Skip to main content
assistive.skiplink.to.breadcrumbs
assistive.skiplink.to.header.menu
assistive.skiplink.to.action.menu
assistive.skiplink.to.quick.search
Log in
Confluence
Spaces
Hit enter to search
Help
Online Help
Keyboard Shortcuts
Feed Builder
What’s new
Available Gadgets
About Confluence
Log in
SEI CERT C++ Coding Standard
Pages
Boards
Space shortcuts
Dashboard
Secure Coding Home
Android
C
C++
Java
Perl
Page tree
Browse pages
Configure
Space tools
View Page
A
t
tachments (7)
Page History
Page Information
View in Hierarchy
View Source
Export to PDF
Export to Word
Pages
SEI CERT C++ Coding Standard
Page Information
Title:
SEI CERT C++ Coding Standard
Author:
Admin
Jul 18, 2006
Last Changed by:
Robert Schiela
Feb 14, 2024
Tiny Link:
(useful for email)
https://wiki.sei.cmu.edu/confluence/x/Wnw-BQ
Export As:
Word
·
PDF
Incoming Links
SEI CERT C++ Coding Standard (87)
Page:
ERR54-CPP. Catch handlers should order their parameter types from most derived to least derived
Page:
Rule 09. Object Oriented Programming (OOP)
Page:
FIO51-CPP. Close files when they are no longer needed
Page:
FIO50-CPP. Do not alternately input and output from a file stream without an intervening positioning call
Page:
DCL59-CPP. Do not define an unnamed namespace in a header file
Page:
MEM56-CPP. Do not store an already-owned pointer value in an unrelated smart pointer
Page:
Rule 08. Exceptions and Error Handling (ERR)
Page:
OOP55-CPP. Do not use pointer-to-member operators to access nonexistent members
Page:
Rule 07. Input Output (FIO)
Page:
EXP50-CPP. Do not depend on the order of evaluation for side effects
Page:
CTR53-CPP. Use valid iterator ranges
Page:
EXP51-CPP. Do not delete an array through a pointer of the incorrect type
Page:
CTR52-CPP. Guarantee that library functions do not overflow
Page:
EXP52-CPP. Do not rely on side effects in unevaluated operands
Page:
DCL58-CPP. Do not modify the standard namespaces
Page:
Rule 05. Characters and Strings (STR)
Page:
EXP62-CPP. Do not access the bits of an object representation that are not part of the object's value representation
Page:
OOP58-CPP. Copy operations must not mutate the source object
Page:
EXP55-CPP. Do not access a cv-qualified object through a cv-unqualified type
Page:
OOP51-CPP. Do not slice derived objects
Page:
OOP50-CPP. Do not invoke virtual functions from constructors or destructors
Page:
STR50-CPP. Guarantee that storage for strings has sufficient space for character data and the null terminator
Page:
STR52-CPP. Use valid references, pointers, and iterators to reference elements of a basic_string
Page:
ERR58-CPP. Handle all exceptions thrown before main() begins executing
Page:
ERR52-CPP. Do not use setjmp() or longjmp()
Page:
EXP53-CPP. Do not read uninitialized memory
Page:
INT50-CPP. Do not cast to an out-of-range enumeration value
Page:
ERR56-CPP. Guarantee exception safety
Page:
EXP57-CPP. Do not cast or delete pointers to incomplete classes
Page:
ERR62-CPP. Detect errors when converting a string to a number
Page:
ERR61-CPP. Catch exceptions by lvalue reference
Page:
Rule 49. Miscellaneous (MSC)
Page:
Rule 10. Concurrency (CON)
Page:
EXP63-CPP. Do not rely on the value of a moved-from object
Page:
MSC54-CPP. A signal handler must be a plain old function
Page:
MEM52-CPP. Detect and handle memory allocation errors
Page:
MSC51-CPP. Ensure your random number generator is properly seeded
Page:
CTR50-CPP. Guarantee that container indices and iterators are within the valid range
Page:
OOP56-CPP. Honor replacement handler requirements
Page:
DCL60-CPP. Obey the one-definition rule
Page:
CTR56-CPP. Do not use pointer arithmetic on polymorphic objects
Page:
DCL52-CPP. Never qualify a reference type with const or volatile
Page:
ERR55-CPP. Honor exception specifications
Page:
CTR58-CPP. Predicate function objects should not be mutable
Page:
OOP57-CPP. Prefer special member functions and overloaded operators to C Standard Library functions
Page:
OOP54-CPP. Gracefully handle self-copy assignment
Page:
EXP58-CPP. Pass an object of the correct type to va_start
Page:
STR51-CPP. Do not attempt to create a std::string from a null pointer
Page:
ERR51-CPP. Handle all exceptions
Page:
CTR55-CPP. Do not use an additive operator on an iterator if the result would overflow
Page:
DCL56-CPP. Avoid cycles during initialization of static objects
Page:
MSC53-CPP. Do not return from a function declared [[noreturn]]
Page:
EXP60-CPP. Do not pass a nonstandard-layout type object across execution boundaries
Page:
DCL50-CPP. Do not define a C-style variadic function
Page:
Rule 03. Integers (INT)
Page:
ERR60-CPP. Exception objects must be nothrow copy constructible
Page:
DCL55-CPP. Avoid information leakage when passing a class object across a trust boundary
Page:
DCL51-CPP. Do not declare or define a reserved identifier
Page:
DCL57-CPP. Do not let exceptions escape from destructors or deallocation functions
Page:
MEM57-CPP. Avoid using default operator new for over-aligned types
Page:
EXP61-CPP. A lambda object must not outlive any of its reference captured objects
Page:
ERR57-CPP. Do not leak resources when handling exceptions
Page:
EXP56-CPP. Do not call a function with a mismatched language linkage
Page:
CTR57-CPP. Provide a valid ordering predicate
Page:
ERR53-CPP. Do not reference base classes or class data members in a constructor or destructor function-try-block handler
Page:
Rule 01. Declarations and Initialization (DCL)
Page:
MEM51-CPP. Properly deallocate dynamically allocated resources
Page:
CTR51-CPP. Use valid references, pointers, and iterators to reference elements of a container
Page:
ERR50-CPP. Do not abruptly terminate the program
Page:
DCL53-CPP. Do not write syntactically ambiguous declarations
Page:
MEM55-CPP. Honor replacement dynamic storage management requirements
Page:
CTR54-CPP. Do not subtract iterators that do not refer to the same container
Page:
MSC52-CPP. Value-returning functions must return a value from all exit paths
Page:
OOP53-CPP. Write constructor member initializers in the canonical order
Page:
Rule 04. Containers (CTR)
Page:
MEM54-CPP. Provide placement new with properly aligned pointers to sufficient storage capacity
Page:
MEM50-CPP. Do not access freed memory
Page:
STR53-CPP. Range check element access
Page:
ERR59-CPP. Do not throw an exception across execution boundaries
Page:
MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers
Page:
Rule 06. Memory Management (MEM)
Page:
EXP59-CPP. Use offsetof() on valid types and members
Page:
Rule 02. Expressions (EXP)
Page:
DCL54-CPP. Overload allocation and deallocation functions as a pair in the same scope
Page:
MEM53-CPP. Explicitly construct and destruct objects when manually managing object lifetime
Page:
EXP54-CPP. Do not access an object outside of its lifetime
Page:
OOP52-CPP. Do not delete a polymorphic object without a virtual destructor
SEI CERT Perl Coding Standard (12)
Page:
FIO01-PL. Do not operate on files that can be modified by untrusted users
Page:
IDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter
Page:
IDS30-PL. Exclude user input from format strings
Page:
EXP03-PL. Do not diminish the benefits of constants by assuming their values in expressions
Page:
MSC01-PL. Detect and remove unused variables
Page:
EXP32-PL. Do not ignore function return values
Page:
MSC00-PL. Detect and remove dead code
Page:
IDS00-PL. Canonicalize path names before validating them
Page:
DCL31-PL. Do not overload reserved keywords or subroutines
Page:
IDS33-PL. Sanitize untrusted data passed across a trust boundary
Page:
DCL01-PL. Do not reuse variable names in subscopes
Page:
MSC02-PL. Run programs with full warnings and strict checking
SEI CERT Oracle Coding Standard for Java (27)
Page:
OBJ05-J. Do not return references to private mutable class members
Page:
Rule: Contents and Organization
Page:
IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method
Page:
EXP05-J. Do not follow a write by a subsequent write or read of the same object within an expression
Page:
ERR01-J. Do not allow exceptions to expose sensitive information
Page:
MET10-J. Follow the general contract when implementing the compareTo() method
Page:
IDS50-J. Use conservative file naming conventions
Page:
NUM53-J. Use the strictfp modifier for floating-point calculation consistency across platforms
Page:
OBJ01-J. Limit accessibility of fields
Page:
IDS16-J. Prevent XML Injection
Page:
NUM08-J. Check floating-point inputs for exceptional values
Page:
FIO16-J. Canonicalize path names before validating them
Page:
IDS17-J. Prevent XML External Entity Attacks
Page:
FIO03-J. Remove temporary files before termination
Page:
EXP00-J. Do not ignore values returned by methods
Page:
MSC05-J. Do not exhaust heap space
Page:
FIO01-J. Create files with appropriate access permissions
Page:
DCL00-J. Prevent class initialization cycles
Page:
FIO02-J. Detect and handle file-related errors
Page:
IDS00-J. Prevent SQL injection
Page:
NUM01-J. Do not perform bitwise and arithmetic operations on the same data
Page:
FIO08-J. Distinguish between characters or bytes read from a stream and -1
Page:
MSC02-J. Generate strong random numbers
Page:
DCL01-J. Do not reuse public identifiers from the Java Standard Library
Page:
FIO14-J. Perform proper cleanup at program termination
Page:
NUM04-J. Do not use floating-point numbers if precise computation is required
Page:
FIO04-J. Release resources when they are no longer needed
SEI CERT C Coding Standard (122)
Page:
FIO18-C. Never expect fwrite() to terminate the writing process at a null character
Page:
EXP10-C. Do not depend on the order of evaluation of subexpressions or the order in which side effects take place
Page:
FIO17-C. Do not rely on an ending null character when using fread()
Page:
STR02-C. Sanitize data passed to complex subsystems
Page:
EXP02-C. Be aware of the short-circuit behavior of the logical AND and OR operators
Page:
DCL16-C. Use "L," not "l," to indicate a long value
Page:
FIO15-C. Ensure that file operations are performed in a secure directory
Page:
INT10-C. Do not assume a positive remainder when using the % operator
Page:
FIO05-C. Identify files using multiple file attributes
Page:
FLP02-C. Avoid using floating-point numbers when precise computation is needed
Page:
MSC00-C. Compile cleanly at high warning levels
Page:
STR03-C. Do not inadvertently truncate a string
Page:
PRE04-C. Do not reuse a standard header file name
Page:
SIG01-C. Understand implementation-specific details regarding signal handler persistence
Page:
EXP09-C. Use sizeof to determine the size of a type or variable
Page:
EXP05-C. Do not cast away a const qualification
Page:
MEM07-C. Ensure that the arguments to calloc(), when multiplied, do not wrap
Page:
EXP08-C. Ensure pointer arithmetic is used correctly
Page:
DCL22-C. Use volatile for data that cannot be cached
Page:
STR11-C. Do not specify the bound of a character array initialized with a string literal
Page:
STR06-C. Do not assume that strtok() leaves the parse string unchanged
Page:
MSC12-C. Detect and remove code that has no effect or is never executed
Page:
MEM01-C. Store a new value in pointers immediately after free()
Page:
DCL06-C. Use meaningful symbolic constants to represent literal values
Page:
MSC17-C. Finish every set of statements associated with a case label with a break statement
Page:
DCL08-C. Properly encode relationships in constant definitions
Page:
STR09-C. Don't assume numeric values for expressions with type plain character
Page:
MSC01-C. Strive for logical completeness
Page:
STR01-C. Adopt and implement a consistent plan for managing strings
Page:
EXP07-C. Do not diminish the benefits of constants by assuming their values in expressions
Page:
INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs
Page:
DCL09-C. Declare functions that return errno with a return type of errno_t
Page:
MSC15-C. Do not depend on undefined behavior
Page:
INT07-C. Use only explicitly signed or unsigned char type for numeric values
Page:
FIO08-C. Take care when calling remove() on an open file
Page:
MSC13-C. Detect and remove unused values
Page:
FIO03-C. Do not make assumptions about fopen() and file creation
Page:
FIO06-C. Create files with appropriate access permissions
Page:
MSC05-C. Do not manipulate time_t typed values directly
Page:
INT08-C. Verify that all integer values are in range
Page:
INT15-C. Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types
Page:
PRE09-C. Do not replace secure functions with deprecated or obsolescent functions
Page:
INT18-C. Evaluate integer expressions in a larger size before comparing or assigning to that size
Page:
PRE02-C. Macro replacement lists should be parenthesized
Page:
EXP03-C. Do not assume the size of a structure is the sum of the sizes of its members
Page:
MSC09-C. Character encoding: Use subset of ASCII for safety
Page:
MEM02-C. Immediately cast the result of a memory allocation function call into a pointer to the allocated type
Page:
ERR02-C. Avoid in-band error indicators
Page:
FIO01-C. Be careful using functions that use file names for identification
Page:
SIG00-C. Mask signals handled by noninterruptible signal handlers
Page:
DCL01-C. Do not reuse variable names in subscopes
Page:
DCL02-C. Use visually distinct identifiers
Page:
FIO22-C. Close files before spawning processes
Page:
FLP03-C. Detect and handle floating-point errors
Page:
MSC06-C. Beware of compiler optimizations
Page:
FLP06-C. Convert integers to floating point for floating-point operations
Page:
DCL04-C. Do not declare more than one variable per declaration
Page:
EXP11-C. Do not make assumptions regarding the layout of structures with bit-fields
Page:
FLP00-C. Understand the limitations of floating-point numbers
Page:
MEM10-C. Define and use a pointer validation function
Page:
EXP13-C. Treat relational and equality operators as if they were nonassociative
Page:
PRE03-C. Prefer typedefs to defines for encoding non-pointer types
Page:
FIO21-C. Do not create temporary files in shared directories
Page:
DCL13-C. Declare function parameters that are pointers to values not changed by the function as const
Page:
WIN30-C. Properly pair allocation and deallocation functions
Page:
FLP04-C. Check floating-point inputs for exceptional values
Page:
FLP01-C. Take care in rearranging floating-point expressions
Page:
EXP16-C. Do not compare function pointers to constant values
Page:
PRE07-C. Avoid using repeated question marks
Page:
INT17-C. Define integer constants in an implementation-independent manner
Page:
PRE01-C. Use parentheses within macros around parameter names
Page:
DCL19-C. Minimize the scope of variables and functions
Page:
MEM11-C. Do not assume infinite heap space
Page:
DCL05-C. Use typedefs of non-pointer types only
Page:
ENV03-C. Sanitize the environment when invoking external programs
Page:
ERR01-C. Use ferror() rather than errno to check for FILE stream errors
Page:
STR04-C. Use plain char for characters in the basic character set
Page:
FIO02-C. Canonicalize path names originating from tainted sources
Page:
EXP14-C. Beware of integer promotion when performing bitwise operations on integer types smaller than int
Page:
DCL15-C. Declare file-scope objects or functions that do not need external linkage as static
Page:
ENV02-C. Beware of multiple environment variables with the same effective name
Page:
INT01-C. Use rsize_t or size_t for all integer values representing the size of an object
Page:
INT12-C. Do not make assumptions about the type of a plain int bit-field when used in an expression
Page:
DCL00-C. Const-qualify immutable objects
Page:
INT00-C. Understand the data model used by your implementation(s)
Page:
INT04-C. Enforce limits on integer values originating from tainted sources
Page:
MSC14-C. Do not introduce unnecessary platform dependencies
Page:
MSC20-C. Do not use a switch statement to transfer control into a complex block
Page:
INT14-C. Avoid performing bitwise and arithmetic operations on the same data
Page:
FIO11-C. Take care when specifying the mode parameter of fopen()
Page:
STR00-C. Represent characters using an appropriate type
Page:
PRE05-C. Understand macro replacement when concatenating tokens or performing stringification
Page:
FIO24-C. Do not open a file that is already open
Page:
MEM05-C. Avoid large stack allocations
Page:
MSC04-C. Use comments consistently and in a readable fashion
Page:
EXP12-C. Do not ignore values returned by functions
Page:
SIG02-C. Avoid using signals to implement normal functionality
Page:
MSC11-C. Incorporate diagnostic tests using assertions
Page:
FIO14-C. Understand the difference between text mode and binary mode with file streams
Page:
INT09-C. Ensure enumeration constants map to unique values
Page:
EXP00-C. Use parentheses for precedence of operation
Page:
MSC10-C. Character encoding: UTF8-related issues
Page:
ERR04-C. Choose an appropriate termination strategy
Page:
FIO10-C. Take care when using the rename() function
Page:
MEM06-C. Ensure that sensitive data is not written out to disk
Page:
PRE00-C. Prefer inline or static functions to function-like macros
Page:
How this Coding Standard is Organized
Page:
MEM00-C. Allocate and free memory in the same module, at the same level of abstraction
Page:
ERR05-C. Application-independent code should provide error detection without dictating error handling
Page:
MSC21-C. Use robust loop termination conditions
Page:
ERR03-C. Use runtime-constraint handlers when calling the bounds-checking interfaces
Page:
PRE06-C. Enclose header files in an include guard
Page:
PRE11-C. Do not conclude macro definitions with a semicolon
Page:
INT02-C. Understand integer conversion rules
Page:
PRE12-C. Do not define unsafe macros
Page:
PRE08-C. Guarantee that header file names are unique
Page:
INT13-C. Use bitwise operators only on unsigned operands
Page:
WIN04-C. Consider encrypting function pointers
Page:
MSC07-C. Detect and remove dead code
Page:
MEM04-C. Beware of zero-length allocations
Page:
ERR06-C. Understand the termination behavior of assert() and abort()
Page:
FIO09-C. Be careful with binary data when transferring data across systems
CERT Secure Coding (1)
Home page:
SEI CERT Coding Standards
Hierarchy
Children (4)
Page:
1 Front Matter
Page:
2 Rules
Page:
3 Back Matter
Page:
4 Admin
Labels
Global Labels (1)
wikimain
Recent Changes
Time
Editor
Feb 14, 2024 11:41
Robert Schiela
View Changes
Updated Coding Standard download links.
Sep 05, 2023 11:34
Robert Schiela
View Changes
updated message about requesting an account.
Sep 05, 2023 11:32
Robert Schiela
View Changes
cleanup white space
May 29, 2020 16:40
Robert Schiela
View Changes
Corrected "errata" links.
May 06, 2020 23:26
Admin
View Page History
Outgoing Links
External Links (5)
https://resources.sei.cmu.edu/library/asset-view.cfm?assetI…
www.informit.com/store/secure-coding-in-c-and-c-plus-plus-9…
https://resources.sei.cmu.edu/library/asset-view.cfm?assetI…
https://www.securecoding.cert.org/confluence/display/seccod…
www.cert.org/secure-coding/contact.cfm
SEI CERT C++ Coding Standard (2)
Page:
Errata for SEI CERT C++ Coding Standard (2016 Edition)
Home page:
SEI CERT C++ Coding Standard
CERT Secure Coding (2)
Page:
Secure Coding Space Homepage Notices
Page:
Understand the Difference Between Rules and Recommendations
SEI CERT C Coding Standard (2)
Home page:
SEI CERT C Coding Standard
Page:
Errata for SEI CERT C Coding Standard (2016 Edition)
Overview
Content Tools
{"serverDuration": 6310, "requestCorrelationId": "95cb5bc84d4984d4"}