15 minutes to Start a New Project in CodeSecure CodeSonar
As mentioned before, I run CodeSonar regularly on open-source projects. Earlier this week, I added CPPCheck to the list of open-source projects. This is kind of ironic, as CPPCheck is an open-source static analysis offering. The differences between CPPCheck and CodeSonar are significant. CodeSonar is a team tool, has a persistent database for tracking findings over time and annotation, can run in parallel and distributed, and scans quite a bit deeper, including using techniques such as abstract execution.
That all aside, it took me about 15 minutes of active work to get CPPCheck to analyze:
- Create a build container and push it to my private registry.
- Fork CPPCheck and create a pipeline yaml file.
- Add the right environment variables for logins, Docker secrets, and such.
- Register a runner for the project on my Kubernetes cluster.
- Create a pull request and adjust paths where needed.
I will monitor CPPCheck regularly going forward, but here is an interesting finding by our copy-paste error checker. This checker finds code that looks like it was copied and pasted with incomplete variable substitution, which you can clearly see in this screenshot.

It is unclear whether this is actually a problem or not; I'll file a ticket soon. Give us a call if you want us to demonstrate how to integrate CodeSonar into your CI/CD pipeline.
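To illustrate the pattern that checker flags, here is a simplified line-pair heuristic added for this post (not CodeSonar's or CPPCheck's code): two consecutive lines that differ only by one identifier rename, while the old identifier still survives elsewhere in the copied line. The C function in `SAMPLE` is constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

TOKEN = re.compile(r"\w+|[^\w\s]")          # identifiers/numbers or single punctuation chars
IDENT = re.compile(r"^[A-Za-z_]\w*$")
COMMENT = re.compile(r"/\*.*?\*/|//.*")      # single-line C comments are ignored

def tokenize(line: str) -> List[str]:
    """Split a C-like line into tokens after stripping comments."""
    return TOKEN.findall(COMMENT.sub("", line))

def incomplete_substitution(prev: str, cur: str) -> Optional[Tuple[str, str]]:
    """Return (old, new) if `cur` looks like a copy of `prev` in which the
    identifier `old` was renamed to `new` in some places but not all."""
    a, b = tokenize(prev), tokenize(cur)
    if len(a) != len(b) or a == b:
        return None
    diffs = [(x, y) for x, y in zip(a, b) if x != y]
    old, new = diffs[0]
    # every difference must be the same identifier rename old -> new
    if not (IDENT.match(old) and IDENT.match(new)):
        return None
    if any(d != (old, new) for d in diffs):
        return None
    # the copied line still contains `old` at positions that were not renamed
    leftover = sum(1 for x, y in zip(a, b) if x == old and y == old)
    return (old, new) if leftover else None

def find_copy_paste_slips(source: str) -> List[Tuple[int, str, str]]:
    """Scan consecutive non-blank lines and report (line_no, old, new) hits."""
    hits, prev = [], None
    for n, line in enumerate(source.splitlines(), start=1):
        if not line.strip():
            continue
        if prev is not None:
            r = incomplete_substitution(prev, line)
            if r:
                hits.append((n, r[0], r[1]))
        prev = line
    return hits

# Constructed sample: the third assignment was pasted from the second
# and only the left-hand side was updated.
SAMPLE = """\
void scale3(struct vec *out, const struct vec *in, float k)
{
    out->x = in->x * k;
    out->y = in->y * k;
    out->z = in->y * k;   /* bug: in->y should be in->z */
}
"""

if __name__ == "__main__":
    for n, old, new in find_copy_paste_slips(SAMPLE):
        print(f"line {n}: '{old}' renamed to '{new}' but '{old}' still remains")
```

A real checker works on the parsed AST rather than text lines, so this heuristic will miss renames across line breaks and can flag intentional repetition; it is only meant to show the shape of the finding.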
*** This is a Security Bloggers Network syndicated blog from TalkSecure | CodeSecure authored by Mark Hermeling. Read the original post at: https://codesecure.com/learn/15-minutes-to-start-a-new-project-in-codesecure-codesonar/