Static Analysis for Python in CodeSonar

March 19, 2019 Mark Hermeling


In a previous post we discussed the continuing popularity of C and C++ as programming languages. The surveys referenced there also showed that Python grows more popular each year and now ranks 1st (according to the IEEE) or 3rd (2019 TIOBE index). The language has grown in popularity because it is easy to learn and use, and it has become the language of choice for AI, machine learning and data science.

For Python, GrammaTech has not built its own static analysis engine but instead integrates with the very capable Pylint tool. As we have done for other languages outside our core C/C++ support, we rely on best-of-breed tools to provide the expanded language coverage our customers are requesting. This combines our best-in-class C/C++ analysis with results from the integrated tools, stored in a shared repository and accessible through a single user interface, so the same analysis and management capabilities are available across all languages.

Consider the following example of a Pylint warning, "superfluous-parens", in the file calc.py as displayed in the CodeSonar web portal. Warnings from Pylint are treated the same way as C/C++ warnings: users can provide assessments, set the appropriate priority and state, and so on. These assessments are tracked across versions of the Python file even if the user adds or removes lines of code before line 43 (where the warning appears in this case).

[Image: CodeSonar_Python_Blog_pic1]

CodeSonar also analyzes the results from Pylint as it does those from other languages, for example organizing warnings by class in the following histogram:

[Image: CodeSonar_Python_Blog_pic2]
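The two paragraphs above describe two things the integration does with Pylint results: carrying a user's assessment of a warning forward to the next version of the file even when lines are inserted above it, and counting warnings by class. The following is an added example written for this post, not CodeSonar's or Pylint's own code, and the matching scheme is a simplified stand-in for whatever CodeSonar actually uses, which this post does not document. It parses Pylint's `--output-format=json` records (the two JSON documents are constructed to look like that output for the constructed calc.py versions below), fingerprints each warning by the flagged line's content and enclosing object rather than by line number, re-attaches an assessment after three lines are added above the function, and builds the per-class histogram. The assumption to be aware of is that a content fingerprint survives lines being added or removed elsewhere, but not an edit to the flagged line itself.

```python
"""Added example: fingerprint Pylint warnings so assessments survive line shifts."""
import hashlib
import json
import re
from collections import Counter

# Constructed sample, version 1 of calc.py: the superfluous-parens warning is on line 2.
CALC_V1 = """\
def divide(a, b):
    if (b == 0):
        return None
    return a / b
"""

# Version 2 adds three lines above the function, so the same warning now sits on line 5.
CALC_V2 = '''\
"""Calculator helpers."""
import math

def divide(a, b):
    if (b == 0):
        return None
    return a / b
'''

# Constructed stand-ins for `pylint --output-format=json calc.py` on each version.
PYLINT_V1 = json.dumps([
    {"type": "convention", "module": "calc", "obj": "divide", "line": 1, "column": 0,
     "path": "calc.py", "symbol": "missing-function-docstring",
     "message": "Missing function or method docstring", "message-id": "C0116"},
    {"type": "convention", "module": "calc", "obj": "divide", "line": 2, "column": 4,
     "path": "calc.py", "symbol": "superfluous-parens",
     "message": "Unnecessary parens after 'if' keyword", "message-id": "C0325"},
])
PYLINT_V2 = json.dumps([
    {"type": "warning", "module": "calc", "obj": "", "line": 2, "column": 0,
     "path": "calc.py", "symbol": "unused-import",
     "message": "Unused import math", "message-id": "W0611"},
    {"type": "convention", "module": "calc", "obj": "divide", "line": 4, "column": 0,
     "path": "calc.py", "symbol": "missing-function-docstring",
     "message": "Missing function or method docstring", "message-id": "C0116"},
    {"type": "convention", "module": "calc", "obj": "divide", "line": 5, "column": 4,
     "path": "calc.py", "symbol": "superfluous-parens",
     "message": "Unnecessary parens after 'if' keyword", "message-id": "C0325"},
])


def parse_pylint_json(text):
    """Return the list of warning dicts from Pylint's JSON output."""
    return json.loads(text)


def fingerprint(warning, source):
    """Hash a warning by *what* it points at, not *where*: path, message symbol,
    enclosing object and the whitespace-normalised text of the flagged line.
    Lines added or removed elsewhere in the file leave this value unchanged."""
    lines = source.splitlines()
    flagged = lines[warning["line"] - 1] if 0 < warning["line"] <= len(lines) else ""
    normalised = re.sub(r"\s+", " ", flagged).strip()
    material = "\0".join([warning["path"], warning["symbol"], warning["obj"], normalised])
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def index_warnings(source, pylint_json):
    """Map fingerprint -> warning for one version.  A repeated identical line gets
    an ordinal suffix so two genuine occurrences are not collapsed into one."""
    seen = Counter()
    indexed = {}
    for w in parse_pylint_json(pylint_json):
        fp = fingerprint(w, source)
        seen[fp] += 1
        indexed[f"{fp}#{seen[fp]}"] = w
    return indexed


def carry_assessments(assessments, old_source, old_json, new_source, new_json):
    """Re-attach assessments (keyed by fingerprint) to the new version's warnings.
    Returns (carried, added, resolved); carried maps new line number -> assessment."""
    old = index_warnings(old_source, old_json)
    new = index_warnings(new_source, new_json)
    carried = {new[k]["line"]: assessments[k] for k in assessments if k in new}
    added = [new[k] for k in new if k not in old]
    resolved = [old[k] for k in old if k not in new]
    return carried, added, resolved


def histogram(pylint_json):
    """Count warnings by Pylint class (convention/refactor/warning/error/fatal)."""
    return Counter(w["type"] for w in parse_pylint_json(pylint_json))


def demo():
    """Assess the line-2 warning in version 1, then re-analyse version 2."""
    v1 = index_warnings(CALC_V1, PYLINT_V1)
    key = next(k for k, w in v1.items() if w["symbol"] == "superfluous-parens")
    assessments = {key: {"state": "false positive", "priority": "low"}}
    carried, added, resolved = carry_assessments(
        assessments, CALC_V1, PYLINT_V1, CALC_V2, PYLINT_V2)
    return carried, [w["symbol"] for w in added], [w["symbol"] for w in resolved]


if __name__ == "__main__":
    print(demo())            # assessment now attached to line 5; unused-import is new
    print(histogram(PYLINT_V2))
```

Keying assessments on a content fingerprint rather than a line number is what makes the "lines added before line 43" case work; the trade-off is that rewriting the flagged line produces a new fingerprint, so a triage decision made on the old line has to be re-confirmed, which is usually the behaviour a reviewer wants.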

This integration further expands CodeSonar into the world of Python and gives customers the ability to improve the quality and security of a multi-language project. Software teams benefit from having static analysis results from all of their projects in the same repository with a common management interface.

Interested in learning more? Read our guide on "Enhancing Code Reviews with Static Analysis."

