CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy
APACHE-2.0 License
Published by csordasmarton over 3 years ago
sudo snap install codechecker --classic
Github Discussions are enabled in our repository. Now if you have any question or an idea you have to create a new discussion instead of an issue. Bug reports still have to be created as an Issue.
Roadmap for 2021 is available here: https://github.com/Ericsson/codechecker/projects/15
Moved from Travis CI to Github Actions (#3066, #3086, #3131).
Sphinx documentation generator tool parser (#3017).
CodeChecker cmd results --details command (#3005).
json and html output when both formats are selected (#3059).
Resolved reports of remote to local (#3129).
CodeChecker log debug logs go to the report dir (#3166).
Report Tree view (#3037).
getRunIds API function in the Baseline Run filter (#3043).
Bump thrift requirements from 0.11.0 to 0.13.0 (#3032).
Bump lxml requirements from 4.5.0 to 4.6.2 (#3127).
For more detailed information check the milestone of this release.
Big thanks to everyone who helped us creating this release: @jay24rajput, @rasjani, @jimis, @engr-basit, @startergo.
Published by gyorb almost 4 years ago
Changes to the analyze and check commands for better CI integration #2943.
The gerrit output format was available only for the CodeChecker cmd diff command in the previous releases. With this change the parse command can be used for the gerrit integration too #2745:
CodeChecker parse analyzer_reports -e gerrit
Further changes affect several commands (parse, cmd diff, ...). For the full list of changes and improvements check out the milestone.
Big thanks to everyone who helped us creating this release:
@bulwahn, @gargaroff, @jay24rajput, @sudipm-mukherjee, @meghajain-1711, @dl9pf, @sylvestre, @jimis, @jgalenson,
Published by gyorb about 4 years ago
The statistics page got a new design with a lot of new features:
You will be able to list the open reports of your project for any date.
Open reports at a date are those which were detected BEFORE the given date and NOT FIXED BEFORE the given date.
From the CLI the open reports can be queried like this:
CodeChecker cmd results --open-reports-date 2020:09:11:12:20 --url ...
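The "open at a date" rule above has two edge cases worth pinning down: a report that was never fixed is still open, and a report fixed exactly at the query time was not fixed *before* it. The following is an added example (not CodeChecker's own code) that applies that definition to a constructed list of reports and parses the colon-separated timestamp the CLI accepts; the tuple layout of a report is an assumption of the example.

```python
from datetime import datetime
from typing import List, Optional, Tuple

# Timestamp layout used by `--open-reports-date` on this page: year:month:day:hour:minute.
OPEN_REPORTS_DATE_FORMAT = "%Y:%m:%d:%H:%M"

# One report: (report hash, detection time, fix time or None while still open).
# This tuple shape is an assumption of the example, not a CodeChecker data structure.
Report = Tuple[str, datetime, Optional[datetime]]


def parse_open_reports_date(value: str) -> datetime:
    """Parse the colon-separated timestamp accepted by --open-reports-date."""
    return datetime.strptime(value, OPEN_REPORTS_DATE_FORMAT)


def open_reports_at(reports: List[Report], at: datetime) -> List[Report]:
    """Reports open at `at`: detected before `at` and not fixed before `at`.

    A report with no fix time is still open; a report fixed exactly at `at`
    was not fixed *before* it, so it still counts as open.
    """
    return [r for r in reports if r[1] < at and (r[2] is None or r[2] >= at)]


# Constructed sample data, not taken from a real CodeChecker server.
SAMPLE_REPORTS: List[Report] = [
    ("a1", datetime(2020, 9, 1, 8, 0), None),                           # never fixed
    ("b2", datetime(2020, 9, 5, 9, 30), datetime(2020, 9, 10, 17, 0)),  # fixed before the query date
    ("c3", datetime(2020, 9, 8, 12, 0), datetime(2020, 9, 20, 10, 0)),  # fixed after the query date
    ("d4", datetime(2020, 9, 15, 7, 0), None),                          # detected after the query date
]


def demo() -> List[str]:
    """Hashes of the sample reports that were open at 2020:09:11:12:20."""
    at = parse_open_reports_date("2020:09:11:12:20")
    return [report_hash for report_hash, _, _ in open_reports_at(SAMPLE_REPORTS, at)]


if __name__ == "__main__":
    print(demo())  # ['a1', 'c3']
```

Only a1 and c3 are open at the query date: b2 was fixed the day before and d4 had not been detected yet.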
Filters are remembered while navigating between the pages. The report list and statistics related filters are saved separately. #2913
Analysis results from multiple static analyzers can be stored in the database; with this change, for each report the name of the analyzer which produced the result can be viewed. #2717
Reports with the same hash can be seen in a drop down list for each report without uniqueing #2896
There is a new syntax extended with guideline support which can be used to enable checker sets.
With the new syntax the checkers, profiles and guideline can be enabled or disabled even if there is a conflict in their name.
The arguments may start with a profile: or guideline: prefix which makes the choice explicit.
Without a prefix the name is interpreted as a profile name, a guideline name or a checker group/name, in this priority order.
CodeChecker analyze -o reports -e profile:sensitive -e guideline:sei-cert compile_command.json
Use these commands to list the available profiles
CodeChecker checkers --profile list
or guidelines:
CodeChecker checkers --guideline
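The priority rule above matters when a name exists in more than one namespace: on this page "security" is both a checker profile and the name of a ClangSA checker package, so a bare -e security selects the profile. The following added example (not CodeChecker's own resolver) implements the lookup order against a constructed catalogue; the profile, guideline and checker names are illustrative, and the separator-aware prefix match used for checker groups and the left-to-right override of -e/-d selections are assumptions of the example.

```python
from typing import Dict, List, Set

# Constructed catalogue for illustration only; the real lists come from
# `CodeChecker checkers --profile list` and `CodeChecker checkers --guideline`.
PROFILES: Dict[str, Set[str]] = {
    "sensitive": {"core.NullDereference", "alpha.security.ArrayBoundV2"},
    # A profile whose name collides with the ClangSA "security" checker package.
    "security": {"security.insecureAPI.strcpy", "bugprone-exception-escape"},
}
GUIDELINES: Dict[str, Set[str]] = {
    "sei-cert": {"bugprone-exception-escape", "security.insecureAPI.strcpy"},
}
CHECKERS: List[str] = [
    "core.NullDereference",
    "alpha.security.ArrayBoundV2",
    "security.insecureAPI.strcpy",
    "security.insecureAPI.gets",
    "bugprone-exception-escape",
]


def checker_group(name: str) -> Set[str]:
    """Checkers selected by an exact checker name or by a group prefix
    (e.g. "security.insecureAPI" selects every checker under it). The
    separator-aware prefix match is a simplifying assumption of this example."""
    return {c for c in CHECKERS
            if c == name or c.startswith(name + ".") or c.startswith(name + "-")}


def resolve(arg: str) -> Set[str]:
    """Expand one -e/-d argument into the set of checker names it selects.

    With an explicit "profile:" or "guideline:" prefix only that namespace is
    consulted. Without a prefix the lookup order is profile, guideline, then
    checker group or name, which is the priority order described above.
    """
    if arg.startswith("profile:"):
        name = arg[len("profile:"):]
        if name not in PROFILES:
            raise ValueError(f"unknown profile: {name}")
        return set(PROFILES[name])
    if arg.startswith("guideline:"):
        name = arg[len("guideline:"):]
        if name not in GUIDELINES:
            raise ValueError(f"unknown guideline: {name}")
        return set(GUIDELINES[name])
    if arg in PROFILES:
        return set(PROFILES[arg])
    if arg in GUIDELINES:
        return set(GUIDELINES[arg])
    matched = checker_group(arg)
    if not matched:
        raise ValueError(f"no profile, guideline or checker matches: {arg}")
    return matched


def enabled_checkers(args: List[str]) -> Set[str]:
    """Apply "-e NAME" / "-d NAME" pairs left to right; later selections
    override earlier ones (an assumption of this example)."""
    enabled: Set[str] = set()
    for flag, name in zip(args[::2], args[1::2]):
        selected = resolve(name)
        if flag == "-e":
            enabled |= selected
        elif flag == "-d":
            enabled -= selected
        else:
            raise ValueError(f"expected -e or -d, got {flag}")
    return enabled


if __name__ == "__main__":
    # Bare "security" means the profile; the ClangSA package needs its full group prefix.
    print(sorted(resolve("security")))
    print(sorted(resolve("security.insecureAPI")))
    print(sorted(enabled_checkers(["-e", "profile:sensitive",
                                   "-e", "guideline:sei-cert",
                                   "-d", "alpha.security"])))
```

Note that with the catalogue above there is no way to reach the whole ClangSA security package with a bare "security", which is exactly the ambiguity the explicit prefixes were introduced to remove.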
The reports from Markdownlint can be converted and stored to the report server like this:
# Run Markdownlint.
mdl /path/to/your/project > ./mdl_reports.out
# Use 'report-converter' to create a CodeChecker report directory from the
# analyzer result of Markdownlint.
report-converter -t mdl -o ./codechecker_mdl_reports ./mdl_reports.out
# Store Markdownlint reports with CodeChecker.
CodeChecker store ./codechecker_mdl_reports -n mdl
#2829
The --trim-path-prefix option can be set in the CodeChecker config file to list the path prefixes which should be trimmed by the parse subcommand when the reports are printed:
{
"parse": [
"--trim-path-prefix",
"/$HOME/workspace"
]
}
The config file for the parse command can be set like this:
CodeChecker parse report --config codechecker_cfg.json
#2885
Environment variables such as $HOME can be used in the config file, for example to point the analyzer to a skip file:
{
"analyzer": [
"--skip=$HOME/project/skip.txt"
]
}
#2877
The On-demand CTU analysis support introduced in the previous release is enabled by default now if the used clang static analyzer supports it. CTU analysis will be performed without the huge temporary disk space allocation.
With --ctu-ast-mode the analysis mode can be switched back to the old behavior if the new one consumes too much memory:
CodeChecker analyze --ctu-ast-mode load-from-pch ....
Building with make versions newer than 4.3 is fixed #2689. View the milestone for the complete list of changes in this release.
Big thanks to everyone who helped us creating this release: @sylvestre @gocarlos
Published by gyorb over 4 years ago
In this release the UI framework was completely replaced to increase usability, stability and performance.
The new framework allows a lot of improvements like:
With the new UI the permalinks are backward compatible so the saved URLs should work as before.
In addition to the UI improvements there is a new feature: if Unique reports is enabled on the reports view, there is a drop down list for each report showing the similar reports with the same report hash (but maybe with a different execution path).
Note! When building the package nodejs newer than v10.14.2 is required!
Please check the install guide for further instructions on how to install the dependencies.
Some checkers in Clang-Tidy can provide source code changes (fixits) to automatically modify the source code
and fix a report. This feature can also be used to modernize the source code.
To use this feature the clang-tidy analyzer and the clang-apply-replacements tool need to be available in the PATH.
During the clang-tidy analyzer execution the fixits are automatically collected.
CodeChecker analyze -o report_dir -j4 -e modernize -e performance -e readability compile_command.json --analyzers clang-tidy
Use the CodeChecker fixit report_dir command to list all collected fixits.
Fixits can be applied for a source file automatically like this:
CodeChecker fixit report_dir --apply --file "*mylib.h"
or in interactive mode where every source code modification needs to be approved:
CodeChecker fixit report_dir --interactive --file "*mylib.h"
Fixits can be applied based on a checker name, so to cleanup all the readability-redundant-declaration
results execute this command:
CodeChecker fixit report_dir --apply --checker-name readability-redundant-declaration
There are coding guidelines (SEI-CERT, C++ Core Guidelines, etc.) which contain best practices on avoiding common programming mistakes. To easily identify which checker maps to which guideline the --guideline flag was introduced.
To list the available guidelines where the mapping was done, use this command:
CodeChecker checkers --guideline
The checkers which cover a selected guideline can be listed like this:
CodeChecker checkers --guideline sei-cert
If we want to know which checker checks the sei-cert rule err55-cpp, executing the command below shows that the bugprone-exception-escape checker should be enabled if the err55-cpp rule needs to be checked:
CodeChecker checkers --guideline err55-cpp
bugprone-exception-escape
More detailed information about the checkers and the guideline mapping can be found by executing
this command:
CodeChecker checkers --guideline sei-cert --details
CodeChecker can generate a Makefile without executing the analysis.
The Makefile will contain all the necessary analysis commands as build targets.
With this Makefile the analysis can be executed by make or by some distributed build system which can use a Makefile to distribute the analysis commands.
Locally with a simple make it can be executed like this:
CodeChecker analyze --makefile -o makefile_reports compile_command.json
make -f makefile_reports/Makefile -j8
With this new flag (--ctu-ast-mode) the user can choose the way ASTs are loaded during CTU analysis. There are two options:
load-from-pch (the default behavior now, works with older clang versions v9 or v10)
parse-on-demand (needs clang master branch or clang 11)
The 'load-from-pch' mode can use significant disk space for the serialized ASTs. The 'parse-on-demand' mode can incur some runtime CPU overhead in the second phase of the analysis but uses much less disk space.
Execute this command to enable the on-demand mode:
CodeChecker analyze -j4 -o reports_ctu_demand --ctu --ctu-ast-mode parse-on-demand
See the pull request for more information.
Clang compiler warnings are reported by clang-tidy under checker names starting with clang-diagnostic-.
Previously they could be disabled only one-by-one. In this release the warnings can be disabled with the corresponding checker group:
CodeChecker analyze --analyzers clang-tidy -d clang-diagnostic
The CodeChecker server can be configured to listen on IPv6 addresses.
The --ctu-reanalyze-on-failure flag is marked as deprecated and will be removed in one of the upcoming releases.
There are a lot of further improvements and bug fixes in this release. The full list of changes can be found here.
Big thanks to everyone who helped us creating this release: @sylvestre @thresheek
Published by gyorb over 4 years ago
The incremental analysis extension introduced in v6.12.0 was changed in #2786!
Getting the c/cpp files that depend on a changed header is not done automatically from now on; the user has to generate the list of c/cpp files which should be analyzed.
To support this use case the tu_collector tool was extended to generate the dependent source file list like this:
tu_collector --dependents -l ./full_compilation_database.json -f "*/main.h"
Additional helper scripts and examples on how to analyze the source and header files modified in a git commit can be found in the tu_collector documentation.
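What tu_collector --dependents has to compute is the set of translation units whose include closure reaches the changed header. The following added example (not the tu_collector implementation) does that over a constructed in-memory project and a constructed compile_commands.json-shaped list: it extracts -I directories from each command, resolves quoted includes (next to the includer first, then the -I directories), walks the include graph cycle-safely and matches headers against the same kind of glob pattern that the -f option takes. System (angle-bracket) includes and -iquote/-isystem are deliberately ignored; those simplifications are assumptions of the example.

```python
import fnmatch
import os
import re
import shlex
from typing import Dict, List, Set

# Recognises quoted includes only; angle-bracket (system) includes are ignored on purpose.
INCLUDE_RE = re.compile(r'^\s*#\s*include\s*"([^"]+)"', re.MULTILINE)

# Constructed in-memory project: absolute path -> file contents.
SOURCES: Dict[str, str] = {
    "/proj/src/main.c":       '#include "main.h"\n#include "util.h"\nint main(void) { return 0; }\n',
    "/proj/src/util.c":       '#include "util.h"\n',
    "/proj/src/other.c":      '#include "other.h"\n',
    "/proj/include/main.h":   '#include "common.h"\n',
    "/proj/include/util.h":   "",
    "/proj/include/other.h":  "",
    "/proj/include/common.h": "",
}

# Constructed compilation database entries in the compile_commands.json shape.
COMPILATION_DB: List[Dict[str, str]] = [
    {"directory": "/proj", "command": "gcc -I/proj/include -c src/main.c -o main.o", "file": "src/main.c"},
    {"directory": "/proj", "command": "gcc -I /proj/include -c src/util.c -o util.o", "file": "src/util.c"},
    {"directory": "/proj", "command": "gcc -Iinclude -c src/other.c -o other.o", "file": "src/other.c"},
]


def include_dirs(entry: Dict[str, str]) -> List[str]:
    """Extract -I directories (both "-Idir" and "-I dir"), resolved against the entry's directory."""
    args = shlex.split(entry["command"])
    dirs: List[str] = []
    i = 0
    while i < len(args):
        if args[i] == "-I" and i + 1 < len(args):
            dirs.append(os.path.normpath(os.path.join(entry["directory"], args[i + 1])))
            i += 2
        elif args[i].startswith("-I"):
            dirs.append(os.path.normpath(os.path.join(entry["directory"], args[i][2:])))
            i += 1
        else:
            i += 1
    return dirs


def resolve_include(name: str, includer: str, dirs: List[str]) -> str:
    """Look for a quoted include next to the including file first, then in the -I dirs."""
    for base in [os.path.dirname(includer)] + dirs:
        candidate = os.path.normpath(os.path.join(base, name))
        if candidate in SOURCES:
            return candidate
    raise FileNotFoundError(f"{name} included from {includer} not found")


def transitive_includes(tu: str, dirs: List[str]) -> Set[str]:
    """All headers reachable from `tu` through quoted includes (cycle-safe)."""
    seen: Set[str] = set()
    stack = [tu]
    while stack:
        current = stack.pop()
        for name in INCLUDE_RE.findall(SOURCES[current]):
            header = resolve_include(name, current, dirs)
            if header not in seen:
                seen.add(header)
                stack.append(header)
    return seen


def dependents(header_pattern: str) -> List[str]:
    """Translation units of the compilation database that (transitively) include a
    header matching `header_pattern`, in the spirit of `tu_collector --dependents -f PATTERN`."""
    result: List[str] = []
    for entry in COMPILATION_DB:
        tu = os.path.normpath(os.path.join(entry["directory"], entry["file"]))
        headers = transitive_includes(tu, include_dirs(entry))
        if any(fnmatch.fnmatchcase(h, header_pattern) for h in headers):
            result.append(tu)
    return result


if __name__ == "__main__":
    print(dependents("*/common.h"))  # only main.c reaches common.h, via main.h
    print(dependents("*/util.h"))    # main.c and util.c
```

Because common.h is only reached through main.h, a change to it re-analyzes main.c alone, which is the point of collecting dependents instead of re-analyzing the whole compilation database.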
Published by gyorb over 4 years ago
Clang-tidy reports from (non system) headers are shown now; this change can increase the number of new results!
Use the following analyzer configuration to turn back the old behavior by setting the HeaderFilterRegex value to an empty string:
CodeChecker analyze compile_command.json --analyzer-config clang-tidy:HeaderFilterRegex=\"\"
Because of the Python 2 sunset at the beginning of 2020, CodeChecker was ported to Python 3; the minimal required version is 3.6. Because of the Python version change and the many updated third-party dependencies, the old virtual environment has to be removed and a new one created to build the package!
Starting with this version CodeChecker can store the results of multiple static and dynamic analyzers for different programming languages. The complete list of the supported analyzers can be found here.
To be able to store the reports of an analyzer a report converter tool is available which can convert the reports of the supported analyzers to a format which can be stored by the CodeChecker store command.
Inside a GitLab Runner CodeChecker can be executed to provide a code quality report for each GitLab merge request. The codeclimate json output format was added to the CodeChecker parse and CodeChecker cmd diff commands to generate a json file which can be parsed by GitLab as a quality report. See the GitLab integration guide for more details on how to configure the GitLab runners and CodeChecker.
Gerrit integration was simplified: no extra output parsing and converter scripts are needed. The CodeChecker cmd diff -o gerrit ... command can generate an output format which can be sent to gerrit as a review result.
Compilation commands executed by the Bazel build system can now be logged with the Codechecker logger to run the static analyzers on the source files. Check out the Bazel build system integration guide for more details.
Compilation errors that occur during the analysis are now captured as reports by the clang-diagnostic-error checker. These reports can be disabled like a normal checker:
CodeChecker analyze --disable clang-diagnostic-error ...
The Clang and Clang-tidy static analyzers and their checkers can be configured from the command line with the newly introduced --analyzer-config and --checker-config options.
Use these commands to list the available analyzer config options (use the --details flag for the default values and more description):
CodeChecker analyzers --analyzer-config clangsa
CodeChecker analyzers --analyzer-config clang-tidy
A Clang Static Analyzer configuration option can be enabled during analysis like this:
CodeChecker analyze compile_command.json -o reports --analyzer-config clangsa:suppress-c++-stdlib=false -c
Use the CodeChecker checkers --checker-config command to list the checker options, or CodeChecker checkers --checker-config --details to get the checker options with their default values.
A checker option can be set like this:
CodeChecker analyze compile_command.json -o reports -e cplusplus.Move --checker-config clangsa:cplusplus.Move:WarnOn="All"
There is no need for a complex skip file or for smaller compile command database files to run the analysis only on a few files. With the --file option the important files can be selected; the analysis of the other files will be skipped.
CodeChecker analyze compile_command.json --file "*main.cpp" "*lib.cpp"
Header files can not be analyzed without a c/cpp file. If a skip file contains a header file (with a "+" tag) like this:
+*lib.h
-*
it means the header file should be analyzed. CodeChecker tries to find all the c/cpp files including that header and executes the analysis on those c/cpp files too, so the header file gets analyzed.
The only limitation is that the full compilation database is required to collect this information.
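The skip file above combines two rules: a "+" line that keeps lib.h and a "-*" line that skips everything else, and the first line that matches a path decides. The following added example (not CodeChecker's skip-file parser) evaluates such rules with fnmatch-style globs and then applies the header rule from this section: a skipped c/cpp file is still analyzed when it includes a header an explicit "+" rule keeps. The include map is constructed by hand to stand in for what CodeChecker collects from the full compilation database; comment handling and the exact glob dialect are assumptions of the example.

```python
import fnmatch
from typing import Dict, List, Optional, Set, Tuple

Rule = Tuple[str, str]  # ('+' or '-', glob pattern)


def parse_skip_file(text: str) -> List[Rule]:
    """Parse skip file lines of the form "+pattern" (analyze) or "-pattern" (skip).
    Blank lines and '#' comments are ignored (comment handling is an assumption)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] not in "+-":
            raise ValueError(f"skip file line must start with + or -: {raw!r}")
        rules.append((line[0], line[1:].strip()))
    return rules


def first_match(path: str, rules: List[Rule]) -> Optional[str]:
    """Sign of the first rule whose glob matches `path`, or None if no rule matches.
    fnmatch's '*' also matches '/', so "*lib.h" matches any directory depth."""
    for sign, pattern in rules:
        if fnmatch.fnmatchcase(path, pattern):
            return sign
    return None


def is_skipped(path: str, rules: List[Rule]) -> bool:
    """First matching rule wins; a path that matches no rule is analyzed."""
    return first_match(path, rules) == "-"


def translation_units_to_analyze(rules: List[Rule], includes: Dict[str, Set[str]]) -> List[str]:
    """Select the c/cpp files to analyze. `includes` maps each file of the compilation
    database to the headers it includes. A file is analyzed if it is not skipped
    itself, or if it includes a header that an explicit '+' rule keeps, because a
    header can only be analyzed through a translation unit that includes it."""
    selected: List[str] = []
    for tu, headers in includes.items():
        if not is_skipped(tu, rules):
            selected.append(tu)
        elif any(first_match(h, rules) == "+" for h in headers):
            selected.append(tu)
    return sorted(selected)


# Constructed sample: the skip file from this section and a hand-written include map.
SKIP_FILE = "+*lib.h\n-*\n"
INCLUDES: Dict[str, Set[str]] = {
    "/proj/src/main.cpp":  {"/proj/include/lib.h", "/proj/include/common.h"},
    "/proj/src/lib.cpp":   {"/proj/include/lib.h"},
    "/proj/src/other.cpp": {"/proj/include/common.h"},
}


def demo() -> List[str]:
    """Every source is skipped by "-*", but main.cpp and lib.cpp include lib.h,
    which "+*lib.h" keeps, so those two are analyzed and other.cpp is not."""
    return translation_units_to_analyze(parse_skip_file(SKIP_FILE), INCLUDES)


if __name__ == "__main__":
    print(demo())  # ['/proj/src/lib.cpp', '/proj/src/main.cpp']
```

A plain third-party exclusion such as "-*/3pp/*" behaves the way one expects from the same evaluator: files under 3pp are skipped and everything else, matching no rule, is analyzed.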
The CodeChecker commands can be saved in a config file which can be put into a version control system or distributed between multiple developers much easier. In the previous release v6.11.0 the support for the analyzer configuration file was added. In this release it was extended to the web server related commands (store, server) so they can be stored into a configuration file too.
It is not required to type out the options in the command line all the time to store the analysis reports.
With an example store_cfg.json config file like this:
{
"store":
[
"--name=run_name",
"--tag=my_tag",
"--url=http://codechecker.my/MyProduct"
]
}
The CodeChecker store command can be this short: CodeChecker store reports --config store_cfg.json
Further changes affect the CodeChecker parse command.
A description can be attached to the stored run: CodeChecker store --description "analysis related extra information" ...
These CodeChecker check and CodeChecker analyze options were already deprecated and were removed in this release:
There are a lot of improvements and bug fixes in this release.
The full list of changes can be found here.
This is the last release with the NCSA license the new license after the release will be: "Apache 2.0 with LLVM Exception", SPDX License Identifier: "Apache-2.0 WITH LLVM-exception"
Big thanks to everyone who helped us creating this release: @itzurabhi, @tilya, @themightyoarfish @rpavlik @sylvestre
Published by gyorb over 4 years ago
Published by gyorb almost 5 years ago
Show system comments for bugs GUI #746
Review status changes by the users are automatically stored and shown at the report comment section
for each report. With this feature the status changes of the reports can be easily tracked.
Introduce different compiler argument filtering if the original compiler was clang #2382 #2482
If the original compiler used to build a project was clang/clang++ only a minimal compilation
flag filtering or modification is done.
In the case where the original compiler was gcc/g++ many non compatible compiler flags were
filtered which is not required if the original compiler is clang.
Store the Cppcheck plist reports #2474
Plist reports generated by Cppcheck can be stored by the CodeChecker store command.
For a more detailed example how to configure Cppcheck to generate the reports in the right format
see the documentation.
CodeChecker config file support for the analysis arguments #427 #2268
The arguments for a CodeChecker analyze command can be given in a config file.
A more detailed description about the usage and the config file format can be
found here.
Log compile commands with absolute paths #2447
With the introduction of a new environment variable (CC_LOGGER_ABS_PATH) the compiler include paths will be converted to absolute paths.
This conversion can be necessary if the compiler command database created
by CodeChecker will be used by other static analyzers (E.g. Cppcheck).
Enforce taking the analyzers from PATH #2378
With the newly introduced environment variable the usage of the static analyzers in the PATH
can be forced even if the configuration contains analyzers not from the PATH.
List ClangSA checker options #2425
The Clang Static Analyzer options can be listed now (requires clang v9.0.0 or newer).
Use the command CodeChecker analyzers --dump-config clangsa to print the static analyzer configuration.
Support json output for parse command #2424
The parse command can generate json output from the reports if required:
CodeChecker parse -e json analyzer_reports
Use CodeChecker parse with multiple directories #2384
The CodeChecker parse command now accepts multiple directories to parse the reports from.
Update the name of a run from the command line #1778
-include compiler flag #2440
api-metadata-path is set with the package option APIMetadataPath #2403
Big thanks to everyone who helped us creating this release: @josod, @LebedevRI, @sylvestre, @hpwxf, @irishrover, @scphantm
Published by gyorb about 5 years ago
This is a bug fix release including many fixes and documentation updates. There are no new features or backward incompatible changes.
alpha.security.MallocOverflow was removed from the sensitive profile because it throws too many false positives #2366
include-fixed dirs in include paths #2272: the include-fixed include paths of gcc might be required for the analysis, but not always, so the --keep-gcc-include-fixed flag is introduced and projects can keep or remove them.
The -nostdinc[++] #2344 and -stdlib #2303 compilation flags are considered at the implicit compiler include path detection, because they affect the list of the include paths.
The --isystem flag is put at a fixed place if the include files were in the package; a standard clang installation should not be affected by this change.
CC_LOGGER_GCC_LIKE environment variable #2315
Big thanks to everyone who helped us creating this release: @gwangmu, @irishrover, @zingo
Published by gyorb over 5 years ago
Add support to enable Z3 refutation.
Use the Z3 theorem prover if Clang is built with it, to cross check the results by Clang Static Analyzer.
The usage of this solver can reduce the false positives produced by the range-based solver,
and using refutation should not increase the analysis time a lot. #2091
This feature is enabled by default if available.
Add support to enable Z3 Theorem Prover #2087
Use the Z3 theorem prover if Clang is built with it. In this case the built in range-based constraints
solver will be replaced by Z3 in Clang Static Analyzer.
The performance is worse than the default range-based constraint solver right now.
It can be enabled by the --z3 flag.
Give warning if an enabled or disabled checker is missing or there was a typo in the checker name #2215
Clang warnings can be listed with CodeChecker checkers --warnings #1693
Add --trim_path_prefix option for the parse command #2076
You can find a more detailed list of changes here: milestone 6.10
Published by gyorb over 5 years ago
security checkers profile #1054
A security profile with multiple security related checkers is available. Run CodeChecker checkers --profile security for the full list of checkers. You can get more information about the checkers here and here.
This release contains many bug fixes and a large amount of source code refactoring.
We started the refactoring to split up the source tree to easier manageable pieces.
The work is not fully finished but we are close.
Separating the main parts will allow us to release and develop them independently in the future.
The main new parts of the restructured repository are:
You can find more details about the new layout here #1830
Published by gyorb over 5 years ago
Release 6.9.0
Published by gyorb almost 6 years ago
--force argument for store does not work #1802
check command's -c flag should remove the report directory #1646
Published by dkrupp about 6 years ago
CodeChecker cmd diff -b /path/to/report_dir_base -n /path/to/report_dir_new --new
#1654 Fine grain control of warnings
It will be possible to enable/disable clang warnings one-by-one. Example:
CodeChecker analyze /path/to/build.log -o /path/to/output/dir --enable Wunused --disable Wno-unused-parameter
Allow to set Clang Static Analyzer and Tidy checker options from CodeChecker command line See ticket (2018-Q3)
#1703 Analyzer Configuration It is supported to set all clang-tidy and clang static analyzer parameters such as -analyzer-inline-max-stack-depth, -analyzer-max-loop through configuration files. For details see pull request.
#1728 Configuration of Statistical Checkers
It will be possible to configure the significanceRatio and the minimumSampleCount for the statistical checkers:
alpha.ericsson.statisticsbased.SpecialReturnValue, alpha.ericsson.statisticsbased.UncheckedReturnValue. See issue.
#1720 Default C/C++ standard auto-detection
Detect automatically which C/C++ standard was used for compilation by gcc and pass the relevant option to Clang (e.g. -std=c++11) . See issue.
#1675 Filter reports by report hash
It will be possible to filter findings on the WEB GUI and command line based on bug hash. For details see pull request.
#1686 Filters for the checker statics page in WEB UI
Extended filters will be added to the statistics page. For details see pull request.
Possibility to delete reports based on filters in the WEB UI
#1624 Management (edit/add/delete) source code component definitions in the WEB UI
#1721 Upload Analyzer Statistics to the central server
For each analysis run, the following statistics are collected and uploaded to the central server and shown for all runs (and also in the run history): files that were analyzed successfully or with failure, the CodeChecker version used for the analysis, and the clang version used for the analysis.
#1737 handle missing documentation file
#1736 Increase API version
#1735 fine tune error logs
#1734 Renaming statistical test file to cpp
#1733 Fixing exception when shutting down server process
#1732 Making the test server start synchronous
#1731 Fixing the make file
#1728 New configuration options for statistical counting
#1727 Hide Remove filtered reports button
#1726 Fix some JS and python alerts
#1723 calculate bug path length at store (schema change)
#1722 Zombie processes remain on analysis interruption
#1719 Query reports only when shown.
#1717 improve error handling for packaging
#1716 update dojotoolkit link for download
#1715 change component filtering behavior
#1714 Introducing clang-tidy config options file on the command line interface.
#1713 Print statistics at the end of parse command
#1712 Describe new features of v6.8
#1711 Removing run reports in chunks
#1710 Add new checker profile: portability
#1708 Fix JavaScript old browser compatibility
#1707 Fix long line in failure_lib.py
#1706 Update web userguide
#1705 Fixed Spelling.
#1703 add checker and analyzer configuration documentation
#1702 Fix checker name filter
#1701 Pass severity map dictionary instead of the file
#1699 Encode html entities in PlistToHtml parser
#1695 Handle invalid json files
#1694 increase scan-build version for osx install
#1690 Fix confirmed bug icon at Checker statistics page
#1689 restructure python requirements files
#1685 Fasten tests
#1682 Extend filter text input field hint with example
#1681 Set default severity level for compiler warnings
#1680 Enable -Wall and -Wextra warnings by default
#1679 Multiline messages are displayed properly
#1678 Set default filter values at Checker statistics
#1677 Fix CTU test
#1676 Fix utf8 error at diff when generating html output
#1675 Filter reports by report hash at the command line
#1672 Ignore target dependent -mabi compiler option.
#1670 Call getSeverityCounts correctly
#1669 Fix compiler warning test cases
#1668 sysroot parameter can be given multiple ways
#1667 Update group field of the users tokens on login
#1664 Filter results by report hash on the GUI
#1663 Plist to html browser support
#1662 add .envrc to gitignore
#1660 Allow more product endpoint names to be valid
#1658 Fix tidy output converter
#1657 rename compile log file name in the bitbake example
#1655 Set file path after items are added to bug tree
#1650 Use valid license name
#1648 Summarize results for source files at parse cmd
#1645 Add statistics checkers' flags to CodeChecker check sub-command
#1644 Minor fix in documentation
#1641 Fix non existing report in the GUI
#1640 Distinguish BuildAction objects on original build command
Published by gyorb over 6 years ago
Published by gyorb over 6 years ago
Report counting was reviewed to give a consistent view in the
command line and at the web UI. The default views (without uniqueing)
shows the reports as they were found by the analyzers.
CTU can still work by dumping the AST to the disk. The on-the-fly option
managed the ASTs in memory.
misc-assert-side-effect -> bugprone-assert-side-effect
misc-argument-comment -> bugprone-argument-comment
misc-bool-pointer-implicit-conversion -> bugprone-bool-pointer-implicit-conversion
misc-dangling-handle -> bugprone-dangling-handle
misc-fold-init-type -> bugprone-fold-init-type
misc-forward-declaration-namespace -> bugprone-forward-declaration-namespace
misc-inaccurate-erase -> bugprone-inaccurate-erase
misc-move-forwarding-reference -> bugprone-move-forwarding-reference
misc-multiple-statement-macro -> bugprone-multiple-statement-macro
misc-string-constructor -> bugprone-string-constructor
misc-use-after-move -> bugprone-use-after-move
misc-implicit-cast-in-loop -> performance-implicit-conversion-in-loop
misc-inefficient-algorithm -> performance-inefficient-algorithm
misc-move-const-arg -> performance-move-const-arg
misc-move-constructor-init -> performance-move-constructor-init
misc-noexcept-move-constructor -> performance-noexcept-move-constructor
readability-implicit-bool-cast -> readability-implicit-bool-conversion
CodeChecker parse output #1559
-analyzer-config notes-as-events=true is added to the clang flags, which converts notes to events #1518
Published by gyorb over 6 years ago
Published by gyorb over 6 years ago
Published by gyorb over 6 years ago
Published by gyorb almost 7 years ago
The -idirafter gcc argument is not forwarded to the clang analyzer #1267
alpha.cplusplus.IteratorRange was removed from all checker profiles as the checker is unstable #1255
cmd diff -o html does not work if -n is a report directory #1277