...
The deprecated and obsolescent functions enumerated in this guideline are commonly associated with software vulnerabilities.
| Rule | Severity | Likelihood | Detectable | Repairable | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|---|---|
| MSC24-C | High | Probable | Yes | No | Medium | P12 | L1 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| Astrée | | stdlib-use-ato stdlib-macro-ato stdlib-use-atoll stdlib-macro-atoll | Partially checked |
| Axivion Bauhaus Suite | | CertC-MSC24 | Fully implemented |
| CodeSonar | | BADFUNC.* PARSE.DE (customization) | A number of CodeSonar's "Use of *" checks are for deprecated/obsolescent functions; Deprecated Entity (PARSE.DE); CodeSonar also provides a mechanism for users to create custom checks for uses of specified functions |
| ECLAIR | | CC2.MSC34 | Fully implemented |
| Helix QAC | | C5039 C5040 C5041 C5042 C5043 | |
| LDRA tool suite | | 44 S | Fully implemented |
| Parasoft C/C++test | | CERT_C-MSC24-a CERT_C-MSC24-b CERT_C-MSC24-c CERT_C-MSC24-d | The 'atof', 'atoi', 'atol' and 'atoll' functions from the 'stdlib.h' or 'cstdlib' library should not be used; The 'getenv()' function from the 'stdlib.h' or 'cstdlib' library shall not be used; Avoid using unsafe string functions which may cause buffer overflows; Don't use unsafe C functions that do write to range-unchecked buffers |
| PC-lint Plus | | 586 | Fully supported |
| Polyspace Bug Finder | | CERT C: Rec. MSC24-C | Checks for use of obsolete standard function (rec. fully covered) |
| PVS-Studio | | V513, V2001, V2002 | |
| RuleChecker | | stdlib-use-ato stdlib-macro-ato stdlib-use-atoll stdlib-macro-atoll | Partially checked |
| Security Reviewer - Static Reviewer | | CuEV CvariableScope CWE395TEST_2_CPP CWE561P25 CwPSPPE CzDC deallocret integerOverflowCond invalidContainer invalidFunctionArg leakUnsafeArgAlloc memleak memleakOnRealloc noCopyConstructor noOperatorEq nullPointerRedundantCheck | Fully implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
| Standard | Related guidelines |
|---|---|
| CERT C Secure Coding Standard | ERR07-C. Prefer functions that support error checking over equivalent functions that don't; INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs; ERR34-C. Detect errors when converting a string to a number; STR06-C. Do not assume that strtok() leaves the parse string unchanged; VOID STR07-C. Use the bounds-checking interfaces for string manipulation |
| ISO/IEC TR 24772 | Use of Libraries [TRJ] |
| MISRA C:2012 | Rule 21.3 (required) |
| MITRE CWE | CWE-20, Insufficient input validation; CWE-73, External control of file name or path; CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'); CWE-91, XML Injection (aka Blind XPath Injection); CWE-94, Improper Control of Generation of Code ('Code Injection'); CWE-114, Process Control; CWE-120, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'); CWE-192, Integer coercion error; CWE-197, Numeric truncation error; CWE-367, Time-of-check, time-of-use race condition; CWE-464, Addition of data structure sentinel; CWE-601, URL Redirection to Untrusted Site ('Open Redirect'); CWE-676, Use of potentially dangerous function |
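As an added example (not code from the CERT page), the obsolescent `atoi()` that the detection table flags is shown beside the `strtol()`-based replacement that ERR34-C and INT05-C above call for; the function names `parse_int_obsolescent` and `parse_int_checked` are this example's own.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Obsolescent: atoi() reports neither malformed input nor range errors,
 * and its behaviour on out-of-range input is undefined (ERR34-C). */
int parse_int_obsolescent(const char *s) {
    return atoi(s);
}

/* Replacement: strtol() with every failure mode checked.
 * Stores the value and returns true only when the whole string is a
 * well-formed decimal integer that fits in an int. Leading whitespace is
 * accepted (strtol skips it); trailing characters are rejected. */
bool parse_int_checked(const char *s, int *out) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s) {                       /* no digits at all: "", "abc" */
        return false;
    }
    if (*end != '\0') {                   /* trailing junk: "12abc" */
        return false;
    }
    if (errno == ERANGE) {                /* did not even fit in a long */
        return false;
    }
    if (v < INT_MIN || v > INT_MAX) {     /* fits long but not int */
        return false;
    }
    *out = (int)v;
    return true;
}

int main(void) {
    const char *inputs[] = {"42", "12abc", "abc", "2147483648"};  /* constructed */
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int v = 0;
        bool ok = parse_int_checked(inputs[i], &v);
        printf("%-12s atoi=%d checked=%s\n", inputs[i],
               parse_int_obsolescent(inputs[i]), ok ? "ok" : "rejected");
    }
    return 0;
}
```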
...