Coverity Support for SEI CERT C, C++, and Java Coding Standards - Synopsys

Page created by Brittany Woods
 
CONTINUE READING
Coverity Support for SEI CERT C, C++, and Java
Coding Standards

Ensure the safety,          The SEI CERT C, C++, and Oracle Java Coding Standards are lists of rules and
                            recommendations for writing secure code in the C, C++, and Java programming
reliability, and security
                            languages They represent an important milestone in introducing best practices for
of software written in C,   ensuring the safety, reliability, security, and integrity of software written in C/C++ and
C++, and Java               Java Notably, the standards are designed to be enforceable by software code analyzers
                            using static analysis techniques This greatly reduces the cost of compliance by way of
                            automation

                            Adhering to coding standards is a crucial step in establishing best coding practices
                            Standards adherence is particularly important in safety-critical, high-impact industries,
                            such as automotive, medical, and networking Software defects in products coming
                            from these industries manifest themselves physically and tangibly—often with life-
                            threatening consequences

                            Synopsys provides a comprehensive solution for the SEI CERT C/C++ Coding
                            Standards rules, along with high-impact SEI CERT Oracle Java Coding Standards
                            (online version) rules and SEI CERT C Coding Standard recommendations (online
                            version) Coverity static analysis implements the Rules category within the CERT C/
                            C++ standards, high-impact CERT Java L1 rules, and methods for managing violations
                            and reporting on them Coverity also supports some of the best practices from the
                            Recommendations category for the CERT C standard

                            Acknowledgement
                            • This Publication incorporates portions of the rule identifiers, the rule descriptive
                              names (clauses) which follow the identifier, and rule level (from the risk assessment)
                              for each rule in the CERT C, CERT CPP, CERT C Recommendations and CERT
                              JAVA standards available at wikiseicmuedu/confluence/display/seccode/
                              SEI+CERT+Coding+Standards © 2020 Carnegie Mellon University, with special
                              permission from its Software Engineering Institute
                            • ANY MATERIAL OF CARNEGIE MELLON UNIVERSITY AND/OR ITS SOFTWARE
                              ENGINEERING INSTITUTE CONTAINED HEREIN IS FURNISHED ON AN “AS-IS” BASIS
                              CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER
                              EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO,
                              WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY,
                              OR RESULTS OBTAINED FROM USE OF THE MATERIAL CARNEGIE MELLON
                              UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO
                              FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT
                            • This publication has not been reviewed nor is it endorsed by Carnegie Mellon
                              University or its Software Engineering Institute
                            • Carnegie Mellon and CERT are registered trademarks of Carnegie Mellon University

                                                                                                | synopsys.com | 1
The “Level” column in the “supported rules” and “supported recommendations” tables below indicates the severity, remediation cost, and
likelihood of each vulnerability Level 1 vulnerabilities are the most severe, the least expensive to repair, and/or the most likely to be found
in code Meanwhile, Level 3 vulnerabilities are the least severe, the most expensive to repair, and/or the least likely to be found in code

SEI CERT C Coding Standard (2016 Edition)
The SEI CERT C Coding Standard was developed specifically for the following versions of the C language:

• ISO/IEC 9899:2011: Information Technology—Programming Languages—C, 3rd ed
• ISO/IEC 9899:2011/Cor 1:2012: Information Technology—Programming Languages—C Technical Corrigendum 1
These versions are commonly referred to as the C11 standard The CERT C rules may also be applied to earlier versions of the C language,
such as C99

The 2016 edition of the CERT C standard contains 99 coding rules There are additional CERT C rules available on the CERT Secure Coding
wiki, bringing the total number of rules to 120 as of July 10, 2020 The CERT Secure Coding wiki for C is here:

https://wwwsecurecodingcertorg/confluence/display/c/

The SEI CERT C Coding Standard (2016 Edition) is here:

https://wwwcertorg/secure-coding/products-services/secure-coding-downloadcfm

The CERT C wiki also documents 185 recommendations and two platform-specific annexes (POSIX and Windows) The recommendations
and annexes are not part of the core secure coding standard and may be useful for projects with stricter requirements

CERT C rule coverage
                                                                     Rules
              Section                                                                                                  % Coverage
                                               Supported                               All
                 All                               115                                121*                                 95.8
    PRE                               3                                3                                     100.0
    DCL                               8                                8                                     100.0
    EXP                               15                               15                                    100.0
    INT                               7                                7                                     100.0
    FLP                               5                                5                                     100.0
    ARR                               6                                6                                     100.0
    STR                               6                                6                                     100.0
    MEM                               6                                6                                     100.0
    FIO                               13                               13                                    100.0
    ENV                               5                                5                                     100.0
    SIG                               4                                4                                     100.0
    ERR                               4                                4                                     100.0
    CON                               12                               13                                    92.3
    MSC                               7                                8                                     87.5
    POS*                              14                               17*                                   82.4
    WIN                               0                                1                                     0.0
*
 As of July 10, 2020, POS33-C is moved to The Void: void POS33-C Do not use vfork(), reducing the total number of POS rules to 16 and
the number of CERT C rules to 120 Thus, percentage coverage is calculated as 115/120 = 95.8%

                                                                                                                           | synopsys.com | 2
CERT C supported rules
    Rule                                                     Description                                                 Level
PRE30-C     Do not create a universal character name through concatenation                                              L3
PRE31-C     Avoid side effects in arguments to unsafe macros                                                            L3
PRE32-C     Do not use preprocessor directives in invocations of function-like macros                                   L3
DCL30-C     Declare objects with appropriate storage durations                                                          L2
DCL31-C     Declare identifiers before using them                                                                       L3
DCL36-C     Do not declare an identifier with conflicting linkage classifications                                       L2
DCL37-C     Do not declare or define a reserved identifier                                                              L3
DCL38-C     Use the correct syntax when declaring a flexible array member                                               L3
DCL39-C     Avoid information leakage when passing a structure across a trust boundary                                  L3
DCL40-C     Do not create incompatible declarations of the same function or object                                      L3
DCL41-C     Do not declare variables inside a switch statement before the first case label                              L3
EXP30-C     Do not depend on order of evaluation for side effects                                                       L2
EXP32-C     Do not access a volatile object through a nonvolatile reference                                             L2
EXP33-C     Do not read uninitialized memory                                                                            L1
EXP34-C     Do not dereference null pointers                                                                            L1
EXP35-C     Do not modify objects with temporary lifetime                                                               L3
EXP36-C     Do not cast pointers into more strictly aligned pointer types                                               L3
EXP37-C     Call functions with the correct number and type of arguments                                                L3
EXP39-C     Do not access a variable through a pointer of an incompatible type                                          L3
EXP40-C     Do not modify constant objects                                                                              L3
EXP42-C     Do not compare padding data                                                                                 L2
EXP43-C     Avoid undefined behavior when using restrict-qualified pointers                                             L3
EXP44-C     Do not rely on side effects in operands to sizeof, _Alignof, or _Generic                                    L3
EXP45-C     Do not perform assignments in selection statements                                                          L2
EXP46-C     Do not use a bitwise operator with a Boolean-like operand                                                   L2
EXP47-C     Do not call va_arg with an argument of incorrect type                                                       L2
INT30-C     Ensure that unsigned integer operations do not wrap                                                         L2
INT31-C     Ensure that integer conversions do not result in lost or misinterpreted data                                L2
INT32-C     Ensure that operations on signed integers do not result in overflow                                         L2
INT33-C     Ensure that division and modulo operations do not result in divide-by-zero errors                           L2
INT34-C     Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits   L3
            that exist in the operand
INT35-C     Use correct integer precisions                                                                              L3
INT36-C     Converting a pointer to integer or integer to pointer                                                       L3
FLP30-C     Do not use floating-point variables as loop counters                                                        L2
FLP32-C     Prevent or detect domain and range errors in math functions                                                 L2
FLP34-C     Ensure that floating-point conversions are within range of the new type                                     L3
FLP36-C     Preserve precision when converting integral values to floating-point type                                   L3
FLP37-C     Do not use object representations to compare floating-point values                                          L3
ARR30-C     Do not form or use out of bounds pointers or array subscripts                                               L2
ARR32-C     Ensure size arguments for variable length arrays are in a valid range                                       L2
ARR36-C     Do not subtract or compare two pointers that do not refer to the same array                                 L2

                                                                                                               | synopsys.com | 3
Rule                                                   Description                                                   Level
ARR37-C    Do not add or subtract an integer to a pointer to a non-array object                                        L2
ARR38-C    Guarantee that library functions do not form invalid pointers                                               L1
ARR39-C    Do not add or subtract a scaled integer to a pointer                                                        L2
STR30-C    Do not attempt to modify string literals                                                                    L2
STR31-C    Guarantee that storage for strings has sufficient space for character data and the null terminator          L1
STR32-C    Do not pass a non-null-terminated character sequence to a library function that expects a string            L1
STR34-C    Cast characters to unsigned char before converting to larger integer sizes                                  L2
STR37-C    Arguments to character-handling functions must be representable as an unsigned char                         L3
STR38-C    Do not confuse narrow and wide character strings and functions                                              L1
MEM30-C    Do not access freed memory                                                                                  L1
MEM31-C    Free dynamically allocated memory when no longer needed                                                     L2
MEM33-C    Allocate and copy structures containing a flexible array member dynamically                                 L3
MEM34-C    Only free memory allocated dynamically                                                                      L1
MEM35-C    Allocate sufficient memory for an object                                                                    L2
MEM36-C    Do not modify the alignment of objects by calling realloc()                                                 L3
FIO30-C    Exclude user input from format strings                                                                      L1
FIO32-C    Do not perform operations on devices that are only appropriate for files                                    L3
FIO34-C    Distinguish between characters read from a file and EOF or WEOF                                             L1
FIO37-C    Do not assume that fgets() or fgetws() returns a nonempty string when successful                            L1
FIO38-C    Do not copy a FILE object                                                                                   L3
FIO39-C    Do not alternately input and output from a stream without an intervening flush or positioning call          L2
FIO40-C    Reset strings on fgets() or fgetws() failure                                                                L3
FIO41-C    Do not call getc(), putc(), getwc(), or putwc() with a stream argument that has side effects                L3
FIO42-C    Close files when they are no longer needed                                                                  L3
FIO44-C    Only use values for fsetpos() that are returned from fgetpos()                                              L3
FIO45-C    Avoid TOCTOU race conditions while accessing files                                                          L2
FIO46-C    Do not access a closed file                                                                                 L3
FIO47-C    Use valid format strings                                                                                    L2
ENV30-C    Do not modify the object referenced by the return value of certain functions                                L3
ENV31-C    Do not rely on an environment pointer following an operation that may invalidate it                         L3
ENV32-C    All exit handlers must return normally                                                                      L1
ENV33-C    Do not call system()                                                                                        L1
ENV34-C    Do not store pointers returned by certain functions                                                         L3
SIG30-C    Call only asynchronous-safe functions within signal handlers                                                L1
SIG31-C    Do not access shared objects in signal handlers                                                             L2
SIG34-C    Do not call signal() from within interruptible signal handlers                                              L3
SIG35-C    Do not return from a computational exception signal handler                                                 L3
ERR30-C    Set errno to zero before calling a library function known to set errno, and check errno only after the      L2
           function returns a value indicating failure
ERR32-C    Do not rely on indeterminate values of errno                                                                L3
ERR33-C    Detect and handle standard library errors                                                                   L1
ERR34-C    Detect errors when converting a string to a number                                                          L3

                                                                                                                | synopsys.com | 4
Rule                                                        Description                                             Level
    CON30-C          Clean up thread-specific storage                                                                      L3
    CON31-C          Do not destroy a mutex while it is locked                                                             L3
    CON32-C          Prevent data races when accessing bit-fields from multiple threads                                    L2
    CON33-C          Avoid race conditions when using library functions                                                    L3
    CON34-C          Declare objects shared between threads with appropriate storage durations                             L3
    CON35-C          Avoid deadlock by locking in predefined order                                                         L3
    CON36-C          Wrap functions that can spuriously wake up in a loop                                                  L3
    CON37-C          Do not call signal() in a multithreaded program                                                       L2
    CON38-C          Preserve thread safety and liveness when using condition variables                                    L3
    CON39-C          Do not join or detach a thread that was previously joined or detached                                 L2
    CON40-C          Do not refer to an atomic variable twice in an expression                                             L2
    CON41-C          Wrap functions that can fail spuriously in a loop                                                     L3
    MSC30-C          Do not use the rand() function for generating pseudorandom numbers                                    L2
    MSC32-C          Properly seed pseudorandom number generators                                                          L1
    MSC33-C          Do not pass invalid data to the asctime() function                                                    L1
    MSC37-C          Ensure that control never reaches the end of a non-void function                                      L2
    MSC38-C          Do not treat a predefined identifier as an object if it might only be implemented as a macro          L3
    MSC39-C          Do not call va_arg() on a va_list that has an indeterminate value                                     L3
    MSC40-C          Do not violate constraints                                                                            L3
    POS30-C          Use the readlink() function properly                                                                  L1
    POS33-C$         Do not use vfork()                                                                                    L2
    POS34-C          Do not call putenv() with a pointer to an automatic variable as the argument                          L2
    POS35-C          Avoid race conditions while checking for the existence of a symbolic link                             L1
    POS36-C          Observe correct revocation order while relinquishing privileges                                       L1
    POS37-C          Ensure that privilege relinquishment is successful                                                    L1
    POS38-C          Beware of race conditions when using fork and file descriptors                                        L3
    POS39-C          Use the correct byte ordering when transferring data between systems                                  L1
    POS44-C          Do not use signals to terminate threads                                                               L2
    POS47-C          Do not use threads that can be canceled asynchronously                                                L1
    POS49-C          When data must be accessed by multiple threads, provide a mutex and guarantee no adjacent data is     L2
                     also accessed
    POS50-C          Declare objects shared between POSIX threads with appropriate storage durations                       L3
    POS52-C          Do not perform operations that can block while holding a POSIX lock                                   L3
    POS54-C          Detect and handle POSIX library errors                                                                L1

$
    As of July 10, 2020, POS33-C is moved to The Void: void POS33-C Do not use vfork()

                                                                                                                    | synopsys.com | 5
CERT C L1 recommendation coverage (online version)
                                                             Recommendations
             Section                                                                                                % Coverage
                                               Supported                                All
                All                                 21                                  25*                            84.0
 PRE                                 3                                  5                                   60.0
 DCL                                 0                                  1                                   0.0
 EXP                                 2                                  2                                   100.0
 INT                                 2                                  2                                   100.0
 ARR                                 1                                  1                                   100.0
 STR                                 4                                  4                                   100.0
 MEM                                 1                                  1                                   100.0
 FIO                                 2                                  2                                   100.0
 ENV                                 1                                  1                                   100.0
 SIG                                 1                                  1                                   100.0
 API                                 1                                  1*                                  100.0
 MSC                                 3                                  4                                   75.0
*There are 26 total CERT C L1 recommendations Apart from API10-C, which is incomplete, there are 25 validated recommendations
considered in this calculation

CERT C supported recommendations (online version)
   Recommendation                                                        Description                                             Level
 PRE09-C                    Do not replace secure functions with deprecated or obsolescent functions                          L1
 PRE10-C                    Wrap multistatement macros in a do-while loop                                                     L1
 PRE11-C                    Do not conclude macro definitions with a semicolon                                                L1
 PRE12-C                    Do not define unsafe macros                                                                       L2
 DCL11-C                    Understand the type issues associated with variadic functions                                     L2
 DCL23-C                    Guarantee that mutually visible identifiers are unique                                            L2
 EXP05-C                    Do not cast away a const qualification                                                            L2
 EXP08-C                    Ensure pointer arithmetic is used correctly                                                       L2
 EXP10-C                    Do not depend on the order of evaluation of subexpressions or the order in which side effects     L2
                            take place
 EXP15-C                    Do not place a semicolon on the same line as an if, for, or while statement                       L1
 EXP16-C                    Do not compare function pointers to constant values                                               L2
 EXP19-C                    Use braces for the body of an if, for, or while statement                                         L2
 EXP20-C                    Perform explicit tests to determine success, true and false, and equality                         L1
 INT02-C                    Understand integer conversion rules                                                               L2
 INT04-C                    Enforce limits on integer values originating from tainted sources                                 L2
 INT07-C                    Use only explicitly signed or unsigned char type for numeric values                               L2
 INT13-C                    Use bitwise operators only on unsigned operands                                                   L2
 INT17-C                    Define integer constants in an implementation-independent manner                                  L1
 INT18-C                    Evaluate integer expressions in a larger size before comparing or assigning to that size          L1
 ARR00-C                    Understand how arrays work                                                                        L2
 ARR01-C                    Do not apply the sizeof operator to a pointer when taking the size of an array                    L1
 ARR02-C                    Explicitly specify array bounds, even if implicitly defined by an initializer                     L2

                                                                                                                       | synopsys.com | 6
Recommendation                                               Description                                       Level
STR00-C           Represent characters using an appropriate type                                              L1
STR02-C           Sanitize data passed to complex subsystems                                                  L1
STR03-C           Do not inadvertently truncate a string                                                      L2
STR06-C           Do not assume that strtok() leaves the parse string unchanged                               L1
STR07-C           Use the bounds-checking interfaces for string manipulation                                  L1
STR11-C           Do not specify the bound of a character array initialized with a string literal             L2
MEM00-C           Allocate and free memory in the same module, at the same level of abstraction               L1
MEM01-C           Store a new value in pointers immediately after free()                                      L2
MEM05-C           Avoid large stack allocations                                                               L2
FIO01-C           Be careful using functions that use file names for identification                           L1
FIO20-C           Avoid unintentional truncation when using fgets() or fgetws()                               L1
ENV01-C           Do not make assumptions about the size of an environment variable                           L1
SIG02-C           Avoid using signals to implement normal functionality                                       L1
API05-C           Use conformant array parameters                                                             L1
MSC15-C           Do not depend on undefined behavior                                                         L1
MSC17-C           Finish every set of statements associated with a case label with a break statement          L1
MSC18-C           Be careful while handling sensitive data, such as passwords, in program code                L2
MSC24-C           Do not use deprecated or obsolescent functions                                              L1

                                                                                                       | synopsys.com | 7
SEI CERT C++ Coding Standard (2016 Edition)
The SEI CERT C++ Coding Standard was developed specifically for the following version of the C++ language:

• ISO/IEC 14882-2014: Information Technology---Programming Languages—C++, 4th ed
This version is commonly referred to as the C++14 standard

The CERT C++ rules may also be applied to earlier versions of the C++ language, such as C++11

The 2016 edition of the CERT C++ standard contains 83 coding rules

The CERT Secure Coding wiki for C++ is here:

https://wwwsecurecodingcertorg/confluence/display/cplusplus/

The SEI CERT C++ Coding Standard (2016 Edition) is here:

https://certorg/secure-coding/products-services/secure-coding-cpp-download-2016cfm

The CERT C++ wiki also documents some recommendations The recommendations are not part of the core secure coding standard

CERT C++ rule coverage
                                                                    Rules
              Section                                                                                        % Coverage
                                               Supported                         All
                All                               83                             83                            100.0
 DCL                                11                                   11                         100.0
 EXP                                14                                   14                         100.0
 INT                                1                                    1                          100.0
 CTR                                9                                    9                          100.0
 STR                                4                                    4                          100.0
 MEM                                8                                    8                          100.0
 FIO                                2                                    2                          100.0
 ERR                                13                                   13                         100.0
 OOP                                9                                    9                          100.0
 CON                                7                                    7                          100.0
 MSC                                5                                    5                          100.0

CERT C++ supported rules
       Rule                                                        Description                                            Level
 DCL50-CPP        Do not define a C-style variadic function                                                            L1
 DCL51-CPP        Do not declare or define a reserved identifier                                                       L3
 DCL52-CPP        Never qualify a reference type with const or volatile                                                L3
 DCL53-CPP        Do not write syntactically ambiguous declarations                                                    L3
 DCL54-CPP        Overload allocation and deallocation functions as a pair in the same scope                           L2
 DCL55-CPP        Avoid information leakage when passing a class object across a trust boundary                        L3
 DCL56-CPP        Avoid cycles during initialization of static objects                                                 L3
 DCL57-CPP        Do not let exceptions escape from destructors or deallocation functions                              L3
 DCL58-CPP        Do not modify the standard namespaces                                                                L2
 DCL59-CPP        Do not define an unnamed namespace in a header file                                                  L3
 DCL60-CPP        Obey the one-definition rule                                                                         L3
 EXP50-CPP        Do not depend on the order of evaluation for side effects                                            L2

                                                                                                               | synopsys.com | 8
Rule                                                      Description                                                 Level
EXP51-CPP   Do not delete an array through a pointer of the incorrect type                                              L3
EXP52-CPP   Do not rely on side effects in unevaluated operands                                                         L3
EXP53-CPP   Do not read uninitialized memory                                                                            L1
EXP54-CPP   Do not access an object outside of its lifetime                                                             L2
EXP55-CPP   Do not access a cv-qualified object through a cv-unqualified type                                           L2
EXP56-CPP   Do not call a function with a mismatched language linkage                                                   L3
EXP57-CPP   Do not cast or delete pointers to incomplete classes                                                        L3
EXP58-CPP   Pass an object of the correct type to va_start                                                              L3
EXP59-CPP   Use offsetof() on valid types and members                                                                   L3
EXP60-CPP   Do not pass a nonstandard-layout type object across execution boundaries                                    L1
EXP61-CPP   A lambda object must not outlive any of its reference captured objects                                      L2
EXP62-CPP   Do not access the bits of an object representation that are not part of the object's value representation   L2
EXP63-CPP   Do not rely on the value of a moved-from object                                                             L2
INT50-CPP   Do not cast to an out-of-range enumeration value                                                            L3
CTR50-CPP   Guarantee that container indices and iterators are within the valid range                                   L2
CTR51-CPP   Use valid references, pointers, and iterators to reference elements of a container                          L2
CTR52-CPP   Guarantee that library functions do not overflow                                                            L1
CTR53-CPP   Use valid iterator ranges                                                                                   L2
CTR54-CPP   Do not subtract iterators that do not refer to the same container                                           L2
CTR55-CPP   Do not use an additive operator on an iterator if the result would overflow                                 L1
CTR56-CPP   Do not use pointer arithmetic on polymorphic objects                                                        L2
CTR57-CPP   Provide a valid ordering predicate                                                                          L3
CTR58-CPP   Predicate function objects should not be mutable                                                            L3
STR50-CPP   Guarantee that storage for strings has sufficient space for character data and the null terminator          L1
STR51-CPP   Do not attempt to create a std::string from a null pointer                                                  L1
STR52-CPP   Use valid references, pointers, and iterators to reference elements of a basic_string                       L2
STR53-CPP   Range check element access                                                                                  L2
MEM50-CPP   Do not access freed memory                                                                                  L1
MEM51-CPP   Properly deallocate dynamically allocated resources                                                         L1
MEM52-CPP   Detect and handle memory allocation errors                                                                  L1
MEM53-CPP   Explicitly construct and destruct objects when manually managing object lifetime                            L1
MEM54-CPP   Provide placement new with properly aligned pointers to sufficient storage capacity                         L1
MEM55-CPP   Honor replacement dynamic storage management requirements                                                   L1
MEM56-CPP   Do not store an already-owned pointer value in an unrelated smart pointer                                   L1
MEM57-CPP   Avoid using default operator new for over-aligned types                                                     L2
FIO50-CPP   Do not alternately input and output from a file stream without an intervening positioning call              L2
FIO51-CPP   Close files when they are no longer needed                                                                  L3
ERR50-CPP   Do not abruptly terminate the program                                                                       L3
ERR51-CPP   Handle all exceptions                                                                                       L3
ERR52-CPP   Do not use setjmp() or longjmp()                                                                            L3
            Do not reference base classes or class data members in a constructor or destructor function-try-block
ERR53-CPP                                                                                                               L3
            handler
ERR54-CPP   Catch handlers should order their parameter types from most derived to least derived                        L1
ERR55-CPP   Honor exception specifications                                                                              L2

                                                                                                                 | synopsys.com | 9
Rule                                                    Description                                            Level
ERR56-CPP   Guarantee exception safety                                                                           L2
ERR57-CPP   Do not leak resources when handling exceptions                                                       L3
ERR58-CPP   Handle all exceptions thrown before main() begins executing                                          L2
ERR59-CPP   Do not throw an exception across execution boundaries                                                L1
ERR60-CPP   Exception objects must be nothrow copy constructible                                                 L3
ERR61-CPP   Catch exceptions by lvalue reference                                                                 L3
ERR62-CPP   Detect errors when converting a string to a number                                                   L3
OOP50-CPP   Do not invoke virtual functions from constructors or destructors                                     L3
OOP51-CPP   Do not slice derived objects                                                                         L3
OOP52-CPP   Do not delete a polymorphic object without a virtual destructor                                      L2
OOP53-CPP   Write constructor member initializers in the canonical order                                         L3
OOP54-CPP   Gracefully handle self-copy assignment                                                               L3
OOP55-CPP   Do not use pointer-to-member operators to access nonexistent members                                 L2
OOP56-CPP   Honor replacement handler requirements                                                               L3
OOP57-CPP   Prefer special member functions and overloaded operators to C Standard Library functions             L2
OOP58-CPP   Copy operations must not mutate the source object                                                    L2
CON50-CPP   Do not destroy a mutex while it is locked                                                            L3
CON51-CPP   Ensure actively held locks are released on exceptional conditions                                    L2
CON52-CPP   Prevent data races when accessing bit-fields from multiple threads                                   L2
CON53-CPP   Avoid deadlock by locking in a predefined order                                                      L3
CON54-CPP   Wrap functions that can spuriously wake up in a loop                                                 L3
CON55-CPP   Preserve thread safety and liveness when using condition variables                                   L3
CON56-CPP   Do no speculatively lock a non-recursive mutex that is already owned by the calling thread           L3
MSC50-CPP   Do not use std::rand() for generating pseudorandom numbers                                           L2
MSC51-CPP   Ensure your random number generator is properly seeded                                               L1
MSC52-CPP   Value-returning functions must return a value from all exit paths                                    L2
MSC53-CPP   Do not return from a function declared [[noreturn]]                                                  L3
MSC54-CPP   A signal handler must be a plain old function                                                        L2

                                                                                                         | synopsys.com | 10
SEI CERT Oracle Secure Coding Standard for Java (online version)
The SEI CERT Oracle Secure Coding Standard for Java was developed primarily referring to the following version of the Java language:

• The Java Language Specification (3rd Edition)
The SEI CERT Oracle Secure Coding Standard for Java focuses on the following Java platforms:

• The Java Standard Edition 6 Platform (Java SE 6)
• The Java Standard Edition 7 platform (Java SE 7)
The SEI CERT Oracle Secure Coding Standard for Java wiki contains 182 coding rules, of which 38 are Level L1, 48 are Level L2, and 96
are Level L3.

The CERT Secure Coding wiki for Java is here:

https://wwwsecurecodingcertorg/confluence/display/java/

The SEI CERT Oracle Secure Coding Standard for Java (Standard Edition 6) is here:

https://wwwinformitcom/store/cert-oracle-secure-coding-standard-for-java-9780321803955

The SEI CERT Oracle Secure Coding Standard for Java wiki also documents some recommendations The recommendations are not part
of the core secure coding standard

CERT Java L1 and L2 rule coverage (online version)
                                                                     Rules
             Section                                                                                                  % Coverage
                                                  Supported                              All
                All                                  61                                  74*                             82.4
 IDS                                 7                                   8                                    87.5
 EXP                                 3                                   4                                    75.0
 NUM                                 4                                   4                                    100.0
 STR                                 1                                   1                                    100.0
 OBJ                                 6                                   9*                                   66.7
 MET                                 5                                   7*                                   71.4
 ERR                                 3                                   3                                    100.0
 VNA                                 0                                   2                                    0.0
 LCK                                 5                                   5                                    100.0
 TSM                                 0                                   1                                    0.0
 FIO                                 5                                   5                                    100.0
 SER                                 6                                   7*                                   85.7
 SEC                                 8                                   8                                    100.0
 ENV                                 3                                   5*                                   60.0
 JNI                                 1                                   1*                                   100.0
 MSC                                 4                                   4                                    100.0
* There are 38 total CERT Java L1 and 48 total CERT Java L2 rules. Apart from five stub L1 rules (SEC08-J, SEC09-J, SEC10-J, JNI03-J,
and MSC10-J), and two nonautomated L1 rules (ENV04-J and ENV05-J), there are 31 validated L1 rules considered in this calculation.
Similarly, apart from two deprecated L2 rules (IDS09-J and SER13-J), three stub L2 rules (IDS15-J, OBJ14-J, and MET13-J), there are 43
validated L2 rules considered in this calculation.

                                                                                                                     | synopsys.com | 11
CERT Java supported rules (online version)
    Rule                                                     Description                                             Level
IDS00-J      Prevent SQL injection                                                                                 L1
IDS01-J      Normalize strings before validating them                                                              L1
IDS03-J      Do not log unsanitized user input                                                                     L2
IDS07-J      Sanitize untrusted data passed to the Runtimeexec() method                                            L1
IDS08-J      Sanitize untrusted data included in a regular expression                                              L3
IDS11-J      Perform any string modifications before validation                                                    L1
IDS16-J      Prevent XML Injection                                                                                 L1
IDS17-J      Prevent XML External Entity Attacks                                                                   L2
ERR02-J      Prevent exceptions while logging data                                                                 L2
ERR04-J      Do not complete abruptly from a finally block                                                         L3
ERR07-J      Do not throw RuntimeException, Exception, or Throwable                                                L2
ERR08-J      Do not catch NullPointerException or any of its ancestors                                             L1
EXP00-J      Do not ignore values returned by methods                                                              L2
EXP01-J      Do not use a null in a case where an object is required                                               L3
EXP02-J      Do not use the Object.equals() method to compare two arrays                                           L2
EXP03-J      Do not use the equality operators when comparing values of boxed primitives                           L2
NUM00-J      Detect or prevent integer overflow                                                                    L3
NUM02-J      Ensure that division and remainder operations do not result in divide-by-zero errors                  L2
NUM07-J      Do not attempt comparisons with NaN                                                                   L3
NUM09-J      Do not use floating-point variables as loop counters                                                  L2
NUM10-J      Do not construct BigDecimal objects from floating-point literals                                      L2
NUM11-J      Do not compare or inspect the string representation of floating-point values                          L2
OBJ01-J      Limit accessibility of fields                                                                         L1
OBJ05-J      Do not return references to private mutable class members                                             L1
OBJ09-J      Compare classes and not class names                                                                   L2
OBJ10-J      Do not use public static nonfinal fields                                                              L2
OBJ11-J      Be wary of letting constructors throw exceptions                                                      L1
OBJ13-J      Ensure that references to mutable objects are not exposed                                             L1
MET00-J      Validate method arguments                                                                             L2
MET01-J      Never use assertions to validate method arguments                                                     L2
MET02-J      Do not use deprecated or obsolete classes or methods                                                  L3
MET04-J      Do not increase the accessibility of overridden or hidden methods                                     L2
MET05-J      Ensure that constructors do not call overridable methods                                              L2
MET06-J      Do not invoke overridable methods in clone()                                                          L1
MET07-J      Never declare a class method that hides a method declared in a superclass or superinterface           L3
MET09-J      Classes that define an equals() method must also define a hashCode() method                           L3
LCK00-J      Use private final lock objects to synchronize classes that may interact with untrusted code           L3
LCK01-J      Do not synchronize on objects that may be reused                                                      L2
LCK02-J      Do not synchronize on the class object returned by getClass()                                         L2
LCK03-J      Do not synchronize on the intrinsic locks of high-level concurrency objects                           L2
LCK06-J      Do not use an instance lock to protect shared static data                                             L2
LCK08-J      Ensure actively held locks are released on exceptional conditions                                     L2

                                                                                                           | synopsys.com | 12
Rule                                                          Description                                                 Level
 FIO02-J             Detect and handle file-related errors                                                                      L2
 FIO03-J             Remove temporary files before termination                                                                  L2
 FIO05-J             Do not expose buffers or their backing arrays methods to untrusted code                                    L1
 FIO08-J             Do not expose buffers or their backing arrays methods to untrusted code                                    L1
 FIO14-J             Perform proper cleanup at program termination                                                              L1
 SEC00-J             Do not allow privileged blocks to leak sensitive information across a trust boundary                       L2
 SEC01-J             Do not allow tainted variables in privileged blocks                                                        L1
 SEC02-J             Do not base security checks on untrusted sources                                                           L1
 SEC03-J             Do not load trusted classes after allowing untrusted code to load arbitrary classes                        L1
 SEC04-J             Protect sensitive operations with security manager checks                                                  L1
 SEC05-J             Do not use reflection to increase accessibility of classes, methods, or fields                             L1
 SEC06-J             Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar   L1
 SEC07-J             Call the superclass’s getPermissions() method when writing a custom class loader                           L1
 SER01-J             Do not deviate from the proper signatures of serialization methods                                         L1
 SER04-J             Do not allow serialization and deserialization to bypass the security manager                              L2
 SER05-J             Do not serialize instances of inner classes                                                                L1
 SER08-J             Minimize privileges before deserializing from a privileged context                                         L1
 SER09-J             Do not invoke overridable methods from the readObject() method                                             L3
 SER11-J             Prevent overwriting of externalizable objects                                                              L2
 SER12-J             Prevent deserialization of untrusted data                                                                  L2
 STR02-J             Specify an appropriate locale when comparing locale-dependent data                                         L2
 ENV02-J             Do not trust the values of environment variables                                                           L2
 ENV03-J             Do not grant dangerous combinations of permissions                                                         L1
 ENV06-J             Production code must not contain debugging entry points                                                    L1
 JNI01-J             Safely invoke standard APIs that perform tasks using the immediate caller’s class loader instance          L1
                     (loadLibrary)
 MSC00-J             Use SSLSocket rather than Socket for secure data exchange                                                  L2
 MSC01-J             Do not use an empty infinite loop                                                                          L3
 MSC02-J             Generate strong random numbers                                                                             L1
 MSC03-J             Never hard code sensitive information                                                                      L1
 MSC07-J             Prevent multiple instantiations of singleton objects                                                       L3
 MSC11-J             Do not let session information leak within a servlet                                                       L2

This datasheet applies to Coverity 2021.9.0 and later releases.

                                                                                                                       | synopsys.com | 13
The Synopsys difference

Synopsys helps development teams build secure, high-quality software, minimizing risks while
maximizing speed and productivity. Synopsys, a recognized leader in application security,
provides static analysis, software composition analysis, and dynamic analysis solutions that
enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source
components, and application behavior. With a combination of industry-leading tools, services,
and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps
and throughout the software development life cycle.

For more information, go to www.synopsys.com/software.

Synopsys, Inc.
690 E Middlefield Road
Mountain View, CA 94043 USA

Contact us:
U.S. Sales: 800.873.8193
International Sales: +1 415.321.5237
Email: sig-info@synopsys.com

©2021 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at www.
synopsys.com/copyright.html . All other names mentioned herein are trademarks or registered trademarks of their respective owners. September 2021

                                                                                                                                                     | synopsys.com | 14
You can also read