Hi Mark,

Thank you for letting us know about CodeSecure and CodeSonar static analysis.

Some years ago I used PVS-Studio (info here: https://acassis.wordpress.com/2017/07/13/using-pvs-studio-to-find-bugs-in-cc/ ), but this kind of software coverage finds tons of false positives. So, we will spend more time filtering what is really an issue and what is not. So, if you can share publicly what you have found, it could be helpful.

BR,

Alan

On Thu, Oct 3, 2024 at 9:31 AM Mark Hermeling <mhermel...@codesecure.com> wrote:

> Hello,
>
> I work for CodeSecure, who builds and sells the CodeSonar static analysis
> tool that detects both coding style violations (think MISRA) as well as
> deep security vulnerabilities (think buffer overruns due to tainted data).
> Over the past while, we have been running CodeSonar on a couple of open
> source projects nightly and yesterday I added NuttX to that list.
>
> These runs are driven from GitLab and I have a fork of the official repo
> here:
> https://gitlab.com/codesonar/examples/nuttx
>
> Repo is updated nightly and then CodeSonar is run on the changes and these
> changes are stored on a SaaS CodeSonar hub.
>
> Two things I can do:
>
> * I can send a daily email to the dev list with the new warnings of
>   that day (if there were any changes). This is what I do with a couple of
>   OSS projects.
> * I can also give people from the community access to the CodeSonar
>   hub to review the warnings there. This would provide you with the code
>   browsing capabilities of CodeSonar as well and it would allow you to
>   annotate warnings (High prio, low prio, false positives and so forth).
> * Unfortunately, at this point in time the hub is not publicly
>   accessible. Reach out to me at mhermel...@codesecure.com if you would
>   like access.
>
> I am open to other ideas as well. Right now, it only builds for
> raspberrypi-pico-w:nsh, I can certainly add other configurations.
>
> (note: I had to make one change to arch/arm/src/common/Toolchain.defs and
> comment out line 308:
> #ARCHOPTIMIZATION += --param=min-pagesize=0
> as this was throwing an error with arm-none-eabi-gcc during compilation.)
>
> Regards,
> Mark
>
> ________________________________
> The information contained in this e-mail and any attachments from
> CodeSecure, Inc may contain confidential and/or proprietary information,
> and is intended only for the named recipient to whom it was originally
> addressed. If you are not the intended recipient, any disclosure,
> distribution, or copying of this e-mail or its attachments is strictly
> prohibited. If you have received this e-mail in error, please notify the
> sender immediately by return e-mail and permanently delete the e-mail and
> any attachments.