Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/unicycler-0.4.8+dfsg/unicycler/include/consensus_align.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/global_align.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/kmers.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/asg.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/eps.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/kdq.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/khash.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/kseq.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/ksort.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/kvec.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/miniasm.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/paf.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/sdict.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/sys.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/miniasm_assembly.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/bseq.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/kdq.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/khash.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/kseq.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/ksort.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/kvec.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/minimap.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap/sdust.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/minimap_align.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/nanoflann.hpp
Examining data/unicycler-0.4.8+dfsg/unicycler/include/overlap_align.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/path_align.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/random_alignments.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/ref_seqs.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/scoredalignment.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/scrub.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/semi_global_align.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/semi_global_align_exhaustive.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/settings.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/start_end_align.h
Examining data/unicycler-0.4.8+dfsg/unicycler/include/string_functions.h
Examining data/unicycler-0.4.8+dfsg/unicycler/src/consensus_align.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/global_align.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/kmers.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/asg.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/asm.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/dotter.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/hit.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/paf.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/sdict.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/sys.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/miniasm_assembly.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap/bseq.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap/index.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap/kthread.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap/map.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap/misc.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sketch.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/minimap_align.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/overlap_align.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/path_align.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/random_alignments.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/ref_seqs.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/scoredalignment.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/scrub.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/semi_global_align.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/semi_global_align_exhaustive.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/start_end_align.cpp
Examining data/unicycler-0.4.8+dfsg/unicycler/src/string_functions.cpp
FINAL RESULTS:
data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/dotter.cpp:71:14: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
while ((c = getopt(argc, argv, "m:i:s:w:f:Ld")) >= 0) {
data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp:189:14: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
while ((c = getopt(argc, argv, "w:t:")) >= 0) {
data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/eps.h:8:21: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
#define eps_open(s) fopen((s),"w+")
data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/kseq.h:135:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(str->s + str->l, ks->buf + ks->begin, i - ks->begin); \
data/unicycler-0.4.8+dfsg/unicycler/include/miniasm/kvec.h:74:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy((v1).a, (v0).a, sizeof(type) * (v0).n); \
data/unicycler-0.4.8+dfsg/unicycler/include/minimap/kseq.h:127:4: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(str->s + str->l, ks->buf + ks->begin, i - ks->begin); \
data/unicycler-0.4.8+dfsg/unicycler/include/minimap/kvec.h:74:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy((v1).a, (v0).a, sizeof(type) * (v0).n); \
data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/asm.cpp:64:16: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
FILE *fp = fopen(graph_filename.c_str(), "w");
data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/asm.cpp:162:16: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
FILE *fp = fopen(graph_filename.c_str(), "w");
data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/asm.cpp:163:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char name[32];
data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/asm.cpp:166:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(name, "utg%.6d%c", i + 1, "lc"[p->circ]);
data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/dotter.cpp:72:29: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
if (c == 'm') min_match = atoi(optarg);
data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/dotter.cpp:74:33: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
else if (c == 's') min_span = atoi(optarg);
data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/dotter.cpp:75:30: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
else if (c == 'w') width = atoi(optarg);
data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/dotter.cpp:76:34: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
else if (c == 'f') font_size = atoi(optarg);
data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/hit.cpp:342:19: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
all_list_file.open(all_read_list);
data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/hit.cpp:404:15: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
list_file.open(contained_read_list);
data/unicycler-0.4.8+dfsg/unicycler/src/miniasm/sys.cpp:40:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char buf[256];
data/unicycler-0.4.8+dfsg/unicycler/src/miniasm_assembly.cpp:73:13: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
outFile.open(miniasm_output);
data/unicycler-0.4.8+dfsg/unicycler/src/minimap/bseq.cpp:10:17: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
extern unsigned char seq_nt4_table[256];
data/unicycler-0.4.8+dfsg/unicycler/src/minimap/index.cpp:316:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char magic[4];
data/unicycler-0.4.8+dfsg/unicycler/src/minimap/map.cpp:321:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(step->reg[i], regs, n_regs * sizeof(mm_reg1_t));
data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp:25:10: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char seq_nt4_table[256] = {
data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp:44:17: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
extern unsigned char seq_nt4_table[256];
data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp:110:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(c, cv, SD_WTOT * sizeof(int));
data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp:190:21: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
if (c == 'w') W = atoi(optarg);
data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp:191:26: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
else if (c == 't') T = atoi(optarg);
data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sketch.cpp:10:10: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char seq_nt4_table[256] = {
data/unicycler-0.4.8+dfsg/unicycler/src/semi_global_align.cpp:685:19: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
allPointsFile.open(filename);
data/unicycler-0.4.8+dfsg/unicycler/src/semi_global_align.cpp:698:22: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
chainedSeedsFile.open(filename);
data/unicycler-0.4.8+dfsg/unicycler/src/semi_global_align.cpp:721:19: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
traceDotsFile.open(filename);
data/unicycler-0.4.8+dfsg/unicycler/src/semi_global_align.cpp:729:22: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
filteredDataFile.open(filename);
data/unicycler-0.4.8+dfsg/unicycler/src/minimap/index.cpp:212:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
assert(strlen(s->seq[i].name) <= 254);
data/unicycler-0.4.8+dfsg/unicycler/src/minimap/index.cpp:290:8: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
l = strlen(mi->name[i]);
data/unicycler-0.4.8+dfsg/unicycler/src/minimap/sdust.cpp:143:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (l_seq < 0) l_seq = strlen((const char*)seq);
ANALYSIS SUMMARY:
Hits = 35
Lines analyzed = 10959 in approximately 0.35 seconds (31239 lines/second)
Physical Source Lines of Code (SLOC) = 7738
Hits@level = [0] 73 [1] 3 [2] 30 [3] 2 [4] 0 [5] 0
Hits@level+ = [0+] 108 [1+] 35 [2+] 32 [3+] 2 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 13.9571 [1+] 4.52313 [2+] 4.13544 [3+] 0.258465 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.