Source code static analysis tool recommendations

Hi folks-

Does anybody have any recommendations for static source code analysis 
tools based on practical use?

My customer is asking us to apply a static source code analysis tool to 
an existing medical product.  The product is undergoing changes for 
which the FDA requires another round of testing.  The customer was 
dinged by the FDA for not using an analysis tool so they want to correct 
the process this time around.

My concerns are:
- cost
- time to set up
- effectiveness
- too many false problems identified
- open source vs paid product

The project size is about 50K lines of code.

Thanks - John

On Fri, 2 Feb 2018 13:32:42 -0800, John Speth <johnspeth@yahoo.com>
wrote:

>Hi folks-
>
>Does anybody have any recommendations for static source code analysis 
>tools based on practical use?
>
>My customer is asking us to apply a static source code analysis tool to 
>an existing medical product.  The product is undergoing changes for 
>which the FDA requires another round of testing.  The customer was 
>dinged by the FDA for not using an analysis tool so they want to correct 
>the process this time around.
>
>My concerns are:
>- cost
>- time to set up
>- effectiveness
>- too many false problems identified
>- open source vs paid product
>
>The project size is about 50K lines of code.
>
>Thanks - John

What language(s) and what platform should the tool run on?


This is going back a ways [so take with a grain of salt] but circa
2000 when I was in medical imaging the FDA was quite happy with Lint
for C or C++.

If the code never has been linted previously, you are likely to get
many pages of warnings.  Examining them, you are likely to find quite
a large percentage are trivial / ignorable, but checking a large code
base for the 1st time will not go quickly.

All the tools I am familiar with allow to disable particular checks
that consistently produce ignorable results.  But you have to
determine that by actually looking at the code.

Whatever tool you use, you'll need to verify that the FDA will accept
the result ... I've been away from that arena for too long to know
what tools currently are acceptable.


George

On 2/2/2018 3:24 PM, George Neuner wrote:
> On Fri, 2 Feb 2018 13:32:42 -0800, John Speth <johnspeth@yahoo.com>
> wrote:
> 
>> Hi folks-
>>
>> Does anybody have any recommendations for static source code analysis
>> tools based on practical use?
>>
>> My customer is asking us to apply a static source code analysis tool to
>> an existing medical product.  The product is undergoing changes for
>> which the FDA requires another round of testing.  The customer was
>> dinged by the FDA for not using an analysis tool so they want to correct
>> the process this time around.
>>
>> My concerns are:
>> - cost
>> - time to set up
>> - effectiveness
>> - too many false problems identified
>> - open source vs paid product
>>
>> The project size is about 50K lines of code.
>>
>> Thanks - John
> 
> What language(s) and what platform should the tool run on?
> 
> 
> This is going back a ways [so take with a grain of salt] but circa
> 2000 when I was in medical imaging the FDA was quite happy with Lint
> for C or C++.
> 
> If the code never has been linted previously, you are likely to get
> many pages of warnings.  Examining them, you are likely to find quite
> a large percentage are trivial / ignorable, but checking a large code
> base for the 1st time will not go quickly.
> 
> All the tools I am familiar with allow to disable particular checks
> that consistently produce ignorable results.  But you have to
> determine that by actually looking at the code.
> 
> Whatever tool you use, you'll need to verify that the FDA will accept
> the result ... I've been away from that arena for too long to know
> what tools currently are acceptable.

Thanks George.  The code is in C.  We'd like to run the tools on Windows 
computers.

It happens that the first FDA submission was subject to only PC-Lint. 
The customer told me that the FDA did accept that test but I didn't 
believe it.  PC-Lint is not a deep testing tool, in my opinion.  I'll 
need to take a second look at that.

JJS

On Fri, 2 Feb 2018 17:13:40 -0800, John Speth <johnspeth@yahoo.com>
wrote:

>On 2/2/2018 3:24 PM, George Neuner wrote:
>> On Fri, 2 Feb 2018 13:32:42 -0800, John Speth <johnspeth@yahoo.com>
>> wrote:
>> 
>>> Hi folks-
>>>
>>> Does anybody have any recommendations for static source code analysis
>>> tools based on practical use?
>>>
>>> My customer is asking us to apply a static source code analysis tool to
>>> an existing medical product.  The product is undergoing changes for
>>> which the FDA requires another round of testing.  The customer was
>>> dinged by the FDA for not using an analysis tool so they want to correct
>>> the process this time around.
>>>
>>> My concerns are:
>>> - cost
>>> - time to set up
>>> - effectiveness
>>> - too many false problems identified
>>> - open source vs paid product
>>>
>>> The project size is about 50K lines of code.
>>>
>>> Thanks - John
>> 
>> What language(s) and what platform should the tool run on?
>> 
>> 
>> This is going back a ways [so take with a grain of salt] but circa
>> 2000 when I was in medical imaging the FDA was quite happy with Lint
>> for C or C++.
>> 
>> If the code never has been linted previously, you are likely to get
>> many pages of warnings.  Examining them, you are likely to find quite
>> a large percentage are trivial / ignorable, but checking a large code
>> base for the 1st time will not go quickly.
>> 
>> All the tools I am familiar with allow to disable particular checks
>> that consistently produce ignorable results.  But you have to
>> determine that by actually looking at the code.
>> 
>> Whatever tool you use, you'll need to verify that the FDA will accept
>> the result ... I've been away from that arena for too long to know
>> what tools currently are acceptable.
>
>Thanks George.  The code is in C.  We'd like to run the tools on Windows 
>computers.
>
>It happens that the first FDA submission was subject to only PC-Lint. 
>The customer told me that the FDA did accept that test but I didn't 
>believe it.  PC-Lint is not a deep testing tool, in my opinion.  I'll 
>need to take a second look at that.

I haven't seen PC-Lint in many years, so I can't comment on that.
Splint and cppcheck are free alternatives that are worth a look.  

There's an add-in that will integrate cppcheck into any recent Visual
Studio edition.  Also VS Professional (or better) since 2013 has a
pretty decent lint module included.

Splint works fine with VS, but there's no integration available AFAIK.
You can use it as an external tool.


Synopsys's Coverity Scan is quite nice and decently comprehensive, but
note that I only have used the free online version, which uploads your
code to Synopsys's servers for analysis [and license-wise requires
your project to be FOSS].  They do sell a version for proprietary use,
but I have no knowledge of the cost.


At this point, I'm out of suggestions.  Maybe someone else has other
ideas?  

George

Am 03.02.2018 um 09:40 schrieb George Neuner:
> On Fri, 2 Feb 2018 17:13:40 -0800, John Speth <johnspeth@yahoo.com>
>> Thanks George.  The code is in C.  We'd like to run the tools on Windows 
>> computers.
>>
>> It happens that the first FDA submission was subject to only PC-Lint. 
>> The customer told me that the FDA did accept that test but I didn't 
>> believe it.  PC-Lint is not a deep testing tool, in my opinion.  I'll 
>> need to take a second look at that.
> 
> I haven't seen PC-Lint in many years, so I can't comment on that.
> Splint and cppcheck are free alternatives that are worth a look.  
> 
> There's an add-in that will integrate cppcheck into any recent Visual
> Studio edition.  Also VS Professional (or better) since 2013 has a
> pretty decent lint module included.

Not sure what lint module you're referring to, but Visual Studio has had
an "/analyze" option for quite some while. I remember there some tricks
circulating for enabling that on editions that did not officially
support it. One advantage that tool has over others is that it knows
Windows APIs, and finds things like "this API call returns a handle that
you should close if you don't need it".

The same thing can be said of cppcheck: it knows some POSIX APIs and
tells you you're leaking stuff.

> Splint works fine with VS, but there's no integration available AFAIK.
> You can use it as an external tool.
> 
> Synopsys's Coverity Scan is quite nice and decently comprehensive, but
> note that I only have used the free online version, which uploads your
> code to Synopsys's servers for analysis [and license-wise requires
> your project to be FOSS].  They do sell a version for proprietary use,
> but I have no knowledge of the cost.

Our company evaluated Coverity vs. Klocwork and ended up at Klocwork,
although I was not involved at the decision.

My main gripe with tools of that kind is that they have tons of checkers
and people turn them on all at once because they can. Klocwork literally
has something to say for every line of code, ending up with tens of
thousands of "issues" in a perfectly working software. Our QA people
defined a subset what to consider critical - about 1% of that - and even
of that remainder, in my team's software only 1% is actual problems, 50%
is style issues ("no 'break' after the last branch of this 'switch'",
"no '&' before this function name used as pointer"), and the remainder
is false positives ("please remove this check for errors, because I can
prove that this function call does not ever produce an error").

If my goal were getting better software, I'd start with turning up
compiler warnings to the max (warnings count as static analysis,
right?), unit tests with coverage analysis, valgrind, and an occasional
cppcheck or cl /analyze.

If the goal is to get a tool permanently into your workflow in a
documented way, a database-based tool like Klocwork doesn't sound too
bad, mainly because it has a way to re-identify findings across source
code changes (you need to tell it only once that that finding is a false
positive, not adjust a suppressions file after every edit). Just be
careful at what checkers you use and what to do about them. "Fix all
findings" is the wrong approach.


  Stefan

On 2018-02-03, George Neuner <gneuner2@comcast.net> wrote:

> I haven't seen PC-Lint in many years, so I can't comment on that.
> Splint and cppcheck are free alternatives that are worth a look.  

I haven't tried splint it years, but it used to be completely
useless for real code.  It would warn you about things like this:


    uint8_t b;
    b = 1;

  or 

    uint8_t i,j;
    [...]    
    i = j+1;

The warning was because the expression on the RHS was of type "int"
(16 or 32 bits on the platforms I cared about) and was being truncated
by the assignment to an 8-bit wide LHS.

On small processors with only a few hundred bytes of RAM one tended to
use the smallest variable types possible, and as a result splint
produced thousands of meaningless warnings unless you typecast most of
your integer assignments -- which made the code completely unreadable.
    
I spent a few days hacking on splint to try to fix issues like
that&nbsp;but was told by the split developers that they didn't care to
incorporate fixes like mine because splint wasn't intended for use on
real code in the real world because it was solely an academic project
for use studying language concepts.

Have they since pulled their heads out of <whatever>?

-- 
Grant

Am 03.02.2018 um 17:37 schrieb Grant Edwards:
> On 2018-02-03, George Neuner <gneuner2@comcast.net> wrote:
>> I haven't seen PC-Lint in many years, so I can't comment on that.
>> Splint and cppcheck are free alternatives that are worth a look.  
> 
> I haven't tried splint it years, but it used to be completely
> useless for real code.  It would warn you about things like this:
> 
> 
>     uint8_t b;
>     b = 1;
> 
>   or 
> 
>     uint8_t i,j;
>     [...]    
>     i = j+1;

The latter gives a warning with gcc "-Wconversion" as well. Although I
was long opposing that warning, it's hard to argue your head out of it
if your company's software already had a few incidents with it. For
control code, it is definitively possible to get "-Wconversion"-free;
for computational code, it's some more work but possible (e.g. make a
'sample_add' inline function that does the casting, and use that).

What I find more annoying is that MISRA finds this

     uint32_t MASK = UINT32_C(1) << 17;

objectionable. '1', no matter how spelled, has type 'char' for MISRA,
and cannot be shifted by 17 bits.


  Stefan

On 2018-02-04, Stefan Reuther <stefan.news@arcor.de> wrote:

> What I find more annoying is that MISRA finds this
>
>      uint32_t MASK = UINT32_C(1) << 17;
>
> objectionable. '1', no matter how spelled, has type 'char' for MISRA,
> and cannot be shifted by 17 bits.

In MISRA C, the literal 1 is a char not an int?

-- 
Grant

Am 04.02.2018 um 16:12 schrieb Grant Edwards:
> On 2018-02-04, Stefan Reuther <stefan.news@arcor.de> wrote:
>> What I find more annoying is that MISRA finds this
>>
>>      uint32_t MASK = UINT32_C(1) << 17;
>>
>> objectionable. '1', no matter how spelled, has type 'char' for MISRA,
>> and cannot be shifted by 17 bits.
> 
> In MISRA C, the literal 1 is a char not an int?

Yes. MISRA C 6.10.4 "Underlying type".

The problem they're trying to solve isn't too far-fetched: if 'int' has
16 bits only, '1 << 17' is undefined, so you'd better be explicit about
the type you're shifting. The problem now is that C99's way of being
explicit is the 'UINT32_C' macro - but that one expands to nothing on a
32-bit architecture...


  Stefan

Am 05.02.2018 um 18:48 schrieb Stefan Reuther:
> The problem now is that C99's way of being
> explicit is the 'UINT32_C' macro

Where on earth did you get that idea?  UINT32_C does not even _appear_ 
in the C99 standard.