DATASHEET
CERT C Rule Enforcement
(2016 Edition plus website 28 April 2020)
POSIX Rules are listed separately
ENFORCEMENT FOR KW 2023.4
|
| Total |
|---|---|---|
a | Total Number of Rules | 103 |
b | Total Number of ‘Not Statically Enforceable’ Rules (Assisted/Unassisted) | 0 |
c | Total Number of Enforceable Rules (a-b) | 103 |
d | Total Number of Enforced Rules | 85 |
e | Total Number of Unenforced Rules | 18 |
f | Enforce Rules Percentage (d/c) | 83% |
g | Unenforced Rules Percentage (e/c) | 17% |
Rule ID | Description | Level | Enforced |
|---|---|---|---|
Rule 01. Preprocessors (PRE) | |||
PRE30-C | Do not create a universal character name through concatenation. | L3 | Yes |
PRE31-C | Avoid side effects in arguments to unsafe macros. | L3 | Yes |
PRE32-C | Do not use preprocessor directives in invocations of function-like macros. | L3 | Yes |
Rule 02. Declarations and Initialization(DCL) | |||
DCL30-C | Declare objects with appropriate storage durations. | L2 | Yes |
DCL31-C | Declare identifiers before using them. | L3 | Yes |
DCL36-C | Do not declare an identifier with conflicting linkage classifications. | L2 | Yes |
DCL37-C | Do not declare or define a reserved identifier. | L3 | Yes |
DCL38-C | Use the correct syntax when declaring a flexible array member. | L3 | Yes |
DCL39-C | Avoid information leakage when passing a structure across a trust boundary. | L3 | Yes |
DCL40-C | Do not create incompatible declarations of the same function or object. | L3 | Yes |
DCL41-C | Do not declare variables inside a switch statement before the first case label. | L3 | Yes |
Rule 03. Expressions (EXP) | |||
EXP30-C | Do not depend on the order of evaluation for side effects. | L2 | Yes |
EXP32-C | Do not access a volatile object through a nonvolatile reference. | L2 | Yes |
EXP33-C | Do not read uninitialized memory. | L1 | Yes |
EXP34-C | Do not dereference null pointers. | L1 | Yes |
EXP35-C | Do not modify objects with temporary lifetime. | L3 | No |
EXP36-C | Do not cast pointers into more strictly aligned pointer types. | L3 | Yes |
EXP37-C | Call functions with the correct number and type of arguments. | L3 | Yes |
EXP39-C | Do not access a variable through a pointer of an incompatible type. | L3 | Yes |
EXP40-C | Do not modify constant objects. | L3 | No |
EXP42-C | Do not compare padding data. | L2 | Yes |
EXP43-C | Avoid undefined behavior when using restrict-qualified pointers. | L3 | Yes |
EXP44-C | Do not rely on side effects in operands to sizeof, _Alignof, or _Generic. | L3 | Yes |
EXP45-C | Do not perform assignments in selection statements. | L2 | Yes |
EXP46-C | Do not use a bitwise operator with a Boolean-like operand. | L2 | Yes |
EXP47-C | Do not call va_arg with an argument of the incorrect type. | L2 | Yes |
Rule 04. Integers (INT) | |||
INT30-C | Ensure that unsigned integer operations do not wrap. | L2 | Yes |
INT31-C | Ensure that integer conversions do not result in lost or misinterpreted data. | L2 | Yes |
INT32-C | Ensure that operations on signed integers do not result in overflow. | L2 | Yes |
INT33-C | Ensure that division and remainder operations do not result in divide-by-zero errors. | L2 | Yes |
INT34-C | Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand. | L3 | Yes |
INT35-C | Use correct integer precisions. | L3 | No |
INT36-C | Converting a pointer to integer or integer to pointer. | L3 | Yes |
Rule 05. Floating Point (FLP) | |||
FLP30-C | Do not use floating-point variables as loop counters. | L2 | Yes |
FLP32-C | Prevent or detect domain and range errors in math functions. | L2 | No |
FLP34-C | Ensure that floating-point conversions are within range of the new type. | L3 | Yes |
FLP36-C | Preserve precision when converting integral values to floating-point type. | L3 | Yes |
FLP37-C | Do not use object representations to compare floating-point values. | L3 | Yes |
Rule 06. Arrays (ARR) | |||
ARR30-C | Do not form or use out-of-bounds pointers or array subscripts. | L2 | Yes |
ARR32-C | Ensure size arguments for variable length arrays are in a valid range. | L2 | Yes |
ARR36-C | Do not subtract or compare two pointers that do not refer to the same array. | L2 | Yes |
ARR37-C | Do not add or subtract an integer to a pointer to a non-array object. | L2 | Yes |
ARR38-C | Guarantee that library functions do not form invalid pointers. | L1 | Yes |
ARR39-C | Do not add or subtract a scaled integer to a pointer. | L2 | Yes |
Rule 07. Characters and String (STR) | |||
STR30-C | Do not attempt to modify string literals. | L2 | Yes |
STR31-C | Guarantee that storage for strings has sufficient space for character data and the null terminator. | L1 | Yes |
STR32-C | Do not pass a non-null-terminated character sequence to a library function that expects a string. | L1 | Yes |
STR34-C | Cast characters to unsigned char before converting to larger integer sizes. | L2 | Yes |
STR37-C | Arguments to character-handling functions must be representable as an unsigned char. | L3 | Yes |
STR38-C | Do not confuse narrow and wide character strings and functions. | L1 | Yes |
Rule 08. Memory Management (MEM) | |||
MEM30-C | Do not access freed memory. | L1 | Yes |
MEM31-C | Free dynamically allocated memory when no longer needed. | L2 | Yes |
MEM33-C | Allocate and copy structures containing a flexible array member dynamically. | L3 | Yes |
MEM34-C | Only free memory allocated dynamically. | L1 | Yes |
MEM35-C | Allocate sufficient memory for an object. | L2 | Yes |
MEM36-C | Do not modify the alignment of objects by calling realloc(). | L3 | Yes |
Rule 09. Input Output (FIO) | |||
FIO30-C | Exclude user input from format strings. | L1 | Yes |
FIO32-C | Do not perform operations on devices that are only appropriate for files. | L3 | No |
FIO34-C | Distinguish between characters read from a file and EOF or WEOF. | L1 | Yes |
FIO37-C | Do not assume that fgets() or fgetws() returns a nonempty string when successful. | L1 | No |
FIO38-C | Do not copy a FILE object. | L3 | Yes |
FIO39-C | Do not alternately input and output from a stream without an intervening flush or positioning call. | L2 | Yes |
FIO40-C | Reset strings on fgets() or fgetws() failure. | L3 | No |
FIO41-C | Do not call getc(), putc(), getwc(), or putwc() with a stream argument that has side effects. | L3 | No |
FIO42-C | Close files when they are no longer needed. | L3 | Yes |
FIO44-C | Only use values for fsetpos() that are returned from fgetpos(). | L3 | Yes |
FIO45-C | Avoid TOCTOU race conditions while accessing files. | L2 | Yes |
FIO46-C | Do not access a closed file. | L3 | Yes |
FIO47-C | Use valid format strings. | L2 | Yes |
Rule 10. Environment (ENV) | |||
ENV30-C | Do not modify the object referenced by the return value of certain functions. | L3 | Yes |
ENV31-C | Do not rely on an environment pointer following an operation that may invalidate it. | L3 | No |
ENV32-C | All exit handlers must return normally. | L1 | Yes |
ENV33-C | Do not call system(). | L1 | Yes |
ENV34-C | Do not store pointers returned by certain functions. | L3 | Yes |
Rule 11. Signals (SIG) | |||
SIG30-C | Call only asynchronous-safe functions within signal handlers. | L1 | No |
SIG31-C | Do not access shared objects in signal handlers. | L2 | No |
SIG34-C | Do not call signal() from within interruptible signal handlers. | L3 | Yes |
SIG35-C | Do not return from a computational exception signal handler. | L3 | Yes |
Rule 12. Error Handling (ERR) | |||
ERR30-C | Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure. | L2 | Yes |
ERR32-C | Do not rely on indeterminate values of errno. | L3 | Yes |
ERR33-C | Detect and handle standard library errors. | L1 | Yes |
ERR34-C | Detect errors when converting a string to a number. | L3 | Yes |
Rule 14. Concurrency (CON) | |||
CON30-C | Clean up thread-specific storage. | L3 | No |
CON31-C | Do not destroy a mutex while it is locked. | L3 | No |
CON32-C | Prevent data races when accessing bit-fields from multiple threads. | L2 | No |
CON33-C | Avoid race conditions when using library functions. | L3 | Yes |
CON34-C | Declare objects shared between threads with appropriate storage durations. | L3 | No |
CON35-C | Avoid deadlock by locking in a predefined order. | L3 | Yes |
CON36-C | Wrap functions that can spuriously wake up in a loop. | L3 | Yes |
CON37-C | Do not call signal() in a multithreaded program. | L2 | Yes |
CON38-C | Preserve thread safety and liveness when using condition variables. | L3 | Yes |
CON39-C | Do not join or detach a thread that was previously joined or detached. | L2 | No |
CON40-C | Do not refer to an atomic variable twice in an expression. | L2 | Yes |
CON41-C | Wrap functions that can fail spuriously in a loop. | L3 | Yes |
CON43-C | Do not allow data races in multithreaded code. | L3 | No |
Rule 48. Miscellaneous (MISC) | |||
MSC30-C | Do not use the rand() function for generating pseudorandom numbers. | L2 | Yes |
MSC32-C | Properly seed pseudorandom number generators. | L1 | Yes |
MSC33-C | Do not pass invalid data to the asctime() function. | L1 | Yes |
MSC37-C | Ensure that control never reaches the end of a non-void function. | L2 | Yes |
MSC38-C | Do not treat a predefined identifier as an object if it might only be implemented as a macro. | L3 | No |
MSC39-C | Do not call va_arg() on a va_list that has an indeterminate value. | L3 | Yes |
MSC40-C | Do not violate constraints. | L3 | Yes |
MSC41-C | Never hard code sensitive information. | L1 | Yes |
POSIX
Rule ID | Description | Level | Enforced |
|---|---|---|---|
Rule 50. POSIX(POS) | |||
POS30-C | Use the readlink() function properly. | L1 | Yes |
POS34-C | Do not call putenv() with a pointer to an automatic variable as the argument. | L2 | Yes |
POS35-C | Avoid race conditions while checking for the existence of a symbolic link. | L1 | Yes |
POS36-C | Observe correct revocation order while relinquishing privileges. | L1 | Yes |
POS37-C | Ensure that privilege relinquishment is successful. | L1 | Yes |
POS38-C | Beware of race conditions when using fork and file descriptors. | L3 | No |
POS39-C | Use the correct byte ordering when transferring data between systems. | L1 | Yes |
POS44-C | Do not use signals to terminate threads. | L2 | Yes |
POS47-C | Do not use threads that can be canceled asynchronously. | L1 | Yes |
POS48-C | Do not unlock or destroy another POSIX thread's mutex. | L3 | No |
POS49-C | When data must be accessed by multiple threads, provide a mutex and guarantee no adjacent data is also accessed. | L2 | No |
POS50-C | Declare objects shared between POSIX threads with appropriate storage durations. | L3 | No |
POS51-C | Avoid deadlock with POSIX threads by locking in predefined order. | L3 | Yes |
POS52-C | Do not perform operations that can block while holding a POSIX lock. | L3 | Yes |
POS53-C | Do not use more than one mutex for concurrent waiting operations on a condition variable. | L3 | No |
POS54-C | Detect and handle POSIX library errors. | L1 | Yes |
Microsoft Windows
Rule ID | Description | Level | Enforced |
|---|---|---|---|
Rule 51. Microsoft Windows(WIN) | |||
WIN30-C | Properly pair allocation and deallocation functions | L2 | Yes |