Coverity Support for SEI CERT , C++, and Java Coding Standards

Ensure the safety, The SEI CERT C, C++, and Oracle Java Coding Standards are lists of rules and reliability, and security recommendations for writing secure code in the C, C++, and Java programming languages They represent an important milestone in introducing best practices for of software written in C, ensuring the safety, reliability, security, and integrity of software written in C/C++ and C++, and Java Java Notably, the standards are designed to be enforceable by software code analyzers using static analysis techniques This greatly reduces the cost of compliance by way of automation

Adhering to coding standards is a crucial step in establishing best coding practices Standards adherence is particularly important in safety-critical, high-impact industries, such as automotive, medical, and networking Software defects in products coming from these industries manifest themselves physically and tangibly—often with life- threatening consequences

Synopsys provides a comprehensive solution for the SEI CERT C/C++ Coding Standards rules, along with high-impact SEI CERT Oracle Java Coding Standards (online version) rules and SEI CERT C Coding Standard recommendations (online version) Coverity static analysis implements the Rules category within the CERT C/ C++ standards, high-impact CERT Java L1 rules, and methods for managing violations and reporting on them Coverity also supports some of the best practices from the Recommendations category for the CERT C standard

Acknowledgement • This Publication incorporates portions of the rule identifiers, the rule descriptive names (clauses) which follow the identifier, and rule level (from the risk assessment) for each rule in the CERT C, CERT CPP, CERT C Recommendations and CERT JAVA standards available at wikiseicmuedu/confluence/display/seccode/ SEI+CERT+Coding+Standards © 2020 Carnegie Mellon University, with special permission from its Software Engineering Institute • ANY MATERIAL OF CARNEGIE MELLON UNIVERSITY AND/OR ITS SOFTWARE ENGINEERING INSTITUTE CONTAINED HEREIN IS FURNISHED ON AN “AS-IS” BASIS CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT • This publication has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute • Carnegie Mellon and CERT are registered trademarks of Carnegie Mellon University

| synopsys.com | 1 The “Level” column in the “supported rules” and “supported recommendations” tables below indicates the severity, remediation cost, and likelihood of each vulnerability Level 1 vulnerabilities are the most severe, the least expensive to repair, and/or the most likely to be found in code Meanwhile, Level 3 vulnerabilities are the least severe, the most expensive to repair, and/or the least likely to be found in code

SEI CERT C Coding Standard (2016 Edition) The SEI CERT C Coding Standard was developed specifically for the following versions of the C language: • ISO/IEC 9899:2011: Information Technology—Programming Languages—C, 3rd ed • ISO/IEC 9899:2011/Cor 1:2012: Information Technology—Programming Languages—C Technical Corrigendum 1 These versions are commonly referred to as the C11 standard The CERT C rules may also be applied to earlier versions of the C language, such as

The 2016 edition of the CERT C standard contains 99 coding rules There are additional CERT C rules available on the CERT Secure Coding wiki, bringing the total number of rules to 120 as of July 10, 2020 The CERT Secure Coding wiki for C is here: https://wwwsecurecodingcertorg/confluence/display/c/

The SEI CERT C Coding Standard (2016 Edition) is here: https://wwwcertorg/secure-coding/products-services/secure-coding-downloadcfm

The CERT C wiki also documents 185 recommendations and two platform-specific annexes (POSIX and Windows) The recommendations and annexes are not part of the core secure coding standard and may be useful for projects with stricter requirements

CERT C rule coverage Rules Section % Coverage Supported All All 115 121* 95.8 PRE 3 3 100.0 DCL 8 8 100.0 EXP 15 15 100.0 INT 7 7 100.0 FLP 5 5 100.0 ARR 6 6 100.0 STR 6 6 100.0 MEM 6 6 100.0 FIO 13 13 100.0 ENV 5 5 100.0 SIG 4 4 100.0 ERR 4 4 100.0 CON 12 13 92.3 MSC 7 8 87.5 POS* 14 17* 82.4 WIN 0 1 0.0 * As of July 10, 2020, POS33-C is moved to The Void: void POS33-C Do not use vfork(), reducing the total number of POS rules to 16 and the number of CERT C rules to 120 Thus, percentage coverage is calculated as 115/120 = 95.8%

| synopsys.com | 2 CERT C supported rules Rule Description Level PRE30-C Do not create a universal character name through concatenation L3 PRE31-C Avoid side effects in arguments to unsafe macros L3 PRE32-C Do not use preprocessor directives in invocations of function-like macros L3 DCL30-C Declare objects with appropriate storage durations L2 DCL31-C Declare identifiers before using them L3 DCL36-C Do not declare an identifier with conflicting linkage classifications L2 DCL37-C Do not declare or define a reserved identifier L3 DCL38-C Use the correct syntax when declaring a flexible array member L3 DCL39-C Avoid information leakage when passing a structure across a trust boundary L3 DCL40-C Do not create incompatible declarations of the same function or object L3 DCL41-C Do not declare variables inside a switch statement before the first case label L3 EXP30-C Do not depend on order of evaluation for side effects L2 EXP32-C Do not access a volatile object through a nonvolatile reference L2 EXP33-C Do not read uninitialized memory L1 EXP34-C Do not dereference null pointers L1 EXP35-C Do not modify objects with temporary lifetime L3 EXP36-C Do not cast pointers into more strictly aligned pointer types L3 EXP37-C Call functions with the correct number and type of arguments L3 EXP39-C Do not access a variable through a pointer of an incompatible type L3 EXP40-C Do not modify constant objects L3 EXP42-C Do not compare padding data L2 EXP43-C Avoid undefined behavior when using restrict-qualified pointers L3 EXP44-C Do not rely on side effects in operands to sizeof, _Alignof, or _Generic L3 EXP45-C Do not perform assignments in selection statements L2 EXP46-C Do not use a bitwise operator with a Boolean-like operand L2 EXP47-C Do not call va_arg with an argument of incorrect type L2 INT30-C Ensure that unsigned integer operations do not wrap L2 INT31-C Ensure that integer conversions do not result in lost or misinterpreted data L2 INT32-C Ensure that operations on signed integers do not result in overflow L2 INT33-C Ensure that division and modulo operations do not result in divide-by-zero errors L2 INT34-C Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits L3 that exist in the operand INT35-C Use correct integer precisions L3 INT36-C Converting a pointer to integer or integer to pointer L3 FLP30-C Do not use floating-point variables as loop counters L2 FLP32-C Prevent or detect domain and range errors in math functions L2 FLP34-C Ensure that floating-point conversions are within range of the new type L3 FLP36-C Preserve precision when converting integral values to floating-point type L3 FLP37-C Do not use object representations to compare floating-point values L3 ARR30-C Do not form or use out of bounds pointers or array subscripts L2 ARR32-C Ensure size arguments for variable length arrays are in a valid range L2 ARR36-C Do not subtract or compare two pointers that do not refer to the same array L2

| synopsys.com | 3 Rule Description Level ARR37-C Do not add or subtract an integer to a pointer to a non-array object L2 ARR38-C Guarantee that library functions do not form invalid pointers L1 ARR39-C Do not add or subtract a scaled integer to a pointer L2 STR30-C Do not attempt to modify string literals L2 STR31-C Guarantee that storage for strings has sufficient space for character data and the null terminator L1 STR32-C Do not pass a non-null-terminated character sequence to a library function that expects a string L1 STR34-C Cast characters to unsigned char before converting to larger integer sizes L2 STR37-C Arguments to character-handling functions must be representable as an unsigned char L3 STR38-C Do not confuse narrow and wide character strings and functions L1 MEM30-C Do not access freed memory L1 MEM31-C Free dynamically allocated memory when no longer needed L2 MEM33-C Allocate and copy structures containing a flexible array member dynamically L3 MEM34-C Only free memory allocated dynamically L1 MEM35-C Allocate sufficient memory for an object L2 MEM36-C Do not modify the alignment of objects by calling realloc() L3 FIO30-C Exclude user input from format strings L1 FIO32-C Do not perform operations on devices that are only appropriate for files L3 FIO34-C Distinguish between characters read from a file and EOF or WEOF L1 FIO37-C Do not assume that fgets() or fgetws() returns a nonempty string when successful L1 FIO38-C Do not copy a FILE object L3 FIO39-C Do not alternately input and output from a stream without an intervening flush or positioning call L2 FIO40-C Reset strings on fgets() or fgetws() failure L3 FIO41-C Do not call getc(), putc(), getwc(), or putwc() with a stream argument that has side effects L3 FIO42-C Close files when they are no longer needed L3 FIO44-C Only use values for fsetpos() that are returned from fgetpos() L3 FIO45-C Avoid TOCTOU race conditions while accessing files L2 FIO46-C Do not access a closed file L3 FIO47-C Use valid format strings L2 ENV30-C Do not modify the object referenced by the return value of certain functions L3 ENV31-C Do not rely on an environment pointer following an operation that may invalidate it L3 ENV32-C All exit handlers must return normally L1 ENV33-C Do not call system() L1 ENV34-C Do not store pointers returned by certain functions L3 SIG30-C Call only asynchronous-safe functions within signal handlers L1 SIG31-C Do not access shared objects in signal handlers L2 SIG34-C Do not call signal() from within interruptible signal handlers L3 SIG35-C Do not return from a computational exception signal handler L3 ERR30-C Set errno to zero before calling a library function known to set errno, and check errno only after the L2 function returns a value indicating failure ERR32-C Do not rely on indeterminate values of errno L3 ERR33-C Detect and handle standard library errors L1 ERR34-C Detect errors when converting a string to a number L3

| synopsys.com | 4 Rule Description Level CON30-C Clean up thread-specific storage L3 CON31-C Do not destroy a mutex while it is locked L3 CON32-C Prevent data races when accessing bit-fields from multiple threads L2 CON33-C Avoid race conditions when using library functions L3 CON34-C Declare objects shared between threads with appropriate storage durations L3 CON35-C Avoid deadlock by locking in predefined order L3 CON36-C Wrap functions that can spuriously wake up in a loop L3 CON37-C Do not call signal() in a multithreaded program L2 CON38-C Preserve thread safety and liveness when using condition variables L3 CON39-C Do not join or detach a thread that was previously joined or detached L2 CON40-C Do not refer to an atomic variable twice in an expression L2 CON41-C Wrap functions that can fail spuriously in a loop L3 MSC30-C Do not use the rand() function for generating pseudorandom numbers L2 MSC32-C Properly seed pseudorandom number generators L1 MSC33-C Do not pass invalid data to the asctime() function L1 MSC37-C Ensure that control never reaches the end of a non-void function L2 MSC38-C Do not treat a predefined identifier as an object if it might only be implemented as a macro L3 MSC39-C Do not call va_arg() on a va_list that has an indeterminate value L3 MSC40-C Do not violate constraints L3 POS30-C Use the readlink() function properly L1 POS33-C$ Do not use vfork() L2 POS34-C Do not call putenv() with a pointer to an automatic variable as the argument L2 POS35-C Avoid race conditions while checking for the existence of a symbolic link L1 POS36-C Observe correct revocation order while relinquishing privileges L1 POS37-C Ensure that privilege relinquishment is successful L1 POS38-C Beware of race conditions when using fork and file descriptors L3 POS39-C Use the correct byte ordering when transferring data between systems L1 POS44-C Do not use signals to terminate threads L2 POS47-C Do not use threads that can be canceled asynchronously L1 POS49-C When data must be accessed by multiple threads, provide a mutex and guarantee no adjacent data is L2 also accessed POS50-C Declare objects shared between POSIX threads with appropriate storage durations L3 POS52-C Do not perform operations that can block while holding a POSIX lock L3 POS54-C Detect and handle POSIX library errors L1

$ As of July 10, 2020, POS33-C is moved to The Void: void POS33-C Do not use vfork()

| synopsys.com | 5 CERT C L1 recommendation coverage (online version) Recommendations Section % Coverage Supported All All 21 25* 84.0 PRE 3 5 60.0 DCL 0 1 0.0 EXP 2 2 100.0 INT 2 2 100.0 ARR 1 1 100.0 STR 4 4 100.0 MEM 1 1 100.0 FIO 2 2 100.0 ENV 1 1 100.0 SIG 1 1 100.0 API 1 1* 100.0 MSC 3 4 75.0 *There are 26 total CERT C L1 recommendations Apart from API10-C, which is incomplete, there are 25 validated recommendations considered in this calculation

CERT C supported recommendations (online version) Recommendation Description Level PRE09-C Do not replace secure functions with deprecated or obsolescent functions L1 PRE10-C Wrap multistatement macros in a do-while loop L1 PRE11-C Do not conclude macro definitions with a semicolon L1 PRE12-C Do not define unsafe macros L2 DCL11-C Understand the type issues associated with variadic functions L2 DCL23-C Guarantee that mutually visible identifiers are unique L2 EXP05-C Do not cast away a const qualification L2 EXP08-C Ensure pointer arithmetic is used correctly L2 EXP10-C Do not depend on the order of evaluation of subexpressions or the order in which side effects L2 take place EXP15-C Do not place a semicolon on the same line as an if, for, or while statement L1 EXP16-C Do not compare function pointers to constant values L2 EXP19-C Use braces for the body of an if, for, or while statement L2 EXP20-C Perform explicit tests to determine success, true and false, and equality L1 INT02-C Understand integer conversion rules L2 INT04-C Enforce limits on integer values originating from tainted sources L2 INT07-C Use only explicitly signed or unsigned char type for numeric values L2 INT13-C Use bitwise operators only on unsigned operands L2 INT17-C Define integer constants in an implementation-independent manner L1 INT18-C Evaluate integer expressions in a larger size before comparing or assigning to that size L1 ARR00-C Understand how arrays work L2 ARR01-C Do not apply the sizeof operator to a pointer when taking the size of an array L1 ARR02-C Explicitly specify array bounds, even if implicitly defined by an initializer L2

| synopsys.com | 6 Recommendation Description Level STR00-C Represent characters using an appropriate type L1 STR02-C Sanitize data passed to complex subsystems L1 STR03-C Do not inadvertently truncate a string L2 STR06-C Do not assume that strtok() leaves the parse string unchanged L1 STR07-C Use the bounds-checking interfaces for string manipulation L1 STR11-C Do not specify the bound of a character array initialized with a string literal L2 MEM00-C Allocate and free memory in the same module, at the same level of abstraction L1 MEM01-C Store a new value in pointers immediately after free() L2 MEM05-C Avoid large stack allocations L2 FIO01-C Be careful using functions that use file names for identification L1 FIO20-C Avoid unintentional truncation when using fgets() or fgetws() L1 ENV01-C Do not make assumptions about the size of an environment variable L1 SIG02-C Avoid using signals to implement normal functionality L1 API05-C Use conformant array parameters L1 MSC15-C Do not depend on undefined behavior L1 MSC17-C Finish every set of statements associated with a case label with a break statement L1 MSC18-C Be careful while handling sensitive data, such as passwords, in program code L2 MSC24-C Do not use deprecated or obsolescent functions L1

| synopsys.com | 7 SEI CERT C++ Coding Standard (2016 Edition) The SEI CERT C++ Coding Standard was developed specifically for the following version of the C++ language: • ISO/IEC 14882-2014: Information Technology---Programming Languages—C++, 4th ed This version is commonly referred to as the C++14 standard

The CERT C++ rules may also be applied to earlier versions of the C++ language, such as C++11

The 2016 edition of the CERT C++ standard contains 83 coding rules

The CERT Secure Coding wiki for C++ is here: https://wwwsecurecodingcertorg/confluence/display/cplusplus/

The SEI CERT C++ Coding Standard (2016 Edition) is here: https://certorg/secure-coding/products-services/secure-coding-cpp-download-2016cfm

The CERT C++ wiki also documents some recommendations The recommendations are not part of the core secure coding standard

CERT C++ rule coverage Rules Section % Coverage Supported All All 83 83 100.0 DCL 11 11 100.0 EXP 14 14 100.0 INT 1 1 100.0 CTR 9 9 100.0 STR 4 4 100.0 MEM 8 8 100.0 FIO 2 2 100.0 ERR 13 13 100.0 OOP 9 9 100.0 CON 7 7 100.0 MSC 5 5 100.0

CERT C++ supported rules Rule Description Level DCL50-CPP Do not define a C-style variadic function L1 DCL51-CPP Do not declare or define a reserved identifier L3 DCL52-CPP Never qualify a reference type with const or volatile L3 DCL53-CPP Do not write syntactically ambiguous declarations L3 DCL54-CPP Overload allocation and deallocation functions as a pair in the same scope L2 DCL55-CPP Avoid information leakage when passing a class object across a trust boundary L3 DCL56-CPP Avoid cycles during initialization of static objects L3 DCL57-CPP Do not let exceptions escape from destructors or deallocation functions L3 DCL58-CPP Do not modify the standard namespaces L2 DCL59-CPP Do not define an unnamed namespace in a header file L3 DCL60-CPP Obey the one-definition rule L3 EXP50-CPP Do not depend on the order of evaluation for side effects L2

| synopsys.com | 8 Rule Description Level EXP51-CPP Do not delete an array through a pointer of the incorrect type L3 EXP52-CPP Do not rely on side effects in unevaluated operands L3 EXP53-CPP Do not read uninitialized memory L1 EXP54-CPP Do not access an object outside of its lifetime L2 EXP55-CPP Do not access a cv-qualified object through a cv-unqualified type L2 EXP56-CPP Do not call a function with a mismatched language linkage L3 EXP57-CPP Do not cast or delete pointers to incomplete classes L3 EXP58-CPP Pass an object of the correct type to va_start L3 EXP59-CPP Use offsetof() on valid types and members L3 EXP60-CPP Do not pass a nonstandard-layout type object across execution boundaries L1 EXP61-CPP A lambda object must not outlive any of its reference captured objects L2 EXP62-CPP Do not access the bits of an object representation that are not part of the object's value representation L2 EXP63-CPP Do not rely on the value of a moved-from object L2 INT50-CPP Do not cast to an out-of-range enumeration value L3 CTR50-CPP Guarantee that container indices and iterators are within the valid range L2 CTR51-CPP Use valid references, pointers, and iterators to reference elements of a container L2 CTR52-CPP Guarantee that library functions do not overflow L1 CTR53-CPP Use valid iterator ranges L2 CTR54-CPP Do not subtract iterators that do not refer to the same container L2 CTR55-CPP Do not use an additive operator on an iterator if the result would overflow L1 CTR56-CPP Do not use pointer arithmetic on polymorphic objects L2 CTR57-CPP Provide a valid ordering predicate L3 CTR58-CPP Predicate function objects should not be mutable L3 STR50-CPP Guarantee that storage for strings has sufficient space for character data and the null terminator L1 STR51-CPP Do not attempt to create a std::string from a null pointer L1 STR52-CPP Use valid references, pointers, and iterators to reference elements of a basic_string L2 STR53-CPP Range check element access L2 MEM50-CPP Do not access freed memory L1 MEM51-CPP Properly deallocate dynamically allocated resources L1 MEM52-CPP Detect and handle memory allocation errors L1 MEM53-CPP Explicitly construct and destruct objects when manually managing object lifetime L1 MEM54-CPP Provide placement new with properly aligned pointers to sufficient storage capacity L1 MEM55-CPP Honor replacement dynamic storage management requirements L1 MEM56-CPP Do not store an already-owned pointer value in an unrelated smart pointer L1 MEM57-CPP Avoid using default operator new for over-aligned types L2 FIO50-CPP Do not alternately input and output from a file stream without an intervening positioning call L2 FIO51-CPP Close files when they are no longer needed L3 ERR50-CPP Do not abruptly terminate the program L3 ERR51-CPP Handle all exceptions L3 ERR52-CPP Do not use setjmp() or longjmp() L3 Do not reference base classes or class data members in a constructor or destructor function-try-block ERR53-CPP L3 handler ERR54-CPP Catch handlers should order their parameter types from most derived to least derived L1 ERR55-CPP Honor exception specifications L2

| synopsys.com | 9 Rule Description Level ERR56-CPP Guarantee exception safety L2 ERR57-CPP Do not leak resources when handling exceptions L3 ERR58-CPP Handle all exceptions thrown before main() begins executing L2 ERR59-CPP Do not throw an exception across execution boundaries L1 ERR60-CPP Exception objects must be nothrow copy constructible L3 ERR61-CPP Catch exceptions by lvalue reference L3 ERR62-CPP Detect errors when converting a string to a number L3 OOP50-CPP Do not invoke virtual functions from constructors or destructors L3 OOP51-CPP Do not slice derived objects L3 OOP52-CPP Do not delete a polymorphic object without a virtual destructor L2 OOP53-CPP Write constructor member initializers in the canonical order L3 OOP54-CPP Gracefully handle self-copy assignment L3 OOP55-CPP Do not use pointer-to-member operators to access nonexistent members L2 OOP56-CPP Honor replacement handler requirements L3 OOP57-CPP Prefer special member functions and overloaded operators to functions L2 OOP58-CPP Copy operations must not mutate the source object L2 CON50-CPP Do not destroy a mutex while it is locked L3 CON51-CPP Ensure actively held locks are released on exceptional conditions L2 CON52-CPP Prevent data races when accessing bit-fields from multiple threads L2 CON53-CPP Avoid deadlock by locking in a predefined order L3 CON54-CPP Wrap functions that can spuriously wake up in a loop L3 CON55-CPP Preserve thread safety and liveness when using condition variables L3 CON56-CPP Do no speculatively lock a non-recursive mutex that is already owned by the calling thread L3 MSC50-CPP Do not use std::rand() for generating pseudorandom numbers L2 MSC51-CPP Ensure your random number generator is properly seeded L1 MSC52-CPP Value-returning functions must return a value from all exit paths L2 MSC53-CPP Do not return from a function declared [[noreturn]] L3 MSC54-CPP A signal handler must be a plain old function L2

| synopsys.com | 10 SEI CERT Oracle Secure Coding Standard for Java (online version) The SEI CERT Oracle Secure Coding Standard for Java was developed primarily referring to the following version of the Java language: • The Java Language Specification (3rd Edition) The SEI CERT Oracle Secure Coding Standard for Java focuses on the following Java platforms: • The Java Standard Edition 6 Platform (Java SE 6) • The Java Standard Edition 7 platform (Java SE 7) The SEI CERT Oracle Secure Coding Standard for Java wiki contains 182 coding rules, of which 38 are Level L1, 48 are Level L2, and 96 are Level L3.

The CERT Secure Coding wiki for Java is here: https://wwwsecurecodingcertorg/confluence/display/java/

The SEI CERT Oracle Secure Coding Standard for Java (Standard Edition 6) is here: https://wwwinformitcom/store/cert-oracle-secure-coding-standard-for-java-9780321803955

The SEI CERT Oracle Secure Coding Standard for Java wiki also documents some recommendations The recommendations are not part of the core secure coding standard

CERT Java L1 and L2 rule coverage (online version) Rules Section % Coverage Supported All All 61 74* 82.4 IDS 7 8 87.5 EXP 3 4 75.0 NUM 4 4 100.0 STR 1 1 100.0 OBJ 6 9* 66.7 MET 5 7* 71.4 ERR 3 3 100.0 VNA 0 2 0.0 LCK 5 5 100.0 TSM 0 1 0.0 FIO 5 5 100.0 SER 6 7* 85.7 SEC 8 8 100.0 ENV 3 5* 60.0 JNI 1 1* 100.0 MSC 4 4 100.0 * There are 38 total CERT Java L1 and 48 total CERT Java L2 rules. Apart from five stub L1 rules (SEC08-J, SEC09-J, SEC10-J, JNI03-J, and MSC10-J), and two nonautomated L1 rules (ENV04-J and ENV05-J), there are 31 validated L1 rules considered in this calculation. Similarly, apart from two deprecated L2 rules (IDS09-J and SER13-J), three stub L2 rules (IDS15-J, OBJ14-J, and MET13-J), there are 43 validated L2 rules considered in this calculation.

| synopsys.com | 11 CERT Java supported rules (online version) Rule Description Level IDS00-J Prevent SQL injection L1 IDS01-J Normalize strings before validating them L1 IDS03-J Do not log unsanitized user input L2 IDS07-J Sanitize untrusted data passed to the Runtimeexec() method L1 IDS08-J Sanitize untrusted data included in a regular expression L3 IDS11-J Perform any string modifications before validation L1 IDS16-J Prevent XML Injection L1 IDS17-J Prevent XML External Entity Attacks L2 ERR02-J Prevent exceptions while logging data L2 ERR04-J Do not complete abruptly from a finally block L3 ERR07-J Do not throw RuntimeException, Exception, or Throwable L2 ERR08-J Do not catch NullPointerException or any of its ancestors L1 EXP00-J Do not ignore values returned by methods L2 EXP01-J Do not use a null in a case where an object is required L3 EXP02-J Do not use the Object.equals() method to compare two arrays L2 EXP03-J Do not use the equality operators when comparing values of boxed primitives L2 NUM00-J Detect or prevent L3 NUM02-J Ensure that division and remainder operations do not result in divide-by-zero errors L2 NUM07-J Do not attempt comparisons with NaN L3 NUM09-J Do not use floating-point variables as loop counters L2 NUM10-J Do not construct BigDecimal objects from floating-point literals L2 NUM11-J Do not compare or inspect the string representation of floating-point values L2 OBJ01-J Limit accessibility of fields L1 OBJ05-J Do not return references to private mutable class members L1 OBJ09-J Compare classes and not class names L2 OBJ10-J Do not use public static nonfinal fields L2 OBJ11-J Be wary of letting constructors throw exceptions L1 OBJ13-J Ensure that references to mutable objects are not exposed L1 MET00-J Validate method arguments L2 MET01-J Never use assertions to validate method arguments L2 MET02-J Do not use deprecated or obsolete classes or methods L3 MET04-J Do not increase the accessibility of overridden or hidden methods L2 MET05-J Ensure that constructors do not call overridable methods L2 MET06-J Do not invoke overridable methods in clone() L1 MET07-J Never declare a class method that hides a method declared in a superclass or superinterface L3 MET09-J Classes that define an equals() method must also define a hashCode() method L3 LCK00-J Use private final lock objects to synchronize classes that may interact with untrusted code L3 LCK01-J Do not synchronize on objects that may be reused L2 LCK02-J Do not synchronize on the class object returned by getClass() L2 LCK03-J Do not synchronize on the intrinsic locks of high-level concurrency objects L2 LCK06-J Do not use an instance lock to protect shared static data L2 LCK08-J Ensure actively held locks are released on exceptional conditions L2

| synopsys.com | 12 Rule Description Level FIO02-J Detect and handle file-related errors L2 FIO03-J Remove temporary files before termination L2 FIO05-J Do not expose buffers or their backing arrays methods to untrusted code L1 FIO08-J Do not expose buffers or their backing arrays methods to untrusted code L1 FIO14-J Perform proper cleanup at program termination L1 SEC00-J Do not allow privileged blocks to leak sensitive information across a trust boundary L2 SEC01-J Do not allow tainted variables in privileged blocks L1 SEC02-J Do not base security checks on untrusted sources L1 SEC03-J Do not load trusted classes after allowing untrusted code to load arbitrary classes L1 SEC04-J Protect sensitive operations with security manager checks L1 SEC05-J Do not use reflection to increase accessibility of classes, methods, or fields L1 SEC06-J Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar L1 SEC07-J Call the superclass’s getPermissions() method when writing a custom class loader L1 SER01-J Do not deviate from the proper signatures of serialization methods L1 SER04-J Do not allow serialization and deserialization to bypass the security manager L2 SER05-J Do not serialize instances of inner classes L1 SER08-J Minimize privileges before deserializing from a privileged context L1 SER09-J Do not invoke overridable methods from the readObject() method L3 SER11-J Prevent overwriting of externalizable objects L2 SER12-J Prevent deserialization of untrusted data L2 STR02-J Specify an appropriate locale when comparing locale-dependent data L2 ENV02-J Do not trust the values of environment variables L2 ENV03-J Do not grant dangerous combinations of permissions L1 ENV06-J Production code must not contain debugging entry points L1 JNI01-J Safely invoke standard APIs that perform tasks using the immediate caller’s class loader instance L1 (loadLibrary) MSC00-J Use SSLSocket rather than Socket for secure data exchange L2 MSC01-J Do not use an empty infinite loop L3 MSC02-J Generate strong random numbers L1 MSC03-J Never hard code sensitive information L1 MSC07-J Prevent multiple instantiations of singleton objects L3 MSC11-J Do not let session information leak within a servlet L2

This datasheet applies to Coverity 2021.9.0 and later releases.

| synopsys.com | 13 The Synopsys difference

Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the life cycle.

For more information, go to www.synopsys.com/software.

Synopsys, Inc. 690 E Middlefield Road Mountain View, CA 94043 USA

Contact us: U.S. Sales: 800.873.8193 International Sales: +1 415.321.5237 Email: [email protected]

©2021 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at www. synopsys.com/copyright.html . All other names mentioned herein are trademarks or registered trademarks of their respective owners. September 2021

| synopsys.com | 14