SEI CERT C++ Coding Standard

Space shortcuts

Page tree

Title: SEI CERT C++ Coding Standard  
Author: Admin Jul 18, 2006
Last Changed by: Robert Schiela Feb 14, 2024
Tiny Link: (useful for email) https://wiki.sei.cmu.edu/confluence/x/Wnw-BQ
Export As: Word · PDF  
Incoming Links
SEI CERT C++ Coding Standard (87)
    Page: ERR54-CPP. Catch handlers should order their parameter types from most derived to least derived
    Page: Rule 09. Object Oriented Programming (OOP)
    Page: FIO51-CPP. Close files when they are no longer needed
    Page: FIO50-CPP. Do not alternately input and output from a file stream without an intervening positioning call
    Page: DCL59-CPP. Do not define an unnamed namespace in a header file
    Page: MEM56-CPP. Do not store an already-owned pointer value in an unrelated smart pointer
    Page: Rule 08. Exceptions and Error Handling (ERR)
    Page: OOP55-CPP. Do not use pointer-to-member operators to access nonexistent members
    Page: Rule 07. Input Output (FIO)
    Page: EXP50-CPP. Do not depend on the order of evaluation for side effects
    Page: CTR53-CPP. Use valid iterator ranges
    Page: EXP51-CPP. Do not delete an array through a pointer of the incorrect type
    Page: CTR52-CPP. Guarantee that library functions do not overflow
    Page: EXP52-CPP. Do not rely on side effects in unevaluated operands
    Page: DCL58-CPP. Do not modify the standard namespaces
    Page: Rule 05. Characters and Strings (STR)
    Page: EXP62-CPP. Do not access the bits of an object representation that are not part of the object's value representation
    Page: OOP58-CPP. Copy operations must not mutate the source object
    Page: EXP55-CPP. Do not access a cv-qualified object through a cv-unqualified type
    Page: OOP51-CPP. Do not slice derived objects
    Page: OOP50-CPP. Do not invoke virtual functions from constructors or destructors
    Page: STR50-CPP. Guarantee that storage for strings has sufficient space for character data and the null terminator
    Page: STR52-CPP. Use valid references, pointers, and iterators to reference elements of a basic_string
    Page: ERR58-CPP. Handle all exceptions thrown before main() begins executing
    Page: ERR52-CPP. Do not use setjmp() or longjmp()
    Page: EXP53-CPP. Do not read uninitialized memory
    Page: INT50-CPP. Do not cast to an out-of-range enumeration value
    Page: ERR56-CPP. Guarantee exception safety
    Page: EXP57-CPP. Do not cast or delete pointers to incomplete classes
    Page: ERR62-CPP. Detect errors when converting a string to a number
    Page: ERR61-CPP. Catch exceptions by lvalue reference
    Page: Rule 49. Miscellaneous (MSC)
    Page: Rule 10. Concurrency (CON)
    Page: EXP63-CPP. Do not rely on the value of a moved-from object
    Page: MSC54-CPP. A signal handler must be a plain old function
    Page: MEM52-CPP. Detect and handle memory allocation errors
    Page: MSC51-CPP. Ensure your random number generator is properly seeded
    Page: CTR50-CPP. Guarantee that container indices and iterators are within the valid range
    Page: OOP56-CPP. Honor replacement handler requirements
    Page: DCL60-CPP. Obey the one-definition rule
    Page: CTR56-CPP. Do not use pointer arithmetic on polymorphic objects
    Page: DCL52-CPP. Never qualify a reference type with const or volatile
    Page: ERR55-CPP. Honor exception specifications
    Page: CTR58-CPP. Predicate function objects should not be mutable
    Page: OOP57-CPP. Prefer special member functions and overloaded operators to C Standard Library functions
    Page: OOP54-CPP. Gracefully handle self-copy assignment
    Page: EXP58-CPP. Pass an object of the correct type to va_start
    Page: STR51-CPP. Do not attempt to create a std::string from a null pointer
    Page: ERR51-CPP. Handle all exceptions
    Page: CTR55-CPP. Do not use an additive operator on an iterator if the result would overflow
    Page: DCL56-CPP. Avoid cycles during initialization of static objects
    Page: MSC53-CPP. Do not return from a function declared [[noreturn]]
    Page: EXP60-CPP. Do not pass a nonstandard-layout type object across execution boundaries
    Page: DCL50-CPP. Do not define a C-style variadic function
    Page: Rule 03. Integers (INT)
    Page: ERR60-CPP. Exception objects must be nothrow copy constructible
    Page: DCL55-CPP. Avoid information leakage when passing a class object across a trust boundary
    Page: DCL51-CPP. Do not declare or define a reserved identifier
    Page: DCL57-CPP. Do not let exceptions escape from destructors or deallocation functions
    Page: MEM57-CPP. Avoid using default operator new for over-aligned types
    Page: EXP61-CPP. A lambda object must not outlive any of its reference captured objects
    Page: ERR57-CPP. Do not leak resources when handling exceptions
    Page: EXP56-CPP. Do not call a function with a mismatched language linkage
    Page: CTR57-CPP. Provide a valid ordering predicate
    Page: ERR53-CPP. Do not reference base classes or class data members in a constructor or destructor function-try-block handler
    Page: Rule 01. Declarations and Initialization (DCL)
    Page: MEM51-CPP. Properly deallocate dynamically allocated resources
    Page: CTR51-CPP. Use valid references, pointers, and iterators to reference elements of a container
    Page: ERR50-CPP. Do not abruptly terminate the program
    Page: DCL53-CPP. Do not write syntactically ambiguous declarations
    Page: MEM55-CPP. Honor replacement dynamic storage management requirements
    Page: CTR54-CPP. Do not subtract iterators that do not refer to the same container
    Page: MSC52-CPP. Value-returning functions must return a value from all exit paths
    Page: OOP53-CPP. Write constructor member initializers in the canonical order
    Page: Rule 04. Containers (CTR)
    Page: MEM54-CPP. Provide placement new with properly aligned pointers to sufficient storage capacity
    Page: MEM50-CPP. Do not access freed memory
    Page: STR53-CPP. Range check element access
    Page: ERR59-CPP. Do not throw an exception across execution boundaries
    Page: MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers
    Page: Rule 06. Memory Management (MEM)
    Page: EXP59-CPP. Use offsetof() on valid types and members
    Page: Rule 02. Expressions (EXP)
    Page: DCL54-CPP. Overload allocation and deallocation functions as a pair in the same scope
    Page: MEM53-CPP. Explicitly construct and destruct objects when manually managing object lifetime
    Page: EXP54-CPP. Do not access an object outside of its lifetime
    Page: OOP52-CPP. Do not delete a polymorphic object without a virtual destructor
SEI CERT Perl Coding Standard (12)
    Page: FIO01-PL. Do not operate on files that can be modified by untrusted users
    Page: IDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter
    Page: IDS30-PL. Exclude user input from format strings
    Page: EXP03-PL. Do not diminish the benefits of constants by assuming their values in expressions
    Page: MSC01-PL. Detect and remove unused variables
    Page: EXP32-PL. Do not ignore function return values
    Page: MSC00-PL. Detect and remove dead code
    Page: IDS00-PL. Canonicalize path names before validating them
    Page: DCL31-PL. Do not overload reserved keywords or subroutines
    Page: IDS33-PL. Sanitize untrusted data passed across a trust boundary
    Page: DCL01-PL. Do not reuse variable names in subscopes
    Page: MSC02-PL. Run programs with full warnings and strict checking
SEI CERT Oracle Coding Standard for Java (27)
    Page: OBJ05-J. Do not return references to private mutable class members
    Page: Rule: Contents and Organization
    Page: IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method
    Page: EXP05-J. Do not follow a write by a subsequent write or read of the same object within an expression
    Page: ERR01-J. Do not allow exceptions to expose sensitive information
    Page: MET10-J. Follow the general contract when implementing the compareTo() method
    Page: IDS50-J. Use conservative file naming conventions
    Page: NUM53-J. Use the strictfp modifier for floating-point calculation consistency across platforms
    Page: OBJ01-J. Limit accessibility of fields
    Page: IDS16-J. Prevent XML Injection
    Page: NUM08-J. Check floating-point inputs for exceptional values
    Page: FIO16-J. Canonicalize path names before validating them
    Page: IDS17-J. Prevent XML External Entity Attacks
    Page: FIO03-J. Remove temporary files before termination
    Page: EXP00-J. Do not ignore values returned by methods
    Page: MSC05-J. Do not exhaust heap space
    Page: FIO01-J. Create files with appropriate access permissions
    Page: DCL00-J. Prevent class initialization cycles
    Page: FIO02-J. Detect and handle file-related errors
    Page: IDS00-J. Prevent SQL injection
    Page: NUM01-J. Do not perform bitwise and arithmetic operations on the same data
    Page: FIO08-J. Distinguish between characters or bytes read from a stream and -1
    Page: MSC02-J. Generate strong random numbers
    Page: DCL01-J. Do not reuse public identifiers from the Java Standard Library
    Page: FIO14-J. Perform proper cleanup at program termination
    Page: NUM04-J. Do not use floating-point numbers if precise computation is required
    Page: FIO04-J. Release resources when they are no longer needed
SEI CERT C Coding Standard (122)
    Page: FIO18-C. Never expect fwrite() to terminate the writing process at a null character
    Page: EXP10-C. Do not depend on the order of evaluation of subexpressions or the order in which side effects take place
    Page: FIO17-C. Do not rely on an ending null character when using fread()
    Page: STR02-C. Sanitize data passed to complex subsystems
    Page: EXP02-C. Be aware of the short-circuit behavior of the logical AND and OR operators
    Page: DCL16-C. Use "L," not "l," to indicate a long value
    Page: FIO15-C. Ensure that file operations are performed in a secure directory
    Page: INT10-C. Do not assume a positive remainder when using the % operator
    Page: FIO05-C. Identify files using multiple file attributes
    Page: FLP02-C. Avoid using floating-point numbers when precise computation is needed
    Page: MSC00-C. Compile cleanly at high warning levels
    Page: STR03-C. Do not inadvertently truncate a string
    Page: PRE04-C. Do not reuse a standard header file name
    Page: SIG01-C. Understand implementation-specific details regarding signal handler persistence
    Page: EXP09-C. Use sizeof to determine the size of a type or variable
    Page: EXP05-C. Do not cast away a const qualification
    Page: MEM07-C. Ensure that the arguments to calloc(), when multiplied, do not wrap
    Page: EXP08-C. Ensure pointer arithmetic is used correctly
    Page: DCL22-C. Use volatile for data that cannot be cached
    Page: STR11-C. Do not specify the bound of a character array initialized with a string literal
    Page: STR06-C. Do not assume that strtok() leaves the parse string unchanged
    Page: MSC12-C. Detect and remove code that has no effect or is never executed
    Page: MEM01-C. Store a new value in pointers immediately after free()
    Page: DCL06-C. Use meaningful symbolic constants to represent literal values
    Page: MSC17-C. Finish every set of statements associated with a case label with a break statement
    Page: DCL08-C. Properly encode relationships in constant definitions
    Page: STR09-C. Don't assume numeric values for expressions with type plain character
    Page: MSC01-C. Strive for logical completeness
    Page: STR01-C. Adopt and implement a consistent plan for managing strings
    Page: EXP07-C. Do not diminish the benefits of constants by assuming their values in expressions
    Page: INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs
    Page: DCL09-C. Declare functions that return errno with a return type of errno_t
    Page: MSC15-C. Do not depend on undefined behavior
    Page: INT07-C. Use only explicitly signed or unsigned char type for numeric values
    Page: FIO08-C. Take care when calling remove() on an open file
    Page: MSC13-C. Detect and remove unused values
    Page: FIO03-C. Do not make assumptions about fopen() and file creation
    Page: FIO06-C. Create files with appropriate access permissions
    Page: MSC05-C. Do not manipulate time_t typed values directly
    Page: INT08-C. Verify that all integer values are in range
    Page: INT15-C. Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types
    Page: PRE09-C. Do not replace secure functions with deprecated or obsolescent functions
    Page: INT18-C. Evaluate integer expressions in a larger size before comparing or assigning to that size
    Page: PRE02-C. Macro replacement lists should be parenthesized
    Page: EXP03-C. Do not assume the size of a structure is the sum of the sizes of its members
    Page: MSC09-C. Character encoding: Use subset of ASCII for safety
    Page: MEM02-C. Immediately cast the result of a memory allocation function call into a pointer to the allocated type
    Page: ERR02-C. Avoid in-band error indicators
    Page: FIO01-C. Be careful using functions that use file names for identification
    Page: SIG00-C. Mask signals handled by noninterruptible signal handlers
    Page: DCL01-C. Do not reuse variable names in subscopes
    Page: DCL02-C. Use visually distinct identifiers
    Page: FIO22-C. Close files before spawning processes
    Page: FLP03-C. Detect and handle floating-point errors
    Page: MSC06-C. Beware of compiler optimizations
    Page: FLP06-C. Convert integers to floating point for floating-point operations
    Page: DCL04-C. Do not declare more than one variable per declaration
    Page: EXP11-C. Do not make assumptions regarding the layout of structures with bit-fields
    Page: FLP00-C. Understand the limitations of floating-point numbers
    Page: MEM10-C. Define and use a pointer validation function
    Page: EXP13-C. Treat relational and equality operators as if they were nonassociative
    Page: PRE03-C. Prefer typedefs to defines for encoding non-pointer types
    Page: FIO21-C. Do not create temporary files in shared directories
    Page: DCL13-C. Declare function parameters that are pointers to values not changed by the function as const
    Page: WIN30-C. Properly pair allocation and deallocation functions
    Page: FLP04-C. Check floating-point inputs for exceptional values
    Page: FLP01-C. Take care in rearranging floating-point expressions
    Page: EXP16-C. Do not compare function pointers to constant values
    Page: PRE07-C. Avoid using repeated question marks
    Page: INT17-C. Define integer constants in an implementation-independent manner
    Page: PRE01-C. Use parentheses within macros around parameter names
    Page: DCL19-C. Minimize the scope of variables and functions
    Page: MEM11-C. Do not assume infinite heap space
    Page: DCL05-C. Use typedefs of non-pointer types only
    Page: ENV03-C. Sanitize the environment when invoking external programs
    Page: ERR01-C. Use ferror() rather than errno to check for FILE stream errors
    Page: STR04-C. Use plain char for characters in the basic character set
    Page: FIO02-C. Canonicalize path names originating from tainted sources
    Page: EXP14-C. Beware of integer promotion when performing bitwise operations on integer types smaller than int
    Page: DCL15-C. Declare file-scope objects or functions that do not need external linkage as static
    Page: ENV02-C. Beware of multiple environment variables with the same effective name
    Page: INT01-C. Use rsize_t or size_t for all integer values representing the size of an object
    Page: INT12-C. Do not make assumptions about the type of a plain int bit-field when used in an expression
    Page: DCL00-C. Const-qualify immutable objects
    Page: INT00-C. Understand the data model used by your implementation(s)
    Page: INT04-C. Enforce limits on integer values originating from tainted sources
    Page: MSC14-C. Do not introduce unnecessary platform dependencies
    Page: MSC20-C. Do not use a switch statement to transfer control into a complex block
    Page: INT14-C. Avoid performing bitwise and arithmetic operations on the same data
    Page: FIO11-C. Take care when specifying the mode parameter of fopen()
    Page: STR00-C. Represent characters using an appropriate type
    Page: PRE05-C. Understand macro replacement when concatenating tokens or performing stringification
    Page: FIO24-C. Do not open a file that is already open
    Page: MEM05-C. Avoid large stack allocations
    Page: MSC04-C. Use comments consistently and in a readable fashion
    Page: EXP12-C. Do not ignore values returned by functions
    Page: SIG02-C. Avoid using signals to implement normal functionality
    Page: MSC11-C. Incorporate diagnostic tests using assertions
    Page: FIO14-C. Understand the difference between text mode and binary mode with file streams
    Page: INT09-C. Ensure enumeration constants map to unique values
    Page: EXP00-C. Use parentheses for precedence of operation
    Page: MSC10-C. Character encoding: UTF8-related issues
    Page: ERR04-C. Choose an appropriate termination strategy
    Page: FIO10-C. Take care when using the rename() function
    Page: MEM06-C. Ensure that sensitive data is not written out to disk
    Page: PRE00-C. Prefer inline or static functions to function-like macros
    Page: How this Coding Standard is Organized
    Page: MEM00-C. Allocate and free memory in the same module, at the same level of abstraction
    Page: ERR05-C. Application-independent code should provide error detection without dictating error handling
    Page: MSC21-C. Use robust loop termination conditions
    Page: ERR03-C. Use runtime-constraint handlers when calling the bounds-checking interfaces
    Page: PRE06-C. Enclose header files in an include guard
    Page: PRE11-C. Do not conclude macro definitions with a semicolon
    Page: INT02-C. Understand integer conversion rules
    Page: PRE12-C. Do not define unsafe macros
    Page: PRE08-C. Guarantee that header file names are unique
    Page: INT13-C. Use bitwise operators only on unsigned operands
    Page: WIN04-C. Consider encrypting function pointers
    Page: MSC07-C. Detect and remove dead code
    Page: MEM04-C. Beware of zero-length allocations
    Page: ERR06-C. Understand the termination behavior of assert() and abort()
    Page: FIO09-C. Be careful with binary data when transferring data across systems
CERT Secure Coding (1)
    Home page: SEI CERT Coding Standards
Hierarchy
Children (4)
    Page: 1 Front Matter
    Page: 2 Rules
    Page: 3 Back Matter
    Page: 4 Admin
Labels
Global Labels (1)
Recent Changes
Time Editor  
Feb 14, 2024 11:41 Robert Schiela View Changes
Updated Coding Standard download links.
Sep 05, 2023 11:34 Robert Schiela View Changes
updated message about requesting an account.
Sep 05, 2023 11:32 Robert Schiela View Changes
cleanup white space
May 29, 2020 16:40 Robert Schiela View Changes
Corrected "errata" links.
May 06, 2020 23:26 Admin  
Outgoing Links
External Links (5)
    https://resources.sei.cmu.edu/library/asset-view.cfm?assetI…
    www.informit.com/store/secure-coding-in-c-and-c-plus-plus-9…
    https://resources.sei.cmu.edu/library/asset-view.cfm?assetI…
    https://www.securecoding.cert.org/confluence/display/seccod…
    www.cert.org/secure-coding/contact.cfm
SEI CERT C++ Coding Standard (2)     Page: Errata for SEI CERT C++ Coding Standard (2016 Edition)
    Home page: SEI CERT C++ Coding Standard
CERT Secure Coding (2)     Page: Secure Coding Space Homepage Notices
    Page: Understand the Difference Between Rules and Recommendations
SEI CERT C Coding Standard (2)     Home page: SEI CERT C Coding Standard
    Page: Errata for SEI CERT C Coding Standard (2016 Edition)