46
Rules in TS 17961
All shipped natively
All 46 C secure-coding rules covered - Coverity ships this; PhantomYerra documents per-rule mapping.
ISO / IEC TS 17961:2013 - "C secure coding rules" - is the international standard from JTC1/SC22/WG14 that complements MISRA and CERT for C. PhantomYerra ships the full pack natively with a documented rule-by-rule mapping table in resources/compliance/ISO_IEC_TS_17961.json.
ISO/IEC TS 17961:2013 is the international Technical Specification for analysable C secure-coding rules. It was developed in coordination with CERT and is the ISO-canonical reference for C analysers that target security. PhantomYerra covers all 46 rules natively and ships the rule-by-rule mapping table so an auditor can trace each emitted finding to the published clause without external lookup.
The full TS 17961 rule set, by short-name, paired with the corresponding YerraSAST rule ID and its closest CERT-C analogue. Sample table - full mapping is in the JSON pack shipped with PhantomYerra.
| Short name | Description | YerraSAST rule | CERT-C analogue |
|---|---|---|---|
| accfree | Accessing freed memory | C-TS17961-accfree | MEM30-C |
| alignconv | Converting pointer values to more strictly aligned types | C-TS17961-alignconv | EXP36-C |
| argcomp | Comparison of differently-qualified arguments | C-TS17961-argcomp | EXP05-C |
| asyncsig | Calling functions in the C standard library other than abort, _Exit, and signal from within a signal handler | C-TS17961-asyncsig | SIG30-C |
| boolasgn | No assignment in conditional expressions | C-TS17961-boolasgn | EXP45-C |
| chrsgnext | Passing arguments to character-handling functions | C-TS17961-chrsgnext | STR37-C |
| dblfree | Freeing memory multiple times | C-TS17961-dblfree | MEM30-C |
| diverr | Integer division errors | C-TS17961-diverr | INT33-C |
| filcmp | Use of an invalid file pointer | C-TS17961-filcmp | FIO46-C |
| fileclose | Closing a file pointer multiple times | C-TS17961-fileclose | FIO46-C |
| funcdecl | Declaring the same function or object in incompatible ways | C-TS17961-funcdecl | DCL40-C |
| getenvfail | Calling functions without verifying that the operation succeeded | C-TS17961-getenvfail | ENV34-C |
| incompptr | Converting pointer values to incompatible types | C-TS17961-incompptr | EXP37-C |
| insufmem | Allocating insufficient memory | C-TS17961-insufmem | MEM35-C |
| intoflow | Overflowing signed integers | C-TS17961-intoflow | INT32-C |
| intptrconv | Converting a pointer to integer or integer to pointer | C-TS17961-intptrconv | INT36-C |
| invfmtstr | Using invalid format strings | C-TS17961-invfmtstr | FIO30-C |
| invptr | Forming invalid pointers by library functions | C-TS17961-invptr | ARR38-C |
| ioileave | Interleaving stream inputs and outputs without a flush or positioning call | C-TS17961-ioileave | FIO39-C |
| libmod | Modifying the string returned by getenv, localeconv, setlocale, and strerror | C-TS17961-libmod | ENV30-C |
| libptr | Forming or using out-of-bounds pointers or array subscripts | C-TS17961-libptr | ARR30-C |
| liberr | Failing to detect and handle standard library errors | C-TS17961-liberr | ERR33-C |
| nonnullcs | Passing a non-null-terminated character sequence to a library function that expects a string | C-TS17961-nonnullcs | STR32-C |
| nullref | Dereferencing an out-of-domain pointer | C-TS17961-nullref | EXP34-C |
| padcomp | Comparison of padding data | C-TS17961-padcomp | EXP42-C |
| ptrcomp | Using a tainted value to write to an object using a formatted input or output function | C-TS17961-ptrcomp | FIO47-C |
| ptrobj | Accessing an object through a pointer to an incompatible type | C-TS17961-ptrobj | EXP39-C |
| resident | Returning pointers to local objects | C-TS17961-resident | DCL30-C |
| restrict | Passing pointers into the same object as arguments to different restrict-qualified parameters | C-TS17961-restrict | EXP43-C |
| sigcall | Calling signal from interruptible signal handlers | C-TS17961-sigcall | SIG34-C |
| signconv | Converting between signed and unsigned types without checking for overflow | C-TS17961-signconv | INT31-C |
| sizeofptr | Taking the size of a pointer to determine the size of the pointed-to type | C-TS17961-sizeofptr | EXP01-C |
| strmod | Modifying string literals | C-TS17961-strmod | STR30-C |
| swtchdflt | Use of an implied default in a switch statement | C-TS17961-swtchdflt | MSC01-C |
| syscall | Calling system | C-TS17961-syscall | ENV33-C |
| taintformatio | Using a tainted value as an argument to an unprotected I/O function | C-TS17961-taintformatio | FIO30-C |
| taintnoproto | Using a tainted value as a function argument to an unprototyped function | C-TS17961-taintnoproto | DCL31-C |
| taintsink | Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink | C-TS17961-taintsink | INT04-C |
| taintstrcpy | Tainted strings are passed to a string copying function | C-TS17961-taintstrcpy | STR02-C |
| uglobal | Tainted, potentially mutilated, or out-of-domain integer values are used as memory size arguments | C-TS17961-uglobal | MEM35-C |
| uninitref | Referencing uninitialized memory | C-TS17961-uninitref | EXP33-C |
| usrfmt | Including tainted or out-of-domain input in a format string | C-TS17961-usrfmt | FIO30-C |
| xfilepos | Using a value for fsetpos other than a value returned from fgetpos | C-TS17961-xfilepos | FIO44-C |
| xfree | Reallocating or freeing memory that was not dynamically allocated | C-TS17961-xfree | MEM34-C |
| deprecated | Use of deprecated or obsolescent functions | C-TS17961-deprecated | MSC34-C |
| undef | Use of an object with indeterminate value | C-TS17961-undef | EXP33-C |
A look at three of the most-cited TS 17961 rules - what they detect, what the YerraSAST detector does, and what the report shows.
| Rule | What the rule forbids | YerraSAST detector mechanism |
|---|---|---|
| accfree | Accessing memory after it has been freed (use-after-free). Reading or writing freed memory is undefined behaviour and a frequent root cause of remote code execution in C codebases. | Inter-procedural taint engine tracks free() / realloc() / cleanup calls; any subsequent dereference through the same pointer fires the detector. Cross-checked against CodeQL cpp/use-after-free. |
| intoflow | Signed-integer overflow. Behaviour is undefined per ISO C - compilers exploit this to remove "redundant" range checks, often introducing CVEs in code that looked safe to the author. | Symbolic range analysis on every arithmetic expression of signed type. Reports any expression whose computed range can exceed INT_MAX or fall below INT_MIN. Cross-checked against UBSan instrumentation results when present. |
| taintsink | Tainted (attacker-controlled) data flowing into a restricted sink - typically a memory-size argument, a format-string argument, or a file path. | Source-to-sink taint propagation across the entire translation unit + inter-procedural calls; sinks defined per-function in the YerraSAST sink catalogue (over 800 sink declarations for libc + POSIX). |
Both vendors ship 100% (46 of 46) of the TS 17961 rule catalogue. The gap PhantomYerra closes is documentation: Coverity emits findings tagged with TS 17961 short names; PhantomYerra emits the same tags plus ships the machine-readable per-rule mapping JSON inside the platform so auditors can trace each finding's TS 17961 clause without consulting external tables.
Where PhantomYerra otherwise exceeds: (1) co-emission with CERT-C - every TS 17961 finding is also tagged with its closest CERT-C analogue (see table above), so a single scan produces two compliant reports; (2) co-emission with MISRA C 2023 - TS 17961 / MISRA overlap is computed at scan time so a single audit pack covers both; (3) cross-tool corroboration on every emission with CodeQL + Semgrep + the bundled C analyser; (4) AI false-positive review; (5) air-gapped operation; (6) perpetual licence pricing.