Page History

These checkers enforce the CERT C Secure Coding rules, and are freely available from their SourceForge project.

Running the ROSE CERT C Checkers

The ROSE CERT C Checkers are built into a program called 'diagnoserosecheckers'.
To run the diagnose rosecheckers program on a C or C++ file, simply pass the file as an argument:

diagnoserosecheckers hello.c

If the C file violates some secure coding rules, the diagnose rosecheckers program will print them out. If the diagnose rosecheckers program can not find any violations, it prints nothing.

Diagnose Rosecheckers actually takes the same arguments as gcc. So if your code has special flags that must be passed to the compiler, such as locations of include files, you can pass them to diagnose rosecheckers in the same manner as gcc. Likewise, if you have a makefile that indicates how your program is to be built, you can run ROSE on your source code merely by instructing to your make command to use diagnose rosecheckers as a drop-in replacement for gcc. One way to do this is:

make CC=diagnoserosecheckers

There are three ways to run the ROSE CERT C checkers. They are available on CMU's Andrew system. In addition you can run them using a downloadable VM. Finally, you can build the CERT checkers, as well as ROSE itself, from source.

...

To run these checkers, you must have an Andrew account at CMU. The diagnose rosecheckers program is available in:

/afs/andrew/usr/svoboda/public/c_rules

To run diagnoserosecheckers, you simply add this directory to your PATH environment variable.

...

To run these checkers, you must use a virtualization system such as VMWare. Contact David Svoboda in order to download the virtual machine containing the ROSE CERT C Checkers, as well as the VM's login userid and password.

You will need 7zip to uncompress the VM file, which is freely available from sourceforge.com. The command will look like this:

...

The Sourceforge project provides a free example VM.

Once extracted, the rosebud directory is a VM image that can be powered on by VMWare. After logging in, you'll need to enter your login password again when the system asks for a sudo password. This is so the VM image can generate a unique SSH key.

...

In the VM's home directory, there is a README file explaining what
software is available there. It includes both ROSE and the CERT Secure
Coding rule checkers.

Building

...

Rosecheckers

To build the rosecheckers

The source code was developed by the CERT Secure Coding Group, and is freely available.

If you wish to develop the code, and you have an Andrew account, we recommend you check the code out of Subversion on andrew. The repository is at:

file://localhost/afs/andrew.cmu.edu/usr/svoboda/public/repository/trunk/c_rules^{Image Removed}

You can access the repository from a non-Andrew machine using SSH:

svn+ssh://username@unix.andrew.cmu.edu/afs/andrew.cmu.edu/usr/svoboda/public/repository/trunk/c_rules

Replace username with your Andrew id.

This code has been developed and tested on an i386 workstation running Linux (2.6.16.60) and g++ (3.4.4). It depends on ROSE 0.9.3a, which is available for free download from http://rosecompiler.org^{Image Removed}

ROSE 0.9.3a also depends on the BOOST C++ library, version 1.3.5, which is available for free download from http://www.boost.org/^{Image Removed}

Both Boost and ROSE contain build instructions.

Building Diagnose

To build the diagnose program from the CERT C Checkers, first make sure that the ROSE environment variable points to the build directory of ROSE:

export ROSE=/usr/local/rose/compileTree

Then type:

make pgms

To test diagnose rosecheckers on the code samples from the CERT C Secure Coding Rules:

...

To clean documentation pages and build files:

make clean

Secure Coding Rules Enforced by

...

Rosecheckers

The C Secure Coding Rules are freely available.

Here is a breakdown of how thoroughly diagnose rosecheckers enforces the C Secure Coding Rules: