
CodeSonar and the Clang Static Analyzer

The CodeSonar SARIF Importer loads warning information from a file in Static Analysis Results Interchange Format (SARIF) and adds those warnings to the set of analysis results recorded on the hub.

This can be used to view results from other static analysis tools, such as the Clang Static Analyzer (CSA), in CodeSonar.

Windows Note: Some Windows users have reported that they cannot run the scan-build command and obtain SARIF output even independently of CodeSonar. If you are a Windows user having difficulties completing the analysis steps below and the general troubleshooting advice does not help you resolve them, you may need to file a Clang Static Analyzer bug report.

Overview

When working with CodeSonar in conjunction with the Clang Static Analyzer, the typical workflow is to run the Clang Static Analyzer, either from an IDE such as Apple's Xcode® or from a command line tool such as scan-build, while CodeSonar observes the build. The Clang Static Analyzer performs its static analysis and also executes the host compiler to carry out an actual build of the source code. When running the Clang Static Analyzer, you must direct it to write its results in SARIF format (.sarif files) so that those results can be imported into your project.

CodeSonar can load warning information from SARIF files and add those warnings to the set of analysis results recorded on the hub. The warnings can then be browsed alongside any warnings reported by CodeSonar.

Important: SARIF exports are supported in Clang Static Analyzer v8.0 and later. If a suitable version of Clang Static Analyzer is not already available on your local system, you will need to install and configure it to use the features described in this page.

Note

In this section (and throughout this manual), $CSONAR indicates the CodeSonar installation directory.

C/C++ Analysis

The following diagram provides an overview of a CodeSonar C/C++ build/analysis process based on Clang Static Analyzer results.

diagram: building and analyzing a CodeSonar project with Clang results

To build and analyze a C/C++ project based on the invocation of the Clang Static Analyzer scan-build command, do the following.

  1. Run a codesonar build command to observe the execution of the scan-build command on your regular project build. The general form of the command is:
    codesonar build /path/to/pfiles-name [[protocol://]host:port] [other_options] \
    /path/to/clang/bin/scan-build -sarif -enable-checker core command
    Where command is your normal build command.
  2. Run a codesonar analyze or codesonar build command to observe the execution of codesonar import_sarif.py on the SARIF results that were produced by the Clang Static Analyzer. The general form of the command is:
    codesonar analyze /path/to/pfiles-name [[protocol://]host:port] [other_options] \
    codesonar import_sarif.py /tmp/scan-build-datetime/*
    Where /tmp/scan-build-datetime is the results directory named in the output of the scan-build command that the codesonar build command observed; it is different on every run. CodeSonar will finalize and analyze the project, incorporating the SARIF results.
  3. View the results in your hub.
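The two steps above leave one manual hand-off: copying the /tmp/scan-build-datetime path out of the scan-build output into the import command. The following script, added here as an example and not part of CodeSonar or Clang, automates that hand-off by snapshotting /tmp before and after the observed build and passing the one new scan-build results directory to the import step. It assumes that codesonar and scan-build are on the PATH and that scan-build uses its default /tmp/scan-build-<date>-<time>-<pid>-<run> directory naming, as in the example paths on this page; the codesonar hub argument and other options can be passed through the extra parameters.

```python
"""Run the two-step scan-build / CodeSonar workflow described above without
copying the scan-build results directory by hand.

Added example, not CodeSonar's or Clang's own tooling. Assumes `codesonar`
and `scan-build` are on PATH and that scan-build writes to its default
/tmp/scan-build-<date>-<time>-<pid>-<run> directory, as in the example paths
on this page. Usage:  python run_csa_import.py cs-myproj make
"""
import glob
import os
import re
import subprocess
import sys

# scan-build's default results directory name, e.g. scan-build-2019-03-20-112313-2843-1
SCAN_DIR_RE = re.compile(r"scan-build-\d{4}-\d{2}-\d{2}-\d{6}-\d+-\d+")


def scan_build_dirs(names):
    """Keep only scan-build results directory names, oldest first.

    The timestamp leads the name, so lexical order is chronological.
    """
    return sorted(n for n in names if SCAN_DIR_RE.fullmatch(n))


def new_scan_build_dir(before, after, tmp_root="/tmp"):
    """Return the one results directory that appeared between two listings of tmp_root.

    Comparing snapshots taken around the build is more robust than picking the
    newest directory, which could belong to a concurrent or earlier run.
    """
    seen = set(before)
    fresh = [n for n in scan_build_dirs(after) if n not in seen]
    if len(fresh) != 1:
        raise RuntimeError(f"expected exactly one new scan-build directory, found {fresh}")
    return os.path.join(tmp_root, fresh[0])


def build_command(pfiles, build_cmd, extra=()):
    """Step 1 above: codesonar build <pfiles> [extra] scan-build -sarif -enable-checker core <build_cmd>."""
    return ["codesonar", "build", pfiles, *extra,
            "scan-build", "-sarif", "-enable-checker", "core", *build_cmd]


def import_command(pfiles, sarif_paths, extra=()):
    """Step 2 above: codesonar analyze <pfiles> [extra] codesonar import_sarif.py <files>."""
    return ["codesonar", "analyze", pfiles, *extra,
            "codesonar", "import_sarif.py", *sarif_paths]


def main(argv):
    if len(argv) < 3:
        sys.exit(f"usage: {argv[0]} <pfiles-name> <build command...>")
    pfiles, build_cmd = argv[1], argv[2:]
    tmp_root = "/tmp"
    before = os.listdir(tmp_root)
    subprocess.run(build_command(pfiles, build_cmd), check=True)
    scan_dir = new_scan_build_dir(before, os.listdir(tmp_root), tmp_root)
    # The page's examples pass everything in the directory (/tmp/scan-build-datetime/*); do the same.
    sarif_paths = sorted(glob.glob(os.path.join(scan_dir, "*")))
    if not sarif_paths:
        sys.exit(f"{scan_dir} is empty: scan-build produced no result files")
    subprocess.run(import_command(pfiles, sarif_paths), check=True)


if __name__ == "__main__":
    main(sys.argv)
```

Because the directory name embeds the timestamp, sorting the names is enough to order runs chronologically; the snapshot comparison is what guarantees the import picks up this build's results and not those of an older run left in /tmp.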

Objective-C Analysis

The following diagram provides an overview of importing Objective-C analysis results into CodeSonar.

diagram: importing Objective-C analysis results and source files to CodeSonar

This section assumes that /path/to/clang/bin/ is in the PATH. To import CSA results into a CodeSonar project called ExampleTest, do the following.

  1. Run the Clang Static Analyzer on your Objective-C source code. The general form of the command is:
    scan-build -sarif -o . command
    Where command is your normal build command.
  2. Run a codesonar analyze command based on codesonar import_sarif.py to load the SARIF results that were produced by the Clang Static Analyzer into the project, along with the corresponding source files. The command will be something like the following.
    codesonar analyze ExampleTest [other codesonar options] \
    codesonar import_sarif.py /tmp/scan-build-datetime/* -include-sources /path/to/sourcefiles/**/*.[mh]
    CodeSonar will finalize the project and send the results to the hub.
  3. View the results in your hub.

Example Command Lines

The following command lines show ways of importing results produced by the Clang Static Analyzer into CodeSonar.

This section assumes that /path/to/clang/bin/ is in the PATH.

Example 1 (C/C++)

codesonar build cs-myproj scan-build -sarif -enable-checker core make
codesonar analyze cs-myproj codesonar import_sarif.py /tmp/scan-build-2019-03-20-112313-2843-1/*

Build and analyze a CodeSonar project based on the invocation of the Clang Static Analyzer.

Example 2 (C/C++)

codesonar build cs-myproj scan-build -sarif -enable-checker core make
codesonar build cs-myproj codesonar import_sarif.py /tmp/scan-build-2019-03-20-112313-2843-1/*
codesonar analyze cs-myproj

Exactly the same as Example 1, except that the SARIF output from Clang Static Analyzer is imported in a separate codesonar build invocation before the project is finalized and analyzed.

Example 3 (C/C++)

codesonar build cs-myproj scan-build -sarif -enable-checker core gcc -c file1.c
codesonar build cs-myproj codesonar import_sarif.py /tmp/scan-build-2019-03-20-112313-2843-1/report-file1.sarif
codesonar build cs-myproj scan-build -sarif -enable-checker core gcc -c file2.c
codesonar build cs-myproj codesonar import_sarif.py /tmp/scan-build-2019-03-20-121413-2137-1/report-file2.sarif
codesonar analyze cs-myproj

Observe the compilation of file1.c and file2.c and load their respective Clang analysis results from the directories reported in the Clang Static Analyzer output.

Example 4 (Objective-C)

scan-build -sarif -o . clang-9 -ObjC -framework Foundation -isysroot `xcrun --show-sdk-path` -c scratch.m
codesonar analyze ExampleTest codesonar import_sarif.py /tmp/scan-build-datetime/* -include-sources scratch.m

Analyze Objective-C source file scratch.m with the Clang Static Analyzer, then import both the source file and the analysis results into a CodeSonar project.

Troubleshooting

If the corresponding Analysis page on your hub is not showing any results from the Clang Static Analyzer, check the following.

A. Do you have a sufficiently recent version of Clang Static Analyzer?

The CodeSonar integration requires Clang Static Analyzer v8.0 or later.

B. Does your scan-build command run correctly in isolation?

  1. Run make clean to ensure you will be fully rebuilding the project.
    make clean
  2. Run the scan-build command in isolation.
    /path/to/clang/bin/scan-build -sarif -enable-checker core command
    Where command is your normal build command.
  3. If scan-build does not run correctly in isolation, the problem is within scan-build and is independent of CodeSonar. In that case:
    1. Consult the scan-build documentation for help in diagnosing and resolving your problem.
    2. If you still cannot run scan-build in isolation, file a Clang Static Analyzer bug report.

C. Is your codesonar analyze command line free from typos?

Double-check to make sure your codesonar analyze command line contains all the required elements.

In particular, make sure you have specified the correct path to the directory where scan-build wrote its SARIF files. This will be different every time you run scan-build.
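A further check, sitting between B and C, is whether the SARIF files in that directory actually contain anything to import. The following script, added here as an example and not CodeSonar's import_sarif.py, reads every .sarif file in a scan-build results directory and reports what the importer will see: how many results each file holds, which checkers produced them, and which source files they reference, flagging referenced files that do not exist under a given source root (the files an -include-sources import would not be able to pick up). The embedded sample document is constructed for the test and is not real scan-build output; the scan-build directory and source root are command-line arguments.

```python
"""Pre-import sanity check for the SARIF files scan-build wrote.

Added example, not CodeSonar's import_sarif.py. It reports what the importer
will see in a scan-build results directory, so that an empty Analysis page can
be traced to empty or malformed SARIF rather than to the import command.
Usage:  python check_sarif.py /tmp/scan-build-<datetime> [source-root]
"""
import glob
import json
import os
import sys
from collections import Counter

# Constructed sample shaped like a minimal SARIF 2.1.0 log; not real scan-build output.
SAMPLE_SARIF = """{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "clang"}},
    "results": [
      {"ruleId": "core.NullDereference", "level": "warning",
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "file1.c"}}}]},
      {"ruleId": "core.NullDereference", "level": "warning",
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/file2.c"}}}]},
      {"ruleId": "unix.Malloc", "level": "warning",
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "file1.c"}}}]}
    ]
  }]
}"""


def parse_sarif(text):
    """Parse SARIF JSON and reject anything that is not a SARIF 2.1.0 log."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0" or not isinstance(doc.get("runs"), list):
        raise ValueError("not a SARIF 2.1.0 document")
    return doc


def load_sarif(path):
    with open(path, encoding="utf-8") as fh:
        return parse_sarif(fh.read())


def summarize(doc):
    """Return (result count, Counter by ruleId, set of referenced artifact URIs)."""
    count, by_rule, uris = 0, Counter(), set()
    for run in doc["runs"]:
        for result in run.get("results", []):
            count += 1
            by_rule[result.get("ruleId", "<no ruleId>")] += 1
            for loc in result.get("locations", []):
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri"))
                if uri:
                    uris.add(uri)
    return count, by_rule, uris


def missing_sources(uris, source_root):
    """Referenced files that do not exist under source_root, in sorted order.

    A leading file:// scheme is stripped; relative URIs resolve against source_root.
    """
    missing = []
    for uri in sorted(uris):
        path = uri[len("file://"):] if uri.startswith("file://") else uri
        if not os.path.isabs(path):
            path = os.path.join(source_root, path)
        if not os.path.isfile(path):
            missing.append(uri)
    return missing


def main(argv):
    if len(argv) < 2:
        sys.exit(f"usage: {argv[0]} <scan-build results dir> [source root]")
    scan_dir = argv[1]
    source_root = argv[2] if len(argv) > 2 else os.getcwd()
    files = sorted(glob.glob(os.path.join(scan_dir, "*.sarif")))
    if not files:
        sys.exit(f"no .sarif files in {scan_dir}; check the path printed by scan-build")
    total = 0
    for path in files:
        try:
            count, by_rule, uris = summarize(load_sarif(path))
        except (OSError, ValueError) as exc:  # JSONDecodeError is a ValueError
            print(f"{path}: unreadable ({exc})")
            continue
        total += count
        print(f"{path}: {count} result(s)")
        for rule, n in by_rule.most_common():
            print(f"    {n:5d}  {rule}")
        for uri in missing_sources(uris, source_root):
            print(f"    missing source: {uri}")
    print(f"{total} result(s) in {len(files)} file(s)")


if __name__ == "__main__":
    main(sys.argv)
```

A directory whose files all parse but report zero results points back to check B (scan-build found nothing, or the wrong checkers were enabled); a directory with no .sarif files at all points to check C (the wrong path was passed to codesonar import_sarif.py).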

Example/Tutorial

An illustrated usage example for using the CodeSonar SARIF importer to incorporate results found by the Clang Static Analyzer is provided in section SARIF Importer for CodeSonar Using the Clang Static Analyzer: Example.