Monday 7 December 2020

The most dangerous software weaknesses in 2020

Mitre has released a list of the most dangerous software weaknesses.

https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html

Item #2 on that list is "Out-of-bounds Write" (CWE-787). I have investigated this a little. I looked at the related vulnerabilities that have been published.


Vulnerabilities

As a static analysis tool developer I wanted to investigate CWE-787 vulnerabilities (whether Cppcheck would detect them and, if not, why). Details about vulnerabilities can be found in a few locations, but I used the National Vulnerability Database (NVD).
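To make the weakness class concrete, here is an added example that is not from this post or from any of the projects listed below: a constructed length-prefixed "row" decoder showing the typical CWE-787 shape (a length field from the input is trusted when writing into a fixed-size destination) next to the bounds-checked form. All names and the frame layout are my own assumptions.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed format: byte 0 declares how many pixel bytes follow.
constexpr std::size_t kMaxPixels = 16;

struct Row {
    std::array<uint8_t, kMaxPixels> pixels{};
    std::size_t count = 0;
};

// CWE-787 pattern: the declared length is trusted, so a frame declaring more
// than kMaxPixels makes the loop write past the end of row.pixels (and a
// truncated frame makes it read past the end of data). This is the shape a
// static analyser has to recognise: index derived from input, destination
// with a fixed capacity, no comparison between the two.
Row decodeRowUnchecked(const std::vector<uint8_t>& data) {
    Row row;
    const std::size_t n = data.empty() ? 0 : data[0];
    for (std::size_t i = 0; i < n; ++i)
        row.pixels[i] = data[1 + i];   // out-of-bounds write when n > kMaxPixels
    row.count = n;
    return row;
}

// Hardened form: validate the declared length against both the destination
// capacity and the bytes actually present before writing anything. Returns
// false (and leaves row untouched) on a malformed frame.
bool decodeRowChecked(const std::vector<uint8_t>& data, Row& row) {
    if (data.empty()) return false;
    const std::size_t n = data[0];
    if (n > kMaxPixels) return false;          // destination capacity
    if (data.size() < 1 + n) return false;     // bytes actually present
    for (std::size_t i = 0; i < n; ++i)
        row.pixels[i] = data[1 + i];
    row.count = n;
    return true;
}
```

A sanitizer build (e.g. with -fsanitize=address) of the unchecked decoder fed a frame declaring 17 pixels reports the write at runtime; the point of static analysis is to flag the missing comparison without running anything.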

I wanted to find vulnerabilities that meet these criteria:

  • CWE-787
  • Published in 2020
  • Vulnerability in open source project so I can look at it
  • C++ code

To start with I used this search:

https://nvd.nist.gov/vuln/search/results?cwe_id=CWE-787&pub_start_date=01%2F01%2F2020

That search resulted in ~800 vulnerabilities, and I manually looked through these results to find vulnerabilities in open source C++ projects. All such vulnerabilities I could find are listed below:

CVE-2020-25693 - CImg
CVE-2020-25219 - libproxy
CVE-2020-15365 - libraw
CVE-2020-15306 - openexr
CVE-2020-11764 - openexr
CVE-2020-11763 - openexr
CVE-2020-11762 - openexr
CVE-2020-0451 - Android
CVE-2020-0409 - Android
CVE-2020-0245 - Android
CVE-2020-0120 - Android
CVE-2020-0218 - Android
CVE-2020-0131 - Android
CVE-2020-0124 - Android
CVE-2020-0118 - Android
CVE-2020-0094 - Android
CVE-2020-0079 - Android
CVE-2020-0078 - Android
CVE-2020-0053 - Android
CVE-2020-0046 - Android
CVE-2020-0033 - Android
CVE-2020-0027 - Android

So there were in total ~22 such vulnerabilities in 2020 (the year has not ended yet). I do not think that ~22 is a lot; this is the #2 most dangerous software weakness and the search criteria included all open source C++ projects.

Please feel free to let me know if there is a vulnerability I missed.


Conclusion

You can certainly make mistakes in C++ as well, but it's not highly unsafe. At least CWE-787 vulnerabilities are rare. Those who disagree, please feel free to take a look in the NVD...
