DATASHEET

CERT C Recommendations Enforcement

(Website 7 December 2023)
POSIX Recommendations are listed separately and not included in total
(Some Recommendations may not be statically enforceable)

ENFORCEMENT HELIX QAC 2023.4

 

 

Total

a

Total Number of Recommendations (not including POSIX)

167

b

Total Number of Enforced Recommendations

85

c

Total Number of Unenforced Recommendations

82

d

Enforce Recommendations Percentage (b/a)

51%

e

Unenforced Recommendations Percentage (c/a)

49%

Rule ID

Description

Enforced

Rule 01. Preprocessors (PRE)

  

PRE00-C

Prefer inline or static functions to function-like macros

Yes

PRE01-C

Use parentheses within macros around parameter names

Yes

PRE02-C

Macro replacement lists should be parenthesized

Yes

PRE03-C

Prefer typedefs to defines for encoding non-pointer types

Yes

PRE04-C

Do not reuse a standard header file name

Yes

PRE05-C

Understand macro replacement when concatenating tokens or performing stringification

Yes

PRE06-C

Enclose header files in an inclusion guard

Yes

PRE07-C

Avoid using repeated question marks

Yes

PRE08-C

Guarantee that header file names are unique

Yes

PRE09-C

Do not replace secure functions with deprecated or obsolescent functions

Yes

PRE10-C

Wrap multi-statement macros in a do-while loop

Yes

PRE11-C

Do not conclude macro definitions with a semicolon

Yes

PRE12-C

Do not define unsafe macros

Yes

PRE13-C

Use the Standard predefined macros to test for versions and features.

No

Rule 02. Declarations and Initialization (DCL)

  

DCL00-C

Const-qualify immutable objects

Yes

DCL01-C

Do not reuse variable names in subscopes

Yes

DCL02-C

Use visually distinct identifiers

No

DCL03-C

Use a static assertion to test the value of a constant expression

No

DCL04-C

Do not declare more than one variable per declaration

No

DCL05-C

Use typedefs of non-pointer types only

Yes

DCL06-C

Use meaningful symbolic constants to represent literal values

Yes

DCL07-C

Include the appropriate type information in function declarators

Yes

DCL08-C

Properly encode relationships in constant definitions

No

DCL09-C

Declare functions that return errno with a return type of errno_t

No

DCL10-C

Maintain the contract between the writer and caller of variadic functions

Yes

DCL11-C

Understand the type issues associated with variadic functions

Yes

DCL12-C

Implement abstract data types using opaque types

No

DCL13-C

Declare function parameters that are pointers to values not changed by the function as const

Yes

DCL15-C

Declare file-scope objects or functions that do not need external linkage as static

Yes

DCL16-C

Use 'L', not 'l', to indicate a long value

Yes

DCL17-C

Beware of miscompiled volatile-qualified variables

No

DCL18-C

Do not begin integer constants with 0 when specifying a decimal value

Yes

DCL19-C

Minimize the scope of variables and functions

Yes

DCL20-C

Explicitly specify void when a function accepts no arguments

Yes

DCL21-C

Understand the storage of compound literals

Yes

DCL22-C

Use volatile for data that cannot be cached

No

DCL23-C

Guarantee that mutually visible identifiers are unique

Yes

Rule 03. Expressions (EXP)

  

EXP00-C

Use parentheses for precedence of operation

Yes

EXP02-C

Be aware of the short-circuit behavior of the logical AND and OR operators

Yes

EXP03-C

Do not assume the size of a structure is the sum of the sizes of its members

Yes

EXP05-C

Do not cast away a const qualification

Yes

EXP07-C

Do not diminish the benefits of constants by assuming their values in expressions

Yes

EXP08-C

Ensure pointer arithmetic is used correctly

Yes

EXP09-C

Use sizeof to determine the size of a type or variable

No

EXP10-C

Do not depend on the order of evaluation of subexpressions or the order in which side effects take place

Yes

EXP11-C

Do not make assumptions regarding the layout of structures with bit-fields

Yes

EXP12-C

Do not ignore values returned by functions

Yes

EXP13-C

Treat relational and equality operators as if they were nonassociative

Yes

EXP14-C

Beware of integer promotion when performing bitwise operations on integer types smaller than int

No

EXP15-C

Do not place a semicolon on the same line as an if, for, or while statement

Yes

EXP16-C

Do not compare function pointers to constant values

Yes

EXP19-C

Use braces for the body of an if, for, or while statement

Yes

EXP20-C

Perform explicit tests to determine success, true and false, and equality

Yes

Rule 04. Integers (INT)

  

INT00-C

Understand the data model used by your implementation(s)

No

INT01-C

Use rsize_t or size_t for all integer values representing the size of an object

No

INT02-C

Understand integer conversion rules

Yes

INT04-C

Enforce limits on integer values originating from tainted sources

Yes

INT05-C

Do not use input functions to convert character data if they cannot handle all possible inputs

Yes

INT07-C

Use only explicitly signed or unsigned char type for numeric values

Yes

INT08-C

Verify that all integer values are in range

Yes

INT09-C

Ensure enumeration constants map to unique values

Yes

INT10-C

Do not assume a positive remainder when using the % operator

Yes

INT12-C

Do not make assumptions about the type of a plain int bit-field when used in an expression

Yes

INT13-C

Use bitwise operators only on unsigned operands

Yes

INT14-C

Avoid performing bitwise and arithmetic operations on the same data

No

INT15-C

Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types

No

INT16-C

Do not make assumptions about representation of signed integers

Yes

INT17-C

Define integer constants in an implementation-independent manner

No

INT18-C

Evaluate integer expressions in a larger size before comparing or assigning to that size

Yes

Rule 05. Floating Point (FLP)

  

FLP00-C

Understand the limitations of floating-point numbers

Yes

FLP01-C

Take care in rearranging floating-point expressions

No

FLP02-C

Avoid using floating-point numbers when precise computation is needed

Yes

FLP03-C

Detect and handle floating-point errors

No

FLP04-C

Check floating-point inputs for exceptional values

No

FLP05-C

Do not use denormalized numbers

No

FLP06-C

Convert integers to floating point for floating point operations

Yes

FLP07-C

Cast the return value of a function that returns a floating-point type

No

Rule 06. Arrays (ARR)

  

ARR00-C

Understand how arrays work

No

ARR01-C

Do not apply the sizeof operator to a pointer when taking the size of an array

No

ARR02-C

Explicitly specify array bounds, even if implicitly defined by an initializer

Yes

Rule 07. Characters and String (STR)

  

STR00-C

Represent characters using an appropriate type

No

STR01-C

Adopt and implement a consistent plan for managing strings

No

STR02-C

Sanitize data passed to complex subsystems

No

STR03-C

Do not inadvertently truncate a string

No

STR04-C

Use plain char for characters in the basic character set

Yes

STR05-C

Use pointers to const when referring to string literals

Yes

STR06-C

Do not assume that strtok() leaves the parse string unchanged

Yes

STR07-C

Use the bounds-checking interfaces for string manipulation

Yes

STR08-C

Use managed strings for development of new string manipulation code

No

STR09-C

Don't assume numeric values for expressions with type plain character

Yes

STR10-C

Do not concatenate different type of string literals

Yes

STR11-C

Do not specify the bound of a character array initialized with a string literal

Yes

Rule 08. Memory management (MEM)

  

MEM00-C

Allocate and free memory in the same module, at the same level of abstraction

No

MEM01-C

Store a new value in pointers immediately after free()

No

MEM02-C

Immediately cast the result of a memory allocation function call into a pointer to the allocated type

Yes

MEM03-C

Clear sensitive information stored in reusable resources

Yes

MEM04-C

Beware of zero-length allocations

No

MEM05-C

Avoid large stack allocations

Yes

MEM06-C

Ensure that sensitive data is not written out to disk

No

MEM07-C

Ensure that the arguments to calloc(), when multiplied, do not wrap

No

MEM10-C

Define and use a pointer validation function

No

MEM11-C

Do not assume infinite heap space

No

MEM12-C

Consider using a goto chain when leaving a function on error when using and releasing resources

No

Rule 09. Input Output (FIO)

  

FIO01-C

Be careful using functions that use file names for identification

Yes

FIO02-C

Consider using a goto chain when leaving a function on error when using and releasing resources

No

FIO03-C

Do not make assumptions about fopen() and file creation

Yes

FIO05-C

Identify files using multiple file attributes

No

FIO06-C

Create files with appropriate access permissions

Yes

FIO08-C

Take care when calling remove() on an open file

Yes

FIO09-C

Be careful with binary data when transferring data across systems

No

FIO10-C

Take care when using the rename() function

Yes

FIO11-C

Take care when specifying the mode parameter of fopen()

No

FIO13-C

Never push back anything other than one read character

No

FIO14-C

Understand the difference between text mode and binary mode with file streams

No

FIO15-C

Ensure that file operations are performed in a secure directory

No

FIO17-C

Do not rely on an ending null character when using fread()

No

FIO18-C

Never expect fwrite() to terminate the writing process at a null character

No

FIO19-C

Do not use fseek() and ftell() to compute the size of a regular file

No

FIO20-C

Avoid unintentional truncation when using fgets() or fgetws()

No

FIO21-C

Do not create temporary files in shared directories

Yes

FIO22-C

Close files before spawning processes

No

FIO23-C

Do not exit with unflushed data in stdout or stderr

No

FIO24-C

Do not open a file that is already open

No

Rule 10. Environment (ENV)

  

ENV01-C

Do not make assumptions about the size of an environment variable

No

ENV02-C

Beware of multiple environment variables with the same effective name

No

ENV03-C

Sanitize the environment when invoking external programs

Yes

Rule 11. Signals (SIG)

  

SIG00-C

Mask signals handled by noninterruptible signal handlers

Yes

SIG01-C

Understand implementation-specific details regarding signal handler persistence

Yes

SIG02-C

Avoid using signals to implement normal functionality

No

Rule 12. Error Handling (ERR)

  

ERR00-C

Adopt and implement a consistent and comprehensive error-handling policy

No

ERR01-C

Use ferror() rather than errno to check for FILE stream errors

No

ERR02-C

Avoid in-band error indicators

No

ERR03-C

Use runtime-constraint handlers when calling the bounds-checking interfaces

No

ERR04-C

Choose an appropriate termination strategy

No

ERR05-C

Application-independent code should provide error detection without dictating error handling

No

ERR06-C

Understand the termination behavior of assert() and abort()

No

ERR07-C

Prefer functions that support error checking over equivalent functions that don't

No

ERR08-C

Restore prior data state when recovering from a failed operation

No

Rule 14. Concurrency (CON)

  

CON01-C

Acquire and release synchronization primitives in the same module, at the same level of abstraction

No

CON02-C

Do not use volatile as a synchronization primitive

No

CON03-C

Ensure visibility when accessing shared variables

No

CON04-C

Join or detach threads even if their exit status is unimportant

No

CON05-C

Do not perform operations that can block while holding a lock

No

CON06-C

Ensure that every mutex outlives the data it protects

No

CON07-C

Ensure that compound operations on shared variables are atomic

No

CON08-C

Do not assume that a group of calls to independently atomic methods is atomic

No

CON09-C

Avoid the ABA problem when using lock-free algorithms

No

Rule 48. Miscellaneous (MISC)

  

MSC00-C

Compile cleanly at high warning levels

No

MSC01-C

Strive for logical completeness

Yes

MSC04-C

Use comments consistently and in a readable fashion

Yes

MSC05-C

Do not manipulate time_t typed values directly

No

MSC06-C

Beware of compiler optimizations

No

MSC07-C

Detect and remove dead code

No

MSC09-C

Character encoding: Use subset of ASCII for safety

Yes

MSC10-C

Character encoding: UTF8-related issues

No

MSC11-C

Incorporate diagnostic tests using assertions

No

MSC12-C

Detect and remove code that has no effect or is never executed

Yes

MSC13-C

Detect and remove unused values

Yes

MSC14-C

Do not introduce unnecessary platform dependencies

Yes

MSC15-C

Do not depend on undefined behavior

Yes

MSC17-C

Finish every set of statements associated with a case label with a break statement

Yes

MSC20-C

Do not use a switch statement to transfer control into a complex block

Yes

MSC21-C

Use robust loop termination conditions

No

MSC22-C

Use the setjmp(), longjmp() facility securely

No

MSC23-C

Beware of vendor-specific library and language differences

No

MSC24-C

Do not use deprecated or obsolescent functions

No

MSC25-C

Do not use insecure or weak cryptographic algorithms

No

 

POSIX

Rule ID

Description

Enforced

Rule 50. POSIX(POS)

  

POS01-C

Check for the existence of links when dealing with files

No

POS02-C

Follow the principle of least privilege

No

POS04-C

Avoid using PTHREAD_MUTEX_NORMAL type mutex locks

No

POS05-C

Limit access to files by creating a jail

No