These checkers enforce the CERT C Secure Coding rules. The code is available for free download by selecting 'Attachments' on this page.
The
source code] was developed by the CERT Secure Coding Group, and is freely available.
This code has been developed and tested on an i386 workstation running
Linux (2.6.16.60) and g++ (3.4.4)
...
First make sure that the ROSE environment variable points to the build
directory of ROSE:
| Code Block |
|---|
export ROSE=/usr/local/rose/compileTree
|
...
To build the ROSE 'diagnose' program, which runs secure coding rules:
| Code Block |
|---|
make pgms
|
To test diagnose on the code samples from the CERT C Secure Coding
Rules:
| Code Block |
|---|
make tests
|
To build API documentation pages, you must have doxygen installed:
| Code Block |
|---|
make doc
|
To clean documentation pages and build files:
| Code Block |
|---|
make clean
|
Running Diagnose
To run the diagnose program on a C file, simply pass the C file as an
argument:
| Code Block |
|---|
diagnose hello.c
|
If the C file violates some secure coding rules, the diagnose program
will print them out. If the diagnose program can not find any
violations, it prints nothing.
Secure Coding Rules Enforced by Diagnose
The C Secure Coding Rules are available at: https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard
freely available.
Here is a breakdown of how thoroughly diagnose enforces the C Secure
Coding Rules:
Complete | 57 | ROSE catches all violations of these rules |
Partial | 45 | ROSE catches some, but not all violations of these rules |
false-positive | 9 | These rules could be checked by diagnose, but they will also catch |
...
some false positives. | ||
Potential | 29 | These rules are not checked by diagnose, but could be |
Undoable | 32 | These rules could not be checked by ROSE due to various limitations in |
...
ROSE. | ||
Unenforceable | 48 | These rules could not be checked by any tool that relies purely on |
...
unaided static analysis. | |
TOTAL | 220 |