

MISRA C Rules & Coding Standards Compliance

Developers use the MISRA coding standards widely in industries beyond automotive, such as medical devices, military, aerospace, industrial automation, rail, and energy. The standards provide a set of guidelines or best practices for writing embedded C and C++ code (C++ integrates into Microsoft Visual Studio), and they help developers write safe, secure, and portable code for safety- and security-critical systems.

What Is MISRA?

The Motor Industry Software Reliability Association (MISRA) refers to the widely adopted and legendary coding standard for C and C++ languages. MISRA provides a comprehensive set of coding guidelines that focuses on protecting applications against known safety violations and security vulnerabilities. The Association classifies guidelines as either a “rule” or a “directive.”

A rule comes with a complete description of the coding requirement, and through static analysis, developers can use it to check that source code complies with a guideline without the need to seek out any other information. A directive, on the other hand, offers an important prescription or development guidance for developers to follow when it’s generally not possible for them to perform a check for compliance.

MISRA is a consortium of automotive-related industries that came together in the early 1990s as a result of the United Kingdom’s Safety Critical Systems Research Programme. The U.K. government instituted this program to address some of the challenges that the automobile industry faced due to auto and truck makers increasing the use of software in the manufacture and operation of road vehicles. Parasoft is a member of the MISRA consortium.

For C development, the latest MISRA C: 2012 standard supports C90, C99, C11, and C18 language specifications. The current version, MISRA C: 2012 (sometimes written as MISRA C 2012 or MISRA C2012), has evolved over several years, and Amendment 2 to MISRA C: 2012 was published in 2020. Amendment 3 is projected to be released in 2022. For the C++ programming language, the current MISRA standard is MISRA C++ 2008.

Note: MISRA is a set of rules for secure coding, not for testing APIs (application programming interfaces).

“MISRA”, “MISRA C” and the triangle logo are registered trademarks of The MISRA Consortium Limited. ©The MISRA Consortium Limited, 2021. All rights reserved.

Benefits of MISRA

When developers implement MISRA guidelines, it helps them deliver safe, secure, and reliable code that has everlasting benefits. MISRA compliance impacts your product’s success and longevity while reducing labor costs and time to market.

Increase code quality and reduce the cost of defects.

Prevent code defects earlier in the product development process before they cascade into more expensive challenges down the line.

Satisfy industry process standards.

Parasoft offers MISRA static analysis as the solution recommended by process standards like ISO 26262, DO-178C, IEC 62304, IEC 61508, EN 50128, and more.

Satisfy static analysis security testing (SAST).

Weave MISRA security code rules and directives right into your software development lifecycle as part of your SAST strategy.

Expand from MISRA and build your own custom coding guidelines.

Create your own custom, coding-standards configuration for your organization using our RuleWizard.

Combine coding standards like CERT with MISRA to get the optimum code quality.

Parasoft offers the aggregation of standards like MISRA with any and all our other supported coding standards: CERT, CWE, OWASP, UL 2900, and others.

Incorporate MISRA SA into your CI/CD workflow.

Parasoft’s MISRA static analysis integrates easily into your streamlined CI/CD pipeline with continuous testing that delivers high-quality, safe, and secure software quickly.

Test smarter with AI and ML.

Parasoft incorporates artificial intelligence and machine learning to improve productivity in your team's MISRA static analysis workflow, flagging and prioritizing the rule violations that the team needs to fix first.

Solutions to Help Meet MISRA Requirements

Deploy Parasoft’s suite of products to conduct static analysis of code no matter which development environment you work in.

MISRA Compliance Best Practices

When it comes to MISRA compliance, we recommend several highly beneficial practices. Here is a list of some of the methods to consider.

Perform Code/Peer Reviews

In addition to MISRA compliance, convene with your fellow software engineers and systematically check each other's code for mistakes and coding style violations. Experience shows that this activity accelerates production and substantially improves code quality.

Code Clarity

MISRA compliance helps you write code that is easy to read and understand. Don’t be too clever and write cryptic code that's hard to follow or easily misunderstood. You don't want other engineers or yourself to spend a lot of time trying to decipher a bug in your code.

Code Robustness

When you achieve MISRA compliance, it helps you write reliable code that not only handles the sunny day scenarios but rainy days, too. This includes negative scenarios that prepare your application if it comes up against invalid data.

Code Portability

MISRA compliance helps programmers write code with portability in mind because portable code, like POSIX and ANSI C, allows easy and quick moves to other platforms. Developers can adapt to other compilers or other operating systems with minimal code changes. Financial or business opportunities often make migrating to another operating system or target necessary.

Code Complexity

MISRA compliance helps coders write code that does not have a large number of branches. The more branches, the higher the code complexity and the higher the number of potential bugs in the code.

Code Reusability

MISRA compliance helps you write portable code that you can reuse in future products or projects. This improves productivity and reduces labor and testing costs.

Properly Log Your Deviations

Any MISRA guideline deviation requires thorough documentation covering the guideline concerned, the scope, justification, safety assurance, consequences, and mitigation.

Reduce MISRA Noise

Coders may write some code constructs in a way that triggers a MISRA violation. Parasoft provides a method to knowingly filter out this noise.

Adopting MISRA Compliance

A great thing about proposing MISRA compliance is that security teams can introduce and use the guidelines at any software development phase of a project, and the guidelines are effective even if a project is incomplete and partially coded.

The biggest challenge with introducing MISRA compliance is that a large amount of code can produce a large number of warnings. Therefore, companies should focus on getting the team productive as soon as possible when integrating MISRA compliance into a project.

Companies should also concentrate on minimizing the possibility of the static analysis warnings overwhelming the team. As achieving MISRA compliance becomes part of the developers’ daily routine, the developers can analyze results quicker and fix bugs more efficiently.

Product Maturity Considerations

It’s also important to consider the maturity of the product under development, as this impacts the way the company can adopt MISRA compliance.

Existing Project Out in the Market

The primary approach to adopting MISRA compliance for these projects is called “acknowledge and defer.” Since developers are adding little new code, all of the safety bugs and security vulnerabilities they discover add to the existing technical debt.

Existing Project With Current Development

The recommended approach to MISRA compliance is called “a line in the sand” approach. At a high level, this approach means developers improve new code as they develop it while deferring less critical warnings as technical debt.

New Project

Developers can integrate MISRA compliance in their development environments from the start, ensuring a high standard of quality code as they write it. The approach to adoption in this case is aptly named “greenfield.”

Screenshot of Parasoft's reporting and analytics of MISRA C 2012 Compliance showing pie graphs and other data reflecting code compliance.

Automated Compliance Reporting Example

Parasoft’s analytics dashboard with automated compliance reporting. For safety and security-critical applications, you’ll want to use our TÜV SÜD certified solution on safety-critical systems.

Why Parasoft?

Parasoft C/C++test detects complex MISRA compliance runtime-like problems early in the development stage — without the need to execute costly runtime tests. C/C++test analyzes the execution paths through the code and finds MISRA compliance issues, like null pointer dereferencing, division by zero, and memory leaks, as well as security vulnerabilities, such as arithmetic on a pointer operand, buffer overflows, unreachable code, and use of the stdlib system function.
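To make the defect classes named above concrete, here is an added example (not Parasoft's or MISRA's code): a constructed averaging routine that contains a null pointer dereference and a division by zero, plus an accumulator wraparound, next to a defensively rewritten version. The names `mean_unchecked`, `mean_checked` and `mean_status_t` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Before: three defects, each reachable only on a specific path. */
uint16_t mean_unchecked(const uint16_t *samples, uint16_t count)
{
    uint16_t sum = 0U;
    for (uint16_t i = 0U; i < count; i++) {
        sum += samples[i];      /* NULL dereference if samples == NULL;
                                   sum wraps modulo 65536 on large input */
    }
    return (uint16_t)(sum / count);   /* division by zero if count == 0 */
}

typedef enum { MEAN_OK = 0, MEAN_BAD_ARG = 1 } mean_status_t;

/* After: every argument is validated before use, the accumulator is wide
   enough for the worst case, and the result is returned through *out so
   the status cannot be confused with a data value. */
mean_status_t mean_checked(const uint16_t *samples, uint16_t count,
                           uint16_t *out)
{
    mean_status_t status = MEAN_BAD_ARG;

    if ((samples != NULL) && (out != NULL) && (count != 0U)) {
        uint32_t sum = 0U;      /* 65535 * 65535 < 2^32, so no wrap */
        for (uint16_t i = 0U; i < count; i++) {
            sum += samples[i];
        }
        *out = (uint16_t)(sum / count);
        status = MEAN_OK;
    }
    return status;              /* single point of exit */
}

int main(void)
{
    const uint16_t big[2] = { 65535U, 65535U };   /* constructed input */
    uint16_t out = 0U;

    /* Empty and NULL inputs are rejected instead of faulting. */
    if (mean_checked(big, 0U, &out) != MEAN_BAD_ARG) { return 1; }
    if (mean_checked(NULL, 2U, &out) != MEAN_BAD_ARG) { return 1; }
    /* The widened accumulator gives the true mean. */
    if (mean_checked(big, 2U, &out) != MEAN_OK) { return 1; }
    return (out == 65535U) ? 0 : 1;
}
```

None of the three defects shows up in a test that only feeds well-formed data, which is why path-sensitive static analysis is useful for finding them before runtime testing.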

Users can view results from C/C++test’s MISRA compliance in Parasoft’s dynamic reporting dashboard, enabling automated post-processing and advanced reporting strategies using historical data. It’s easy to see MISRA compliance results across builds over time, even when working with large codebases and legacy code where visibility into the code is typically challenging, so you can quickly focus on the quality of the newly added code.

With widgets that automatically track MISRA compliance, users get a dynamic view into the software compliance process, and can easily produce automatic reports for code audits and certification goals.

Frequently Asked Questions

Incorporate into your software implementation phase a TÜV certified solution that analyzes your code to the MISRA standard for known safety and application security violations.

In modern Agile development, you can also automate MISRA analysis and compliance into your continuous integration and continuous delivery (CI/CD) workflow. Make sure to understand all identified violations and make certain to address them all. If there are any deviations, thoroughly document them as required by the MISRA standard.

Lastly, you need to present the following artifacts for MISRA compliance certification.

  1. MISRA Guideline Enforcement Plan
  2. MISRA Guideline Re-categorization Plan
  3. MISRA Deviations Report
  4. MISRA Compliance Summary

The latest version, MISRA C:2012, has evolved over several years and includes 158 MISRA C rules and 17 directives for a total of 175 guidelines. Amendment 2 to MISRA C:2012, published in 2020, expanded the standard by 2 rules.

Static analysis is the process of examining source code without execution, usually for the purposes of finding bugs or evaluating code safety, security, and reliability. This means software teams and software security teams can use static analysis on partially complete code, libraries, and third-party source code.

Static analysis tools help teams conform to coding standards such as MISRA C/C++, AUTOSAR C++ 14, SEI CERT, or your own custom configuration.