Mass filing of clang warnings

Albrecht Dreß albrecht.dress at arcor.de
Mon Mar 16 21:13:53 CET 2015


On 16.03.15 18:56, Hans-Christoph Steiner wrote:
> I am sure there is a way to make cppcheck happy that makes sense in the code.  That way, GnuPG can gain the real benefits of automatic runs of cppcheck.

I think what you are basically requesting is a coding guideline...

Such guidelines are *very* common for safety-related applications.  E.g. they are explicitly required when writing C software according to IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems), or for automotive (ISO 26262, the coding guideline is MISRA [1]), or for aviation (DO-178C [2]), etc. etc.  A well-known freely available set of rules (with some overlap with MISRA) is the CERT Secure Coding Standards [3].

IMHO, a /security/ application could also benefit from using standards developed for /safety/ related stuff...

Unfortunately, cppcheck cannot validate (afaik) against the aforementioned standards.  At work I have to write software according to MISRA (for IEC 61508 compliance) and use Flexelint [4] for the validation, which is not OSS, but one of the cheaper tools available (compared to Eclair, LDRA, ...).  Needless to mention that it produces tons of false positives, too...

Best,
Albrecht.


[1] <http://www.misra.org.uk/Publications/tabid/57/Default.aspx#label-c3>
[2] <http://www.rtca.org/store_product.asp?prodid=803>
[3] <https://www.securecoding.cert.org/confluence/display/c/CERT+C+Coding+Standard>
[4] <http://www.gimpel.com/html/flex.htm>

More information about the Gnupg-devel mailing list