Coverity Static Analysis Support for SEI CERT C, C++, and Java Coding Standards

PRE

3

3

100.0

DCL

8

8

100.0

EXP

15

15

100.0

INT

7

7

100.0

FLP

5

5

100.0

ARR

6

6

100.0

STR

6

6

100.0

MEM

6

6

100.0

FIO

13

13

100.0

ENV

5

5

100.0

SIG

4

4

100.0

ERR

4

4

100.0

CON

13

13

100.0

MSC

8

8

100.0

POS

14

17

82.4

WIN

1

1

100.0

Do not create a universal character name through concatenation.

Avoid side effects in arguments to unsafe macros.

Do not use preprocessor directives in invocations of function-like macros.

Declare objects with appropriate storage durations.

Declare identifiers before using them.

Do not declare an identifier with conflicting linkage classifications.

Do not declare or define a reserved identifier.

Use the correct syntax when declaring a flexible array member.

Avoid information leakage when passing a structure across a trust boundary.

Do not create incompatible declarations of the same function or object.

Do not declare variables inside a switch statement before the first case label.

Do not depend on order of evaluation for side effects.

Do not access a volatile object through a nonvolatile reference.

Do not read uninitialized memory.

Do not dereference null pointers.

Do not modify objects with temporary lifetime.

Do not cast pointers into more strictly aligned pointer types.

Call functions with the correct number and type of arguments.

Do not access a variable through a pointer of an incompatible type.

Do not modify constant objects.

Do not compare padding data.

Avoid undefined behavior when using restrict-qualified pointers.

Do not rely on side effects in operands to sizeof, _Alignof, or _Generic.

Do not perform assignments in selection statements.

Do not use a bitwise operator with a Boolean-like operand.

Do not call va_arg with an argument of the incorrect type.

Ensure that unsigned integer operations do not wrap.

Ensure that integer conversions do not result in lost or misinterpreted data.

Ensure that operations on signed integers do not result in overflow.

Ensure that division and remainder operations do not result in divide-by-zero errors.

Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand.

Use correct integer precisions.

Converting a pointer to integer or integer to pointer.

Do not use floating-point variables as loop counters.

Prevent or detect domain and range errors in math functions.

Ensure that floating-point conversions are within range of the new type.

Preserve precision when converting integral values to floating-point type.

Do not use object representations to compare floating-point values.

Do not form or use out of bounds pointers or array subscripts.

Ensure size arguments for variable length arrays are in a valid range.

Do not subtract or compare two pointers that do not refer to the same array.

Do not add or subtract an integer to a pointer to a non-array object.

Guarantee that library functions do not form invalid pointers.

Do not add or subtract a scaled integer to a pointer.

Do not attempt to modify string literals.

Guarantee that storage for strings has sufficient space for character data and the null terminator.

Do not pass a non-null-terminated character sequence to a library function that expects a string.

Cast characters to unsigned char before converting to larger integer sizes.

Arguments to character-handling functions must be representable as an unsigned char.

Do not confuse narrow and wide character strings and functions.

Do not access freed memory.

Free dynamically allocated memory when no longer needed.

Allocate and copy structures containing a flexible array member dynamically.

Only free memory allocated dynamically.

Allocate sufficient memory for an object.

Do not modify the alignment of objects by calling realloc().

Exclude user input from format strings.

Do not perform operations on devices that are only appropriate for files.

Distinguish between characters read from a file and EOF or WEOF.

Do not assume that fgets() or fgetws() returns a nonempty string when successful.

Do not copy a FILE object.

Do not alternately input and output from a stream without an intervening flush or positioning call.

Reset strings on fgets() or fgetws() failure.

Do not call getc(), putc(), getwc(), or putwc() with a stream argument that has side effects.

Close files when they are no longer needed.

Only use values for fsetpos() that are returned from fgetpos().

Avoid TOCTOU race conditions while accessing files.

Do not access a closed file.

Use valid format strings.

Do not modify the object referenced by the return value of certain functions.

Do not rely on an environment pointer following an operation that may invalidate it.

All exit handlers must return normally.

Do not call system().

Do not store pointers returned by certain functions.

Call only asynchronous-safe functions within signal handlers.

Do not access shared objects in signal handlers.

Do not call signal() from within interruptible signal handlers.

Do not return from a computational exception signal handler.

Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure.

Do not rely on indeterminate values of errno.

Detect and handle standard library errors.

Detect errors when converting a string to a number.

Clean up thread-specific storage.

Do not destroy a mutex while it is locked.

Prevent data races when accessing bit-fields from multiple threads.

Avoid race conditions when using library functions.

Declare objects shared between threads with appropriate storage durations.

Avoid deadlock by locking in predefined order.

Wrap functions that can spuriously wake up in a loop.

Do not call signal() in a multithreaded program.

Preserve thread safety and liveness when using condition variables.

Do not join or detach a thread that was previously joined or detached.

Do not refer to an atomic variable twice in an expression.

Wrap functions that can fail spuriously in a loop.

Do not allow data races in multithreaded code.

Do not use the rand() function for generating pseudorandom numbers.

Properly seed pseudorandom number generators.

Do not pass invalid data to the asctime() function.

Ensure that control never reaches the end of a non-void function.

Do not treat a predefined identifier as an object if it might only be implemented as a macro.

Do not call va_arg() on a va_list that has an indeterminate value.

Do not violate constraints.

Never hard code sensitive information.

Use the readlink() function properly.

Do not use vfork().

Do not call putenv() with a pointer to an automatic variable as the argument.

Avoid race conditions while checking for the existence of a symbolic link.

Observe correct revocation order while relinquishing privileges.

Ensure that privilege relinquishment is successful.

Beware of race conditions when using fork and file descriptors.

Use the correct byte ordering when transferring data between systems.

Do not use signals to terminate threads.

Do not use threads that can be canceled asynchronously.

When data must be accessed by multiple threads, provide a mutex and guarantee no adjacent data is also accessed.

Declare objects shared between POSIX threads with appropriate storage durations.

Do not perform operations that can block while holding a POSIX lock.

Detect and handle POSIX library errors.

Properly pair allocation and deallocation functions.

DCL

11

11

100.0

EXP

14

14

100.0

INT

1

1

100.0

CTR

9

9

100.0

STR

4

4

100.0

MEM

8

8

100.0

FIO

2

2

100.0

ERR

13

13

100.0

OOP

9

9

100.0

CON

7

7

100.0

MSC

5

5

100.0

Do not define a C-style variadic function.

Do not declare or define a reserved identifier.

Never qualify a reference type with const or volatile.

Do not write syntactically ambiguous declarations.

Overload allocation and deallocation functions as a pair in the same scope.

Avoid information leakage when passing a class object across a trust boundary.

Avoid cycles during initialization of static objects.

Do not let exceptions escape from destructors or deallocation functions.

Do not modify the standard namespaces.

Do not define an unnamed namespace in a header file.

Obey the one-definition rule.

Do not depend on the order of evaluation for side effects.

Do not delete an array through a pointer of the incorrect type.

Do not rely on side effects in unevaluated operands.

Do not read uninitialized memory.

Do not access an object outside of its lifetime.

Do not access a cv-qualified object through a cv-unqualified type.

Do not call a function with a mismatched language linkage.

Do not cast or delete pointers to incomplete classes.

Pass an object of the correct type to va_start.

Use offsetof() on valid types and members.

Do not pass a nonstandard-layout type object across execution boundaries.

A lambda object must not outlive any of its reference captured objects.

Do not access the bits of an object representation that are not part of the object's value representation.

Do not rely on the value of a moved-from object.

Do not cast to an out-of-range enumeration value.

Guarantee that container indices and iterators are within the valid range.

Use valid references, pointers, and iterators to reference elements of a container.

Guarantee that library functions do not overflow.

Use valid iterator ranges.

Do not subtract iterators that do not refer to the same container.

Do not use an additive operator on an iterator if the result would overflow.

Do not use pointer arithmetic on polymorphic objects.

Provide a valid ordering predicate.

Predicate function objects should not be mutable.

Guarantee that storage for strings has sufficient space for character data and the null terminator.

Do not attempt to create a std::string from a null pointer.

Use valid references, pointers, and iterators to reference elements of a basic_string.

Range check element access.

Do not access freed memory.

Properly deallocate dynamically allocated resources.

Detect and handle memory allocation errors.

Explicitly construct and destruct objects when manually managing object lifetime.

Provide placement new with properly aligned pointers to sufficient storage capacity.

Honor replacement dynamic storage management requirements.

Do not store an already-owned pointer value in an unrelated smart pointer.

Avoid using default operator new for over-aligned types.

Do not alternately input and output from a file stream without an intervening positioning call.

Close files when they are no longer needed.

Do not abruptly terminate the program.

Handle all exceptions.

Do not use setjmp() or longjmp().

Do not reference base classes or class data members in a constructor or destructor function-try-block handler.

Catch handlers should order their parameter types from most derived to least derived.

Honor exception specifications.

Guarantee exception safety.

Do not leak resources when handling exceptions.

Handle all exceptions thrown before main() begins executing.

Do not throw an exception across execution boundaries.

Exception objects must be nothrow copy constructible.

Catch exceptions by lvalue reference.

Detect errors when converting a string to a number.

Do not invoke virtual functions from constructors or destructors.

Do not slice derived objects.

Do not delete a polymorphic object without a virtual destructor.

Write constructor member initializers in the canonical order.

Gracefully handle self-copy assignment.

Do not use pointer-to-member operators to access nonexistent members.

Honor replacement handler requirements.

Prefer special member functions and overloaded operators to C Standard Library functions.

Copy operations must not mutate the source object.

Do not destroy a mutex while it is locked.

Ensure actively held locks are released on exceptional conditions.

Prevent data races when accessing fields from multiple threads.

Avoid deadlocks by locking in a predefined order.

Wrap functions that can spuriously wake up in a loop.

Preserve thread safety and liveness when using condition variables.

Do not speculatively lock a non-recursive mutex that is already owned by the calling thread.

Do not use std::rand() for generating pseudorandom numbers.

Ensure your random number generator is properly seeded.

Value-returning functions must return a value from all exit paths.

Do not return from a function declared [[noreturn]].

A signal handler must be a plain old function.

PRE

7

14

50.0

DCL

14

23

60.9

EXP

11

16

68.8

INT

12

16

75.0

FLP

4

8

50.0

ARR

3

3

100.0

STR

6

12

50.0

MEM

10

17

58.8

FIO

7

20

35.0

ENV

1

3

33.3

SIG

2

3

66.7

ERR

2

8

25.0

API

4

9

44.4

CON

2

8

25.0

MSC

12

22

54.5

POS

3

4

75.0

WIN

3

5

60.0

Prefer inline or static functions to function-like macros.

Enclose header files in an include guard.

Avoid using repeated question marks.

Do not replace secure functions with deprecated or obsolescent functions.

Wrap multistatement macros in a do-while loop.

Do not conclude macro definitions with a semicolon.

Do not define unsafe macros.

Do not reuse variable names in subscopes.

Use visually distinct identifiers.

Use meaningful symbolic constants to represent literal values.

Include the appropriate type information in function declarators.

Maintain the contract between the writer and caller of variadic functions.

Understand the type issues associated with variadic functions.

Implement abstract data types using opaque types.

Declare function parameters that are pointers to values not changed by the function as const.

Declare file-scope objects or functions that do not need external linkage as static.

Use "L," not "l," to indicate a long value.

Do not begin integer constants with 0 when specifying a decimal value.

Minimize the scope of variables and functions.

Use volatile for data that cannot be cached.

Guarantee that mutually visible identifiers are unique.

Use parentheses for precedence of operation.

Do not cast away a const qualification.

Ensure pointer arithmetic is used correctly.

Use sizeof to determine the size of a type or variable.

Do not depend on the order of evaluation of subexpressions or the order in which side effects take place.

Do not ignore values returned by functions.

Treat relational and equality operators as if they were nonassociative.

Do not place a semicolon on the same line as an if, for, or while statement.

Do not compare function pointers to constant values.

Use braces for the body of an if, for, or while statement.

Perform explicit tests to determine success, true and false, and equality.

Understand the data model used by your implementation(s).

Understand integer conversion rules.

Enforce limits on integer values originating from tainted sources.

Use only explicitly signed or unsigned char type for numeric values.

Verify that all integer values are in range.

Ensure enumeration constants map to unique values.

Do not assume a positive remainder when using the % operator.

Do not make assumptions about the type of a plain int bit-field when used in an expression.

Use bitwise operators only on unsigned operands.

Avoid performing bitwise and arithmetic operations on the same data.

Define integer constants in an implementation-independent manner.

Evaluate integer expressions in a larger size before comparing or assigning to that size.

Understand the limitations of floating-point numbers.

Avoid using floating-point numbers when precise computation is needed.

Detect and handle floating-point errors.

Convert integers to floating point for floating-point operations.

Understand how arrays work.

Do not apply the sizeof operator to a pointer when taking the size of an array.

Explicitly specify array bounds, even if implicitly defined by an initializer.

Represent characters using an appropriate type.

Sanitize data passed to complex subsystems.

Do not inadvertently truncate a string.

Do not assume that strtok() leaves the parse string unchanged.

Use the bounds-checking interfaces for string manipulation.

Do not specify the bound of a character array initialized with a string literal.

Allocate and free memory in the same module, at the same level of abstraction.

Store a new value in pointers immediately after free().

Immediately cast the result of a memory allocation function call into a pointer to the allocated type.

Clear sensitive information stored in reusable resources.

Beware of zero-length allocations.

Avoid large stack allocations.

Ensure that sensitive data is not written out to disk.

Ensure that the arguments to calloc(), when multiplied, do not wrap.

Do not assume infinite heap space.

Consider using a goto chain when leaving a function on error when using and releasing resources.

Be careful using functions that use file names for identification.

Canonicalize path names originating from tainted sources.

Create files with appropriate access permissions.

Take care when specifying the mode parameter of fopen().

Avoid unintentional truncation when using fgets() or fgetws().

Do not create temporary files in shared directories.

Do not open a file that is already open.

Do not make assumptions about the size of an environment variable.

Mask signals handled by noninterruptible signal handlers.

Avoid using signals to implement normal functionality.

Adopt and implement a consistent and comprehensive error-handling policy.

Prefer functions that support error checking over equivalent functions that don't.

Functions that read or write to or from an array should take an argument to specify the source or target size.

Provide a consistent and usable error-checking mechanism.

Use conformant array parameters.

Compatible values should have the same type.

Acquire and release synchronization primitives in the same module, at the same level of abstraction.

Do not perform operations that can block while holding a lock.

Compile cleanly at high warning levels.

Strive for logical completeness.

Use comments consistently and in a readable fashion.

Detect and remove code that has no effect or is never executed.

Detect and remove unused values.

Do not depend on undefined behavior.

Finish every set of statements associated with a case label with a break statement.

Be careful while handling sensitive data, such as passwords, in program code.

Do not use a switch statement to transfer control into a complex block.

Use robust loop termination conditions.

Use the setjmp(), longjmp() facility securely.

Do not use deprecated or obsolescent functions.

Check for the existence of links when dealing with files.

Follow the principle of least privilege.

Limit access to files by creating a jail.

Be specific when dynamically loading libraries.

Do not forcibly terminate execution.

Restrict privileges when spawning child processes.

IDS

11

11

100.0

DCL

3

3

100.0

EXP

6

7

85.7

NUM

13

13

100.0

STR

5

5

100.0

OBJ

10

13

76.9

MET

12

14

85.7

ERR

10

10

100.0

VNA

6

6

100.0

LCK

12

12

100.0

THI

6

6

100.0

TPS

5

5

100.0

TSM

4

4

100.0

FIO

16

16

100.0

SER

12

13

92.3

SEC

8

8

100.0

ENV

3

7

42.9

JNI

2

5

40.0

MSC

9

12

75.0

DRD

0

30

0.0

Prevent SQL injection.

Normalize strings before validating them.

Do not log unsanitized user input.

Safely extract files from ZipInputStream.

Exclude unsanitized user input from format strings.

Sanitize untrusted data passed to the Runtime.exec() method.

Sanitize untrusted data included in a regular expression.

Perform any string modifications before validation.

Do not trust the contents of hidden form fields.

Prevent XML Injection.

Prevent XML External Entity Attacks.

Prevent class initialization cycles.

Do not reuse public identifiers from the Java Standard Library.

Do not modify the collection's elements during an enhanced for statement.

Do not ignore values returned by methods.

Do not use a null in a case where an object is required.

Do not use the Object.equals() method to compare two arrays.

Do not use the equality operators when comparing values of boxed primitives.

Do not follow a write by a subsequent write or read of the same object within an expression.

Expressions used in assertions must not produce side effects.

Detect or prevent integer overflow.

Do not perform bitwise and arithmetic operations on the same data.

Ensure that division and remainder operations do not result in divide-by-zero errors.

Use integer types that can fully represent the possible range of unsigned data.

Do not use floating-point numbers if precise computation is required.

Do not attempt comparisons with NaN.

Check floating-point inputs for exceptional values.

Do not use floating-point variables as loop counters.

Do not construct BigDecimal objects from floating-point literals.

Do not compare or inspect the string representation of floating-point values.

Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data.

Avoid loss of precision when converting primitive integers to floating-point.

Use shift operators correctly.

Don't form strings containing partial characters from variable-width encodings.

Do not assume that a Java char fully represents a Unicode code point.

Specify an appropriate locale when comparing locale-dependent data.

Do not encode noncharacter data as a string.

Use compatible character encodings when communicating string data between JVMs.

Limit accessibility of fields.

Provide mutable classes with copy functionality to safely allow passing instances to untrusted code.

Do not return references to private mutable class members.

Defensively copy mutable inputs and mutable internal components.

Sensitive classes must not let themselves be copied.

Do not expose private members of an outer class from within a nested class.

Compare classes and not class names.

Do not use public static nonfinal fields.

Be wary of letting constructors throw exceptions.

Ensure that references to mutable objects are not exposed.

Validate method arguments.

Never use assertions to validate method arguments.

Do not use deprecated or obsolete classes or methods.

Methods that perform a security check must be declared private or final.

Do not increase the accessibility of overridden or hidden methods.

Ensure that constructors do not call overridable methods.

Do not invoke overridable methods in clone().

Never declare a class method that hides a method declared in a superclass or superinterface.

Preserve the equality contract when overriding the equals() method.

Classes that define an equals() method must also define a hashCode() method.

Ensure that keys used in comparison operations are immutable.

Do not use finalizers.

Do not suppress or ignore checked exceptions.

Do not allow exceptions to expose sensitive information.

Prevent exceptions while logging data.

Restore prior object state on method failure.

Do not complete abruptly from a finally block.

Do not let checked exceptions escape from a finally block.

Do not throw undeclared checked exceptions.

Do not throw RuntimeException, Exception, or Throwable.

Do not catch NullPointerException or any of its ancestors.

Do not allow untrusted code to terminate the JVM.

Ensure visibility when accessing shared primitive variables.

Ensure visibility of shared references to immutable objects.

Ensure that compound operations on shared variables are atomic.

Do not assume that a group of calls to independently atomic methods is atomic.

Ensure that calls to chained methods are atomic.

Ensure atomicity when reading and writing 64-bit values.

Use private final lock objects to synchronize classes that may interact with untrusted code.

Do not synchronize on objects that may be reused.

Do not synchronize on the class object returned by getClass().

Do not synchronize on the intrinsic locks of high-level concurrency objects.

Do not synchronize on a collection view if the backing collection is accessible.

Synchronize access to static fields that can be modified by untrusted code.

Do not use an instance lock to protect shared static data.

Avoid deadlock by requesting and releasing locks in the same order.

Ensure actively held locks are released on exceptional conditions.

Do not perform operations that can block while holding a lock.

Use a correct form of the double-checked locking idiom.

Avoid client-side locking when using classes that do not commit to their locking strategy.

Do not invoke Thread.run().

Do not invoke ThreadGroup methods.

Notify all waiting threads rather than a single thread.

Always invoke wait() and await() methods inside a loop.

Ensure that threads performing blocking operations can be terminated.

Do not use Thread.stop() to terminate threads.

Use thread pools to enable graceful degradation of service during traffic bursts.

Do not execute interdependent tasks in a bounded thread pool.

Ensure that tasks submitted to a thread pool are interruptible.

Ensure that tasks executing in a thread pool do not fail silently.

Ensure ThreadLocal variables are reinitialized when using thread pools.

Do not override thread-safe methods with methods that are not thread-safe.

Do not let the this reference escape during object construction.

Do not use background threads during class initialization.

Do not publish partially initialized objects.

Do not operate on files in shared directories.

Create files with appropriate access permissions.

Detect and handle file-related errors.

Remove temporary files before termination.

Release resources when they are no longer needed.

Do not expose buffers or their backing arrays methods to untrusted code.

Do not create multiple buffered wrappers on a single byte or character stream.

Do not let external processes block on IO buffers.

Distinguish between characters or bytes read from a stream and -1.

Do not rely on the write() method to output integers outside the range 0 to 255.

Ensure the array is filled when using read() to fill an array.

Provide methods to read and write little-endian data.

Do not log sensitive information outside a trust boundary.

Perform proper cleanup at program termination.

Do not reset a servlet's output stream after committing it.

Canonicalize path names before validating them.

Enable serialization compatibility during class evolution.

Do not deviate from the proper signatures of serialization methods.

Sign then seal objects before sending them outside a trust boundary.

Do not allow serialization and deserialization to bypass the security manager.

Do not serialize instances of inner classes.

Make defensive copies of private mutable components during deserialization.

Do not use the default serialized form for classes with implementation-defined invariants.

Minimize privileges before deserializing from a privileged context.

Do not invoke overridable methods from the readObject() method.

Avoid memory and resource leaks during serialization.

Prevent overwriting of externalizable objects.

Prevent deserialization of untrusted data.

Do not allow privileged blocks to leak sensitive information across a trust boundary.

Do not allow tainted variables in privileged blocks.

Do not base security checks on untrusted sources.

Do not load trusted classes after allowing untrusted code to load arbitrary classes.

Protect sensitive operations with security manager checks.

Do not use reflection to increase accessibility of classes, methods, or fields.

Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar.

Call the superclass's getPermissions() method when writing a custom class loader.

Do not trust the values of environment variables.

Do not grant dangerous combinations of permissions.

Production code must not contain debugging entry points.

Define wrappers around native methods.

Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance (loadLibrary).

Use SSLSocket rather than Socket for secure data exchange.

Do not use an empty infinite loop.

Generate strong random numbers.

Never hard code sensitive information.

Do not leak memory.

Do not exhaust heap space.

Do not modify the underlying collection when an iteration is in progress.

Prevent multiple instantiations of singleton objects.

Do not let session information leak within a servlet.