We’re excited about the new release of CodeSonar, versions 5.1, that increases focus on safety critical systems and associated standards and supports multiple programming languages that are emerging in cross-platform, cross-language development in the Internet of Things (IoT). CodeSonar 5.1 will be available shortly and a beta program is currently available for existing customers.
Cross-Language Support for IoT Development
The latest version of CodeSonar allows IoT projects the flexibility they need to support multiple languages such as Java and Python. Developers now use a single user interface to understand and assess security vulnerabilities found in systems using multiple programming languages. This is important in the world of IoT as devices and enterprise services are built using different platforms and different languages. While C#, Objective C or Java are typically the languages used on the user-interface or enterprise side, embedded devices are built using C/C++, with Python in the mix for scripting. All these languages are now covered by CodeSonar and support for additional languages can be added easily with a direct integration or leveraging our support for Static Analysis Results Interchange Format (SARIF.)
Improved SARIF Support
Speaking of SARIF, CodeSonar has improved support for SARIF an open standard for facilitating integrations between analysis tools and other software lifecycle tools. Users can export analysis results in SARIF form, which can then be imported into a viewer that supports SARIF, such as Microsoft Visual Studio Code discussed in a previous post. Additionally, CodeSonar can import SARIF results generated from other tools, so that those results can then be managed through the CodeSonar user interface.
Qualification kits are an essential ingredient to tool qualification for safety critical software. For projects that are building the most critical software, where failures can lead to injury or loss of life, they must prove the tools they are using are of the same quality as the product under development. To this end, our customers can use our qualification kit to reduce the effort and documentation needed to qualify CodeSonar. These kits are available as an add-on and available for standards such as IEC 61508, DO178B/C, or ISO 26262.
API Anomaly Detection
Application programming interfaces (API) are heavily used everywhere: they allow developers to reuse functionality and build software faster. Unfortunately, there is little automated tools support to help a developer verify correct usage since most tools don’t understand the semantics of the APIs being used. Manually writing rules for all the API functions and building custom checkers in static analysis tools is time consuming and doesn’t scale.
GrammaTech was contracted by the Department of Homeland Security to investigate possible solutions to automate the detection of API usage anomalies. In this ongoing project, GrammaTech has analyzed a large body of code to detect API usage patters to discover what APIs existed and how they were used. The large body of code, a “code corpus”, consists of about 7000 C/C++ projects and about 498 million lines of code. Using the rules automatically inferred by this endeavor, GrammaTech was able to use CodeSonar to detect API anomalies in new code. More details are available in another post.