Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/vsearch-2.15.1/src/align.cc
Examining data/vsearch-2.15.1/src/align.h
Examining data/vsearch-2.15.1/src/align_simd.cc
Examining data/vsearch-2.15.1/src/align_simd.h
Examining data/vsearch-2.15.1/src/allpairs.cc
Examining data/vsearch-2.15.1/src/allpairs.h
Examining data/vsearch-2.15.1/src/arch.h
Examining data/vsearch-2.15.1/src/attributes.cc
Examining data/vsearch-2.15.1/src/attributes.h
Examining data/vsearch-2.15.1/src/bitmap.cc
Examining data/vsearch-2.15.1/src/bitmap.h
Examining data/vsearch-2.15.1/src/chimera.cc
Examining data/vsearch-2.15.1/src/chimera.h
Examining data/vsearch-2.15.1/src/city.cc
Examining data/vsearch-2.15.1/src/city.h
Examining data/vsearch-2.15.1/src/citycrc.h
Examining data/vsearch-2.15.1/src/cluster.cc
Examining data/vsearch-2.15.1/src/cluster.h
Examining data/vsearch-2.15.1/src/cpu.cc
Examining data/vsearch-2.15.1/src/cpu.h
Examining data/vsearch-2.15.1/src/cut.cc
Examining data/vsearch-2.15.1/src/cut.h
Examining data/vsearch-2.15.1/src/db.cc
Examining data/vsearch-2.15.1/src/db.h
Examining data/vsearch-2.15.1/src/dbhash.cc
Examining data/vsearch-2.15.1/src/dbhash.h
Examining data/vsearch-2.15.1/src/dbindex.cc
Examining data/vsearch-2.15.1/src/dbindex.h
Examining data/vsearch-2.15.1/src/derep.cc
Examining data/vsearch-2.15.1/src/derep.h
Examining data/vsearch-2.15.1/src/dynlibs.cc
Examining data/vsearch-2.15.1/src/dynlibs.h
Examining data/vsearch-2.15.1/src/eestats.cc
Examining data/vsearch-2.15.1/src/eestats.h
Examining data/vsearch-2.15.1/src/fasta.cc
Examining data/vsearch-2.15.1/src/fasta.h
Examining data/vsearch-2.15.1/src/fastq.cc
Examining data/vsearch-2.15.1/src/fastq.h
Examining data/vsearch-2.15.1/src/fastqjoin.cc
Examining data/vsearch-2.15.1/src/fastqjoin.h
Examining data/vsearch-2.15.1/src/fastqops.cc
Examining data/vsearch-2.15.1/src/fastqops.h
Examining data/vsearch-2.15.1/src/fastx.cc
Examining data/vsearch-2.15.1/src/fastx.h
Examining data/vsearch-2.15.1/src/filter.cc
Examining data/vsearch-2.15.1/src/filter.h
Examining data/vsearch-2.15.1/src/getseq.cc
Examining data/vsearch-2.15.1/src/getseq.h
Examining data/vsearch-2.15.1/src/kmerhash.cc
Examining data/vsearch-2.15.1/src/kmerhash.h
Examining data/vsearch-2.15.1/src/linmemalign.cc
Examining data/vsearch-2.15.1/src/linmemalign.h
Examining data/vsearch-2.15.1/src/maps.cc
Examining data/vsearch-2.15.1/src/maps.h
Examining data/vsearch-2.15.1/src/mask.cc
Examining data/vsearch-2.15.1/src/mask.h
Examining data/vsearch-2.15.1/src/md5.c
Examining data/vsearch-2.15.1/src/md5.h
Examining data/vsearch-2.15.1/src/mergepairs.cc
Examining data/vsearch-2.15.1/src/mergepairs.h
Examining data/vsearch-2.15.1/src/minheap.cc
Examining data/vsearch-2.15.1/src/minheap.h
Examining data/vsearch-2.15.1/src/msa.cc
Examining data/vsearch-2.15.1/src/msa.h
Examining data/vsearch-2.15.1/src/otutable.cc
Examining data/vsearch-2.15.1/src/otutable.h
Examining data/vsearch-2.15.1/src/rerep.cc
Examining data/vsearch-2.15.1/src/rerep.h
Examining data/vsearch-2.15.1/src/results.cc
Examining data/vsearch-2.15.1/src/results.h
Examining data/vsearch-2.15.1/src/search.cc
Examining data/vsearch-2.15.1/src/search.h
Examining data/vsearch-2.15.1/src/searchcore.cc
Examining data/vsearch-2.15.1/src/searchcore.h
Examining data/vsearch-2.15.1/src/searchexact.cc
Examining data/vsearch-2.15.1/src/searchexact.h
Examining data/vsearch-2.15.1/src/sffconvert.cc
Examining data/vsearch-2.15.1/src/sffconvert.h
Examining data/vsearch-2.15.1/src/sha1.c
Examining data/vsearch-2.15.1/src/sha1.h
Examining data/vsearch-2.15.1/src/showalign.cc
Examining data/vsearch-2.15.1/src/showalign.h
Examining data/vsearch-2.15.1/src/shuffle.cc
Examining data/vsearch-2.15.1/src/shuffle.h
Examining data/vsearch-2.15.1/src/sintax.cc
Examining data/vsearch-2.15.1/src/sintax.h
Examining data/vsearch-2.15.1/src/sortbylength.cc
Examining data/vsearch-2.15.1/src/sortbylength.h
Examining data/vsearch-2.15.1/src/sortbysize.cc
Examining data/vsearch-2.15.1/src/sortbysize.h
Examining data/vsearch-2.15.1/src/subsample.cc
Examining data/vsearch-2.15.1/src/subsample.h
Examining data/vsearch-2.15.1/src/udb.cc
Examining data/vsearch-2.15.1/src/udb.h
Examining data/vsearch-2.15.1/src/unique.cc
Examining data/vsearch-2.15.1/src/unique.h
Examining data/vsearch-2.15.1/src/userfields.cc
Examining data/vsearch-2.15.1/src/userfields.h
Examining data/vsearch-2.15.1/src/util.cc
Examining data/vsearch-2.15.1/src/util.h
Examining data/vsearch-2.15.1/src/vsearch.cc
Examining data/vsearch-2.15.1/src/vsearch.h
Examining data/vsearch-2.15.1/src/xstring.h
Examining data/vsearch-2.15.1/src/arch.cc

FINAL RESULTS:

data/vsearch-2.15.1/src/align_simd.cc:1419:17:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(pcigar[cand_id], s->cigar);

data/vsearch-2.15.1/src/chimera.cc:1177:15:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ci->query_head, fasta_get_header(query_fasta_h));

data/vsearch-2.15.1/src/chimera.cc:1178:15:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ci->query_seq, fasta_get_sequence(query_fasta_h));

data/vsearch-2.15.1/src/chimera.cc:1198:15:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ci->query_head, db_getheader(seqno));

data/vsearch-2.15.1/src/chimera.cc:1199:15:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ci->query_seq, db_getsequence(seqno));

data/vsearch-2.15.1/src/cluster.cc:162:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(si->qsequence, db_getsequence(seqno));

data/vsearch-2.15.1/src/cluster.cc:337:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(label, "%s%d", opt_relabel, clusterno+1);

data/vsearch-2.15.1/src/cluster.cc:1262:15:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(fn_clusters, "%s%d", opt_clusters, clusterno);

data/vsearch-2.15.1/src/fastqjoin.cc:161:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(seq, fastq_get_sequence(fastq_fwd));

data/vsearch-2.15.1/src/fastqjoin.cc:162:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(qual, fastq_get_quality(fastq_fwd));

data/vsearch-2.15.1/src/fastqjoin.cc:165:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(seq + len, padgap);

data/vsearch-2.15.1/src/fastqjoin.cc:166:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(qual + len, padgapq);

data/vsearch-2.15.1/src/getseq.cc:155:7:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(field_buffer, "%s=", opt_label_field);

data/vsearch-2.15.1/src/getseq.cc:191:11:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(field_buffer + field_len + 1, needle);

data/vsearch-2.15.1/src/getseq.cc:232:15:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(field_buffer + field_len + 1, needle);

data/vsearch-2.15.1/src/linmemalign.cc:222:9:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  printf(" %2" PRId64, scorematrix[16*i+j]);

data/vsearch-2.15.1/src/mask.cc:128:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(s, m);

data/vsearch-2.15.1/src/mergepairs.cc:978:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ip->fwd_header, fastq_get_header(fastq_fwd));

data/vsearch-2.15.1/src/mergepairs.cc:979:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ip->rev_header, fastq_get_header(fastq_rev));

data/vsearch-2.15.1/src/mergepairs.cc:980:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ip->fwd_sequence, fastq_get_sequence(fastq_fwd));

data/vsearch-2.15.1/src/mergepairs.cc:981:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ip->rev_sequence, fastq_get_sequence(fastq_rev));

data/vsearch-2.15.1/src/mergepairs.cc:982:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ip->fwd_quality, fastq_get_quality(fastq_fwd));

data/vsearch-2.15.1/src/mergepairs.cc:983:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ip->rev_quality, fastq_get_quality(fastq_rev));

data/vsearch-2.15.1/src/msa.cc:366:13:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp_profile, "\t%" PRId64, profile[PROFSIZE*i+c]);

data/vsearch-2.15.1/src/msa.cc:368:11:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp_profile, "\t%" PRId64, profile[PROFSIZE*i+5]);

data/vsearch-2.15.1/src/msa.cc:370:11:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp_profile, "\t%" PRId64, profile[PROFSIZE*i+4]);

data/vsearch-2.15.1/src/otutable.cc:243:11:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp, "\t%" PRIu64, a);

data/vsearch-2.15.1/src/otutable.cc:282:7:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp, "vsearch\t%s\t%" PRId64, it_sample->c_str(), numotus);

data/vsearch-2.15.1/src/otutable.cc:296:11:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp, "\t%" PRIu64, a);

data/vsearch-2.15.1/src/results.cc:298:11:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp, "%" PRId64, hp ? (hp->strand ? qseqlen : 1) : 0);

data/vsearch-2.15.1/src/results.cc:301:11:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp, "%" PRId64, hp ? (hp->strand ? 1 : qseqlen) : 0);

data/vsearch-2.15.1/src/results.cc:307:11:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp, "%" PRId64, tseqlen);

data/vsearch-2.15.1/src/results.cc:313:11:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp, "%" PRId64, qseqlen);

data/vsearch-2.15.1/src/results.cc:316:11:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp, "%" PRId64, hp ? tseqlen : 0);

data/vsearch-2.15.1/src/results.cc:319:11:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp, "%" PRId64, qseqlen);

data/vsearch-2.15.1/src/results.cc:322:11:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp, "%" PRId64, hp ? tseqlen : 0);

data/vsearch-2.15.1/src/results.cc:423:11:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp, "%" PRId64, hp ? qseqlen - hp->trim_q_right : 0);

data/vsearch-2.15.1/src/results.cc:429:11:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp, "%" PRId64, hp ? tseqlen - hp->trim_t_right : 0);

data/vsearch-2.15.1/src/results.cc:481:25:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  int qlenlen = snprintf(0, 0, "%" PRId64, qseqlen);

data/vsearch-2.15.1/src/results.cc:482:25:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  int tlenlen = snprintf(0, 0, "%" PRId64, dseqlen);

data/vsearch-2.15.1/src/search.cc:341:11:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(si_plus[t].query_head, qhead);

data/vsearch-2.15.1/src/search.cc:342:11:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(si_plus[t].qsequence, qseq);

data/vsearch-2.15.1/src/search.cc:353:15:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(si_minus[t].query_head, si_plus[t].query_head);

data/vsearch-2.15.1/src/searchcore.cc:292:11:  [4] (buffer) sscanf:
  The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. If the scanf format is influenceable by an attacker, it's exploitable.
  sscanf(p, "%" PRId64, &run);

data/vsearch-2.15.1/src/searchexact.cc:411:11:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(si_plus[t].query_head, qhead);

data/vsearch-2.15.1/src/searchexact.cc:412:11:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(si_plus[t].qsequence, qseq);

data/vsearch-2.15.1/src/searchexact.cc:423:15:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(si_minus[t].query_head, si_plus[t].query_head);

data/vsearch-2.15.1/src/sintax.cc:467:11:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(si_plus[t].query_head, qhead);

data/vsearch-2.15.1/src/sintax.cc:468:11:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(si_plus[t].qsequence, qseq);

data/vsearch-2.15.1/src/sintax.cc:479:15:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(si_minus[t].query_head, si_plus[t].query_head);

data/vsearch-2.15.1/src/util.cc:133:3:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(stderr, format, message);

data/vsearch-2.15.1/src/util.cc:139:7:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(fp_log, format, message);

data/vsearch-2.15.1/src/util.cc:150:10:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  return strcpy(p, s);

data/vsearch-2.15.1/src/util.cc:168:13:  [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  int len = vsnprintf(0, 0, format, ap);

data/vsearch-2.15.1/src/util.cc:174:9:  [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  len = vsnprintf(p, len + 1, format, ap);

data/vsearch-2.15.1/src/vsearch.cc:4980:7:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(cmdline, argv[i]);

data/vsearch-2.15.1/src/xstring.h:140:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(string + length, s);

data/vsearch-2.15.1/src/arch.cc:172:7:  [3] (random) srand:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srand(GetTickCount());

data/vsearch-2.15.1/src/arch.cc:180:7:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srandom(seed);

data/vsearch-2.15.1/src/arch.cc:186:7:  [3] (random) srand:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srand(seed);

data/vsearch-2.15.1/src/arch.cc:188:7:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srandom(seed);

data/vsearch-2.15.1/src/arch.cc:198:10:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  return random();

data/vsearch-2.15.1/src/subsample.cc:150:11:  [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  if (random < x)

data/vsearch-2.15.1/src/vsearch.h:173:26:  [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  #define getopt_long_only getopt_long

data/vsearch-2.15.1/src/align.cc:85:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[25];

data/vsearch-2.15.1/src/align.cc:86:17:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  int len = sprintf(buf, "%d", *count);

data/vsearch-2.15.1/src/align.cc:88:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(*cigarendp, buf, (size_t)len);

data/vsearch-2.15.1/src/align.cc:102:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[25];

data/vsearch-2.15.1/src/align.cc:103:17:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  int len = sprintf(buf, "%d", *count);

data/vsearch-2.15.1/src/align.cc:105:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(*cigarendp, buf, (size_t)len);

data/vsearch-2.15.1/src/align_simd.cc:770:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[11];

data/vsearch-2.15.1/src/align_simd.cc:771:21:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  int len = sprintf(buf, "%d", s->opcount);

data/vsearch-2.15.1/src/align_simd.cc:773:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(s->cigarend, buf, len);

data/vsearch-2.15.1/src/align_simd.cc:787:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[11];

data/vsearch-2.15.1/src/align_simd.cc:788:21:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  int len = sprintf(buf, "%d", s->opcount);

data/vsearch-2.15.1/src/align_simd.cc:790:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(s->cigarend, buf, len);

data/vsearch-2.15.1/src/arch.cc:174:16:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  int fd = open("/dev/urandom", O_RDONLY);

data/vsearch-2.15.1/src/arch.cc:287:10:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  return open(path, O_RDONLY);

data/vsearch-2.15.1/src/arch.cc:298:10:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  return open(path,

data/vsearch-2.15.1/src/attributes.cc:143:24:  [2] (integer) atol:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  int64_t number = atol(header + start + 5);

data/vsearch-2.15.1/src/chimera.cc:132:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char * nwcigar[maxcandidates];

data/vsearch-2.15.1/src/chimera.cc:145:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char * paln[2];

data/vsearch-2.15.1/src/city.cc:597:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[240];

data/vsearch-2.15.1/src/city.cc:598:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buf, s, len);

data/vsearch-2.15.1/src/cluster.cc:342:7:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(label, "%.*s", seqlen, sequence);

data/vsearch-2.15.1/src/db.cc:174:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(datap + header_p,

data/vsearch-2.15.1/src/db.cc:181:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(datap + sequence_p,

data/vsearch-2.15.1/src/db.cc:190:15:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(datap+quality_p,

data/vsearch-2.15.1/src/fasta.cc:88:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char msg[200];

data/vsearch-2.15.1/src/fastq.cc:170:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char msg[200];

data/vsearch-2.15.1/src/fastx.cc:125:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(dest_buffer->data + dest_buffer->length,

data/vsearch-2.15.1/src/fastx.cc:275:16:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char magic[2];

data/vsearch-2.15.1/src/getseq.cc:91:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buffer[buffer_size];

data/vsearch-2.15.1/src/maps.cc:375:16:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const unsigned char chrmap_complement[256] =

data/vsearch-2.15.1/src/maps.cc:406:16:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const unsigned char chrmap_normalize[256] =

data/vsearch-2.15.1/src/maps.cc:438:16:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const unsigned char chrmap_upcase[256] =

data/vsearch-2.15.1/src/maps.cc:470:16:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const unsigned char chrmap_no_change[256] =

data/vsearch-2.15.1/src/maps.cc:501:16:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const unsigned char chrmap_identity[256] =

data/vsearch-2.15.1/src/maps.h:61:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern char sym_nt_2bit[5];

data/vsearch-2.15.1/src/maps.h:62:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern char sym_nt_4bit[17];

data/vsearch-2.15.1/src/maps.h:74:23:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern const unsigned char chrmap_complement[256];

data/vsearch-2.15.1/src/maps.h:75:23:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern const unsigned char chrmap_normalize[256];

data/vsearch-2.15.1/src/maps.h:76:23:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern const unsigned char chrmap_upcase[256];

data/vsearch-2.15.1/src/maps.h:77:23:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern const unsigned char chrmap_no_change[256];

data/vsearch-2.15.1/src/maps.h:78:23:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern const unsigned char chrmap_identity[256];

data/vsearch-2.15.1/src/md5.c:226:25:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ctx->buffer[used], data, size);

data/vsearch-2.15.1/src/md5.c:230:17:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ctx->buffer[used], data, free);

data/vsearch-2.15.1/src/md5.c:241:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ctx->buffer, data, size);

data/vsearch-2.15.1/src/md5.h:41:18:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buffer[64];

data/vsearch-2.15.1/src/mergepairs.cc:101:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char merge_qual_same[128][128];

data/vsearch-2.15.1/src/mergepairs.cc:102:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char merge_qual_diff[128][128];

data/vsearch-2.15.1/src/otutable.cc:316:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char date[50];

data/vsearch-2.15.1/src/results.cc:647:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char md5hex[LEN_HEX_DIG_MD5];

data/vsearch-2.15.1/src/searchcore.cc:512:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char * nwcigar_list[MAXDELAYED]; data/vsearch-2.15.1/src/sffconvert.cc:94:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[BLOCKSIZE]; data/vsearch-2.15.1/src/sffconvert.cc:182:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char index_kind[9]; data/vsearch-2.15.1/src/sha1.c:143:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(block, buffer, 64); data/vsearch-2.15.1/src/sha1.c:215:9: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&context->buffer[j], data, (i = 64-j)); data/vsearch-2.15.1/src/sha1.c:223:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&context->buffer[j], &data[i], len - i); data/vsearch-2.15.1/src/sha1.c:270:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
unsigned char digest[SHA1_DIGEST_SIZE], buffer[16384]; data/vsearch-2.15.1/src/sha1.c:283:22: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (!(file = fopen(argv[1], "rb"))) { data/vsearch-2.15.1/src/sha1.c:327:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(c,"%02X", digest[i*4+j]); data/vsearch-2.15.1/src/sha1.c:341:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char output[80]; data/vsearch-2.15.1/src/util.cc:310:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char digest[LEN_DIG_SHA1]; data/vsearch-2.15.1/src/util.cc:333:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char digest[LEN_DIG_MD5]; data/vsearch-2.15.1/src/util.cc:350:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
char digest[LEN_HEX_DIG_SHA1]; data/vsearch-2.15.1/src/util.cc:357:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char digest[LEN_HEX_DIG_MD5]; data/vsearch-2.15.1/src/util.cc:374:12: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). return fopen(filename, "rb"); data/vsearch-2.15.1/src/util.cc:389:12: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). return fopen(filename, "w"); data/vsearch-2.15.1/src/vsearch.cc:315:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char progheader[80]; data/vsearch-2.15.1/src/vsearch.cc:5012:7: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char time_string[26]; data/vsearch-2.15.1/src/vsearch.cc:5109:7: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
char time_string[26]; data/vsearch-2.15.1/src/xstring.h:61:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char empty_string[1] = ""; data/vsearch-2.15.1/src/xstring.h:128:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(string + length, "%d", d); data/vsearch-2.15.1/src/align_simd.cc:1418:52: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). pcigar[cand_id] = (char *) xmalloc(strlen(s->cigar)+1); data/vsearch-2.15.1/src/allpairs.cc:226:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(query_head), data/vsearch-2.15.1/src/allpairs.cc:241:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(query_head), data/vsearch-2.15.1/src/arch.cc:177:11: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). if (read(fd, & seed, sizeof(seed)) < 0) data/vsearch-2.15.1/src/attributes.cc:83:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int alen = strlen(attribute); data/vsearch-2.15.1/src/chimera.cc:221:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
char * e = p + strlen(p); data/vsearch-2.15.1/src/chimera.cc:401:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). char * e = p + strlen(p); data/vsearch-2.15.1/src/chimera.cc:460:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). char * e = p + strlen(p); data/vsearch-2.15.1/src/chimera.cc:1051:7: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(si->qsequence, p, len); data/vsearch-2.15.1/src/cluster.cc:336:31: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). label = (char*) xmalloc(strlen(opt_relabel) + 21); data/vsearch-2.15.1/src/cluster.cc:421:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(query_head), data/vsearch-2.15.1/src/cluster.cc:472:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(query_head), data/vsearch-2.15.1/src/cluster.cc:1219:36: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). fn_clusters = (char *) xmalloc(strlen(opt_clusters) + 25); data/vsearch-2.15.1/src/cut.cc:291:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
int n = strlen(pattern); data/vsearch-2.15.1/src/derep.cc:629:35: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(bp->seq), data/vsearch-2.15.1/src/derep.cc:631:35: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(bp->header), data/vsearch-2.15.1/src/derep.cc:655:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int64_t len = strlen(bp->seq); data/vsearch-2.15.1/src/fastq.cc:519:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int slen = strlen(sequence); data/vsearch-2.15.1/src/fastq.cc:520:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int hlen = strlen(header); data/vsearch-2.15.1/src/fastqjoin.cc:100:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). uint64_t padlen = strlen(padgap); data/vsearch-2.15.1/src/fastqjoin.cc:112:17: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (padlen != strlen(padgapq)) data/vsearch-2.15.1/src/getseq.cc:95:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
int len = strlen(buffer); data/vsearch-2.15.1/src/getseq.cc:148:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). field_len = strlen(opt_label_field); data/vsearch-2.15.1/src/getseq.cc:151:30: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). field_buffer_size += strlen(opt_label_word); data/vsearch-2.15.1/src/getseq.cc:161:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int wlen = strlen(needle); data/vsearch-2.15.1/src/getseq.cc:180:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int wlen = strlen(needle); data/vsearch-2.15.1/src/getseq.cc:194:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int wlen = strlen(needle); data/vsearch-2.15.1/src/getseq.cc:235:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int wlen = strlen(needle); data/vsearch-2.15.1/src/linmemalign.cc:114:74: [1] (buffer) mismatch: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. 
int64_t * LinearMemoryAligner::scorematrix_create(int64_t match, int64_t mismatch) data/vsearch-2.15.1/src/linmemalign.cc:127:19: [1] (buffer) mismatch: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. value = mismatch; data/vsearch-2.15.1/src/linmemalign.h:133:55: [1] (buffer) mismatch: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. int64_t * scorematrix_create(int64_t match, int64_t mismatch); data/vsearch-2.15.1/src/mergepairs.cc:398:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(ip->fwd_header), data/vsearch-2.15.1/src/mergepairs.cc:412:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(ip->fwd_header), data/vsearch-2.15.1/src/mergepairs.cc:502:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(ip->fwd_header), data/vsearch-2.15.1/src/mergepairs.cc:513:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
strlen(ip->rev_header), data/vsearch-2.15.1/src/mergepairs.cc:525:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(ip->fwd_header), data/vsearch-2.15.1/src/mergepairs.cc:538:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(ip->rev_header), data/vsearch-2.15.1/src/msa.cc:127:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). char * e = p + strlen(p); data/vsearch-2.15.1/src/msa.cc:211:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). char * e = p + strlen(p); data/vsearch-2.15.1/src/otutable.cc:153:3: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(sample_name, start_sample, len_sample); data/vsearch-2.15.1/src/otutable.cc:174:3: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(otu_name, start_otu, len_otu); data/vsearch-2.15.1/src/otutable.cc:191:7: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(tax_name, start_tax, len_tax); data/vsearch-2.15.1/src/results.cc:83:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
strlen(query_head), data/vsearch-2.15.1/src/results.cc:502:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(hp->nwalignment) data/vsearch-2.15.1/src/results.cc:560:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). char * e = p + strlen(p); data/vsearch-2.15.1/src/search.cc:220:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(query_head), data/vsearch-2.15.1/src/search.cc:235:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(query_head), data/vsearch-2.15.1/src/searchcore.cc:282:33: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). char * e = hit->nwalignment + strlen(hit->nwalignment); data/vsearch-2.15.1/src/searchexact.cc:292:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(query_head), data/vsearch-2.15.1/src/searchexact.cc:307:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(query_head), data/vsearch-2.15.1/src/sffconvert.cc:336:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
strlen(read_name), data/vsearch-2.15.1/src/sha1.c:330:9: [1] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source is a constant character. sprintf(c, " "); data/vsearch-2.15.1/src/sha1.c:347:55: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). SHA1_Update(&context, (uint8_t*)test_data[k], strlen(test_data[k])); data/vsearch-2.15.1/src/showalign.cc:270:11: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(r, s, len); data/vsearch-2.15.1/src/sintax.cc:115:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int alen = strlen(attribute); data/vsearch-2.15.1/src/udb.cc:104:28: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). uint64_t bytesread = read(fd, ((char*)buf) + i, rem); data/vsearch-2.15.1/src/udb.cc:158:24: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). uint64_t bytesread = read(fd, & magic, 4); data/vsearch-2.15.1/src/udb.cc:179:24: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). uint64_t bytesread = read(fd_udbinfo, buffer, 4 * 50); data/vsearch-2.15.1/src/userfields.cc:120:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
char * e = p + strlen(p); // pointer to end of string data/vsearch-2.15.1/src/userfields.cc:147:44: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if ((strncmp(p, *u, n) == 0) && (strlen(*u) == n)) data/vsearch-2.15.1/src/util.cc:148:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t len = strlen(s); data/vsearch-2.15.1/src/util.cc:161:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). return (char *)s + strlen(s); data/vsearch-2.15.1/src/vsearch.cc:409:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). for (size_t i=0; i<strlen(arg); i++) data/vsearch-2.15.1/src/vsearch.cc:448:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if ((size_t)skip < strlen(arg)) data/vsearch-2.15.1/src/vsearch.cc:453:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if ((size_t)skip < strlen(arg)) data/vsearch-2.15.1/src/vsearch.cc:631:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if ((ret == 0) || (((unsigned int)(len)) < strlen(arg))) data/vsearch-2.15.1/src/vsearch.cc:641:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 
if ((ret == 0) || (((unsigned int)(len)) < strlen(arg))) data/vsearch-2.15.1/src/vsearch.cc:4971:12: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len += strlen(argv[i]); data/vsearch-2.15.1/src/vsearch.cc:4979:9: [1] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character. strcat(cmdline, " "); data/vsearch-2.15.1/src/xstring.h:134:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t needed = strlen(s); ANALYSIS SUMMARY: Hits = 204 Lines analyzed = 36457 in approximately 0.99 seconds (36776 lines/second) Physical Source Lines of Code (SLOC) = 24334 Hits@level = [0] 700 [1] 70 [2] 70 [3] 7 [4] 57 [5] 0 Hits@level+ = [0+] 904 [1+] 204 [2+] 134 [3+] 64 [4+] 57 [5+] 0 Hits/KSLOC@level+ = [0+] 37.1497 [1+] 8.38333 [2+] 5.5067 [3+] 2.63006 [4+] 2.3424 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.