...
Tool | Version | Checker | Description |
---|---|---|---|
CodeSonar | | BADFUNC.* (customization) | A number of CodeSonar's "Use of *" checks are for deprecated/obsolescent functions. CodeSonar also provides a mechanism for users to create custom checks for uses of specified functions |
ECLAIR | | CC2.MSC34 | Fully implemented |
LDRA tool suite | | 44 S | Fully implemented |
Parasoft C/C++test | 9.5 | MISRA2012-RULE-21_{7,8}, SECURITY-07, SECURITY-12 | |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
CERT C Secure Coding Standard | ERR07-C. Prefer functions that support error checking over equivalent functions that don't |
 | INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs |
 | ERR34-C. Detect errors when converting a string to a number (supersedes INT06-C. Use strtol() or a related function to convert a string token to an integer) |
 | STR06-C. Do not assume that strtok() leaves the parse string unchanged |
 | STR07-C. Use the bounds-checking interfaces for string manipulation |
ISO/IEC TR 24772 | Use of Libraries [TRJ] |
MISRA C:2012 | Rule 21.3 (required) |
MITRE CWE | CWE-20, Improper Input Validation |
 | CWE-73, External Control of File Name or Path |
 | CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
 | CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
 | CWE-91, XML Injection (aka Blind XPath Injection) |
 | CWE-94, Improper Control of Generation of Code ('Code Injection') |
 | CWE-114, Process Control |
 | CWE-120, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
 | CWE-192, Integer Coercion Error |
 | CWE-197, Numeric Truncation Error |
 | CWE-367, Time-of-check Time-of-use (TOCTOU) Race Condition |
 | CWE-464, Addition of Data Structure Sentinel |
 | CWE-601, URL Redirection to Untrusted Site ('Open Redirect') |
 | CWE-676, Use of Potentially Dangerous Function |
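The related guidelines above (ERR07-C, ERR34-C, STR07-C) all point at the same practice: replace an obsolescent function that cannot report failure with one that can, and then actually check every failure mode it reports. The following C code is an added example, not part of the CERT page or any of the listed tools; the helper names `safe_strtol()`, `safe_strtoi()`, `read_line()` and the `parse_status` codes are our own. It shows `atoi()` replaced by `strtol()` with `errno`, end-pointer, trailing-garbage and `int` narrowing checks, and `gets()` replaced by a bounded `fgets()` wrapper that distinguishes an over-long line from the last line of a file.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for the hypothetical safe_strtol()/safe_strtoi() helpers. */
enum parse_status {
    PARSE_OK = 0,
    PARSE_EMPTY,        /* no digits at all (after optional leading space) */
    PARSE_TRAILING,     /* extra characters after the number */
    PARSE_RANGE,        /* outside LONG_MIN..LONG_MAX */
    PARSE_OVERFLOW_INT  /* fits in long but not in int */
};

/* atoi() cannot distinguish "0", "0abc", "" or an out-of-range value, and its
 * behaviour on overflow is undefined. strtol() exposes each failure through
 * errno and the end pointer; a compliant replacement checks all of them.
 * Leading whitespace is accepted because strtol() skips it by design. */
enum parse_status safe_strtol(const char *s, long *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s) return PARSE_EMPTY;        /* no conversion performed */
    if (errno == ERANGE) return PARSE_RANGE;  /* LONG_MIN/LONG_MAX clamped */
    if (*end != '\0') return PARSE_TRAILING;  /* "12abc", "3 4", ...      */
    *out = v;
    return PARSE_OK;
}

/* Same, narrowed to int: catches the truncation that (int)atol() hides
 * (CWE-197) instead of silently wrapping. */
enum parse_status safe_strtoi(const char *s, int *out)
{
    long v;
    enum parse_status st = safe_strtol(s, &v);
    if (st != PARSE_OK) return st;
    if (v < INT_MIN || v > INT_MAX) return PARSE_OVERFLOW_INT;
    *out = (int)v;
    return PARSE_OK;
}

/* Bounded line read replacing gets(): returns 1 with the newline stripped,
 * 0 on EOF/error before any data, -1 if the line did not fit in buf (the
 * unread remainder of that line is discarded so the caller stays in sync). */
int read_line(char *buf, size_t size, FILE *fp)
{
    int c, overflowed = 0;
    size_t n;

    if (size == 0 || fgets(buf, (int)size, fp) == NULL) return 0;
    n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    /* No newline: either the final unterminated line or an over-long one. */
    while ((c = getc(fp)) != EOF && c != '\n') overflowed = 1;
    return overflowed ? -1 : 1;
}

int main(void)
{
    /* Constructed inputs, one per failure mode the helpers detect. */
    const char *samples[] = { "42", "", "12abc", "99999999999999999999", "-2147483649" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = 0;
        enum parse_status st = safe_strtoi(samples[i], &v);
        printf("%-22s -> status %d%s\n", samples[i], (int)st,
               st == PARSE_OK ? "" : " (rejected)");
    }
    return 0;
}
```

Every non-`PARSE_OK` status is a distinct, loggable reason for rejecting input, which is exactly what `atoi()` and `gets()` cannot give the caller; whether `"-2147483649"` fails as `PARSE_RANGE` or `PARSE_OVERFLOW_INT` depends on the width of `long` on the target, but it is rejected either way.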
...