These checkers enforce the CERT C Secure Coding rules, and are freely available from their SourceForge project. For questions regarding the CERT ROSE checkers, contact secure-coding at cert dot org.
Running Rosecheckers (the ROSE CERT C Checkers)
Checkers for CERT C secure coding rules/recommendations/guidelines are built into a tool called Rosecheckers, which uses the ROSE compiler. The program is run using all-lowercase 'rosecheckers'.
To run the Rosecheckers program on a C or C++ file, simply pass the file as an argument:
rosecheckers hello.c
If the C file violates some secure coding rules, the Rosecheckers program will print them out. If the Rosecheckers program can not find any violations, it prints nothing.
Rosecheckers actually takes the same arguments as gcc. So if your code has special flags that must be passed to the compiler, such as locations of include files, you can pass them to Rosecheckers in the same manner as gcc. Likewise, if you have a makefile that indicates how your program is to be built, you can run ROSE on your source code merely by instructing to your make command to use Rosecheckers as a drop-in replacement for gcc. One way to do this is:
make CC=rosecheckers
There are three ways to run Rosecheckers. You can run Rosecheckers using a downloadable virtual machine. You can build Rosecheckers, as well as ROSE itself, from source. Finally, Rosecheckers is available on Carnegie Mellon University's Andrew system to students, faculty, and staff.
Getting Rosecheckers code from source
You can get the rosecheckers code from source (no VM) from https://github.com/coruus/rosecheckers
If you install rosecheckers code from source, you will should install ROSE first. After installing ROSE:
- Clone the rosecheckers repository from github
- Set the
ROSEenvironment variable to point to the directory for ROSE that has thebin,include, etc. for ROSE - To build the Rosecheckers program from the CERT C Checkers, go into the
rosecheckers/rosecheckersdirectory and type:make pgms
Rosecheckers on a Virtual Machine
To run these checkers, you must use a virtualization system such as VMWare. The Sourceforge project provides a free example VM, which we call "Rosebud" (the Rosecheckers VM).
Once extracted, the rosebud directory is a VM image that can be powered on by VMWare. After logging in, you'll need to enter your login password again when the system asks for a sudo password. This is so the VM image can generate a unique SSH key.
After that, you should be able to access the VM from your host machine remotely using SSH. You'll need the VM's IP address for this, which you can learn with this command from the VM:
ip addr | grep /24
If it provides multiple IP addresses, select the one that begins
/192.168.../.
In the VM's home directory, there is a README file explaining what software is available there. It includes both ROSE and the CERT Secure Coding rule checkers.
Building Rosecheckers
To build the Rosecheckers program from the CERT C Checkers, type:
make pgms
To test Rosecheckers on the code samples from the CERT C Secure Coding Rules:
make tests
To build API documentation pages, you must have doxygen installed:
make doc
To clean documentation pages and build files:
make clean
Secure Coding Rules Enforced by Rosecheckers
The SEI CERT C Secure Coding Standard is freely available.
Here is a breakdown of how thoroughly Rosecheckers enforces the C Secure Coding Rules and Recommendations:
Complete | 57 | Rosecheckers catches all violations of these rules |
Partial | 45 | Rosecheckers catches some, but not all violations of these rules |
false-positive | 9 | These rules could be checked by Rosecheckers, but they will also catch some false positives. |
Potential | 29 | These rules are not checked by Rosecheckers, but could be |
Undoable | 32 | These rules could not be checked by Rosecheckers due to various limitations in ROSE. |
Unenforceable | 48 | These rules could not be checked by any tool that relies purely on unaided static analysis. |
TOTAL | 220 |