Versions Compared

...

Fortify SCA Version 5.0 can detect violations of this rule.

The tool Compass/ROSE could detect some violations of this rule by ensuring that every fopen() call with a variable as the file name. This rule applies only to untrusted filename strings, and ROSE cannot tell which strings are 'trusted' and which are not. The best heuristic is to check whether there is any verification of the filename before or after the fopen() call. If there is, then the file opening should be preceded by an lstat() call and followed by an fstat() call. While that does not enforce the rule completely, it does indicate that the coder is aware of the lstat-fopen-fstat idiom. I don't think this applies to file opens where the filename is a constant.
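The lstat-fopen-fstat idiom that the heuristic above looks for, as an added example (not code from the CERT page or from Compass/ROSE). It assumes a POSIX system; the temp-file paths and the `open_regular_file()`/`demo()` names are constructed for this illustration. The lstat() before the open rejects symlinks, directories and devices up front, and the fstat() on the opened descriptor confirms that the object actually opened is the same regular file (same st_dev/st_ino) that lstat() examined, so a swap between check and open is detected rather than silently accepted.

```c
/* Added example, not part of the original page: the lstat-fopen-fstat idiom. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Returns an open stream only if `path` names a regular file both before and
 * after the open and the opened descriptor refers to the inode lstat() saw. */
FILE *open_regular_file(const char *path) {
    struct stat before, after;
    /* 1. lstat(): refuse symlinks, directories, devices and FIFOs up front */
    if (lstat(path, &before) != 0 || !S_ISREG(before.st_mode)) return NULL;
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return NULL;
    /* 2. fstat() the descriptor actually opened, not the path a second time */
    if (fstat(fileno(fp), &after) != 0 || !S_ISREG(after.st_mode)
        || after.st_dev != before.st_dev || after.st_ino != before.st_ino) {
        fclose(fp);   /* the object changed between lstat() and fopen() */
        return NULL;
    }
    return fp;
}

/* Self-check on constructed inputs: a fresh temp file is accepted, while the
 * current directory and a path that no longer exists are rejected.
 * Returns 0 when every case behaves as expected. */
int demo(void) {
    char name[] = "/tmp/fio_example_XXXXXX";   /* constructed sample file */
    int fd = mkstemp(name);
    if (fd < 0) return 1;
    if (write(fd, "data\n", 5) != 5) { close(fd); unlink(name); return 2; }
    close(fd);
    FILE *fp = open_regular_file(name);
    int accepted = (fp != NULL);
    if (fp != NULL) fclose(fp);
    unlink(name);
    if (!accepted) return 3;
    if (open_regular_file(".") != NULL) return 4;    /* directory: rejected */
    if (open_regular_file(name) != NULL) return 5;   /* unlinked path: rejected */
    return 0;
}
```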

...