Cppcheck 1.87 released, a static analysis tool for C/C++ code

Cppcheck is a static analysis tool for C/C++ code. It provides a unique code analysis to detect bugs and focuses on detecting undefined behaviour and dangerous coding constructs. The goal is to detect only real errors in the code (i.e. have very few false positives).


Unique code analysis that detects various kinds of bugs in your code.

Both command line interface and graphical user interface are available.

Cppcheck has a strong focus on detecting undefined behaviour.

Undefined behaviour

  • Dead pointers
  • Division by zero
  • Integer Overflows
  • Invalid bit shift operands
  • Invalid conversions
  • Invalid usage of STL
  • Memory management
  • Null pointer dereferences
  • Out of bounds checking
  • Uninitialized variables
  • Writing const data


The most common types of security vulnerabilities in 2017 (CVE count) was:

CategoryAmountDetected by Cppcheck
Buffer Errors2530A few
Improper Access Control1366A few (unintended backdoors)
Information Leak1426A few (unintended backdoors)
Permissions, Privileges, and Access Control1196A few (unintended backdoors)
Input Validation968No

CVEs that was found using Cppcheck:

  • CVE-2017-1000249: file : stack based buffer overflow
    This was found by Thomas Jarosch using Cppcheck. The cause is a mistake in a condition.
  • CVE-2013-6462: 23-year-old stack overflow in X.org that was found with Cppcheck.
    This has been described in a few articles (link).
  • CVE-2012-1147: readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files.

Changelog v1.8.7

Command line interface:

  • –project can now import Cppcheck GUI projects.

New checks:

  • Condition is always true when array address is compared with 0.
  • function argument expression calculation has known result (#8830)


  • Better lifetime checking (using pointer/reference that points at deleted object)
  • Improved whole program analysis
  • Better handling of language extension var@address.
  • Many improvements in parser to handle templates, type aliases, etc better


  • new configuration for boost
  • much better wxwidgets configuration


  • New addon for checking naming conventions. Naming conventions are configured in json file.

According to daca@home Cppcheck-1.87 is in average 10% faster than Cppcheck-1.86.


Copyright (C) danmar

Source: https://github.com/danmar/