Page History

...

Replacing secure functions with less secure functions is a very risky practice because developers can be easily fooled into trusting the function to perform a security check that is absent. This may be a concern, for example, as developers attempt to adopt more secure functions , such as the C11 Annex K functions, that might not be available on all platforms. (See VOID STR07-C. Use the bounds-checking interfaces for string manipulation.)

Recommendation	Severity	Likelihood	Detectable

Remediation Cost

Repairable	Priority	Level
PRE09-C	High	Likely	Yes

Medium

No

P18

L1

Automated Detection

Tool	Version	Checker	Description

PRQA QA-C Include PagePRQA QA-C_vPRQA QA-C_vSecondary analysisFully implemented

Astrée

Include Page

	Astrée_V
	Astrée_V

Supported, but no explicit checker

Axivion Bauhaus Suite

Include Page

	Axivion Bauhaus Suite_V
	Axivion Bauhaus Suite_V

CertC-PRE09

Cppcheck Premium

Include Page

	Cppcheck Premium_V
	Cppcheck Premium_V

premium-cert-pre09-c

Helix QAC

Include Page

	Helix QAC_V
	Helix QAC_V

C5003

Polyspace Bug Finder

Include Page

	Polyspace Bug Finder_V
	Polyspace Bug Finder_V

CERT C: Rec. PRE09-C

Checks for:

Use of dangerous standard function
Insufficient destination buffer size

Rec. fully covered.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Coding Standard	VOID PRE09-CPP. Do not replace secure functions with less secure functions
ISO/IEC TR 24772:2013	Executing or Loading Untrusted Code [XYS]
MITRE CWE	CWE-684, Failure to provide specified functionality

Bibliography

[IEEE Std 1003.1:2013]	XSH, System Interfaces, vsnprintf, `vsprintf`
[Seacord 2013]	Chapter 6, "Formatted Output"
[VU#654390]

...

Image Modified Image Modified Image Modified

Space shortcuts

Page tree

Versions Compared

Old Version 90

New Version Current

Key

Automated Detection

Related Vulnerabilities

Related Guidelines

Bibliography