Tool combines static analysis with dynamic analysis

GrammaTech claims that CodeSonar is the first static analysis tool that can extend source code static analysis into libraries that are only available in binary form through its CodeSonar/Libraries plugin. Other static analysis tools for source code ignore calls into binary libraries - effectively treating those calls as if they were not there.

With 25% of embedded projects utilising third party libraries, according to VDC Research, this simplification easily leads to undetected problems (false negatives). Proper reasoning about the source code requires interpreting effects of the library code. This simplification also misses problems caused by misuse of the library API.

CodeSonar/Libraries adds the capability to seamlessly switch between source and binary analysis as it examines possible paths through the programme. This results in a net increase of the number of problems detected in the user’s source code.

Many software development projects use binary libraries with content from third party vendors, or from existing legacy code. Examples of these include firmware, operating system libraries, graphical user interface subsystems, or middleware layers such as CORBA, DDS, MQTT or others.

CodeSonar/X is a new capability connecting static analysis with dynamic analysis to help software developers improve efficiency, further reduce risk and decrease time-to-market. This plug-in for GrammaTech’s CodeSonar reports state corruptions during host-based testing by monitoring memory access. It combines static and dynamic violations and reports them in the CodeSonar User Interface, helping engineers correlate and prioritise.

Mark Hermeling, Senior Director Product Marketing at GrammaTech, said: “The use of libraries as well as state corruption due to buffer overruns are often blind spots for software development teams.

“Incorrect use of libraries can lead to difficult to detect run-time errors, while a missed buffer overrun can lead to a cyber vulnerability, which can have a severe impact on safety and security critical devices. CodeSonar/Libraries and CodeSonar/X demonstrate GrammaTech’s innovation and thought leadership in the field of static analysis for devices where failure is not an option.”