DATASHEET
CERT C Recommendations Enforcement
(Website 7 December 2023)
POSIX Recommendations are listed separately and not included in total
(Some Recommendations may not be statically enforceable)
ENFORCEMENT HELIX QAC 2024.2
|
| Total |
|---|---|---|
a | Total Number of Recommendations (not including POSIX and WIN) | 177 |
b | Total Number of Enforced Recommendations | 85 |
c | Total Number of Unenforced Recommendations | 92 |
d | Enforce Recommendations Percentage (b/a) | 48% |
e | Unenforced Recommendations Percentage (c/a) | 52% |
Rec ID | Description | Level | Enforced |
|---|---|---|---|
Rec 01. Preprocessors (PRE) | |||
PRE00-C | Prefer inline or static functions to function-like macros | L3 | Yes |
PRE01-C | Use parentheses within macros around parameter names | L1 | Yes |
PRE02-C | Macro replacement lists should be parenthesized | L1 | Yes |
PRE03-C | Prefer typedefs to defines for encoding non-pointer types | L3 | Yes |
PRE04-C | Do not reuse a standard header file name | L3 | Yes |
PRE05-C | Understand macro replacement when concatenating tokens or performing stringification | L3 | Yes |
PRE06-C | Enclose header files in an inclusion guard | L3 | Yes |
PRE07-C | Avoid using repeated question marks | L3 | Yes |
PRE08-C | Guarantee that header file names are unique | L3 | Yes |
PRE09-C | Do not replace secure functions with deprecated or obsolescent functions | L1 | Yes |
PRE10-C | Wrap multi-statement macros in a do-while loop | L1 | Yes |
PRE11-C | Do not conclude macro definitions with a semicolon | L1 | Yes |
PRE12-C | Do not define unsafe macros | L2 | Yes |
PRE13-C | Use the Standard predefined macros to test for versions and features. | L2 | No |
Rec 02. Declarations and Initialization(DCL) | |||
DCL00-C | Const-qualify immutable objects | L3 | Yes |
DCL01-C | Do not reuse variable names in subscopes | L3 | Yes |
DCL02-C | Use visually distinct identifiers | L3 | No |
DCL03-C | Use a static assertion to test the value of a constant expression | L3 | No |
DCL04-C | Do not declare more than one variable per declaration | L3 | No |
DCL05-C | Use typedefs of non-pointer types only | L3 | Yes |
DCL06-C | Use meaningful symbolic constants to represent literal values | L3 | Yes |
DCL07-C | Include the appropriate type information in function declarators | L3 | Yes |
DCL08-C | Properly encode relationships in constant definitions | L3 | No |
DCL09-C | Declare functions that return errno with a return type of errno_t | L3 | No |
DCL10-C | Maintain the contract between the writer and caller of variadic functions | L2 | Yes |
DCL11-C | Understand the type issues associated with variadic functions | L2 | Yes |
DCL12-C | Implement abstract data types using opaque types | L3 | No |
DCL13-C | Declare function parameters that are pointers to values not changed by the function as const | L3 | Yes |
DCL15-C | Declare file-scope objects or functions that do not need external linkage as static | L3 | Yes |
DCL16-C | Use 'L', not 'l', to indicate a long value | L3 | Yes |
DCL17-C | Beware of miscompiled volatile-qualified variables | L3 | No |
DCL18-C | Do not begin integer constants with 0 when specifying a decimal value | L3 | Yes |
DCL19-C | Minimize the scope of variables and functions | L3 | Yes |
DCL20-C | Explicitly specify void when a function accepts no arguments | L1 | Yes |
DCL21-C | Understand the storage of compound literals | L3 | Yes |
DCL22-C | Use volatile for data that cannot be cached | L3 | No |
DCL23-C | Guarantee that mutually visible identifiers are unique | L2 | Yes |
Rec 03. Expressions (EXP) | |||
EXP00-C | Use parentheses for precedence of operation | L3 | Yes |
EXP02-C | Be aware of the short-circuit behavior of the logical AND and OR operators | L3 | Yes |
EXP03-C | Do not assume the size of a structure is the sum of the sizes of its members | L3 | Yes |
EXP05-C | Do not cast away a const qualification | L2 | Yes |
EXP07-C | Do not diminish the benefits of constants by assuming their values in expressions | L3 | Yes |
EXP08-C | Ensure pointer arithmetic is used correctly | L2 | Yes |
EXP09-C | Use sizeof to determine the size of a type or variable | L2 | No |
EXP10-C | Do not depend on the order of evaluation of subexpressions or the order in which side effects take place | L2 | Yes |
EXP11-C | Do not make assumptions regarding the layout of structures with bit-fields | L2 | Yes |
EXP12-C | Do not ignore values returned by functions | L3 | Yes |
EXP13-C | Treat relational and equality operators as if they were nonassociative | L3 | Yes |
EXP14-C | Beware of integer promotion when performing bitwise operations on integer types smaller than int | L3 | No |
EXP15-C | Do not place a semicolon on the same line as an if, for, or while statement | L1 | Yes |
EXP16-C | Do not compare function pointers to constant values | L2 | Yes |
EXP19-C | Use braces for the body of an if, for, or while statement | L2 | Yes |
EXP20-C | Perform explicit tests to determine success, true and false, and equality | L1 | Yes |
Rec 04. Integers (INT) | |||
INT00-C | Understand the data model used by your implementation(s) | L3 | No |
INT01-C | Use rsize_t or size_t for all integer values representing the size of an object | L2 | No |
INT02-C | Understand integer conversion rules | L2 | Yes |
INT04-C | Enforce limits on integer values originating from tainted sources | L2 | Yes |
INT05-C | Do not use input functions to convert character data if they cannot handle all possible inputs | L3 | Yes |
INT07-C | Use only explicitly signed or unsigned char type for numeric values | L2 | Yes |
INT08-C | Verify that all integer values are in range | L3 | Yes |
INT09-C | Ensure enumeration constants map to unique values | L3 | Yes |
INT10-C | Do not assume a positive remainder when using the % operator | L3 | Yes |
INT12-C | Do not make assumptions about the type of a plain int bit-field when used in an expression | L3 | Yes |
INT13-C | Use bitwise operators only on unsigned operands | L2 | Yes |
INT14-C | Avoid performing bitwise and arithmetic operations on the same data | L3 | No |
INT15-C | Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types | L2 | No |
INT16-C | Do not make assumptions about representation of signed integers | L3 | Yes |
INT17-C | Define integer constants in an implementation-independent manner | L1 | No |
INT18-C | Evaluate integer expressions in a larger size before comparing or assigning to that size | L1 | Yes |
Rec 05. Floating Point (FLP) | |||
FLP00-C | Understand the limitations of floating-point numbers | L3 | Yes |
FLP01-C | Take care in rearranging floating-point expressions | L3 | No |
FLP02-C | Avoid using floating-point numbers when precise computation is needed | L3 | Yes |
FLP03-C | Detect and handle floating-point errors | L3 | No |
FLP04-C | Check floating-point inputs for exceptional values | L3 | No |
FLP05-C | Do not use denormalized numbers | L3 | No |
FLP06-C | Convert integers to floating point for floating point operations | L2 | Yes |
FLP07-C | Cast the return value of a function that returns a floating-point type | L3 | No |
Rec 06. Arrays(ARR) | |||
ARR00-C | Understand how arrays work | L2 | No |
ARR01-C | Do not apply the sizeof operator to a pointer when taking the size of an array | L1 | No |
ARR02-C | Explicitly specify array bounds, even if implicitly defined by an initializer | L2 | Yes |
Rec 07. Characters and String (STR) | |||
STR00-C | Represent characters using an appropriate type | L1 | No |
STR01-C | Adopt and implement a consistent plan for managing strings | L3 | No |
STR02-C | Sanitize data passed to complex subsystems | L1 | No |
STR03-C | Do not inadvertently truncate a string | L2 | No |
STR04-C | Use plain char for characters in the basic character set | L3 | Yes |
STR05-C | Use pointers to const when referring to string literals | L3 | Yes |
STR06-C | Do not assume that strtok() leaves the parse string unchanged | L1 | Yes |
STR07-C | Use the bounds-checking interfaces for string manipulation | L1 | Yes |
STR08-C | Use managed strings for development of new string manipulation code | L2 | No |
STR09-C | Don't assume numeric values for expressions with type plain character | L3 | Yes |
STR10-C | Do not concatenate different type of string literals | L3 | Yes |
STR11-C | Do not specify the bound of a character array initialized with a string literal | L2 | Yes |
Rec 08. Memory management (MEM) | |||
MEM00-C | Allocate and free memory in the same module, at the same level of abstraction | L1 | No |
MEM01-C | Store a new value in pointers immediately after free() | L2 | No |
MEM02-C | Immediately cast the result of a memory allocation function call into a pointer to the allocated type | L3 | Yes |
MEM03-C | Clear sensitive information stored in reusable resources | L3 | Yes |
MEM04-C | Beware of zero-length allocations | L2 | No |
MEM05-C | Avoid large stack allocations | L2 | Yes |
MEM06-C | Ensure that sensitive data is not written out to disk | L3 | No |
MEM07-C | Ensure that the arguments to calloc(), when multiplied, do not wrap | L2 | No |
MEM10-C | Define and use a pointer validation function | L3 | No |
MEM11-C | Do not assume infinite heap space | L3 | No |
MEM12-C | Consider using a goto chain when leaving a function on error when using and releasing resources | L3 | No |
Rec 09. Input Output (FIO) | |||
FIO01-C | Be careful using functions that use file names for identification | L1 | Yes |
FIO02-C | Consider using a goto chain when leaving a function on error when using and releasing resources | L2 | No |
FIO03-C | Do not make assumptions about fopen() and file creation | L3 | Yes |
FIO05-C | Identify files using multiple file attributes | L2 | No |
FIO06-C | Create files with appropriate access permissions | L3 | Yes |
FIO08-C | Take care when calling remove() on an open file | L3 | Yes |
FIO09-C | Be careful with binary data when transferring data across systems | L3 | No |
FIO10-C | Take care when using the rename() function | L2 | Yes |
FIO11-C | Take care when specifying the mode parameter of fopen() | L2 | No |
FIO13-C | Never push back anything other than one read character | L3 | No |
FIO14-C | Understand the difference between text mode and binary mode with file streams | L3 | No |
FIO15-C | Ensure that file operations are performed in a secure directory | L3 | No |
FIO17-C | Do not rely on an ending null character when using fread() | L2 | No |
FIO18-C | Never expect fwrite() to terminate the writing process at a null character | L2 | No |
FIO19-C | Do not use fseek() and ftell() to compute the size of a regular file | L3 | No |
FIO20-C | Avoid unintentional truncation when using fgets() or fgetws() | L1 | No |
FIO21-C | Do not create temporary files in shared directories | L2 | Yes |
FIO22-C | Close files before spawning processes | L3 | No |
FIO23-C | Do not exit with unflushed data in stdout or stderr | L3 | No |
FIO24-C | Do not open a file that is already open | L3 | No |
Rec 10. Environment (ENV) | |||
ENV01-C | Do not make assumptions about the size of an environment variable | L1 | No |
ENV02-C | Beware of multiple environment variables with the same effective name | L3 | No |
ENV03-C | Sanitize the environment when invoking external programs | L2 | Yes |
Rec 11. Signals (SIG) | |||
SIG00-C | Mask signals handled by noninterruptible signal handlers | L2 | Yes |
SIG01-C | Understand implementation-specific details regarding signal handler persistence | L3 | Yes |
SIG02-C | Avoid using signals to implement normal functionality | L1 | No |
Rec 12. Error Handling (ERR) | |||
ERR00-C | Adopt and implement a consistent and comprehensive error-handling policy | L3 | No |
ERR01-C | Use ferror() rather than errno to check for FILE stream errors | L2 | No |
ERR02-C | Avoid in-band error indicators | L3 | No |
ERR03-C | Use runtime-constraint handlers when calling the bounds-checking interfaces | L3 | No |
ERR04-C | Choose an appropriate termination strategy | L3 | No |
ERR05-C | Application-independent code should provide error detection without dictating error handling | L3 | No |
ERR06-C | Understand the termination behavior of assert() and abort() | L3 | No |
ERR07-C | Prefer functions that support error checking over equivalent functions that don't | L2 | No |
Rec 13. Application Programming Interfaces (API) | |||
API00-C | Functions should validate their parameters | L3 | No |
API01-C | Avoid laying out strings in memory directly before sensitive data | L2 | No |
API02-C | Functions that read or write to or from an array should take an argument to specify the source or target size | L2 | No |
API03-C | Create consistent interfaces and capabilities across related functions | L3 | No |
API04-C | Provide a consistent and usable error-checking mechanism | L3 | No |
API05-C | Use conformant array parameters | L1 | No |
API07-C | Enforce type safety | L3 | No |
API09-C | Compatible values should have the same type | L3 | No |
API10-C | APIs should have security options enabled by default | L1 | No |
Rec 14. Concurrency (CON) | |||
CON01-C | Acquire and release synchronization primitives in the same module, at the same level of abstraction | L3 | No |
CON02-C | Do not use volatile as a synchronization primitive | L2 | No |
CON03-C | Ensure visibility when accessing shared variables | L2 | No |
CON04-C | Join or detach threads even if their exit status is unimportant | L3 | No |
CON05-C | Do not perform operations that can block while holding a lock | L3 | No |
CON06-C | Ensure that every mutex outlives the data it protects | L2 | No |
CON07-C | Ensure that compound operations on shared variables are atomic | L2 | No |
CON08-C | Do not assume that a group of calls to independently atomic methods is atomic | L3 | No |
CON09-C | Avoid the ABA problem when using lock-free algorithms | L3 | No |
Rec 48. Miscellaneous (MISC) | |||
MSC00-C | Compile cleanly at high warning levels | L2 | No |
MSC01-C | Strive for logical completeness | L2 | Yes |
MSC04-C | Use comments consistently and in a readable fashion | L3 | Yes |
MSC05-C | Do not manipulate time_t typed values directly | L3 | No |
MSC06-C | Beware of compiler optimizations | L2 | No |
MSC07-C | Detect and remove dead code | L3 | No |
MSC09-C | Character encoding: Use subset of ASCII for safety | L3 | Yes |
MSC10-C | Character encoding: UTF8-related issues | L3 | No |
MSC11-C | Incorporate diagnostic tests using assertions | L3 | No |
MSC12-C | Detect and remove code that has no effect or is never executed | L3 | Yes |
MSC13-C | Detect and remove unused values | L3 | Yes |
MSC14-C | Do not introduce unnecessary platform dependencies | L3 | Yes |
MSC15-C | Do not depend on undefined behavior | L1 | Yes |
MSC17-C | Finish every set of statements associated with a case label with a break statement | L1 | Yes |
MSC18-C | Be careful while handling sensitive data, such as passwords, in program code | L2 | No |
MSC19-C | For functions that return an array, prefer returning an empty array over a null value | L3 | No |
MSC20-C | Do not use a switch statement to transfer control into a complex block | L2 | Yes |
MSC21-C | Use robust loop termination conditions | L3 | No |
MSC22-C | Use the setjmp(), longjmp() facility securely | L3 | No |
MSC23-C | Beware of vendor-specific library and language differences | L1 | No |
MSC24-C | Do not use deprecated or obsolescent functions | L1 | No |
MSC25-C | Do not use insecure or weak cryptographic algorithms | L3 | No |
POSIX
Rule ID | Description | Level | Enforced |
|---|---|---|---|
Rec 50. POSIX (POS) | |||
POS01-C | Check for the existence of links when dealing with files | L2 | No |
POS02-C | Follow the principle of least privilege | L2 | No |
POS04-C | Avoid using PTHREAD_MUTEX_NORMAL type mutex locks | L3 | No |
POS05-C | Limit access to files by creating a jail | L3 | No |
Microsoft Windows
Rule ID | Description | Level | Enforced |
|---|---|---|---|
Rec 51. Microsoft Windows (WIN) | |||
WIN00-C | Be specific when dynamically loading libraries | L2 | No |
WIN01-C | Do not forcibly terminate execution | L2 | No |
WIN02-C | Restrict privileges when spawning child processes | L2 | No |
WIN03-C | Understand HANDLE inheritance | L2 | No |
WIN04-C | Consider encrypting function pointers | L2 | No |