Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

CERT-C:2014 Standards Model Summary for C

The LDRA tool suite® is developed and certified to BS EN ISO 9001:2000 and SGS-TÜV Saar.

This information is applicable to version 9.7.1 of the LDRA tool suite®. It is correct as of 25th September 2017.

Compliance is measured against "CERT C Coding Standard, Second Edition" 2014 Copyright © Carnegie Mellon University

Further information is available at http://www.securecoding.cert.org

Classification   Enhanced Enforcement   Fully Implemented   Partially Implemented   Not yet Implemented   Not statically Checkable   Total
Rule             16                     34                  34                      14                    19                         117
Recommendation   32                     47                  43                      20                    27                         169
Total            48                     81                  77                      34                    46                         286

CERT-C:2014 Standards Model Compliance for C

Standard  Classification  Standard Description
    LDRA Rule  LDRA Rule Description

ARR00-C  Recommendation  Understand how arrays work

ARR01-C  Recommendation  Do not apply the sizeof operator to a pointer when taking the size of an array parameter.
    401 S  Use of sizeof on an array.

LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice. The document was deemed correct at time of distribution. Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

ARR02-C  Recommendation  Explicitly specify array bounds, even if implicitly defined by an initializer.
    127 S  Array has no bounds specified.
    397 S  Array initialisation has insufficient items.
    404 S  Array initialisation has too many items.

ARR30-C  Rule  Do not form or use out-of-bounds pointers or array subscripts.
    45 D   Pointer not checked for null before use.
    47 S   Array bound exceeded.
    476 S  Array index not unsigned.
    489 S  Insufficient space for operation.
    64 X   Array bound exceeded at call.
    66 X   Insufficient array space at call.
    68 X   Parameter indexing array too big at call.
    69 X   Global array bound exceeded at use.
    70 X   Array has insufficient space.
    71 X   Insufficient space for copy.
    79 X   Size mismatch in memcpy/memset.

ARR32-C  Rule  Ensure size arguments for variable length arrays are in a valid range.
    621 S  Variable-length array declared.

ARR36-C  Rule  Do not subtract or compare two pointers that do not refer to the same array.
    437 S  < > <= >= used on different object pointers.
    438 S  Pointer subtraction not addressing one array.

ARR37-C  Rule  Do not add or subtract an integer to a pointer to a non-array object.
    567 S  Pointer arithmetic is not on array.

ARR38-C  Rule  Guarantee that library functions do not form invalid pointers.
    64 X   Array bound exceeded at call.
    66 X   Insufficient array space at call.
    68 X   Parameter indexing array too big at call.
    69 X   Global array bound exceeded at use.
    70 X   Array has insufficient space.
    71 X   Insufficient space for copy.
    79 X   Size mismatch in memcpy/memset.

ARR39-C  Rule  Do not add or subtract a scaled integer to a pointer.
    47 S   Array bound exceeded.
    489 S  Insufficient space for operation.
    567 S  Pointer arithmetic is not on array.
    64 X   Array bound exceeded at call.
    66 X   Insufficient array space at call.
    68 X   Parameter indexing array too big at call.
    69 X   Global array bound exceeded at use.
    70 X   Array has insufficient space.
    71 X   Insufficient space for copy.

CON00-C  Recommendation  Avoid race conditions with multiple threads

CON01-C  Recommendation  Acquire and release synchronization primitives in the same module, at the same level of abstraction

CON02-C  Recommendation  Do not use volatile as a synchronization primitive

CON03-C  Recommendation  Ensure visibility when accessing shared variables

CON04-C  Recommendation  Join or detach threads even if their exit status is unimportant

CON05-C  Recommendation  Do not perform operations that can block while holding a lock

CON06-C  Recommendation  Ensure that every mutex outlives the data it protects

CON07-C  Recommendation  Ensure that compound operations on shared variables are atomic

CON08-C  Recommendation  Do not assume that a group of calls to independently atomic methods is atomic

CON09-C  Recommendation  Avoid the ABA problem when using lock-free algorithms


CON30-C  Rule  Clean up thread-specific storage

CON31-C  Rule  Do not destroy a mutex while it is locked

CON32-C  Rule  Prevent data races when accessing bit-fields from multiple threads

CON33-C  Rule  Avoid race conditions when using library functions.
    44 S   Use of banned function, type or variable.

CON34-C  Rule  Declare objects shared between threads with appropriate storage duration

CON35-C  Rule  Avoid deadlock by locking in a predefined order

CON36-C  Rule  Wrap functions that can spuriously wake up in a loop

CON37-C  Rule  Do not call signal() in a multithreaded program.
    44 S   Use of banned function, type or variable.

CON38-C  Rule  Preserve thread safety and liveness when using condition variables

CON39-C  Rule  Do not join or detach a thread that was previously joined or detached

CON40-C  Rule  Do not refer to an atomic variable twice in an expression

CON41-C  Rule  Wrap functions that can fail spuriously in a loop


DCL00-C  Recommendation  const-qualify immutable objects.
    78 D   Global variable should be declared const.
    93 D   Local variable should be declared const.
    200 S  Define used for numeric constant.

DCL01-C  Recommendation  Do not reuse variable names in subscopes.
    131 S  Name reused in inner scope.

DCL02-C  Recommendation  Use visually distinct identifiers.
    67 X   Identifier is typographically ambiguous.

DCL03-C  Recommendation  Use a static assertion to test the value of a constant expression.
    44 S   Use of banned function, type or variable.

DCL04-C  Recommendation  Do not declare more than one variable per declaration.
    579 S  More than one variable per declaration.

DCL05-C  Recommendation  Use typedefs of non-pointer types only.
    299 S  Pointer to function declared without typedef.


DCL06-C  Recommendation  Use meaningful symbolic constants to represent literal values in program logic.
    201 S  Use of numeric literal in expression.

DCL07-C  Recommendation  Include the appropriate type information in function declarators.
    21 S   Number of parameters does not match.
    135 S  Parameter list is KR.
    170 S  Procedure call has no prototype and no defn.

DCL08-C  Recommendation  Properly encode relationships in constant definitions

DCL09-C  Recommendation  Declare functions that return an errno error code with a return type of errno_t.
    643 S  Function return type is not errno_t.


DCL10-C  Recommendation  Maintain the contract between the writer and caller of variadic functions.
    41 S   Ellipsis used in procedure parameter list.

DCL11-C  Recommendation  Understand the type issues associated with variadic functions.
    41 S   Ellipsis used in procedure parameter list.
    589 S  Format is not appropriate type.

DCL12-C  Recommendation  Implement abstract data types using opaque types.
    104 D  Structure implementation not hidden.

DCL13-C  Recommendation  Declare function parameters that are pointers to values not changed by the function as const.
    120 D  Pointer param should be declared pointer to const.

DCL15-C  Recommendation  Declare file-scope objects or functions that do not need external linkage as static.
    27 D   Variable should be declared static.
    61 D   Procedure should be declared static.
    553 S  Function and proto should both be static.

DCL16-C  Recommendation  Use "L," not "l," to indicate a long value.
    252 S  Lower case suffix to literal number.

DCL17-C  Recommendation  Beware of miscompiled volatile-qualified variables.
    134 S  Volatile variable in complex expression.

DCL18-C  Recommendation  Do not begin integer constants with 0 when specifying a decimal value.
    83 S   Octal number found.

DCL19-C  Recommendation  Minimize the scope of variables and functions.
    25 D   Scope of variable could be reduced.
    61 D   Procedure should be declared static.
    40 S   Loop index is not declared locally.

DCL20-C  Recommendation  Explicitly specify void when a function accepts no arguments.
    63 S   Empty parameter list to procedure/function.


DCL21-C  Recommendation  Understand the storage of compound literals

DCL22-C  Recommendation  Use volatile for data that cannot be cached.
    8 D    DD data flow anomalies found.

DCL23-C  Recommendation  Guarantee that mutually visible identifiers are unique.
    17 D   Identifier not unique within *** characters.
    355 S  Variables not unique within *** characters.
    61 X   Identifier match in *** chars.

DCL30-C  Rule  Declare objects with appropriate storage durations.
    42 D   Local pointer returned in function result.
    77 D   Local structure returned in function result.
    71 S   Pointer assignment to wider scope.
    565 S  Assignment to wider scope.

DCL31-C  Rule  Declare identifiers before using them.
    24 D   Procedure definition has no associated prototype.
    41 D   Procedure call has no prototype declared.
    20 S   Parameter not declared explicitly.
    326 S  Declaration is missing type.
    496 S  Function call with no prior declaration.

DCL36-C  Rule  Do not declare an identifier with conflicting linkage classifications.
    461 S  Identifier with ambiguous linkage.
    575 S  Linkage differs from previous declaration.
    2 X    Ambiguous declaration of variable.

DCL37-C  Rule  Do not declare or define a reserved identifier.
    86 S   Attempt to define reserved word.
    218 S  Name is used in standard libraries.
    219 S  User name starts with underscore.
    580 S  Macro redefinition without using #undef.
    626 S  #define of keyword.

DCL38-C  Rule  Use the correct syntax when declaring flexible array members.
    648 S  Deprecated form of flexible array.

DCL39-C  Rule  Avoid information leak in structure padding

DCL40-C  Rule  Do not create incompatible declarations of the same function or object.
    17 D   Identifier not unique within *** characters.
    1 X    Declaration types do not match across a system.

DCL41-C  Rule  Do not declare variables inside a switch statement before the first case label.
    385 S  MISRA switch statement syntax violation.

ENV01-C  Recommendation  Do not make assumptions about the size of an environment variable

ENV02-C  Recommendation  Beware of multiple environment variables with the same effective name

ENV03-C  Recommendation  Sanitize the environment when invoking external programs.
    588 S  Use of system function.

ENV30-C  Rule  Do not modify the object referenced by the return value of certain functions.
    107 D  Attempt to change system call capture string.

ENV31-C  Rule  Do not rely on an environment pointer following an operation that may invalidate it.
    118 S  main must be int (void) or int (int,char*[]).

ENV32-C  Rule  All exit handlers must return normally.
    7 S    Jump out of procedure.
    122 S  Use of abort, exit, etc.

ENV33-C  Rule  Do not call system().
    588 S  Use of system function.


ENV34-C  Rule  Do not store pointers returned by certain functions.
    133 D  Pointer from system function used after subsequent call.

ERR00-C  Recommendation  Adopt and implement a consistent and comprehensive error-handling policy

ERR01-C  Recommendation  Use ferror() rather than errno to check for FILE stream errors.
    44 S   Use of banned function, type or variable.

ERR02-C  Recommendation  Avoid in-band error indicators

ERR03-C  Recommendation  Use runtime-constraint handlers when calling functions defined by TR31-1

ERR04-C  Recommendation  Choose an appropriate termination strategy

ERR05-C  Recommendation  Application-independent code should provide error detection without dictating error handling

ERR06-C  Recommendation  Understand the termination behavior of assert() and abort().
    44 S   Use of banned function, type or variable.

ERR07-C  Recommendation  Prefer functions that support error checking over equivalent functions that don't.
    44 S   Use of banned function, type or variable.
    593 S  Use fseek() rather than rewind().
    594 S  Use setvbuf() rather than setbuf().

ERR30-C  Rule  Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure.
    111 D  errno checked without having been set for errno setting fn.
    121 D  errno neither set nor checked for errno setting function.
    122 D  errno not checked after being set for errno setting fn.
    132 D  errno checked after call to non-errno setting function.
    134 D  errno not checked before subsequent function call.

ERR32-C  Rule  Do not rely on indeterminate values of errno.
    44 S   Use of banned function, type or variable.

ERR33-C  Rule  Detect and handle standard library errors.
    80 D   Potentially unused function-modified value.
    124 D  Var set by std lib func return not checked before use.
    130 D  Global set by std lib func return not checked before use.
    382 S  (void) missing for discarded return value.


EXP00-C  Recommendation  Use parentheses for precedence of operation.
    49 S   Logical conjunctions need brackets.
    361 S  Expression needs brackets.

EXP02-C  Recommendation  Be aware of the short-circuit behavior of the logical AND and OR operators.
    35 D   Expression has side effects.
    1 Q    Call has execution order dependant side effects.
    133 S  Assignment operator in RHS of && or ||.
    406 S  Use of ++ or -- on RHS of && or || operator.
    408 S  Volatile variable accessed on RHS of && or ||.

EXP03-C  Recommendation  Do not assume the size of a structure is the sum of the sizes of its members.
    578 S  Sizeof used in arithmetic expression.


EXP05-C  Recommendation  Do not cast away a const qualification.
    203 S  Cast on a constant value.

EXP07-C  Recommendation  Do not diminish the benefits of constants by assuming their values in expressions.
    201 S  Use of numeric literal in expression.

EXP08-C  Recommendation  Ensure pointer arithmetic is used correctly.
    45 D   Pointer not checked for null before use.
    53 D   Attempt to use uninitialised pointer.
    54 D   Unsafe use of function pointer variable.
    438 S  Pointer subtraction not addressing one array.
    576 S  Function pointer is of wrong type.

EXP09-C  Recommendation  Use sizeof to determine the size of a type or variable.
    201 S  Use of numeric literal in expression.

EXP10-C  Recommendation  Do not depend on the order of evaluation of subexpressions or the order in which side effects take place.
    35 D   Expression has side effects.
    72 D   Potential side effect problem in expression.
    1 Q    Call has execution order dependant side effects.
    134 S  Volatile variable in complex expression.

EXP11-C  Recommendation  Do not make assumptions regarding the layout of structures with bit-fields.
    554 S  Cast to an unrelated type.

EXP12-C  Recommendation  Do not ignore values returned by functions.
    382 S  (void) missing for discarded return value.

EXP13-C  Recommendation  Treat relational and equality operators as if they were nonassociative.
    433 S  Type conversion without cast.

EXP15-C  Recommendation  Do not place a semicolon on the same line as an if, for, or while statement.
    11 S   No brackets to loop body (added by Testbed).
    12 S   No brackets to then/else (added by Testbed).
    428 S  No {} for switch (added by Testbed).

EXP16-C  Recommendation  Do not compare function pointers to constant values.
    99 S   Function use is not a call.

EXP19-C  Recommendation  Use braces for the body of an if, for, or while statement.
    11 S   No brackets to loop body (added by Testbed).
    12 S   No brackets to then/else (added by Testbed).
    428 S  No {} for switch (added by Testbed).

EXP20-C  Recommendation  Perform explicit tests to determine success, true and false, and equality.
    114 S  Expression is not Boolean.

EXP30-C  Rule  Do not depend on order of evaluation between sequence points.
    35 D   Expression has side effects.
    1 Q    Call has execution order dependant side effects.
    9 S    Assignment operation in expression.
    30 S   Deprecated usage of ++ or -- operators found.
    134 S  Volatile variable in complex expression.

EXP32-C  Rule  Do not access a volatile object through a nonvolatile reference.
    344 S  Cast on volatile value.

EXP33-C  Rule  Do not read uninitialized memory.
    53 D   Attempt to use uninitialised pointer.
    69 D   UR anomaly, variable used before assignment.
    631 S  Declaration not reachable.
    652 S  Object created by malloc used before initialisation.

EXP34-C  Rule  Do not dereference null pointers.
    45 D   Pointer not checked for null before use.
    123 D  File pointer not checked for null before use.
    128 D  Global pointer not checked within this procedure.
    129 D  Global file pointer not checked within this procedure.
    135 D  Pointer assigned to NULL may be dereferenced.
    136 D  Global pointer assigned to NULL may be dereferenced.
    652 S  Object created by malloc used before initialisation.

EXP35-C  Rule  Do not modify objects with temporary lifetime.
    642 S  Function return type with array field.
    42 D   Local pointer returned in function result.
    77 D   Local structure returned in function result.

EXP36-C  Rule  Do not convert pointers into more strictly aligned pointer types.
    94 S   Casting operation on a pointer.
    606 S  Cast involving function pointer.

EXP37-C  Rule  Call functions with the correct number and type of arguments.
    41 D   Procedure call has no prototype declared.
    21 S   Number of parameters does not match.
    98 S   Actual and formal parameters inconsistent (MR).
    170 S  Procedure call has no prototype and no defn.
    496 S  Function call with no prior declaration.
    576 S  Function pointer is of wrong type.

EXP39-C  Rule  Do not access a variable through a pointer of an incompatible type.
    94 S   Casting operation on a pointer.
    554 S  Cast to an unrelated type.

EXP40-C  Rule  Do not modify constant objects.
    582 S  const object reassigned.

EXP42-C  Rule  Do not compare padding data.
    618 S  Use of memcmp between structures.

EXP43-C  Rule  Avoid undefined behaviors when using restrict-qualified pointers.
    480 S  String function params access same variable.
    489 S  Insufficient space for operation.
    613 S  Use of restrict keyword.

EXP44-C  Rule  Do not rely on side effects in operands to sizeof, _Alignof, or _Generic.
    54 S   Sizeof operator with side effects.
    653 S  Apparent side effects in _Generic or _Alignof.

EXP45-C  Rule  Do not perform assignments in selection statements.
    114 S  Expression is not Boolean.
    132 S  Assignment operator in boolean expression.

EXP46-C  Rule  Do not use a bitwise operator with a Boolean-like operand.
    136 S  Bit operator with boolean operand.

FIO01-C  Recommendation  Be careful using functions that use file names for identification.
    592 S  Use of filename based functions.

FIO02-C  Recommendation  Canonicalize path names originating from untrusted sources.
    85 D   Filename not verified before fopen.

FIO03-C  Recommendation  Do not make assumptions about fopen() and file creation.
    44 S   Use of banned function, type or variable.

FIO05-C  Recommendation  Identify files using multiple file attributes.
    44 S   Use of banned function, type or variable.

FIO06-C  Recommendation  Create files with appropriate access permissions.
    44 S   Use of banned function, type or variable.


FIO08-C  Recommendation  Take care when calling remove() on an open file.
    81 D   Attempt to remove an open file.

FIO09-C  Recommendation  Be careful with binary data when transferring data across systems.
    44 S   Use of banned function, type or variable.

FIO10-C  Recommendation  Take care when using the rename() function.
    592 S  Use of filename based functions.

FIO11-C  Recommendation  Take care when specifying the mode parameter of fopen().
    590 S  Mode fault in fopen.

FIO13-C  Recommendation  Never push back anything other than one read character.
    83 D   Potentially repeated call to ungetc.

FIO14-C  Recommendation  Understand the difference between text mode and binary mode with file streams

FIO15-C  Recommendation  Ensure that file operations are performed in a secure directory


FIO17-C  Recommendation  Do not rely on an ending null character when using fread().
    44 S   Use of banned function, type or variable.

FIO18-C  Recommendation  Never expect fwrite() to terminate the writing process at a null character.
    44 S   Use of banned function, type or variable.

FIO19-C  Recommendation  Do not use fseek() and ftell() to compute the size of a regular file.
    44 S   Use of banned function, type or variable.

FIO20-C  Recommendation  Avoid unintentional truncation when using fgets() or fgetws().
    44 S   Use of banned function, type or variable.

FIO21-C  Recommendation  Do not create temporary files in shared directories.
    44 S   Use of banned function, type or variable.

FIO22-C  Recommendation  Close files before spawning processes.
    49 D   File pointer not closed on exit.

FIO23-C  Recommendation  Do not exit with unflushed data in stdout or stderr


FIO30-C  Rule  Exclude user input from format strings.
    86 D   User input not checked before use.

FIO31-C  Rule  Do not open a file that is already open.
    75 D   Attempt to open file pointer more than once.

FIO32-C  Rule  Do not perform operations on devices that are only appropriate for files

FIO34-C  Rule  Distinguish between characters read from a file and EOF or WEOF.
    662 S  EOF compared with char.

FIO37-C  Rule  Do not assume that fgets() or fgetws() returns a nonempty string when successful.
    44 S   Use of banned function, type or variable.

FIO38-C  Rule  Do not copy a FILE object.
    591 S  Inappropriate use of file pointer.


FIO39-C  Rule  Do not alternately input and output from a stream without an intervening flush or positioning call.
    84 D   No fseek or flush before I/O.

FIO40-C  Rule  Reset strings on fgets() or fgetws() failure.
    44 S   Use of banned function, type or variable.

FIO41-C  Rule  Do not call getc(), putc(), getwc(), or putwc() with stream arguments that have side effects.
    35 D   Expression has side effects.
    1 Q    Call has execution order dependant side effects.
    9 S    Assignment operation in expression.
    30 S   Deprecated usage of ++ or -- operators found.
    134 S  Volatile variable in complex expression.

FIO42-C  Rule  Close files when they are no longer needed.
    49 D   File pointer not closed on exit.


FIO44-C  Rule  Only use values for fsetpos() that are returned from fgetpos().
    82 D   fsetpos values not generated by fgetpos.

FIO45-C  Rule  Avoid TOCTOU race conditions while accessing files.
    75 D   Attempt to open file pointer more than once.

FIO46-C  Rule  Do not access a closed file.
    48 D   Attempt to write to unopened file.

FIO47-C  Rule  Use valid format strings.
    486 S  Incorrect number of formats in output function.
    589 S  Format is not appropriate type.

FLP00-C  Recommendation  Understand the limitations of floating-point numbers

FLP01-C  Recommendation  Take care in rearranging floating-point expressions


FLP02-C  Recommendation  Avoid using floating-point numbers when precise computation is needed.
    56 S   Equality comparison of floating point.

FLP03-C  Recommendation  Detect and handle floating-point errors.
    43 D   Divide by zero found.

FLP04-C  Recommendation  Check floating-point inputs for exceptional values

FLP05-C  Recommendation  Don't use denormalized numbers

FLP06-C  Recommendation  Convert integers to floating point for floating-point operations.
    435 S  Float/integer conversion without cast.

FLP07-C  Recommendation  Cast the return value of a function that returns a floating-point type

FLP30-C  Rule  Do not use floating-point variables as loop counters.
    39 S   Unsuitable type for loop variable.


Prevent or detect domain and range errors FLP32-C Rule in math functions

Value is not of 93 S appropriate Ensure that floating-point conversions are type. FLP34-C Rule within range of the new type Float/integer 435 S conversion without cast.

Float/integer Preserve precision when converting integral FLP36-C Rule 435 S conversion values to floating-point type without cast.

FLP37-C Rule Do not use object representations to compare floating-point values
    618 S Use of memcmp between structures.

INT00-C Recommendation Understand the data model used by your implementation(s)

INT01-C Recommendation Use rsize_t or size_t for all integer values representing the size of an object

INT02-C Recommendation Understand integer conversion rules
    52 S Unsigned expression negated.
    93 S Value is not of appropriate type.
    96 S Use of mixed mode arithmetic.
    101 S Function return type inconsistent.
    107 S Type mismatch in ternary expression.
    332 S Widening cast on complex integer expression (MR).
    334 S No cast when ~ or << applied to small types (MR).
    433 S Type conversion without cast.
    434 S Signed/unsigned conversion without cast.
    446 S Narrower int conversion without cast.
    452 S No cast for widening complex int expression (MR).
    457 S Implicit int widening for function return (MR).
    458 S Implicit conversion: actual to formal param (MR).

INT04-C Recommendation Enforce limits on integer values originating from tainted sources

INT05-C Recommendation Do not use input functions to convert character data if they cannot handle all possible inputs
    44 S Use of banned function, type or variable.

INT06-C Recommendation Use strtol() or a related function to convert a string token to an integer
    44 S Use of banned function, type or variable.

INT07-C Recommendation Use only explicitly signed or unsigned char type for numeric values
    93 S Value is not of appropriate type.
    96 S Use of mixed mode arithmetic.
    101 S Function return type inconsistent.
    329 S Operation not appropriate to plain char.
    432 S Inappropriate type - should be plain char.
    458 S Implicit conversion: actual to formal param (MR).

INT08-C Recommendation Verify that all integer values are in range
    488 S Value outside range of underlying type.
    493 S Numeric overflow.

INT09-C Recommendation Ensure enumeration constants map to unique values
    85 S Incomplete initialisation of enumerator.
    630 S Duplicated enumeration value.

INT10-C Recommendation Do not assume a positive remainder when using the % operator
    584 S Remainder of % op could be negative.

INT12-C Recommendation Do not make assumptions about the type of a plain int bit-field when used in an expression
    73 S Bit field not signed or unsigned int.

INT13-C Recommendation Use bitwise operators only on unsigned operands
    50 S Use of shift operator on signed type.
    120 S Use of bit operator on signed type.
    136 S Bit operator with boolean operand.
    331 S Literal value requires a U suffix.

INT14-C Recommendation Avoid performing bitwise and arithmetic operations on the same data
    585 S Bitwise and arith operations on same data.

INT15-C Recommendation Use intmax_t or uintmax_t for formatted I/O on programmer-defined integer types
    586 S Format is not %j for user defined type.

INT16-C Recommendation Do not make assumptions about representation of signed integers
    50 S Use of shift operator on signed type.
    120 S Use of bit operator on signed type.

INT17-C Recommendation Define integer constants in an implementation-independent manner

INT18-C Recommendation Evaluate integer expressions in a larger size before comparing or assigning to that size
    452 S No cast for widening complex int expression (MR).

INT30-C Rule Ensure that unsigned integer operations do not wrap
    493 S Numeric overflow.
    494 S Numeric underflow.
    93 S Value is not of appropriate type.

INT31-C Rule Ensure that integer conversions do not result in lost or misinterpreted data
    433 S Type conversion without cast.
    434 S Signed/unsigned conversion without cast.

INT32-C Rule Ensure that operations on signed integers do not result in overflow
    493 S Numeric overflow.
    494 S Numeric underflow.

INT33-C Rule Ensure that division and modulo operations do not result in divide-by-zero errors
    43 D Divide by zero found.
    127 D Local or member denominator not checked before use.
    131 D Global denominator not checked within this procedure.
    137 D Parameter used as denominator not checked before use.
    248 S Divide by zero in preprocessor directive.
    629 S Divide by zero found.
    80 X Divide by zero found.

INT34-C Rule Do not shift a negative number of bits or more bits than exist in the operand
    51 S Shifting value too far.
    403 S Negative (or potentially negative) shift.
    479 S Right shift loses all bits.

INT35-C Rule Use correct integer precisions

INT36-C Rule Converting a pointer to integer or integer to pointer
    439 S Cast from pointer to integral type.
    440 S Cast from integral type to pointer.

MEM00-C Recommendation Allocate and free memory in the same module at the same level of abstraction
    50 D Memory not freed after last reference.
    112 D Free called twice on same variable.
    484 S Attempt to use already freed object.

MEM01-C Recommendation Store a new value in pointers immediately after free()
    112 D Free called twice on same variable.
    484 S Attempt to use already freed object.

MEM02-C Recommendation Immediately cast the result of a memory allocation function call into a pointer to the allocated type

MEM03-C Recommendation Clear sensitive information stored in reusable resources returned for reuse
    44 S Use of banned function, type or variable.

MEM04-C Recommendation Do not perform zero-length allocations

MEM05-C Recommendation Avoid large stack allocations
    5 C Procedure contains infinite loop.
    6 D Recursion in procedure calls found.
    28 D Potentially infinite loop found.
    26 S Loop control expression may not terminate loop.
    140 S Infeasible loop condition found.
    621 S Variable-length array declared.
    1 U Inter-file recursion found.

MEM06-C Recommendation Ensure that sensitive data is not written out to disk

MEM07-C Recommendation Ensure that the arguments to calloc(), when multiplied, do not wrap

MEM10-C Recommendation Define and use a pointer validation function
    159 S Comparing pointer with zero or NULL.

MEM11-C Recommendation Do not assume infinite heap space
    5 C Procedure contains infinite loop.
    6 D Recursion in procedure calls found.
    28 D Potentially infinite loop found.
    26 S Loop control expression may not terminate loop.
    140 S Infeasible loop condition found.
    1 U Inter-file recursion found.

MEM12-C Recommendation Consider using a goto chain when leaving a function on error when using and releasing resources
    50 D Memory not freed after last reference.

MEM30-C Rule Do not access freed memory
    51 D Attempt to read from freed memory.
    112 D Free called twice on same variable.
    484 S Attempt to use already freed object.

MEM31-C Rule Free dynamically allocated memory when no longer needed
    50 D Memory not freed after last reference.

MEM33-C Rule Allocate and copy structures containing a flexible array member dynamically
    649 S Use of unallocated flexible array.
    650 S Flexible array copy ignores last member.

MEM34-C Rule Only free memory allocated dynamically
    407 S free used on string.
    483 S Freed parameter is not heap item.
    644 S realloc ptr does not originate from allocation function.
    645 S realloc ptr type does not match target type.
    125 D free called on variable with no allocated space.

MEM35-C Rule Allocate sufficient memory for an object
    400 S Use of sizeof on a type.
    487 S Insufficient space allocated.
    115 D Copy length parameter not checked before use.

MEM36-C Rule Do not modify the alignment of objects by calling realloc()
    44 S Use of banned function, type or variable.

MSC00-C Recommendation Compile cleanly at high warning levels

MSC01-C Recommendation Strive for logical completeness
    48 S No default case in switch statement.
    59 S Else alternative missing in if.

MSC04-C Recommendation Use comments consistently and in a readable fashion
    119 S Nested comment found.
    302 S Comment possibly contains code.
    611 S Line splice used in // comment.

MSC05-C Recommendation Do not manipulate time_t typed values directly
    96 S Use of mixed mode arithmetic.
    101 S Function return type inconsistent.
    107 S Type mismatch in ternary expression.
    433 S Type conversion without cast.
    458 S Implicit conversion: actual to formal param (MR).

MSC06-C Recommendation Beware of compiler optimizations
    8 D DD data flow anomalies found.
    65 D Void function has no side effects.
    76 D Procedure is not called or referenced in code analysed.
    105 D DU anomaly dead code, var value is unused on all paths.
    1 J Unreachable Code found.
    3 J All internal linkage calls unreachable.
    35 S Static procedure is not explicitly called in code analysed.
    57 S Statement with no side effect.

MSC09-C Recommendation Character encoding: use subset of ASCII for safety
    113 S Non standard character in source.

MSC10-C Recommendation Character encoding: UTF-8-related issues
    176 S Non standard escape sequence in source.
    376 S Use of octal escape sequence.

MSC11-C Recommendation Incorporate diagnostic tests using assertions

MSC12-C Recommendation Detect and remove code that has no effect or is never executed
    8 D DD data flow anomalies found.
    65 D Void function has no side effects.
    105 D DU anomaly dead code, var value is unused on all paths.
    57 S Statement with no side effect.
    139 S Construct leads to infeasible code.
    140 S Infeasible loop condition found.
    1 J Unreachable Code found.

MSC13-C Recommendation Detect and remove unused values
    1 D Unused procedure parameter.
    8 D DD data flow anomalies found.
    15 D Unused procedural parameter.
    94 D Named variable declared but not used in code.
    105 D DU anomaly dead code, var value is unused on all paths.

MSC14-C Recommendation Do not introduce unnecessary platform dependencies
    17 D Identifier not unique within *** characters.
    42 S Use of bit field in structure declaration.
    69 S #pragma used.
    63 D No definition in system for prototyped procedure.

MSC15-C Recommendation Do not depend on undefined behavior
    84 D No fseek or flush before I/O.
    113 D File closed more than once.
    5 Q File does not end with new line.
    64 S Void procedure used in expression.
    65 S Void variable passed as parameter.
    100 S #include filename is non conformant.
    109 S Array subscript is not integral.
    156 S Use of 'defined' keyword in macro body.
    296 S Function declared at block scope.
    324 S Macro call has wrong number of parameters.
    335 S Operator defined contains illegal items.
    336 S #if expansion contains define operator.
    339 S #include directive with illegal items.
    412 S Undefined behaviour, \ before E-O-F.
    427 S Filename in #include not in < > or " ".
    465 S Struct/union not completely specified.
    482 S Incomplete structure referenced.
    497 S Type is incomplete in translation unit.
    545 S Assignment of overlapping storage.
    587 S Const local variable not immediately initialised.
    608 S Use of explicitly undefined language feature.
    647 S Overlapping data items in memcpy.
    62 X Function prototype/defn return type mismatch (MR).
    63 X Function prototype/defn param type mismatch (MR).

MSC17-C Recommendation Finish every set of statements associated with a case label with a break statement
    62 S Switch case not terminated with break.

MSC18-C Recommendation Be careful while handling sensitive data, such as passwords, in program code

MSC19-C Recommendation For functions that return an array, prefer returning an empty array over a null value

MSC20-C Recommendation Do not use a switch statement to transfer control into a complex block
    245 S Case statement in nested block.

MSC21-C Recommendation Use robust loop termination conditions
    510 S Loop counter increment and operator defect.

MSC22-C Recommendation Use the setjmp(), longjmp() facility securely
    43 S Use of setjmp/longjmp.

MSC23-C Recommendation Beware of vendor-specific library and language differences

MSC24-C Recommendation Do not use deprecated or obsolescent functions
    44 S Use of banned function, type or variable.

MSC30-C Rule Do not use the rand() function for generating pseudorandom numbers
    44 S Use of banned function, type or variable.

MSC32-C Rule Properly seed pseudorandom number generators

MSC33-C Rule Do not pass invalid data to the asctime() function
    44 S Use of banned function, type or variable.

MSC37-C Rule Ensure that control never reaches the end of a non-void function
    2 D Function does not return a value on all paths.
    36 S Function has no return statement.
    66 S Function with empty return expression.

MSC38-C Rule Do not treat a predefined identifier as an object if it might only be implemented as a macro

MSC39-C Rule Do not call va_arg() on a va_list that has an indeterminate value

MSC40-C Rule Do not violate constraints
    21 S Number of parameters does not match.
    145 S #if has invalid expression.
    323 S Switch has more than one default case.
    345 S Bit operator with floating point operand.
    387 S Enum init not integer-constant-expression.
    404 S Array initialisation has too many items.
    481 S Array with no bounds in struct.
    580 S Macro redefinition without using #undef.
    612 S inline function should be declared static.
    615 S Conditional operator has incompatible types.
    646 S Struct initialisation has too many items.

POS01-C Recommendation Check for the existence of links when dealing with files

POS02-C Recommendation Follow the principle of least privilege

POS04-C Recommendation Avoid using PTHREAD_MUTEX_NORMAL type mutex locks

POS05-C Recommendation Limit access to files by creating a jail

POS30-C Rule Use the readlink() function properly

POS33-C Rule Do not use vfork()
    44 S Use of banned function, type or variable.

POS34-C Rule Do not call putenv() with a pointer to an automatic variable as the argument

POS35-C Rule Avoid race conditions while checking for the existence of a symbolic link

POS36-C Rule Observe correct revocation order while relinquishing privileges

POS37-C Rule Ensure that privilege relinquishment is successful

POS38-C Rule Beware of race conditions when using fork and file descriptors

POS39-C Rule Use the correct byte ordering when transferring data between systems

POS44-C Rule Do not use signals to terminate threads

POS47-C Rule Do not use threads that can be canceled asynchronously

POS48-C Rule Do not unlock or destroy another POSIX thread's mutex

POS49-C Rule When data must be accessed by multiple threads, provide a mutex and guarantee no adjacent data is also accessed

POS50-C Rule Declare objects shared between POSIX threads with appropriate storage durations

POS51-C Rule Avoid deadlock with POSIX threads by locking in predefined order

POS52-C Rule Do not perform operations that can block while holding a POSIX lock

POS53-C Rule Do not use more than one mutex for concurrent waiting operations on a condition variable

POS54-C Rule Detect and handle POSIX library errors
    80 D Potentially unused function-modified value.

PRE00-C Recommendation Prefer inline or static functions to function-like macros
    340 S Use of function like macro.

PRE01-C Recommendation Use parentheses within macros around parameter names
    78 S Macro parameter not in brackets.

PRE02-C Recommendation Macro replacement lists should be parenthesized
    77 S Macro replacement list needs parentheses.

PRE03-C Recommendation Prefer type definitions to defines for encoding types
    79 S Macro contains unacceptable items.

PRE04-C Recommendation Do not reuse a standard header file name
    568 S #include "filename" uses standard library name.

PRE05-C Recommendation Understand macro replacement when concatenating tokens or performing stringification
    76 S More than one of # or ## in a macro.
    125 S Use of ## or # in a macro.
    637 S # operand followed by ##.

PRE06-C Recommendation Enclose header files in an inclusion guard
    243 S Included file not protected with #define.

PRE07-C Recommendation Avoid using repeated question marks
    81 S Use of trigraph.

PRE08-C Recommendation Guarantee that header file names are unique

PRE09-C Recommendation Do not replace secure functions with less secure functions

PRE10-C Recommendation Wrap multistatement macros in a do-while loop
    79 S Macro contains unacceptable items.

PRE11-C Recommendation Do not conclude macro definitions with a semicolon
    79 S Macro contains unacceptable items.

PRE12-C Recommendation Do not define unsafe macros
    35 D Expression has side effects.
    1 Q Call has execution order dependant side effects.
    562 S Use of ++,-- or = in macro parameters.
    572 S Side effect in assert.

PRE13-C Recommendation Use the Standard predefined macros to test for versions and features.

PRE30-C Rule Do not create a universal character name through concatenation
    573 S Macro concatenation of uni char names.

PRE31-C Rule Avoid side effects in arguments to unsafe macros
    35 D Expression has side effects.
    1 Q Call has execution order dependant side effects.
    9 S Assignment operation in expression.
    562 S Use of ++,-- or = in macro parameters.
    572 S Side effect in assert.

PRE32-C Rule Do not use preprocessor directives in invocations of function-like macros
    341 S Preprocessor construct as macro parameter.

SIG00-C Recommendation Mask signals handled by noninterruptible signal handlers
    44 S Use of banned function, type or variable.

SIG01-C Recommendation Understand implementation-specific details regarding signal handler persistence
    97 D Signal called from within signal handler.

SIG02-C Recommendation Avoid using signals to implement normal functionality
    44 S Use of banned function, type or variable.

SIG30-C Rule Call only asynchronous-safe functions within signal handlers
    88 D Illegal use of longjmp in signal handler.
    89 D Illegal use of raise in signal handler.

SIG31-C Rule Do not access shared objects in signal handlers
    87 D Illegal shared object in signal handler.

SIG34-C Rule Do not call signal() from within interruptible signal handlers
    97 D Signal called from within signal handler.

SIG35-C Rule Do not return from a computational exception signal handler
    44 S Use of banned function, type or variable.

STR00-C Recommendation Represent characters using an appropriate type
    329 S Operation not appropriate to plain char.
    432 S Inappropriate type - should be plain char.

STR01-C Recommendation Adopt and implement a consistent plan for managing strings

STR02-C Recommendation Sanitize data passed to complex subsystems
    108 D Tainted argument to unprototyped func ptr.
    109 D Tainted argument to formatted i/o function.

STR03-C Recommendation Do not inadvertently truncate a null-terminated byte string
    44 S Use of banned function, type or variable.
    115 S String incorrectly terminated.

STR04-C Recommendation Use plain char for characters in the character set
    93 S Value is not of appropriate type.
    101 S Function return type inconsistent.
    329 S Operation not appropriate to plain char.
    432 S Inappropriate type - should be plain char.
    458 S Implicit conversion: actual to formal param (MR).

STR05-C Recommendation Use pointers to const when referring to string literals
    623 S String assigned to non const object.

STR06-C Recommendation Do not assume that strtok() leaves the parse string unchanged
    602 S strtok may change the parse string.

STR07-C Recommendation Use the bounds-checking interfaces for string manipulation
    44 S Use of banned function, type or variable.

STR09-C Recommendation Don't assume numeric values for expressions with type plain character
    329 S Operation not appropriate to plain char.

STR10-C Recommendation Do not concatenate different type of string literals
    450 S Wide string and string concatenated.

STR11-C Recommendation Do not specify the bound of a character array initialized with a string literal
    404 S Array initialisation has too many items.

STR30-C Rule Do not attempt to modify string literals
    157 S Modification of string literal.

STR31-C Rule Guarantee that storage for strings has sufficient space for character data and the null terminator
    109 D Tainted argument to formatted i/o function.
    489 S Insufficient space for operation.
    66 X Insufficient array space at call.
    70 X Array has insufficient space.
    71 X Insufficient space for copy.

STR32-C Rule Do not pass a non-null-terminated character sequence to a library function that expects a string
    404 S Array initialisation has too many items.
    600 S Argument of strlen is unterminated.

STR34-C Rule Cast characters to unsigned types before converting to larger integer sizes
    433 S Type conversion without cast.

STR37-C Rule Arguments to character-handling functions must be representable as an unsigned char
    663 S Invalid value may be passed to function in .

STR38-C Rule Do not confuse narrow and wide character strings and functions

ARR00-C Recommendation Understand how arrays work

ARR01-C Recommendation Do not apply the sizeof operator to a pointer when taking the size of an array
    401 S Use of sizeof on an array parameter.

ARR02-C Recommendation Explicitly specify array bounds, even if implicitly defined by an initializer
    127 S Array has no bounds specified.
    397 S Array initialisation has insufficient items.
    404 S Array initialisation has too many items.

ARR30-C Rule Do not form or use out-of-bounds pointers or array subscripts
    45 D Pointer not checked for null before use.
    47 S Array bound exceeded.
    476 S Array index not unsigned.
    489 S Insufficient space for operation.
    64 X Array bound exceeded at call.
    66 X Insufficient array space at call.
    68 X Parameter indexing array too big at call.
    69 X Global array bound exceeded at use.
    70 X Array has insufficient space.
    71 X Insufficient space for copy.
    79 X Size mismatch in memcpy/memset.

ARR32-C Rule Ensure size arguments for variable length arrays are in a valid range
    621 S Variable-length array declared.

ARR36-C Rule Do not subtract or compare two pointers that do not refer to the same array
    437 S < > <= >= used on different object pointers.
    438 S Pointer subtraction not addressing one array.

ARR37-C Rule Do not add or subtract an integer to a pointer to a non-array object
    567 S Pointer arithmetic is not on array.

ARR38-C Rule Guarantee that library functions do not form invalid pointers
    64 X Array bound exceeded at call.
    66 X Insufficient array space at call.
    68 X Parameter indexing array too big at call.
    69 X Global array bound exceeded at use.
    70 X Array has insufficient space.
    71 X Insufficient space for copy.
    79 X Size mismatch in memcpy/memset.
    47 S Array bound exceeded.
    489 S Insufficient space for operation.

ARR39-C Rule Do not add or subtract a scaled integer to a pointer
    567 S Pointer arithmetic is not on array.
    64 X Array bound exceeded at call.
    66 X Insufficient array space at call.
    68 X Parameter indexing array too big at call.
    69 X Global array bound exceeded at use.
    70 X Array has insufficient space.
    71 X Insufficient space for copy.

CON00-C Recommendation Avoid race conditions with multiple threads

CON01-C Recommendation Acquire and release synchronization primitives in the same module, at the same level of abstraction

CON02-C Recommendation Do not use volatile as a synchronization primitive

CON03-C Recommendation Ensure visibility when accessing shared variables

CON04-C Recommendation Join or detach threads even if their exit status is unimportant

CON05-C Recommendation Do not perform operations that can block while holding a lock

CON06-C Recommendation Ensure that every mutex outlives the data it protects

CON07-C Recommendation Ensure that compound operations on shared variables are atomic

CON08-C Recommendation Do not assume that a group of calls to independently atomic methods is atomic

CON09-C Recommendation Avoid the ABA problem when using lock-free algorithms

CON30-C Rule Clean up thread-specific storage

CON31-C Rule Do not destroy a mutex while it is locked

CON32-C Rule Prevent data races when accessing bit-fields from multiple threads

CON33-C Rule Avoid race conditions when using library functions
    44 S Use of banned function, type or variable.

CON34-C Rule Declare objects shared between threads with appropriate storage duration

CON35-C Rule Avoid deadlock by locking in a predefined order

LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice. The document was deemed correct at time of distribution. Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

CERT-C:2014 Standards Model Compliance for C

LDRA Rule Classification Rule Description LDRA Standard Description Standard Wrap functions that can spuriously wake up in a CON36-C Rule loop CON37-C Rule Do not call signal() in a multithreaded program 44 S Use of banned function, type or variable. Preserve thread safety and liveness when using CON38-C Rule condition variables Do not join or detach a thread that was previously CON39-C Rule joined or detached Do not refer to an atomic variable twice in an CON40-C Rule expression CON41-C Rule Wrap functions that can fail spuriously in a loop 78 D Global variable should be declared const. DCL00-C Recommendation const-qualify immutable objects 93 D Local variable should be declared const. 200 S Define used for numeric constant. DCL01-C Recommendation Do not reuse variable names in subscopes 131 S Name reused in inner scope. DCL02-C Recommendation Use visually distinct identifiers 67 X Identifier is typographically ambiguous. Use a static assertion to test the value of a DCL03-C Recommendation 44 S Use of banned function, type or variable. constant expression Do not declare more than one variable per DCL04-C Recommendation 579 S More than one variable per declaration. declaration DCL05-C Recommendation Use typedefs of non-pointer types only 299 S Pointer to function declared without typedef. Use meaningful symbolic constants to represent DCL06-C Recommendation 201 S Use of numeric literal in expression. literal values in program logic 21 S Number of parameters does not match. Include the appropriate type information in function DCL07-C Recommendation 135 S Parameter list is KR. declarators 170 S Procedure call has no prototype and no defn. Properly encode relationships in constant DCL08-C Recommendation definitions Declare functions that return an errno error code DCL09-C Recommendation 643 S Function return type is not errno_t. 
with a return type of errno_t Maintain the contract between the writer and caller DCL10-C Recommendation 41 S Ellipsis used in procedure parameter list. of variadic functions Understand the type issues associated with 41 S Ellipsis used in procedure parameter list. DCL11-C Recommendation

LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice. The document was deemed correct at time of distribution. Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

CERT-C:2014 Standards Model Compliance for C

LDRA Rule Classification Rule Description LDRA Standard Description Standard DCL11-C Recommendation variadic functions 589 S Format is not appropriate type. DCL12-C Recommendation Implement abstract data types using opaque types 104 D Structure implementation not hidden. Declare function parameters that are pointers to DCL13-C Recommendation 120 D Pointer param should be declared pointer to const. values not changed by the function as const 27 D Variable should be declared static. Declare file-scope objects or functions that do not DCL15-C Recommendation 61 D Procedure should be declared static. need external linkage as static 553 S Function and proto should both be static. DCL16-C Recommendation Use "L," not "l," to indicate a long value 252 S Lower case suffix to literal number. DCL17-C Recommendation Beware of miscompiled volatile-qualified variables 134 S Volatile variable in complex expression. Do not begin integer constants with 0 when DCL18-C Recommendation 83 S Octal number found. specifying a decimal value 25 D Scope of variable could be reduced. DCL19-C Recommendation Minimize the scope of variables and functions 61 D Procedure should be declared static. 40 S Loop index is not declared locally. Explicitly specify void when a function accepts no DCL20-C Recommendation 63 S Empty parameter list to procedure/function. arguments DCL21-C Recommendation Understand the storage of compound literals DCL22-C Recommendation Use volatile for data that cannot be cached 8 D DD data flow anomalies found. 17 D Identifier not unique within *** characters. Guarantee that mutually visible identifiers are DCL23-C Recommendation 355 S Variables not unique within *** characters. unique 61 X Identifier match in *** chars. 42 D Local pointer returned in function result. 77 D Local structure returned in function result. DCL30-C Rule Declare objects with appropriate storage durations 71 S Pointer assignment to wider scope. 565 S Assignment to wider scope. 
24 D Procedure definition has no associated prototype. 41 D Procedure call has no prototype declared. DCL31-C Rule Declare identifiers before using them 20 S Parameter not declared explicitly. 326 S Declaration is missing type. 496 S Function call with no prior declaration. 461 S Identifier with ambiguous linkage. Do not declare an identifier with conflicting linkage DCL36-C Rule 575 S Linkage differs from previous declaration. classifications

LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice. The document was deemed correct at time of distribution. Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

CERT-C:2014 Standards Model Compliance for C

LDRA Rule Classification Rule Description LDRA Standard Description Standard classifications 2 X Ambiguous declaration of variable. 86 S Attempt to define reserved word. 218 S Name is used in standard libraries. DCL37-C Rule Do not declare or define a reserved identifier 219 S User name starts with underscore. 580 S Macro redefinition without using #undef. 626 S #define of keyword. Use the correct syntax when declaring flexible DCL38-C Rule 648 S Deprecated form of flexible array. array members DCL39-C Rule Avoid information leak in structure padding Do not create incompatible declarations of the 17 D Identifier not unique within *** characters. DCL40-C Rule same function or object 1 X Declaration types do not match across a system. Do not declare variables inside a switch statement DCL41-C Rule 385 S MISRA switch statement syntax violation. before the first case label Do not make assumptions about the size of an ENV01-C Recommendation environment variable Beware of multiple environment variables with the ENV02-C Recommendation same effective name Sanitize the environment when invoking external ENV03-C Recommendation 588 S Use of system function. programs Do not modify the object referenced by the return ENV30-C Rule 107 D Attempt to change system call capture string. value of certain functions Do not rely on an environment pointer following an ENV31-C Rule 118 S main must be int (void) or int (int,char*[]). operation that may invalidate it 7 S Jump out of procedure. ENV32-C Rule All exit handlers must return normally 122 S Use of abort, exit, etc. ENV33-C Rule Do not call system() 588 S Use of system function. Pointer from system function used after ENV34-C Rule Do not store pointers returned by certain functions 133 D subsequent call. Adopt and implement a consistent and ERR00-C Recommendation comprehensive error-handling policy Use ferror() rather than errno to check for FILE ERR01-C Recommendation 44 S Use of banned function, type or variable. stream errors

LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice. The document was deemed correct at time of distribution. Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

CERT-C:2014 Standards Model Compliance for C

LDRA Rule Classification Rule Description LDRA Standard Description Standard ERR02-C Recommendation Avoid in-band error indicators Use runtime-constraint handlers when calling ERR03-C Recommendation functions defined by TR31-1 ERR04-C Recommendation Choose an appropriate termination strategy Application-independent code should provide error ERR05-C Recommendation detection without dictating error handling Understand the termination behavior of assert() ERR06-C Recommendation 44 S Use of banned function, type or variable. and abort() 44 S Use of banned function, type or variable. Prefer functions that support error checking over ERR07-C Recommendation 593 S Use fseek() rather than rewind(). equivalent functions that don't 594 S Use setvbuf() rather than setbuf(). errno checked without having been set for errno 111 D setting fn. errno neither set nor checked for errno setting 121 D function. Set errno to zero before calling a library function errno not checked after being set for errno setting ERR30-C Rule known to set errno, and check errno only after the 122 D fn. function returns a value indicating failure errno checked after call to non-errno setting 132 D function. 134 D errno not checked before subsequent function call. ERR32-C Rule Do not rely on indeterminate values of errno 44 S Use of banned function, type or variable. 80 D Potentially unused function-modified value. Var set by std lib func return not checked before 124 D use. ERR33-C Rule Detect and handle standard library errors Global set by std lib func return not checked before 130 D use. 382 S (void) missing for discarded return value. 49 S Logical conjunctions need brackets. EXP00-C Recommendation Use parentheses for precedence of operation 361 S Expression needs brackets. 35 D Expression has side effects. 1 Q Call has execution order dependant side effects. Be aware of the short-circuit behavior of the logical

LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice. The document was deemed correct at time of distribution. Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

CERT-C:2014 Standards Model Compliance for C

LDRA Rule Classification Rule Description LDRA Standard Description Standard Be aware of the short-circuit behavior of the logical EXP02-C Recommendation 133 S Assignment operator in RHS of && or ||. AND and OR operators 406 S Use of ++ or -- on RHS of && or || operator. 408 S Volatile variable accessed on RHS of && or ||. Do not assume the size of a structure is the sum of EXP03-C Recommendation 578 S Sizeof used in arithmetic expression. the sizes of its members EXP05-C Recommendation Do not cast away a const qualification 203 S Cast on a constant value. Do not diminish the benefits of constants by EXP07-C Recommendation 201 S Use of numeric literal in expression. assuming their values in expressions 45 D Pointer not checked for null before use. 53 D Attempt to use uninitialised pointer. EXP08-C Recommendation Ensure pointer arithmetic is used correctly 54 D Unsafe use of function pointer variable. 438 S Pointer subtraction not addressing one array. 576 S Function pointer is of wrong type. Use sizeof to determine the size of a type or EXP09-C Recommendation 201 S Use of numeric literal in expression. variable 35 D Expression has side effects. Do not depend on the order of evaluation of 72 D Potential side effect problem in expression. EXP10-C Recommendation subexpressions or the order in which side effects 1 Q Call has execution order dependant side effects. take place 134 S Volatile variable in complex expression. Do not make assumptions regarding the layout of EXP11-C Recommendation 554 S Cast to an unrelated type. structures with bit-fields EXP12-C Recommendation Do not ignore values returned by functions 382 S (void) missing for discarded return value. Treat relational and equality operators as if they EXP13-C Recommendation 433 S Type conversion without cast. were nonassociative 11 S No brackets to loop body (added by Testbed). Do not place a semicolon on the same line as an if, EXP15-C Recommendation 12 S No brackets to then/else (added by Testbed). 
for, or while statement 428 S No {} for switch (added by Testbed). Do not compare function pointers to constant EXP16-C Recommendation 99 S Function use is not a call. values 11 S No brackets to loop body (added by Testbed). Use braces for the body of an if, for, or while EXP19-C Recommendation 12 S No brackets to then/else (added by Testbed). statement 428 S No {} for switch (added by Testbed).

LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice. The document was deemed correct at time of distribution. Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

CERT-C:2014 Standards Model Compliance for C

LDRA Rule Classification Rule Description LDRA Standard Description Standard Perform explicit tests to determine success, true EXP20-C Recommendation 114 S Expression is not Boolean. and false, and equality 35 D Expression has side effects. 1 Q Call has execution order dependant side effects. Do not depend on order of evaluation between EXP30-C Rule 9 S Assignment operation in expression. sequence points 30 S Deprecated usage of ++ or -- operators found. 134 S Volatile variable in complex expression. Do not access a volatile object through a EXP32-C Rule 344 S Cast on volatile value. nonvolatile reference 53 D Attempt to use uninitialised pointer. 69 D UR anomaly, variable used before assignment. EXP33-C Rule Do not read uninitialized memory 631 S Declaration not reachable. 652 S Object created by malloc used before initialisation. 45 D Pointer not checked for null before use. 123 D File pointer not checked for null before use. 128 D Global pointer not checked within this procedure. Global file pointer not checked within this 129 D EXP34-C Rule Do not dereference null pointers procedure. 135 D Pointer assigned to NULL may be dereferenced. Global pointer assigned to NULL may be 136 D dereferenced. 652 S Object created by malloc used before initialisation. 642 S Function return type with array field. EXP35-C Rule Do not modify objects with temporary lifetime 42 D Local pointer returned in function result. 77 D Local structure returned in function result. Do not convert pointers into more strictly aligned 94 S Casting operation on a pointer. EXP36-C Rule pointer types 606 S Cast involving function pointer. 41 D Procedure call has no prototype declared. 21 S Number of parameters does not match. Call functions with the correct number and type of 98 S Actual and formal parameters inconsistent (MR). EXP37-C Rule arguments 170 S Procedure call has no prototype and no defn. 496 S Function call with no prior declaration.

LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice. The document was deemed correct at time of distribution. Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

CERT-C:2014 Standards Model Compliance for C

LDRA Rule Classification Rule Description LDRA Standard Description Standard 576 S Function pointer is of wrong type. Do not access a variable through a pointer of an 94 S Casting operation on a pointer. EXP39-C Rule incompatible type 554 S Cast to an unrelated type. EXP40-C Rule Do not modify constant objects 582 S const object reassigned. EXP42-C Rule Do not compare padding data 618 S Use of memcmp between structures. 480 S String function params access same variable. Avoid undefined behaviors when using restrict- EXP43-C Rule 489 S Insufficient space for operation. qualified pointers 613 S Use of restrict keyword. Do not rely on side effects in operands to sizeof, 54 S Sizeof operator with side effects. EXP44-C Rule _Alignof, or _Generic 653 S Apparent side effects in _Generic or _Alignof. Do not perform assignments in selection 114 S Expression is not Boolean. EXP45-C Rule statements 132 S Assignment operator in boolean expression. Do not use a bitwise operator with a Boolean-like EXP46-C Rule 136 S Bit operator with boolean operand. operand Be careful using functions that use file names for FIO01-C Recommendation 592 S Use of filename based functions. identification Canonicalize path names originating from FIO02-C Recommendation 85 D Filename not verified before fopen. untrusted sources Do not make assumptions about fopen() and file FIO03-C Recommendation 44 S Use of banned function, type or variable. creation FIO05-C Recommendation Identify files using multiple file attributes 44 S Use of banned function, type or variable. FIO06-C Recommendation Create files with appropriate access permissions 44 S Use of banned function, type or variable. FIO08-C Recommendation Take care when calling remove() on an open file 81 D Attempt to remove an open file. Be careful with binary data when transferring data FIO09-C Recommendation 44 S Use of banned function, type or variable. 
across systems FIO10-C Recommendation Take care when using the rename() function 592 S Use of filename based functions. Take care when specifying the mode parameter of FIO11-C Recommendation 590 S Mode fault in fopen. fopen() Never push back anything other than one read FIO13-C Recommendation 83 D Potentially repeated call to ungetc. character Understand the difference between text mode and FIO14-C Recommendation binary mode with file streams

LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice. The document was deemed correct at time of distribution. Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

CERT-C:2014 Standards Model Compliance for C

LDRA Rule Classification Rule Description LDRA Standard Description Standard Ensure that file operations are performed in a FIO15-C Recommendation secure directory Do not rely on an ending null character when using FIO17-C Recommendation 44 S Use of banned function, type or variable. fread() Never expect fwrite() to terminate the writing FIO18-C Recommendation 44 S Use of banned function, type or variable. process at a null character Do not use fseek() and ftell() to compute the size of FIO19-C Recommendation 44 S Use of banned function, type or variable. a regular file Avoid unintentional truncation when using fgets() or FIO20-C Recommendation 44 S Use of banned function, type or variable. fgetws() FIO21-C Recommendation Do not create temporary files in shared directories 44 S Use of banned function, type or variable. FIO22-C Recommendation Close files before spawning processes 49 D File pointer not closed on exit. FIO23-C Recommendation Do not exit with unflushed data in stdout or stderr FIO30-C Rule Exclude user input from format strings 86 D User input not checked before use. FIO31-C Rule Do not open a file that is already open 75 D Attempt to open file pointer more than once. Do not perform operations on devices that are only FIO32-C Rule appropriate for files Distinguish between characters read from a file and FIO34-C Rule 662 S EOF compared with char. EOF or WEOF Do not assume that fgets() or fgetws() returns a FIO37-C Rule 44 S Use of banned function, type or variable. nonempty string when successful FIO38-C Rule Do not copy a FILE object 591 S Inappropriate use of file pointer. Do not alternately input and output from a stream FIO39-C Rule 84 D No fseek or flush before I/O. without an intervening flush or positioning call FIO40-C Rule Reset strings on fgets() or fgetws() failure 44 S Use of banned function, type or variable. 35 D Expression has side effects. 1 Q Call has execution order dependant side effects. 
Do not call getc(), putc(), getwc(), or putwc() with FIO41-C Rule 9 S Assignment operation in expression. stream arguments that have side effects 30 S Deprecated usage of ++ or -- operators found. 134 S Volatile variable in complex expression. FIO42-C Rule Close files when they are no longer needed 49 D File pointer not closed on exit.

LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice. The document was deemed correct at time of distribution. Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

CERT-C:2014 Standards Model Compliance for C

LDRA Rule Classification Rule Description LDRA Standard Description Standard Only use values for fsetpos() that are returned from FIO44-C Rule 82 D fsetpos values not generated by fgetpos. fgetpos() Avoid TOCTOU race conditions while accessing FIO45-C Rule 75 D Attempt to open file pointer more than once. files FIO46-C Rule Do not access a closed file 48 D Attempt to write to unopened file. 486 S Incorrect number of formats in output function. FIO47-C Rule Use valid format strings 589 S Format is not appropriate type. Understand the limitations of floating-point FLP00-C Recommendation numbers FLP01-C Recommendation Take care in rearranging floating-point expressions Avoid using floating-point numbers when precise FLP02-C Recommendation 56 S Equality comparison of floating point. computation is needed FLP03-C Recommendation Detect and handle floating-point errors 43 D Divide by zero found. FLP04-C Recommendation Check floating-point inputs for exceptional values FLP05-C Recommendation Don't use denormalized numbers Convert integers to floating point for floating-point FLP06-C Recommendation 435 S Float/integer conversion without cast. operations Cast the return value of a function that returns a FLP07-C Recommendation floating-point type FLP30-C Rule Do not use floating-point variables as loop counters 39 S Unsuitable type for loop variable. Prevent or detect domain and range errors in math FLP32-C Rule functions Ensure that floating-point conversions are within 93 S Value is not of appropriate type. FLP34-C Rule range of the new type 435 S Float/integer conversion without cast. Preserve precision when converting integral values FLP36-C Rule 435 S Float/integer conversion without cast. to floating-point type Do not use object representations to compare FLP37-C Rule 618 S Use of memcmp between structures. floating-point values Understand the data model used by your INT00-C Recommendation implementation(s)

LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice. The document was deemed correct at time of distribution. Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

CERT-C:2014 Standards Model Compliance for C

LDRA Rule Classification Rule Description LDRA Standard Description Standard Use rsize_t or size_t for all integer values INT01-C Recommendation representing the size of an object 52 S Unsigned expression negated. 93 S Value is not of appropriate type. 96 S Use of mixed mode arithmetic. 101 S Function return type inconsistent. 107 S Type mismatch in ternary expression. Widening cast on complex integer expression 332 S (MR). INT02-C Recommendation Understand integer conversion rules 334 S No cast when ~ or << applied to small types (MR). 433 S Type conversion without cast. 434 S Signed/unsigned conversion without cast. 446 S Narrower int conversion without cast. 452 S No cast for widening complex int expression (MR). 457 S Implicit int widening for function return (MR). 458 S Implicit conversion: actual to formal param (MR). Enforce limits on integer values originating from INT04-C Recommendation tainted sources Do not use input functions to convert character INT05-C Recommendation 44 S Use of banned function, type or variable. data if they cannot handle all possible inputs Use strtol() or a related function to convert a string INT06-C Recommendation 44 S Use of banned function, type or variable. token to an integer 93 S Value is not of appropriate type. 96 S Use of mixed mode arithmetic. Use only explicitly signed or unsigned char type for 101 S Function return type inconsistent. INT07-C Recommendation numeric values 329 S Operation not appropriate to plain char. 432 S Inappropriate type - should be plain char. 458 S Implicit conversion: actual to formal param (MR). 488 S Value outside range of underlying type. INT08-C Recommendation Verify that all integer values are in range 493 S Numeric overflow. Ensure enumeration constants map to unique 85 S Incomplete initialisation of enumerator. INT09-C Recommendation values 630 S Duplicated enumeration value.

LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice. The document was deemed correct at time of distribution. Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

CERT-C:2014 Standards Model Compliance for C

LDRA Rule Classification Rule Description LDRA Standard Description Standard Do not assume a positive remainder when using INT10-C Recommendation 584 S Remainder of % op could be negative. the % operator Do not make assumptions about the type of a plain INT12-C Recommendation 73 S Bit field not signed or unsigned int. int bit-field when used in an expression 50 S Use of shift operator on signed type. 120 S Use of bit operator on signed type. INT13-C Recommendation Use bitwise operators only on unsigned operands 136 S Bit operator with boolean operand. 331 S Literal value requires a U suffix. Avoid performing bitwise and arithmetic operations INT14-C Recommendation 585 S Bitwise and arith operations on same data. on the same data Use intmax_t or uintmax_t for formatted I/O on INT15-C Recommendation 586 S Format is not %j for user defined type. programmer-defined integer types Do not make assumptions about representation of 50 S Use of shift operator on signed type. INT16-C Recommendation signed integers 120 S Use of bit operator on signed type. Define integer constants in an implementation- INT17-C Recommendation independent manner Evaluate integer expressions in a larger size before INT18-C Recommendation 452 S No cast for widening complex int expression (MR). comparing or assigning to that size Ensure that unsigned integer operations do not 493 S Numeric overflow. INT30-C Rule wrap 494 S Numeric underflow. 93 S Value is not of appropriate type. Ensure that integer conversions do not result in lost INT31-C Rule 433 S Type conversion without cast. or misinterpreted data 434 S Signed/unsigned conversion without cast. Ensure that operations on signed integers do not 493 S Numeric overflow. INT32-C Rule result in overflow 494 S Numeric underflow. 43 D Divide by zero found. Local or member denominator not checked before 127 D use. Global denominator not checked within this 131 D Ensure that division and modulo operations do not procedure. 
INT33-C Rule result in divide-by-zero errors Parameter used as denominator not checked 137 D before use.

LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice. The document was deemed correct at time of distribution. Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

CERT-C:2014 Standards Model Compliance for C

LDRA Rule Classification Rule Description LDRA Standard Description Standard 248 S Divide by zero in preprocessor directive. 629 S Divide by zero found. 80 X Divide by zero found. 51 S Shifting value too far. Do not shift a negative number of bits or more bits INT34-C Rule 403 S Negative (or potentially negative) shift. than exist in the operand 479 S Right shift loses all bits. INT35-C Rule Use correct integer precisions 439 S Cast from pointer to integral type. INT36-C Rule Converting a pointer to integer or integer to pointer 440 S Cast from integral type to pointer. 50 D Memory not freed after last reference. Allocate and free memory in the same module at MEM00-C Recommendation 112 D Free called twice on same variable. the same level of abstraction 484 S Attempt to use already freed object. Store a new value in pointers immediately after 112 D Free called twice on same variable. MEM01-C Recommendation free() 484 S Attempt to use already freed object. Immediately cast the result of a memory allocation MEM02-C Recommendation function call into a pointer to the allocated type Clear sensitive information stored in reusable MEM03-C Recommendation 44 S Use of banned function, type or variable. resources returned for reuse MEM04-C Recommendation Do not perform zero-length allocations 5 C Procedure contains infinite loop. 6 D Recursion in procedure calls found. 28 D Potentially infinite loop found. MEM05-C Recommendation Avoid large stack allocations 26 S Loop control expression may not terminate loop. 140 S Infeasible loop condition found. 621 S Variable-length array declared. 1 U Inter-file recursion found. MEM06-C Recommendation Ensure that sensitive data is not written out to disk Ensure that the arguments to calloc(), when MEM07-C Recommendation multiplied, do not wrap MEM10-C Recommendation Define and use a pointer validation function 159 S Comparing pointer with zero or NULL. 5 C Procedure contains infinite loop. 6 D Recursion in procedure calls found.

LDRA Ltd. reserves the right to change any specifications contained within this document without prior notice. The document was deemed correct at time of distribution. Version 9.7.1 Copyright © 2017 LDRA Ltd. Copies of this document are not to be made or distributed.

CERT-C:2014 Standards Model Compliance for C

CERT Rule | Classification | Rule Description | LDRA Standard | LDRA Standard Description
MEM11-C | Recommendation | Do not assume infinite heap space | 28 D | Potentially infinite loop found.
 | | | 26 S | Loop control expression may not terminate loop.
 | | | 140 S | Infeasible loop condition found.
 | | | 1 U | Inter-file recursion found.
MEM12-C | Recommendation | Consider using a goto chain when leaving a function on error when using and releasing resources | 50 D | Memory not freed after last reference.
MEM30-C | Rule | Do not access freed memory | 51 D | Attempt to read from freed memory.
 | | | 112 D | Free called twice on same variable.
 | | | 484 S | Attempt to use already freed object.
MEM31-C | Rule | Free dynamically allocated memory when no longer needed | 50 D | Memory not freed after last reference.
MEM33-C | Rule | Allocate and copy structures containing a flexible array member dynamically | 649 S | Use of unallocated flexible array.
 | | | 650 S | Flexible array copy ignores last member.
MEM34-C | Rule | Only free memory allocated dynamically | 407 S | free used on string.
 | | | 483 S | Freed parameter is not heap item.
 | | | 644 S | realloc ptr does not originate from allocation function.
 | | | 645 S | realloc ptr type does not match target type.
 | | | 125 D | free called on variable with no allocated space.
MEM35-C | Rule | Allocate sufficient memory for an object | 400 S | Use of sizeof on a type.
 | | | 487 S | Insufficient space allocated.
 | | | 115 D | Copy length parameter not checked before use.
MEM36-C | Rule | Do not modify the alignment of objects by calling realloc() | 44 S | Use of banned function, type or variable.
MSC00-C | Recommendation | Compile cleanly at high warning levels | | 
MSC01-C | Recommendation | Strive for logical completeness | 48 S | No default case in switch statement.
 | | | 59 S | Else alternative missing in if.
MSC04-C | Recommendation | Use comments consistently and in a readable fashion | 119 S | Nested comment found.
 | | | 302 S | Comment possibly contains code.
 | | | 611 S | Line splice used in // comment.
MSC05-C | Recommendation | Do not manipulate time_t typed values directly | 96 S | Use of mixed mode arithmetic.
 | | | 101 S | Function return type inconsistent.
 | | | 107 S | Type mismatch in ternary expression.
 | | | 433 S | Type conversion without cast.
 | | | 458 S | Implicit conversion: actual to formal param (MR).
MSC06-C | Recommendation | Beware of compiler optimizations | 8 D | DD data flow anomalies found.
 | | | 65 D | Void function has no side effects.
 | | | 76 D | Procedure is not called or referenced in code analysed.
 | | | 105 D | DU anomaly dead code, var value is unused on all paths.
 | | | 1 J | Unreachable Code found.
 | | | 3 J | All internal linkage calls unreachable.
 | | | 35 S | Static procedure is not explicitly called in code analysed.
 | | | 57 S | Statement with no side effect.
MSC09-C | Recommendation | Character encoding: use subset of ASCII for safety | 113 S | Non standard character in source.
 | | | 176 S | Non standard escape sequence in source.
MSC10-C | Recommendation | Character encoding: UTF-8-related issues | 376 S | Use of octal escape sequence.
MSC11-C | Recommendation | Incorporate diagnostic tests using assertions | | 
MSC12-C | Recommendation | Detect and remove code that has no effect or is never executed | 8 D | DD data flow anomalies found.
 | | | 65 D | Void function has no side effects.
 | | | 105 D | DU anomaly dead code, var value is unused on all paths.
 | | | 57 S | Statement with no side effect.
 | | | 139 S | Construct leads to infeasible code.
 | | | 140 S | Infeasible loop condition found.
 | | | 1 J | Unreachable Code found.
MSC13-C | Recommendation | Detect and remove unused values | 1 D | Unused procedure parameter.
 | | | 8 D | DD data flow anomalies found.
 | | | 15 D | Unused procedural parameter.
 | | | 94 D | Named variable declared but not used in code.
 | | | 105 D | DU anomaly dead code, var value is unused on all paths.
MSC14-C | Recommendation | Do not introduce unnecessary platform dependencies | 17 D | Identifier not unique within *** characters.
 | | | 42 S | Use of bit field in structure declaration.
 | | | 69 S | #pragma used.
MSC15-C | Recommendation | Do not depend on undefined behavior | 63 D | No definition in system for prototyped procedure.
 | | | 84 D | No fseek or flush before I/O.
 | | | 113 D | File closed more than once.
 | | | 5 Q | File does not end with new line.
 | | | 64 S | Void procedure used in expression.
 | | | 65 S | Void variable passed as parameter.
 | | | 100 S | #include filename is non conformant.
 | | | 109 S | Array subscript is not integral.
 | | | 156 S | Use of 'defined' keyword in macro body.
 | | | 296 S | Function declared at block scope.
 | | | 324 S | Macro call has wrong number of parameters.
 | | | 335 S | Operator defined contains illegal items.
 | | | 336 S | #if expansion contains define operator.
 | | | 339 S | # with illegal items.
 | | | 412 S | Undefined behaviour, \ before E-O-F.
 | | | 427 S | Filename in #include not in < > or " ".
 | | | 465 S | Struct/union not completely specified.
 | | | 482 S | Incomplete structure referenced.
 | | | 497 S | Type is incomplete in translation unit.
 | | | 545 S | Assignment of overlapping storage.
 | | | 587 S | Const local variable not immediately initialised.
 | | | 608 S | Use of explicitly undefined language feature.
 | | | 647 S | Overlapping data items in memcpy.
 | | | 62 X | Function prototype/defn return type mismatch (MR).
 | | | 63 X | Function prototype/defn param type mismatch (MR).
MSC17-C | Recommendation | Finish every set of statements associated with a case label with a break statement | 62 S | Switch case not terminated with break.
MSC18-C | Recommendation | Be careful while handling sensitive data, such as passwords, in program code | | 
MSC19-C | Recommendation | For functions that return an array, prefer returning an empty array over a null value | | 
MSC20-C | Recommendation | Do not use a switch statement to transfer control into a complex block | 245 S | Case statement in nested block.
MSC21-C | Recommendation | Use robust loop termination conditions | 510 S | Loop counter increment and operator defect.
MSC22-C | Recommendation | Use the setjmp(), longjmp() facility securely | 43 S | Use of setjmp/longjmp.
MSC23-C | Recommendation | Beware of vendor-specific library and language differences | | 
MSC24-C | Recommendation | Do not use deprecated or obsolescent functions | 44 S | Use of banned function, type or variable.
MSC30-C | Rule | Do not use the rand() function for generating pseudorandom numbers | 44 S | Use of banned function, type or variable.
MSC32-C | Rule | Properly seed pseudorandom number generators | | 
MSC33-C | Rule | Do not pass invalid data to the asctime() function | 44 S | Use of banned function, type or variable.
MSC37-C | Rule | Ensure that control never reaches the end of a non-void function | 2 D | Function does not return a value on all paths.
 | | | 36 S | Function has no return statement.
 | | | 66 S | Function with empty return expression.
MSC38-C | Rule | Do not treat a predefined identifier as an object if it might only be implemented as a macro | | 
MSC39-C | Rule | Do not call va_arg() on a va_list that has an indeterminate value | | 
MSC40-C | Rule | Do not violate constraints | 21 S | Number of parameters does not match.
 | | | 145 S | #if has invalid expression.
 | | | 323 S | Switch has more than one default case.
 | | | 345 S | Bit operator with floating point operand.
 | | | 387 S | Enum init not integer-constant-expression.
 | | | 404 S | Array initialisation has too many items.
 | | | 481 S | Array with no bounds in struct.
 | | | 580 S | Macro redefinition without using #undef.
 | | | 612 S | inline function should be declared static.
 | | | 615 S | Conditional operator has incompatible types.
 | | | 646 S | Struct initialisation has too many items.
POS01-C | Recommendation | Check for the existence of links when dealing with files | | 
POS02-C | Recommendation | Follow the principle of least privilege | | 
POS04-C | Recommendation | Avoid using PTHREAD_MUTEX_NORMAL type mutex locks | | 
POS05-C | Recommendation | Limit access to files by creating a jail | | 
POS30-C | Rule | Use the readlink() function properly | | 
POS33-C | Rule | Do not use vfork() | 44 S | Use of banned function, type or variable.
POS34-C | Rule | Do not call putenv() with a pointer to an automatic variable as the argument | | 
POS35-C | Rule | Avoid race conditions while checking for the existence of a symbolic link | | 
POS36-C | Rule | Observe correct revocation order while relinquishing privileges | | 
POS37-C | Rule | Ensure that privilege relinquishment is successful | | 
POS38-C | Rule | Beware of race conditions when using fork and file descriptors | | 
POS39-C | Rule | Use the correct byte ordering when transferring data between systems | | 
POS44-C | Rule | Do not use signals to terminate threads | | 
POS47-C | Rule | Do not use threads that can be canceled asynchronously | | 
POS48-C | Rule | Do not unlock or destroy another POSIX thread's mutex | | 
POS49-C | Rule | When data must be accessed by multiple threads, provide a mutex and guarantee no adjacent data is also accessed | | 
POS50-C | Rule | Declare objects shared between POSIX threads with appropriate storage durations | | 
POS51-C | Rule | Avoid deadlock with POSIX threads by locking in predefined order | | 
POS52-C | Rule | Do not perform operations that can block while holding a POSIX lock | | 
POS53-C | Rule | Do not use more than one mutex for concurrent waiting operations on a condition variable | | 
POS54-C | Rule | Detect and handle POSIX library errors | 80 D | Potentially unused function-modified value.
PRE00-C | Recommendation | Prefer inline or static functions to function-like macros | 340 S | Use of function like macro.
PRE01-C | Recommendation | Use parentheses within macros around parameter names | 78 S | Macro parameter not in brackets.
PRE02-C | Recommendation | Macro replacement lists should be parenthesized | 77 S | Macro replacement list needs parentheses.
PRE03-C | Recommendation | Prefer type definitions to defines for encoding types | 79 S | Macro contains unacceptable items.
PRE04-C | Recommendation | Do not reuse a standard header file name | 568 S | #include "filename" uses standard library name.
PRE05-C | Recommendation | Understand macro replacement when concatenating tokens or performing stringification | 76 S | More than one of # or ## in a macro.
 | | | 125 S | Use of ## or # in a macro.
 | | | 637 S | # operand followed by ##.
PRE06-C | Recommendation | Enclose header files in an inclusion guard | 243 S | Included file not protected with #define.
PRE07-C | Recommendation | Avoid using repeated question marks | 81 S | Use of trigraph.
PRE08-C | Recommendation | Guarantee that header file names are unique | | 
PRE09-C | Recommendation | Do not replace secure functions with less secure functions | | 
PRE10-C | Recommendation | Wrap multistatement macros in a do-while loop | 79 S | Macro contains unacceptable items.
PRE11-C | Recommendation | Do not conclude macro definitions with a semicolon | 79 S | Macro contains unacceptable items.
PRE12-C | Recommendation | Do not define unsafe macros | 35 D | Expression has side effects.
 | | | 1 Q | Call has execution order dependant side effects.
 | | | 562 S | Use of ++,-- or = in macro parameters.
 | | | 572 S | Side effect in assert.
PRE13-C | Recommendation | Use the Standard predefined macros to test for versions and features. | | 
PRE30-C | Rule | Do not create a universal character name through concatenation | 573 S | Macro concatenation of uni char names.
PRE31-C | Rule | Avoid side effects in arguments to unsafe macros | 35 D | Expression has side effects.
 | | | 1 Q | Call has execution order dependant side effects.
 | | | 9 S | Assignment operation in expression.
 | | | 562 S | Use of ++,-- or = in macro parameters.
 | | | 572 S | Side effect in assert.
PRE32-C | Rule | Do not use preprocessor directives in invocations of function-like macros | 341 S | Preprocessor construct as macro parameter.
SIG00-C | Recommendation | Mask signals handled by noninterruptible signal handlers | 44 S | Use of banned function, type or variable.
SIG01-C | Recommendation | Understand implementation-specific details regarding signal handler persistence | 97 D | Signal called from within signal handler.
SIG02-C | Recommendation | Avoid using signals to implement normal functionality | 44 S | Use of banned function, type or variable.
SIG30-C | Rule | Call only asynchronous-safe functions within signal handlers | 88 D | Illegal use of longjmp in signal handler.
 | | | 89 D | Illegal use of raise in signal handler.
SIG31-C | Rule | Do not access shared objects in signal handlers | 87 D | Illegal shared object in signal handler.
SIG34-C | Rule | Do not call signal() from within interruptible signal handlers | 97 D | Signal called from within signal handler.
SIG35-C | Rule | Do not return from a computational exception signal handler | 44 S | Use of banned function, type or variable.
STR00-C | Recommendation | Represent characters using an appropriate type | 329 S | Operation not appropriate to plain char.
 | | | 432 S | Inappropriate type - should be plain char.
STR01-C | Recommendation | Adopt and implement a consistent plan for managing strings | | 
STR02-C | Recommendation | Sanitize data passed to complex subsystems | 108 D | Tainted argument to unprototyped func ptr.
 | | | 109 D | Tainted argument to formatted i/o function.
STR03-C | Recommendation | Do not inadvertently truncate a null-terminated byte string | 44 S | Use of banned function, type or variable.
 | | | 115 S | String incorrectly terminated.
STR04-C | Recommendation | Use plain char for characters in the basic character set | 93 S | Value is not of appropriate type.
 | | | 101 S | Function return type inconsistent.
 | | | 329 S | Operation not appropriate to plain char.
 | | | 432 S | Inappropriate type - should be plain char.
 | | | 458 S | Implicit conversion: actual to formal param (MR).
STR05-C | Recommendation | Use pointers to const when referring to string literals | 623 S | String assigned to non const object.
STR06-C | Recommendation | Do not assume that strtok() leaves the parse string unchanged | 602 S | strtok may change the parse string.
STR07-C | Recommendation | Use the bounds-checking interfaces for string manipulation | 44 S | Use of banned function, type or variable.
STR09-C | Recommendation | Don't assume numeric values for expressions with type plain character | 329 S | Operation not appropriate to plain char.
STR10-C | Recommendation | Do not concatenate different type of string literals | 450 S | Wide string and string concatenated.
STR11-C | Recommendation | Do not specify the bound of a character array initialized with a string literal | 404 S | Array initialisation has too many items.
STR30-C | Rule | Do not attempt to modify string literals | 157 S | Modification of string literal.
STR31-C | Rule | Guarantee that storage for strings has sufficient space for character data and the null terminator | 109 D | Tainted argument to formatted i/o function.
 | | | 489 S | Insufficient space for operation.
 | | | 66 X | Insufficient array space at call.
 | | | 70 X | Array has insufficient space.
 | | | 71 X | Insufficient space for copy.
STR32-C | Rule | Do not pass a non-null-terminated character sequence to a library function that expects a string | 404 S | Array initialisation has too many items.
 | | | 600 S | Argument of strlen is unterminated.
STR34-C | Rule | Cast characters to unsigned types before converting to larger integer sizes | 433 S | Type conversion without cast.
STR37-C | Rule | Arguments to character-handling functions must be representable as an unsigned char | 663 S | Invalid value may be passed to function in
STR38-C | Rule | Do not confuse narrow and wide character strings and functions | | 

General Compliance Notes

Enhanced Enforcement: LDRA checks additional cases to those specified by the mapped rule for enhanced safety and security.

Fully Implemented: LDRA checks all statically checkable aspects of the mapped rule.

Partially Implemented: LDRA checks certain aspects of the rule.

The assessment of whether a rule is fully or partially implemented is based on whether the mapped LDRA standards cover all statically checkable aspects of the rule with a high level of coverage or only cover certain statically checkable aspects of the rule. If a rule is undecidable then this assessment is based on what it is deemed reasonable for a static analysis tool to check.
