SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 87

changes.mady.by.user Will Snavely

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

...

Code Block
bgColor#ccccff
langc
#include <string.h>
 
void func(void) {
  char s[10] = "abc";
  strcpy(&s[3], "def");
}

Risk Assessment

Recommendation

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

STR11-C

Low

Probable

Low

Yes

Yes

P6

L2

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported: Astrée can detect subsequent code defects that this rule aims to prevent.
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V

 Supported, but no explicit checker

Axivion Bauhaus Suite_V

CertC-STR11
Compass/ROSE
 

 

 




ECLAIR

Include Page
ECLAIR_V
ECLAIR_V

CC2.STR36

Fully implemented

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C1312
LDRA tool suite
Include Page
LDRA_V
LDRA_V
404 SPartially implemented
Parasoft C/C++test
CODSTA-16CODSTA-16 Polyspace Bug FinderR2016a

Missing null in string array

String does not terminate with null character

PRQA QA-C Include PagePRQA QA-C_vPRQA QA-C_v1312,0690
Include Page
Parasoft_V
Parasoft_V

CERT_C-STR11-a

Do not specify the bound of a character array initialized with a string literal

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

784

Partially supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. STR11-C

Checks for missing null in string array (rec. partially covered)

Partially implemented

Splint
Include Page
Splint_V
Splint_V

 

 



Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C Secure Coding StandardARR02-C. Explicitly specify array bounds, even if implicitly defined by an initializer
STR32-C. Do not pass a non-null-terminated character sequence to a library function that expects a string
SEI CERT C++ Coding StandardVOID STR08-CPP. Do not specify the bound of a character array initialized with a string literal
ISO/IEC TR 24772:2013String Termination [CJM]

Bibliography

[ECTC 1998]Section A.8, "Character Array Initialization"
[ISO/IEC 9899:2011]Subclause 6.7.9, "Initialization"
[Seacord 2013]Chapter 2, "Strings"

...


...