The gml4gtk graph viewer can be used with many graphviz dot files
but not all
and is GNU GPL Free software at https://sourceforge.net/projects/gml4gtk/
The rosecheckers software can generate callgraph or ast graph data
as dot files
which can be used with the gml4gtk graph viewer.
The rosecheckers project has MIT Free software to check for cert
These checkers enforce the CERT Secure Coding Standards for C and
The standards are available at https://www.securecoding.cert.org
This is unmaintained software now, but the last commit is from the year 2021
and because it is Free software others can do the maintenance of this.
To get the source:
svn checkout https://svn.code.sf.net/p/rosecheckers/code/trunk
To get the C rules go to this page
and download the tar.gz file of it
These files have the html page with the text of the rules.
The rules are also available as xml files for other uses.
The CERT standard is at this site
"This site supports the development of coding standards for commonly
programming languages such as C, C++, Java, and Perl, and the
These standards are developed through a broad-based community effort
members of the software development and software security
This site has a Free C and C++ guide for programming.
This site has test data available at
The CWE list is available at MITRE
For example common problems in C are in a list here:
Also there are visualizations at
The whole archive with all versions is at:
The cert manifest xml files are available at:
"These files can be used by static analysis tool developers
to test their coverage of (some of the) CERT Secure Coding Rules for
using many of 61,387 test cases in the Juliet test suite v1.2."
The dot graph files in the rosecheckers repo can be used with
and have ast information but a tiny program below with a possible
buffer overflow results in big graph images to explore
Here are a few screenshots of gml4gtk with this data
Todo: gml4gtk can be more optimized for this and because
is now unmaintained can do some work on it to be used with
of gml4gtk and other.
The Linux sparse source code checker is also excellent but is not
specific for checking cert rules.
Linux sparse is on kernel.org at
"Sparse is a semantic checker for C programs; it can be used to
find a number of potential problems with kernel code."
This is example dot graph language output from rosecheckers
This is a safe clib with example source how to do it at
C and C++ source code improvement ideas from Intel