This topic describes test configurations shipped with C/C++test, which represent the most common scenarios. See Configuring Test Configurations and Rules for Policies for details about creating custom test configurations and deploying test configurations across the team.
Built-in test configurations are organized into the following categories:
Static Analysis
This group includes universal static analysis test configurations. See Compliance Packs for test configurations that enforce coding standards
Test Configuration | Description |
---|---|
Recommended Rules | The default configuration of recommended rules. Covers most Severity 1 and Severity 2 rules. Includes rules in the Flow Analysis Fast configuration. |
Flow Analysis Standard | Detects complex runtime errors without requiring test cases or application execution. Defects detected include using uninitialized or invalid memory, null pointer dereferencing, array and buffer overflows, division by zero, memory and resource leaks, and dead code. This requires a special Flow Analysis license option. See Introducing Built-in Flow Analysis Test Configurations for more details on Flow Analysis Test Configurations. |
Flow Analysis Fast | The fast configuration uses "Shallowest" depth of analysis and runs faster than the standard and aggressive configurations. The fast configuration finds a moderate amount of problems and prevents violation number explosion. See Introducing Built-in Flow Analysis Test Configurations for more details on Flow Analysis Test Configurations. |
Flow Analysis Aggressive | The aggressive option reports any suspicious code as a violation. See Introducing Built-in Flow Analysis Test Configurations for more details on Flow Analysis Test Configurations. |
Effective C++ | Checks rules from Scott Meyers’ "Effective C++" book. These rules check the efficiency of C++ programs. |
Effective STL | Checks rules from Scott Meyers’ "Effective STL" book. |
Modern C++ (11, 14 and 17) | Checks rules that enforce best practices for modern C++ standards (C++11, C++14, C++17). |
Find Duplicated Code | Detects duplicated functions, code fragments, string literals, and #include directives. |
Find Unused Code | Includes rules for identifying unused/dead code. |
Metrics | Reports metrics statistics and detects metric values out of acceptable ranges. |
Global Analysis | Checks the Global Static Analysis rules. |
Sutter-Alexandrescu | Checks rules based on the book "C++ Coding Standards," by Herb Sutter and Andrei Alexandrescu. |
The Power of Ten | Checks rules based on Gerard J. Holzmann’s article "The Power of Ten - Rules for Developing Safety Critical Code." (http://spinroot.com/gerard/pdf/Power_of_Ten.pdf) |
Compliance Packs
Compliance Packs include test configurations tailored for particular compliance domains to help you enforce industry-specific compliance standards and practices. See Compliance Packs Rule Mapping for information how the standards are mapped to C/C++test's rules.
Aerospace Pack
Test Configuration | Description |
---|---|
Joint Strike Fighter | Checks rules that enforce the Joint Strike Fighter (JSF) program coding standards. |
DO178C Software Level A Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for DO178C Software Level A |
DO178C Software Level B Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for DO178C Software Level B |
DO178C Software Level C and D Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for DO178C Software Level C and D |
Automotive Pack
Test Configuration | Description |
---|---|
AUTOSAR C++14 Coding Guidelines | Checks rules that enforce the AUTOSAR C++ Coding Guidelines (Adaptive Platform, version 19.03). This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
High Integrity C++ | Checks rules that enforce the High Integrity C++ Coding Standard. |
HIS Source Code Metrics | Checks metrics required by the Herstellerinitiative Software (HIS) group. |
MISRA C 1998 | Checks rules that enforce the MISRA C coding standards. |
MISRA C 2004 | Checks rules that enforce the MISRA C 2004 coding standards. |
MISRA C++ 2008 | Checks rules that enforce the MISRA C++ 2008 coding standards. |
MISRA C 2023 (MISRA C 2012) | Checks rules that enforce the MISRA C:2023 / MISRA C:2012 Amendment 4 guidelines. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
MISRA C++ 202X | Checks rules that enforce selected MISRA C++ 202X coding guidelines. This preview configuration covers a selection of guidelines from the "Public Review Draft of MISRA C++:202X" document. |
ISO26262 ASIL A Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for ISO26262 ASIL A |
ISO26262 ASIL B and C Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for ISO26262 ASIL B and C |
ISO26262 ASIL D Unit Testing | Executes unit tests with appropriate configuration of coverage metrics and reporting settings for ISO26262 ASIL D |
Medical Devices Pack
Test Configuration | Description |
---|---|
Recommended Rules for FDA (C) | Checks rules recommended for complying with the FDA General Principles for Software Validation (test configuration for the C language). |
Recommended Rules for FDA (C++) | Checks rules recommended for complying with the FDA General Principles for Software Validation (test configuration for the C++ language). |
Security Pack
Test Configuration | Description |
---|---|
CWE Top 25 2022 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.2022. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 2019 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.2019. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 2022 + On the Cusp | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.2022. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 2019 + On the Cusp | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.2019. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
DISA-ASD-STIG | Includes rules that find issues identified in Application Security and Development STIG (Security Technical Implementation Guide) provided by Defense Information Systems Agency. |
OWASP API Security Top 10 2019 | Includes rules that find issues identified in OWASP’s API Security Top 10 standard. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
OWASP Top 10 2017 | Includes rules that find web application security risks identified in the OWASP Top 10 - 2017. |
OWASP Top 10 2021 | Includes rules that find web application security risks identified in the OWASP Top 10 - 2021. This is a preview version of the test configuration. |
Payment Card Industry Data Security Standard | Checks rules for the security issues referenced in section 6 of the Payment Card Industry Data Security Standard (PCI DSS) (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml) Issues detected include input validation (to prevent cross-site scripting, injection flaws, malicious file execution, etc.) and validation of proper error handling. |
Security Rules | Checks rules designed to prevent or identify security vulnerabilities. |
SEI CERT C Coding Guidelines | Checks rules and recommendations for the SEI CERT C Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. |
SEI CERT C Rules | Checks rules for the SEI CERT C Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
SEI CERT C++ Rules | Checks rules for the SEI CERT C++ Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
UL 2900 | Includes rules that find issues identified in the UL-2900 standard. |
Unit Testing
Test Configuration | Description |
---|---|
File Scope> Build Test Executable (File Scope) | Builds test executable for "trial builds." Only the selected file(s) will be instrumented. |
File Scope> Collect Stub Information (File Scope) | Collects symbols data to populate the Stubs view. Only the selected file(s) will be instrumented. |
File Scope> Debug Unit Tests (File Scope) | Executes unit tests under the debugger. Only the selected file(s) will be instrumented. |
File Scope> Generate Stubs (File Scope) | Generates stubs for missing function and variable definitions. Only the selected file(s) will be instrumented. |
File Scope> Run Unit Tests | Executes the available test cases. Only the selected file(s) will be instrumented. |
Build Test Executable | Builds test executable for "trial builds." All project files will be instrumented. |
Collect Stub Information | Collects symbols data to populate the Stubs view. All project files will be instrumented. |
Debug Unit Tests | Executes unit tests under the debugger. All project files will be instrumented. |
Generate Regression Base | Generates a baseline test suite that captures the project code’s current functionality; to detect changes from this baseline, you run your evolving code base against this test suite on a regular basis. Outcomes are automatically verified. |
Generate Stubs | Generates stubs for missing function and variable definitions. All project files will be instrumented. |
Generate Test Suites | Generates test suites (without generating test cases) for the selected resources. |
Generate Unit Tests | Generates unit tests for the selected resources. |
Run Unit Tests | Executes the available test cases. All project files will be instrumented. |
Run Unit Tests with Memory Monitoring | Executes the available test cases and collects information about memory problems. All project files will be instrumented. |
Application Monitoring
Test Configuration | Description |
---|---|
Build Application with Coverage Monitoring | Builds the tested application with coverage monitoring enabled. |
Build Application with Full Monitoring | Builds the tested application with coverage and memory monitoring enabled. |
Build Application with Memory Monitoring | Builds the tested application with memory monitoring enabled. |
Build and Run Application with Coverage Monitoring | Builds and executes the tested application with coverage monitoring enabled. |
Build and Run Application with Full Monitoring | Builds and executes the tested application with coverage and memory monitoring enabled. |
Build and Run Application with Memory Monitoring | Builds and executes the tested application with memory monitoring enabled. |
Utilities
Test Configuration | Description |
---|---|
Load Test Results (File) | Collects test results via the file channel. By default, this configuration assumes that logs are located inside |
Load Test Results (Sockets) | Collects "on the fly" test results sent through TCP/IP sockets. It starts a java utility program to listen to and capture test results. You can customize the port numbers for test and coverage results. Port numbers are defined with the results_port and coverage_port properties. |
Extract Library Symbols | Extracts a list of symbols from external libraries (or object files). It should be used whenever C++test’s standard algorithm for collecting information about symbols from binaries is not sufficient. For example if you use a Wind River DKM type of project, you may want to have all symbols from the VxWorks image collected in this way. You will probably need to enter the location of the binaries you want to extract symbols from, as well as the name of the nm-like utility that can be used to dump the content of library/object file. |
Generate Stubs Using External Library Symbols | Generates stubs after the "Extract Library Symbols" Test Configuration has been run. It assumes that a file with a list of symbols from external libraries is stored in the project temporary data. |
Load Application Coverage | Imports the coverage data collected with the cpptestcc coverage tool into your IDE; see Collecting Application Coverage with cpptestcc. |
Load Archived Results | Loads the archived results into C/C++test; see Merging Results from Multiple Test Runs. |
Integrations
Test Configuration | Description |
---|---|
Lattix Architect> Export Code Dependency Data | Exports code dependency data for Lattix Architect. See Integrating with Lattix Architect for details. |
Compliance Packs Rule Mapping
This section includes rule mapping for the CWE standard. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.
CWE Top 25 2022 Mapping
CWE ID | CWE Name | Parasoft rule ID(s) |
---|---|---|
CWE-787 | Out-of-bounds Write |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | N/A |
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-20 | Improper Input Validation |
|
CWE-125 | Out-of-bounds Read |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-416 | Use After Free |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-352 | Cross-Site Request Forgery (CSRF) | N/A |
CWE-434 | Unrestricted Upload of File with Dangerous Type | N/A |
CWE-476 | NULL Pointer Dereference |
|
CWE-502 | Deserialization of Untrusted Data | N/A |
CWE-190 | Integer Overflow or Wraparound |
|
CWE-287 | Improper Authentication |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-862 | Missing Authorization | N/A |
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
CWE-306 | Missing Authentication for Critical Function | N/A |
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-276 | Incorrect Default Permissions | N/A |
CWE-918 | Server-Side Request Forgery (SSRF) | N/A |
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') | N/A |
CWE Weaknesses On the Cusp 2022 Mapping
CWE ID | CWE Name | Parasoft rule ID(s) |
---|---|---|
CWE-295 | Improper Certificate Validation | N/A |
CWE-427 | Uncontrolled Search Path Element |
|
CWE-863 | Incorrect Authorization |
|
CWE-269 | Improper Privilege Management |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') |
|
CWE-668 | Exposure of Resource to Wrong Sphere |
|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
|
CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | N/A |
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | N/A |
CWE-401 | Missing Release of Memory after Effective Lifetime |
|
CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
|
CWE-522 | Insufficiently Protected Credentials | N/A |
CWE-319 | Cleartext Transmission of Sensitive Information | N/A |
CWE-312 | Cleartext Storage of Sensitive Information |
|
CWE Top 25 2019 Mapping
CWE ID | CWE Name | Parasoft rule ID(s) |
---|---|---|
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | N/A |
CWE-20 | Improper Input Validation |
|
CWE-200 | Information Exposure |
|
CWE-125 | Out-of-bounds Read |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-416 | Use After Free |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-352 | Cross-Site Request Forgery (CSRF) | N/A |
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-787 | Out-of-bounds Write |
|
CWE-287 | Improper Authentication |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type | N/A |
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') | N/A |
CWE-798 | Use of Hard-coded Credentials |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-772 | Missing Release of Resource after Effective Lifetime |
|
CWE-426 | Untrusted Search Path |
|
CWE-502 | Deserialization of Untrusted Data | N/A |
CWE-269 | Improper Privilege Management |
|
CWE-295 | Improper Certificate Validation | N/A |
CWE Weaknesses On the Cusp 2019 Mapping
CWE ID | CWE Name | Parasoft rule ID(s) |
---|---|---|
CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') |
|
CWE-522 | Insufficiently Protected Credentials | N/A |
CWE-704 | Incorrect Type Conversion or Cast |
|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-918 | Server-Side Request Forgery (SSRF) | N/A |
CWE-415 | Double Free |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | N/A |
CWE-863 | Incorrect Authorization |
|
CWE-862 | Missing Authorization | N/A |
CWE-532 | Inclusion of Sensitive Information in Log Files |
|
CWE-306 | Missing Authentication for Critical Function | N/A |
CWE-384 | Session Fixation | N/A |
CWE-326 | Inadequate Encryption Strength |
|
CWE-770 | Allocation of Resources Without Limits or Throttling |
|
CWE-617 | Reachable Assertion |
|