...

| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | (general) | CodeSonar considers the possibility that fgets() and fgetws() may return empty strings; warnings of various classes may be triggered depending on subsequent operations on those strings. For example, the "Noncompliant Code Example" cited above would trigger a Buffer Underrun warning. |
| Compass/ROSE | | | Could detect some violations of this rule. In particular, it could detect the noncompliant code example by searching for fgets(), followed by strlen() - 1, which could be −1. The crux of this rule is that a string returned by fgets() could still be empty, because the first char is '\0'. There are probably other code examples that violate this guideline; they would need to be enumerated before ROSE could detect them. |
| Fortify SCA | 5.0 | | |

...

...
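The failure mode the table describes (fgets() succeeding with a string whose first character is '\0', followed by strlen() - 1), shown next to a hardened read routine. This is an added C example, not code from the original page; the function names and the sample bytes are constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Noncompliant pattern from the table: the index used by
 * buf[strlen(buf) - 1] = '\0'. For an empty string, size_t arithmetic
 * wraps to SIZE_MAX, so the write lands outside the buffer. */
size_t unsafe_newline_index(const char *buf) {
    return strlen(buf) - 1;
}

/* Hardened form: read one line and strip the newline only if present.
 * Returns the string length (0 is a valid result), or -1 on EOF/error. */
int read_line(FILE *fp, char *buf, size_t size) {
    if (size == 0 || size > INT_MAX || fgets(buf, (int)size, fp) == NULL)
        return -1;
    char *nl = strchr(buf, '\n');
    if (nl != NULL)
        *nl = '\0';
    return (int)strlen(buf);
}

/* Hypothetical helper: temporary stream holding constructed bytes. */
FILE *stream_from_bytes(const void *data, size_t len) {
    FILE *fp = tmpfile();
    if (fp != NULL && fwrite(data, 1, len, fp) != len) {
        fclose(fp);
        return NULL;
    }
    if (fp != NULL)
        rewind(fp);
    return fp;
}

int main(void) {
    /* Constructed input: the first byte of the line is NUL. */
    static const char sample[] = { '\0', 'a', 'b', 'c', '\n' };
    char buf[32];
    FILE *fp = stream_from_bytes(sample, sizeof sample);
    if (fp == NULL)
        return 1;
    printf("safe length:  %d\n", read_line(fp, buf, sizeof buf));
    printf("unsafe index: %zu\n", unsafe_newline_index(buf));
    fclose(fp);
    return 0;
}
```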