I am working on the Juliet Test Suite for my research and I am applying some static analyzers to these codes to generate warnings. After running cppcheck, I found out that it couldn't detect many errors mentioned in the manifest.xml file (metadata). Am I failing to run this software properly, or can cppcheck just not detect these warnings/errors? Have you faced this before?
I have used cppcheck on the Juliet Test Suite till now. I am going to use Clang, Veracode and Flawfinder on it, as I failed on my first attempt.
This is the command I used.
cppcheck --enable=all -q --xml -I testcasesupport/ testcases/ 2>out.xml
In the given metadata manifest.xml file, some sample errors are:
<?xml version="1.0" encoding="utf-8"?>
<container>
<testcase>
<file path="CWE127_Buffer_Underread__CWE839_connect_socket_01.c">
<flaw line="111" name="CWE-127: Buffer Under-read"/>
</file>
</testcase>
<testcase>
<file path="CWE114_Process_Control__w32_char_connect_socket_03.c">
<flaw line="124" name="CWE-114: Process Control"/>
</file>
</testcase>
...
</container>
But my output.xml file generated by cppcheck doesn't have most of these errors. Most errors in the output.xml file belong to the 'CWE-398' error, which is a style error. But cppcheck can detect common errors like 'array-out-of-bound' or similar errors.
Is it that cppcheck doesn't cover these uncommon errors of the Juliet Test Suite? If so, what could be some other static analyzer that could detect them properly?
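One way to measure the gap you are describing, as an added example that is not code from the question, the Juliet suite or cppcheck: parse manifest.xml and the cppcheck --xml report, match them on file basename and line, and list which manifest flaws received any finding at all. The sample XML below is constructed; it assumes cppcheck's v2 report layout (file/line on `<location>` children of `<error>`) with a fallback for the v1 layout (file/line as attributes of `<error>`).

```python
import os
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed sample in the layout of Juliet's manifest.xml (two of its test cases).
MANIFEST_XML = """<container>
<testcase><file path="CWE127_Buffer_Underread__CWE839_connect_socket_01.c">
<flaw line="111" name="CWE-127: Buffer Under-read"/></file></testcase>
<testcase><file path="CWE114_Process_Control__w32_char_connect_socket_03.c">
<flaw line="124" name="CWE-114: Process Control"/></file></testcase>
</container>"""

# Constructed sample of a cppcheck --xml report. Assumed layout: v2 puts file/line on
# <location> children of <error>; v1 puts them as attributes on <error> itself.
CPPCHECK_XML = """<results version="2"><errors>
<error id="arrayIndexOutOfBounds" severity="error" msg="Array index out of bounds">
<location file="testcases/CWE127_Buffer_Underread__CWE839_connect_socket_01.c" line="111"/>
</error>
<error id="unusedVariable" severity="style" msg="Unused variable">
<location file="testcases/CWE114_Process_Control__w32_char_connect_socket_03.c" line="40"/>
</error></errors></results>"""

def manifest_flaws(xml_text):
    """Map (file basename, line) -> CWE name for every <flaw> in the manifest."""
    flaws = {}
    for f in ET.fromstring(xml_text).iter("file"):
        base = os.path.basename(f.get("path"))
        for flaw in f.findall("flaw"):
            flaws[(base, int(flaw.get("line")))] = flaw.get("name")
    return flaws

def cppcheck_findings(xml_text):
    """Map (file basename, line) -> list of cppcheck check ids reported there."""
    found = defaultdict(list)
    for err in ET.fromstring(xml_text).iter("error"):
        for loc in err.findall("location") or [err]:  # v1 fallback: <error> itself
            if loc.get("file") and loc.get("line"):
                key = (os.path.basename(loc.get("file")), int(loc.get("line")))
                found[key].append(err.get("id"))
    return found

def coverage(manifest_xml, report_xml, window=0):
    """Split manifest flaws into detected and missed. A flaw counts as detected when
    cppcheck reports anything in the same file within +/- window lines of it."""
    flaws, found = manifest_flaws(manifest_xml), cppcheck_findings(report_xml)
    detected, missed = {}, {}
    for (base, line), name in flaws.items():
        hits = [i for (b, l), ids in found.items() if b == base and abs(l - line) <= window for i in ids]
        (detected if hits else missed)[(base, line)] = (name, hits)
    return detected, missed
```

Run it on the real files with `coverage(open("manifest.xml").read(), open("out.xml").read())`; the `hits` list shows which check ids fired, so style-only matches such as the CWE-398 class you are seeing can be told apart from real detections.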
cppcheck is fairly simplistic and far from perfect. It can detect some issues some of the time, but not all issues all of the time, which goes for more or less any tool. But try out clang-tidy and the various sanitizers (asan, tsan, ubsan etc.) in addition to cppcheck.
Clang-tidy is pretty good and free (see the list of checks).
Coverity is the best I've ever used, but it's fairly expensive.
For runtime checking, Address Sanitizer, Thread Sanitizer and Undefined Behaviour Sanitizer are all amazing.
And of course, always enable as many warnings as you can from your compiler and build both with and without optimizations enabled to catch different bugs.