Page History

Assertions are a valuable diagnostic tool for finding and eliminating software defects that may result in vulnerabilities. (See see MSC11-C. Incorporate diagnostic tests using assertions). ) The runtime assert() macro has some limitations, however, in that it incurs a runtime overhead and because it calls abort(). Consequently, the runtime assert() macro is useful only for identifying incorrect assumptions and not for runtime error checking. As a result, runtime assertions are generally unsuitable for server programs or embedded systems.

...

Other uses of static assertion are shown in STR07-C. Use the bounds-checking interfaces for string manipulation and void FIO35FIO34-C. Use feof() and ferror() to detect end-of-file and file errors when sizeof(int) == sizeof(char)Distinguish between characters read from a file and EOF or WEOF.

Risk Assessment

Static assertion is a valuable diagnostic tool for finding and eliminating software defects that may result in vulnerabilities at compile time. The absence of static assertions, however, does not mean that code is incorrect.

Recommendation	Severity	Likelihood	Remediation Cost	Priority	Level
DCL03-C	Low	Unlikely	High	P1	L3

Automated Detection

Tool

Version

Checker

Description

Axivion Bauhaus Suite

Include Page

	Axivion Bauhaus Suite_V
	Axivion Bauhaus Suite_V

CertC-DCL03

Clang

Include Page

	Clang_V
	Clang_V

misc-static-assert

Checked by clang-tidy

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

(customization)

Users can implement a custom check that reports uses of the assert() macro

.

Compass/ROSE

Could detect violations of this rule merely by looking for calls to assert(), and if it can evaluate the assertion (due to all values being known at compile time), then the code should use static-assert instead; this assumes ROSE can recognize macro invocation

ECLAIR

Include Page