120 CERT-C, 83 CERT-C++ and 160 CERT-Java rules, 100% of the active catalogue, with 2,164 native Java SAST rules on top. The SEI CERT Coding Standards from Carnegie Mellon's Software Engineering Institute are the de-facto secure-coding standards for C, C++, and Java. PhantomYerra ships the full catalogue natively with per-rule mapping, including full CERT-Java coverage where Coverity ships 76.5%.
The SEI CERT Coding Standards predate (and outlast) every commercial scanner. They are maintained by Carnegie Mellon and used by US government, defense, and finance. PhantomYerra ships the entire CERT-C, CERT-C++, and CERT-Java catalogue natively, with per-rule mapping in resources/cert/cert_c.json, resources/cert/cert_cpp.json, and resources/cert/cert_java.json.
The CERT standards split into per-language catalogues. PhantomYerra emits findings tagged with the specific CERT rule ID, category, and severity. Reports can render any language individually or all three together for a polyglot codebase.
| Language | PhantomYerra rules | Coverity rules (supported / fully analysed) | Active catalogue | Coverage |
|---|---|---|---|---|
| CERT-C (Secure Coding in C) | 120 | 121 / 118 | ~120 | Parity |
| CERT-C++ (Secure Coding in C++) | 83 | 83 / 83 | 83 | 100% native |
| CERT-Java (Secure Coding in Java) | 160 | 153 of 200 historical (76.5%) | 160 | 100% native |
| Total | 363 | 357 published | 363 | PhantomYerra parity-or-better |
Counts written "121 / 118" are Coverity's published "supported / fully analysed" split. The Coverity Java catalogue is measured against the 200 historical CERT-Java rules and covers 153 of them (76.5%). PhantomYerra's CERT-Java pack covers all 160 currently-active rules; the 40 historical rules the SEI deprecated between 2015 and 2024 are implemented by neither vendor.
CERT rules are organized by three-letter category codes. The same code can appear in C, C++, and Java with unrelated rule numbers and titles: FIO30-C and FIO16-J both sit under FIO, and ERR33-C and ERR01-J under ERR. The reverse also happens: format-string misuse is FIO30-C in C but IDS06-J in Java, because the IDS (input data sanitization) category exists only in the Java standard. PhantomYerra preserves the category code in every emission so a polyglot report groups by category cleanly across languages.
| Code | Category | Languages | Rule count (PY) |
|---|---|---|---|
| PRE | Preprocessor | C, C++ | 15 |
| DCL | Declarations and Initialization | C, C++, Java | 28 |
| EXP | Expressions | C, C++, Java | 31 |
| INT | Integers | C, C++ | 22 |
| FLP | Floating Point | C, C++ | 7 |
| ARR | Arrays | C, C++ | 9 |
| STR | Strings & Characters | C, C++ | 14 |
| MEM | Memory Management | C, C++ | 17 |
| FIO | Input / Output | C, C++, Java | 26 |
| ENV | Environment | C, C++, Java | 12 |
| SIG | Signals | C | 5 |
| ERR | Error Handling | C, C++, Java | 22 |
| CON | Concurrency | C, C++, Java | 28 |
| MSC | Miscellaneous | C, C++, Java | 26 |
| IDS | Input Data Sanitization | Java | 17 |
| OBJ | Object Orientation | Java | 14 |
| MET | Methods | Java | 13 |
| LCK | Locking | Java | 11 |
| SER | Serialization | Java | 12 |
| SEC | Platform Security | Java | 7 |
| TPS | Runtime Environment | Java | 5 |
| JNI | Java Native Interface | Java | 4 |
Representative CERT rules covered natively across the three languages. Each rule maps to a specific YerraSAST detector and, where a matching query exists, is cross-checked against the bundled CodeQL / Semgrep query pack; that cross-check is what qualifies an emission as HIGH confidence.
| Rule ID | Title | Severity | Likelihood | Remediation cost |
|---|---|---|---|---|
| MEM30-C | Do not access freed memory | High | Likely | Medium |
| MEM34-C | Only free memory allocated dynamically | High | Likely | Medium |
| STR31-C | Guarantee that storage for strings has sufficient space for character data and the null terminator | High | Likely | Medium |
| INT30-C | Ensure that unsigned integer operations do not wrap | High | Likely | High |
| ARR30-C | Do not form or use out-of-bounds pointers or array subscripts | High | Likely | High |
| FIO30-C | Exclude user input from format strings | High | Likely | Medium |
| ERR33-C | Detect and handle standard library errors | High | Likely | Medium |
| CTR50-CPP | Guarantee that container indices and iterators are within the valid range | High | Likely | Medium |
| EXP54-CPP | Do not access an object outside of its lifetime | High | Likely | High |
| OOP54-CPP | Gracefully handle self-copy assignment | Medium | Probable | Medium |
| IDS00-J | Prevent SQL injection | High | Probable | Medium |
| IDS01-J | Normalize strings before validating them | High | Probable | Medium |
| IDS02-J | Canonicalize path names before validating them | High | Probable | Medium |
| IDS06-J | Exclude unsanitized user input from format strings | High | Probable | Medium |
| SER01-J | Do not deviate from the proper signatures of serialization methods | Medium | Probable | Low |
| SER12-J | Prevent deserialization of untrusted data | High | Probable | Medium |
| LCK01-J | Do not synchronize on objects that may be reused | Medium | Probable | Medium |
| ERR01-J | Do not allow exceptions to expose sensitive information | Medium | Probable | Medium |
| FIO16-J | Canonicalize path names before validating them | High | Probable | Medium |
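As an added example (not PhantomYerra's code and not its detector logic), the Python below sketches the emission pipeline the preceding sections describe: a CERT rule ID parser that enforces the `<CATEGORY><NN>-<C|CPP|J>` shape and the per-language category table above, two deliberately simple line-level checks standing in for real detectors (FIO30-C on C, IDS06-J on Java), a corroboration join against a second tool's results that decides HIGH versus MEDIUM confidence, and the category grouping used for a polyglot report. The file names, source lines and second-tool result set are constructed for this example; rule titles and ratings are copied from the table above.

```python
"""Added example, not PhantomYerra's code: tag findings with CERT metadata,
corroborate them against a second tool's results, and group a polyglot
report by CERT category.  Rule titles and ratings come from the table
above; file names, source lines and the second-tool results are constructed."""
import re
from collections import defaultdict

# CERT rule IDs have the shape <CATEGORY><two digits>-<C|CPP|J>.
RULE_ID = re.compile(r"^([A-Z]{3})(\d{2})-(C|CPP|J)$")
STANDARD = {"C": "CERT-C", "CPP": "CERT-C++", "J": "CERT-Java"}

# Category codes and the languages each is defined for, from the category
# table above, plus the C++-only CTR and OOP codes used in the rule table.
CATEGORIES = {
    "PRE": "C CPP", "DCL": "C CPP J", "EXP": "C CPP J", "INT": "C CPP",
    "FLP": "C CPP", "ARR": "C CPP", "STR": "C CPP", "MEM": "C CPP",
    "FIO": "C CPP J", "ENV": "C CPP J", "SIG": "C", "ERR": "C CPP J",
    "CON": "C CPP J", "MSC": "C CPP J", "IDS": "J", "OBJ": "J", "MET": "J",
    "LCK": "J", "SER": "J", "SEC": "J", "TPS": "J", "JNI": "J",
    "CTR": "CPP", "OOP": "CPP",
}


def parse_rule_id(rule_id):
    """Split 'FIO30-C' into ('FIO', 30, 'CERT-C'); reject IDs that are
    malformed or whose category does not exist for that language."""
    m = RULE_ID.match(rule_id)
    if m is None:
        raise ValueError(f"malformed CERT rule ID: {rule_id!r}")
    category, number, lang = m.group(1), int(m.group(2)), m.group(3)
    if lang not in CATEGORIES.get(category, "").split():
        raise ValueError(f"category {category} is not defined for {STANDARD[lang]}")
    return category, number, STANDARD[lang]


# Subset of the per-rule catalogue: title, severity, likelihood, remediation cost.
CATALOGUE = {
    "FIO30-C": ("Exclude user input from format strings", "High", "Likely", "Medium"),
    "IDS06-J": ("Exclude unsanitized user input from format strings", "High", "Probable", "Medium"),
}

# Toy line-level checks standing in for real detectors: they only flag an
# identifier (rather than a string literal) passed as the format argument.
NONLITERAL_FMT_C = re.compile(r"\bprintf\s*\(\s*[A-Za-z_]\w*\s*\)")
NONLITERAL_FMT_JAVA = re.compile(r"\b(?:String\.format|printf)\s*\(\s*[A-Za-z_]\w*\s*[,)]")
DETECTORS = {  # file extension -> [(rule ID, check)]
    ".c": [("FIO30-C", NONLITERAL_FMT_C.search)],
    ".java": [("IDS06-J", NONLITERAL_FMT_JAVA.search)],
}


def scan(sources, corroborated):
    """sources: {filename: text}.  corroborated: {(filename, line, rule ID)}
    reported independently by a query pack; agreement lifts confidence to HIGH."""
    findings = []
    for filename, text in sources.items():
        ext = filename[filename.rfind("."):]
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule_id, check in DETECTORS.get(ext, []):
                if check(line) is None:
                    continue
                category, _, standard = parse_rule_id(rule_id)
                title, severity, likelihood, cost = CATALOGUE[rule_id]
                findings.append({
                    "rule": rule_id, "category": category, "standard": standard,
                    "title": title, "severity": severity, "likelihood": likelihood,
                    "remediation_cost": cost, "file": filename, "line": lineno,
                    "confidence": "HIGH" if (filename, lineno, rule_id) in corroborated
                    else "MEDIUM",
                })
    return findings


def group_by_category(findings):
    """Polyglot report view: category code -> sorted (rule, file, line) hits."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["category"]].append((f["rule"], f["file"], f["line"]))
    return {cat: sorted(hits) for cat, hits in sorted(grouped.items())}


# Constructed inputs: one C file, one Java file, and second-tool results that
# agree on the C hit only.
SOURCES = {
    "log.c": 'void log_msg(const char *msg) {\n    printf(msg);\n'
             '    printf("%s\\n", msg);\n}\n',
    "Report.java": 'class Report {\n    String render(String user) {\n'
                   '        return String.format(user, 1);\n    }\n}\n',
}
CORROBORATED = {("log.c", 2, "FIO30-C")}

if __name__ == "__main__":
    for f in scan(SOURCES, CORROBORATED):
        print(f"{f['rule']} [{f['category']}/{f['standard']}] {f['severity']}/"
              f"{f['confidence']} {f['file']}:{f['line']} {f['title']}")
    print(group_by_category(scan(SOURCES, CORROBORATED)))
```

A real detector needs data flow rather than a regex over a single line; the point of the block is the tagging, the corroboration join and the category grouping, not the match itself. Note that `parse_rule_id` rejects an ID such as IDS01-C, because the IDS category is defined only in the Java standard.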
The CERT catalogue covers the foundational secure-coding patterns. But modern Java codebases use Spring, Hibernate, Apache HTTP, Apache POI, Jackson, Log4j, gRPC, Kafka, Micronaut, Quarkus - frameworks the CERT standard predates by years. PhantomYerra's 2,164 native Java SAST rules sit on top of the CERT pack to cover those framework-specific weaknesses.
| Layer | Rules | What it covers |
|---|---|---|
| CERT-Java (this page) | 160 | Language-level secure coding - IDS, DCL, EXP, ERR, FIO, CON, OBJ, SER, LCK, etc. |
| YerraJava SAST | 2,164 | Framework-specific weaknesses: Spring authz bypass, Jackson polymorphic deserialization, Log4Shell-class JNDI lookups, Hibernate HQL injection, Apache POI XXE, OGNL injection, Velocity SSTI, etc. |
| Total Java rules emitted | 2,324 | Single scan, both layers, one finding stream, each finding tagged with both CERT clause and YerraJava rule ID where applicable. |
Counts: the Java scanner ships 2,164 native rule IDs (counted from python/scanners/sast/yerra_java.py); together with the 160-rule CERT-Java pack that gives 2,324 distinct rule IDs available on a Java codebase.
For CERT-C and CERT-C++ the two vendors are at parity (120 vs 121 / 118, and 83 vs 83). For CERT-Java, PhantomYerra ships 100% of the active catalogue (160 / 160) while Coverity ships 76.5% (153 of 200 historical rules). Beyond CERT, PhantomYerra adds 2,164 native Java rules targeting modern frameworks the CERT catalog predates.
Where PhantomYerra goes beyond Coverity on all three standards: (1) single-scan multi-language emission - one run produces CERT-C, CERT-C++, CERT-Java, MISRA, AUTOSAR, ISO 26262 and PCI evidence simultaneously; (2) cross-tool corroboration on every emission; (3) AI false-positive review built in; (4) air-gapped operation; (5) perpetual-licence pricing.