AdaCore recently announced that its CodePeer advanced static analysis tool for Ada has been formally designated as “CWE-Compatible” by the MITRE Corporation’s Common Weakness Enumeration (CWE) Compatibility and Effectiveness Program. This program is a web-based initiative that consolidates and organizes information about cyber-security products and services.
“It’s a great achievement to have CodePeer officially recognized as CWE compatible, which confirms that the tool can detect the most frequent types of software vulnerability,” said Arnaud Charlet, AdaCore technical director and CodePeer product manager. “CodePeer’s deep analysis of Ada code supports a wide range of uses including coding standard checking, automated code review, and exhaustive detection of certain CWE weaknesses as well as other kinds of error.”
CodePeer was recognized as CWE-Compatible based on its ability to detect the following code weaknesses, which are among the CWE’s Top 25 Most Dangerous Software Errors:
- CWE-120 (Classic Buffer Overflow)
  “The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.”
- CWE-131 (Incorrect Calculation of Buffer Size)
  “The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.”
- CWE-190 (Integer Overflow or Wraparound)
  “The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.”
A number of other CWE weaknesses are also detected by CodePeer:
| Check | CWE weakness |
| --- | --- |
| Array index out of bounds | CWE 124, 125-125, 129, 130-131, 135, 170, 193 |
| Division by zero | CWE 189 |
| Dereferencing a null pointer | CWE 252-253, 476 |
| Numeric overflow | CWE 128, 190-192, 197 |
| Range constraint violation | CWE 118 |
| Variant record field violation | CWE 136-137 |
| Use of incorrect type in inheritance hierarchy | CWE 136-137 |
| Dead (unreachable) code | CWE 561 |
| Reference to uninitialized variable | CWE 232, 236, 475 |
| Test predetermined (redundant conditional) | CWE 561 |
| Loop runs forever or fails to complete normally | CWE 835 |
| Unused (redundant) or useless assignment, or unused “out” parameter | CWE 563 |
| Unprotected access to shared variable | CWE 362, 366-367, 374, 820 |