Using CodeSonar and SARIF with Microsoft Visual Studio Code

December 11, 2018


Here at GrammaTech, we get compliments on how well CodeSonar, and the hub in particular, displays warnings and provides the information needed to track down a root cause. As is to be expected, however, developers like to work within their own development environment and want to deal with warnings there directly, quickly and efficiently. We outlined our support for Visual Studio in a previous post, and CodeSonar also integrates with Eclipse.

For development environments that aren’t directly supported by a plugin-style integration, there is SARIF. SARIF is an open standard format for the interchange of static analysis results between development tools (see our previous post for details). Because it is a standard, CodeSonar results can be brought into any tool that supports it, such as Microsoft Visual Studio Code.

Visual Studio Code

Visual Studio Code is a free-to-use, lightweight, multi-platform code editor from Microsoft. It differentiates itself from Visual Studio proper by its small footprint and by being designed specifically for the quick code, debug, test and build cycles used in CI/CD and DevOps processes.

CodeSonar, SARIF and Visual Studio Code

In the spirit of Visual Studio Code’s design intent, we have built a lightweight yet highly functional interface to CodeSonar that uses SARIF as the exchange format. CodeSonar exports its warnings as a SARIF JSON file, which Visual Studio Code can read. Developers can then do the following within the IDE:

  • View static analysis warnings in the problems pane. These warnings can be investigated in the same manner as compilation warnings.
  • Investigate the root cause of a warning by navigating the provided crumb trail through the code.
  • Explore results via SARIF explorer to get a larger picture of where problems reside in the code.
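To make concrete what a SARIF file carries and what the IDE is rendering in the two cases above (the problems-pane entry and the crumb trail), here is an added example that is not code from the original post or from CodeSonar. It parses a SARIF log and prints each result in a problems-pane style line followed by its code flow. The log is constructed inline in SARIF 2.1.0 layout, which is an assumption because the post does not show the exporter's output; the tool name `example-analyzer`, the rule ids `EX001`/`EX002`, the file paths and the messages are all made up.

```python
"""Read a SARIF 2.1.0 log and present its results the way an IDE does: a
problems-pane style list plus each warning's code flow ("crumb trail").
The log below is constructed for this example and is not CodeSonar output;
the tool name, rule ids, file paths and messages are made up."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

def _phys(uri: str, line: int, col: int) -> dict:  # a SARIF physicalLocation (sample-building only)
    return {"artifactLocation": {"uri": uri}, "region": {"startLine": line, "startColumn": col}}

def _step(uri: str, line: int, col: int, text: str) -> dict:  # one threadFlowLocation
    return {"location": {"physicalLocation": _phys(uri, line, col), "message": {"text": text}}}

# Constructed sample: one run, two results, the first carrying a three-step code flow.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-analyzer", "rules": [
            {"id": "EX001", "shortDescription": {"text": "Null pointer dereference"}},
            {"id": "EX002", "shortDescription": {"text": "Unused value"}}]}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "p is dereferenced after being set to NULL"},
             "locations": [{"physicalLocation": _phys("src/parser.c", 42, 5)}],
             "codeFlows": [{"threadFlows": [{"locations": [
                 _step("src/parser.c", 37, 9, "p assigned NULL"),
                 _step("src/parser.c", 40, 5, "condition false, p unchanged"),
                 _step("src/parser.c", 42, 5, "p dereferenced")]}]}]},
            {"ruleId": "EX002",  # no "level": the SARIF default is "warning"
             "message": {"text": "value stored to n is never read"},
             "locations": [{"physicalLocation": _phys("src/util.c", 12, 3)}]}]}]})

@dataclass
class Step:
    uri: str
    line: int
    col: int
    text: str

@dataclass
class Problem:
    rule_id: str
    rule_desc: str
    level: str
    uri: str
    line: int
    col: int
    message: str
    trail: List[Step] = field(default_factory=list)

def _place(physical: Optional[dict]) -> Tuple[str, int, int]:
    """(uri, line, column) from a physicalLocation; a missing column defaults to 1."""
    physical = physical or {}
    region = physical.get("region", {})
    return (physical.get("artifactLocation", {}).get("uri", "<unknown>"),
            int(region.get("startLine", 0)), int(region.get("startColumn", 1)))

def parse_sarif(text: str) -> List[Problem]:
    """Flatten every run's results into Problem records, resolving rule metadata
    from tool.driver.rules and the first codeFlow/threadFlow into the crumb trail."""
    problems: List[Problem] = []
    for run in json.loads(text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id: Dict[str, dict] = {r.get("id", ""): r for r in rules}
        for res in run.get("results", []):
            rule = by_id.get(res.get("ruleId", ""), {})
            if not rule and 0 <= res.get("ruleIndex", -1) < len(rules):  # ruleIndex is the alternative key
                rule = rules[res["ruleIndex"]]
            locs = res.get("locations", [])
            uri, line, col = _place(locs[0].get("physicalLocation") if locs else None)
            trail: List[Step] = []
            for tf in (res.get("codeFlows") or [{}])[0].get("threadFlows", [])[:1]:
                for tl in tf.get("locations", []):
                    loc = tl.get("location", {})
                    trail.append(Step(*_place(loc.get("physicalLocation")),
                                      loc.get("message", {}).get("text", "")))
            problems.append(Problem(res.get("ruleId") or rule.get("id", ""),
                                    rule.get("shortDescription", {}).get("text", ""),
                                    res.get("level", "warning"), uri, line, col,
                                    res.get("message", {}).get("text", ""), trail))
    return problems

def format_problems(problems: List[Problem]) -> List[str]:
    """One 'level file:line:col rule description: message' line per result."""
    return [f"{p.level} {p.uri}:{p.line}:{p.col} {p.rule_id} {p.rule_desc}: {p.message}" for p in problems]

def format_trail(problem: Problem) -> List[str]:
    """Numbered crumb trail, from the first step to the warning location."""
    return [f"  {i}. {s.uri}:{s.line}:{s.col}  {s.text}" for i, s in enumerate(problem.trail, 1)]

if __name__ == "__main__":
    for p in parse_sarif(SAMPLE_SARIF):
        print("\n".join(format_problems([p]) + format_trail(p)))
```

Two details matter in practice: a result may omit `level`, which SARIF defines as defaulting to `warning`, and it may identify its rule by `ruleIndex` rather than `ruleId`, so a consumer that only reads `ruleId` will drop metadata. The crumb trail the IDE walks is the `codeFlows[].threadFlows[].locations[]` array; only its first code flow is shown here, which is also how most viewers present a single path.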

The following demonstration video illustrates these features: