Sunday 16 October 2016

Static code analysis

Hi folks,

In the software development process, static code analysis is an important step, and I am personally convinced of its utility (while knowing it is a difficult science), even when I contribute to open source projects. Usually I use the popular clang scan-build command line tool and/or the excellent online service Coverity Scan, and sometimes cppcheck as well.

But today I'm going to present another tool, PVS-Studio from viva64.com, which originally shipped as a Windows product integrated with Visual Studio but now also has a Linux version, which is what I will focus on here. It supports my main languages, C and C++, and in addition .NET/C#.

With the Linux version 6.09.18904, we have the choice between a simple tgz archive, an rpm for the Red Hat family and a package for the Debian family. I did all my tests under Linux Mint 18 with the GCC suite.

1/ Choice of a project

Let's try it on one well known open source project, the PHP programming language, which uses the no less famous trio configure/make/make install. After setting our preferences via the configure script, we can run pvs-studio on top of the make build system. First, the analyser traces the build to record every compiler invocation:

pvs-studio-analyzer trace -- make

Then the recorded compilations are analysed, with a licence file and a number of parallel jobs:

pvs-studio-analyzer analyze -o php.plog -l <path to licence file> -j<number of parallel jobs>
This produces a report in the PLOG format, which the bundled plog-converter command line tool can convert to XML, task files and other formats. Since the analysis can take a certain time, it is fortunately possible to parallelise it via the -j flag.

2/ Outcomes

The resulting output, here in XML, flags well known good practices, for instance about the safe use of realloc http://www.viva64.com/en/w/V701/ or checking the return value of strcmp http://www.viva64.com/en/w/V526/

It also has rules specific to C++, such as implementing the copy constructor but not the assignment operator http://www.viva64.com/en/w/V690/ or the uselessness of checking a raw pointer for null after a new operator http://www.viva64.com/en/w/V668/

... and many more; the full list is available from the same site.
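To make the diagnostics above concrete, here is an added example (not code from this post or from PVS-Studio) showing three of them, each as the pattern the analyser flags next to the corrected form: the realloc leak of V701, the strcmp comparison of V526, and the missing assignment operator of V690. All type and function names are invented for illustration, and the allocator is injected so that the out-of-memory path can be exercised without actually exhausting memory.

```cpp
// Added example, not from the post or from PVS-Studio: three of the listed
// diagnostics, each as the flagged pattern next to the corrected form.
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <utility>

// ---- V701: ptr = realloc(ptr, n) loses the block when realloc fails ----
// The allocator is a parameter (assumption of this example) so that a failing
// allocation can be simulated deterministically.
using realloc_fn = void *(*)(void *, size_t);

struct Buffer {
    char *data = nullptr;
    size_t size = 0;
};

// Flagged pattern, kept deliberately as the "before" form: when realloc
// fails it returns NULL and leaves the old block allocated, but the only
// pointer to that block has just been overwritten, so the block leaks.
bool grow_leaky(Buffer &buf, size_t new_size, realloc_fn re = std::realloc) {
    buf.data = static_cast<char *>(re(buf.data, new_size));
    if (buf.data == nullptr) return false;
    buf.size = new_size;
    return true;
}

// Corrected form: resize into a temporary and commit only on success, so
// buf.data stays valid and owned when the allocation fails.
bool grow_safe(Buffer &buf, size_t new_size, realloc_fn re = std::realloc) {
    char *tmp = static_cast<char *>(re(buf.data, new_size));
    if (tmp == nullptr) return false;
    buf.data = tmp;
    buf.size = new_size;
    return true;
}

// Allocator that always fails, used to simulate out-of-memory.
void *failing_realloc(void *, size_t) { return nullptr; }

// ---- V526: strcmp returns 0 for equal strings, not a boolean ----
// Flagged pattern: the standard only guarantees a result that is <0, 0 or
// >0, so comparing it with 1 silently misses most differing pairs.
bool differs_buggy(const char *a, const char *b) { return std::strcmp(a, b) == 1; }
// Corrected form: only test against zero.
bool differs(const char *a, const char *b) { return std::strcmp(a, b) != 0; }

// ---- V690: copy constructor without assignment operator ----
// A class owning a raw buffer needs destructor, copy constructor AND copy
// assignment; with only the first two, `a = b` does a memberwise pointer
// copy and both objects later free the same block (and the old one leaks).
class Name {
public:
    explicit Name(const char *s) : p_(dup(s)) {}
    Name(const Name &o) : p_(dup(o.p_)) {}
    // Copy-and-swap: the by-value parameter reuses the copy constructor and
    // the swap hands our old buffer to `other`, whose destructor frees it.
    Name &operator=(Name other) { std::swap(p_, other.p_); return *this; }
    ~Name() { std::free(p_); }
    const char *c_str() const { return p_ ? p_ : ""; }
private:
    static char *dup(const char *s) {
        if (s == nullptr) return nullptr;
        size_t n = std::strlen(s) + 1;
        char *d = static_cast<char *>(std::malloc(n));
        if (d != nullptr) std::memcpy(d, s, n);
        return d;
    }
    char *p_;
};

int main() {
    Buffer buf;
    buf.data = static_cast<char *>(std::malloc(8));
    buf.size = 8;
    bool ok = grow_safe(buf, 16, failing_realloc);
    std::printf("grow_safe under OOM: ok=%d, buffer still owned=%d\n",
                ok, buf.data != nullptr);
    std::free(buf.data);

    std::printf("differs_buggy(\"abc\",\"abd\") = %d (wrong), differs = %d\n",
                differs_buggy("abc", "abd"), differs("abc", "abd"));

    Name a("x"), b("yy");
    a = b;   // safe: each object keeps its own buffer
    std::printf("after a = b: a=%s b=%s\n", a.c_str(), b.c_str());
    return 0;
}
```

The injected allocator is the part worth copying into a real test suite: a leak on the out-of-memory path is exactly the case that never shows up in normal runs, which is why a static analyser flags the pattern rather than waiting for a failure.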

PVS-Studio was also used successfully by another contributor on Unvanquished, another open source project to which I recently submitted a pull request.

3/ Conclusion

One of the few criticisms I have is that it does not seem able to catch resource or memory leaks, even in very simple cases, whether in C or C++. Another proof that using more than one analyser is mandatory.

Maybe a Mac OS version with Xcode integration would be a plus in the future; I perfectly understand the development cost, but it might be worthwhile.


1 Comment:

At 29 January 2017 at 06:36 , Blogger ICS Cyber Security said...

These tips and advice are really very effective. Keep it up with sharing such useful information with us. Thanks for the post.

Code review techniques
