Finding client-side vulnerabilities at compile time with GCC
To what extent can GCC detect possibly vulnerable conditions when compiling C and C++ applications? And if I want to take full advantage of such capabilities, what GCC options should I use?
The obvious one is -Werror, but in particular I'm wondering what categories of extended warning options it should be used in combination with. e.g. a lot of stuff won't compile with -Wpedantic -Werror, because POSIX violates the "pedantic" rules.
Failing that, are there other tools for checking code for vulnerable conditions that GCC may miss, *before* said code is compiled? In particular, are there tools to help vet preprocessor macros?
Edit: please disregard, I just discovered splint and cppcheck.
Edit 2: though the above should probably be considered complementary rather than replacing compiler warnings. In any case, -Wall -Werror seems to catch a lot of stuff in most programs, and you can just exclude stuff with -Wno-[whatever] if you absolutely must.
Last edited by Gullible Jones; 05-15-2014 at 04:24 PM.
|