C and C++ checker reference
| Checker code | Description | Default severity | Enabled by default? | Introduced | Improved |
|---|---|---|---|---|---|
| ABV.ANY_SIZE_ARRAY | Buffer overflow—unspecified-sized array index out of bounds | 1 | Yes | Pre-9.2 | 9.5 |
| ABV.GENERAL | Buffer overflow—array index out of bounds | 1 | Yes | 9.6 | |
| ABV.ITERATOR | Buffer overflow—array index may be out of bounds in an iteration | 1 | Yes | Pre-9.2 | 9.5 |
| ABV.MEMBER | Buffer overflow—array index out of bounds in a structure | 1 | Yes | 9.5 | |
| ABV.STACK | Buffer overflow—local array index out of bounds | 1 | Yes | Pre-9.2 | 9.5 |
| ABV.TAINTED | Buffer overflow—array index from tainted input out of bounds | 1 | Yes | Pre-9.2 | 9.5 |
| ABV.UNICODE.BOUND_MAP | Buffer overflow—array index out of bounds in mapping function | 1 | No | Pre-9.2 | 9.5 |
| ABV.UNICODE.FAILED_MAP | Buffer overflow—array index out of bounds in failed mapping function | 1 | No | Pre-9.2 | 9.5 |
| ABV.UNICODE.NNTS_MAP | Buffer overflow from non null-terminated string in mapping function | 1 | No | Pre-9.2 | 9.5 |
| ABV.UNICODE.SELF_MAP | Buffer overflow—array index out of bounds in failed mapping function | 1 | No | 9.6 | |
| ABV.UNKNOWN_SIZE | Buffer overflow—unknown-sized array index out of bounds | 1 | Yes | 9.6 | |
| ASSIGCOND.CALL | Assignment call in conditional expression | 3 | No | Pre-9.2 | |
| ASSIGCOND.GEN | Assignment in conditional expression | 3 | No | Pre-9.2 | |
| BSTR.CAST.C | Incorrect C style type cast to BSTR | 4 | No | Pre-9.2 | |
| BSTR.CAST.CPP | Incorrect C++ style type cast to BSTR | 4 | No | Pre-9.2 | |
| BSTR.FUNC.ALLOC | Incorrect call to BSTR allocating function | 4 | No | Pre-9.2 | |
| BSTR.FUNC.FREE | Incorrect call to BSTR freeing function | 4 | No | Pre-9.2 | |
| BSTR.FUNC.LEN | Attempt to get length of non-BSTR string using BSTR function | 4 | No | Pre-9.2 | |
| BSTR.FUNC.REALLOC | Incorrect call to BSTR reallocating function | 4 | No | Pre-9.2 | |
| BSTR.IA.ASSIGN | BSTR variable is assigned a non-BSTR value | 4 | No | Pre-9.2 | |
| BSTR.IA.INIT | BSTR variable is initialized with a non-BSTR value | 4 | No | Pre-9.2 | |
| BSTR.OPS.ARITHM | Incorrect arithmetic operation with BSTR values | 4 | No | Pre-9.2 | |
| BSTR.OPS.COMP | Incorrect comparison operation with BSTR values | 4 | No | Pre-9.2 | |
| BSTR.OPS.EQS | Incorrect equality comparison of BSTR values | 4 | No | Pre-9.2 | |
| BYTEORDER.HTON.SEND | Byte order not converted before host-to-network send | 3 | No | 9.2 | |
| BYTEORDER.HTON.WRITE | Byte order not converted before host-to-network write | 3 | No | 9.2 | |
| BYTEORDER.NTOH.READ | Byte order not converted after network-to-host read | 3 | No | 9.2 | |
| BYTEORDER.NTOH.RECV | Byte order not converted after network-to-host receive | 3 | No | 9.2 | |
| CCOMBSTR.OPS.TERN | CComBSTR is used as a condition in ternary operation | 4 | No | Pre-9.2 | |
| CL.ASSIGN.NON_CONST_ARG | Non-constant object passed to assign operator= | 4 | Yes | 9.5 | |
| CL.ASSIGN.RETURN_CONST | Non-constant object returned with assign operator= | 4 | Yes | 9.5 | |
| CL.ASSIGN.VOID | Void returned with assign operator= | 4 | Yes | 9.5 | |
| CL.FFM.ASSIGN | Freeing freed memory due to missing assign operator= | 3 | Yes | Pre-9.2 | 9.5 |
| CL.FFM.COPY | Freeing freed memory due to missing copy constructor | 3 | Yes | Pre-9.2 | 9.5 |
| CL.FMM | Freeing memory with mismatched functions | 3 | Yes | Pre-9.2 | 9.5 |
| CL.MLK | Memory leak in destructor | 3 | Yes | Pre-9.2 | 9.5 |
| CL.MLK.VIRTUAL | Virtual memory leak | 2 | Yes | Pre-9.2 | 9.5 |
| CL.SELF-ASSIGN | Memory leak in assign operator= | 2 | Yes | Pre-9.2 | 9.5 |
| CONC.DL | Deadlock | 2 | No | 9.2 | |
| CONC.NO_UNLOCK | Missing unlock | 2 | Yes | Pre-9.2 | |
| CONC.SLEEP | Call to blocking function in critical section | 3 | Yes | Pre-9.2 | |
| CWARN.ALIGNMENT | Possible incorrect pointer scaling | 4 | Yes | 9.5 | |
| CWARN.BOOLOP.INC | Attempt to increment or decrement boolean | 4 | Yes | Pre-9.2 | 9.5 |
| CWARN.CMPCHR.EOF | Char expression is compared with EOF constant | 4 | No | 9.2 | 9.5 |
| CWARN.CONSTCOND.DO | Condition of do expression is constant | 4 | No | Pre-9.2 | 9.5 |
| CWARN.CONSTCOND.IF | Condition of if expression is constant | 4 | No | Pre-9.2 | 9.5 |
| CWARN.CONSTCOND.SWITCH | Switch selector expression is constant | 4 | No | Pre-9.2 | 9.5 |
| CWARN.CONSTCOND.TERNARY | Condition of ternary expression is constant | 4 | No | Pre-9.2 | 9.5 |
| CWARN.CONSTCOND.WHILE | Condition of while expression is constant | 4 | No | Pre-9.2 | 9.5 |
| CWARN.COPY.NOASSIGN | Class defines copy constructor but no assignment operator | 4 | No | Pre-9.2 | 9.5 |
| CWARN.DTOR.NONVIRT.DELETE | Delete expression in a class with virtual methods and no virtual destructor | 2 | Yes | Pre-9.2 | 9.5 |
| CWARN.DTOR.NONVIRT.NOTEMPTY | Inherited virtual functions in class, but destructor is not virtual and not empty | 2 | Yes | Pre-9.2 | 9.5 |
| CWARN.EMPTY.LABEL | Empty label statement | 4 | No | Pre-9.2 | 9.5 |
| CWARN.EMPTY.TYPEDEF | Missing typedef name | 4 | No | Pre-9.2 | 9.5 |
| CWARN.FUNCADDR | Function address is used instead of a call to the function | 2 | No | Pre-9.2 | 9.5 |
| CWARN.HIDDEN.PARAM | Parameter hidden by local variable | 4 | No | Pre-9.2 | 9.5 |
| CWARN.IMPLICITINT | Anachronistic implicit int | 4 | No | Pre-9.2 | 9.5 |
| CWARN.INCL.ABSOLUTE | Absolute path is used in include directive | 4 | No | 9.6 | |
| CWARN.INLINE.NONFUNC | Keyword inline is used with non-function | 4 | No | Pre-9.2 | 9.5 |
| CWARN.MEMBER.INIT.ORDER | Initialization list members are not in the correct order | 4 | No | 9.5 | |
| CWARN.NOEFFECT.UCMP.GE | Ineffective comparison of unsigned value is always true | 4 | Yes | Pre-9.2 | 9.5 |
| CWARN.NOEFFECT.UCMP.GE.MACRO | Ineffective comparison of unsigned value in a macro is always true | 4 | No | Pre-9.2 | 9.5 |
| CWARN.NOEFFECT.UCMP.LT | Ineffective comparison of unsigned value is always false | 4 | Yes | Pre-9.2 | 9.5 |
| CWARN.NOEFFECT.UCMP.LT.MACRO | Ineffective comparison of unsigned value in a macro is always false | 4 | No | Pre-9.2 | 9.5 |
| CWARN.NOEFFECT.SELF_ASSIGN | Ineffective self-assignment | 4 | No | 9.2 | 9.5 |
| CWARN.NULLCHECK.FUNCNAME | Ineffective function address check | 4 | Yes | Pre-9.2 | 9.5 |
| CWARN.OVERRIDE.CONST | Function override fails due to mismatch of const qualifiers | 4 | Yes | Pre-9.2 | 9.5 |
| CWARN.PACKED.TYPEDEF | Attribute 'packed' is ignored in typedef | 4 | No | Pre-9.2 | 9.5 |
| CWARN.PASSBYVALUE.ARG | Function argument passed by value is too large | 4 | No | Pre-9.2 | 9.5 |
| CWARN.PASSBYVALUE.EXC | Exception object passed by value is too large | 4 | No | Pre-9.2 | 9.5 |
| CWARN.RET.MAIN | Incorrect return type for main | 4 | Yes | Pre-9.2 | 9.5 |
| CWARN.SIGNEDBIT | Signed bit field has only one bit | 4 | Yes | Pre-9.2 | 9.5 |
| EFFECT | Statement has no effect | 4 | No | Pre-9.2 | |
| FMM.MIGHT | Freeing memory possible with mismatched function | 2 | Yes | Pre-9.2 | |
| FMM.MUST | Freeing memory with mismatched function | 1 | Yes | Pre-9.2 | |
| FNH.MIGHT | Freeing non-heap memory possible | 1 | Yes | Pre-9.2 | |
| FNH.MUST | Freeing non-heap memory | 2 | Yes | Pre-9.2 | |
| FREE.INCONSISTENT | Freeing memory inconsistent | 3 | No | Pre-9.2 | |
| FUM.GEN.MIGHT | Freeing unallocated memory possible | 1 | Yes | Pre-9.2 | |
| FUM.GEN.MUST | Freeing unallocated memory | 1 | Yes | Pre-9.2 | |
| FUNCRET.GEN | Non-void function doesn't return value | 1 | No | Pre-9.2 | |
| FUNCRET.IMPLICIT | Non-void function implicitly returning int doesn't return value | 2 | No | Pre-9.2 | |
| INCONSISTENT.LABEL | Inconsistent case labels | 4 | Yes | Pre-9.2 | 9.5 |
| INCORRECT.ALLOC_SIZE | Incorrect allocation size | 3 | Yes | Pre-9.2 | |
| INFINITE_LOOP.GLOBAL | Infinite loop with global variable | 2 | No | 9.5 | |
| INFINITE_LOOP.LOCAL | Infinite loop with local variable | 2 | Yes | 9.5 | |
| INFINITE_LOOP.MACRO | Infinite loop in macro | 2 | No | 9.5 | |
| ITER.INAPPROPRIATE | Use of iterator with inappropriate container object | 1 | Yes | 9.5 | |
| ITER.INAPPROPRIATE.MULTIPLE | Use of iterators with inappropriate container object | 1 | Yes | 9.5 | |
| ITER.CONTAINER.MODIFIED | Invalid iterator | 1 | Yes | Pre-9.2 | |
| ITER.END.DEREF.MIGHT | Dereference of 'end' iterator | 1 | Yes | 9.5 | |
| ITER.END.DEREF.MUST | Dereference of 'end' iterator | 1 | Yes | 9.5 | |
| LA_UNUSED | Unused label | 4 | No | Pre-9.2 | |
| LOCRET.ARG | Function returns address of local variable | 1 | Yes | Pre-9.2 | 9.5 |
| LOCRET.GLOB | Function returns address of local variable in a global variable | 1 | Yes | Pre-9.2 | 9.5 |
| LOCRET.RET | Function returns address of local variable in return | 1 | Yes | Pre-9.2 | 9.5 |
| LV_UNUSED.GEN | Unused local variable | 4 | No | Pre-9.2 | |
| MLK.MIGHT | Memory leak possible | 2 | Yes | Pre-9.2 | 9.2, 9.5 |
| MLK.MUST | Memory leak | 2 | Yes | Pre-9.2 | 9.2, 9.5 |
| MLK.RET.MIGHT | Memory leak possible | 2 | No | 9.6 | |
| MLK.RET.MUST | Memory leak | 2 | Yes | 9.6 | |
| NNTS.MIGHT | Buffer overflow possible from non null-terminated string | 1 | Yes | Pre-9.2 | 9.2 |
| NNTS.MUST | Buffer overflow from non null-terminated string | 1 | Yes | Pre-9.2 | 9.2 |
| NNTS.TAINTED | Buffer overflow from non null-terminated string in tainted input | 1 | Yes | Pre-9.2 | 9.2 |
| NPD.CHECK.CALL.MIGHT | Previously checked null pointer may be dereferenced through a function call | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| NPD.CHECK.CALL.MUST | Previously checked null pointer is dereferenced through a function call | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| NPD.CHECK.MIGHT | Previously checked null pointer may be dereferenced | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| NPD.CHECK.MUST | Previously checked null pointer is dereferenced | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| NPD.CONST.CALL | Null-pointer constant value may be dereferenced through a function call | 1 | No | Pre-9.2 | 9.2, 9.5 |
| NPD.CONST.DEREF | Null-pointer constant value is dereferenced | 1 | No | Pre-9.2 | 9.2, 9.5 |
| NPD.FUNC.CALL.MIGHT | Possible null pointer may be dereferenced through a conditional function call | 1 | No | Pre-9.2 | 9.2, 9.5 |
| NPD.FUNC.CALL.MUST | Possible null pointer may be dereferenced through a function call | 1 | No | Pre-9.2 | 9.2, 9.5 |
| NPD.FUNC.MIGHT | Possible null pointer may be dereferenced | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| NPD.FUNC.MUST | Possible null pointer is dereferenced | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| NPD.GEN.CALL.MIGHT | Possible assigned null pointer may be dereferenced through a conditional function call | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| NPD.GEN.CALL.MUST | Possible assigned null pointer will be dereferenced through a function call | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| NPD.GEN.MIGHT | Possible assigned null-pointer constant value may be dereferenced | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| NPD.GEN.MUST | Assigned null-pointer constant value may be dereferenced | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| PORTING.BITFIELDS | Bit fields in a structure | 4 | No | 9.2 | 9.5 |
| PORTING.BSWAP.MACRO | Use of a custom byte-swap macro without endianness check | 4 | No | 9.2 | 9.5 |
| PORTING.BYTEORDER.SIZE | Use of an incompatible type with a network conversion macro | 4 | No | 9.2 | 9.5 |
| PORTING.CAST.FLTPNT | Cast between floating point and non-floating point types | 4 | No | 9.2 | 9.5 |
| PORTING.CAST.PTR | Cast between pointer and non-pointer types | 4 | No | 9.2 | 9.5 |
| PORTING.CAST.PTR.FLTPNT | Pointer cast between floating point and non-floating point types | 4 | No | 9.2 | 9.5 |
| PORTING.CAST.PTR.SIZE | Pointer cast to a type of potentially incompatible size | 4 | No | 9.2 | 9.5 |
| PORTING.CAST.SIZE | Cast of an expression to a type of potentially incompatible size | 4 | No | 9.2 | 9.5 |
| PORTING.CMPSPEC.EFFECTS.ASSIGNMENT | Assignment in a function parameter | 4 | No | 9.2 | 9.5 |
| PORTING.CMPSPEC.TYPE.BOOL | Assignment to a bool type larger than 1 byte | 4 | No | 9.2 | 9.5 |
| PORTING.CMPSPEC.TYPE.LONGLONG | Use of 'long long' | 4 | No | 9.2 | 9.5 |
| PORTING.MACRO.NUMTYPE | Macro describing a builtin numeric type | 4 | No | 9.2 | 9.5 |
| PORTING.OPTS | Compiler-dependent option | 4 | No | 9.2 | 9.5 |
| PORTING.PRAGMA.ALIGN | Use of #pragma align | 4 | No | 9.2 | 9.5 |
| PORTING.PRAGMA.PACK | Use of #pragma pack | 4 | No | 9.2 | 9.5 |
| PORTING.SIGNED.CHAR | Use of 'char' without explicitly specifying signedness | 4 | No | 9.2 | 9.5 |
| PORTING.STORAGE.STRUCT | Uncertain storage results | 4 | No | 9.2 | 9.5 |
| PORTING.STRUCT.BOOL | Struct or class has a bool member | 4 | No | 9.2 | 9.5 |
| PORTING.UNIONS | Union in an enclosing struct, class, or other union | 4 | No | 9.2 | 9.5 |
| PORTING.UNSIGNEDCHAR.OVERFLOW.FALSE | Relational expression may be always false | 4 | No | 9.2 | 9.5 |
| PORTING.UNSIGNEDCHAR.OVERFLOW.TRUE | Relational expression may be always true | 4 | No | 9.2 | 9.5 |
| PORTING.UNSIGNEDCHAR.RELOP | Relational operations between signed/unsigned char and char without signedness specification | 4 | No | 9.2 | 9.5 |
| PORTING.VAR.EFFECTS | Variable used twice in one expression where one usage is subject to side-effects | 4 | No | 9.2 | 9.5 |
| PRECISION.LOSS | Loss of precision | 4 | No | Pre-9.2 | 9.5 |
| PRECISION.LOSS.CALL | Loss of precision during function call | 4 | No | Pre-9.2 | 9.5 |
| RETVOID.GEN | Non-void function returns void value | 2 | No | Pre-9.2 | |
| RETVOID.IMPLICIT | Implicit int function returns void value | 2 | No | Pre-9.2 | |
| RH.LEAK | Resource leak | 2 | Yes | Pre-9.2 | 9.5 |
| RN.INDEX | Suspicious use of index before negative check | 1 | Yes | 9.5 | |
| RNPD.CALL | Suspicious dereference of pointer in function call before null check | 1 | Yes | Pre-9.2 | |
| RNPD.DEREF | Suspicious dereference of pointer before null check | 1 | Yes | Pre-9.2 | |
| SEMICOL | Suspiciously placed semicolon | 4 | No | Pre-9.2 | |
| STRONG.TYPE.ASSIGN | Assignment of different strong types | 4 | No | 9.2 | |
| STRONG.TYPE.ASSIGN.ARG | Assignment of unexpected strong type argument | 4 | No | 9.2 | |
| STRONG.TYPE.ASSIGN.CONST | Assignment of unexpected strong type constant | 4 | No | 9.2 | |
| STRONG.TYPE.ASSIGN.INIT | Assignment of two different strong types in initialization | 4 | No | 9.2 | |
| STRONG.TYPE.ASSIGN.RETURN | Assignment strong type with inexplicit return | 4 | No | 9.2 | |
| STRONG.TYPE.ASSIGN.ZERO | Assignment of zero to strong type variable | 4 | No | 9.2 | |
| STRONG.TYPE.EXTRACT | Assignment of strong type variable to different type variable | 4 | No | 9.2 | |
| STRONG.TYPE.JOIN.CMP | Comparison of different strong types | 4 | No | 9.2 | |
| STRONG.TYPE.JOIN.CONST | Comparison of strong type with constant | 4 | No | 9.2 | |
| STRONG.TYPE.JOIN.EQ | Combination of different strong types with equals operator | 4 | No | 9.2 | |
| STRONG.TYPE.JOIN.OTHER | Combination of different strong types with arithmetic operator | 4 | No | 9.2 | |
| STRONG.TYPE.JOIN.ZERO | Comparison of strong type with zero | 4 | No | 9.2 | |
| SV.BANNED.RECOMMENDED.ALLOCA | Banned recommended API: stack allocation functions | 4 | No | 9.5 | |
| SV.BANNED.RECOMMENDED.NUMERIC | Banned recommended API: unsafe numeric conversion functions | 4 | No | 9.5 | |
| SV.BANNED.RECOMMENDED.OEM | Banned recommended API: OEM character page conversion functions | 4 | No | 9.5 | |
| SV.BANNED.RECOMMENDED.PATH | Banned recommended API: unsafe path name manipulation functions | 4 | No | 9.5 | |
| SV.BANNED.RECOMMENDED.SCANF | Banned recommended API: unsafe scanf-type functions | 4 | No | 9.5 | |
| SV.BANNED.RECOMMENDED.SPRINTF | Banned recommended API: unsafe sprintf-type functions | 4 | No | 9.5 | |
| SV.BANNED.RECOMMENDED.STRLEN | Banned recommended API: unsafe string length functions | 4 | No | | |
| SV.BANNED.RECOMMENDED.TOKEN | Banned recommended API: unsafe string tokenizing functions | 4 | No | 9.5 | |
| SV.BANNED.RECOMMENDED.WINDOW | Banned recommended API: unsafe window functions | 4 | No | | |
| SV.BANNED.REQUIRED.CONCAT | Banned required API: unsafe string concatenation functions | 4 | No | 9.5 | |
| SV.BANNED.REQUIRED.COPY | Banned required API: unsafe buffer copy functions | 4 | No | 9.5 | |
| SV.BANNED.REQUIRED.GETS | Banned required API: unsafe stream reading functions | 4 | No | | |
| SV.BANNED.REQUIRED.ISBAD | Banned required API: IsBad-type functions | 4 | No | 9.5 | |
| SV.BANNED.REQUIRED.SPRINTF | Banned required API: unsafe sprintf-type functions | 4 | No | 9.5 | |
| SV.BFC.USING_STRUCT | Insecurely bound socket | 4 | No | Pre-9.2 | |
| SV.BRM.HKEY_LOCAL_MACHINE | Use of HKEY_LOCAL_MACHINE macro to defeat least privileges principle | 4 | No | Pre-9.2 | |
| SV.CODE_INJECTION.SHELL_EXEC | Command injection vulnerability | 3 | No | Pre-9.2 | |
| SV.DLLPRELOAD.NONABSOLUTE.DLL | Potential DLL-preload hijack vector | 2 | No | 9.5 | |
| SV.DLLPRELOAD.NONABSOLUTE.EXE | Potential DLL-preload process-injection vector | 2 | No | 9.5 | |
| SV.DLLPRELOAD.SEARCHPATH | Potential DLL-preload SearchPath vector | 2 | No | 9.5 | |
| SV.FIU.PROCESS_VARIANTS | Exposure to privilege escalation | 4 | No | Pre-9.2 | |
| SV.FMTSTR.GENERIC | Format string vulnerability | 1 | No | Pre-9.2 | |
| SV.FMT_STR.BAD_SCAN_FORMAT | Missing width field for format | 2 | Yes | Pre-9.2 | 9.5 |
| SV.FMT_STR.PRINT_FORMAT_MISMATCH.BAD | Mismatched specification and parameter | 2 | Yes | Pre-9.2 | 9.5 |
| SV.FMT_STR.PRINT_FORMAT_MISMATCH.UNDESIRED | Unexpected specification and parameter match | 4 | Yes | Pre-9.2 | 9.5 |
| SV.FMT_STR.PRINT_IMPROP_LENGTH | Incompatible length modifier | 2 | Yes | Pre-9.2 | 9.5 |
| SV.FMT_STR.PRINT_PARAMS_WRONGNUM.FEW | Too few arguments in print function call | 2 | Yes | Pre-9.2 | 9.5 |
| SV.FMT_STR.PRINT_PARAMS_WRONGNUM.MANY | Too many arguments in print function call | 2 | Yes | Pre-9.2 | 9.5 |
| SV.FMT_STR.SCAN_FORMAT_MISMATCH | Incompatible type of a scan function parameter | 2 | Yes | Pre-9.2 | 9.5 |
| SV.FMT_STR.SCAN_IMPROP_LENGTH | Improper use of length modifier in a scan function call | 2 | Yes | Pre-9.2 | 9.5 |
| SV.FMT_STR.SCAN_PARAMS_WRONGNUM.FEW | Too few arguments in a scan function call | 2 | Yes | Pre-9.2 | 9.5 |
| SV.FMT_STR.SCAN_PARAMS_WRONGNUM.MANY | Too many arguments in a scan function call | 2 | Yes | Pre-9.2 | 9.5 |
| SV.FMT_STR.UNKWN_FORMAT | Unknown format specifier in print function call | 3 | Yes | Pre-9.2 | 9.5 |
| SV.FMT_STR.UNKWN_FORMAT.SCAN | Unknown format specifier in a scan function call | 3 | Yes | Pre-9.2 | 9.5 |
| SV.INCORRECT_RESOURCE_HANDLING.URH | Insecure resource handling—allocation and release | 3 | No | Pre-9.2 | |
| SV.INCORRECT_RESOURCE_HANDLING.WRONG_STATUS | Insecure resource handling—status checking | 3 | No | Pre-9.2 | |
| SV.LPP.CONST | Use of insecure macro for dangerous function | 3 | No | 9.5 | |
| SV.LPP.VAR | Use of insecure parameter in variable for dangerous function | 3 | No | 9.5 | |
| SV.PCC.CONST | Insecure constant temporary filename | 4 | No | Pre-9.2 | |
| SV.PCC.INVALID_TEMP_PATH | Insecure temporary path | 4 | No | Pre-9.2 | |
| SV.PCC.MISSING_TEMP_CALLS.MUST | Insecure temporary variable filename | 4 | No | Pre-9.2 | |
| SV.PCC.MISSING_TEMP_FILENAME | Missing temporary filename | 4 | No | Pre-9.2 | |
| SV.PCC.MODIFIED_BEFORE_CREATE | Insecure modification of temporary filename | 4 | No | Pre-9.2 | |
| SV.PIPE.CONST | Potential pipe hijacking | 3 | No | 9.5 | |
| SV.PIPE.VAR | Potential pipe hijacking | 3 | No | 9.5 | |
| SV.RVT.RETVAL_NOTTESTED | Ignored return value | 4 | No | Pre-9.2 | |
| SV.SIP.CONST | Use of Insecure Macro for Dangerous Functions | 3 | No | 9.6 | |
| SV.SIP.VAR | Use of Insecure Parameter for Dangerous Functions | 3 | No | 9.6 | |
| SV.STRBO.BOUND_COPY | Buffer overflow from bound string copy | 1 | No | Pre-9.2 | |
| SV.STRBO.BOUND_SPRINTF | Buffer overflow from bound sprintf | 1 | No | Pre-9.2 | |
| SV.STRBO.UNBOUND_COPY | Buffer overflow from unbound string copy | 1 | No | Pre-9.2 | |
| SV.STRBO.UNBOUND_SPRINTF | Buffer overflow from unbound sprintf | 1 | No | Pre-9.2 | |
| SV.STR_PAR.UNDESIRED_STRING_PARAMETER | String parameter in file path | 4 | No | Pre-9.2 | |
| SV.TAINTED.ALLOC_SIZE | Unvalidated input used in memory allocation | 2 | Yes | Pre-9.2 | |
| SV.TAINTED.CALL.INDEX_ACCESS | Unvalidated input used in array indexing by function call | 2 | Yes | Pre-9.2 | |
| SV.TAINTED.CALL.LOOP_BOUND | Unvalidated input used as a loop boundary by function call | 2 | Yes | Pre-9.2 | |
| SV.TAINTED.FMTSTR | Unvalidated input in format string | 1 | Yes | Pre-9.2 | |
| SV.TAINTED.INDEX_ACCESS | Unvalidated input in array indexing | 1 | Yes | Pre-9.2 | |
| SV.TAINTED.INJECTION | Unvalidated input in downstream injection | 3 | Yes | Pre-9.2 | |
| SV.TAINTED.LOOP_BOUND | Unvalidated input used as a loop boundary | 2 | Yes | Pre-9.2 | |
| SV.TOCTOU.FILE_ACCESS | TOCTOU race condition in file access | 4 | No | Pre-9.2 | |
| SV.UNBOUND_STRING_INPUT.CIN | Buffer overflow from unbounded string input | 1 | Yes | 9.5 | |
| SV.UNBOUND_STRING_INPUT.FUNC | Buffer overflow from unbounded string copy | 1 | Yes | 9.5 | |
| SV.USAGERULES.PERMISSIONS | Exposure to privilege escalation | 4 | No | Pre-9.2 | |
| SV.USAGERULES.PROCESS_VARIANTS | Exposure to privilege escalation in process | 4 | No | Pre-9.2 | |
| SV.USAGERULES.SPOOFING | Spoofing security vulnerability | 4 | No | Pre-9.2 | |
| SV.WEAK_CRYPTO.WEAK_HASH | Weak password vulnerability | 4 | No | Pre-9.2 | |
| SYM.MLK | Symbian memory leak | 3 | No | Pre-9.2 | |
| UFM.DEREF.MIGHT | Pointer to freed memory may be dereferenced | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| UFM.DEREF.MUST | Pointer to freed memory dereferenced | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| UFM.FFM.MIGHT | Freeing freed memory possible | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| UFM.FFM.MUST | Freeing freed memory | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| UFM.RETURN.MIGHT | Pointer to freed memory may be returned | 2 | Yes | Pre-9.2 | 9.2, 9.5 |
| UFM.RETURN.MUST | Pointer to freed memory returned | 2 | Yes | Pre-9.2 | 9.2, 9.5 |
| UFM.USE.MIGHT | Freed memory may be used | 2 | Yes | Pre-9.2 | 9.2, 9.5 |
| UFM.USE.MUST | Freed memory is used | 2 | Yes | Pre-9.2 | 9.2, 9.5 |
| UNINIT.CTOR.MIGHT | Uninitialized variable in constructor possible | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| UNINIT.CTOR.MUST | Uninitialized variable in constructor | 2 | No | Pre-9.2 | 9.2, 9.5 |
| UNINIT.HEAP.MIGHT | Uninitialized heap use possible | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| UNINIT.HEAP.MUST | Uninitialized heap use | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| UNINIT.STACK.ARRAY.MIGHT | Uninitialized array possible | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| UNINIT.STACK.ARRAY.MUST | Uninitialized array | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| UNINIT.STACK.ARRAY.PARTIAL.MUST | Partially uninitialized array | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| UNINIT.STACK.MIGHT | Uninitialized variable possible | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| UNINIT.STACK.MUST | Uninitialized variable | 1 | Yes | Pre-9.2 | 9.2, 9.5 |
| UNREACH.GEN | Unreachable code | 3 | No | Pre-9.2 | 9.2, 9.5 |
| UNREACH.RETURN | Unreachable return | 3 | No | Pre-9.2 | 9.2, 9.5 |
| VA_UNUSED.GEN | Value is never used after assignment | 4 | No | Pre-9.2 | 9.5 |
| VA_UNUSED.INIT | Value is never used after initialization | 4 | No | Pre-9.2 | 9.5 |
| VOIDRET | Void function returns value | 2 | No | Pre-9.2 | 9.5 |


