These checkers enforce the CERT C Secure Coding rules. The code is available for free download by selecting 'Attachments' on this page.
The source code] was developed by the CERT Secure Coding Group, and is freely available.
This code has been developed and tested on an i386 workstation running Linux (2.6.16.60) and g++ (3.4.4)
This code depends on ROSE 0.9.3a, which is available for free download from:
ROSE 0.9.3a also depends on the BOOST C++ library, version 1.3.5, which is available for free download from:
First make sure that the ROSE environment variable points to the build directory of ROSE:
export ROSE=/usr/local/rose/compileTree |
To build the ROSE 'diagnose' program, which runs secure coding rules:
make pgms |
To test diagnose on the code samples from the CERT C Secure Coding Rules:
make tests |
To build API documentation pages, you must have doxygen installed:
make doc |
To clean documentation pages and build files:
make clean |
To run the diagnose program on a C file, simply pass the C file as an argument:
diagnose hello.c |
If the C file violates some secure coding rules, the diagnose program will print them out. If the diagnose program can not find any violations, it prints nothing.
The C Secure Coding Rules are freely available.
Here is a breakdown of how thoroughly diagnose enforces the C Secure Coding Rules:
Complete |
57 |
ROSE catches all violations of these rules |
Partial |
45 |
ROSE catches some, but not all violations of these rules |
false-positive |
9 |
These rules could be checked by diagnose, but they will also catch some false positives. |
Potential |
29 |
These rules are not checked by diagnose, but could be |
Undoable |
32 |
These rules could not be checked by ROSE due to various limitations in ROSE. |
Unenforceable |
48 |
These rules could not be checked by any tool that relies purely on unaided static analysis. |
TOTAL |
220 |