SAST Tools Must Support Your Embedded Operating Systems, Toolchains & Compilers – Choose Wisely
Embedded software development is tightly coupled to the development platform in use. Whether the target is bare metal, a commercial RTOS or embedded Linux, the toolchain is a central component of the development process, so tools that are meant to help developers and integrate into their workflows must also support the toolchain of choice.
The compiler suite is a clear example. For projects built on a commercial RTOS, the toolchain is typically sold as part of the package. For bare metal development, the toolchain may come from the chip vendor or from a well-known specialist such as our partner IAR.
Supporting a Wide Variety of Host and Embedded Target Compilers
GrammaTech CodeSonar ships with a large number of pre-installed compiler and compiler driver models and is expected to be compatible with widely used versions of these compilers. Other compilers can be accommodated either through the generic compiler model or through the custom compiler model combined with some scripting.
The following table lists the supported compiler models and the hosts on which each is supported (Linux, FreeBSD, NetBSD and Microsoft Windows).
| Model | Description | Linux | FreeBSD | NetBSD | Windows |
|---|---|---|---|---|---|
| armcc | ARM RealView Compiler Tools C/C++ compiler | | | | |
| armclang | ARM Clang compiler | | | | |
| borland | Borland C++ for Win32, Embarcadero C++ for Win32 | | | | |
| c++ppc | Wind River version of GNU C++ compiler | | | | |
| c51 | Keil C51 C compiler | | | | |
| cc | Generic C compiler | | | | |
| ccppc | Wind River version of GNU C compiler | | | | |
| ccrx | Renesas C/C++ compiler for RX family | | | | |
| ch38 | Renesas C/C++ compiler for H8S, H8/300 Series | | | | |
| chc12 | Freescale CodeWarrior for HC12 | | | | |
| cl | Microsoft C compiler | | | | |
| cl30 | Texas Instruments TMS320C3x/C4x Optimizing Compiler | | | | |
| cl6x | Texas Instruments TMS320C6000 Optimizing C/C++ Compiler | | | | |
| clang | Clang C compiler | | | | |
| clangpp | Clang C++ compiler | | | | |
| cosmic | Cosmic C compilers | | | | |
| cvavr | CodeVisionAVR C compiler | | | | |
| dcc | Wind River C and C++ compilers | | | | |
| ecomppc | Green Hills C compiler | | | | |
| gcc | GNU Compiler Collection C compiler | | | | |
| gpp | GNU Compiler Collection C++ compiler | | | | |
| icc430 | IAR MSP430 compiler | | | | |
| iccarm | IAR ARM compiler | | | | |
| iccavr | IAR AVR compiler | | | | |
| iccgeneric | IAR compilers not covered by specific models | | | | |
| iccm32c | IAR M32C compiler | | | | |
| iccrx | IAR Renesas RX compiler | | | | |
| iccstm8 | IAR STM8 compiler | | | | |
| iccv850 | IAR V850 compiler | | | | |
| mcc18 | MPLAB C18 C compiler | | | | |
| mcpcom | Intel C/C++ compiler | | | | |
| mwccmcf | Freescale CodeWarrior for ColdFire compiler | | | | |
| picc | Hi-Tech C compiler | | | | |
| qcc | QNX C/C++ compiler | | | | |
| shc | Renesas C compiler for the SuperH RISC engine family | | | | |
| shcpp | Renesas C++ compiler for the SuperH RISC engine family | | | | |
| tasking | The TASKING TriCore, PCP, and C166/ST10 compilers | | | | |
| visualdsp | The SHARC, TigerSHARC and Blackfin compilers that ship with VisualDSP++ | | | | |
| xcc | Customizable C compiler | | | | |
Table of GrammaTech CodeSonar v7 Supported Compilers
Compiler support matters during the software build process. At the developer desktop, it is equally important to support the integrated development environments developers are already using.
Supporting SAST at the Developer Desktop
CodeSonar integrates with the most popular Integrated Development Environments (IDEs) on the market, including the Eclipse IDE, Microsoft Visual Studio and Visual Studio Code. These integrations shift security and quality improvement left by bringing the power of SAST and advanced static analysis directly to the developer. Finding and fixing software weaknesses as the code is written greatly reduces the downstream cost of these vulnerabilities.
The CodeSonar integration with these IDEs provides the following capabilities:
- Menu and toolbar shortcuts for quick access to the CodeSonar features.
- View warnings in the editor as you would any other error or warning. Warnings are displayed in the code view and in the warning panels, typically below the code view. Clicking on a warning in either location opens a new panel with more details on the issue plus access to additional CodeSonar features such as setting priority and state information.
- Show the warning path with the events that lead to the warning. The trace is navigable within the CodeSonar panel and back to the code view, which greatly simplifies determining whether the warning is genuine.
- Record permanent assessments on warnings once their priority and accuracy have been determined. Any settings applied to a warning are persisted in the CodeSonar database in the same manner as in the web UI.
- List active warnings for further investigation across the whole project. From there, the CodeSonar web UI can be opened to perform any required actions.
- Kick off builds and new analyses from within the IDE, making it quick and easy to see updated results after recent fixes or code changes. This is a good way to ensure code has been analyzed and fixed before it is committed to source control or submitted to a build.
- Results are automatically synchronized with a CodeSonar Hub, enabling the development team to manage results in a coordinated way.
SAST Tool Considerations Match Operating System Platform
When buying any product, quality, reliability, and long-term maintenance are key factors. When buying a commercial embedded operating system or adopting a free and open source alternative, similar factors apply. The same considerations should apply to SAST tool selection:
- Quality and performance: There is a baseline of expected product quality for tools, operating systems, and platform libraries in embedded systems. These products are expected to be of high quality and to meet industry standards for security and safety, including certification where needed. SAST tools must belong to the same category of trusted tools.
- Documentation and support: Customers have high expectations of technical and after-sales support for embedded OS platforms. In many cases they need custom engineering work to make the platform support their specific hardware. SAST tools must offer the same level of support and documentation, with the ability to be customized for specific applications.
- Risk reduction: Embedded OS platforms are purchased as a lower-risk alternative to home-grown solutions. A proven solution is less risky than an unproven one, and vendors are selected on that basis. SAST tools must demonstrably reduce risk further without disrupting the developer workflow.
- Reputation: Vendor reputation plays an important part in the choice of embedded development tools. Vendors are typically in business for decades and have proven-in-use statistics that satisfy strict safety and security guidelines. SAST vendors should be held to the same standard: a proven track record of product success combined with innovation and support.
Summary
Embedded software development relies on the development platform in use. Whether the target is bare metal, a commercial RTOS or embedded Linux, the toolchain is a central component of the development process. The quality, reliability and support expectations for SAST tools should be the same as for the platform itself. CodeSonar has a proven track record in embedded development and extensive support for the most popular IDEs and embedded toolchains.
More detailed information on CodeSonar supported Platforms, Languages, and Compilers
More detailed information on CodeSentry supported On-Premise System Requirements & Supported File Formats
Visit Mark Hermeling at Embedded World, Nuremberg, DE, in Booth #423, Hall 4, from March 14-16, 2023.
The post SAST Tools Must Support Your Embedded Operating Systems, Toolchains & Compilers – Choose Wisely appeared first on GrammaTech.
*** This is a Security Bloggers Network syndicated blog from GrammaTalk | Grammatech authored by Alison Napolitano. Read the original post at: https://www.grammatech.com/learn/sast-tools-must-support-your-embedded-operating-systems-toolchains-compilers-chose-wisely/