Recommendations
STR00-A. Represent characters using an appropriate type
STR01-A. Use managed strings for development of new string manipulation code
STR02-A. Sanitize data passed to complex subsystems
STR03-A. Do not inadvertently truncate a null-terminated byte string
STR04-A. Use plain char for character data
STR05-A. Prefer making string literals const-qualified
STR06-A. Do not assume that strtok() leaves the parse string unchanged
STR07-A. Use TR 24731 for remediation of existing string manipulation code
Rules
STR30-C. Do not attempt to modify string literals
STR32-C. Null-terminate byte strings as required
STR33-C. Size wide character strings correctly
STR34-C. Cast characters to unsigned types before converting to larger integer sizes
STR35-C. Do not copy data from an unbounded source to a fixed-length array
Risk Assessment Summary
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
STR00-A |
medium |
probable |
low |
P12 |
L1 |
STR01-A |
high |
probable |
high |
P6 |
L2 |
STR02-A |
medium |
likely |
medium |
P12 |
L1 |
STR03-A |
low |
unlikely |
medium |
P2 |
L3 |
STR04-A |
low |
unlikely |
medium |
P2 |
L3 |
STR05-A |
low |
unlikely |
high |
P1 |
L3 |
STR06-A |
medium |
probable |
low |
P12 |
L1 |
STR07-A |
high |
probable |
medium |
P12 |
L1 |
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
STR30-C |
low |
likely |
low |
P9 |
L2 |
STR31-C |
high |
likely |
medium |
P18 |
L1 |
STR32-C |
high |
probable |
medium |
P12 |
L1 |
STR33-C |
high |
likely |
medium |
P18 |
L1 |
STR34-C |
medium |
probable |
medium |
P8 |
L2 |
STR35-C |
high |
likely |
medium |
P18 |
L1 |
Related Rules and Recommendations
ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to an element within the array 06. Arrays (ARR) STR07-A. Use TR 24731 for remediation of existing string manipulation code