Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/proftmb-1.1.12/src/Eval.h
Examining data/proftmb-1.1.12/src/HMMEval.h
Examining data/proftmb-1.1.12/src/HMMOutput.h
Examining data/proftmb-1.1.12/src/HTools.h
Examining data/proftmb-1.1.12/src/Load.h
Examining data/proftmb-1.1.12/src/Output.h
Examining data/proftmb-1.1.12/src/Par.h
Examining data/proftmb-1.1.12/src/Regularization.h
Examining data/proftmb-1.1.12/src/Seq.h
Examining data/proftmb-1.1.12/src/Serialize.h
Examining data/proftmb-1.1.12/src/Sov.h
Examining data/proftmb-1.1.12/src/Tools.h
Examining data/proftmb-1.1.12/src/TrainSeq.h
Examining data/proftmb-1.1.12/src/Zscore.h
Examining data/proftmb-1.1.12/src/constants.h
Examining data/proftmb-1.1.12/src/structs.h
Examining data/proftmb-1.1.12/src/Backward.cpp
Examining data/proftmb-1.1.12/src/BaumWelch.cpp
Examining data/proftmb-1.1.12/src/Eval.cpp
Examining data/proftmb-1.1.12/src/ExpectA.cpp
Examining data/proftmb-1.1.12/src/ExpectC.cpp
Examining data/proftmb-1.1.12/src/Forward.cpp
Examining data/proftmb-1.1.12/src/GradientDescent.cpp
Examining data/proftmb-1.1.12/src/HMMEval.cpp
Examining data/proftmb-1.1.12/src/HMMOutput.cpp
Examining data/proftmb-1.1.12/src/HTools.cpp
Examining data/proftmb-1.1.12/src/Krogh1Best.cpp
Examining data/proftmb-1.1.12/src/Load.cpp
Examining data/proftmb-1.1.12/src/Output.cpp
Examining data/proftmb-1.1.12/src/Par.cpp
Examining data/proftmb-1.1.12/src/Params.cpp
Examining data/proftmb-1.1.12/src/Posterior.cpp
Examining data/proftmb-1.1.12/src/Regularization.cpp
Examining data/proftmb-1.1.12/src/Seq.cpp
Examining data/proftmb-1.1.12/src/Sov.cpp
Examining data/proftmb-1.1.12/src/structs.cpp
Examining data/proftmb-1.1.12/src/Tally.cpp
Examining data/proftmb-1.1.12/src/Tools.cpp
Examining data/proftmb-1.1.12/src/TrainSeq.cpp
Examining data/proftmb-1.1.12/src/Viterbi.cpp
Examining data/proftmb-1.1.12/src/Zscore.cpp
Examining data/proftmb-1.1.12/src/proftmb.cpp

FINAL RESULTS:

data/proftmb-1.1.12/src/Tools.cpp:230:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(full,root);

data/proftmb-1.1.12/src/Tools.cpp:233:2:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120).
  Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(full,rel);

data/proftmb-1.1.12/src/Par.cpp:241:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char line[100];

data/proftmb-1.1.12/src/Par.cpp:279:8:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  cfile.open(cf);

data/proftmb-1.1.12/src/Par.cpp:752:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char line[100];

data/proftmb-1.1.12/src/Par.cpp:775:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char line[200];

data/proftmb-1.1.12/src/Seq.cpp:118:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190).
  If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  dig = atoi(digit.c_str());

data/proftmb-1.1.12/src/Seq.cpp:181:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char line[1000],A[20],QueryAmino; //we expect to take in 20 amino

data/proftmb-1.1.12/src/Seq.cpp:253:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char num[256],amino;

data/proftmb-1.1.12/src/Seq.cpp:402:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char num[256],amino;

data/proftmb-1.1.12/src/Serialize.h:54:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char c1[1000], c2[1000];

data/proftmb-1.1.12/src/Serialize.h:55:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[1000];

data/proftmb-1.1.12/src/Serialize.h:85:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[1000];

data/proftmb-1.1.12/src/Serialize.h:154:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char c1[1000], c2[1000];

data/proftmb-1.1.12/src/Serialize.h:156:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[1000];

data/proftmb-1.1.12/src/Serialize.h:191:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[1000];

data/proftmb-1.1.12/src/Serialize.h:220:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char c1[1000], c2[1000];

data/proftmb-1.1.12/src/Serialize.h:222:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[1000];

data/proftmb-1.1.12/src/Serialize.h:275:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char line[1000];

data/proftmb-1.1.12/src/Sov.cpp:21:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char s1, s2, sse[3];

data/proftmb-1.1.12/src/Sov.h:12:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char fname[80];

data/proftmb-1.1.12/src/proftmb.cpp:97:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char fReduxDecode[256],fReduxReport[256],

data/proftmb-1.1.12/src/proftmb.cpp:130:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char line[256];

data/proftmb-1.1.12/src/proftmb.cpp:134:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fQList.open(TestQList);

data/proftmb-1.1.12/src/proftmb.cpp:176:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char Datfile[1000] = "/dev/null"; Datfile[9] = 0; Datfile[999] = 0;

data/proftmb-1.1.12/src/proftmb.cpp:197:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char Path[300]; Path[299] = 0; //for constructing the path

data/proftmb-1.1.12/src/proftmb.cpp:339:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char **myargv,*mybuf[2];

data/proftmb-1.1.12/src/structs.h:18:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char cln[2];

data/proftmb-1.1.12/src/Tools.cpp:231:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (root[strlen(root)-1] != '/') strcat(full,"/");

data/proftmb-1.1.12/src/Tools.cpp:231:36:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120).
  Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  Risk is low because the source is a constant character.
  if (root[strlen(root)-1] != '/') strcat(full,"/");

data/proftmb-1.1.12/src/proftmb.cpp:178:17:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  if( *OutDat ) strncpy( Datfile, OutDat, 999 );

data/proftmb-1.1.12/src/proftmb.cpp:181:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(Datfile,FileName.str().c_str(), 999);

data/proftmb-1.1.12/src/proftmb.cpp:223:4:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(Path,sspath.str().c_str(), 299 );

ANALYSIS SUMMARY:

Hits = 33
Lines analyzed = 7147 in approximately 0.22 seconds (32757 lines/second)
Physical Source Lines of Code (SLOC) = 5038
Hits@level = [0]  11 [1]   5 [2]  26 [3]   0 [4]   2 [5]   0
Hits@level+ = [0+]  44 [1+]  33 [2+]  28 [3+]   2 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 8.73362 [1+] 6.55022 [2+] 5.55776 [3+] 0.396983 [4+] 0.396983 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.