• EXP40-CPP. Do not pass a reference or nontrivially-copyable type to va_start 
• MSC36-CPP. Value-returning functions must return a value from all exit paths 
• MSC37-CPP. Do not return from a function declared [[noreturn]] 
• DCL39-CPP. Functions declared with [[noreturn]] must return void 
• Relation to the CERT C Coding Standard
  Added a child page to describe how the CERT C++ Secure Coding Standard relates to the CERT C Coding Standard.

Changed

• The "Arrays and the STL" section has been renamed to "Containers"-, and its designation has changed from ARR to CTR. All guideline titles in this section have been updated
  to reflect these changes.
• DCL33-CPP. Never qualify a reference type with const or volatile
  Considerable edits to content, including title change.
• DCL37-CPP. Overloaded postfix increment and decrement operators should return a const object
  Considerable edits to content, including title change.
• ERR37-CPP. Honor exception specifications
  Considerable edits to content to update it for noexcept specifications; title change.
• STR08-CPP. Do not specify the bound of a character array initialized with a string literal
  Was previously STR36-CPP. Do not specify the bound of a character array initialized with a string literal; this guideline was downgraded from a rule to a recommendation and matches the severity of the analogous C guideline.
• FIO19-CPP. Do not create temporary files in shared directories
  Was previously FIO43-CPP. Do not create temporary files in shared directories; this guideline was downgraded from a rule to a recommendation and matches the severity of the analogous C guideline.
• INT18-CPP. Evaluate integer expressions in a larger size before comparing or assigning to that size
  Was previously INT35-CPP. Evaluate integer expressions in a larger size before comparing or assigning to that size; this guideline was downgraded from a rule to a recommendation and matches the severity of the analogous C guideline.
• FLP05-CPP. Convert integers to floating point for floating point operations
  Was previously FLP33-CPP. Convert integers to floating point for floating point operations; this guideline was downgraded from a rule to a recommendation and matches the severity of the analogous C guideline.
• DCL20-CPP. Use volatile for data that cannot be cached
  Was previously DCL34-CPP. Use volatile for data that cannot be cached; this guideline was downgraded from a rule to a recommendation and matches the severity of the analogous C guideline.
• INT30-CPP. Do not cast to an out-of-range enumeration value
  Considerable edits to content, including title change.
• CTR32-CPP. Do not use iterators invalidated by container modification and MEM30-CPP. Do not access freed memory
  Received NCCE/CS pairs from STR33-CC. Do not access invalid output of c_str() or data().
• MEM32-CPP. Detect and handle memory allocation errors
  Considerable edits to the content; added and extended examples from MEM36-CPP.
• MEM34-CPP. Only free memory allocated dynamically
  Considerable edits to the content. Received NCCE/CS pair and text from MEM31-CPP. Free dynamically allocated memory exactly once.
• MEM30-CPP. Do not access freed memory
  Considerable edits to the content. 
• OOP38-CPP. Gracefully handle self-assignment
  Considerable edits to the content, including a title change. Was previously MEM42-CPP. Ensure that copy assignment operators do not damage an object that is copied to itself.
• ERR40-CPP. Do not leak resources when handling exceptions
  Considerable edits to content. It received the content of MEM33-CPP. Ensure that aborted constructors do not leak, and was moved from the MEM section into the ERR section. Was previously MEM44-CPP. Do not leak resources when handling exceptions.
   

Removed

• DCL39-CPP. Non-const references should only be initialized with lvalues
  This rule affects only C++03 and earlier and is ill-formed code in C++11 and later.
• FLP31-CPP. Do not call functions expecting real values with complex values
  This rule applies only to ill-formed C++ code.
• STR33-CPP. Do not access invalid output of c_str() or data()
  This rule affects only C++03 or is covered by CTR32-CPP. Do not use iterators invalidated by container modification and MEM30-CPP. Do not access freed memory.
• MEM36-CPP. Never allocate more than one resource in a single statement
  This rule was subsumed by MEM32-CPP. Detect and handle memory allocation errors
• MEM33-CPP. Ensure that aborted constructors do not leak
  This rule was subsumed by ERR40-CPP. Do not leak resources when handling exceptions
• MEM31-CPP. Free dynamically allocated memory exactly once
  This rule was subsumed by MEM34-CPP. Only free memory allocated dynamically
   

The following rules were removed as being covered by the CERT C Coding Standard: 

• PRE31-CPP. Avoid side-effects in arguments to unsafe macros
• EXP31-CPP. Avoid side-effects in assertions
• EXP34-CPP. Ensure a null pointer is not dereferenced
• EXP37-CPP. Call variadic functions with the arguments intended by the API
• EXP38-CPP. Do not modify constant values
• ARR31-CPP. Use consistent array notation across all source files
• STR30-CPP. Do not attempt to modify string literals
• STR31-CPP. Guarantee that storage for character arrays has sufficient space for character data and the null terminator
• STR32-CPP. Null-terminate character arrays as required
• STR34-CPP. Cast characters to unsigned types before converting to larger integer sizes
• STR37-CPP. Arguments to character handling functions must be representable as an unsigned char
• MEM35-CPP. Allocate sufficient memory for an object
• FIO32-CPP. Do not perform operations on devices that are only appropriate for files
• FIO33-CPP. Detect and handle input output errors resulting in undefined behavior
• FIO38-CPP. Do not use a copy of a FILE object for input and output
• FIO34-CPP. Use int to capture the return value of character IO functions
• FIO35-CPP. Use feof() and ferror() to detect end-of-file and file errors when sizeof(int) == sizeof(char)
• FIO36-CPP. Do not assume a new-line character is read when using fgets()
• FIO37-CPP. Do not assume character data has been read
• FIO40-CPP. Reset strings on fgets() failure
• FIO41-CPP. Do not call getc() or putc() with stream arguments that have side effects
• FIO44-CPP. Only use values for fsetpos() that are returned from fgetpos()
• ENV30-CPP. Do not modify the string returned by getenv()
• ENV31-CPP. Do not rely on an environment pointer following an operation that may invalidate it
• ENV32-CPP. All atexit handlers must return normally
• ERR32-CPP. Do not rely on indeterminate values of errno
• MSC31-CPP. Ensure that return values are compared against the proper type
• INT30-CPP. Ensure that unsigned integer operations do not wrap
• INT31-CPP. Ensure that integer conversions do not result in lost or misinterpreted data
• INT32-CPP. Ensure that operations on signed integers do not result in overflow
• INT33-CPP. Ensure that division and modulo operations do not result in divide-by-zero errors
• INT34-CPP. Do not shift a negative number of bits or more bits than exist in the operand
• FLP30-CPP. Do not use floating point variables as loop counters
• FLP32-CPP. Prevent or detect domain and range errors in math functions
• FLP34-CPP. Ensure that floating point conversions are within range of the new type
• FLP36-CPP. Beware of precision loss when converting integral types to floating point 

CERT Oracle Secure Coding Standard for Java

• JNI02-J. Do not assume object references are constant or unique 
• JNI03-J. Do not use direct pointers to Java objects in JNI code 
• JNI04-J. Do not assume that Java strings are null-terminated  
• EXP07-J. Prevent loss of useful data due to weak references 
• FIO15-J. Do not reset a servlet's output stream after committing it 
• IDS14-J. Do not trust the contents of hidden form fields 
• IDS15-J. Do not allow sensitive information to leak outside a trust boundary 
• MSC08-J. Do not store non-serializable objects as attributes in an HTTP session 
• NUM14-J. Use shift operators correctly 
• OBJ12-J. Respect object-based annotations 
• VNA06-J. Do not use non-static member fields in a servlet

• JNI01-J. Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance (loadLibrary) has new code examples illustrating compliance and noncompliance.
• LCK08-J. Ensure actively held locks are released on exceptional conditions has a new noncompliant code example that unlocks a lock that might not have been locked. That would be unlocky (smile)
• SER07-J. Do not use the default serialized form for classes with implementation-defined invariants now has code examples that illustrate CVE-2012-0507, which exploited the AtomicReferenceArray class in Java 1.7.0_02. OBJ06-J. Defensively copy mutable inputs and mutable internal components also mentions this vulnerability, as it was mitigated by complying with this rule, too.
• OBJ03-J. Prevent heap pollution now has code examples to illustrate lists of lists, including variadic parameters.
• EXP02-J. Do not use the Object.equals() method to compare two arrays has a new title, updated descriptions, and new noncompliant code examples and compliant solutions.

Deprecation Candidates   

• NUM04-J. Do not use floating-point numbers if precise computation is required is conditional on programmer's intent.
• NUM05-J. Do not use denormalized numbers is unenforcable.
• NUM06-J. Use the strictfp modifier for floating-point calculation consistency across platforms is conditional on programmer's intent.

FIO15-J. Do not operate on untrusted file links