
Cppcheck - A tool for static C/C++ code analysis https://cppcheck.sourceforge.io/

A tool for static C/C++ code analysis



Cppcheck is a static analysis tool for C/C++ code. It provides unique code analysis to detect bugs and focuses on detecting
undefined behaviour and dangerous coding constructs. The goal is to have very few false positives. Cppcheck is designed to
be able to analyze your C/C++ code even if it has non-standard syntax (common in embedded projects).

Cppcheck is available both as open source (this page) and as Cppcheck Premium with extended functionality and support.
Please visit www.cppchecksolutions.com for more information and purchase options for the commercial version.

Download
Cppcheck 2.9 (open source)

Platform                          File
Windows 64-bit (No XP support)    Installer
Source code (.zip)                Archive
Source code (.tar.gz)             Archive

Packages

Cppcheck can also be installed from various package managers, but the packaged version may be older than the current release.

Debian:

sudo apt-get install cppcheck

Fedora (on current releases yum is an alias for dnf, so sudo dnf install cppcheck is equivalent):

sudo yum install cppcheck

Mac:

brew install cppcheck

Features
Unique code analysis that detects various kinds of bugs in your code.

Both a command line interface and a graphical user interface are available.

Cppcheck has a strong focus on detecting undefined behaviour.

Unique analysis

Using several static analysis tools is a good idea: each tool has unique features, as many studies have shown.

So what is unique in Cppcheck?

Cppcheck uses unsound, flow-sensitive analysis. Unsound here means that it does not try to prove the absence of bugs and will
miss some; the trade-off is deliberately made in favour of few false positives. Several other analyzers use path-sensitive
analysis based on abstract interpretation, which is also a good approach but has its own advantages and disadvantages. In
theory, path-sensitive analysis is strictly more precise than flow-sensitive analysis. In practice, the different designs mean
that Cppcheck detects some bugs the other tools do not, and vice versa.

1 of 4 12/11/2022, 9:05 pm
Cppcheck - A tool for static C/C++ code analysis https://cppcheck.sourceforge.io/

In Cppcheck the data flow analysis is not only "forward" but "bi-directional". Most analyzers will diagnose this:

void foo(int x)
{
int buf[10];
if (x == 1000)
buf[x] = 0; // <- ERROR
}

Most tools can determine that the array index will be 1000 and there will be overflow.

Cppcheck will also diagnose this, because the later comparison x == 1000 tells the analyzer that x can be 1000 at the earlier write:

void foo(int x)
{
int buf[10];
buf[x] = 0; // <- ERROR
if (x == 1000) {}
}
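The two snippets above, as an added example that is not code from the Cppcheck page or project: the use-before-check write beside a version that validates the index first, and the same shape generalised to a pointer that is dereferenced before it is tested for NULL. The function names (store_unchecked, store_checked, demo_store, len_unchecked, len_checked) are my own.

```c
/* Added example, not from the Cppcheck page or project.  Shows the
 * "use before check" pattern the text describes beside the hardened
 * form, and the same pattern for a pointer dereference. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 10

/* Buggy, as on the page: the write precedes the only range fact the
 * function has.  A forward-only analysis reaches buf[x] with x still
 * unconstrained; reasoning backwards from 'x == 1000' shows that x can
 * be 1000 at the write, which is out of bounds for a 10-element array. */
void store_unchecked(int x)
{
    int buf[BUF_LEN];
    buf[x] = 0;                 /* out of bounds when x == 1000 */
    if (x == 1000) { }          /* the check arrives too late */
}

/* Hardened: validate, then access.  The status makes the reject path
 * observable to callers and tests instead of silently doing nothing. */
int store_checked(int *buf, size_t len, int x)
{
    if (x < 0 || (size_t)x >= len)
        return -1;              /* rejected, no memory touched */
    buf[x] = 0;
    return 0;
}

/* Wrapper with its own buffer so callers do not have to manage one. */
int demo_store(int x)
{
    int buf[BUF_LEN] = {0};
    return store_checked(buf, BUF_LEN, x);
}

/* Same shape with a pointer: the later NULL test says p may be NULL at
 * the strlen() call, which would already have crashed by then. */
int len_unchecked(const char *p)
{
    size_t n = strlen(p);       /* null dereference if p == NULL */
    if (p == NULL)
        return -1;
    return (int)n;
}

/* Hardened: the NULL test precedes the dereference. */
int len_checked(const char *p)
{
    if (p == NULL)
        return -1;
    return (int)strlen(p);
}

int main(void)
{
    store_unchecked(3);         /* in range, so this call is defined */
    printf("store 3    -> %d\n", demo_store(3));
    printf("store 1000 -> %d\n", demo_store(1000));
    printf("len \"abc\"  -> %d\n", len_checked("abc"));
    printf("len NULL   -> %d\n", len_checked(NULL));
    return 0;
}
```

Running cppcheck with --enable=warning over this file is the quickest way to see the bi-directional reasoning the page describes: the two unchecked functions are the ones it is about, while store_checked and len_checked carry their range and NULL facts before the access and should be clean.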

Undefined behaviour

Dead pointers
Division by zero
Integer overflows
Invalid bit shift operands
Invalid conversions
Invalid usage of STL
Memory management
Null pointer dereferences
Out of bounds checking
Uninitialized variables
Writing const data
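Several of the undefined-behaviour classes in the list above, as an added example that is not code from the Cppcheck page or project: each *_ub function triggers one class (invalid shift operand, signed integer overflow, division by zero, uninitialized variable) and sits beside the form a reviewer would accept, where every bad input maps to a returned status. Function names are my own; the code assumes a 32-bit int and a 64-bit long long and refuses to compile otherwise.

```c
/* Added example, not from the Cppcheck page or project.  Deliberately
 * wrong *_ub functions beside their checked forms; the *_ub functions
 * are never called with bad input here. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 32-bit int, 64-bit long long (so int*int fits in long long). */
#if INT_MAX != 2147483647 || LLONG_MAX < 9223372036854775807LL
#error "this example assumes 32-bit int and 64-bit long long"
#endif

/* Invalid bit shift operands: shifting by >= the operand width is UB. */
uint32_t shl_ub(uint32_t v, unsigned n) { return v << n; }
int shl_checked(uint32_t v, unsigned n, uint32_t *out)
{
    if (n >= 32) return -1;     /* reject instead of shifting */
    *out = v << n;
    return 0;
}

/* Integer overflow: signed overflow is UB; the compiler may assume it
 * never happens and delete a later "did it wrap?" test. */
int mul_ub(int a, int b) { return a * b; }
int mul_checked(int a, int b, int *out)
{
    long long r = (long long)a * (long long)b;  /* exact at 64 bits */
    if (r > INT_MAX || r < INT_MIN) return -1;
    *out = (int)r;
    return 0;
}

/* Division by zero, plus INT_MIN / -1, which also overflows and is UB. */
int div_ub(int a, int b) { return a / b; }
int div_checked(int a, int b, int *out)
{
    if (b == 0 || (a == INT_MIN && b == -1)) return -1;
    *out = a / b;
    return 0;
}

/* Uninitialized variable: 'rc' is only assigned on some paths. */
int parse_level_ub(const char *s)
{
    int rc;
    if (strcmp(s, "low") == 0)  rc = 1;
    if (strcmp(s, "high") == 0) rc = 2;
    return rc;                  /* garbage for any other input */
}
int parse_level_checked(const char *s)
{
    int rc = -1;                /* default covers every path */
    if (s == NULL) return rc;   /* null pointer guard before strcmp */
    if (strcmp(s, "low") == 0)       rc = 1;
    else if (strcmp(s, "high") == 0) rc = 2;
    return rc;
}

int main(void)
{
    uint32_t s; int m, d;
    printf("1<<31 accepted: %d\n", shl_checked(1, 31, &s) == 0);
    printf("1<<32 rejected: %d\n", shl_checked(1, 32, &s) == -1);
    printf("INT_MAX*2 rejected: %d\n", mul_checked(INT_MAX, 2, &m) == -1);
    printf("INT_MIN/-1 rejected: %d\n", div_checked(INT_MIN, -1, &d) == -1);
    printf("parse \"medium\": %d\n", parse_level_checked("medium"));
    return 0;
}
```

The *_ub forms are what Cppcheck's undefined-behaviour checks look for; the checked forms are the bar a reviewer should hold code to, because once a program has executed undefined behaviour the compiler is no longer obliged to preserve any test that runs afterwards.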

Security

The most common types of security vulnerabilities in 2017 (by CVE count) were:

Category                                      Amount   Detected by Cppcheck
Buffer Errors                                 2530     A few
Improper Access Control                       1366     A few (unintended backdoors)
Information Leak                              1426     A few (unintended backdoors)
Permissions, Privileges, and Access Control   1196     A few (unintended backdoors)
Input Validation                               968     No

The "A few" entries are incidental: Cppcheck's checks target bugs such as an out-of-bounds access or a mistaken condition, some
of which happen to be exploitable, rather than these vulnerability categories as such.

CVEs that were found using Cppcheck:

CVE-2017-1000249 : file : stack-based buffer overflow. This was found by Thomas Jarosch using Cppcheck. The cause is a
mistake in a condition.
CVE-2013-6462 : 23-year-old stack overflow in X.org that was found with Cppcheck. This has been described in a few articles.
CVE-2012-1147 : readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service
(file descriptor consumption) via a large number of crafted XML files.

These CVEs appear when you search for "cppcheck CVE"; feel free to compare the results with those for other static analysis
tools.

Static analysis is a standard recommendation in secure development, and running several tools gives better coverage from a
security perspective than relying on any one of them.

Coding standards

Misra C 2012: Full coverage in open source tool.


Autosar: Partial coverage in Cppcheck Premium.

Cert C: Full coverage in Cppcheck Premium.

Misra C++ 2008: Partial coverage in Cppcheck Premium.

All checks

For a list of all checks in Cppcheck see: http://sourceforge.net/p/cppcheck/wiki/ListOfChecks.

Clients and plugins


Cppcheck is integrated with many popular development tools. For instance:

Buildbot - integrated
CLion - Cppcheck plugin
Code::Blocks - integrated
CodeDX (software assurance tool) - integrated
CodeLite - integrated
CppDepend 5 - integrated
Eclipse - Cppcheclipse
gedit - gedit plugin
github - Codacy and SoftaCheck
Hudson - Cppcheck Plugin
Jenkins - Cppcheck Plugin
KDevelop - integrated since v5.1
Mercurial (Linux) - pre-commit hook - check for new errors on commit (requires an interactive terminal)
QtCreator - Qt Project Tool (qpt)
Tortoise SVN - adding a pre-commit hook script
Visual Studio - Visual Studio plugin

Other static analysis tools

Using a battery of tools is better than using one tool. Each tool has unique code analysis, so we recommend that you also use
other tools.

Cppcheck focuses on bugs rather than stylistic issues, so a tool that focuses on stylistic issues can be a good addition.

Cppcheck tries very hard to avoid false positives. Sometimes people want to find every possible bug even at the cost of many
false warnings, for instance when they are preparing a release and want assurance that no bugs remain. A tool that is much
noisier than Cppcheck can be a good addition for that.

Even tools that have the same design goals as Cppcheck will probably be good additions. Static analysis is such a big field
that Cppcheck covers only a small fraction of it. No tool covers the whole field, and the day when some tool makes all manual
testing obsolete is very far away.

News
Cppcheck-2.8 2022-05-21
Cppcheck-2.7 2022-02-05
Cppcheck Premium 21.10 2021-11-02

View all news…

Documentation
You can read the manual or download some arƟcles.

Support


Use Trac to report bugs and feature requests


Ask questions at the IRC channel #cppcheck

Donate CPU
The Cppcheck project is a hobby project with limited resources. You can help us by donating CPU (1 core or as many as you
like). It is simple:

1. Download (and extract) the Cppcheck source code
2. Run the script: python cppcheck/tools/donate-cpu.py

The script will analyse Debian source code and upload the results to a Cppcheck server. We need these results both to
improve Cppcheck and to detect regressions.

You can stop the script whenever you like with Ctrl-C.

Contribute
You are welcome to contribute. Help is needed.

A presentation that might be interesting: Contribute to open source static analysis

Testing
Pick a project and test its source with the latest version of Cppcheck. Submit tickets to Trac about the issues you find
in Cppcheck.

Developing
Pick a ticket from Trac and write a test case for it (and add a comment to the ticket saying which test case has been
created). Alternatively, pick a failing test case and try to fix it. Make a patch and submit it to Trac, inline if it is
small, otherwise attached as a file.

Marketing
Write articles, reviews or tell your friends about us. The more users we have, the more people we have testing, and the
better we can become.

Design
Come up with new, good checks and create tickets for them in the Trac instance.

Integration
Write a plugin for your favorite IDE, or create a package for your distribution or operating system.

Technical writing
Write better documentation for the bugs we find. Currently only a few bugs have any documentation at all.
