Clang Static Analyzer Security Checks
Clang provides a language front-end and tooling infrastructure for languages in the C language family. The Clang static analyzer includes, among many other checks, a category of security checks.
Security DSLs provided by the Tool
  Name | Description
Security Checks provided by the Tool
  Name | Description
  - Warn on uses of functions whose return values must always be checked.
  - Warn on uses of the 'bcmp' function.
  - Warn on uses of the 'bcopy' function.
  - Warn on uses of the 'bzero' function.
  - Warn on uses of the 'getpw' function.
  - Warn on uses of the 'gets' function.
  - Warn on uses of the 'mkstemp' function.
  - Warn on uses of the 'mktemp' function.
  - Warn on uses of the 'rand' function.
  - Warn on uses of the 'strcpy' function.
  - Warn on uses of the 'vfork' function.
  - Warn on occurrences of unsafe or deprecated buffer-handling functions which now have a secure variant: sprintf, fprintf, vsprintf, scanf, wscanf, fscanf, fwscanf, vscanf, vwscanf, vfscanf, vfwscanf, sscanf, swscanf, vsscanf, vswscanf, swprintf, snprintf, vswprintf, vsnprintf, memcpy, memmove, strncpy, strncat, memset.
  - When a program drops user-level and group-level privileges with the setuid and setgid calls, the group-level privileges must be dropped first (with setgid): a setgid call will likely fail once the superuser privileges have already been dropped by setuid.
  - Checks whether a pointer might be invalid.
  - Warns on the use of a floating-point value as a loop counter.