Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/spoa-3.4.0+ds/test/spoa_test.cpp
Examining data/spoa-3.4.0+ds/include/spoa/spoa.hpp
Examining data/spoa-3.4.0+ds/include/spoa/graph.hpp
Examining data/spoa-3.4.0+ds/include/spoa/architectures.hpp
Examining data/spoa-3.4.0+ds/include/spoa/alignment_engine.hpp
Examining data/spoa-3.4.0+ds/vendor/cpu_features/test/hwcaps_for_testing.cc
Examining data/spoa-3.4.0+ds/vendor/cpu_features/test/filesystem_for_testing.cc
Examining data/spoa-3.4.0+ds/vendor/cpu_features/test/cpuinfo_x86_test.cc
Examining data/spoa-3.4.0+ds/vendor/cpu_features/test/bit_utils_test.cc
Examining data/spoa-3.4.0+ds/vendor/cpu_features/test/hwcaps_for_testing.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/test/unix_features_aggregator_test.cc
Examining data/spoa-3.4.0+ds/vendor/cpu_features/test/stack_line_reader_test.cc
Examining data/spoa-3.4.0+ds/vendor/cpu_features/test/cpuinfo_mips_test.cc
Examining data/spoa-3.4.0+ds/vendor/cpu_features/test/filesystem_for_testing.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/test/cpuinfo_ppc_test.cc
Examining data/spoa-3.4.0+ds/vendor/cpu_features/test/cpuinfo_arm_test.cc
Examining data/spoa-3.4.0+ds/vendor/cpu_features/test/string_view_test.cc
Examining data/spoa-3.4.0+ds/vendor/cpu_features/test/cpuinfo_aarch64_test.cc
Examining data/spoa-3.4.0+ds/vendor/cpu_features/include/cpuinfo_mips.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/include/cpuinfo_x86.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/include/cpuinfo_aarch64.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/include/cpuinfo_arm.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/include/cpu_features_cache_info.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/include/internal/filesystem.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/include/internal/bit_utils.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/include/internal/unix_features_aggregator.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/include/internal/hwcaps.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/include/internal/stack_line_reader.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/include/internal/cpuid_x86.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/include/internal/string_view.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/include/cpuinfo_ppc.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/include/cpu_features_macros.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/ndk_compat/cpu-features.c
Examining data/spoa-3.4.0+ds/vendor/cpu_features/ndk_compat/cpu-features.h
Examining data/spoa-3.4.0+ds/vendor/cpu_features/ndk_compat/ndk-compat-test.c
Examining data/spoa-3.4.0+ds/vendor/cpu_features/src/unix_features_aggregator.c
Examining data/spoa-3.4.0+ds/vendor/cpu_features/src/utils/list_cpu_features.c
Examining data/spoa-3.4.0+ds/vendor/cpu_features/src/cpuinfo_arm.c
Examining data/spoa-3.4.0+ds/vendor/cpu_features/src/filesystem.c
Examining data/spoa-3.4.0+ds/vendor/cpu_features/src/cpuinfo_ppc.c
Examining data/spoa-3.4.0+ds/vendor/cpu_features/src/cpuinfo_x86.c
Examining data/spoa-3.4.0+ds/vendor/cpu_features/src/hwcaps.c
Examining data/spoa-3.4.0+ds/vendor/cpu_features/src/cpuinfo_aarch64.c
Examining data/spoa-3.4.0+ds/vendor/cpu_features/src/stack_line_reader.c
Examining data/spoa-3.4.0+ds/vendor/cpu_features/src/string_view.c
Examining data/spoa-3.4.0+ds/vendor/cpu_features/src/cpuinfo_mips.c
Examining data/spoa-3.4.0+ds/src/simd_alignment_engine.hpp
Examining data/spoa-3.4.0+ds/src/sequence.cpp
Examining data/spoa-3.4.0+ds/src/sisd_alignment_engine.cpp
Examining data/spoa-3.4.0+ds/src/simd_alignment_engine_dispatch.cpp
Examining data/spoa-3.4.0+ds/src/main.cpp
Examining data/spoa-3.4.0+ds/src/simd_alignment_engine_impl.hpp
Examining data/spoa-3.4.0+ds/src/sequence.hpp
Examining data/spoa-3.4.0+ds/src/graph.cpp
Examining data/spoa-3.4.0+ds/src/dispatcher.cpp
Examining data/spoa-3.4.0+ds/src/sisd_alignment_engine.hpp
Examining data/spoa-3.4.0+ds/src/alignment_engine.cpp
FINAL RESULTS:
data/spoa-3.4.0+ds/vendor/cpu_features/src/hwcaps.c:29:5: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
printf(__VA_ARGS__); \
data/spoa-3.4.0+ds/vendor/cpu_features/src/utils/list_cpu_features.c:142:23: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
const int written = vsnprintf(ptr, gBumpAllocator.size, format, arglist);
data/spoa-3.4.0+ds/src/main.cpp:45:19: [3] (buffer) getopt_long:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
while ((opt = getopt_long(argc, argv, "m:n:g:e:q:c:l:r:d:GCh", options, nullptr)) != -1) {
data/spoa-3.4.0+ds/src/main.cpp:47:27: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
case 'm': m = atoi(optarg); break;
data/spoa-3.4.0+ds/src/main.cpp:48:27: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
case 'n': n = atoi(optarg); break;
data/spoa-3.4.0+ds/src/main.cpp:49:27: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
case 'g': g = atoi(optarg); break;
data/spoa-3.4.0+ds/src/main.cpp:50:27: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
case 'e': e = atoi(optarg); break;
data/spoa-3.4.0+ds/src/main.cpp:51:27: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
case 'q': q = atoi(optarg); break;
data/spoa-3.4.0+ds/src/main.cpp:52:27: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
case 'c': c = atoi(optarg); break;
data/spoa-3.4.0+ds/src/main.cpp:53:35: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
case 'l': algorithm = atoi(optarg); break;
data/spoa-3.4.0+ds/src/main.cpp:54:32: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
case 'r': result = atoi(optarg); break;
data/spoa-3.4.0+ds/vendor/cpu_features/include/cpuinfo_ppc.h:78:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char platform[64]; // 0 terminated string
data/spoa-3.4.0+ds/vendor/cpu_features/include/cpuinfo_ppc.h:79:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char model[64]; // 0 terminated string
data/spoa-3.4.0+ds/vendor/cpu_features/include/cpuinfo_ppc.h:80:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char machine[64]; // 0 terminated string
data/spoa-3.4.0+ds/vendor/cpu_features/include/cpuinfo_ppc.h:81:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char cpu[64]; // 0 terminated string
data/spoa-3.4.0+ds/vendor/cpu_features/include/cpuinfo_x86.h:92:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char vendor[13]; // 0 terminated string
data/spoa-3.4.0+ds/vendor/cpu_features/include/cpuinfo_x86.h:140:25: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
void FillX86BrandString(char brand_string[49]);
data/spoa-3.4.0+ds/vendor/cpu_features/include/internal/hwcaps.h:155:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char platform[64]; // 0 terminated string
data/spoa-3.4.0+ds/vendor/cpu_features/include/internal/hwcaps.h:156:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char base_platform[64]; // 0 terminated string
data/spoa-3.4.0+ds/vendor/cpu_features/include/internal/stack_line_reader.h:28:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[STACK_LINE_READER_BUFFER_SIZE];
data/spoa-3.4.0+ds/vendor/cpu_features/src/cpuinfo_x86.c:1359:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buffer, &leaf, sizeof(Leaf));
data/spoa-3.4.0+ds/vendor/cpu_features/src/cpuinfo_x86.c:1362:25: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
void FillX86BrandString(char brand_string[49]) {
data/spoa-3.4.0+ds/vendor/cpu_features/src/filesystem.c:46:14: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
result = open(filename, O_RDONLY);
data/spoa-3.4.0+ds/vendor/cpu_features/src/string_view.c:141:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(dst, src.ptr, copy_size);
data/spoa-3.4.0+ds/vendor/cpu_features/src/utils/list_cpu_features.c:53:1: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char gGlobalBuffer[64 * 1024];
data/spoa-3.4.0+ds/vendor/cpu_features/src/utils/list_cpu_features.c:365:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char brand_string[49];
data/spoa-3.4.0+ds/vendor/cpu_features/test/cpuinfo_x86_test.cc:147:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char brand_string[49];
data/spoa-3.4.0+ds/vendor/cpu_features/test/cpuinfo_x86_test.cc:271:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char brand_string[49];
data/spoa-3.4.0+ds/vendor/cpu_features/test/filesystem_for_testing.cc:45:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buf, content_.data() + head_index_, read);
data/spoa-3.4.0+ds/vendor/cpu_features/test/string_view_test.cc:95:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[4];
data/spoa-3.4.0+ds/vendor/cpu_features/include/internal/string_view.h:46:66: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
static inline StringView str(const char* str) { return view(str, strlen(str)); }
data/spoa-3.4.0+ds/vendor/cpu_features/src/filesystem.c:57:14: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
result = read(file_descriptor, buffer, buffer_size);
data/spoa-3.4.0+ds/vendor/cpu_features/src/stack_line_reader.c:33:10: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
assert(read >= 0);
data/spoa-3.4.0+ds/vendor/cpu_features/src/stack_line_reader.c:35:23: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
reader->view.size = read;
data/spoa-3.4.0+ds/vendor/cpu_features/src/stack_line_reader.c:36:10: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
return read;
data/spoa-3.4.0+ds/vendor/cpu_features/src/stack_line_reader.c:44:10: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
assert(read >= 0);
data/spoa-3.4.0+ds/vendor/cpu_features/src/stack_line_reader.c:45:10: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
assert(read <= (int)size_to_read);
data/spoa-3.4.0+ds/vendor/cpu_features/src/stack_line_reader.c:46:24: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
reader->view.size += read;
data/spoa-3.4.0+ds/vendor/cpu_features/src/stack_line_reader.c:47:10: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
return read;
data/spoa-3.4.0+ds/vendor/cpu_features/test/filesystem_for_testing.cc:45:46: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
memcpy(buf, content_.data() + head_index_, read);
data/spoa-3.4.0+ds/vendor/cpu_features/test/filesystem_for_testing.cc:46:18: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
head_index_ += read;
data/spoa-3.4.0+ds/vendor/cpu_features/test/filesystem_for_testing.cc:47:10: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
assert(read < INT_MAX);
data/spoa-3.4.0+ds/vendor/cpu_features/test/filesystem_for_testing.cc:48:15: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
return (int)read;
ANALYSIS SUMMARY:
Hits = 43
Lines analyzed = 12503 in approximately 0.31 seconds (40019 lines/second)
Physical Source Lines of Code (SLOC) = 9384
Hits@level = [0] 11 [1] 13 [2] 27 [3] 1 [4] 2 [5] 0
Hits@level+ = [0+] 54 [1+] 43 [2+] 30 [3+] 3 [4+] 2 [5+] 0
Hits/KSLOC@level+ = [0+] 5.75448 [1+] 4.58227 [2+] 3.19693 [3+] 0.319693 [4+] 0.213129 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.