Skip to content

knela96/Static_Code_Analysis

Repository files navigation

Welcome, my name is Èric Canela and I'm a student of 2nd Year of UPC Tech Talent Center from Barcelona under supervision of the lecturer Ricard Pillosu on the 2nd Year Project subject. Today I will introduce you an interesting and useful guide about Static Analysis and I will explain why you should use it when developing any game or application.

When we are developing a program there is a lot of pressure and sometimes the timelines are too heavy, and the developers can’t ensure a good quality on the code, creating more bugs and slowing down de current development. To ensure that this do not happen, exist some amazing tools to make it easier and avoid possible problems in the future.

Static Code Analisis

First of all let’s talk about the concept of Static Code Analysis.

It is a method of debugging with a computer program by examining our code without having to run the program. This process provides us some feedback to find programming faults and display it to the developers. This analysis is made against a set of multiple coding guidelines to ensure the quality on the code with the current standards on the industry.

Misra ISO26262

Quality Standards

Techniques

It uses different methods to detect these errors, which are:

  • Pattern-Based Static Analysis: It looks for predefined patterns in the code and detects if they are used and reports them as a possible error.
  • Data Flow Analysis: It checks for problematic constructions against a set of rules and detect errors such as null pointers and buffer overflows.
  • Control Flow Analysis: It is an abstract representation on the software that aims to determine the order of instructions separated in blocks and the execution order.
  • Taint Analysis Detects variables that could be modifiable externally, and be used in functions that could compromise the security of the application, E.g. SQL injection.

Advantages vs. Disadvantages

Static Code Analysis

Advantages

Limitations

It can find weaknesses in the code at the exact location.

Time-consuming if conducted manually.

Problems detected earlier in the production phase

Production of false positives and false negatives.

Allow to fix the problems earlier

Need too much personal to do the tests

Fast development cycle if automated tools are used.

Do not find all the problems

Unreachable Code

Only detect problems stipulated by the quality guidelines

Variable Use(undeclared, unused)

Do not find vulnerabilities in the runtime environment

Uncalled functions

It can take dome time analyzing

When should I Use It?

During an early stage, the creation phase, just before the unit tests. Using it in this stage allow us to detect a possible vulnerability or bug that can cause a future problem and be harder to remove it, if we had find it in an early stage.

A peer developer, someone other than the developer who wrote the code, should do these tests.

Why Should I Use It?

  • Reliability
  • Maintainability
  • Portability
  • Efficiency

Available Tools

Now that we know what is the Static Analysis, we might think about which tools there are on the market. We can find Premium tools, which will give us more features and support by a moderate prize, or in the other hand, Open Source and Free tools that might be more limited.

These are some of the best tools you can find:

Premium

PC-LINT Helix QAC Code Sonar Visual Studio Goanna

Free

Cpp Check BSS Lint Parasoft C/C++ test Eclipse Frama-C Clang

Which Tool Should I Select?

The tools above are compatible with C/C++. Also, if you do a little of research, you’ll find a lot more but probably you might ask “Which tool should I select?”.

Here are some basic tips for you, to select the best one for your project:

  • Must support your programming language.
  • Which and how many vulnerabilities can detect.
  • Can it be integrated into the developer's IDE?
  • How much it cost the tool, is it Free?
  • Does it support Object-oriented programming?

Procedure of Usage

Static Analysis Tool

We are going to use CppChecker as the static code analysis tool. This is because the low rate on finding possible false positives and negatives. But it is strongly recommended to use more than one, to detect all possible errors that one tool couldn't find.

We can use between two versions:

Add-on for Visual Studio

The analyzer is thought to be used in the command line, but thanks to a plugin for Visual Studio, we will be able to see it with the interface of the Visual Studio and interactuate with the errors detected.

CppCheck GUI

With the GUI version, it will allow us to see everything much better with a clean interface. But this version has a big problem, the current version hasn't implemented all functionalities of the command line or plugin version. Even that, it will work for the main purpose of identifying the errors in the code.

Configuration

Follow these steps to configure the Add-on for Visual Studio or the GUI version:

Add-on for Visual Studio

To use the addon first you will have to download CppCheck and install on your computer

Step 1

Download and Install the .exe from the Official Website, compatible with the version of your SO.

Step 2

Download the add-on from this Repository link and install it.

Step 3

Open Visual Studio and you will notice that has been added new features in the "Tool" section. Click on the Tools -> Cppcheck settings

Step 4

It will appear the next screen, set the same configuration as the next image.

Step 5

Execute the first scan on your project by clicking on "Tools -> Check current project with cppcheck". It will ask you to find cppchecker.exe, it whould be in "C:\Program Files\Cppcheck".

You will see that has appeared a new tab at the bottom named "Cppcheck analysis results". Here will appear the warnings and errors that you have in your code and has to be fixed.

Step 6

To add filters and avoid some errors to appear, you only need to right-click on the message and it will appear some options, select the one that you need.

Step 7

To filter libraries or other files and avoid the analyzer to check them alway you execute the scan, go to "Tools -> Cppcheck settings->Edit Global Supressions.

Here you will see the suppressions that you have added:

  • Cppcheck suppressions: Are all the suppressions/filters that you have activated for the messages, errors/warnings or exact errors in a line of code.

    • *:*p2List.h to hide all warnings from the file.
    • variableScope will hide all warnings from this rule, you can check all the possible rules in this link.
    • unreachableCode:*p2SString.h:155 will hide this error from the file p2SString.h at the line 155.
  • Files excluded from check: This will deny the analyzer to scan the file.

    • j1Input\ .cpp$ will exclude the file j1Input to be scanned. (IMPORTANT: headers not supported)
  • Excluded include paths: Will exclude the path inserted, very useful for big libraries that don't need to be scanned and make the scan faster.

Once you have configured everything you only need to save and do more tests.

Step 8

If you want to create your own rules, you will have to do the Steps 9 and 10 of the CppCheck GUI Configuration, and when you create the file, save it inside the cppcheck.exe directory.

Step9

Go to "Tools->cppcheck settings" and add the next line inside Additional arguments

--library=config.cfg

CppCheck GUI

Step 1

Download and Install the .exe from the Official Website, compatible with the version of your SO.

Step 2

Go to the Installation folder and execute cppcheckgui.exe. It will appear as the image above.

Step 3

Click on File->New Project, it will ask you where do you want to store the file. I recommend you to put it in the solution folder.

Step 4

Import the project solution by clicking the top button Browse.

Step 5

Go to the Warning options tab and select your root path where you have all the files you want to scan. Exclude all the paths that you don't want to be scanned, and add the suppresions needed like messages or other possible filters.

Step 6

Save all changes and go to "Edit->Preferences" and set the configuration as the image above. This is the basic configuration to find almost all errors in your code.

Step 7

To analyze your project you only need to click on the two blue arrows and it will start scanning. When it is done, will appear a list with all errors detected.

Step8

To supress an ID you just have to right-click on the id of the message, and click Supress selected id(s). In this version of CppCheck as I said before, it is limited, to supress a message, you only have the option of suppress by id in the GUI interface.

Step 9

Create a file named "config.cfg" in the folder where is located your solution and add this line of code

<?xml version="1.0"?>

Go to File->Edit Project->Checking tab" and you will see in the list of checkboxes that has appeared one named exactly as the file, ensure to check it to make the analyzer use your rules.

Step 10

Go to View->Library Editor and open the .cfg you have created. You can create some rules for the functions you insert in this list, saying how many arguments it takes and the expected types they are or if it has to return something or not. If in your code you have the function and it is wrong, it will jump an give you an error.

TODOs

Download the Handout from the Releases and extract it to start the TODO exercises:

You can check the Solution of these TODOs exercises in the Releases page

TODO 1

Configure the Cppcheck GUI version.

TODO 2

  • Suppress the error id funcArgNamesDifferent
  • Suppress the error variableScope from line 56 of the j1Scene1.cpp (Recommendation: Use absolute path)
Solution

TODO 3

  • Exclude the path of PugiXml library
  • Exclude j1App files

(Recommendation: Use absolute path)

Solution

TODO 4

Fix Pathfinding.h and Pathfinding.cpp.

Reference Links

https://www.perforce.com/blog/qac/what-static-code-analysis

https://www.perforce.com/blog/qac/how-static-code-analysis-works

https://www.owasp.org/index.php/Static_Code_Analysis

https://www.kiuwan.com/blog/static-analysis-in-automated-software-quality-tests/

https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis#C,_C++

http://cppcheck.sourceforge.net/

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Packages

No packages published