
SAST Tools Must Support Your Embedded Operating Systems, Toolchains & Compilers – Choose Wisely

Embedded software development is tightly coupled to the development platform in use. Whether it’s bare metal development, a commercial RTOS or embedded Linux, the tool chain is a central component of the development process. It’s imperative that tools meant to help developers and integrate into their workflows also support the tool chain of choice.

The compiler suite is a clear example. In projects using a commercial RTOS, the tool chain is typically sold as part of the package. In bare metal development, the tool chain might come from the chip vendor or from a well-known specialist such as our partner, IAR.

Supporting a Wide Variety of Host and Embedded Target Compilers

GrammaTech CodeSonar ships with a large number of pre-installed compiler and compiler driver models and is expected to be compatible with widely used versions of these compilers. Other compilers can be accommodated either through the generic compiler model or through the custom compiler model, accompanied by some scripting.

The following table lists the supported compiler models; the product documentation gives the host configuration for each model on Linux, FreeBSD, NetBSD and Microsoft Windows hosts.

| Model | Description |
|---|---|
| armcc | ARM RealView Compiler Tools C/C++ compiler |
| armclang | ARM Clang compiler |
| borland | Borland C++ for Win32, Embarcadero C++ for Win32 |
| c++ppc | Wind River version of GNU C++ compiler |
| c51 | Keil C51 C compiler |
| cc | Generic C compiler |
| ccppc | Wind River version of GNU C compiler |
| ccrx | Renesas C/C++ compiler for RX family |
| ch38 | Renesas C/C++ compiler for H8S, H8/300 Series |
| chc12 | Freescale CodeWarrior for HC12 |
| cl | Microsoft C compiler |
| cl30 | Texas Instruments TMS320C3x/C4x Optimizing Compiler |
| cl6x | Texas Instruments TMS320C6000 Optimizing C/C++ Compiler |
| clang | Clang C compiler |
| clangpp | Clang C++ compiler |
| cosmic | Cosmic C compilers |
| cvavr | CodeVisionAVR C compiler |
| dcc | Wind River C and C++ compilers |
| ecomppc | Green Hills C compiler |
| gcc | GNU Compiler Collection C compiler |
| gpp | GNU Compiler Collection C++ compiler |
| icc430 | IAR MSP430 compiler |
| iccarm | IAR ARM compiler |
| iccavr | IAR AVR compiler |
| iccgeneric | IAR compilers not covered by specific models |
| iccm32c | IAR M32C compiler |
| iccrx | IAR Renesas RX compiler |
| iccstm8 | IAR STM8 compiler |
| iccv850 | IAR V850 compiler |
| mcc18 | MPLAB C18 C compiler |
| mcpcom | Intel C/C++ compiler |
| mwccmcf | Freescale CodeWarrior for ColdFire compiler |
| picc | Hi-Tech C compiler |
| qcc | QNX C/C++ compiler |
| shc | Renesas C/C++ compilers for the SuperH RISC engine family |
| shcpp | Renesas C/C++ compilers for the SuperH RISC engine family |
| tasking | The TASKING TriCore, PCP, and C166/ST10 compilers |
| visualdsp | The SHARC, TigerSHARC and Blackfin compilers that ship with VisualDSP++ |
| xcc | Customizable C compiler |

Table of GrammaTech CodeSonar v7 Supported Compilers

Compiler support matters during the software build process. At the developer desktop, it’s equally important to support the integrated development environments developers are already using.

Supporting SAST at the Developer Desktop

CodeSonar integrates with the most popular Integrated Development Environments (IDEs) on the market, such as the Eclipse IDE, Microsoft Visual Studio and Visual Studio Code. These integrations shift security and quality improvement left by bringing the power of SAST and advanced static analysis directly to the developer. Finding and fixing software weaknesses as the code is written greatly reduces the downstream cost of these vulnerabilities.

The CodeSonar integration with top IDEs provides the following capabilities:

  • Menu and toolbar shortcuts for quick access to CodeSonar features.
  • View warnings in the editor as you would any other error or warning. Warnings are displayed in the code view and in the warning panels, typically below the code view. Clicking on a warning in either location brings up a new panel with more details on the issue plus access to additional CodeSonar features such as setting priority and state information.
  • Show the warning path with the events that lead to the warning. The trace is navigable within the CodeSonar panel and back to the code view, which greatly simplifies the analysis needed to determine whether the warning is a true positive.
  • Perform permanent assessments on warnings once their priority and accuracy have been determined. Any settings given to a warning are persisted in the CodeSonar database in the same manner as in the web UI.
  • List active warnings to perform further investigation across the whole project. It’s then possible to open the CodeSonar web UI to take any required actions.
  • Kick off builds and new analyses from within the IDE to make it quick and easy to see updated results based on recent fixes or code changes. This is a good way to ensure code has been analyzed and fixed before it is submitted to a build or to source control.
  • Results are automatically synchronized with a CodeSonar Hub, enabling the development team to manage results in a coordinated way.

SAST Tool Considerations Match Operating System Platform

When buying any product, quality, reliability, and long-term maintenance are key factors. Similar factors apply when buying commercial embedded operating systems or adopting free and open source alternatives. The same considerations should apply to SAST tool selection:

  • Quality and performance: There is a baseline of expected product quality for tools, operating systems, and platform libraries in embedded systems. These products are expected to be of high quality and to meet industry standards for security and safety, including certification where needed. SAST tools must belong to the same category of trusted tools.
  • Documentation and support: Customers have high expectations of technical and after-sales support for embedded OS platforms. In many cases they need custom engineering work to make the platform support their specific hardware. SAST tools must offer the same level of support and documentation, with the ability to be customized for specific applications.
  • Risk reduction: Embedded OS platforms are purchased as a reduced-risk alternative to home-grown solutions. Going with a proven solution is less risky than an unproven one, and vendors are selected on this criterion. SAST tools must demonstrably reduce risk further without disrupting the developer workflow.
  • Reputation: Vendor reputation plays an important part in the choice of embedded development tools. Vendors are typically in business for decades and have proven-in-use statistics that satisfy strict safety and security guidelines. SAST vendors need to be held to the same standard: a proven track record of product success, together with innovation and support.

Summary

Embedded software development relies on the development platform in use. Whether it’s bare metal development, a commercial RTOS or embedded Linux, the tool chain is a central component of the development process. The quality, reliability and support expectations for SAST tools should be the same as those for the platform itself. CodeSonar has a proven track record in embedded development and extensive support for the most popular IDEs and embedded tool chains.

More detailed information on CodeSonar supported Platforms, Languages, and Compilers

More detailed information on CodeSentry supported On-Premise System Requirements & Supported File Formats

Visit Mark Hermeling at Embedded World in Nuremberg, Germany, Booth #423, Hall 4, from March 14-16, 2023.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Mark Hermeling. Read the original post at: https://blogs.grammatech.com/sast-tools-must-support-your-embedded-operating-systems-toolchains-compilers