Cppcheck is a static analysis tool for C/C++ code. It provides unique code analysis to detect bugs, with a focus on undefined behaviour and dangerous coding constructs. The goal is to have very few false positives. Cppcheck is designed to analyze your C/C++ code even if it has non-standard syntax (common in embedded projects).

Cppcheck is available both as open-source (this page) and as Cppcheck Premium with extended functionality and support. Please visit www.cppchecksolutions.com for more information and purchase options for the commercial version.

Download

Cppcheck 2.13 (open source)

Platform                          File
Windows 64-bit (no XP support)    Installer
Source code (.zip)                Archive
Source code (.tar.gz)             Archive

Packages

Cppcheck can also be installed from various package managers; however, you may get an outdated version that way.

Debian:

sudo apt-get install cppcheck

Fedora:

sudo dnf install cppcheck

Mac:

brew install cppcheck

Features

Unique code analysis that detects various kinds of bugs in your code.

Both command line interface and graphical user interface are available.

Cppcheck has a strong focus on detecting undefined behaviour.

Unique analysis

Using several static analysis tools can be a good idea. Each tool has unique features; this has been established in many studies.

So what is unique in Cppcheck?

Cppcheck uses unsound, flow-sensitive analysis. Several other analyzers use path-sensitive analysis based on abstract interpretation. That approach is also valuable, but it has both advantages and disadvantages. In theory, path-sensitive analysis is by definition more precise than flow-sensitive analysis. In practice, the different approach means Cppcheck detects some bugs that the other tools do not. Unsound here means that the analysis does not try to prove the absence of bugs: it trades completeness for a low false-positive rate, so a clean Cppcheck run is not evidence that the code is free of undefined behaviour.

In Cppcheck the data flow analysis is not only "forward" but "bi-directional". Most analyzers will diagnose this:

void foo(int x)
{
    int buf[10];
    if (x == 1000)
        buf[x] = 0; // <- ERROR
}

Most tools can determine that the array index will be 1000 and that there will be an overflow.

Cppcheck will also diagnose this, where the check comes after the access. The later comparison with 1000 shows that x can be 1000 when the unguarded write executes, so the index is reported as out of bounds:

void foo(int x)
{
    int buf[10];
    buf[x] = 0; // <- ERROR
    if (x == 1000) {}
}
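The snippet above beside its hardened form, as an added example that is not code from the Cppcheck project or this page. It keeps the page's use-before-check function for comparison and adds a check-before-use version that rejects the bad index instead of writing past the buffer; the function names, the BUF_LEN value and the probe values are this example's own choices.

```c
/*
 * Use-before-check versus check-before-use (added example, not Cppcheck code).
 * Build with any C compiler, or run
 *   cppcheck --enable=warning --error-exitcode=1 this_file.c
 * to see the unguarded write in foo_vulnerable() reported while foo_hardened()
 * passes. BUF_LEN, the function names and the probe values are assumptions.
 */
#include <stddef.h>
#include <stdio.h>

#define BUF_LEN 10

/* Returns 1 if x is a valid index into an array of len elements, else 0.
 * The negative case is rejected explicitly rather than relying on the
 * conversion of a negative int to a huge size_t, which is legal but opaque. */
static int index_in_range(int x, size_t len)
{
    if (x < 0)
        return 0;
    return (size_t)x < len;
}

/* The page's second snippet: the write happens before any check. A purely
 * forward analysis sees no constraint on x here; Cppcheck's bi-directional
 * analysis uses the later "x == 1000" to conclude that x may be 1000 at the
 * write and reports the out-of-bounds index. Never call this with x outside
 * 0..BUF_LEN-1; it is kept only for comparison with the hardened form. */
static void foo_vulnerable(int x)
{
    int buf[BUF_LEN];
    buf[x] = 0;           /* <- ERROR: no bound on x before the access */
    if (x == 1000) {}
}

/* Hardened form: validate first, then access. Returns 0 on success and -1
 * when x is not a valid index, so the caller can handle the failure instead
 * of the function silently corrupting the stack. */
static int foo_hardened(int x)
{
    int buf[BUF_LEN] = {0};
    if (!index_in_range(x, sizeof buf / sizeof buf[0]))
        return -1;
    buf[x] = 0;           /* safe: 0 <= x < BUF_LEN is established */
    return 0;
}

int main(void)
{
    /* Constructed probes: two valid indices, two just outside, and the
     * page's 1000. */
    int probes[] = { -1, 0, 9, 10, 1000 };
    size_t i;

    foo_vulnerable(3);    /* in range, so this particular call is fine */
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("foo_hardened(%d) -> %d\n", probes[i], foo_hardened(probes[i]));
    return 0;
}
```

The hardened version is also what the analyzer wants to see: the only path that reaches the store is the one on which the bound has been established, so neither a forward nor a bi-directional analysis can derive an out-of-range value for x at the access.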

Undefined behaviour

Security

The most common types of security vulnerabilities in 2017 (by CVE count) were:

Category                                     CVEs   Detected by Cppcheck
Buffer Errors                                2530   A few
Improper Access Control                      1366   A few (unintended backdoors)
Information Leak                             1426   A few (unintended backdoors)
Permissions, Privileges, and Access Control  1196   A few (unintended backdoors)
Input Validation                              968   No

CVEs that were found using Cppcheck:

These CVEs are shown when you google "cppcheck CVE". Feel free to compare the search results with other static analysis tools.

Security experts recommend using static analysis, and using several tools is the best approach from a security perspective.

Coding standards

Coding standard                     Open Source     Premium
Misra C 2012 - original rules       Yes             Yes
Misra C 2012 - amendment #1         Yes             Yes
Misra C 2012 - amendment #2         Yes             Yes
Misra C 2012 - amendment #3         -               Yes
Misra C 2012 - amendment #4         -               Yes
Misra C 2012 - Compliance report    -               Yes
Misra C 2012 - Rule texts           User provided   Yes
Misra C 2023                        -               Yes
Misra C++ 2008                      -               Yes
Misra C++ 2023                      -               Work in progress
Cert C                              -               Yes
Cert C++                            -               Yes
Autosar                             -               Partial

The open-source MISRA addon (misra.py) does not ship the copyrighted rule texts; supply them from your own copy of the standard with its --rule-texts option, otherwise violations are reported by rule number only.

All checks

For a list of all checks in Cppcheck see: http://sourceforge.net/p/cppcheck/wiki/ListOfChecks.

Clients and plugins

Cppcheck is integrated with many popular development tools. For instance:

Other static analysis tools

Using a battery of tools is better than using one tool. Each tool has its own unique code analysis, and therefore we recommend that you also use other tools.

Cppcheck focuses on bugs instead of stylistic issues. Therefore a tool that focuses on stylistic issues could be a good addition.

Cppcheck tries very hard to avoid false positives. Sometimes people want to detect all bugs even if there will be many false warnings, for instance when they are working on a release and want to verify that there are no bugs. A tool that is much noisier than Cppcheck might be a good addition.

Even tools that have the same design goals as Cppcheck will probably be good additions. Static analysis is such a big field that Cppcheck only covers a small fraction of it. No tool covers the whole field. The day when all manual testing will be obsolete because of some tool is very far away.

News