Cppcheck is a static analysis tool for C/C++ code. It provides unique code analysis to detect bugs and focuses on detecting undefined behaviour and dangerous coding constructs. The goal is to have very few false positives. Cppcheck is designed to be able to analyze your C/C++ code even if it has non-standard syntax (common in embedded projects).
Cppcheck is available both as open-source (this page) and as Cppcheck Premium with extended functionality and support. Please visit www.cppcheck.com for more information and purchase options for the commercial version.
Download
Cppcheck 2.16 (open source)
Platform | File |
---|---|
Windows 64-bit (No XP support) | Installer |
Source code (.zip) | Archive |
Source code (.tar.gz) | Archive |
Packages
Cppcheck can also be installed from various package managers; note, however, that the packaged version may be outdated.
Debian:
sudo apt-get install cppcheck
Fedora:
sudo yum install cppcheck
Mac:
brew install cppcheck
Features
Unique code analysis that detects various kinds of bugs in your code.
Both command line interface and graphical user interface are available.
Cppcheck has a strong focus on detecting undefined behaviour.
Unique analysis
Using several static analysis tools can be a good idea, since each tool has unique features; this has been established in many studies.
So what is unique about Cppcheck?
Cppcheck uses unsound flow sensitive analysis. Several other analyzers use path sensitive analysis based on abstract interpretation. That is also a great approach, but it has both advantages and disadvantages. In theory, by definition, path sensitive analysis is better than flow sensitive analysis. But in practice the difference means Cppcheck will detect bugs that the other tools do not detect.
In Cppcheck the data flow analysis is not only "forward" but "bi-directional". Most analyzers will diagnose this:
```c
void foo(int x)
{
    int buf[10];
    if (x == 1000)
        buf[x] = 0; // <- ERROR
}
```
Most tools can determine that the array index will be 1000 and that there will be an overflow.
Cppcheck will also diagnose this:
```c
void foo(int x)
{
    int buf[10];
    buf[x] = 0; // <- ERROR
    if (x == 1000) {}
}
```
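The difference between forward-only and bi-directional value flow can be made concrete with a toy analyzer. The Python below is an added teaching example, not Cppcheck's own implementation or intermediate representation: it models a program as a list of tuples in a made-up mini-IR (`assign`, `index`, `if_eq`, all assumptions of this example), runs the same bounds check with and without the backward step, and also shows the caveat that an assignment between the access and the later condition breaks the inference. Cppcheck's real analysis is far richer; only the idea is shown.

```python
"""Toy model of forward-only vs. bi-directional value-flow analysis.

Added teaching example, not Cppcheck's implementation. A "program" is a list
of statements in a made-up mini-IR (an assumption of this example):
    ("assign", var, value)              var = value
    ("index", var, size, line)          buf[var] = ... where buf has `size` elements
    ("if_eq", var, value, body, line)   if (var == value) { body }
"""


def value_implied_later(rest, var):
    """Backward step: look at the statements that FOLLOW an access.
    A later `if (var == v)` with no assignment to var in between means var
    may already equal v at the access, so v is a candidate index value."""
    for st in rest:
        if st[0] == "assign" and st[1] == var:
            return None  # overwritten: the later condition says nothing about the earlier value
        if st[0] == "if_eq" and st[1] == var:
            return st[2]
    return None


def analyze(stmts, backward, known=None):
    """Return findings as (line, var, value, kind).
    kind is "definite" when the value is known from earlier statements on the
    path, "possible" when it is only inferred from a later condition."""
    known = dict(known or {})
    findings = []
    for i, st in enumerate(stmts):
        kind = st[0]
        if kind == "assign":
            known[st[1]] = st[2]
        elif kind == "index":
            _, var, size, line = st
            if var in known:
                if not 0 <= known[var] < size:
                    findings.append((line, var, known[var], "definite"))
            elif backward:
                v = value_implied_later(stmts[i + 1:], var)
                if v is not None and not 0 <= v < size:
                    findings.append((line, var, v, "possible"))
        elif kind == "if_eq":
            _, var, value, body, line = st
            inner = dict(known)
            inner[var] = value  # inside the branch the condition holds
            findings.extend(analyze(body, backward, inner))
    return findings


BUF_SIZE = 10

# if (x == 1000) buf[x] = 0;   -- the case most tools catch
PROG_FORWARD = [("if_eq", "x", 1000, [("index", "x", BUF_SIZE, 3)], 3)]

# buf[x] = 0; if (x == 1000) {}   -- needs the backward step
PROG_BACKWARD = [("index", "x", BUF_SIZE, 3), ("if_eq", "x", 1000, [], 4)]

# buf[x] = 0; x = 0; if (x == 1000) {}   -- the assignment breaks the inference
PROG_REASSIGNED = [("index", "x", BUF_SIZE, 3), ("assign", "x", 0), ("if_eq", "x", 1000, [], 5)]


if __name__ == "__main__":
    for name, prog in [("forward", PROG_FORWARD), ("backward", PROG_BACKWARD), ("reassigned", PROG_REASSIGNED)]:
        print(name, "forward-only:", analyze(prog, backward=False))
        print(name, "bi-directional:", analyze(prog, backward=True))
```

Running it, the forward-only pass reports the first program and misses the second; the bi-directional pass reports both, but stays silent on the third because the reassignment cuts the link between the access and the later condition. That is also why such a finding is a "possible" rather than a "definite" error.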
Undefined behaviour
- Dead pointers
- Division by zero
- Integer overflows
- Invalid bit shift operands
- Invalid conversions
- Invalid usage of STL
- Memory management
- Null pointer dereferences
- Out of bounds checking
- Uninitialized variables
- Writing const data
Security
The most common types of security vulnerabilities in 2017 (CVE count) were:
Category | Amount | Detected by Cppcheck |
---|---|---|
Buffer Errors | 2530 | A few |
Improper Access Control | 1366 | A few (unintended backdoors) |
Information Leak | 1426 | A few (unintended backdoors) |
Permissions, Privileges, and Access Control | 1196 | A few (unintended backdoors) |
Input Validation | 968 | No |
CVEs that were found using Cppcheck:
- CVE-2017-1000249 : file : stack based buffer overflow
  This was found by Thomas Jarosch using Cppcheck. The cause is a mistake in a condition.
- CVE-2013-6462 : 23 year old stack overflow in X.org that was found with Cppcheck.
  This has been described in a few articles (link).
- CVE-2012-1147 : readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files.
These CVEs are shown when you google "cppcheck CVE". Feel free to compare the search results with other static analysis tools.
Security experts recommend that static analysis is used, and using several tools is the best approach from a security perspective.
Coding standards
Coding standard | Open Source | Premium |
---|---|---|
Misra C 2012 - original rules | Partial | Yes |
Misra C 2012 - amendment #1 | Partial | Yes |
Misra C 2012 - amendment #2 | Partial | Yes |
Misra C 2012 - amendment #3 | | Yes |
Misra C 2012 - amendment #4 | | Yes |
Misra C 2012 - Compliance report | | Yes |
Misra C 2012 - Rule texts | User provided | Yes |
Misra C 2023 | | Yes |
Misra C++ 2008 | | Yes |
Misra C++ 2023 | | Yes |
Cert C | | Yes |
Cert C++ | | Yes |
Autosar | | Partial |
All checks
For a list of all checks in Cppcheck see: http://sourceforge.net/p/cppcheck/wiki/ListOfChecks.
Clients and plugins
Cppcheck is integrated with many popular development tools. For instance:
- Buildbot - integrated
- CLion - Cppcheck plugin
- Code::Blocks - integrated
- CodeDX (software assurance tool) - integrated
- CodeLite - integrated
- CppDepend 5 - integrated
- Eclipse - Cppcheclipse
- gedit - gedit plugin
- github - Codacy, Codety and SoftaCheck
- Hudson - Cppcheck Plugin
- Jenkins - Cppcheck Plugin
- KDevelop - integrated since v5.1
- Mercurial (Linux) - pre-commit hook - Check for new errors on commit (requires interactive terminal)
- QtCreator - Qt Project Tool (qpt)
- Tortoise SVN - Adding a pre-commit hook script
- Vim - Vim Compiler
- Visual Studio - Visual Studio plugin
- VScode - VScode plugin
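Several of the integrations above are hooks that check for new errors on commit. As an added example (not code from the Cppcheck project or from any of the plugins listed), the Python below parses the XML that `cppcheck --xml --xml-version=2` writes to stderr, keys each finding by (check id, file, line) and reports only findings that a stored baseline does not already contain, so an existing backlog does not block every commit while a regression does. The two XML documents are constructed for this example; the element and attribute names follow the version-2 format as far as the author knows it.

```python
"""Gate a commit or CI run on findings that are NEW relative to a baseline.

Added example, not part of the Cppcheck project. Input is the XML that
`cppcheck --xml --xml-version=2 <paths> 2> report.xml` produces (the XML
goes to stderr). The two documents below are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed: what the baseline run (e.g. on the main branch) produced.
BASELINE_XML = """<results version="2">
  <cppcheck version="2.16"/>
  <errors>
    <error id="nullPointer" severity="error" msg="Null pointer dereference: p" verbose="Null pointer dereference: p" cwe="476">
      <location file="src/old.c" line="12" column="5"/>
    </error>
  </errors>
</results>
"""

# Constructed: the current run, with the known finding plus two new ones.
CURRENT_XML = """<results version="2">
  <cppcheck version="2.16"/>
  <errors>
    <error id="nullPointer" severity="error" msg="Null pointer dereference: p" verbose="Null pointer dereference: p" cwe="476">
      <location file="src/old.c" line="12" column="5"/>
    </error>
    <error id="arrayIndexOutOfBounds" severity="error" msg="Array 'buf[10]' accessed at index 1000, which is out of bounds." verbose="Array 'buf[10]' accessed at index 1000, which is out of bounds." cwe="788">
      <location file="src/new.c" line="5" column="9" info="Array index out of bounds"/>
      <location file="src/new.c" line="6" column="9" info="Assuming that condition 'x==1000' is not redundant"/>
    </error>
    <error id="unusedVariable" severity="style" msg="Unused variable: tmp" verbose="Unused variable: tmp" cwe="563">
      <location file="src/new.c" line="9" column="9"/>
    </error>
  </errors>
</results>
"""


def parse_findings(xml_text):
    """Return {(id, file, line): (severity, msg)}.
    The first <location> is the primary one; any further <location> elements
    are the value-flow trail that led to the finding, which we do not key on."""
    root = ET.fromstring(xml_text)
    findings = {}
    for err in root.iter("error"):
        loc = err.find("location")
        if loc is None:  # a few tool-level messages carry no location
            key = (err.get("id"), "", 0)
        else:
            key = (err.get("id"), loc.get("file"), int(loc.get("line", 0)))
        findings[key] = (err.get("severity"), err.get("msg"))
    return findings


def new_findings(baseline_xml, current_xml, severities=("error", "warning")):
    """Findings present in the current run but not in the baseline, limited to
    the severities that should block a commit (style findings are reported but
    not gated on here)."""
    base = parse_findings(baseline_xml)
    cur = parse_findings(current_xml)
    return {k: v for k, v in cur.items() if k not in base and v[0] in severities}


def gate(baseline_xml, current_xml):
    """Exit status for a hook or CI step: 0 when nothing new, 1 otherwise."""
    new = new_findings(baseline_xml, current_xml)
    for (check_id, path, line), (severity, msg) in sorted(new.items()):
        print(f"NEW {severity}: {path}:{line}: {msg} [{check_id}]")
    return 1 if new else 0


if __name__ == "__main__":
    raise SystemExit(gate(BASELINE_XML, CURRENT_XML))
```

Keying on (id, file, line) is simple but brittle: inserting a line above an old finding makes it look new. A production hook would either normalise the key (for example by hashing the message and the source line text instead of the line number) or diff against the baseline of the same revision. Keeping `style` findings out of the gate mirrors Cppcheck's own emphasis on real bugs over stylistic issues.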
Other static analysis tools
Using a battery of tools is better than using one tool. Each tool has unique code analysis, and therefore we recommend that you also use other tools.
Cppcheck focuses on bugs instead of stylistic issues. Therefore a tool that focuses on stylistic issues could be a good addition.
Cppcheck tries very hard to avoid false positives. Sometimes people want to detect all bugs even if there will be many false warnings, for instance when they are working on a release and want to verify that there are no bugs. A tool that is much noisier than Cppcheck might be a good addition in that situation.
Even tools that have the same design goals as Cppcheck will probably be good additions. Static analysis is such a big field that Cppcheck only covers a small fraction of it. No tool covers the whole field. The day when all manual testing will be obsolete because of some tool is very far away.
News
Documentation
You can read the manual or download some articles.
Support
Donate CPU
The Cppcheck project is a hobby project with limited resources. You can help us by donating CPU (1 core or as many as you like). It is simple:
- Download (and extract) Cppcheck source code
- Run script: python cppcheck/tools/donate-cpu.py
The script will analyse Debian source code and upload the results to a Cppcheck server. We need these results both to improve Cppcheck and to detect regressions.
You can stop the script whenever you like with Ctrl C.
Contribute
You are welcome to contribute. Help is needed.
A presentation that might be interesting: Contribute to open source static analysis
- Testing
  - Pick a project and test its source with the latest version of Cppcheck. Submit tickets to Trac about the issues you find in Cppcheck.
- Developing
  - Pick a ticket from Trac and write a test case for it (and add a comment to the ticket saying which test case has been created). Alternatively, pick a test case that fails and try to fix it. Make a patch and submit it to Trac, either inline if it is small or otherwise attached as a file.
- Marketing
  - Write articles, reviews or tell your friends about us. The more users we have, the more people we have testing and the better we can become.
- Design
  - Come up with some new good checks, and create tickets in the Trac instance about them.
- Integration
  - Write a plugin for your favorite IDE or create a package for your distribution or operating system.
- Technical Writing
  - Write better documentation for the bugs we find. Currently only a few bugs have any documentation at all.