Looking to run Fortify static analysis tool.

Hello, two related questions:

1) We're hiring a third party, Fortify to statically analyze our code base. I'm having trouble figuring out where I can modify the build tool calls and plugin an external analyzer. Can I modify this via CMake, or a flag when calling West?

This is what Fortify sent us, which I think is intended for a standard makefile.

2) I realize I can run the analyze command from within Segger to analyze the code via Clang's static tool. How can I do this via command line for automated builds? I'm imagining this is part of an build automation system.

Parents

0 tesc over 2 years ago

Hi,

We don't think it's possible throiugh west directly.

The toolchain prefix is resolved in cmake files in zephyr/cmake/toolchain and some things are done in zephyr SDK files. Maybe something can be done in those cmake files, although it may require extensions to the files or adding it as a new toolchain.

Zephyr does add a lot of its own regarding compiler prefixes, so simply changing the compiler by adding a prefix is not expected to work (since your added prefix is prefixed by yet other prefixes.)

We have not tested this, and not made any attempts at using sourceanalyzer or other simlar tools, so there may exist other workarounds or issues that we haven't thought about.

Regards,
Terje
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 tesc over 2 years ago

Hi,

We don't think it's possible throiugh west directly.

The toolchain prefix is resolved in cmake files in zephyr/cmake/toolchain and some things are done in zephyr SDK files. Maybe something can be done in those cmake files, although it may require extensions to the files or adding it as a new toolchain.

Zephyr does add a lot of its own regarding compiler prefixes, so simply changing the compiler by adding a prefix is not expected to work (since your added prefix is prefixed by yet other prefixes.)

We have not tested this, and not made any attempts at using sourceanalyzer or other simlar tools, so there may exist other workarounds or issues that we haven't thought about.

Regards,
Terje
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 EDLT over 2 years ago in reply to tesc

Hi Tesc,

It didn't seem straight forward to us either within the West environment.

Segger IDE provides a method to export the build script. Within this build script we can manually modify the compiler command and insert the source analyzer. We were able to utilize Fortify's tool in this manner.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 tesc over 2 years ago in reply to EDLT

Hi,

If you want to look deeper into the possibility of doing this with west then you can have a look at rules.ninja and modify it to use the analysis tool instead of directly calling the compiler. However I highly suspect this could be jumping down a rabbit hole, so if you have found a working solution I would not spend too much time on it.

Regards,
Terje
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel