Software Assurance            Software Hardening            Autonomic Computing

Automatic Detection of Proprietary Coding Rule Violations

Guest Blog by Rob Daulton, Consultant at Valbrio

GRMT348_Grammatech_Box760x400_Compliance 3.51.03 PM.jpg

Modern, static code analysis tools for C++ and C provide a multitude of checkers out of the box, capable of detecting many different types of defect and violation. In addition, there is likely to be lots of configurable parameters that the adventurous (or instructed!) team can tinker with to try and bend some aspect of the tools operation more to their demands. Inevitably though, situations will arise where the tool simply cannot be tuned to detect a teams particular requirement(s). These could include specialist situations impossible to predict by the tool authors, or perhaps, the team simply has certain requirements that are too unique to their environment. In many of these cases, CodeSonar, our static analysis tool for C and C++, does actually provide a solution: custom checkers.

CodeSonar provides a rich API for the creation of custom checkers. This API is offered in a number of different languages – including C, C++, C#, Java, and Python. The API provides functionality allowing your custom checker to piggy back its analysis requirements on the existent analysis framework. In more detailed terms, as the analysis automatically traverses along the statically valid paths of execution through your codebase (known as symbolic execution), your checker gets to delve into the details of the currently visited source code location, where upon, you can extract the values and states of variables or pointers, and other important characteristics, which can then be used to detect your particular proprietary issues. Once such an issue has been determined, the API also provides methods for annotating the source with English commentary, as well as registering the issue so that its reported in the same way as any other built in checker.

Continue reading on Valbrio's blog.