Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/parsnp-1.5.3+dfsg/src/Converter.cpp
Examining data/parsnp-1.5.3+dfsg/src/Converter.h
Examining data/parsnp-1.5.3+dfsg/src/LCB.cpp
Examining data/parsnp-1.5.3+dfsg/src/LCR.cpp
Examining data/parsnp-1.5.3+dfsg/src/MuscleInterface.cpp
Examining data/parsnp-1.5.3+dfsg/src/MuscleInterface.h
Examining data/parsnp-1.5.3+dfsg/src/Stack.h
Examining data/parsnp-1.5.3+dfsg/src/TMum.cpp
Examining data/parsnp-1.5.3+dfsg/src/csgmum/csg.c
Examining data/parsnp-1.5.3+dfsg/src/csgmum/csg.h
Examining data/parsnp-1.5.3+dfsg/src/csgmum/fastaread.c
Examining data/parsnp-1.5.3+dfsg/src/csgmum/fastaread.h
Examining data/parsnp-1.5.3+dfsg/src/csgmum/mum.c
Examining data/parsnp-1.5.3+dfsg/src/csgmum/mum.h
Examining data/parsnp-1.5.3+dfsg/src/csgmum/types.h
Examining data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp
Examining data/parsnp-1.5.3+dfsg/src/ext/iniFile.h
Examining data/parsnp-1.5.3+dfsg/src/parsnp.cpp
FINAL RESULTS:
data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp:249:3: [4] (format) vsprintf:
Potential format string problem (CWE-134). Make format string constant.
vsprintf( value, format, args);
data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp:312:11: [4] (buffer) sscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function. If the scanf format is influenceable by an
attacker, it's exploitable.
nVals = sscanf( value.c_str(), format,
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:530:22: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
int result = system(command.c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:541:22: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
int result = system(command.c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:629:42: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
int result = system(command.c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:1500:9: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(rs[0].sequence,(char *)this->genomes.at(0).substr(r1.start.at(0) + partpos,p).append(1,(char)5).c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:1501:9: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(rs[0].rc, (char *)reversec(this->genomes.at(0).substr(r1.start.at(0) + partpos,p)).append(1,(char)5).c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:1513:17: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(rs[a].sequence,(char *)this->genomes.at(a).substr(r1.start.at(a),r1.length.at(a)).append(1,(char)5).c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:1515:17: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(rs[a].rc,(char *)reversec(this->genomes.at(a).substr(r1.start.at(a),r1.length.at(a))).append(1,(char)5).c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:1885:9: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(rs[0].sequence,(char *)this->genomes.at(0).substr(r1.start.at(0) + partpos,p).append(1,(char)5).c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:1886:9: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(rs[0].rc, (char *)reversec(this->genomes.at(0).substr(r1.start.at(0) + partpos,p)).append(1,(char)5).c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:1897:17: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(rs[a].sequence,(char *)this->genomes.at(a).substr(r1.start.at(a),r1.length.at(a)).append(1,(char)5).c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:1898:17: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(rs[a].rc,(char *)reversec(this->genomes.at(a).substr(r1.start.at(a),r1.length.at(a))).append(1,(char)5).c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:1062:66: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
log << setw(2) << "Random MUM length: "<< setw(2) << this->random << endl;
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:2537:32: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
if (nt->length < this->random)
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:2685:5: [3] (random) srand:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
srand((unsigned int) seconds);
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:2719:9: [3] (random) srand:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
srand((unsigned int) seconds);
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:3120:63: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
Aligner align( genomes, files, c, d, q, p, anchors, mums, random, clustalparams, fasta,factor,harsh,gcCount,atCount,shustring,doAlign,gridRun,cores,extendmums, header_to_index,pos_to_header,headers,calc_mumi,diag_diff,prefix,outdir,recomb_filter,doUnalign);
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:3180:10: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
if ( random && ! mumfile.size() )
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:3184:24: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
align.random = random;
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:3185:29: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
align.filterRandom1(random);
data/parsnp-1.5.3+dfsg/src/csgmum/fastaread.c:85:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char buf[BUFSIZ];
data/parsnp-1.5.3+dfsg/src/csgmum/fastaread.c:142:14: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ((fpin = open(name, O_RDONLY)) == -1) {
data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp:44:5: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f.open( path.c_str(), ios::in);
data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp:106:5: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f.open( path.c_str(), ios::out);
data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp:228:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char svalue[MAX_VALUEDATA]={'\0'};
data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp:230:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf( svalue, "%d", value);
data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp:237:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char svalue[MAX_VALUEDATA]={'\0'};
data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp:239:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf( svalue, "%f", value);
data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp:246:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char value[MAX_VALUEDATA];
data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp:276:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char svalue[MAX_VALUEDATA]={'\0'};
data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp:278:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf( svalue, "%d", defValue);
data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp:279:10: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
return atoi( GetValue( keyname, valuename, svalue).c_str());
data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp:284:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char svalue[MAX_VALUEDATA]={'\0'};
data/parsnp-1.5.3+dfsg/src/ext/iniFile.cpp:286:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf( svalue, "%f", defValue);
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:568:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char b[9];
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:618:21: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char bb[9];
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:619:21: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(bb,"%d",z+1);// C-style string formed without null
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:925:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(b,"%d",(int)z+1);// C-style string formed without null
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:931:26: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
clcbfile.open( lcbfile.c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:1927:20: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
mumifile = fopen(mmf.c_str(),"w");
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:2147:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char header[80];
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:2197:21: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
start = atol(mstart.c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:2210:21: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
mumlength = atol(mlength.c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:2430:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char header[80];
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:2479:21: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
start = atol(mstart.c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:2488:21: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
mumlength = atol(mlength.c_str());
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:2765:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[320], header[2520];
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:2905:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf( buffer, "file%d",i);
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:2907:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf( buffer, "reverse%d",i);
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:3050:21: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char tmpbuf[2520];
data/parsnp-1.5.3+dfsg/src/csgmum/fastaread.c:20:12: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
reads = read(fpin, buf, sizeof(buf)); \
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:2165:8: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
is.read (buffer,length);
data/parsnp-1.5.3+dfsg/src/parsnp.cpp:2446:8: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
is.read (buffer,length);
ANALYSIS SUMMARY:
Hits = 54
Lines analyzed = 5964 in approximately 0.15 seconds (39166 lines/second)
Physical Source Lines of Code (SLOC) = 4628
Hits@level = [0] 22 [1] 3 [2] 30 [3] 8 [4] 13 [5] 0
Hits@level+ = [0+] 76 [1+] 54 [2+] 51 [3+] 21 [4+] 13 [5+] 0
Hits/KSLOC@level+ = [0+] 16.4218 [1+] 11.6681 [2+] 11.0199 [3+] 4.5376 [4+] 2.80899 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.