Test 1

TEST 1

Test Case ID: BIS-2.4.1 Test Name: TC_CHECK_FOR_SAFE_ALTERNATIVES_TO_BANNED_C_FUNCTIONS_RECOMMENDED

Objective:

To perform secure code review (both automated and manual) in the presence of the OEM team using a licensed static analysis tool, to verify that banned C functions have been replaced with their safe equivalents.

Tools Used:

  • Licensed Static Analysis Tool (e.g., Fortify SCA, Coverity, Klocwork, etc.)

Test Execution Steps:

  1. Vendor visits the evaluation laboratory with the complete firmware codebase.

  2. A licensed static analysis tool available at the evaluation agency is installed and configured on a designated secure system.

  3. The codebase is scanned using the static analysis tool in the presence of the OEM and evaluation team.

  4. Results are observed live, with special attention to banned functions such as strcpy, strcat, gets, sprintf, etc.

  5. A detailed report is generated post-analysis showing flagged instances (if any) and remediation status.

Expected Results for Pass:

  • The code review report confirms no usage of banned C functions.

  • All identified unsafe functions (if any) are either remediated or replaced with safe equivalents (strncpy, snprintf, fgets, etc.).

  • No false positives impacting the code flow or logic.

Test Observations:

(To be filled after test execution – includes behavior noted, exceptions, or tool-specific flags)

Evidence Provided:

  • Static analysis report

  • Screenshots of tool output (optional)

  • OEM and lab witness confirmation (sign-off)

Test Case Result:

(PASS / FAIL based on observation and analysis)

Overall Test Result:

(To be updated after completing BIS-2.4.2 to BIS-2.4.4)

Previous2.4 – Check for Safe Alternatives to Banned C FunctionsNext2.5 Validate Firmware Software Bill of Materials (SBOM)

Last updated

Was this helpful?