SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 175

changes.mady.by.user Jill Britton

Saved on

compared with

New Version 176

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Helix QAC

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported via stubbing/taint analysis
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-FIO30Partially implemented
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

IO.INJ.FMT
MISC.FMT

Format string injection
Format string

Compass/ROSE



Coverity
Include Page
Coverity_V
Coverity_V

TAINTED_STRING

Implemented
GCC
Include Page
GCC_V
GCC_V

Can detect violations of this rule when the -Wformat-security flag is used

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V



Klocwork
Include Page
Klocwork_V
Klocwork_V

SV.FMTSTR.GENERIC
SV.TAINTED.FMTSTR


LDRA tool suite
Include Page
LDRA_V
LDRA_V

86 D

Partially Implemented
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-FIO30-a
CERT_C-FIO30-b
CERT_C-FIO30-c

Avoid calling functions printf/wprintf with only one argument other than string constant
Avoid using functions fprintf/fwprintf with only two parameters, when second parameter is a variable
Never use unfiltered data from an untrusted user as the format parameter

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

592

Partially supported: reports non-literal format strings

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule FIO30-C

Checks for tainted string format (rule partially covered)

PRQA QA-C

Include Page
PRQA QA-C_v
PRQA QA-C_v

4916, 4917, 4918


PRQA QA-C++

 

Include Page
cplusplus:PRQA QA-C++_V
cplusplus:PRQA QA-C++_V

4916, 4917, 4918
PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V618
Splint
Include Page
Splint_V
Splint_V
Helix QAC
Include Page
Helix QAC_V
_V


Related Vulnerabilities

Two examples of format-string vulnerabilities resulting from a violation of this rule include Ettercap and Samba.

...