C-STAT® Static Analysis Guide
Total Page:16
File Type:pdf, Size:1020Kb
C-STAT® Static Analysis Guide CSTAT-12 COPYRIGHT NOTICE © 2015–2020 IAR Systems AB and Synopsys, Inc. No part of this document may be reproduced without the prior written consent of IAR Systems AB. The software described in this document is furnished under a license and may only be used or copied in accordance with the terms of such a license. This publication incorporates portions of the Technical Report, “SEI CERT C Coding Standard Rules for Developing Safe, Reliable, and Secure Systems 2016 Edition,” by CERT. © 2016 Carnegie Mellon University, with special permission from its Software Engineering Institute. DISCLAIMERS The information in this document is subject to change without notice and does not represent a commitment on any part of IAR Systems. While the information contained herein is assumed to be accurate, IAR Systems assumes no responsibility for any errors or omissions. In no event shall IAR Systems, its employees, its contractors, or the authors of this document be liable for special, direct, indirect, or consequential damage, losses, costs, charges, claims, demands, claim for lost profits, fees, or expenses of any nature or kind. Any material of Carnegie Mellon University and/or its software engineering institute contained herein is furnished on an “as-is” basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. This publication has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute. TRADEMARKS IAR Systems, IAR Embedded Workbench, Embedded Trust, IAR Connect, C-SPY, C-RUN, C-STAT, IAR Visual State, IAR KickStart Kit, I-jet, I-jet Trace, I-scope, IAR Academy, IAR, and the logotype of IAR Systems are trademarks or registered trademarks owned by IAR Systems AB. Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University. All other product names are trademarks or registered trademarks of their respective owners. EDITION NOTICE Twelfth edition: January 2020. Part number: CSTAT-12. This guide applies to version 7.0 and later of C-STAT. Internal reference: IJOA. 2 C-STAT® Static Analysis Guide AFE1_AFE2-1:1 Contents C-STAT for static analysis ............................................................................. 5 Introduction to C-STAT and static analysis ................................. 5 Briefly about C-STAT and the coding rules ........................................ 5 The checks and their documentation .................................................... 6 The scope of the C-STAT checks ........................................................ 8 Various ways to use C-STAT .............................................................. 8 Using C-STAT ............................................................................................ 9 Getting started analyzing using C-STAT ............................................. 9 Generating an analysis report ............................................................. 12 Performing regression testing ............................................................ 13 Performing an analysis from the command line ................................ 14 Reference information on the graphical environment ........... 17 C-STAT Messages window ............................................................... 17 C-STAT Static Analysis options ....................................................... 19 Extra Options ..................................................................................... 20 Select C-STAT Checks dialog box ................................................... 21 Descriptions of compiler extensions for C-STAT .................... 22 C-STAT directives in comments ........................................................ 22 cstat_disable ....................................................................................... 23 cstat_enable ........................................................................................ 24 cstat_restore ....................................................................................... 24 cstat_suppress ..................................................................................... 24 __CSTAT__ ...................................................................................... 25 Descriptions of C-STAT options ...................................................... 25 Rules for specifying a filename or directory as parameters ............... 26 --all ..................................................................................................... 26 --check ................................................................................................ 26 --checks .............................................................................................. 27 --db ..................................................................................................... 27 --default .............................................................................................. 28 --deterministic .................................................................................... 28 3 AFE1_AFE2-1:1 --exclude ............................................................................................. 28 --fpe .................................................................................................... 29 --full ................................................................................................... 30 --group ................................................................................................ 30 --output ............................................................................................... 30 --package ............................................................................................ 31 --parallel ............................................................................................. 31 --project .............................................................................................. 32 --timeout ............................................................................................. 32 --timeout_check ................................................................................. 33 Description of the C-STAT command line tools ...................... 33 The icstat tool ..................................................................................... 33 The ichecks tool ................................................................................. 35 The ireport tool ................................................................................... 36 C-STAT checks ................................................................................................. 37 Summary of checks ................................................................................ 37 Descriptions of checks .......................................................................... 91 Mapping of CERT rules to C-STAT checks .................................... 1225 Computer Emergency Response Team (CERT) .................. 1225 4 AFE1_AFE2-1:1 C-STAT for static analysis The following pages contain information about: ● Introduction to C-STAT and static analysis ● Using C-STAT ● Reference information on the graphical environment ● Descriptions of compiler extensions for C-STAT ● Descriptions of C-STAT options ● Description of the C-STAT command line tools Introduction to C-STAT and static analysis Learn more about: ● Briefly about C-STAT and the coding rules, page 5 ● The checks and their documentation, page 6 ● The scope of the C-STAT checks, page 8 ● Various ways to use C-STAT, page 8 BRIEFLY ABOUT C-STAT AND THE CODING RULES C-STAT is a static analysis tool that tries to find deviations from certain coding rules by performing one or more checks for the rule. The checks are grouped in packages. The various packages are: ● STDCHECKS Contains checks for rules that come from CWE, as well as checks specific to C-STAT. ● CERT Contains checks for CERT. In addition, some CERT rules and recommendations can be verified by checks for other standard rules, see Mapping of CERT rules to C-STAT checks, page 1225. ● SECURITY Contains checks for rules from SANS Top25, OWASP and CWE. 5 AFE1_AFE2-1:1 Introduction to C-STAT and static analysis ● MISRA C:2004 Contains checks for selected rules of the MISRA C:2004 standard. This standard identifies unsafe code constructs in the C89 standard. These checks can also be used for identifying unsafe C89 constructs in C18 or C11 code. ● MISRA C++:2008 Contains checks for selected rules of the MISRA C++:2008 standard. This standard identifies unsafe code constructs in the 1998 C++ standard. These checks can also be used for identifying unsafe 1998 C++ constructs in C++14 code. ● MISRA C:2012 Contains checks for selected rules of the MISRA C:2012 standard. This standard identifies unsafe code constructs in the C99 and C89 standards. These checks can also be used for identifying unsafe C89 and C99 constructs in C18 or C11 code. Each MISRA C rule is either mandatory, required, or advisory. The checks for the mandatory and required rules are by default on, whereas the checks for the advisory rules are by default off. Each rule specifies an unsafe code construct. Note: Some checks compute summary information per file that can