In this section:
Overview
Test configurations define how your code is analyzed and tested, including which static analysis rules are enabled, which tests to run, and other analysis parameters. C/C++test ships with built-in test configurations, but users can create and store their own test configurations in the DTP server (see the DTP documentation for details).
User-defined test configurations that are stored in DTP can be downloaded from the DTP server and stored in the [INSTALL_DIR]/configs/user directory as *.properties files.
Running a Test Configuration
You can specify which configuration will be run in one of the following ways:
Run
cpptestcliwith the-configswitch and specify a built-in, user-defined or DTP-hosted test configuration:-config "builtin://Recommended Rules" -config "user://Foo Configuration" -config "dtp://Foo Team Configuration" -config "dtp://FooTeamConfig.properties"
Alternatively, you can add the prefix of the Parasoft tool you are using to specify a DTP-hosted test configuration:-config "c++test.dtp://Foo Team Configuration"
You can also provide a path or URL to the test configuration .properties file:
-config "C:\Devel\Configs\FooConfig.properties" -config "http://foo.bar.com/configs/FoodConfig.properties"
For example, your command line may resemble the following:cpptestcli -config "builtin://Recommended Rules" -compiler gcc_3_4 -input cpptest.bdf
In the .properties file, specify the default configuration that will be run when the
-configoption is not used:cpptest.configuration=user://Configuration Name
Viewing Available Test Configurations
Use the -listconfigs switch to print the available test configurations.
Built-in Test Configurations
The following tables include the test configurations shipped in the [INSTALL]/configs/builtin directory.
Static Analysis
This group includes universal static analysis test configurations. See Compliance Packs for test configurations that enforce coding standards.
| Built-in Test Configuration | Description |
|---|---|
| Effective C++ | Checks rules from Scott Meyers’ "Effective C++" book. These rules check the efficiency of C++ programs. |
| Effective STL | Checks rules from Scott Meyers’ "Effective STL" book. |
| Find Duplicated Code | Applies static code analysis rules that report duplicate code. Duplicate code may indicate poor application design and lead to maintainability issues. |
| Find Unused Code | Includes rules for identifying unused/dead code. |
| Flow Analysis Standard | Detects complex runtime errors without requiring test cases or application execution. Defects detected include using uninitialized or invalid memory, null pointer dereferencing, array and buffer overflows, division by zero, memory and resource leaks, and dead code. This requires a special Flow Analysis license option. |
| Flow Analysis Aggressive | Includes rules for deep flow analysis of code. A significant amount of time may be required to run this configuration. |
| Flow Analysis Fast | Includes rules for shallow depth of flow analysis, which limits the number of potentially acceptable defects from being reported. |
| Global Analysis | Checks the Global Static Analysis rules. |
| Metrics | Computes values for several code metrics. |
| Modern C++ (11, 14 and 17) | Checks rules that enforce best practices for modern C++ standards (C++11, C++14, C++17). |
| Recommended Rules | The default configuration of recommended rules. Covers most Severity 1 and Severity 2 rules. Includes rules in the Flow Analysis Fast configuration. |
| Sutter-Alexandrescu | Checks rules based on the book "C++ Coding Standards," by Herb Sutter and Andrei Alexandrescu. |
| The Power of Ten | Checks rules based on Gerard J. Holzmann’s article "The Power of Ten - Rules for Developing Safety Critical Code." http://spinroot.com/gerard/pdf/Power_of_Ten.pdf |
Compliance Packs
Compliance Packs include test configurations tailored for particular compliance domains to help you enforce industry-specific compliance standards and practices. See Compliance Packs Rule Mapping for information how the standards are mapped to C/C++test's rules.
Aerospace Pack
| Built-in Test Configuration | Description |
|---|---|
Joint Strike Fighter | Checks rules that enforce the Joint Strike Fighter (JSF) program coding standards. |
Automotive Pack
| Built-in Test Configuration | Description |
|---|---|
| AUTOSAR C++14 Coding Guidelines | Checks rules that enforce the AUTOSAR C++ Coding Guidelines (Adaptive Platform, version 17-10).
|
| HIS Source Code Metrics | Checks metrics required by the Herstellerinitiative Software (HIS) group. |
| High Integrity C++ | Checks rules that enforce the High Integrity C++ Coding Standard. |
| MISRA C 1998 | Checks rules that enforce the MISRA C coding standards |
| MISRA C 2004 | Checks rules that enforce the MISRA C 2004 coding standard. |
| MISRA C 2012 | Checks rules that enforce the MISRA C 2012 coding standard.
|
| MISRA C++ 2008 | Checks rules that enforce the MISRA C++ 2008 coding standards. |
Medical Devices Pack
| Built-in Test Configuration | Description |
|---|---|
| Recommended Rules for FDA (C) | Checks rules recommended for complying with the FDA General Principles for Software Validation (test configuration for the C language). |
| Recommended Rules for FDA (C++) | Checks rules recommended for complying with the FDA General Principles for Software Validation (test configuration for the C++ language). |
Security Pack
| Built-in Test Configuration | Description |
|---|---|
CWE-SANS Top 25 Most Dangerous Programming Errors | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE-SANS standard. |
| OWASP Top 10 2017 | Includes rules that find issues identified in OWASP’s Top 10 standard |
| Payment Card Industry Data Security Standard | Includes rules that find issues identified in PCI Data Security Standard |
| SEI CERT C Guidelines | Checks rules and recommendations for the SEI CERT C Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. |
| SEI CERT C Rules | Checks rules for the SEI CERT C Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities.
|
| SEI CERT C++ Rules | Checks rules for the SEI CERT C++ Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities.
|
| Security Rules | General test configuration that finds security issues |
| UL 2900 | Includes rules that find issues identified in the UL-2900 standard. |
Runtime Analysis
| Built-in Test Configuration | Description |
|---|---|
| Coverage | Generates the code coverage report. |
| GoogleTest | Analyzes Google Test unit test results. |
| Unit Testing | Analyzes CppUnit or CppUTest test results collected with C/C++test's connector (see Integrating with CppUnit and CppUtest) |
Compliance Packs Rule Mapping
This section includes rule mapping for the OWASP and CWE standards. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.
OWASP Top 10 - 2017 Mapping
| OWASP Category | CWE ID | Parasoft Rule IDs |
|---|---|---|
| A1 Injection | CWE-77: Command Injection |
|
| A1 Injection | CWE-89: SQL Injection |
|
| A3 Sensitive Data Exposure | CWE-326: Weak Encryption |
|
| A3 Sensitive Data Exposure | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
|
| A5 Broken Access Control | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
| A6 Security Misconfiguration | CWE-391: Unchecked Error Condition |
|
| A6 Security Misconfiguration | CWE-396: Declaration of Catch for Generic Exception |
|
| A10 Insufficient Logging & Monitoring | CWE-223: Omission of Security-relevant Information |
|
2011 CWE/SANS Top 25 Most Dangerous Software Errors Mapping
| CWE ID | CWE Name | Parasoft ID |
|---|---|---|
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | BD-SECURITY-TDSQL |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | BD-SECURITY-TDCMD |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | BD-PB-OVERFFM |
| BD-PB-OVERFNZT | ||
| BD-PB-OVERFWR | ||
| BD-SECURITY-OVERFWR | ||
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | BD-SECURITY-TDFNAMES |
| CWE-676 | Use of Potentially Dangerous Function | PB-37 |
| SECURITY-11 | ||
| SECURITY-12 | ||
| SECURITY-13 | ||
| SECURITY-14 | ||
| SECURITY-16 | ||
| SECURITY-22 | ||
| SECURITY-30 | ||
| SECURITY-31 | ||
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | SECURITY-02 |
| SECURITY-28 | ||
| SECURITY-37 | ||
| CWE-131 | Incorrect Calculation of Buffer Size | BD-PB-ARRAY |
| BD-PB-OVERFRD | ||
| BD-SECURITY-ARRAY | ||
| MRM-45 | ||
| CWE-134 | Uncontrolled Format String | SECURITY-05 |
| SECURITY-08 | ||
| CWE-190 | Integer Overflow or Wraparound | BD-SECURITY-INTOVERF |
| MISRA-051 |
Creating Custom Rules
Use RuleWizard to create custom rules. See the RuleWizard User Guide for information about RuleWizard capabilities and usage.
To use the rule, it needs to be enabled in a test configuration and the custom rule file must be located in the [INSTALL_DIR]\rules\user\ directory, or another user-specific directory.
