Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/trinculo-0.96+dfsg/src/chisq_cdf.h
Examining data/trinculo-0.96+dfsg/src/EstCovMat.h
Examining data/trinculo-0.96+dfsg/src/GenORs.h
Examining data/trinculo-0.96+dfsg/src/MultinomNewton.h
Examining data/trinculo-0.96+dfsg/src/PropOddsNewton.h
Examining data/trinculo-0.96+dfsg/src/readBed.h
Examining data/trinculo-0.96+dfsg/src/readCovar.h
Examining data/trinculo-0.96+dfsg/src/readDosage.h
Examining data/trinculo-0.96+dfsg/src/readPhenos.h
Examining data/trinculo-0.96+dfsg/src/readPriors.h
Examining data/trinculo-0.96+dfsg/src/sims.cpp
Examining data/trinculo-0.96+dfsg/src/trinculo.cpp
Examining data/trinculo-0.96+dfsg/src/trinculo.h
Examining data/trinculo-0.96+dfsg/src/inputparser.h
FINAL RESULTS:
data/trinculo-0.96+dfsg/src/sims.cpp:19:2: [3] (random) srand:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
srand(t1.tv_usec * t1.tv_sec);
data/trinculo-0.96+dfsg/src/inputparser.h:236:17: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
precision=atoi(*argv);
data/trinculo-0.96+dfsg/src/inputparser.h:278:15: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
fititer=atoi(*argv);
data/trinculo-0.96+dfsg/src/inputparser.h:370:15: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
threads=atoi(*argv);
data/trinculo-0.96+dfsg/src/readBed.h:118:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fam.open((string(inprefix) + ".fam").c_str());
data/trinculo-0.96+dfsg/src/readBed.h:156:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
bim.open((string(inprefix) + ".bim").c_str());
data/trinculo-0.96+dfsg/src/readBed.h:194:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
bed.open((string(inprefix) + ".bed").c_str(), ios::in|ios::binary|ios::ate);
data/trinculo-0.96+dfsg/src/readBed.h:264:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fam.open((string(inprefix) + ".fam").c_str());
data/trinculo-0.96+dfsg/src/readBed.h:273:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
bim.open((string(inprefix) + ".bim").c_str());
data/trinculo-0.96+dfsg/src/readBed.h:287:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
bed.open((string(inprefix) + ".bed").c_str(), ios::out|ios::binary);
data/trinculo-0.96+dfsg/src/readCovar.h:52:11: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
covfile.open(infile.c_str());
data/trinculo-0.96+dfsg/src/readDosage.h:56:10: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
dosage.open(infile.c_str());
data/trinculo-0.96+dfsg/src/readPhenos.h:45:13: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
phenofile.open(infile.c_str());
data/trinculo-0.96+dfsg/src/readPriors.h:45:13: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
priorfile.open(infile.c_str());
data/trinculo-0.96+dfsg/src/sims.cpp:44:11: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
input.open(argv[1]);
data/trinculo-0.96+dfsg/src/sims.cpp:56:45: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
if (splitline[0] == "Npheno:") {Npheno = atoi(splitline[1].c_str()); continue;}
data/trinculo-0.96+dfsg/src/sims.cpp:57:52: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
if (splitline[0] == "Ncovar:") {Ncovar = atoi(splitline[1].c_str()); continue;}
data/trinculo-0.96+dfsg/src/sims.cpp:58:48: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
if (splitline[0] == "Nvar:") {Nvar = atoi(splitline[1].c_str()); continue;}
data/trinculo-0.96+dfsg/src/sims.cpp:70:9: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
input.open(covFile.c_str());
data/trinculo-0.96+dfsg/src/sims.cpp:100:18: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
Ncounts[j] = atoi(conflines[i][1 + j].c_str());
data/trinculo-0.96+dfsg/src/sims.cpp:343:15: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
covarFILE.open((string(argv[2]) + ".covar").c_str());
data/trinculo-0.96+dfsg/src/sims.cpp:344:15: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
phenoFILE.open((string(argv[2]) + ".pheno").c_str());
data/trinculo-0.96+dfsg/src/trinculo.cpp:54:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[80];
data/trinculo-0.96+dfsg/src/trinculo.cpp:206:11: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
outfile.open((opts->outprefix + ".assoc.ordinal").c_str());
data/trinculo-0.96+dfsg/src/trinculo.cpp:322:11: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
outfile.open((opts->outprefix + ".assoc.multinom").c_str());
data/trinculo-0.96+dfsg/src/trinculo.cpp:323:37: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (opts->modelSelect) selectfile.open((opts->outprefix + ".select.multinom").c_str());
data/trinculo-0.96+dfsg/src/trinculo.cpp:324:33: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (opts->outputErrs) errfile.open((opts->outprefix + ".err.multinom").c_str());
data/trinculo-0.96+dfsg/src/trinculo.cpp:325:31: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (opts->PhenoPs) pvalfile.open((opts->outprefix + ".phenops.multinom").c_str());
data/trinculo-0.96+dfsg/src/trinculo.cpp:327:16: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fullerrfile.open((opts->outprefix + ".fullmd.errs").c_str());
data/trinculo-0.96+dfsg/src/trinculo.cpp:328:16: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fullparfile.open((opts->outprefix + ".fullmd.pars").c_str());
data/trinculo-0.96+dfsg/src/trinculo.cpp:331:11: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
sefile.open((opts->outprefix + ".ses.multinom").c_str());
data/trinculo-0.96+dfsg/src/trinculo.cpp:572:11: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
logfile.open((opts.outprefix + ".log").c_str());
data/trinculo-0.96+dfsg/src/trinculo.cpp:600:10: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file.open(opts.conditionfile.c_str());
data/trinculo-0.96+dfsg/src/trinculo.cpp:656:13: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
outfile.open((opts.outprefix + ".prior").c_str());
data/trinculo-0.96+dfsg/src/readBed.h:200:11: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
bed.read (bedblock, size);
ANALYSIS SUMMARY:
Hits = 35
Lines analyzed = 3908 in approximately 0.14 seconds (28787 lines/second)
Physical Source Lines of Code (SLOC) = 2930
Hits@level = [0] 0 [1] 1 [2] 33 [3] 1 [4] 0 [5] 0
Hits@level+ = [0+] 35 [1+] 35 [2+] 34 [3+] 1 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 11.9454 [1+] 11.9454 [2+] 11.6041 [3+] 0.341297 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.