The following tables include the test configurations shipped in the [INSTALL]/configs/builtin directory.
Static Analysis
This group includes universal static analysis test configurations. See Compliance Packs for test configurations that enforce coding standards.
Built-in Test Configuration | Description |
---|---|
Effective C++ | Checks rules from Scott Meyers’ "Effective C++" book. These rules check the efficiency of C++ programs. |
Effective STL | Checks rules from Scott Meyers’ "Effective STL" book. |
Find Duplicated Code | Applies static code analysis rules that report duplicate code. Duplicate code may indicate poor application design and lead to maintainability issues. |
Find Unused Code | Includes rules for identifying unused/dead code. |
Flow Analysis Standard | Detects complex runtime errors without requiring test cases or application execution. Defects detected include using uninitialized or invalid memory, null pointer dereferencing, array and buffer overflows, division by zero, memory and resource leaks, and dead code. This requires a special Flow Analysis license option. |
Flow Analysis Aggressive | Includes rules for deep flow analysis of code. A significant amount of time may be required to run this configuration. |
Flow Analysis Fast | Includes rules for shallow depth of flow analysis, which limits the number of potentially acceptable defects from being reported. |
Global Analysis | Checks the Global Static Analysis rules. |
Metrics | Computes values for several code metrics. |
Modern C++ (11, 14 and 17) | Checks rules that enforce best practices for modern C++ standards (C++11, C++14, C++17). |
Recommended Rules | The default configuration of recommended rules. Covers most Severity 1 and Severity 2 rules. Includes rules in the Flow Analysis Fast configuration. |
Sutter-Alexandrescu | Checks rules based on the book "C++ Coding Standards," by Herb Sutter and Andrei Alexandrescu. |
The Power of Ten | Checks rules based on Gerard J. Holzmann’s article "The Power of Ten - Rules for Developing Safety Critical Code." http://spinroot.com/gerard/pdf/Power_of_Ten.pdf |
Compliance Packs
Compliance Packs include test configurations tailored for particular compliance domains to help you enforce industry-specific compliance standards and practices. See Compliance Packs Rule Mapping for information how the standards are mapped to C/C++test's rules.
Aerospace Pack
Built-in Test Configuration | Description |
---|---|
Joint Strike Fighter | Checks rules that enforce the Joint Strike Fighter (JSF) program coding standards. |
Automotive Pack
Built-in Test Configuration | Description |
---|---|
AUTOSAR C++14 Coding Guidelines | Checks rules that enforce the AUTOSAR C++ Coding Guidelines (Adaptive Platform, version 19.03). This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
HIS Source Code Metrics | Checks metrics required by the Herstellerinitiative Software (HIS) group. |
High Integrity C++ | Checks rules that enforce the High Integrity C++ Coding Standard. |
MISRA C 1998 | Checks rules that enforce the MISRA C coding standards. |
MISRA C 2004 | Checks rules that enforce the MISRA C 2004 coding standard. |
MISRA C 2023 (MISRA C 2012) | Checks rules that enforce the MISRA C:2023 / MISRA C:2012 Amendment 4 guidelines. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
MISRA C++ 2008 | Checks rules that enforce the MISRA C++ 2008 coding standards. |
MISRA C++ 2023 | Checks rules that enforce the MISRA C++:2023 Guidelines for the use of C++17 in critical systems. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
Medical Devices Pack
Built-in Test Configuration | Description |
---|---|
Recommended Rules for FDA (C) | Checks rules recommended for complying with the FDA General Principles for Software Validation (test configuration for the C language). |
Recommended Rules for FDA (C++) | Checks rules recommended for complying with the FDA General Principles for Software Validation (test configuration for the C++ language). |
Security Pack
Built-in Test Configuration | Description |
---|---|
CWE Top 25 2023 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v. 2023. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
CWE Top 25 2022 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v. 2022. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
CWE Top 25 2023 + On the Cusp | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v. 2023. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
CWE Top 25 2022 + On the Cusp | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v. 2022. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
DISA-ASD-STIG | Includes rules that find issues identified in Application Security and Development STIG (Security Technical Implementation Guide) provided by Defense Information Systems Agency. |
OWASP API Security Top 10 2023 | Includes rules that find issues identified in OWASP’s API Security Top 10 v. 2023. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
OWASP API Security Top 10 2019 | Includes rules that find issues identified in OWASP’s API Security Top 10 v. 2019. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
OWASP Top 10 2021 | Includes rules that find web application security risks identified in the OWASP Top 10 v. 2021. |
OWASP Top 10 2017 | Includes rules that find web application security risks identified in the OWASP Top 10 v. 2017. This is a preview version of the test configuration. |
Payment Card Industry Data Security Standard | Includes rules that find issues identified in PCI Data Security Standard. |
SEI CERT C Guidelines | Checks rules and recommendations for the SEI CERT C Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. |
SEI CERT C Rules | Checks rules for the SEI CERT C Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
SEI CERT C++ Rules | Checks rules for the SEI CERT C++ Coding Standard. This standard provides guidelines for secure coding. The goal is to facilitate the development of safe, reliable, and secure systems by, for example, eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. It requires dedicated license features to be activated. Contact your Parasoft representative for details. |
Security Rules | General test configuration that finds security issues |
UL 2900 | Includes rules that find issues identified in the UL-2900 standard. |
Runtime Analysis
Built-in Test Configuration | Description |
---|---|
Coverage | Generates the code coverage report. |
Unit Testing | Analyzes CppUnit or CppUTest test results collected with C/C++test's connector (see Integrating with CppUnit and CppUtest) |
Integrations
Built-in Test Configuration | Description |
---|---|
Export Code Dependency Data | Exports code dependency data for Lattix Architect. See Integrating with Lattix Architect for details. |
Compliance Packs Rule Mapping
This section includes rule mapping for the CWE standard. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.
CWE Top 25 2023 Mapping
CWE ID | CWE Name | Parasoft rule ID(s) |
---|---|---|
CWE-787 | Out-of-bounds Write |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | N/A |
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-416 | Use After Free |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-20 | Improper Input Validation |
|
CWE-125 | Out-of-bounds Read |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-352 | Cross-Site Request Forgery (CSRF) | N/A |
CWE-434 | Unrestricted Upload of File with Dangerous Type | N/A |
CWE-862 | Missing Authorization | N/A |
CWE-476 | NULL Pointer Dereference |
|
CWE-287 | Improper Authentication |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-502 | Deserialization of Untrusted Data | N/A |
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-918 | Server-Side Request Forgery (SSRF) | N/A |
CWE-306 | Missing Authentication for Critical Function | N/A |
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-269 | Improper Privilege Management |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') | N/A |
CWE-863 | Incorrect Authorization |
|
CWE-276 | Incorrect Default Permissions | N/A |
CWE Weaknesses On the Cusp 2023 Mapping
CWE ID | CWE Name | Parasoft rule ID(s) |
---|---|---|
CWE-617 | Reachable Assertion |
|
CWE-427 | Uncontrolled Search Path Element |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-770 | Allocation of Resources Without Limits or Throttling |
|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | N/A |
CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | N/A |
CWE-295 | Improper Certificate Validation | N/A |
CWE-522 | Insufficiently Protected Credentials | N/A |
CWE-401 | Missing Release of Memory after Effective Lifetime |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-639 | Authorization Bypass Through User-Controlled Key | N/A |
CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
|
CWE-668 | Exposure of Resource to Wrong Sphere |
|
CWE Top 25 2022 Mapping
CWE ID | CWE Name | Parasoft rule ID(s) |
---|---|---|
CWE-787 | Out-of-bounds Write |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | N/A |
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-20 | Improper Input Validation |
|
CWE-125 | Out-of-bounds Read |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-416 | Use After Free |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-352 | Cross-Site Request Forgery (CSRF) | N/A |
CWE-434 | Unrestricted Upload of File with Dangerous Type | N/A |
CWE-476 | NULL Pointer Dereference |
|
CWE-502 | Deserialization of Untrusted Data | N/A |
CWE-190 | Integer Overflow or Wraparound |
|
CWE-287 | Improper Authentication |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-862 | Missing Authorization | N/A |
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
CWE-306 | Missing Authentication for Critical Function | N/A |
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-276 | Incorrect Default Permissions | N/A |
CWE-918 | Server-Side Request Forgery (SSRF) | N/A |
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') | N/A |
CWE Weaknesses On the Cusp 2022 Mapping
CWE ID | CWE Name | Parasoft rule ID(s) |
---|---|---|
CWE-295 | Improper Certificate Validation | N/A |
CWE-427 | Uncontrolled Search Path Element |
|
CWE-863 | Incorrect Authorization |
|
CWE-269 | Improper Privilege Management |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') |
|
CWE-668 | Exposure of Resource to Wrong Sphere |
|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
|
CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | N/A |
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | N/A |
CWE-401 | Missing Release of Memory after Effective Lifetime |
|
CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
|
CWE-522 | Insufficiently Protected Credentials | N/A |
CWE-319 | Cleartext Transmission of Sensitive Information | N/A |
CWE-312 | Cleartext Storage of Sensitive Information |
|