SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 127

changes.mady.by.user Amy Gale

Saved on

compared with

New Version 128

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Tool

Version

Checker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

BADFUNC.PATH.SYSTEM

IO.INJ.COMMAND

Use of system

Command Injection

Compass/ROSE   

Klocwork

Include Page
Klocwork_V
Klocwork_V

SV.CODE_INJECTION.SHELL_EXEC
SV.TAINTED.INJECTION

 

LDRA tool suite

Include Page
LDRA_V
LDRA_V

588 S

Fully implemented
PRQA QA-C
Include Page
PRQA QA-C_Vv
PRQA QA-C_Vv
Warncall -wc systemPartially implemented

...

CERT C Secure Coding StandardENV03-C. Sanitize the environment when invoking external programs.
CERT C++ Secure Coding StandardENV04ENV02-CPP. Do not call system() if you do not need a command processor
CERT Oracle Secure Coding Standard for JavaIDS07-J. Do not pass Sanitize untrusted , unsanitized data passed to the Runtime.exec() method
ISO/IEC TR 24772:2013Unquoted Search Path or Element [XZQ]
ISO/IEC TS 17961:2013Calling system [syscall]
MITRE CWECWE-78, Improper Neutralization of Special Elements Used in an OS Command (aka "OS Command Injection")
CWE-88, Argument Injection or Modification

...