The gml4gtk graph viewer can be used with many (but not all) graphviz dot files
and is GNU GPL Free software at https://sourceforge.net/projects/gml4gtk/

The rosecheckers software can generate callgraph or AST graph data as dot files
which can be loaded in the gml4gtk graph viewer.

The rosecheckers project is MIT-licensed Free software that checks C and C++ code against the CERT rules, at

https://sourceforge.net/projects/rosecheckers/


These checkers enforce the CERT Secure Coding Standards for C and C++.
The standards are available at https://www.securecoding.cert.org

This software is unmaintained now, but the last commit is from 2021,
and because it is Free software others can take over its maintenance.

To get the source:

svn checkout https://svn.code.sf.net/p/rosecheckers/code/trunk rosecheckers-code

To get the C rules go to this page

https://sourceforge.net/p/rosecheckers/code/HEAD/tree/tags/jpcert-Jan-2008/


and download the tar.gz snapshot of that tree.

These files include the HTML pages with the text of the rules.

The rules are also available as XML files for other uses.

The CERT standard is at this site

https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards


"This site supports the development of coding standards for commonly used
programming languages such as C, C++, Java, and Perl, and the Android™ platform.
These standards are developed through a broad-based community effort by
members of the software development and software security communities."

The site provides the C and C++ coding standards free of charge.

This site has test data available at

https://wiki.sei.cmu.edu/confluence/display/seccode/Open+Dataset+RC_Data+for+Classifier+Research


The CWE list is available from MITRE at

https://cwe.mitre.org/data/index.html


For example, the weaknesses addressed by the CERT C Secure Coding Standard are listed as CWE-734 here:

https://cwe.mitre.org/data/definitions/734.html


There are also PDF visualizations at

https://cwe.mitre.org/data/pdfs.html

The whole archive with all versions is at:

https://cwe.mitre.org/data/archive.html

The CERT manifest XML files are available at:

https://wiki.sei.cmu.edu/confluence/display/c/CERT+manifest+files

"These files can be used by static analysis tool developers
to test their coverage of (some of the) CERT Secure Coding Rules for C,
using many of 61,387 test cases in the Juliet test suite v1.2."

The dot graph files in the rosecheckers repo can be used with gml4gtk
and carry AST information, but even a tiny program with a possible
buffer overflow results in big graph images to explore.
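As an added illustration of the kind of "possible buffer overflow" a CERT C checker such as rosecheckers is meant to flag, here is a noncompliant fixed-buffer copy beside its compliant rewrite. This is example code written for this page, not the rosecheckers tiny program (which is not reproduced here) and not code from the rosecheckers project; NAME_LEN, the function names and the sample inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size destination buffer; the size is an assumption for the demo. */
#define NAME_LEN 16

/* Noncompliant with CERT C STR31-C: strcpy() copies src up to its NUL
 * terminator and never looks at the size of dst, so any src of NAME_LEN
 * or more characters writes past the end of the array (undefined
 * behaviour, the classic stack buffer overflow). Kept only as the
 * "before" form; it must never be called with untrusted input. */
void copy_name_unsafe(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Compliant rewrite: check that src plus its terminator fits before
 * writing a single byte. Returns 0 on success and -1 if src is too long,
 * in which case dst is left as an empty string rather than truncated
 * silently (silent truncation can itself create a new bug downstream). */
int copy_name_safe(char dst[NAME_LEN], const char *src)
{
    size_t n = strlen(src);          /* src is assumed NUL-terminated */
    if (n >= NAME_LEN) {             /* n == NAME_LEN leaves no room for '\0' */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);         /* n bytes plus the terminator */
    return 0;
}

/* Stand-alone demo on constructed input (not taken from the page). */
int main(void)
{
    char buf[NAME_LEN];
    const char *fits = "alice";
    const char *too_long = "this string is longer than NAME_LEN";

    copy_name_unsafe(buf, fits);     /* only safe because "alice" fits */
    printf("unsafe copy of fitting input: %s\n", buf);

    int rc = copy_name_safe(buf, fits);
    printf("safe copy of fitting input -> %d, buf=\"%s\"\n", rc, buf);

    rc = copy_name_safe(buf, too_long);
    printf("safe copy of oversized input -> %d, buf=\"%s\"\n", rc, buf);
    return 0;
}
```

Compile with `cc -Wall -o copy_name copy_name.c`. A CERT checker flags the strcpy() call in copy_name_unsafe because nothing relates the length of src to the size of dst; in copy_name_safe the length check sits directly beside the copy, which is both what the rule asks for and what makes the relation visible to a static analyzer.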

Here are a few screenshots of gml4gtk with this data:
gml4gtk-rosecheckers-1.png
gml4gtk-rosecheckers-2.png
gml4gtk-rosecheckers-3.png
gml4gtk-rosecheckers-4.png
Todo: gml4gtk can be optimized further for this kind of data, and because
rosecheckers is now unmaintained, some work could be done on it so it can be
used together with gml4gtk and other tools.

The Linux sparse source code checker is also excellent, but it is not designed
specifically for checking CERT rules.

Linux sparse is on kernel.org at

https://www.kernel.org/doc/html/v4.12/dev-tools/sparse.html


"Sparse is a semantic checker for C programs; it can be used to
find a number of potential problems with kernel code."

This is an example of dot graph language output from rosecheckers

safeclib is a safe C library (bounds-checked string and memory functions) with example source showing how to use it, at
https://github.com/rurban/safeclib

C and C++ source code improvement ideas from Intel:
https://software.intel.com/content/www/us/en/develop/articles/the-ultimate-question-of-programming-refactoring-and-everything.html