Versions Compared

...

Tool            | Version     | Checker                   | Description
CodeSonar       | CodeSonar_V | BADFUNC.* (customization) | A number of CodeSonar's "Use of *" checks are for deprecated/obsolescent functions. CodeSonar also provides a mechanism for users to create custom checks for uses of specified functions.
ECLAIR          | ECLAIR_V    | CC2.MSC34                 | Fully implemented
LDRA tool suite | LDRA_V      | 44 S                      | Fully implemented

...

CERT C Secure Coding Standard

ERR07-C. Prefer functions that support error checking over equivalent functions that don't
INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs
INT06-C. Use strtol() or a related function to convert a string token to an integer
STR06-C. Do not assume that strtok() leaves the parse string unchanged
STR07-C. Use the bounds-checking interfaces for string manipulation

ISO/IEC TR 24772

MISRA C:2012

Rule 21.3 (required)

MITRE CWE

CWE-20, Insufficient input validation
CWE-73, External control of file name or path
CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-91, XML Injection (aka Blind XPath Injection)
CWE-94, Improper Control of Generation of Code ('Code Injection')
CWE-114, Process Control
CWE-120, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-192, Integer coercion error
CWE-197, Numeric truncation error
CWE-367, Time-of-check, time-of-use race condition
CWE-464, Addition of data structure sentinel
CWE-601, URL Redirection to Untrusted Site ('Open Redirect')
CWE-676, Use of potentially dangerous function

Bibliography

[Apple 2006] Apple Secure Coding Guide, "Avoiding Race Conditions and Insecure File Operations"
[Burch 2006] Specifications for Managed Strings, Second Edition
[Drepper 2006] Section 2.2.1, "Identification When Opening"
[IEEE Std 1003.1:2013] XSH, System Interfaces, open
[ISO/IEC 23360-1:2006]
[ISO/IEC WG14 N1173] Rationale for TR 24731 Extensions to the C Library Part I: Bounds-checking interfaces
[Klein 2002] "Bullet Proof Integer Input Using strtol()"
[Linux 2008] strtok(3)
[Seacord 2013] Chapter 2, "Strings"; Chapter 8, "File I/O"
[Seacord 2005b] "Managed String Library for C, C/C++"

...