...
Noncompliant code examples are typically followed by compliant solutions, which show how the noncompliant code example can be recoded in a secure, compliant manner. Except where noted, noncompliant code examples should contain violations only of the guideline under discussion. Compliant solutions should comply with all of the secure coding rules but may on occasion fail to comply with a recommendation.
Coding Conventions
Unless otherwise specified, all code should compile on a reasonably modern compiler, when it is following compliance with the standard. For example, you can require GCC's g++
to conform to the C++11 standard with the parameter --std=c++11
.
Code that is only expected to run on a particular subset of platforms should have those platforms mentioned in the code's section header, e.g.: Compliant Solution (POSIX). Likewise, code that is only expected to run on more modern versions of C++ should indicate the oldest standard that supports them, e.g.: Compliant Solution (C++14).
In order to compile the code, you will need to include appropriate header files. For example, if the code invokes malloc()
, you may need to include the cstdlib
header.
Many code examples will contain ellipsis in comments. This indicates that the comment may be replaced by arbitrary code that satisfies the comment. A comment with only ellipsis suggests that the code may do anything.
Proper error handling is a controversial subject, and many applications and libraries provide their own idiosyncratic error handling mechanisms. See Rule 08. Exceptions and Error Handling (ERR) for our guidelines on handling errors. When our code detects that an error condition might have occurred, and handling that error condition is not endemic to the guideline itself, we will use the comment: /* Handle Error */
. This comment implies that the error is somehow addressed, so that the code does not fall through. The code may abort, or fix the error somehow. For example:
Code Block | ||||
---|---|---|---|---|
| ||||
char *str = malloc(10);
if (str == NULL) {
/* Handle Error */
}
/* ... str can not be NULL here. Work with str... */ |
Exceptions
Any rule or recommendation may specify a small set of exceptions detailing the circumstances under which the guideline is not necessary to ensure the safety, reliability, or security of software. Exceptions are informative only and are not required to be followed.
...
Severity—How serious are the consequences of the rule being ignored?
Value | Meaning | Examples of Vulnerability |
---|---|---|
1 | Low | Denial-of-service attack, abnormal termination |
2 | Medium | Data integrity violation, unintentional information disclosure |
3 | High | Run arbitrary code |
Likelihood—How likely is it that a flaw introduced by ignoring the rule can lead to an exploitable vulnerability?
Value | Meaning |
---|---|
1 | Unlikely |
2 | Probable |
3 | Likely |
Remediation Cost—How expensive is it to comply with the rule?
Value | Meaning | Detection | Correction |
---|---|---|---|
1 | High | Manual | Manual |
2 | Medium | Automatic | Manual |
3 | Low | Automatic | Automatic |
The three values are then multiplied together for each rule. This product provides a measure that can be used in prioritizing the application of the rules. The products range from 1 to 27, although only the following 10 distinct values are possible: 1, 2, 3, 4, 6, 8, 9, 12, 18, and 27. Rules and recommendations with a priority in the range of 1 to 4 are Level 3 rules, 6 to 9 are Level 2 , and 12 to 27 are Level 1 . The following are possible interpretations of the priorities and levels.
Priorities and Levels
Level | Priorities | Possible Interpretation |
---|---|---|
L1 | 12 , 18 , 27 | High severity, likely, inexpensive to repair |
L2 | 6 , 8 , 9 | Medium severity, probable, medium cost to repair |
L3 | 1 , 2 , 3 , 4 | Low severity, unlikely, expensive to repair |
Specific projects may begin remediation by implementing all rules at a particular level before proceeding to the lower priority rules, as shown in the following illustration:
Recommendations are not compulsory and are provided for information purposes only.
...
The related guidelines sections contain links to guidelines in related standards, technical specifications, and guideline collections such as Information Technology—Programming Languages, Their Environments and System Software Interfaces—C Secure Coding Rules [ISO/IEC TS 17961:2013]; Information Technology—Programming Languages —Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use [ISO/IEC TR 24772:2013]; MISRA C++ 2008: Guidelines for the Use of the C++ Language in Critical Systems [MISRA C++:2008]; and CWE IDs in MITRE’s Common Weakness Enumeration (CWE) [MITRE 2010].
You can create a unique URL to get more information on CWEs by appending the relevant ID to the end of a fixed string. For example, to find more information about "CWE-192: Integer Coercion Error," you can append 192.html to http://cwe.mitre.org/data/definitions/ and enter the resulting URL in your browser: http://cwe.mitre.org/data/definitions/192.html.
...
Most guidelines have a small bibliography section that lists documents and sections in those documents that provide information relevant to the guideline.