...
Compass/ROSE does not currently detect violations of this recommendation. While the recommendation in general cannot be automated, due to the difficulty in enforcing contracts between a variadic function and its invokers, it would be fairly easy to enforce type correctness on arguments to the printf() family of functions.
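The printf() family is the tractable case because the format string itself states the contract, so the expected argument types can be derived from it and compared with what the caller passes. The sketch below is an added example, not CERT or Compass/ROSE code; `check_format`, `expected_class` and the one-letter argument class tags are hypothetical names, and only a subset of conversions and the `l` length modifier are modelled.

```c
#include <stddef.h>
#include <string.h>

/* Expected argument class for a conversion (tags constructed for this example):
 * i=int, u=unsigned int, l=long, L=unsigned long, d=double, s=char*, p=void*.
 * Returns 0 for a conversion this sketch does not model. */
static char expected_class(char conv, int is_long) {
    switch (conv) {
    case 'd': case 'i': return is_long ? 'l' : 'i';
    case 'u': case 'x': case 'X': case 'o': return is_long ? 'L' : 'u';
    case 'c': return is_long ? 0 : 'i';        /* char is promoted to int */
    case 'f': case 'e': case 'g': return 'd';  /* float is promoted to double */
    case 's': return is_long ? 0 : 's';
    case 'p': return is_long ? 0 : 'p';
    default:  return 0;
    }
}

/* Compare a printf-style format with the classes of the arguments supplied.
 * Returns 0 on a match, the 1-based position of the first wrong, missing or
 * surplus argument, or -1 if the format uses something not modelled here
 * (including a format that ends in the middle of a conversion). */
int check_format(const char *fmt, const char *classes) {
    size_t n = strlen(classes), used = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                /* literal percent sign */
        while (*p && strchr("-+ #0", *p)) p++;  /* flags */
        for (;; p++) {                          /* width and precision */
            if (*p == '*') {                    /* '*' consumes an int argument */
                if (used >= n || classes[used] != 'i') return (int)used + 1;
                used++;
            } else if (!(*p == '.' || (*p >= '0' && *p <= '9'))) break;
        }
        int is_long = 0;
        if (*p == 'l') { is_long = 1; p++; }
        char want = expected_class(*p, is_long);
        if (!want) return -1;
        if (used >= n || classes[used] != want) return (int)used + 1;
        used++;
    }
    return used == n ? 0 : (int)used + 1;       /* surplus arguments are flagged */
}
```

GCC and Clang perform this kind of check at compile time under `-Wformat` (enabled by `-Wall`) when the format string is a literal.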
...
Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.
References
...