DATASHEET

CERT C Recommendations Enforcement

(Website 7 December 2023)
POSIX and Win Recommendations are listed separately as they are not part of the core standard and not included in total coverage

ENFORCEMENT KW 2024.2

 

 

Total

a

Total Number of Recommendations (not including POSIX)

177

b

Total Number of Enforced Recommendations

47

c

Total Number of Unenforced Recommendations

130

d

Enforce Recommendations Percentage (b/a)

27%

e

Unenforced Recommendations Percentage (c/a)

73%

Rec ID

Description

Level

Enforced

Rec 01. Preprocessors (PRE)

   

PRE00-C

Prefer inline or static functions to function-like macros

L3

Yes

PRE01-C

Use parentheses within macros around parameter names

L1

Yes

PRE02-C

Macro replacement lists should be parenthesized

L1

Yes

PRE03-C

Prefer typedefs to defines for encoding non-pointer types

L3

No

PRE04-C

Do not reuse a standard header file name

L3

No

PRE05-C

Understand macro replacement when concatenating tokens or performing stringification

L3

Yes

PRE06-C

Enclose header files in an inclusion guard

L3

Yes

PRE07-C

Avoid using repeated question marks

L3

No

PRE08-C

Guarantee that header file names are unique

L3

No

PRE09-C

Do not replace secure functions with deprecated or obsolescent functions

L1

No

PRE10-C

Wrap multi-statement macros in a do-while loop

L1

Yes

PRE11-C

Do not conclude macro definitions with a semicolon

L1

No

PRE12-C

Do not define unsafe macros

L2

No

PRE13-C

Use the Standard predefined macros to test for versions and features.

L2

No

Rec 02. Declarations and Initialization(DCL)

   

DCL00-C

Const-qualify immutable objects

L3

No

DCL01-C

Do not reuse variable names in subscopes

L3

Yes

DCL02-C

Use visually distinct identifiers

L3

No

DCL03-C

Use a static assertion to test the value of a constant expression

L3

No

DCL04-C

Do not declare more than one variable per declaration

L3

No

DCL05-C

Use typedefs of non-pointer types only

L3

No

DCL06-C

Use meaningful symbolic constants to represent literal values

L3

No

DCL07-C

Include the appropriate type information in function declarators

L3

Yes

DCL08-C

Properly encode relationships in constant definitions

L3

No

DCL09-C

Declare functions that return errno with a return type of errno_t

L3

No

DCL10-C

Maintain the contract between the writer and caller of variadic functions

L2

Yes

DCL11-C

Understand the type issues associated with variadic functions

L2

Yes

DCL12-C

Implement abstract data types using opaque types

L3

No

DCL13-C

Declare function parameters that are pointers to values not changed by the function as const

L3

Yes

DCL15-C

Declare file-scope objects or functions that do not need external linkage as static

L3

No

DCL16-C

Use 'L', not 'l', to indicate a long value

L3

No

DCL17-C

Beware of miscompiled volatile-qualified variables

L3

No

DCL18-C

Do not begin integer constants with 0 when specifying a decimal value

L3

Yes

DCL19-C

Minimize the scope of variables and functions

L3

Yes

DCL20-C

Explicitly specify void when a function accepts no arguments

L1

Yes

DCL21-C

Understand the storage of compound literals

L3

No

DCL22-C

Use volatile for data that cannot be cached

L3

No

DCL23-C

Guarantee that mutually visible identifiers are unique

L2

Yes

Rec 03. Expressions (EXP)

   

EXP00-C

Use parentheses for precedence of operation

L3

Yes

EXP02-C

Be aware of the short-circuit behavior of the logical AND and OR operators

L3

Yes

EXP03-C

Do not assume the size of a structure is the sum of the sizes of its members

L3

No

EXP05-C

Do not cast away a const qualification

L2

No

EXP07-C

Do not diminish the benefits of constants by assuming their values in expressions

L3

No

EXP08-C

Ensure pointer arithmetic is used correctly

L2

Yes

EXP09-C

Use sizeof to determine the size of a type or variable

L2

No

EXP10-C

Do not depend on the order of evaluation of subexpressions or the order in which side effects take place

L2

No

EXP11-C

Do not make assumptions regarding the layout of structures with bit-fields

L2

No

EXP12-C

Do not ignore values returned by functions

L3

Yes

EXP13-C

Treat relational and equality operators as if they were nonassociative

L3

No

EXP14-C

Beware of integer promotion when performing bitwise operations on integer types smaller than int

L3

No

EXP15-C

Do not place a semicolon on the same line as an if, for, or while statement

L1

Yes

EXP16-C

Do not compare function pointers to constant values

L2

Yes

EXP19-C

Use braces for the body of an if, for, or while statement

L2

Yes

EXP20-C

Perform explicit tests to determine success, true and false, and equality

L1

No

Rec 04. Integers (INT)

   

INT00-C

Understand the data model used by your implementation(s)

L3

No

INT01-C

Use rsize_t or size_t for all integer values representing the size of an object

L2

No

INT02-C

Understand integer conversion rules

L2

Yes

INT04-C

Enforce limits on integer values originating from tainted sources

L2

Yes

INT05-C

Do not use input functions to convert character data if they cannot handle all possible inputs

L3

No

INT07-C

Use only explicitly signed or unsigned char type for numeric values

L2

Yes

INT08-C

Verify that all integer values are in range

L3

No

INT09-C

Ensure enumeration constants map to unique values

L3

Yes

INT10-C

Do not assume a positive remainder when using the % operator

L3

No

INT12-C

Do not make assumptions about the type of a plain int bit-field when used in an expression

L3

Yes

INT13-C

Use bitwise operators only on unsigned operands

L2

Yes

INT14-C

Avoid performing bitwise and arithmetic operations on the same data

L3

No

INT15-C

Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types

L2

No

INT16-C

Do not make assumptions about representation of signed integers

L3

No

INT17-C

Define integer constants in an implementation-independent manner

L1

No

INT18-C

Evaluate integer expressions in a larger size before comparing or assigning to that size

L1

Yes

Rec 05. Floating Point (FLP)

   

FLP00-C

Understand the limitations of floating-point numbers

L3

No

FLP01-C

Take care in rearranging floating-point expressions

L3

No

FLP02-C

Avoid using floating-point numbers when precise computation is needed

L3

No

FLP03-C

Detect and handle floating-point errors

L3

No

FLP04-C

Check floating-point inputs for exceptional values

L3

No

FLP05-C

Do not use denormalized numbers

L3

No

FLP06-C

Convert integers to floating point for floating point operations

L2

No

FLP07-C

Cast the return value of a function that returns a floating-point type

L3

No

Rec 06. Arrays (ARR)

   

ARR00-C

Understand how arrays work

L2

Yes

ARR01-C

Do not apply the sizeof operator to a pointer when taking the size of an array

L1

Yes

ARR02-C

Explicitly specify array bounds, even if implicitly defined by an initializer

L2

No

Rec 07. Characters and String (STR)

   

STR00-C

Represent characters using an appropriate type

L1

No

STR01-C

Adopt and implement a consistent plan for managing strings

L3

No

STR02-C

Sanitize data passed to complex subsystems

L1

Yes

STR03-C

Do not inadvertently truncate a string

L2

Yes

STR04-C

Use plain char for characters in the basic character set

L3

No

STR05-C

Use pointers to const when referring to string literals

L3

Yes

STR06-C

Do not assume that strtok() leaves the parse string unchanged

L1

No

STR07-C

Use the bounds-checking interfaces for string manipulation

L1

No

STR08-C

Use managed strings for development of new string manipulation code

L2

No

STR09-C

Don't assume numeric values for expressions with type plain character

L3

No

STR10-C

Do not concatenate different type of string literals

L3

No

STR11-C

Do not specify the bound of a character array initialized with a string literal

L2

No

Rec 08. Memory management (MEM)

   

MEM00-C

Allocate and free memory in the same module, at the same level of abstraction

L1

Yes

MEM01-C

Store a new value in pointers immediately after free()

L2

No

MEM02-C

Immediately cast the result of a memory allocation function call into a pointer to the allocated type

L3

No

MEM03-C

Clear sensitive information stored in reusable resources

L3

No

MEM04-C

Beware of zero-length allocations

L2

No

MEM05-C

Avoid large stack allocations

L2

Yes

MEM06-C

Ensure that sensitive data is not written out to disk

L3

No

MEM07-C

Ensure that the arguments to calloc(), when multiplied, do not wrap

L2

No

MEM10-C

Define and use a pointer validation function

L3

No

MEM11-C

Do not assume infinite heap space

L3

No

MEM12-C

Consider using a goto chain when leaving a function on error when using and releasing resources

L3

Yes

Rec 09. Input Output (FIO)

   

FIO01-C

Be careful using functions that use file names for identification

L1

Yes

FIO02-C

Consider using a goto chain when leaving a function on error when using and releasing resources

L2

Yes

FIO03-C

Do not make assumptions about fopen() and file creation

L3

No

FIO05-C

Identify files using multiple file attributes

L2

No

FIO06-C

Create files with appropriate access permissions

L3

No

FIO08-C

Take care when calling remove() on an open file

L3

No

FIO09-C

Be careful with binary data when transferring data across systems

L3

No

FIO10-C

Take care when using the rename() function

L2

No

FIO11-C

Take care when specifying the mode parameter of fopen()

L2

No

FIO13-C

Never push back anything other than one read character

L3

No

FIO14-C

Understand the difference between text mode and binary mode with file streams

L3

No

FIO15-C

Ensure that file operations are performed in a secure directory

L3

No

FIO17-C

Do not rely on an ending null character when using fread()

L2

No

FIO18-C

Never expect fwrite() to terminate the writing process at a null character

L2

No

FIO19-C

Do not use fseek() and ftell() to compute the size of a regular file

L3

No

FIO20-C

Avoid unintentional truncation when using fgets() or fgetws()

L1

No

FIO21-C

Do not create temporary files in shared directories

L2

No

FIO22-C

Close files before spawning processes

L3

Yes

FIO23-C

Do not exit with unflushed data in stdout or stderr

L3

No

FIO24-C

Do not open a file that is already open

L3

No

Rec 10. Environment (ENV)

   

ENV01-C

Do not make assumptions about the size of an environment variable

L1

Yes

ENV02-C

Beware of multiple environment variables with the same effective name

L3

No

ENV03-C

Sanitize the environment when invoking external programs

L2

No

Rec 11. Signals (SIG)

   

SIG00-C

Mask signals handled by noninterruptible signal handlers

L2

No

SIG01-C

Understand implementation-specific details regarding signal handler persistence

L3

No

SIG02-C

Avoid using signals to implement normal functionality

L1

No

Rec 12. Error Handling (ERR)

   

ERR00-C

Adopt and implement a consistent and comprehensive error-handling policy

L3

No

ERR01-C

Use ferror() rather than errno to check for FILE stream errors

L2

No

ERR02-C

Avoid in-band error indicators

L3

No

ERR03-C

Use runtime-constraint handlers when calling the bounds-checking interfaces

L3

No

ERR04-C

Choose an appropriate termination strategy

L3

No

ERR05-C

Application-independent code should provide error detection without dictating error handling

L3

No

ERR06-C

Understand the termination behavior of assert() and abort()

L3

No

ERR07-C

Prefer functions that support error checking over equivalent functions that don't

L2

No

Rec 13. Application Programming Interfaces (API)

   

API00-C

Functions should validate their parameters

L3

No

API01-C

Avoid laying out strings in memory directly before sensitive data

L2

No

API02-C

Functions that read or write to or from an array should take an argument to specify the source or target size

L2

No

API03-C

Create consistent interfaces and capabilities across related functions

L3

No

API04-C

Provide a consistent and usable error-checking mechanism

L3

No

API05-C

Use conformant array parameters

L1

No

API07-C

Enforce type safety

L3

No

API09-C

Compatible values should have the same type

L3

No

API10-C

APIs should have security options enabled by default

L1

No

Rec 14. Concurrency (CON)

   

CON01-C

Acquire and release synchronization primitives in the same module, at the same level of abstraction

L3

No

CON02-C

Do not use volatile as a synchronization primitive

L2

No

CON03-C

Ensure visibility when accessing shared variables

L2

No

CON04-C

Join or detach threads even if their exit status is unimportant

L3

No

CON05-C

Do not perform operations that can block while holding a lock

L3

Yes

CON06-C

Ensure that every mutex outlives the data it protects

L2

No

CON07-C

Ensure that compound operations on shared variables are atomic

L2

No

CON08-C

Do not assume that a group of calls to independently atomic methods is atomic

L3

No

CON09-C

Avoid the ABA problem when using lock-free algorithms

L3

No

Rec 48. Miscellaneous (MISC)

   

MSC00-C

Compile cleanly at high warning levels

L2

No

MSC01-C

Strive for logical completeness

L2

Yes

MSC04-C

Use comments consistently and in a readable fashion

L3

No

MSC05-C

Do not manipulate time_t typed values directly

L3

No

MSC06-C

Beware of compiler optimizations

L2

No

MSC07-C

Detect and remove dead code

L3

Yes

MSC09-C

Character encoding: Use subset of ASCII for safety

L3

No

MSC10-C

Character encoding: UTF8-related issues

L3

No

MSC11-C

Incorporate diagnostic tests using assertions

L3

No

MSC12-C

Detect and remove code that has no effect or is never executed

L3

Yes

MSC13-C

Detect and remove unused values

L3

Yes

MSC14-C

Do not introduce unnecessary platform dependencies

L3

No

MSC15-C

Do not depend on undefined behavior

L1

No

MSC17-C

Finish every set of statements associated with a case label with a break statement

L1

Yes

MSC18-C

Be careful while handling sensitive data, such as passwords, in program code

L2

No

MSC19-C

For functions that return an array, prefer returning an empty array over a null value

L3

No

MSC20-C

Do not use a switch statement to transfer control into a complex block

L2

No

MSC21-C

Use robust loop termination conditions

L3

No

MSC22-C

Use the setjmp(), longjmp() facility securely

L3

No

MSC23-C

Beware of vendor-specific library and language differences

L1

No

MSC24-C

Do not use deprecated or obsolescent functions

L1

No

MSC25-C

Do not use insecure or weak cryptographic algorithms

L3

No

 

POSIX

Rec ID

Description

Level

Enforced

Rec 50. POSIX(POS)

   

POS01-C

Check for the existence of links when dealing with files

L2

No

POS02-C

Follow the principle of least privilege

L2

Yes

POS04-C

Avoid using PTHREAD_MUTEX_NORMAL type mutex locks

L3

No

POS05-C

Limit access to files by creating a jail

L3

No

 

Microsoft Windows

Rec ID

Description

Level

Enforced

Rec 51. Microsoft Windows(WIN)

   

WIN00-C

Be specific when dynamically loading libraries

L2

No

WIN01-C

Do not forcibly terminate execution

L2

No

WIN02-C

Restrict privileges when spawning child processes

L2

No

WIN03-C

Understand HANDLE inheritance

L2

No

WIN04-C

Consider encrypting function pointers

L2

No