Quality and Security Assurance with CodeSonar for Crank Software’s Mission Critical Multi-Platform Storyboard Suite

October 3, 2018 Bill Graham


Crank Software's products and services enable R&D teams and user interface (UI) designers to quickly and collaboratively develop rich, animated UIs for resource-constrained embedded devices. These embedded software solutions are used in safety-critical applications, such as animated global positioning systems, in-car graphical displays and user interfaces on factory floors, so software quality and security are paramount. In addition, Crank Software must deliver their software with the same level of quality on over 55 different target hardware platforms.

In order to achieve their quality goals, the team at Crank is using CodeSonar’s advanced static analysis capability to help find and fix quality and security issues within their code. In particular, they were looking for tools that could be dropped into their process and would quickly create improvements.

Crank’s development teams integrated CodeSonar into their production process, static analysis is used as soon as code is created or changes are made. Since issues are being caught and fixed very early in the coding process, they are seeing quantifiable results. Each found bug or security is one less patch or, most critically, calls to customers to inform them of found issues in released software. In addition, Crank supports over 55 different hardware platforms and they needed tools that support that goal. CodeSonar is well suited for analyzing code right to the “metal” as it understands the code given sufficient information such as header files for the embedded OS. As a result, of their use of CodeSonar they’ve also improved their end product and Crank Software is better-positioned for the certifications needed to drive greater adoption.

Static Analysis in Multiplatform Deployment

Crank’s rapid GUI development platform is distributed as a self-contained binary to customers who then integrate these into the mission critical software. They need to deploy this onto multiple supported hardware and software configurations with quality and security.  CodeSonar is platform agnostic, it has definitions of the underlying embedded OS platform which allows it to perform analysis down to the lowest software interface. The same is true for the compiler, CodeSonar understands data type information, for example, to help detect incorrect type usage.

Extending the Benefits of Static Analysis to Projects Using Storyboard Suite

Crank has achieved great results with CodeSonar and conversely, these same benefits are can be achieved by Cranks customers. Consider some of the advantages of adopting advanced static analysis in critical software using Crank’s platform:

  • Analysis to the bare metal: As stated before, CodeSonar is well suited to multiplatform development and can analyze source code at any level of the system assuming enough information in header files and associated code to make the analysis complete.
  • Hardware and software agnostic: Similarly, static analysis is mostly hardware and software agnostic and depends more on the programming language support (e.g. version of C or C++ and associated libraries) than the hardware or software platform.
  • “Drop in” development process integration: Just as Crank did, adoption of static analysis is fairly straightforward and can be adapted to agile, continuous integration/deployment and waterfall processes alike.
  • Detect concurrency problems that get missed during testing: CodeSonar has specialized checkers to help detect concurrency issues such as data races that are difficult to detect during testing.
  • Security vulnerability detection and tainted data analysis: Security testing is difficult and is often overlooked or incomplete even in critical software. Advanced static analysis tools can detect security vulnerabilities with the aid of tainted data analysis to help remove dangerous exploits before software is released.
  • Binary code analysis: Unique to CodeSonar is the ability to do static analysis on binary code (for ARM and x86 architectures.) Providing the same error detection capabilities as source analysis, binary analysis allows quality and security assurance on pre-compiled code from partners, third-party vendors and even internal sources.
  • Augment existing quality processes: Static analysis is meant to complement existing inspection and testing processes by providing better insight into potential bugs and security vulnerabilities.
  • Assist with software safety certifications: Reports from advanced static analysis tools are useful for complying with coding standards. In addition, demonstrated used of these tools is often needed during reviews of development processes by certification bodies.


Crank Software was able to quickly integrate static analysis into their existing process and see immediate benefits in terms of improved quality and security. The same benefits can be achieved by Crank customers, or any other mission critical project.


Previous Article
Static Analysis Results: A Format and a Protocol: SARIF & SASP
Static Analysis Results: A Format and a Protocol: SARIF & SASP

Introduction Static analysis tools are now very widely used in industry, academia, and open-sou...

Next Article
Improving Binary Code Analysis with De-compilation
Improving Binary Code Analysis with De-compilation

  Cyber security risk is a big worry for many people, leading to sleepless nights and baggy eye...