...
Compass/ROSE could detect some violations of this rule. In particular, it could detect the NCCE by searching for fgets() or gets(), followed by "strlen() - 1", which could be -1. The crux of this rule is that a string returned by fgets() or gets() could still be empty, because the first char is '\0'. There are probably other code examples that violate this guideline; we would need to enumerate them before ROSE could detect them.
...