These checkers enforce the CERT C Secure Coding rules. The code is available for free download by selecting 'Attachments' on this page.
The source code was developed by the CERT Secure Coding Group and is freely available.
This code has been developed and tested on an i386 workstation running
Linux (2.6.16.60) and g++ (3.4.4).
This code depends on ROSE 0.9.3a, which is available for free download
from:
ROSE 0.9.3a also depends on the BOOST C++ library, version 1.3.5,
which is available for free download from:
...
First make sure that the ROSE environment variable points to the build
directory of ROSE:
    export ROSE=/usr/local/rose/compileTree
...
To test diagnose on the code samples from the CERT C Secure Coding
Rules:
    make tests
...
To run the diagnose program on a C file, simply pass the C file as an
argument:
    diagnose hello.c
If the C file violates some secure coding rules, the diagnose program
prints them out. If the diagnose program cannot find any violations,
it prints nothing.
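Because diagnose signals a clean file only by printing nothing, a build or pre-commit gate has to test for empty output rather than for an exit status. The following POSIX shell wrapper is an added example and not part of the CERT checker distribution; it assumes the ROSE environment variable convention from this page and that the checker binary is invoked as `diagnose FILE` (the command name is passed in, so a different checker path can be substituted).

```shell
#!/bin/sh
# Added example (not the CERT Secure Coding Group's code): gate a set of C
# files on the output of the ROSE-based `diagnose` checker.
#
# Assumptions (from this page): diagnose prints each rule violation it finds
# and prints nothing at all when a file is clean; ROSE must point at the ROSE
# build directory before the checkers are built or run.

# check_rose_env: succeed only if ROSE is set and names a directory.
check_rose_env() {
    if [ -z "${ROSE:-}" ]; then
        echo "ROSE is not set; export ROSE=<rose build directory>" >&2
        return 1
    fi
    if [ ! -d "$ROSE" ]; then
        echo "ROSE=$ROSE is not a directory" >&2
        return 1
    fi
    return 0
}

# run_diagnose_gate CHECKER FILE...
# Runs CHECKER on every file given. Prints the number of files with findings
# to stdout and returns 0 when all files are clean, 1 otherwise. The
# violation text itself goes to stderr so it shows up in build logs.
run_diagnose_gate() {
    checker="$1"
    shift
    flagged=0
    for src in "$@"; do
        # The exit status is ignored on purpose: an empty report is the
        # only reliable "clean" signal this page documents.
        out=$("$checker" "$src" 2>&1) || true
        if [ -n "$out" ]; then
            printf '%s: secure coding rule violations\n%s\n' "$src" "$out" >&2
            flagged=$((flagged + 1))
        fi
    done
    echo "$flagged"
    [ "$flagged" -eq 0 ]
}

# Typical use from a Makefile or CI job (assumes diagnose is on PATH):
#   . ./diagnose_gate.sh && check_rose_env && run_diagnose_gate diagnose src/*.c
```

The gate reports the count of flagged files on stdout and the findings themselves on stderr, so `make` can fail on the return status while the log still shows which rules were violated in which file.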
...
Here is a breakdown of how thoroughly diagnose enforces the C Secure
Coding Rules:
| Category | Rules | Description |
|---|---|---|
| Complete | 57 | ROSE catches all violations of these rules. |
| Partial | 45 | ROSE catches some, but not all, violations of these rules. |
| False positive | 9 | These rules could be checked by diagnose, but the checks would also report some false positives. |
| Potential | 29 | These rules are not checked by diagnose, but could be. |
| Undoable | 32 | These rules could not be checked by ROSE due to various limitations in ROSE. |
| Unenforceable | 48 | These rules could not be checked by any tool that relies purely on unaided static analysis. |
| TOTAL | 220 | |