SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 154

changes.mady.by.user Will Snavely

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The following table summarizes some of the differences between const-qualified objects, enumeration constants, and object-like macro definitions.

Method

Evaluated At

Consumes Memory

Viewable by Debuggers

Type Checking

Compile-Time Constant Expression

Enumerations

Compile time

No

Yes

Yes

Yes

const-qualified

Runtime

Yes

Yes

Yes

No

Macros

Preprocessor

No

No

No

Yes

Noncompliant Code Example

...

Using numeric literals makes code more difficult to read and understand. Buffer overruns are frequently a consequence of a magic number being changed in one place (such as in an array declaration) but not elsewhere (such as in a loop through an array).

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

DCL06-C

Low

Unlikely

Medium

P2

L3

Automated Detection

Tool

Version

Checker

Description

Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-DCL06
Compass/ROSE

 

 



Could detect violations of this recommendation merely by searching for the use of "magic numbers" and magic strings in the code itself. That is, any number (except a few canonical numbers: −1, 0, 1, 2) that appears in the code anywhere besides where assigned to a variable is a magic number and should instead be assigned to a const integer, enum, or macro. Likewise, any string literal (except "" and individual characters) that appears in the code anywhere besides where assigned to a char* or char[] is a magic string

ECLAIR

Include Page
ECLAIR_V
ECLAIR_V

CC2.DCL06

Fully implemented

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C3120, C3121, C3122, C3123, C3131, C3132


LDRA tool suite
Include Page
LDRA_V
LDRA_V

201 S

Fully implemented

Parasoft C/C++test
9.5CODSTA-26
Include Page
Parasoft_V
Parasoft_V

CERT_C-DCL06-a

Use meaningful symbolic constants to represent literal values

Fully implemented

Polyspace Bug Finder
R2016a

Hard coded buffer size, Hard coded loop boundary

Size of memory buffer is a numerical value instead of symbolic constant

Loop boundary is a numerical value instead of symbolic constant

PRQA QA-C Include PagePRQA QA-C_vPRQA QA-C_v

3120
3121
3122
3123
3131
3132

Partially implemented

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. DCL06-C


Checks for:

  • Hard-coded buffer size
  • Hard-coded loop boundary

Rec. fully covered.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Coding StandardVOID DCL06-CPP. Use meaningful symbolic constants to represent literal values in program logic
MITRE CWECWE-547, Use of hard-coded, security-relevant constants

Bibliography

[Henricson 1992]Chapter 10, "Constants"
[Saks 2001a]
 

[Saks 2001b]
 

[Saks 2002]
 

[Summit 2005]Question 10.5b

...


...

Image Modified Image Modified Image Modified