
CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc
C and C++

Build and Analysis for C/C++ Projects

To build a project based on C or C++ source code, CodeSonar monitors a normal build of your application, observes the compilations performed during this normal build, and builds the CodeSonar project accordingly. We refer to this mechanism as build hooking, or simply hooking.

Once the project is built, the CodeSonar analysis phase can run. The analysis results are sent to a hub database, from which they can be viewed with an ordinary web browser.

An overview and further links about building and analyzing CodeSonar projects from software in other languages are provided in section Building.

AOSP note: if you are analyzing the Android Open Source Project (AOSP), you can use the codesonar cs_android.py subcommand. This provides functionality for running an Android build command in such a way that CodeSonar can observe its execution, including any C or C++ compilations. See codesonar cs_android.py : Prepare and Analyze the Android Open Source Project for full details.

See also: CodeSonar and the Clang Static Analyzer.



How The C/C++ Build Works

The following diagram shows the CodeSonar build and analysis process for C and C++ projects.

Diagram: build hooking

The steps of the build and analysis process are described in Building: Overview. For C and C++ source files, the steps manifest as follows.

1. Observe
   The user instructs CodeSonar to observe the regular software build process, in which one or more C or C++ source files are compiled.

2. Execute
   The normal software build process executes. It will compile one or more source files, using one or more compilers available on the local system.

   Important: Because CodeSonar is observing the normal software build and basing the CodeSonar project on observed compilations, only source files compiled during the observed build will be represented in the project. Therefore, it is important to make sure that the build recompiles every source file. For example:

     • If you are using make for your normal software build, do a make clean before starting the CodeSonar project build.
     • If you are using Microsoft Visual Studio, start your normal software build with Rebuild All.

3. Recognize Compiler Calls
   CodeSonar can recognize calls to any compilers on its internal compiler list, plus any compilers specified with the COMPILER_MODELS configuration file parameter.

   Important: Calls to compilers that are not on the list and are not specified by the user will not be recognized, and those compilations will not be accounted for in the project.

4. Update Project
   Each time it recognizes a compiler call, CodeSonar updates the project definition to incorporate source files associated with that call. As part of the incorporation process, each source file F.x undergoes a set of source modifications before any preprocessing occurs.

5. Finish Building
   Once the normal build command terminates, CodeSonar finishes building the project.

All the source files compiled during the normal build are collected into a single project, even if the build is creating more than one executable.

Once it has finished building the project, CodeSonar can run the analysis. If you build from the command line with analyze, the analysis will run (and send its results to the hub) after the build has finished. The degree of parallelism in the analysis will depend on the setting of ANALYSIS_SLAVES.

Mixed Builds

When CodeSonar for Binaries is installed, the C/C++ build can be expanded into a mixed build.

Command Line Build

As described in Command Line Build/Analysis: Command, the general form of the usual CodeSonar build/analysis command is

codesonar analyze /path/to/pfiles-name
[-project [/[ancestors/]]proj-name] [-no-services] [-foreground] [-wait] [-clean] [-clean-backend] \
[-force-base-hub-analysis] [-name analysis-name] [-preset preset-name] [-no-default-presets] [-conf-file extra-conf-path] \
[-offline] [-property propkey propval] [-launchd-group ldgroup] [-launchd-key ldkey] \
[-watch-pid pid] [-watch-all-pids] \
[-auth authtype] [-hubuser username] [-hubpwfile pwfile] [-hubbearerfile bearerfile] [-hubcert certfile] [-hubkey privatekeyfile] \
[-remote analysis-launchd] [-remote-archive daemonmode-launchd] [-srcroot basedir] [[protocol://]host:port] [command]

The command element is described below; the other parts of the command line are discussed in Command Line Build/Analysis: Elements.

command The command you usually use to build your software project. In many cases no changes to existing settings are necessary, and in most remaining cases only one or two CodeSonar build options are required.

CodeSonar will execute this command, identify all the compilations that ensue, and build the CodeSonar project accordingly.

Important: Only compilations resulting from executing this command will be represented in the CodeSonar project. Make sure that old object files and executables are removed (for example, with make clean) if necessary to make sure that all source files are compiled.

Some example build commands are listed below.

If command is missing, no building takes place and the analysis starts with the pre-existing contents of pfiles-name.prj_files (which will be a child of the project directory). If pfiles-name.prj_files is empty or missing, an error is raised.

If you usually invoke your build with a list of commands, you will need to quote the list and include an invocation command: generally cmd /c on Windows and sh -c on other systems. For example:

Usual command list      tool_invocation_command (Windows)      tool_invocation_command (other systems)
gcc a.c; gcc b.c        cmd /c "gcc a.c; gcc b.c"              sh -c "gcc a.c; gcc b.c"
cmake . && make         cmd /c "cmake . && make"               sh -c "cmake . && make"

command Examples

(Additional command line examples are provided on the following pages: Command Line Build/Analysis, Build and Analysis for Java Projects.)

Any build command (or build system) that can be invoked from the command line can be used as the basis for a project. Simply pass the command line build invocation as the command argument to analyze. For example:

codesonar analyze cs-myproj cc myproj.c
codesonar analyze cs-myproj cc -o myproj myproj.c
codesonar analyze cs-myproj make
codesonar analyze cs-myproj make all
codesonar analyze cs-myproj make myproj

The project build and analysis steps can be run separately, as in the following example. The first command instructs CodeSonar to observe the compilation gcc -c myfile.c and update the myproj project accordingly. The second command instructs CodeSonar to analyze myproj and send the results to the default hub.

codesonar build myproj gcc -c myfile.c
codesonar analyze myproj
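The following script is an added example, not part of the CodeSonar manual or product. It turns the two cautions above into a pre-flight check: an incremental make skips every source whose object file is already up to date, so CodeSonar would observe no compilation for it and it would be missing from the project. The helper names (cs_skipped_sources, cs_preflight, cs_analyze_clean) are hypothetical; only the final function invokes codesonar analyze, using sh -c to pass a quoted command list as described above.

```shell
#!/bin/sh
# Added example (not CodeSonar's own code): detect sources that an incremental
# make would skip, then run a clean build under CodeSonar observation.

# Print every .c/.cc/.cpp file under $1 whose sibling .o is not older than it.
# make recompiles a source only when its object is missing or out of date, so
# these are exactly the files the hooked build would never compile.
cs_skipped_sources() {
    find "$1" -type f \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' \) |
    while IFS= read -r src; do
        obj="${src%.*}.o"
        if [ -f "$obj" ] && ! [ "$src" -nt "$obj" ]; then
            printf '%s\n' "$src"
        fi
    done
}

# Return 0 when every source would be recompiled; otherwise report the
# files that would be absent from the CodeSonar project and return 1.
cs_preflight() {
    skipped=$(cs_skipped_sources "$1")
    [ -z "$skipped" ] && return 0
    echo "Sources an incremental build would skip; run 'make clean' first:" >&2
    printf '%s\n' "$skipped" | sed 's/^/  /' >&2
    return 1
}

# Clean rebuild observed by CodeSonar. $1 is the pfiles name, $2 the source
# directory, $3 the usual build command list (quoted, handed to sh -c).
# Runs in a subshell so the caller's working directory is unchanged.
cs_analyze_clean() {
    pfiles="$1"; srcdir="$2"; build_cmd="$3"
    ( cd "$srcdir" && make clean && codesonar analyze "$pfiles" sh -c "$build_cmd" )
}

# Example invocation (requires CodeSonar; not executed here):
#   cs_analyze_clean cs-myproj ./src "cmake . && make"
```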

Other Build/Analysis Documentation

Building An overview and further links about building and analyzing CodeSonar projects.
Command Line Build/Analysis Information about invoking the CodeSonar build/analysis from the command line.
The Build/Analyze Commands Detailed documentation for codesonar build and codesonar analyze.
Windows Build Wizard Build/Analysis Instructions for using the Windows build wizard.
The Windows Build Wizard Detailed documentation for the Windows build wizard.
Build and Analysis for Java Projects Specific information for build/analysis of projects built (in whole or in part) from Java bytecode.
Troubleshooting the Build Solutions for problems you may encounter during the CodeSonar build/analysis process.
CodeSonar and the Clang Static Analyzer Performing a CodeSonar analysis that also includes results from Clang Static Analyzer.
 

To report problems with this documentation, please visit https://support.codesecure.com/.