w"); data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/asm.cpp:163:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char name[32]; data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/asm.cpp:166:9: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(name, "utg%.6d%c", i + 1, "lc"[p->circ]); data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/dotter.cpp:72:29: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if (c == 'm') min_match = atoi(optarg); data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/dotter.cpp:74:33: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). else if (c == 's') min_span = atoi(optarg); data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/dotter.cpp:75:30: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). else if (c == 'w') width = atoi(optarg); data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/dotter.cpp:76:34: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). else if (c == 'f') font_size = atoi(optarg); data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/hit.cpp:342:19: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). all_list_file.open(all_read_list); data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/hit.cpp:404:15: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). list_file.open(contained_read_list); data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/sys.cpp:40:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf[256]; data/unicycler-0.4.8+dfsg/unicycler/src/miniasm_assembly.cpp:73:13: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). outFile.open(miniasm_output); data/unicycler-0.4.8+dfsg/unicycler/src/minimap/bseq.cpp:10:17: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. extern unsigned char seq_nt4_table[256]; data/unicycler-0.4.8+dfsg/unicycler/src/minimap/index.cpp:316:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char magic[4]; data/unicycler-0.4.8+dfsg/unicycler/src/minimap/map.cpp:321:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(step->reg[i], regs, n_regs * sizeof(mm_reg1_t)); data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp:25:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char seq_nt4_table[256] = { data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp:44:17: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. extern unsigned char seq_nt4_table[256]; data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp:110:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(c, cv, SD_WTOT * sizeof(int)); data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp:190:21: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). if (c == 'w') W = atoi(optarg); data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp:191:26: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). else if (c == 't') T = atoi(optarg); data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sketch.cpp:10:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char seq_nt4_table[256] = { data/unicycler-0.4.8+dfsg/unicycler/src/semi_global_align.cpp:685:19: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). allPointsFile.open(filename); data/unicycler-0.4.8+dfsg/unicycler/src/semi_global_align.cpp:698:22: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). chainedSeedsFile.open(filename); data/unicycler-0.4.8+dfsg/unicycler/src/semi_global_align.cpp:721:19: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). traceDotsFile.open(filename); data/unicycler-0.4.8+dfsg/unicycler/src/semi_global_align.cpp:729:22: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). filteredDataFile.open(filename); data/unicycler-0.4.8+dfsg/unicycler/src/minimap/index.cpp:212:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). assert(strlen(s->seq[i].name) <= 254); data/unicycler-0.4.8+dfsg/unicycler/src/minimap/index.cpp:290:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). l = strlen(mi->name[i]); data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp:143:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (l_seq < 0) l_seq = strlen((const char*)seq); ANALYSIS SUMMARY: Hits = 35 Lines analyzed = 10959 in approximately 0.35 seconds (31239 lines/second) Physical Source Lines of Code (SLOC) = 7738 Hits@level = [0] 73 [1] 3 [2] 30 [3] 2 [4] 0 [5] 0 Hits@level+ = [0+] 108 [1+] 35 [2+] 32 [3+] 2 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 13.9571 [1+] 4.52313 [2+] 4.13544 [3+] 0.258465 [4+] 0 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.