The CERT Division's Rosecheckers tool performs static analysis on C/C++ source files. It is designed to enforce the rules in the CERT C Coding Standard, and it finds some C coding errors that other static analysis tools do not. However, it does not test comprehensively for secure and correct C coding, and it is only a prototype, so it cannot be used alone to fully analyze code security. Rosecheckers is freely available from SourceForge.

We recently developed a proposal to add more checkers to Rosecheckers to support new rules in the new CERT C Coding Standard. We also invite the public to download the code, fork it under version control, and enhance it by adding checkers for any CERT C coding rules that it does not currently check. We welcome your contributions. Please contact us if you would like to contribute a new checker to Rosecheckers.

Contact us if you have questions about Rosecheckers, and visit the ROSE Compiler Infrastructure website to learn more about the ROSE compiler used by our tool.

Running Rosecheckers

Rosecheckers can be run on a C or C++ file. The program displays the file's violations of the secure coding rules that it is programmed to check for. Rosecheckers takes the same arguments as gcc, so any special flags that your code needs passed to the compiler can be passed to Rosecheckers in the same manner as to gcc. The same is true for makefiles that indicate how your program is to be built; you can run Rosecheckers on your source code by instructing your make command to use Rosecheckers as a drop-in replacement for gcc. Refer to the Working with ROSE presentation for technical details that also cover Rosecheckers. Although some material in the presentation (such as tool downloads from school machines) is specific to Carnegie Mellon students, it has helpful information for anyone starting to use Rosecheckers.

Setting Up Rosecheckers

The recommended (simplest and speediest) method to start running Rosecheckers requires a virtualization system such as VMware. The SourceForge project provides a free example VM. Alternatively, users can download the source and compile it without using a VM. However, that option requires building and installing Rosecheckers, which may take considerable time.

Additional Information

More information about downloading, using, and building Rosecheckers can be found on the Rosecheckers Tool Information wiki and on the ROSE Compiler Infrastructure website.