Avoid the use of "magic numbers" (constant values that represent an arbitrary value, such as a determined appropriate buffer size, or a malleable concept such as the age a person is considered an adult, which could change in a different country) in code where it is possible. Rather, use appropriately named symbolic constants clarify the intent of the code. In addition, if a specific value needs to be changed reassigning a symbolic constant once is more efficient and less error prone then replacing every instance of the value to be changed.
Non Compliant Code Example
The meaning of the numeric literal 18 is not clear in this example.
/* ... */
if (age >= 18) {
/* Take action */
}
else {
/* Take a different action */
}
/* ... */
Compliant Solution
The compliant solution replaces 18 with the symbolic constant ADULT_AGE to clarify the meaning of the code.
When declaring immutable symbolic values, such as ADULT_AGE it is best to declare them as a constant in accordance with [[DCL00-A. Declare immutable values using const or enum]].
enum { ADULT_AGE=18 };
/* ... */
if (age >= ADULT_AGE) {
/* Take action */
}
else {
/* Take a different action */
}
/* ... */
Risk Assessment
Using numeric literals makes code more difficult to read and understand.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
DCL06-A |
1 (low) |
1 (unlikely) |
2 (medium) |
P2 |
L3 |
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
http://www.doc.ic.ac.uk/lab/cplus/c++.rules/chap10.html
[[ISO/IEC 9899-1999]] Section 6.7, "Declarations"