Recommendations

Sections

• Rec. 01. Preprocessor (PRE)
• Rec. 02. Declarations and Initialization (DCL)
• Rec. 03. Expressions (EXP)
• Rec. 04. Integers (INT)
• Rec. 05. Floating Point (FLP)
• Rec. 06. Arrays (ARR)
• Rec. 07. Characters and Strings (STR)
• Rec. 08. Memory Management (MEM)
• Rec. 09. Input Output (FIO)
• Rec. 10. Environment (ENV)
• Rec. 11. Signals (SIG)
• Rec. 12. Error Handling (ERR)
• Rec. 13. Application Programming Interfaces (API)
• Rec. 14. Concurrency (CON)
• Rec. 48. Miscellaneous (MSC)
• Rec. 50. POSIX (POS)
• Rec. 51. Microsoft Windows (WIN)

Recommendation Listing

• API00-C. Functions should validate their parameters
• API01-C. Avoid laying out strings in memory directly before sensitive data
• API02-C. Functions that read or write to or from an array should take an argument to specify the source or target size
• API03-C. Create consistent interfaces and capabilities across related functions
• API04-C. Provide a consistent and usable error-checking mechanism
• API05-C. Use conformant array parameters
• API07-C. Enforce type safety
• API09-C. Compatible values should have the same type
• API10-C. APIs should have security options enabled by default
• ARR00-C. Understand how arrays work
• ARR01-C. Do not apply the sizeof operator to a pointer when taking the size of an array
• ARR02-C. Explicitly specify array bounds, even if implicitly defined by an initializer
• CON01-C. Acquire and release synchronization primitives in the same module, at the same level of abstraction
• CON02-C. Do not use volatile as a synchronization primitive
• CON03-C. Ensure visibility when accessing shared variables
• CON04-C. Join or detach threads even if their exit status is unimportant
• CON05-C. Do not perform operations that can block while holding a lock
• CON06-C. Ensure that every mutex outlives the data it protects
• CON07-C. Ensure that compound operations on shared variables are atomic
• CON08-C. Do not assume that a group of calls to independently atomic methods is atomic
• CON09-C. Avoid the ABA problem when using lock-free algorithms
• DCL00-C. Const-qualify immutable objects
• DCL01-C. Do not reuse variable names in subscopes
• DCL02-C. Use visually distinct identifiers
• DCL03-C. Use a static assertion to test the value of a constant expression
• DCL04-C. Do not declare more than one variable per declaration
• DCL05-C. Use typedefs of non-pointer types only
• DCL06-C. Use meaningful symbolic constants to represent literal values
• DCL07-C. Include the appropriate type information in function declarators
• DCL08-C. Properly encode relationships in constant definitions
• DCL09-C. Declare functions that return errno with a return type of errno_t
• DCL10-C. Maintain the contract between the writer and caller of variadic functions
• DCL11-C. Understand the type issues associated with variadic functions
• DCL12-C. Implement abstract data types using opaque types
• DCL13-C. Declare function parameters that are pointers to values not changed by the function as const
• DCL15-C. Declare file-scope objects or functions that do not need external linkage as static
• DCL16-C. Use "L," not "l," to indicate a long value
• DCL17-C. Beware of miscompiled volatile-qualified variables
• DCL18-C. Do not begin integer constants with 0 when specifying a decimal value
• DCL19-C. Minimize the scope of variables and functions
• DCL20-C. Explicitly specify void when a function accepts no arguments
• DCL21-C. Understand the storage of compound literals
• DCL22-C. Use volatile for data that cannot be cached
• DCL23-C. Guarantee that mutually visible identifiers are unique
• ENV01-C. Do not make assumptions about the size of an environment variable
• ENV02-C. Beware of multiple environment variables with the same effective name
• ENV03-C. Sanitize the environment when invoking external programs
• ERR00-C. Adopt and implement a consistent and comprehensive error-handling policy
• ERR01-C. Use ferror() rather than errno to check for FILE stream errors
• ERR02-C. Avoid in-band error indicators
• ERR04-C. Choose an appropriate termination strategy
• ERR05-C. Application-independent code should provide error detection without dictating error handling
• ERR06-C. Understand the termination behavior of assert() and abort()
• ERR07-C. Prefer functions that support error checking over equivalent functions that don't
• EXP00-C. Use parentheses for precedence of operation
• EXP02-C. Be aware of the short-circuit behavior of the logical AND and OR operators
• EXP03-C. Do not assume the size of a structure is the sum of the sizes of its members
• EXP05-C. Do not cast away a const qualification
• EXP07-C. Do not diminish the benefits of constants by assuming their values in expressions
• EXP08-C. Ensure pointer arithmetic is used correctly
• EXP09-C. Use sizeof to determine the size of a type or variable
• EXP10-C. Do not depend on the order of evaluation of subexpressions or the order in which side effects take place
• EXP11-C. Do not make assumptions regarding the layout of structures with bit-fields
• EXP12-C. Do not ignore values returned by functions
• EXP13-C. Treat relational and equality operators as if they were nonassociative
• EXP14-C. Beware of integer promotion when performing bitwise operations on integer types smaller than int
• EXP15-C. Do not place a semicolon on the same line as an if, for, or while statement
• EXP16-C. Do not compare function pointers to constant values
• EXP19-C. Use braces for the body of an if, for, or while statement
• EXP20-C. Perform explicit tests to determine success, true and false, and equality
• FIO01-C. Be careful using functions that use file names for identification
• FIO02-C. Canonicalize path names originating from tainted sources
• FIO03-C. Do not make assumptions about fopen() and file creation
• FIO05-C. Identify files using multiple file attributes
• FIO06-C. Create files with appropriate access permissions
• FIO08-C. Take care when calling remove() on an open file
• FIO09-C. Be careful with binary data when transferring data across systems
• FIO10-C. Take care when using the rename() function
• FIO11-C. Take care when specifying the mode parameter of fopen()
• FIO13-C. Never push back anything other than one read character
• FIO14-C. Understand the difference between text mode and binary mode with file streams
• FIO15-C. Ensure that file operations are performed in a secure directory
• FIO17-C. Do not rely on an ending null character when using fread()
• FIO18-C. Never expect fwrite() to terminate the writing process at a null character
• FIO19-C. Do not use fseek() and ftell() to compute the size of a regular file
• FIO20-C. Avoid unintentional truncation when using fgets() or fgetws()
• FIO21-C. Do not create temporary files in shared directories
• FIO22-C. Close files before spawning processes
• FIO23-C. Do not exit with unflushed data in stdout or stderr
• FIO24-C. Do not open a file that is already open
• FLP00-C. Understand the limitations of floating-point numbers
• FLP01-C. Take care in rearranging floating-point expressions
• FLP02-C. Avoid using floating-point numbers when precise computation is needed
• FLP03-C. Detect and handle floating-point errors
• FLP04-C. Check floating-point inputs for exceptional values
• FLP05-C. Do not use denormalized numbers
• FLP06-C. Convert integers to floating point for floating-point operations
• FLP07-C. Cast the return value of a function that returns a floating-point type
• INT00-C. Understand the data model used by your implementation(s)
• INT01-C. Use size_t or rsize_t for all integer values representing the size of an object
• INT02-C. Understand integer conversion rules
• INT04-C. Enforce limits on integer values originating from tainted sources
• INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs
• INT07-C. Use only explicitly signed or unsigned char type for numeric values
• INT08-C. Verify that all integer values are in range
• INT09-C. Ensure enumeration constants map to unique values
• INT10-C. Do not assume a positive remainder when using the % operator
• INT12-C. Do not make assumptions about the type of a plain int bit-field when used in an expression
• INT13-C. Use bitwise operators only on unsigned operands
• INT14-C. Avoid performing bitwise and arithmetic operations on the same data
• INT15-C. Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types
• INT16-C. Do not make assumptions about representation of signed integers
• INT17-C. Define integer constants in an implementation-independent manner
• INT18-C. Evaluate integer expressions in a larger size before comparing or assigning to that size
• MEM00-C. Allocate and free memory in the same module, at the same level of abstraction
• MEM01-C. Store a new value in pointers immediately after free()
• MEM02-C. Immediately cast the result of a memory allocation function call into a pointer to the allocated type
• MEM03-C. Clear sensitive information stored in reusable resources
• MEM04-C. Beware of zero-length allocations
• MEM05-C. Avoid large stack allocations
• MEM06-C. Ensure that sensitive data is not written out to disk
• MEM07-C. Ensure that the arguments to calloc(), when multiplied, do not wrap
• MEM10-C. Define and use a pointer validation function
• MEM11-C. Do not assume infinite heap space
• MEM12-C. Consider using a goto chain when leaving a function on error when using and releasing resources
• MSC00-C. Compile cleanly at high warning levels
• MSC01-C. Strive for logical completeness
• MSC04-C. Use comments consistently and in a readable fashion
• MSC05-C. Do not manipulate time_t typed values directly
• MSC06-C. Beware of compiler optimizations
• MSC07-C. Detect and remove dead code
• MSC09-C. Character encoding: Use subset of ASCII for safety
• MSC10-C. Character encoding: UTF8-related issues
• MSC11-C. Incorporate diagnostic tests using assertions
• MSC12-C. Detect and remove code that has no effect or is never executed
• MSC13-C. Detect and remove unused values
• MSC14-C. Do not introduce unnecessary platform dependencies
• MSC15-C. Do not depend on undefined behavior
• MSC17-C. Finish every set of statements associated with a case label with a break statement
• MSC18-C. Be careful while handling sensitive data, such as passwords, in program code
• MSC19-C. For functions that return an array, prefer returning an empty array over a null value
• MSC20-C. Do not use a switch statement to transfer control into a complex block
• MSC21-C. Use robust loop termination conditions
• MSC22-C. Use the setjmp(), longjmp() facility securely
• MSC23-C. Beware of vendor-specific library and language differences
• MSC24-C. Do not use deprecated or obsolescent functions
• MSC25-C. Do not use insecure or weak cryptographic algorithms
• POS01-C. Check for the existence of links when dealing with files
• POS02-C. Follow the principle of least privilege
• POS04-C. Avoid using PTHREAD_MUTEX_NORMAL type mutex locks
• POS05-C. Limit access to files by creating a jail
• PRE00-C. Prefer inline or static functions to function-like macros
• PRE01-C. Use parentheses within macros around parameter names
• PRE02-C. Macro replacement lists should be parenthesized
• PRE04-C. Do not reuse a standard header file name
• PRE05-C. Understand macro replacement when concatenating tokens or performing stringification
• PRE06-C. Enclose header files in an include guard
• PRE07-C. Avoid using repeated question marks
• PRE08-C. Guarantee that header file names are unique
• PRE09-C. Do not replace secure functions with deprecated or obsolescent functions
• PRE10-C. Wrap multistatement macros in a do-while loop
• PRE11-C. Do not conclude macro definitions with a semicolon
• PRE12-C. Do not define unsafe macros
• PRE13-C. Use the Standard predefined macros to test for versions and features.
• Rules versus Recommendations
• SIG00-C. Mask signals handled by noninterruptible signal handlers
• SIG01-C. Understand implementation-specific details regarding signal handler persistence
• SIG02-C. Avoid using signals to implement normal functionality
• STR00-C. Represent characters using an appropriate type
• STR01-C. Adopt and implement a consistent plan for managing strings
• STR02-C. Sanitize data passed to complex subsystems
• STR03-C. Do not inadvertently truncate a string
• STR04-C. Use plain char for characters in the basic character set
• STR05-C. Use pointers to const when referring to string literals
• STR06-C. Do not assume that strtok() leaves the parse string unchanged
• STR09-C. Don't assume numeric values for expressions with type plain character
• STR10-C. Do not concatenate different type of string literals
• STR11-C. Do not specify the bound of a character array initialized with a string literal
• WIN00-C. Be specific when dynamically loading libraries
• WIN01-C. Do not forcibly terminate execution
• WIN02-C. Restrict privileges when spawning child processes
• WIN03-C. Understand HANDLE inheritance
• WIN04-C. Consider encrypting function pointers