SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 273

changes.mady.by.user Amy Gale

Saved on

compared with

New Version 274

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

...

Recommendation

Severity

Likelihood

Detectable

RepairableRemediation Cost

Priority

Level

FIO02-C

Medium

Probable

No

NoMedium

P8P4

L2L3

Automated Detection

Tool

Version

Checker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
IO.TAINT.FNAME

Tainted Filename

Compass/ROSE



Could catch violations of this rule by enforcing that any call to open() or fopen() is preceded by a canonicalization routine—that is, a call to realpath() or canonicalize_file_name(). This call will catch some false positives, as ROSE cannot tell when canonicalization is warranted. False positives can be reduced (but not eliminated) by only reporting instances of fopen() or open() where the file name string has some other processing done to it. This reflects the fact that canonicalization is only necessary for doing verification based on the file name string

Klocwork
Include Page
Klocwork_V
Klocwork_V

SV.DLLPRELOAD.NONABSOLUTE.DLL
SV.TOCTOU.FILE_ACCESS


LDRA tool suite
Include Page
LDRA_V
LDRA_V

85 D

Partially implemented

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. FIO02-C

Checks for vulnerable path manipulation (rule fully covered)

...