The CERT Division's Rosecheckers tool performs static analysis on C/C++ source files. It is designed to enforce the rules in the CERT C Coding standard. Rosecheckers finds some C coding errors that other static analysis tools do not. However, it does not do a comprehensive test for secure and correct C coding, and it is only a prototype, so it cannot be used alone to fully analyze code security. Rosecheckers enforces CERT Secure Coding rules and is freely available pre-installed in a virtual machine from SourceForge. You can also get the rosecheckers code alone (no VM) from

If you install rosecheckers code from source, you should install ROSE first. Follow these steps after installing ROSE:

  • Clone the rosecheckers repository from github.
  • Set the ROSE environment variable to point to the directory for ROSE that has the bin, include, etc. for ROSE.
  • Build the Rosecheckers program from the CERT C Checkers by going into the rosecheckers/rosecheckers directory and typing make pgms

Test Rosecheckers on the code samples from the CERT C Secure Coding Rules by typing make tests

Build API documentation pages, you must install doxygen: make doc

Clean documentation pages and build files by typing make clean

To run the Rosecheckers program on a C or C++ file, pass the file as an argument: rosecheckers hello.c

If the C file violates any secure coding rules, the Rosecheckers program will print them. If the Rosecheckers program cannot find any violations, it doesn't print anything.

Rosecheckers actually takes the same arguments as gcc. Therefore, if your code has special flags that must be passed to the compiler, such as locations of include files, you can pass them to Rosecheckers in the same manner as gcc. Likewise, if you have a makefile that indicates how your program is to be built, you can run ROSE on your source code merely by instructing your make command to use Rosecheckers as a drop-in replacement for gcc. One way to do this is by typing make CC=rosecheckers

We invite the public to download the code, fork it under version control, and enhance it by adding checkers for any CERT C coding rules that it does not currently check. We welcome your contributions. Please contact us if you would like to contribute a new checker to Rosecheckers.

Contact us if you have questions about Rosecheckers, and visit the ROSE Compiler Infrastructure website to learn more about the ROSE compiler used by our tool.

Running Rosecheckers

Rosecheckers can be run on a C or C++ file. The Rosecheckers program displays the file's violations of the secure coding rules that it is programmed to check for. Rosecheckers takes the same arguments as gcc, so code that contains special flags that must be passed to the compiler can be passed to Rosecheckers in the same manner as gcc. The same is true for makefiles that indicate how your program is to be built; you can simply run Rosecheckers on your source code by instructing your make command to use Rosecheckers as a drop-in replacement for gcc. Refer to the Working with ROSE presentation for technical details that cover Rosecheckers too. Although some material in the presentation (such as tool downloads from school machines) is specific for Carnegie Mellon students, it has helpful information for anyone starting to use Rosecheckers.

Setting Up Rosecheckers

The recommended (simplest and speediest) method to start running Rosecheckers requires a virtualization system such as VMWare. The SourceForge project provides a free example VM. Alternatively, users can download the source and compile it without using a VM. However, that option requires building and installing Rosecheckers, which may take considerable time.

Additional Information

More information about downloading, using, and building Rosecheckers can be found on the Rosecheckers Tool Information wiki and on the ROSE Compiler Infrastructure website.