
Two Key New Features in CodeSonar

CodeSonar 7.3 is available to all customers under current support and maintenance agreements and as always, GrammaTech highly recommends that users upgrade to the latest release. The release notes provide a great summary of the new features.

In this blog, I want to pick out two features that power users will want to be aware of. There are always the usual enhancements around parser upgrades that ensure CodeSonar stays at the forefront of language support, compiler model work, new warning classes (interesting especially if MISRA is your cup of tea), latest CWE (e.g., 4.10) support, and so forth.

In this blog post I want to talk about two specific features though:

  • Remote-Archive, and
  • Properties

Remote-Archive

CodeSonar has an amazing set of features that help you navigate a piece of source code. The starting point is usually a warning in a procedure. Using the info window and/or the warning details page, you can see the call tree showing which path of functions reaches the offending function, as in the following diagram:

Figure 1 – Call-tree for rsa_get_public_exp


With this, you can then select a path and get all the code in-line, which makes it really easy to understand cross-compilation unit and cross-function warning paths. This is one of CodeSonar’s strengths, not just looking at local patterns, but actually performing abstract execution across the whole program to find bugs.

The other key capability is the Info window. This gives you a quick overview of the function you hover over and lets you see where the function is used, where a variable comes from, quickly look up other pieces of code that you need to cross-reference, and so forth. It really is a very powerful and much-loved piece of capability.


Figure 2 – Info window

There was only one problem with this capability: it required the user to keep the program model around after analysis. That is complicated, because the model usually lives on a build host or in a container, which often gets removed and is hard to keep track of.

CodeSonar 7.3 now lets you designate a host and send the program models to that host after analysis for safekeeping. In most configurations that host would be the hub. This is what the remote-archive feature, a new addition to the command line, does.

 In true GrammaTech tradition, product management and engineering have done an amazing job to design this feature. There are all types of limits and ownership rights that you can assign to the feature and it supports Role Based Access Control as well. You can have different teams use different hosts for the remote-archive capability for scalability too. CodeSonar is used by teams from 1 to thousands of engineers, so scalability is critical.

 This feature by itself is worth the upgrade to CodeSonar 7.3.

 And then we have Properties, another key feature worth an upgrade by itself as well.

 Properties

CodeSonar is a key component of the DevSecOps workflow. It performs a critical step in the approval of pipelines, and without it many teams are unable to release their software. Before CodeSonar 7.3 it was hard to create traceability from a pipeline to a CodeSonar analysis to a test report and back. This is where Properties come in.

Properties are key-value pairs that you can attach to an analysis, either on the command line during the analysis step, in the GUI, or through the REST API. Technically we snuck the REST API (with SwaggerUI support) into CodeSonar 7.2. These properties can document anything: for example, I like to put the git commit hash in a property named commitHash, but you can put in a Gerrit Change-Id, a JIRA ticket number, anything. You can then use the property (key-value pair) as a search term to retrieve the analyses that correspond to it.

Figure 3 – Example property

This is invaluable in large teams; it allows for bi-directional navigation from code repository (branch) to CodeSonar and back. The ability to make your CodeSonar environment branch-aware will greatly help large teams manage their workflows.


*** This is a Security Bloggers Network syndicated blog from Blog authored by Mark Hermeling. Read the original post at: https://blogs.grammatech.com/two-key-new-features-in-codesonar
