CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc

Performing a More Thorough Analysis

In many cases the default configuration file parameter settings will work well for your analyses. In some cases, however, projects are sufficiently complex that the default settings do not provide enough resources for comprehensive exploration. In addition, enabling warning classes that are disabled by default will generally result in a larger set of warnings, covering a broader range of issues.

This section lists the parameters to concentrate on if you want to perform a more thorough analysis, and suggests settings to try.



The thorough Preset

The thorough preset collects together all the settings described below (with the exception of the skeleton WARNING_FILTER rule). To use the preset:

  • Command line: specify -preset thorough as part of your build/analysis command. For example:
      codesonar analyze MyProj -preset thorough localhost:7340 make
  • Define as a default preset: copy thorough.conf from $CSONAR/codesonar/presets/ to $CSONAR/codesonar/default_presets/, or use the Modify Analysis Settings option of the CodeSonar Configuration Tool.
  • Windows Build Wizard: select thorough from the Preset list on screen 2.
  • Eclipse Plug-In: select thorough from the Presets list in the Properties dialog.
  • Visual Studio Plug-In: select thorough from the Presets list in the Project Properties dialog.

Setting Notes

The following table suggests configuration settings to try if you want to perform a more thorough analysis. For most of these parameters the trade-off for added thoroughness is increased analysis time; sometimes additional space is also required, and in some cases an increased number of true positives is accompanied by an increase in false positives.

Analyze More Aggressively

SEARCH_BOUND = 300
    CodeSonar will explore more paths in a procedure before moving on.
      • This is most likely to be useful when procedures have complicated structure.
      • The time spent on exploration will generally increase, but is limited by TIME_LIMIT_INTRA_EXPLORE.

PATH_FINDING_EFFORT = 2000
PATH_SHORTENING_EFFORT = 300
    CodeSonar will spend more time searching sets of candidates when vulnerabilities are suspected, and more effort in attempting to find warnings 'similar' to those already found.
      • The time spent on warning resolution will generally increase, but is limited by TIME_LIMIT_RESOLVE.

MAX_ATTEMPTED_SIMILAR_PATHS = 16
TAINT_MAX_ATTEMPTED_SIMILAR_PATHS = 16
    CodeSonar will try to find larger sets of warnings 'similar' to those already found.

MAX_SUMMARIES_PER_PROCEDURE = 7
MAX_MODIFIED_VALUES = 150
MAX_CHECKED_INPUTS_PER_PROCEDURE = 100
MAX_CHECKS_PER_INPUT = 30
MAX_GLOBAL_CHECK_AGE = 2
MAX_CHECK_COMPLEXITY = 40
MAX_EXPRESSION_COMPLEXITY = 48
    Increasing these values can make the analysis more precise, at the cost of longer analysis time and higher memory usage.

TIME_LIMIT_INTRA_EXPLORE = 600
TIME_LIMIT_INTRA_CLASSIFY = 600
TIME_LIMIT_INTER_CLASSIFY = 600
TIME_LIMIT_RESOLVE = 600
TIME_LIMIT_REFINE = 600
TIME_LIMIT_LEAK_CLASSIFY = 600
TIME_LIMIT_PROP_EXHAUSTIVE = 600
    CodeSonar will spend more time per procedure on various aspects of the analysis before moving on.
      • Projects with large procedures are the most likely to experience improved results with increased TIME_LIMIT_* settings, at the cost of longer analysis times.
      • With the settings shown, CodeSonar will spend at most 70 minutes analyzing each procedure.

TAINT_MAX_MODIFIED_VALUES = 150
TAINT_MAX_CHECKED_INPUTS_PER_PROCEDURE = 100
TAINT_MAX_EXPRESSION_COMPLEXITY = 80
TAINT_MAX_SET_CARDINALITY = 20
    Increasing these values can make the taint analysis more precise, at the cost of longer analysis time and higher memory usage.

DP_REFINEMENT_EXACT_TIMEOUT = 20
DP_REFINEMENT_APPROXIMATE_TIMEOUT = 20
TAINT_PLUS_DP_REFINEMENT_TIMEOUT = 40
    CodeSonar will spend more time trying to rule out complex false-positive warnings before reporting them.

Enable More Classes

WARNING_FILTER += allow <rule>
    Use WARNING_FILTER rules to enable some or all of the warning classes that are disabled by default, for more comprehensive analysis results.

Other

REPORT_IMPLIED_INEQUALITY = Yes
    Will generally result in more true positives, but also more false positives. This trade-off is usually only useful on small code bases.
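
The "at most 70 minutes per procedure" figure above is simply the sum of the seven TIME_LIMIT_* values (7 × 600 s = 4200 s). The script below is an added example, not part of CodeSonar or its manual: it parses a configuration fragment in the NAME = VALUE / NAME += VALUE form shown on this page and reports the per-procedure budget that a given set of limits implies, so you can check your own tuning before committing to a long run. It assumes TIME_LIMIT_* values are in seconds and treats lines beginning with # as comments (that comment convention is an assumption, not something this page documents); the fragment in SAMPLE_CONF is constructed from the table above.

```python
"""Compute the worst-case per-procedure time budget implied by the
TIME_LIMIT_* settings in a CodeSonar-style configuration fragment.

Added example for this manual page; it is not CodeSonar code.
Assumptions: settings use the ``NAME = VALUE`` form shown on the page,
``NAME += VALUE`` appends a rule (as WARNING_FILTER does), TIME_LIMIT_*
values are seconds, and ``#`` starts a comment line (assumed, not documented).
"""
import re

# Constructed sample built from the "Analyze More Aggressively" table above.
SAMPLE_CONF = """\
# constructed sample fragment, not a shipped preset
SEARCH_BOUND = 300
PATH_FINDING_EFFORT = 2000
TIME_LIMIT_INTRA_EXPLORE = 600
TIME_LIMIT_INTRA_CLASSIFY = 600
TIME_LIMIT_INTER_CLASSIFY = 600
TIME_LIMIT_RESOLVE = 600
TIME_LIMIT_REFINE = 600
TIME_LIMIT_LEAK_CLASSIFY = 600
TIME_LIMIT_PROP_EXHAUSTIVE = 600
WARNING_FILTER += allow <rule>
"""

# One setting per line: a name, then "=" or "+=", then the rest of the line.
_SETTING = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(\+=|=)\s*(.*?)\s*$")


def parse_conf(text):
    """Return a dict of settings parsed from ``text``.

    ``NAME = VALUE`` stores the value as a string; ``NAME += VALUE`` collects
    the values in a list so that several rules for one parameter (for
    example multiple WARNING_FILTER lines) are all retained. Blank lines and
    ``#`` comments are skipped; any other unparseable line raises ValueError
    so that a mistyped parameter line is not silently ignored.
    """
    settings = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _SETTING.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a NAME = VALUE setting: {line!r}")
        name, op, value = m.groups()
        if op == "+=":
            existing = settings.get(name, [])
            if not isinstance(existing, list):
                existing = [existing]
            settings[name] = existing + [value]
        else:
            settings[name] = value
    return settings


def time_limit_budget_seconds(settings):
    """Sum of all TIME_LIMIT_* values: the most time a single procedure can
    consume if every analysis phase runs to its limit."""
    return sum(int(v) for k, v in settings.items()
               if k.startswith("TIME_LIMIT_") and not isinstance(v, list))


def worst_case_hours(settings, procedure_count):
    """Upper bound on wall-clock hours if ``procedure_count`` procedures were
    analysed one after another and each hit every limit. Real runs finish far
    sooner, since most procedures never reach a limit; this is a ceiling for
    capacity planning, not an estimate."""
    return time_limit_budget_seconds(settings) * procedure_count / 3600.0


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    budget = time_limit_budget_seconds(conf)
    print(f"per-procedure budget: {budget} s ({budget / 60:.0f} min)")
    print(f"ceiling for 500 procedures: {worst_case_hours(conf, 500):.1f} h")
```

Run it as a script to see the 70-minute figure reproduced; feed it your own fragment (for example a copy of thorough.conf) to see what a different set of limits implies.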

To report problems with this documentation, please visit https://support.codesecure.com/.