Assertions are a valuable diagnostic tool for finding and eliminating software defects that may result in vulnerabilities. (See see MSC11-C. Incorporate diagnostic tests using assertions). ) The runtime assert() macro has some limitations, however, in that it incurs a runtime overhead and because it calls abort(). Consequently, the runtime assert() macro is useful only for identifying incorrect assumptions and not for runtime error checking. As a result, runtime assertions are generally unsuitable for server programs or embedded systems.
...
Other uses of static assertion are shown in STR07-C. Use the bounds-checking interfaces for string manipulation and void FIO35FIO34-C. Use feof() and ferror() to detect end-of-file and file errors when sizeof(int) == sizeof(char)Distinguish between characters read from a file and EOF or WEOF.
Risk Assessment
Static assertion is a valuable diagnostic tool for finding and eliminating software defects that may result in vulnerabilities at compile time. The absence of static assertions, however, does not mean that code is incorrect.
...
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Clang |
| misc-static-assert | Checked by clang-tidy. | ||||||
| CodeSonar |
| (customization) | Users can implement a custom check that reports uses of the assert() macro. | ||||||
|
| Could detect violations of this rule merely by looking for calls to | |||||||
| ECLAIR |
| CC2.DCL03 | Fully implemented | ||||||
| 44 S | Fully implemented |
...