Carto-C is a tool for establishing a cartography (a map) of C source code. It can be used for:
- Finding potential run-time errors through static analysis, using the Frama-C platform on which it is built
- Finding input and output points in the code, even those the designer/developer is not aware of. This includes files, standard input and output, environment variables, the network, the localization, the current time, etc.
- Finding critical points that depend on these inputs or that influence the outputs. For example, this makes it possible to determine whether a password can potentially be written to standard error
- Finding vulnerabilities linked with formatting and execution functions. These vulnerabilities correspond to the Common Weakness Enumeration items CWE-134 and CWE-78
The evaluation of Carto-C with respect to the aforementioned weaknesses and errors is based on NIST's Juliet test suite.
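To make the last two list items concrete, here is an added example (constructed for this page, not taken from Carto-C or from the Juliet suite) of an input point, an environment variable, reaching a formatting function and a command line, each beside a hardened counterpart. The variable name `APP_NAME` and all function names are hypothetical.

```c
/* Added illustration: constructed code, not from Carto-C or the Juliet suite. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CWE-134 (bad): external data is used as the format string itself. */
int log_bad(char *out, size_t n, const char *input) {
    return snprintf(out, n, input);
}

/* CWE-134 (good): fixed format, external data is only an argument. */
int log_good(char *out, size_t n, const char *input) {
    return snprintf(out, n, "%s", input);
}

/* CWE-78 (bad): external data is spliced into a string meant for system(). */
int cmd_bad(char *out, size_t n, const char *input) {
    return snprintf(out, n, "ls -l %s", input);
}

/* CWE-78 (good): allow-list check before the value gets near a command. */
int name_is_safe(const char *input) {
    if (*input == '\0' || *input == '-') return 0;   /* empty or option-like */
    for (; *input; input++)
        if (!isalnum((unsigned char)*input) && *input != '.' && *input != '_')
            return 0;
    return 1;
}

int main(void) {
    /* Input point: an environment variable (APP_NAME is a hypothetical name). */
    const char *input = getenv("APP_NAME");
    char buf[128];
    if (input == NULL) input = "100%%";              /* constructed sample value */
    log_bad(buf, sizeof buf, input);
    printf("bad : %s\n", buf);                       /* "%%" was interpreted */
    log_good(buf, sizeof buf, input);
    printf("good: %s\n", buf);                       /* input copied verbatim */
    printf("safe for a command line: %d\n", name_is_safe(input));
    return 0;
}
```

The sample value `100%%` is chosen because `%%` consumes no arguments, so the difference between the two formatting functions is visible without undefined behavior.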