CERT secure coding L1 level rules for Java, C, C++


CERT secure coding guidelines prioritize rules based on Severity, Likelihood and Remediation Cost

L1 rules are the ones with High severity, likely and inexpensive to repair.

For more details = https://wiki.sei.cmu.edu/confluence/display/perl/Risk+Assessment

CERT also provides priority information for Java,C, C++ rules:




SonarQube already has some coverage, if SonarQube can provide complete L1 rules coverage and mapping data for Java, C/ C++, it would be really great.

Thank you,


Hello Vinod,

Thanks for reaching out and putting this “Level” topic on the table. I was looking at it without taking the time to understand it. Now it’s clear and I have a way to prioritize which part of CERT we should cover first.

I like your idea and I believe we could imagine ways to make this “Level” information more visible in SonarQube.
Before thinking about that, we need to do a gap analysis between CERT and SonarJava and determine which Level 1 rules are missing.

I take the action to study that.


1 Like

3 posts were split to a new topic: CERT rules for C++