Looking for a SAST Solution Engineered for Embedded and Product Security? Choose Wisely.


Whether it’s bare metal development, commercial RTOS, or embedded Linux, the tool chain is an important component in software development.

The compiler suite chosen is a clear example. In the case of projects using a commercial RTOS, these tool chains are sold as a package. In the case of bare metal development, the tool chain might come from the chip vendor or from a well-known specialist such as our partner IAR.

Supporting a Wide Variety of Host and Embedded Target Compilers

GrammaTech CodeSonar ships with a large number of pre-installed compiler and compiler driver models and is expected to be compatible with widely used versions of these compilers. Other compilers can be accommodated either through the generic compiler model or through the custom compiler model accompanied by some scripting.

The following table provides the compiler support and host configuration for each compiler – Linux, FreeBSD, NetBSD, and Microsoft Windows hosts.

Model        Description
armcc        ARM RealView Compiler Tools C/C++ compiler
armclang     ARM Clang compiler
borland      Borland C++ for Win32, Embarcadero C++ for Win32
c++ppc       Wind River version of GNU C++ compiler
c51          Keil C51 C compiler
cc           Generic C compiler
ccppc        Wind River version of GNU C compiler
ccrx         Renesas C/C++ compiler for RX family
ch38         Renesas C/C++ compiler for H8S, H8/300 Series
chc12        Freescale CodeWarrior for HC12
cl           Microsoft C compiler
cl30         Texas Instruments TMS320C3x/C4x Optimizing Compiler
cl6x         Texas Instruments TMS320C6000 Optimizing C/C++ Compiler
clang        Clang C compiler
clangpp      Clang C++ compiler
cosmic       Cosmic C compilers
cvavr        CodeVisionAVR C compiler
dcc          Wind River C and C++ compilers
ecomppc      Green Hills C Compiler
gcc          GNU Compiler Collection C Compiler
gpp          GNU Compiler Collection C++ Compiler
icc430       IAR MSP430 compiler
iccarm       IAR ARM compiler
iccavr       IAR AVR compiler
iccgeneric   IAR compilers not covered by specific models
iccm32c      IAR M32C compiler
iccrx        IAR Renesas RX compiler
iccstm8      IAR STM8 compiler
iccv850      IAR V850 compiler
mcc18        MPLAB C18 C Compiler
mcpcom       Intel C/C++ compiler
mwccmcf      Freescale CodeWarrior for ColdFire compiler
picc         Hi-Tech C compiler
qcc          QNX C/C++ compiler
shc          Renesas C/C++ compilers for the SuperH RISC engine family
shcpp        Renesas C/C++ compilers for the SuperH RISC engine family
tasking      The TASKING TriCore, PCP, and C166/ST10 compilers
visualdsp    The SHARC, TigerSHARC and Blackfin compilers that ship with VisualDSP++
xcc          Customizable C compiler

Table of GrammaTech CodeSonar v7 Supported Compilers

Compiler support is important during the software build process. At the developer desktop, it is equally important to support the integrated development environments developers are already using.

Supporting SAST at the Developer Desktop

CodeSonar integrates with the most popular Integrated Development Environments (IDEs) on the market, such as the Eclipse IDE, Microsoft Visual Studio and Visual Studio Code. These integrations shift security and quality improvement left by bringing the power of SAST and advanced static analysis directly to the developer. Finding and fixing software weaknesses as the code is developed greatly reduces the downstream cost of these vulnerabilities.

The CodeSonar integration with top IDEs provides the following capabilities:

  • Menu and toolbar shortcuts for quick access to the CodeSonar features.
  • View warnings in the editor as you would any other error or warning. These warnings are displayed in the code view and in the warning panels, typically below the code view. Clicking on a warning in either location brings up a new panel that provides more details on the warning plus access to additional CodeSonar features such as setting priority and state information.
  • Show the warning path with the events that lead to the warning. The trace is navigable within the CodeSonar panel and back to the code view, which greatly simplifies the analysis needed to determine whether the warning is a true positive.
  • Perform permanent assessments on the warnings once the priority and accuracy of the warning have been determined. Any settings given to the warnings are persistent in the CodeSonar database in the same manner as the web UI.
  • List active warnings to perform further investigation on project-wide analysis. It’s then possible to open the web UI for CodeSonar to perform required actions as needed.
  • Kick off builds and new analyses within the IDE, making it quick and easy to see updated results based on recent fixes or code changes. This is a good way to ensure code has been analyzed and fixed before it is submitted to a build or to source control.
  • Results are automatically synchronized with a CodeSonar hub, enabling the development team to manage results in a coordinated way.

SAST Tool Considerations Match Operating System Platform

When buying any product, quality, reliability, and long-term maintenance are key factors. When buying commercial embedded operating systems or using free and open-source alternatives, there are similar factors involved. This same consideration should apply to SAST tool selection:

  • Quality and performance: There’s a baseline of expected product quality for tools, OS, and platform libraries in embedded systems. These products are expected to have high quality and meet industry standards for security and safety, including certification if needed. SAST tools must be in the same category of trusted tools.
  • Documentation and support: Customers have high expectations of technical and after-sales support for embedded OS platforms. In many cases, they need custom engineering work to help make the platform specifically support their hardware. SAST tools must have the same level of support and documentation with the ability to be customized for specific applications.
  • Risk reduction: Embedded OS platforms are purchased as a reduced-risk alternative to homegrown solutions. Going with a proven solution is less risky than an unproven one, and vendors are selected based on this criterion. SAST tools must demonstrably reduce risk further and must not disrupt the developer workflow.
  • Reputation: Vendor reputation plays an important part in embedded development tools choices. Vendors are typically in business for decades and have proven-in-use statistics that satisfy strict safety and security guidelines. SAST vendors need to be held to the same standard with a proven track record of product success but also innovation and support.

Summary

Embedded software development relies on the development platform used. Whether it’s bare metal development, a commercial RTOS or embedded Linux, the tool chain is an important component in software development. The quality, reliability and support expectations should be the same for SAST tools as they are for the platform itself. CodeSonar has a proven track record in embedded development and extensive support for the most popular IDEs and embedded tool chains.

More detailed information on CodeSonar supported Platforms, Languages, and Compilers

More detailed information on CodeSentry supported On-Premise System Requirements & Supported File Formats
