Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/flash-1.2.11/combine_reads.c Examining data/flash-1.2.11/combine_reads.h Examining data/flash-1.2.11/flash.c Examining data/flash-1.2.11/iostream.c Examining data/flash-1.2.11/iostream.h Examining data/flash-1.2.11/read.h Examining data/flash-1.2.11/read_io.c Examining data/flash-1.2.11/read_io.h Examining data/flash-1.2.11/read_queue.c Examining data/flash-1.2.11/read_queue.h Examining data/flash-1.2.11/read_util.c Examining data/flash-1.2.11/util.c Examining data/flash-1.2.11/util.h FINAL RESULTS: data/flash-1.2.11/flash.c:1002:4: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(out_suffix, ".%s", optarg); data/flash-1.2.11/flash.c:1011:4: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(compress_prog_args, "%s -c -", optarg); data/flash-1.2.11/flash.c:1019:5: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(out_suffix, ".%s", optarg); data/flash-1.2.11/flash.c:1147:22: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. suffix = name_buf + sprintf(name_buf, "%s/%s", output_dir, prefix); data/flash-1.2.11/flash.c:1150:3: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(suffix, ".readsAndPairs.%s%s", out_filetype, out_suffix); data/flash-1.2.11/flash.c:1156:3: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(suffix, ".extendedFrags.%s%s", out_filetype, out_suffix); data/flash-1.2.11/flash.c:1164:5: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(suffix, ".notCombined.%s%s", data/flash-1.2.11/flash.c:1171:5: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(suffix, ".notCombined_1.%s%s", data/flash-1.2.11/flash.c:1178:5: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(suffix, ".notCombined_2.%s%s", data/flash-1.2.11/flash.c:1365:4: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(suffix, ".hist%s", hist_specs[i].suffix); data/flash-1.2.11/flash.c:1371:4: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(suffix, ".histogram%s", hist_specs[i].suffix); data/flash-1.2.11/iostream.c:572:7: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. p += sprintf(p, "%s %s", filter_prog, filter_prog_args); data/flash-1.2.11/iostream.c:574:3: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(p, " > '%s'", path); data/flash-1.2.11/iostream.c:576:6: [4] (shell) popen: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. f = popen(command, "w"); data/flash-1.2.11/util.c:116:2: [4] (format) vfprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. vfprintf(stderr, msg, va); data/flash-1.2.11/util.c:137:2: [4] (format) vfprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. vfprintf(stderr, msg, va); data/flash-1.2.11/util.c:163:2: [4] (format) vfprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. vfprintf(stderr, msg, va); data/flash-1.2.11/util.c:180:2: [4] (format) vfprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. vfprintf(infofile, msg, va); data/flash-1.2.11/util.c:214:9: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). return strcpy(xmalloc(strlen(str) + 1), str); data/flash-1.2.11/util.h:31:62: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. fatal_error(const char *msg, ...) __noreturn __cold __format(printf, 1, 2); data/flash-1.2.11/util.h:34:73: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. fatal_error_with_errno(const char *msg, ...) __noreturn __cold __format(printf, 1, 2); data/flash-1.2.11/util.h:39:47: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. warning(const char *msg, ...) __cold __format(printf, 1, 2); data/flash-1.2.11/util.h:44:37: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. info(const char *msg, ...) __format(printf, 1, 2); data/flash-1.2.11/flash.c:875:14: [3] (buffer) getopt_long: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs. while ((c = getopt_long(argc, argv, optstring, longopts, NULL)) != -1) { data/flash-1.2.11/flash.c:1144:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char name_buf[strlen(output_dir) + 1 + strlen(prefix) + data/flash-1.2.11/flash.c:1224:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[256]; data/flash-1.2.11/iostream.c:94:13: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). FILE *fp = fopen(path, mode); data/flash-1.2.11/iostream.c:127:8: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). fd = open(path, flags | O_BINARY, mode); data/flash-1.2.11/iostream.c:351:11: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). void * (*open)(const char *path); data/flash-1.2.11/iostream.c:388:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char magic[2] = {0, 0}; data/flash-1.2.11/iostream.c:415:22: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). in->fp = (*in->ops->open)(path); data/flash-1.2.11/iostream.c:511:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(*lineptr + offset, in->buf_cur_begin, copysize); data/flash-1.2.11/iostream.c:568:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char command[len + 1]; data/flash-1.2.11/iostream.c:595:10: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). void *(*open)(const char *path, data/flash-1.2.11/iostream.c:685:24: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). out->fp = (*out->ops->open)(path, filter_prog, filter_prog_args); data/flash-1.2.11/iostream.c:727:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(out->buf_cur_end, ptr, tocopy); data/flash-1.2.11/read_util.c:44:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static const char canonical_ascii_tab[256] = { data/flash-1.2.11/read_util.c:201:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(to->tag, from->tag, from->tag_len + 1); data/flash-1.2.11/util.c:288:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char dir_copy[len + 1]; data/flash-1.2.11/combine_reads.c:248:25: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). pair_align(const struct read *read_1, const struct read *read_2, data/flash-1.2.11/combine_reads.c:248:52: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). pair_align(const struct read *read_1, const struct read *read_2, data/flash-1.2.11/combine_reads.c:303:16: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). const struct read *tmp = read_1; data/flash-1.2.11/combine_reads.c:320:37: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). generate_combined_read(const struct read *read_1, data/flash-1.2.11/combine_reads.c:321:23: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). const struct read *read_2, data/flash-1.2.11/combine_reads.c:322:17: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *combined_read, data/flash-1.2.11/combine_reads.c:454:28: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). combine_reads(const struct read *read_1, const struct read *read_2, data/flash-1.2.11/combine_reads.c:454:55: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). combine_reads(const struct read *read_1, const struct read *read_2, data/flash-1.2.11/combine_reads.c:455:15: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *combined_read, data/flash-1.2.11/combine_reads.c:499:16: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). const struct read *tmp; data/flash-1.2.11/combine_reads.h:6:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read; data/flash-1.2.11/combine_reads.h:52:28: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). combine_reads(const struct read *read_1, const struct read *read_2, data/flash-1.2.11/combine_reads.h:52:55: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). combine_reads(const struct read *read_1, const struct read *read_2, data/flash-1.2.11/combine_reads.h:53:15: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *combined_read, data/flash-1.2.11/flash.c:687:11: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *r1 = s1->reads[i]; data/flash-1.2.11/flash.c:688:11: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *r2 = s2->reads[i]; data/flash-1.2.11/flash.c:689:11: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *r_combined; data/flash-1.2.11/flash.c:1001:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). out_suffix = xmalloc(strlen(optarg) + 2); data/flash-1.2.11/flash.c:1010:33: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). compress_prog_args = xmalloc(strlen(optarg) + 6); data/flash-1.2.11/flash.c:1018:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). out_suffix = xmalloc(strlen(optarg) + 2); data/flash-1.2.11/flash.c:1144:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). char name_buf[strlen(output_dir) + 1 + strlen(prefix) + data/flash-1.2.11/flash.c:1144:41: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). char name_buf[strlen(output_dir) + 1 + strlen(prefix) + data/flash-1.2.11/flash.c:1145:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). 100 + strlen(out_suffix) + 1]; data/flash-1.2.11/iostream.c:245:17: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). ssize_t ret = read(fd, buf, trycount); data/flash-1.2.11/iostream.c:355:11: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). size_t (*read)(void *fp, void *buf, size_t count, const char *name); data/flash-1.2.11/iostream.c:479:24: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). navail = (*in->ops->read)(in->fp, data/flash-1.2.11/iostream.c:539:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). xfree(in->name, strlen(in->name)); data/flash-1.2.11/iostream.c:566:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t len = strlen(filter_prog) + 32 + data/flash-1.2.11/iostream.c:567:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(path) + strlen(filter_prog_args); data/flash-1.2.11/iostream.c:567:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). strlen(path) + strlen(filter_prog_args); data/flash-1.2.11/iostream.c:738:30: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). output_stream_write(out, s, strlen(s)); data/flash-1.2.11/iostream.c:758:20: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). xfree(out->name, strlen(out->name)); data/flash-1.2.11/read.h:7:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read { data/flash-1.2.11/read.h:36:27: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). reverse_complement(struct read *r); data/flash-1.2.11/read.h:39:19: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). clean_read(struct read *r, int phred_offset, struct input_stream *in, data/flash-1.2.11/read.h:43:29: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). clean_read_for_write(struct read *r, int phred_offset); data/flash-1.2.11/read.h:46:17: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). copy_tag(struct read *to, const struct read *from); data/flash-1.2.11/read.h:46:40: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). copy_tag(struct read *to, const struct read *from); data/flash-1.2.11/read.h:49:31: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). get_combined_tag(const struct read *read_1, data/flash-1.2.11/read.h:50:17: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). const struct read *read_2, data/flash-1.2.11/read.h:51:11: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *combined_read); data/flash-1.2.11/read_io.c:39:49: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). load_fastq_read(struct input_stream *in, struct read *r, data/flash-1.2.11/read_io.c:98:57: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). load_tab_delimited_read(struct input_stream *in, struct read *r, data/flash-1.2.11/read_io.c:157:11: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *r1, struct read *r2, uint64_t *line_no_p) data/flash-1.2.11/read_io.c:157:28: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *r1, struct read *r2, uint64_t *line_no_p) data/flash-1.2.11/read_io.c:256:11: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *r, uint64_t *line_no_p) data/flash-1.2.11/read_io.c:289:16: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *r1, struct read *r2, data/flash-1.2.11/read_io.c:289:33: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *r1, struct read *r2, data/flash-1.2.11/read_io.c:321:58: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). write_fastq_read(struct output_stream *out, const struct read *r) data/flash-1.2.11/read_io.c:338:66: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). write_tab_delimited_read(struct output_stream *out, const struct read *r) data/flash-1.2.11/read_io.c:357:18: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). const struct read *r1, const struct read *r2) data/flash-1.2.11/read_io.c:357:41: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). const struct read *r1, const struct read *r2) data/flash-1.2.11/read_io.c:388:12: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *r) data/flash-1.2.11/read_io.c:411:10: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *r1, struct read *r2) data/flash-1.2.11/read_io.c:411:27: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *r1, struct read *r2) data/flash-1.2.11/read_io.h:9:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read; data/flash-1.2.11/read_io.h:30:12: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *read); data/flash-1.2.11/read_io.h:30:18: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *read); data/flash-1.2.11/read_io.h:35:10: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *read_1, struct read *read_2); data/flash-1.2.11/read_io.h:35:31: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *read_1, struct read *read_2); data/flash-1.2.11/read_io.h:40:11: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *read, uint64_t *line_no_p); data/flash-1.2.11/read_io.h:40:17: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *read, uint64_t *line_no_p); data/flash-1.2.11/read_io.h:45:16: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *read_1, struct read *read_2, data/flash-1.2.11/read_io.h:45:37: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *read_1, struct read *read_2, data/flash-1.2.11/read_queue.c:40:15: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). static struct read * data/flash-1.2.11/read_queue.c:43:31: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). return xzalloc(sizeof(struct read)); data/flash-1.2.11/read_queue.c:47:18: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). free_read(struct read *r) data/flash-1.2.11/read_queue.c:319:11: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *r = s_read1->reads[s_read1->filled]; data/flash-1.2.11/read_queue.c:517:9: [1] (buffer) mismatch: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. goto mismatch; data/flash-1.2.11/read_queue.c:524:8: [1] (buffer) mismatch: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. goto mismatch; data/flash-1.2.11/read_queue.c:527:1: [1] (buffer) mismatch: Function does not check the second iterator for over-read conditions (CWE-126). This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. mismatch: data/flash-1.2.11/read_queue.h:6:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read; data/flash-1.2.11/read_queue.h:40:9: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *reads[]; data/flash-1.2.11/read_util.c:115:27: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). reverse_complement(struct read *r) data/flash-1.2.11/read_util.c:132:19: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). clean_read(struct read *r, int phred_offset, struct input_stream *in, data/flash-1.2.11/read_util.c:180:29: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). clean_read_for_write(struct read *r, int phred_offset) data/flash-1.2.11/read_util.c:194:17: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). copy_tag(struct read *to, const struct read *from) data/flash-1.2.11/read_util.c:194:40: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). copy_tag(struct read *to, const struct read *from) data/flash-1.2.11/read_util.c:213:31: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). get_combined_tag(const struct read *read_1, data/flash-1.2.11/read_util.c:214:17: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). const struct read *read_2, data/flash-1.2.11/read_util.c:215:11: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). struct read *combined_read) data/flash-1.2.11/util.c:214:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). return strcpy(xmalloc(strlen(str) + 1), str); data/flash-1.2.11/util.c:287:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). size_t len = strlen(dir); ANALYSIS SUMMARY: Hits = 122 Lines analyzed = 4890 in approximately 0.22 seconds (21986 lines/second) Physical Source Lines of Code (SLOC) = 3549 Hits@level = [0] 9 [1] 83 [2] 15 [3] 1 [4] 23 [5] 0 Hits@level+ = [0+] 131 [1+] 122 [2+] 39 [3+] 24 [4+] 23 [5+] 0 Hits/KSLOC@level+ = [0+] 36.9118 [1+] 34.3759 [2+] 10.989 [3+] 6.76247 [4+] 6.4807 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.