In addition, the documentation for each check provides information about any vulnerabilities it identifies and a description of the problems that can be caused by code that fails the check, such as memory leaks, undefined or unpredictable behavior, or program crashes. Usually, there are also two source code examples: one that illustrates code that fails the check and generates a message, and one that illustrates code that passes the check. For each check, there is also information about which rules in the different coding standards that the check corresponds to.

A grid shows the severity of the problems that code that does not conform to the rule (non-conformant code) can cause, and the level of certainty that the message reflects a true error in the source code. The grid is divided into three zones—indicated with pale colors—that reflect the risks based on the severity and certainty. The actual risk for a specific check is indicated with a grid cell in strong color.

Here follow some example grids.

Example 1—high severity and high certainty = high risk

This grid shows a check with high severity and high certainty, which means that it very likely indicates a true bug. While all messages should be investigated, those with a high certainty are more likely to identify real problems in your source code.

Example 2—medium severity and high certainty = medium risk

This grid shows a check with medium severity and high certainty. A medium severity indicates that, for the code that fails the check, there is a medium risk of causing serious errors in your application. A high certainty means that it is very likely that the message reflects a true positive.

Example 3—low severity and medium certainty = low risk

This grid shows a check with low severity and medium certainty, which indicates that the code probably is safe to use. That the check fails can be due to an offense in a macro, or programmers writing safe, but unusual code.