Cpplumber is a static analysis tool that helps detecting and keeping track of C and C++ source code information that leaks into compiled executable files.
The project is written in Rust and depends on libclang, so it's cross-platform and can be used on projects that use the latest C and C++ standards.
- Supports JSON compilation databases
- Tracks leaks of string literals, struct names and class names
- Allows filtering reported leaks through a YAML configuration file
- Generates raw text and JSON reports
Imagine you have a source file file1.c that you compiled into a.out and
you want to know if some string literal ended up in a.out, you can simply do:
$ cpplumber --bin a.out file1.c
[2022-09-24T19:57:14Z INFO cpplumber] Gathering source files...
[2022-09-24T19:57:14Z INFO cpplumber] Filtering suppressed files...
[2022-09-24T19:57:14Z INFO cpplumber] Extracting artifacts from source files...
[2022-09-24T19:57:15Z INFO cpplumber] Filtering suppressed artifacts...
[2022-09-24T19:57:15Z INFO cpplumber] Looking for leaks in 'a.out'...
"My_Super_Secret_API_Key" (string literal) leaked at offset 0x14f20 in "/full/path/to/a.out" [declared at /full/path/to/file1.c:5]
Error: Leaks detected!
The full user documentation is available here (and also here as Markdown).
Rust version 1.63.0 or greater is needed to build the project.
git clone https://github.com/ergrelet/cpplumber.git
cd cpplumber
cargo build --release
If you have Rust installed, you can easily install Cpplumber with cargo:
cargo install --git https://github.com/ergrelet/cpplumber --tag 0.1.0
After that, you can invoke cpplumber from anywhere through the command-line.
Keep in mind that you need to have the required dependencies installed for
cpplumber to run properly. Check out the user documentation for more details.