FAQ

What is static analysis?

Static analysis finds potential issues in code by doing an analysis on the source code level. In addition to raising the code quality, the analysis also aids alignment with industry coding standards.

What kind of issues with my code can I find by using C-STAT?

C-STAT checks for a wide range of known issues in C/C++ code. The analysis finds such things as buffer overflows, memory leaks, and null pointer dereferences. In total, the tool includes hundreds of checks that maps to issues covered by CWE and CERT C/C++. C-STAT covers all rules in the different CERT C sections listed at the CERT C wiki as of January 2020, with the exception of the API, CON, POS and WIN sections which are not applicable to our products, yielding a total of 90 covered rules.

What is CWE and CERT C/C++?

CWE, the Common Weakness Enumeration, is a community-developed dictionary of software weakness types. CWE provides a unified, measurable set of software weaknesses in order to better understand and manage them and to enable efficient software security tools and services that can find them. Read more at cwe.mitre.org

The CERT C/C++ Secure Coding Standards are standards published by the Computer Emergency Response Team (CERT) providing rules and recommendations for secure coding in the C/C++ programming languages. More information is available at www.cert.org

Do I need to a full working build in order to run C-STAT or can I use it to analyze individual files?

You do not need a full build of your project to run C-STAT. In fact, you do not need to build your project at all before checking your code, since C-STAT operates on the source code level. C-STAT can be used to check files individually, in addition to analyzing the entire project.

Can I run C-STAT from the command line?

Yes.

Does C-STAT support both C and C++?

Yes.

Where can I find more information about all the checks that C-STAT performs?

This information is available in the user guide (PDF).