
These checkers enforce the CERT C Secure Coding rules and are freely available from their SourceForge project. For questions regarding the CERT ROSE checkers, contact secure-coding at cert dot org.

Running Rosecheckers (the ROSE CERT C Checkers)

Checkers for the CERT C secure coding rules, recommendations, and guidelines are built into a tool called Rosecheckers, which uses the ROSE compiler. The program itself is invoked as all-lowercase 'rosecheckers'.
To run Rosecheckers on a C or C++ file, simply pass the file as an argument:

Code Block

rosecheckers hello.c

If the C file violates any secure coding rules, rosecheckers prints the violations it found. If it cannot find any violations, it prints nothing.

Rosecheckers takes the same arguments as gcc. So if your code needs special flags passed to the compiler, such as the locations of include files, you can pass them to rosecheckers in the same manner as to gcc. Likewise, if you have a makefile that describes how your program is built, you can run ROSE over your source code merely by instructing your make command to use rosecheckers as a drop-in replacement for gcc. One way to do this is:

Code Block

make CC=rosecheckers
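The two behaviours described above, gcc-compatible arguments and no output on a clean file, are enough to turn the checker into a build gate. The script below is an added example and is not code from the CERT page or the Rosecheckers project: it runs the checker over each source file given and returns failure when any file produces output. The variable names CHECKER and CHECKER_FLAGS, and the sample -Iinclude flag, are assumptions of this script rather than anything documented on the page.

```shell
#!/bin/sh
# Added example, not code from the CERT page or the Rosecheckers project.
# Runs a checker over each C file given and fails if any file produced
# output, relying on the behaviour the page describes: rosecheckers prints
# findings for a file that violates rules and prints nothing for a clean file.
# Assumptions (not stated on the page): the checker is named by $CHECKER
# (default "rosecheckers") and any gcc-style flags, such as -I include paths,
# are supplied in $CHECKER_FLAGS.

# check_sources FILE... -> exit status 0 if every file came back clean,
# 1 if at least one file produced findings; findings are echoed as they arrive.
check_sources() {
    checker="${CHECKER:-rosecheckers}"
    failed=0
    for src in "$@"; do
        # Rosecheckers accepts the same arguments as gcc, so flags pass straight
        # through. stderr is captured too so diagnostics are not lost.
        out=$("$checker" ${CHECKER_FLAGS:-} "$src" 2>&1)
        if [ -n "$out" ]; then
            printf '%s: findings reported\n%s\n' "$src" "$out"
            failed=1
        else
            printf '%s: clean\n' "$src"
        fi
    done
    return "$failed"
}

# Typical use from a source tree, e.g. as a CI step (assumed layout):
#   CHECKER_FLAGS="-Iinclude" check_sources src/*.c || exit 1
```

Because the gate keys only on whether the checker printed anything, it keeps working if the report format changes; the cost is that a checker error message (a missing header, say) also fails the build, which for a security gate is the safer default.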

There are three ways to run Rosecheckers. You can run Rosecheckers using a downloadable virtual machine. You can build Rosecheckers, as well as ROSE itself, from source. Finally, Rosecheckers is available on Carnegie Mellon University's Andrew system to students, faculty, and staff.

Rosecheckers on a Virtual Machine

To run Rosecheckers this way, you must use a virtualization system such as VMware. The SourceForge project provides a free example VM.

...

After that, you should be able to access the VM from your host machine remotely using SSH. You'll need the VM's IP address for this, which you can learn with this command from the VM:

Code Block

ip addr | grep /24

If it prints multiple IP addresses, select the one that begins with 192.168.

In the VM's home directory, there is a README file explaining what software is available there. It includes both ROSE and the CERT Secure Coding rule checkers.

Building Rosecheckers

To build the Rosecheckers program from the CERT C Checkers source, type:

Code Block

make pgms

To test Rosecheckers on the code samples from the CERT C Secure Coding Rules:

Code Block

make tests

To build API documentation pages, you must have doxygen installed:

Code Block

make doc

To clean documentation pages and build files:

Code Block

make clean

Rosecheckers on Andrew

To run Rosecheckers this way, you must have an Andrew account at CMU, usually limited to faculty, students, and staff. The Rosecheckers program is available in:

Code Block

/afs/andrew/usr/svoboda/public/c_rules

To run Rosecheckers, you simply add this directory to your PATH environment variable.

Secure Coding Rules Enforced by Rosecheckers

The C Secure Coding Rules are freely available.

...