Cppcheck

A tool for static C/C++ code analysis

• Home
• Wiki
• Forum
• Issues
• Developer Info
• Online Demo
• Project page

• Donate
• Download
• Features
• News
• Documentation
• Support
• Contribute

Cppcheck is a static analysis tool for C/C++ code. It provides unique code analysis to detect bugs and focuses on detecting undefined behaviour and dangerous coding constructs. The goal is to detect only real errors in the code (i.e. have very few false positives).

Donate

Please donate some money to the Cppcheck project.

Download

Cppcheck 1.81

Platform	File
Windows 64-bit (No XP support)	Installer
Windows 32-bit (No XP support)	Installer
Source code (.zip)	Archive
Source code (.tar.gz)	Archive

Packages

Cppcheck can also be installed from various package managers; however, you might get an outdated version then.
Debian:

sudo apt-get install cppcheck

Fedora:

sudo yum install cppcheck

Mac:

brew install cppcheck

Features

Unique code analysis that detect various kinds of bugs in your code.

Both command line interface and graphical user interface are available.

Undefined behaviour

• Dead pointers
• Division by zero
• Integer overflows
• Invalid bit shift operands
• Invalid conversions
• Invalid usage of STL
• Memory management
• Null pointer dereferences
• Out of bounds checking
• Uninitialized variables
• Writing const data

Security

The most common types of security vulnerabilities so far in 2017 (CVE count) are:

Category		Amount		Detected by Cppcheck
Buffer Errors		2077		A few
Improper Access Control		1237		A few (unintended backdoors)
Information Leak		1088		A few (unintended backdoors)
Permissions, Privileges, and Access Control		991		A few (unintended backdoors)
Input Validation		737		No

CVEs that was found using Cppcheck:

• CVE-2017-1000249 : file : stack based buffer overflow
  This was found by Thomas Jarosch using Cppcheck. The cause is a mistake in a condition.
• CVE-2013-6462 : 23 year old stack overflow in X.org that was found with Cppcheck.
  This has been described in a few articles (link).
• CVE-2012-1147 : readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files..

These CVEs are shown when you google "cppcheck CVE". Feel free to compare the search results with other static analysis tools.

Security experts recommend that static analysis is used. And using several tools is the best approach from a security perspective.

All checks

For a list of all checks in Cppcheck see: http://sourceforge.net/p/cppcheck/wiki/ListOfChecks.

Clients and plugins

Cppcheck is integrated with many popular development tools. For instance:

• CLion - Cppcheck plugin
• Code::Blocks - integrated
• CodeDX (software assurance tool) - integrated
• CodeLite - integrated
• CppDepend 5 - integrated
• Eclipse - Cppcheclipse
• KDevelop - integrated since v5.1
• gedit - gedit plugin
• Hudson - Cppcheck Plugin
• Jenkins - Cppcheck Plugin
• Mercurial (Linux) - pre-commit hook - Check for new errors on commit (requires interactive terminal)
• Tortoise SVN - Adding a pre-commit hook script
• Git (Linux) - pre-commit hook - Check for errors in files going into commit (requires interactive terminal)
• Visual Studio - Visual Studio plugin
• QtCreator - Qt Project Tool (qpt)

Other static analysis tools

Using a battery of tools is better than using one tool. Each tool has unique code analysis and therefore we recommend that you also use other tools.

Cppcheck focus on bugs instead of stylistic issues. Therefore a tool that focus on stylistic issues could be a good addition.

Cppcheck tries very hard to avoid false positives. Sometimes people want to detect all bugs even if there will be many false warnings, for instance when they are working on a release and want to verify that there are no bugs. A tool that is much more noisy than Cppcheck might be a good addition.

Even tools that have the same design goals as Cppcheck will probably be good additions. Static analysis is such a big field, Cppcheck only covers a small fraction of it. No tool covers the whole field. The day when all manual testing will be obsolete because of some tool is very far away.

News

• Cppcheck-1.81 2017-10-07
• Cppcheck 1.80 2017-07-29
• Cppcheck 1.79 2017-05-13

View all news…

Documentation

You can read the manual or download some articles.

Support

• Use Trac to report bugs and feature requests
• Ask questions at the IRC channel #cppcheck

Contribute

You are welcome to contribute. Help is needed.

Testing

Pick a project and test its source with the latest version of Cppcheck. Submit tickets to Trac about the issues you find in Cppcheck.

Developing

Pick a ticket from Trac, write a test case for it (and write a comment to the ticket for which that test case has been created). Alternatively, pick a test case that fails and try to fix it. Make a patch and submit it to Trac either inline, if it is small, or otherwise - attach it as a file.

Marketing

Write articles, reviews or tell your friends about us. The more users we have, the more people we have testing and the better we can become.

Design

Come up with some new good checks, and create tickets in the Trac instance about them.

Integration

Write a plugin for your favorite IDE or create a package for your distribution or operating system.

Technical Writing

Write better documentation for the bugs we find. Currently only a few bugs have any documentation at all.