| 1 | +# Static code analysis for coreJSON library |
| 2 | +This directory is made for the purpose of statically testing the MISRA C:2012 compliance of coreJSON using |
| 3 | +[Synopsys Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) static analysis tool. |
| 4 | +To that end, this directory provides a [configuration file](https://github.com/FreeRTOS/coreJSON/blob/main/tools/coverity/misra.config) to use when |
| 5 | +building a binary for the tool to analyze. |
| 6 | + |
| 7 | +> **Note** |
| 8 | +For generating the report as outlined below, we have used Coverity version 2018.09. |
| 9 | + |
| 10 | +For details regarding the suppressed violations in the report (which can be generated using the instructions described below), please |
| 11 | +see the [MISRA.md](https://github.com/FreeRTOS/coreJSON/blob/main/MISRA.md) file. |
| 12 | + |
| 13 | +## Getting Started |
| 14 | +### Prerequisites |
| 15 | +You can run this on a platform supported by Coverity. The list and other details can be found [here](https://sig-docs.synopsys.com/polaris/topics/c_coverity-compatible-platforms.html). |
| 16 | +To compile and run the Coverity target successfully, you must have the following: |
| 17 | + |
| 18 | +1. CMake version > 3.13.0 (You can check whether you have this by typing `cmake --version`) |
| 19 | +2. GCC compiler |
| 20 | + - You can see the downloading and installation instructions [here](https://gcc.gnu.org/install/). |
| 21 | +3. Download the repo and include the submodules using the following commands. |
| 22 | + - `git clone --recurse-submodules [email protected]:FreeRTOS/coreJSON.git ./coreJSON` |
| 23 | + - `cd ./coreJSON` |
| 24 | + - `git submodule update --checkout --init --recursive` |
| 25 | + |
| 26 | +### To build and run coverity: |
| 27 | +Go to the root directory of the library and run the following commands in terminal: |
| 28 | +1. Update the compiler configuration in Coverity |
| 29 | + ~~~ |
| 30 | + cov-configure --force --compiler cc --comptype gcc |
| 31 | + ~~~ |
| 32 | +2. Create the build files using CMake in a `build` directory |
| 33 | + ~~~ |
| 34 | + cmake -B build -S test |
| 35 | + ~~~ |
| 36 | +3. Go to the build directory and copy the coverity configuration file |
| 37 | + ~~~ |
| 38 | + cd build/ |
| 39 | + ~~~ |
| 40 | +4. Build the static analysis target |
| 41 | + ~~~ |
| 42 | + cov-build --emit-complementary-info --dir cov-out make coverity_analysis |
| 43 | + ~~~ |
| 44 | +5. Go to the Coverity output directory (`cov-out`) and begin Coverity static analysis |
| 45 | + ~~~ |
| 46 | + cd cov-out/ |
| 47 | + cov-analyze --dir . --coding-standard-config ../../tools/coverity/misra.config --tu-pattern "file('.*/source/.*')" |
| 48 | + ~~~ |
| 49 | +6. Format the errors in HTML format so that it is more readable while removing the test and build directory from the report |
| 50 | + ~~~ |
| 51 | + cov-format-errors --dir . --file "*/source" --exclude-files '(/build/|/test/)' --html-output html-out; |
| 52 | + ~~~ |
| 53 | +7. Format the errors in JSON format to perform a jq query to get a simplified list of any exceptions. |
| 54 | + NOTE: A blank output means there are no defects that aren't being suppressed by the config or inline comments. |
| 55 | + ~~~ |
| 56 | + cov-format-errors --dir . --file "*/source" --exclude-files '(/build/|/test/)' --json-output-v2 defects.json; |
| 57 | + echo -e "\n-------------------------Non-Suppresed Deviations, if any, Listed Below-------------------------\n"; |
| 58 | + jq '.issues[] | .events[] | .eventTag ' defects.json | sort | uniq -c | sort -nr; |
| 59 | + echo -e "\n-------------------------Non-Suppresed Deviations, if any, Listed Above-------------------------\n"; |
| 60 | + ~~~ |
| 61 | + |
| 62 | +For your convenience the commands above are below to be copy/pasted into a UNIX command friendly terminal. |
| 63 | + ~~~ |
| 64 | + cov-configure --force --compiler cc --comptype gcc; |
| 65 | + cmake -B build -S test; |
| 66 | + cd build/; |
| 67 | + cov-build --emit-complementary-info --dir cov-out make coverity_analysis; |
| 68 | + cd cov-out/ |
| 69 | + cov-analyze --dir . --coding-standard-config ../../tools/coverity/misra.config; |
| 70 | + cov-format-errors --dir . --file "*/source" --exclude-files '(/build/|/test/)' --html-output html-out; |
| 71 | + cov-format-errors --dir . --file "*/source" --exclude-files '(/build/|/test/)' --json-output-v2 defects.json; |
| 72 | + echo -e "\n-------------------------Non-Suppresed Deviations, if any, Listed Below-------------------------\n"; |
| 73 | + jq '.issues[] | .events[] | .eventTag ' defects.json | sort | uniq -c | sort -nr; |
| 74 | + echo -e "\n-------------------------Non-Suppresed Deviations, if any, Listed Above-------------------------\n"; |
| 75 | + cd ../../; |
| 76 | + ~~~ |
| 77 | + |
| 78 | +You should now have the HTML formatted violations list in a directory named `build/cov-out/html-output`. |
| 79 | +With the current configuration and the provided project, you should not see any deviations. |
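Review bot: step 3's description ("Go to the build directory and copy the coverity configuration file") promises a copy that the command never performs; the only command under it is `cd build/`, and step 5 later reads the config in place via `../../tools/coverity/misra.config`, so either drop the "and copy the coverity configuration file" clause or add the missing `cp`. Three further mismatches between the numbered steps and the consolidated copy/paste block will give readers different results depending on which they follow: the `cov-analyze` line in step 5 carries `--tu-pattern "file('.*/source/.*')"` while the consolidated block's `cov-analyze --dir . --coding-standard-config ../../tools/coverity/misra.config;` omits it (and the `--tu-pattern` form is the one that restricts analysis to `source/`, which the closing claim of zero deviations depends on); the closing paragraph points to `build/cov-out/html-output` but `cov-format-errors ... --html-output html-out` writes to `html-out`; and both `echo` banners misspell "Non-Suppresed" (should be "Non-Suppressed"). Finally, the clone URL in prerequisite 3 reads `[email protected]:FreeRTOS/coreJSON.git`, which looks like a mangled SSH remote (the expected GitHub form is `git@github.com:FreeRTOS/coreJSON.git`), and since `--recurse-submodules` already initializes submodules, the following `git submodule update --checkout --init --recursive` is redundant; harmless, but readers should not take it as a required step.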