Comment: Updating based on the C wording

Introduction

This coding standard consists of rules and recommendations, collectively referred to as guidelines. Rules are meant to provide normative requirements for code, whereas recommendations are meant to provide guidance that, when followed, should improve the safety, reliability, and security of software systems. However, a violation of a recommendation does not necessarily indicate the presence of a defect in the code.

...

  1. Violation of the guideline is likely to result in a defect that may adversely affect the safety, reliability, or security of a system, for example, by introducing a security flaw that may result in an exploitable vulnerability.
  2. The guideline does not rely on source-code annotations or assumptions.
  3. Conformance to the guideline can be determined through automated analysis (either static or dynamic), formal methods, or manual inspection techniques.

...

Recommendations are identified by the label recommendation. The CERT C++ Coding Standard does not currently expose any recommendations; all C++ recommendations have been temporarily removed.

Noncompliant Code Examples and Compliant Solutions

...

Noncompliant code examples are typically followed by compliant solutions, which show how the noncompliant code example can be recoded in a secure, compliant manner. Except where noted, noncompliant code examples should contain violations only of the guideline under discussion. Compliant solutions should comply with all of the secure coding rules but may on occasion fail to comply with a recommendation.

...

Any rule or recommendation may specify a small set of exceptions detailing the circumstances under which the guideline is not necessary to ensure the safety, reliability, or security of software. Exceptions are informative only and are not required to be followed.

Identifiers

Each rule and recommendation is given a unique identifier. These identifiers consist of three parts:

  • A three-letter mnemonic representing the section of the standard
  • A two-digit numeric value in the range of 00 through 99
  • The letters "CPP" indicating that this is a C++ language guideline

The three-letter mnemonic can be used to group similar coding practices and to indicate to which category a coding practice belongs.

The suffix represents the associated language or platform.

The numeric value is used to give each coding practice a unique identifier. Numeric values in the range of 00 through 49 are reserved for recommendations, while values in the range of 50 through 99 are reserved for rules. (The values used for C are different. It uses 00-29 for recommendations and 30-99 for rules.)

Supported Languages and Platforms

See the table below for a summary of supported languages and platforms:

Suffix    Language/Platform
-A        Android
-C        C
-CPP      C++
-J        Java
-P        Perl
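The identifier scheme described above can be checked mechanically, for instance to keep only rule violations from a list of analyzer findings. This is an added example, not part of the standard: `parse_guideline_id`, `rules_only`, the `ABC` identifiers and the findings list are constructed for illustration, and suffixes whose numeric split this page does not state are reported as unclassified.

```python
import re

# Suffixes from the table of supported languages and platforms.
SUFFIXES = {"A": "Android", "C": "C", "CPP": "C++", "J": "Java", "P": "Perl"}

# First numeric value reserved for rules, for the two languages whose split
# is stated on this page (C++: 50-99 rules, C: 30-99 rules).
FIRST_RULE_NUMBER = {"CPP": 50, "C": 30}

# Three-letter mnemonic, two digits, "-" suffix, optional trailing period.
ID_RE = re.compile(r"([A-Z]{3})([0-9]{2})-([A-Z]+)\.?")


def parse_guideline_id(text):
    """Split an identifier such as 'FLP00-C.' into its three parts."""
    m = ID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a guideline identifier: {text!r}")
    mnemonic, number, suffix = m.group(1), int(m.group(2)), m.group(3)
    if suffix not in SUFFIXES:
        raise ValueError(f"unknown language/platform suffix: -{suffix}")
    first_rule = FIRST_RULE_NUMBER.get(suffix)
    if first_rule is None:
        kind = "unclassified"  # split not stated on this page
    else:
        kind = "rule" if number >= first_rule else "recommendation"
    return {"mnemonic": mnemonic, "number": number,
            "platform": SUFFIXES[suffix], "kind": kind}


def rules_only(findings):
    """Keep (location, identifier) findings whose guideline is a rule."""
    return [f for f in findings if parse_guideline_id(f[1])["kind"] == "rule"]


# Constructed analyzer findings; the ABC identifiers are placeholders.
SAMPLE_FINDINGS = [
    ("src/a.cpp:12", "ABC75-CPP"),
    ("src/a.cpp:40", "ABC35-CPP"),
    ("src/b.c:7", "ABC35-C"),
    ("src/b.c:9", "FLP00-C."),
]

if __name__ == "__main__":
    for location, ident in rules_only(SAMPLE_FINDINGS):
        print(location, ident)
```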

Examples

Here are some example identifiers with an explanation of each:

INT50-CPP Do not cast to an out-of-range enumeration value

  • This identifier indicates a recommendation
  • “INT” stands for the Integer category
  • “50” is the unique identifier
  • “-CPP” stands for the C++ language

EXP00-J Do not ignore values returned by methods

  • This identifier indicates a rule
  • “EXP” stands for the Expressions category
  • “00” is the unique identifier
  • “-J” stands for the Java language

INT02-A Do not act on malicious intents

  • “INT” stands for the Intent category
  • “02” is the unique identifier
  • “-A” stands for the Android platform

FLP00-C. Understand the limitations of floating-point numbers

  • This identifier indicates a recommendation
  • “FLP” stands for the Floating Point category
  • “00” is the unique identifier
  • “-C” stands for the C programming language

...