Page History

These checkers enforce the CERT C Secure Coding rules, and are freely available from their SourceForge project. For questions regarding the CERT ROSE checkers, contact secure-coding at cert dot org.

Running Rosecheckers (the ROSE CERT C Checkers)

Checkers for CERT C secure coding rules/recommendations/guidelines are built into a tool called Rosecheckers, which uses the ROSE compiler. The program is run using all-lowercase 'rosecheckers'.
To run the Rosecheckers program on a C or C++ file, simply pass the file as an argument:

rosecheckers hello.c

If the C file violates some secure coding rules, the rosecheckers Rosecheckers program will print them out. If the rosecheckers Rosecheckers program can not find any violations, it prints nothing.

Rosecheckers actually takes the same arguments as gcc. So if your code has special flags that must be passed to the compiler, such as locations of include files, you can pass them to rosecheckers Rosecheckers in the same manner as gcc. Likewise, if you have a makefile that indicates how your program is to be built, you can run ROSE on your source code merely by instructing to your make command to use rosecheckers Rosecheckers as a drop-in replacement for gcc. One way to do this is:

make CC=rosecheckers

There are three ways to run Rosecheckers. You can run Rosecheckers using a downloadable virtual machine. You can build Rosecheckers, as well as ROSE itself, from source. Finally, Rosecheckers is available on Carnegie Mellon University's Andrew system to students, faculty, and staff.

Rosecheckers on a Virtual Machine

To run these checkers, you must use a virtualization system such as VMWare. The Sourceforge project provides a free example VM.

...

Here is a breakdown of how thoroughly rosecheckers Rosecheckers enforces the C Secure Coding Rules: