TalkSecure

15 minutes to Start a New Project in CodeSecure CodeSonar

As mentioned before, I run CodeSonar regularly on open-source projects. Earlier this week, I added CPPCheck to that list, which is somewhat ironic, since CPPCheck is itself an open-source static analysis tool. The differences between CPPCheck and CodeSonar are significant: CodeSonar is a team tool, has a persistent database for tracking findings over time and annotating them, can run parallel and distributed, and scans quite a bit deeper, using techniques such as abstract execution.


That all aside, it took me about 15 minutes of active work to get CodeSonar analyzing CPPCheck:

  1. Create a build container and push it to my private registry.
  2. Fork CPPCheck and create a pipeline yaml file.
  3. Add the right environment variables for logins, Docker secrets, and such.
  4. Register a runner for the project on my Kubernetes cluster.
  5. Create a pull request and adjust paths where needed.

I will monitor CPPCheck regularly going forward, but here is an interesting finding by our copy-paste error checker. This checker flags code that appears to have been copied and pasted without every variable being substituted, a pattern you can clearly see in this screenshot.
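To make concrete what a checker of this kind looks for, here is an added example (not CodeSonar's checker and not code from CPPCheck): a small heuristic that groups consecutive statements with the same token skeleton and flags a line where one slot keeps an earlier line's value while a sibling slot was renamed on every line. The C snippet it runs on is constructed for this example.

```python
from __future__ import annotations
import re
# Identifiers, integer literals, or any single non-space character.
TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\d+|\S")
COMMENT = re.compile(r"/\*.*?\*/|//.*")

def tokenize(line: str) -> list[str]:
    return TOKEN.findall(COMMENT.sub("", line))

def is_slot(tok: str) -> bool:
    # Identifiers and literals are the tokens a paste would normally substitute.
    return tok[0].isalnum() or tok[0] == "_"

def shape(tokens: list[str]) -> tuple[str, ...]:
    # Statement skeleton with every substitutable token blanked out.
    return tuple("_" if is_slot(t) else t for t in tokens)

def find_incomplete_substitutions(source: str, min_run: int = 3) -> list[tuple[int, str]]:
    """Flag lines in a run of same-shaped statements where one slot keeps an
    earlier line's value although a sibling slot changes on every line.
    Returns (1-based line number, repeated token) pairs."""
    lines, findings, i = source.splitlines(), [], 0
    while i < len(lines):
        toks = tokenize(lines[i])
        j = i + 1
        while toks and j < len(lines) and shape(tokenize(lines[j])) == shape(toks):
            j += 1
        if j - i >= min_run:
            rows = [[t for t in tokenize(l) if is_slot(t)] for l in lines[i:j]]
            findings.extend(_check_run(rows, i))
        i = j
    return findings

def _check_run(rows: list[list[str]], start: int) -> list[tuple[int, str]]:
    n = len(rows)
    columns = [[row[k] for row in rows] for k in range(len(rows[0]))]
    if all(len(set(c)) != n for c in columns):  # nothing was systematically renamed
        return []
    hits = []
    for col in columns:
        if len(set(col)) == n - 1:  # varies, but exactly one value is reused
            hits += [(start + r + 1, col[r]) for r in range(1, n) if col[r] in col[:r]]
    return hits

# Constructed C sample in the style of the bug the checker looks for (not from CPPCheck).
SAMPLE = """\
static void scale(vec3 *out, const vec3 *in, float s) {
    out->x = in->x * s;
    out->y = in->y * s;
    out->z = in->y * s;   /* pasted from the line above; .y never became .z */
}
"""
```

Running `find_incomplete_substitutions(SAMPLE)` reports line 4 with the reused token `y`; a heuristic this simple will also flag legitimate repeats (for example a deliberate `lo, lo, hi` pattern), which is why a real checker backs the syntactic match with semantic analysis.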

It is unclear whether this is actually a problem; I'll file a ticket soon. Give us a call if you want us to demonstrate how to integrate CodeSonar into your CI/CD pipeline.
