Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/kraken-1.1.1/src/classify.cpp
Examining data/kraken-1.1.1/src/db_shrink.cpp
Examining data/kraken-1.1.1/src/db_sort.cpp
Examining data/kraken-1.1.1/src/kmer_estimator.cpp
Examining data/kraken-1.1.1/src/kraken_headers.hpp
Examining data/kraken-1.1.1/src/krakendb.cpp
Examining data/kraken-1.1.1/src/krakendb.hpp
Examining data/kraken-1.1.1/src/krakenutil.cpp
Examining data/kraken-1.1.1/src/krakenutil.hpp
Examining data/kraken-1.1.1/src/make_seqid_to_taxid_map.cpp
Examining data/kraken-1.1.1/src/quickfile.cpp
Examining data/kraken-1.1.1/src/quickfile.hpp
Examining data/kraken-1.1.1/src/seqreader.cpp
Examining data/kraken-1.1.1/src/seqreader.hpp
Examining data/kraken-1.1.1/src/set_lcas.cpp
FINAL RESULTS:
data/kraken-1.1.1/src/classify.cpp:485:17: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
while ((opt = getopt(argc, argv, "d:i:t:u:n:m:o:qfFPcC:O:U:M")) != -1) {
data/kraken-1.1.1/src/db_shrink.cpp:128:17: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
while ((opt = getopt(argc, argv, "d:o:n:O:")) != -1) {
data/kraken-1.1.1/src/db_sort.cpp:131:17: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
while ((opt = getopt(argc, argv, "n:d:o:i:t:zM")) != -1) {
data/kraken-1.1.1/src/kmer_estimator.cpp:98:17: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
while ((opt = getopt(argc, argv, "t:k:m:")) != -1) {
data/kraken-1.1.1/src/set_lcas.cpp:203:17: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
while ((opt = getopt(argc, argv, "f:d:i:t:n:m:F:xM")) != -1) {
data/kraken-1.1.1/src/db_shrink.cpp:53:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&key_bits, buffer, 8);
data/kraken-1.1.1/src/db_shrink.cpp:61:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&val_len, buffer + 16, 8);
data/kraken-1.1.1/src/db_shrink.cpp:62:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&key_count, buffer + 48, 8);
data/kraken-1.1.1/src/db_shrink.cpp:73:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buffer + 48, &Output_count, 8);
data/kraken-1.1.1/src/db_sort.cpp:58:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(header, input_db_file.ptr(), skip_len);
data/kraken-1.1.1/src/db_sort.cpp:84:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char pair[pair_size];
data/kraken-1.1.1/src/db_sort.cpp:94:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&kmer, pair, key_len);
data/kraken-1.1.1/src/db_sort.cpp:98:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(pair_pos, pair, pair_size);
data/kraken-1.1.1/src/db_sort.cpp:115:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&aval, a, Key_len);
data/kraken-1.1.1/src/db_sort.cpp:116:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&bval, b, Key_len);
data/kraken-1.1.1/src/krakendb.cpp:62:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&key_bits, ptr + 8, 8);
data/kraken-1.1.1/src/krakendb.cpp:63:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&val_len, ptr + 16, 8);
data/kraken-1.1.1/src/krakendb.cpp:64:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&key_ct, ptr + 48, 8);
data/kraken-1.1.1/src/krakendb.cpp:80:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&kmer, ptr + i * pair_size(), key_len);
data/kraken-1.1.1/src/krakendb.cpp:94:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(idx_ptr, KRAKEN_INDEX2_STRING, strlen(KRAKEN_INDEX2_STRING));
data/kraken-1.1.1/src/krakendb.cpp:96:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(idx_ptr++, &nt, 1);
data/kraken-1.1.1/src/krakendb.cpp:97:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(idx_ptr, bin_offsets, sizeof(*bin_offsets) * (entries + 1));
data/kraken-1.1.1/src/krakendb.cpp:233:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&comp_kmer, ptr + pair_sz * mid, key_len);
data/kraken-1.1.1/src/krakendb.cpp:245:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&comp_kmer, ptr + pair_sz * mid, key_len);
data/kraken-1.1.1/src/krakendb.cpp:293:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&nt, ptr, 1);
data/kraken-1.1.1/src/quickfile.cpp:45:8: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fd = open(filename, o_flags, 0666);
data/kraken-1.1.1/src/quickfile.cpp:49:10: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fd = open(filename, o_flags, 0666);
data/kraken-1.1.1/src/quickfile.cpp:85:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[thread_ct][page_size];
data/kraken-1.1.1/src/quickfile.cpp:98:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buf[thread], fptr + pos, this_page_size);
data/kraken-1.1.1/src/seqreader.cpp:27:10: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file.open(filename.c_str());
data/kraken-1.1.1/src/seqreader.cpp:88:10: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file.open(filename.c_str());
data/kraken-1.1.1/src/db_shrink.cpp:48:14: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
input_file.read(buffer, 8);
data/kraken-1.1.1/src/db_shrink.cpp:52:14: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
input_file.read(buffer, 8);
data/kraken-1.1.1/src/db_shrink.cpp:60:14: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
input_file.read(buffer, header_size);
data/kraken-1.1.1/src/db_shrink.cpp:105:16: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
input_file.read(buffer, pairs_to_read * pair_size);
data/kraken-1.1.1/src/db_sort.cpp:92:16: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
input_file.read(pair, pair_size);
data/kraken-1.1.1/src/krakendb.cpp:60:40: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strncmp(ptr, DATABASE_FILE_TYPE, strlen(DATABASE_FILE_TYPE)))
data/kraken-1.1.1/src/krakendb.cpp:92:5: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
strlen(KRAKEN_INDEX2_STRING) + 1 + sizeof(*bin_offsets) * (entries + 1));
data/kraken-1.1.1/src/krakendb.cpp:94:41: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
memcpy(idx_ptr, KRAKEN_INDEX2_STRING, strlen(KRAKEN_INDEX2_STRING));
data/kraken-1.1.1/src/krakendb.cpp:95:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
idx_ptr += strlen(KRAKEN_INDEX2_STRING);
data/kraken-1.1.1/src/krakendb.cpp:287:41: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strncmp(ptr, KRAKEN_INDEX_STRING, strlen(KRAKEN_INDEX_STRING))) {
data/kraken-1.1.1/src/krakendb.cpp:289:44: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strncmp(ptr, KRAKEN_INDEX2_STRING, strlen(KRAKEN_INDEX2_STRING)))
data/kraken-1.1.1/src/krakendb.cpp:292:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ptr += strlen(KRAKEN_INDEX_STRING);
data/kraken-1.1.1/src/krakendb.cpp:308:31: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
return (uint64_t *) (fptr + strlen(KRAKEN_INDEX_STRING) + 1);
data/kraken-1.1.1/src/make_seqid_to_taxid_map.cpp:104:44: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strncmp(fptr, USER_SPECIFIED_FLAG, strlen(USER_SPECIFIED_FLAG)) == 0) {
data/kraken-1.1.1/src/set_lcas.cpp:67:9: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
ifs.read(temp_ptr, db_file_size);
ANALYSIS SUMMARY:
Hits = 46
Lines analyzed = 2589 in approximately 0.52 seconds (4960 lines/second)
Physical Source Lines of Code (SLOC) = 1924
Hits@level = [0] 4 [1] 15 [2] 26 [3] 5 [4] 0 [5] 0
Hits@level+ = [0+] 50 [1+] 46 [2+] 31 [3+] 5 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 25.9875 [1+] 23.9085 [2+] 16.1123 [3+] 2.59875 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.