Thanks for the details.  Now we know what you're doing.

CodeSonar checks code for many possible faults.  This includes many things 
which are not related to the CERT C Coding Standard guidelines.  So not 
everything on the report is a violation of the standard.  You're really asking 
something about CodeSonar, not CERT.

For instance CodeSonar reports every use of memset() because you /can/ leak 
uninitialised bits of memory using memset() (CERT C Section 3.6 DCL39-C).    
But it has no way to check whether what you're doing with memset() does 
initialise all bits.  And the solution CERT suggests – a substitute for 
memset() – is specific to the architecture of one class of CPUs.  Not useful 
for SQLite which has to run on pretty-much everything.

CodeSonar also assumes an insecure memory model, one where every piece of 
memory is leaked.  For instance, it assumes you're writing kernel code running 
in memory which might be leaked to a user.

I'm a poor C programmer.  (I use C only on tiny embedded devices and have never 
had a job which required me to write C code.)  I might try a tool like 
CodeSonar to catch my poor assumptions and poor techniques.  But it's not up to 
the professionalism of the SQLite devs.

If your bosses require CERT compliance, that's fine.  They're welcome to call 
in a human to check SQLite for violations, and I'm sure the SQLite devs would 
love to know anything found.  But we don't have software that good yet.
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
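The reply above mentions DCL39-C and uninitialised bits.  The concern behind that guideline is the padding the compiler inserts between struct fields: assigning the fields one by one leaves those padding bytes holding whatever was in memory before, so copying the whole struct to a less-trusted place copies that stale content too.  The C snippet below is an added illustration, not code from the mailing-list post or from SQLite; `struct msg` and the 0xAA "stale memory" marker are constructed for the demonstration, and the exact padding count depends on the ABI.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed message struct: char/int/char ordering makes typical ABIs
 * insert padding after `kind` and after `flag`. */
struct msg {
    unsigned char kind;
    unsigned int  value;
    unsigned char flag;
};

/* Marker standing in for whatever happened to be in memory before the
 * struct was built there (a previous buffer, a key, ...). */
#define STALE_BYTE 0xAA

/* Lets us look at the struct's raw bytes, padding included. */
union msg_view {
    struct msg    m;
    unsigned char raw[sizeof(struct msg)];
};

/* Number of bytes in struct msg that are not part of any field. */
size_t padding_bytes(void)
{
    return sizeof(struct msg) - 2 * sizeof(unsigned char) - sizeof(unsigned int);
}

/* Count raw bytes that still carry the stale marker. */
static size_t count_stale(const union msg_view *v)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof v->raw; i++)
        if (v->raw[i] == STALE_BYTE)
            n++;
    return n;
}

/* Field-by-field assignment: the compiler writes only the fields. */
static void fill_fields(struct msg *m)
{
    m->kind  = 1;
    m->value = 0x01020304u;
    m->flag  = 0;
}

/* Build the struct on top of stale memory without clearing it first. */
size_t stale_without_memset(void)
{
    union msg_view v;
    memset(v.raw, STALE_BYTE, sizeof v.raw);  /* simulate leftover memory */
    fill_fields(&v.m);                        /* padding bytes are untouched */
    return count_stale(&v);
}

/* Same, but clear every byte (padding included) before assigning fields. */
size_t stale_with_memset(void)
{
    union msg_view v;
    memset(v.raw, STALE_BYTE, sizeof v.raw);
    memset(&v.m, 0, sizeof v.m);              /* zero the whole object */
    fill_fields(&v.m);
    return count_stale(&v);
}

int main(void)
{
    printf("sizeof(struct msg) = %zu, padding bytes = %zu\n",
           sizeof(struct msg), padding_bytes());
    printf("stale bytes, fields only : %zu\n", stale_without_memset());
    printf("stale bytes, after memset: %zu\n", stale_with_memset());
    return 0;
}
```

On a common 64-bit ABI `struct msg` is 12 bytes with 6 bytes of padding, and the first count equals that padding while the second is zero.  This is why a checker that flags the copy (or the memset) cannot, on its own, tell whether every byte ends up initialised: that depends on what is written afterwards and on the layout the compiler chose.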