Cppcheck 1.88 released, a static analysis tool for C/C++ code
Cppcheck is a static analysis tool for C/C++ code. It provides unique code analysis to detect bugs and focuses on detecting undefined behaviour and dangerous coding constructs. The goal is to detect only real errors in the code (i.e. have very few false positives).
Unique code analysis that detects various kinds of bugs in your code.
Both command line interface and graphical user interface are available.
Cppcheck has a strong focus on detecting undefined behaviour.
- Dead pointers
- Division by zero
- Integer Overflows
- Invalid bit shift operands
- Invalid conversions
- Invalid usage of STL
- Memory management
- Null pointer dereferences
- Out of bounds checking
- Uninitialized variables
- Writing const data
The most common types of security vulnerabilities in 2017 (CVE count) were:

| Category | Amount | Detected by Cppcheck |
|---|---|---|
| Buffer Errors | 2530 | A few |
| Improper Access Control | 1366 | A few (unintended backdoors) |
| Information Leak | 1426 | A few (unintended backdoors) |
| Permissions, Privileges, and Access Control | 1196 | A few (unintended backdoors) |
CVEs that were found using Cppcheck:
- CVE-2017-1000249: file: stack-based buffer overflow.
  This was found by Thomas Jarosch using Cppcheck. The cause is a mistake in a condition.
- CVE-2013-6462: 23-year-old stack overflow in X.org that was found with Cppcheck.
  This has been described in a few articles.
- CVE-2012-1147: readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files.
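CVE-2017-1000249 above is attributed to a mistake in a condition. The following added example (not code from file or from the Cppcheck project) is a constructed C illustration of that bug class: a range check that is always true, placed in front of a copy into a fixed stack buffer, next to the corrected check. The function names and the 4 to 20 byte bounds are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ID_MIN 4    /* constructed bounds for this illustration */
#define ID_MAX 20

/* Flawed: every len is >= 4 or <= 20, so this never rejects anything. */
int len_ok_flawed(size_t len) { return len >= ID_MIN || len <= ID_MAX; }

/* Intended: both bounds must hold. */
int len_ok_fixed(size_t len) { return len >= ID_MIN && len <= ID_MAX; }

/* Hardened copy of an untrusted, length-prefixed ID into a fixed stack
 * buffer. Returns the byte sum of the ID, or -1 when len is out of range.
 * With len_ok_flawed() as the guard, len > ID_MAX would reach memcpy()
 * and write past id[], which is a stack-based buffer overflow. */
int id_checksum(const unsigned char *src, size_t len)
{
    unsigned char id[ID_MAX];
    int sum = 0;

    if (!len_ok_fixed(len))
        return -1;
    memcpy(id, src, len);
    for (size_t i = 0; i < len; i++)
        sum += id[i];
    return sum;
}

int main(void)
{
    unsigned char input[64];            /* constructed sample input */
    memset(input, 1, sizeof input);
    size_t lens[] = { 0, 3, 4, 20, 21, 64 };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%2zu flawed=%d fixed=%d checksum=%d\n", lens[i],
               len_ok_flawed(lens[i]), len_ok_fixed(lens[i]),
               id_checksum(input, lens[i]));
    return 0;
}
```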
- Comparing pointers that point to different objects
- Address of local variable ‘x’ is accessed at non-zero index
- STL usage: unnecessary search before insertion
- Duplicate expression for condition and assignment: if (x==3) x=3;
Added --library configuration files for:
Better handling of C++14 and C++17
- New command line option --addon used to run addons directly from Cppcheck.
- Some advanced options are only available in GUI:
  - remove unused declarations in header files to speed up analysis
  - remove unused templates to speed up analysis
  - when checking Visual Studio project, only check 1 configuration
  - max whole-program-analysis call stack depth

To get these features in the command line tool, create a GUI project file and import it on the command line using --project.
- started implementing theme support
Please use MATCHCOMPILER=yes instead of SRCDIR=build when compiling to enable the match compiler.
- add check exp15-c
- add check str03-c
- add check str05-c
- add check str07-c
- Add check 17.7
- Add check 20.7
- Add check 20.10