Bug 376824 - Checker to detect using deprecated C/C++ CRT function for Win32 development
Status: NEW
Alias: None
Product: CDT
Classification: Tools
Component: cdt-codan
Version: Next
Hardware: PC Windows 7
Importance: P3 enhancement (1 vote)
Target Milestone: ---
Assignee: CDT Codan Inbox
QA Contact: Elena Laskavaia
 
Reported: 2012-04-15 10:28 EDT by Henry Guan
Modified: 2012-09-28 04:36 EDT


Attachments
The prototype checker for checking deprecated C/C++ CRT functions (21.13 KB, patch), 2012-04-15 10:37 EDT, Henry Guan

Description Henry Guan 2012-04-15 10:28:04 EDT
Build Identifier: Version: Indigo Service Release 2 Build id: 20120216-1857

Secure C/C++ programming is a big concern for developers. A lot of memory leak/buffer overflow problems are caused by using C/C++ functions improperly or without care. For Win32 development, developers should stop using deprecated C/C++ CRT functions and take advantage of the new security-enhanced functions. For example, use 'strcpy_s' instead of 'strcpy'. It would be nice if CDT could provide such checking for Win32 developers.

http://msdn.microsoft.com/en-ca/magazine/cc163794.aspx

Reproducible: Always
Comment 1 Henry Guan 2012-04-15 10:37:08 EDT
Created attachment 214026
The prototype checker for checking deprecated C/C++ CRT functions

Here is a simple code checker to detect the use of deprecated C/C++ functions; it also supports quick fix. The associated unit tests for the checker and quick fix are included. The deprecated function list needs to be grown if this checker is considered useful by the CDT team.
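The detection and quick-fix idea described in the report and in this comment, as an added illustration in Python (it is not the attached Codan checker or any CDT code): it flags calls to deprecated CRT functions while ignoring comments, string literals and look-alike identifiers, and offers the rename to the `_s` counterpart. The deprecated/secure pairs are an assumed subset of the MSDN list, and the C sample is constructed.

```python
import re

# Illustrative subset of the MSVC "deprecated CRT function -> security-enhanced version" pairs
# (assumption: a real checker would carry the full list from the MSDN article the report cites).
DEPRECATED_CRT = {"strcpy": "strcpy_s", "strcat": "strcat_s", "sprintf": "sprintf_s",
                  "gets": "gets_s", "scanf": "scanf_s"}

# Identifier followed by '('; the \b keeps 'strcpy' from matching 'my_strcpy' or 'strcpy_s'.
_CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, DEPRECATED_CRT)) + r")\s*\(")
# Line comments, block comments and string literals (char literals are ignored for brevity).
_NONCODE_RE = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"', re.DOTALL)

def _mask_noncode(source):
    """Blank out comments and strings so they cannot trigger a finding; newlines and
    widths are preserved so reported line/column numbers point at the real source."""
    return _NONCODE_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)

def check_source(source):
    """Return (line, column, function, replacement), 1-based, for every deprecated CRT call."""
    findings = []
    for lineno, code in enumerate(_mask_noncode(source).splitlines(), start=1):
        for m in _CALL_RE.finditer(code):
            findings.append((lineno, m.start(1) + 1, m.group(1), DEPRECATED_CRT[m.group(1)]))
    return findings

def quick_fix(source):
    """Rename each flagged call to its _s counterpart. Renaming alone is not a complete fix:
    the _s variants take an extra destination-size argument that the developer must add."""
    lines = source.splitlines(keepends=True)
    for lineno, col, name, repl in reversed(check_source(source)):  # right-to-left keeps columns valid
        i, s = lineno - 1, col - 1
        lines[i] = lines[i][:s] + repl + lines[i][s + len(name):]
    return "".join(lines)

# Constructed sample input (not taken from the bug report or its attachment).
SAMPLE_C = """\
#include <string.h>
/* strcpy(legacy, x) inside a comment must not fire */
void copy(char *dst, const char *src) {
    strcpy(dst, src);           // deprecated: flagged
    strcpy_s(dst, 64, src);     // already the secure form
    my_strcpy(dst, src);        // not a CRT function
    puts("strcpy(a, b)");       // string literal, ignored
}
"""
```

Running `check_source(SAMPLE_C)` yields a single finding on line 4 (`strcpy` at column 5); `quick_fix` renames only that call, and the result needs the size argument added by hand before it compiles.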
Comment 2 Marc-André Laperle 2012-04-17 12:40:10 EDT
Hello Henry, I think this checker is a good idea. However, I don't think we should add new checkers for this release; it might have to wait until after (end of June). I haven't thoroughly reviewed the patch, but I noticed the copyrights are missing and I don't think the checker should be enabled by default.
Comment 3 Henry Guan 2012-04-17 20:00:11 EDT
(In reply to comment #2)
> Hello Henry, I think this checker is a good idea. However, I don't think we
> should add new checkers for this release, it might have to wait after (end of
> June). I haven't thoroughly reviewed the patch but I noticed the copyrights are
> missing and I don't think the checker should be enabled by default.

Hello Marc-André,
Thanks for the comment. I am glad it is considered useful. Sorry for missing some information in my patch - my first contribution :-) I will add it and correct what you pointed out in the next submission. It is OK if this checker won't be added in the next release.
I started thinking of some improvements, e.g. warnings and quick fixes based on different C/C++ libraries. In a future release, I'd like to see more security checkers/rules being added. I have conducted some static code analysis using tools (Visual Studio/Fortify) for my work projects. Security is the biggest concern.
Thanks,
Henry