Cppcheck v2.0 released, a static analysis tool for C/C++ code
Cppcheck is a static analysis tool for C/C++ code. It provides a unique code analysis to detect bugs and focuses on detecting undefined behaviour and dangerous coding constructs. The goal is to detect only real errors in the code (i.e. have very few false positives).
Unique code analysis that detects various kinds of bugs in your code.
Both command line interface and graphical user interface are available.
Cppcheck has a strong focus on detecting undefined behaviour.
- Dead pointers
- Division by zero
- Integer Overflows
- Invalid bit shift operands
- Invalid conversions
- Invalid usage of STL
- Memory management
- Null pointer dereferences
- Out of bounds checking
- Uninitialized variables
- Writing const data
The most common types of security vulnerabilities in 2017 (CVE count) were:

| Category | Amount | Detected by Cppcheck |
|---|---|---|
| Buffer Errors | 2530 | A few |
| Improper Access Control | 1366 | A few (unintended backdoors) |
| Information Leak | 1426 | A few (unintended backdoors) |
| Permissions, Privileges, and Access Control | 1196 | A few (unintended backdoors) |

CVEs that were found using Cppcheck:
- CVE-2017-1000249: file : stack based buffer overflow
This was found by Thomas Jarosch using Cppcheck. The cause is a mistake in a condition.
- CVE-2013-6462: 23-year-old stack overflow in X.org that was found with Cppcheck.
This has been described in a few articles (link).
- CVE-2012-1147: readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files.
The command line is not changed drastically. Your old cppcheck scripts should work as before.
Compiling: There is a new dependency, Z3. When compiling with the Makefile it is highly recommended to use “USE_Z3=yes”.
Improved clang-tidy integration
Several fixes to:
- improve parsing
- detect more bugs with existing checks
- fix false alarms
Clang is a C/C++ compiler that has a very robust and well-made parser.
Cppcheck will always use its internal parser by default. However, there is now an option to use the Clang parser instead.
It is recommended that you use the default internal Cppcheck parser unless you notice that it fails to parse your code properly (syntax errors, strange false alarms).
There is a new “soundy” analysis in Cppcheck that should detect most bugs. You should expect false alarms; however, the false alarms will not be overwhelming.
This new “soundy” analysis is not intended to replace normal Cppcheck analysis. There are use cases where false alarms cannot be tolerated.
We have added one checker, which checks for division by zero:
- It detects all “integer division by zero” bugs in the Juliet test suite.
- It detects all “division by zero” bugs in the ITC test suite.
- There were 28 division-by-zero CVEs published in 2019 for C/C++ open source projects, and we could quickly see that 21 of them are found by Cppcheck. There is no CVE that we know Cppcheck fails to diagnose, but there are 7 CVEs that would require additional investigation to establish whether they are really detected or not.
You can read more about this analysis in the “Bug hunting” chapter in the manual.
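As an added example (constructed here, not code from the Cppcheck project or from this announcement), the kind of integer division-by-zero defect the new checker targets, where a guard exists but tests the wrong variable, beside a corrected form. The `--bug-hunting` flag named in the comment is assumed from the manual's “Bug hunting” chapter.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example. Running `cppcheck --bug-hunting` (flag assumed from
 * the "Bug hunting" chapter) over this file is where the new division-by-zero
 * checker would be expected to report the unsafe function. */

/* BEFORE: the guard tests the numerator, not the divisor, so a caller that
 * passes total == 0 reaches the division. This is the "mistake in a
 * condition" pattern: a check exists, but it checks the wrong thing. */
int percent_unsafe(int part, int total)
{
    if (part < 0)
        return -1;
    return part * 100 / total;   /* undefined behaviour when total == 0 */
}

/* AFTER: reject the divisor that makes the division undefined, and also the
 * multiplication that would overflow (the "Integer Overflows" class listed
 * above). The result goes through an out-parameter so a failure cannot be
 * confused with a legitimate 0 percent. */
bool percent_safe(int part, int total, int *out)
{
    if (part < 0 || total == 0)
        return false;
    if (part > INT_MAX / 100)    /* part * 100 would overflow int */
        return false;
    *out = part * 100 / total;
    return true;
}

/* Same defect class in data-driven code: a count that comes from input can
 * be zero, so the divisor must be checked before the division, not after. */
bool average_safe(const int *values, int count, int *out)
{
    if (values == NULL || count <= 0)
        return false;
    long long sum = 0;           /* wide accumulator: the sum cannot overflow */
    for (int i = 0; i < count; i++)
        sum += values[i];
    *out = (int)(sum / count);
    return true;
}

int main(void)
{
    int r = 0;
    printf("percent_safe(3, 0): %s\n", percent_safe(3, 0, &r) ? "ok" : "rejected");
    printf("percent_safe(3, 4): %d\n", percent_safe(3, 4, &r) ? r : -1);
    return 0;
}
```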