Carto-C is a tool for establishing the cartography of C source code. It allows:

  • Finding potential run-time errors with static analysis, thanks to the underlying Frama-C platform it is built on
  • Finding input and output points in the code, even those the designer or developer is not aware of. This includes files, standard input and output, environment variables, the network, the localization settings, the current time, etc.
  • Finding critical points that depend on these inputs or that have an influence on the outputs. This allows, for example, finding whether a password can potentially be written to the standard error output
  • Finding vulnerabilities linked with formatting and execution functions. These vulnerabilities correspond to the Common Weakness Enumeration items CWE-134 and CWE-78

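To make the two CWE classes and the input-to-output flow concrete, here is an added C example (not part of Carto-C or of the original page) showing the vulnerable pattern as a comment beside a hardened form. The function names (`render_untrusted`, `shell_arg_is_safe`, `build_list_command`, `redact_for_log`) and the sample inputs are assumptions made for this illustration; the allowlist for shell arguments is one possible policy, not one Carto-C prescribes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* CWE-134: the format argument of printf-family functions must never come
 * from an input point (file, stdin, environment, network, ...).
 *   vulnerable: snprintf(out, n, msg);         // msg reaches the format sink
 *   hardened:   snprintf(out, n, "%s", msg);   // msg is only ever data
 * Returns the number of characters the full message would occupy. */
int render_untrusted(char *out, size_t n, const char *msg) {
    return snprintf(out, n, "%s", msg);
}

/* CWE-78: an execution function (system, popen, exec*) must not receive a
 * command string assembled from an input point. The hardened form refuses
 * anything outside a strict allowlist before the string is even built.
 *   vulnerable: snprintf(cmd, sizeof cmd, "ls %s", name); system(cmd);
 * Allowlist (an assumption for this example): 1..64 chars of [A-Za-z0-9._-],
 * not starting with '-' (would be parsed as an option), no ".." sequence. */
int shell_arg_is_safe(const char *arg) {
    if (arg == NULL || *arg == '\0' || strlen(arg) > 64) return 0;
    if (arg[0] == '-') return 0;
    for (const char *p = arg; *p; ++p) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    if (strstr(arg, "..") != NULL) return 0;
    return 1;
}

/* Builds the command only when the argument passed the allowlist.
 * Returns 1 on success, 0 when the argument was rejected (cmd left empty).
 * The string is built but deliberately not executed here: passing it to
 * system() would be the execution sink a tool like Carto-C reports. */
int build_list_command(char *cmd, size_t n, const char *name) {
    if (!shell_arg_is_safe(name)) {
        if (n > 0) cmd[0] = '\0';
        return 0;
    }
    int w = snprintf(cmd, n, "ls -l -- %s", name);
    return w >= 0 && (size_t)w < n;
}

/* Input-to-output flow: a password read from an input point must not reach
 * an output sink such as stderr. Logging only its length keeps the log line
 * free of the secret while still being useful for debugging. */
int redact_for_log(char *out, size_t n, const char *secret) {
    return snprintf(out, n, "<redacted, %zu chars>", strlen(secret));
}

int main(void) {
    char buf[128];
    /* Constructed sample inputs; "%x %x" is the classic probe a format sink
     * would misinterpret, here it is rendered verbatim as data. */
    render_untrusted(buf, sizeof buf, "%x %x");
    printf("rendered: %s\n", buf);
    printf("report.txt -> %d, report.txt;id -> %d\n",
           shell_arg_is_safe("report.txt"), shell_arg_is_safe("report.txt;id"));
    if (build_list_command(buf, sizeof buf, "report.txt"))
        printf("command: %s\n", buf);
    redact_for_log(buf, sizeof buf, "hunter2");
    fprintf(stderr, "password: %s\n", buf);
    return 0;
}
```

The point of the hardened forms is that the data read from an input point never becomes a format string or part of a command line: it is either rendered through a fixed `"%s"` format, rejected by an allowlist before any command is assembled, or replaced by a redacted placeholder before it reaches an output sink.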
The evaluation of Carto-C with respect to the aforementioned weaknesses and errors is based on NIST's Juliet test suite.