What is static code analysis?
Static analysis tools are today an important part of the CI/CD toolchain and are required by regulatory standards. Furthermore, to combat the increasing threat from cyber security attacks, Static Application Security Testing (SAST) has been identified as one of the key tools.
Specifically, by the measure of the CWE Top 25, commercial code will be neither safe nor secure unless all of its undefined behavior bugs are found.
What is undefined behavior?
A program that has undefined behavior is broken according to the C and C++ specifications. The result of undefined behavior can be any of: a crash, a hang, a security vulnerability, a safety issue, a bug, execution of code that should be unreachable, or the program working exactly as you want. Undefined behavior allows the compiler to generate arbitrary code; for instance, it can freely remove code that has undefined behavior.
Examples of what may generate undefined behavior are listed below:
- Dead pointers
- Division by zero
- Integer overflows
- Invalid bit shift operands
- Invalid conversions
- Invalid usage of STL
- Memory management
- Null pointer dereferences
- Out of bounds checking
- Uninitialized variables
- Writing const data
Static code analysis for cyber security compliance
Static code analysis is a key tool for cybersecurity that checks source code for potential vulnerabilities, coding flaws, and compliance with security standards without running the program. Its role in cybersecurity compliance is becoming more important due to the growing number of cyber threats and regulatory requirements.
In automotive cybersecurity, ISO 21434 is a new standard that outlines requirements for managing cybersecurity risks in automotive products. Static code analysis helps ensure that automotive software is checked for vulnerabilities and compliance issues, supporting manufacturers in meeting this standard and improving the cybersecurity of automotive products.
The upcoming Network and Information Systems Directive 2 (NIS2), Radio Equipment Directive (RED), and Cyber Resilience Act (CRA) in the European Union are significant efforts to strengthen cybersecurity across different sectors. These laws will impose stricter cybersecurity requirements, highlighting the importance of secure software development practices.
Static code analysis will be crucial in meeting these new regulations. By identifying and addressing security issues during software development, organizations can show their commitment to cybersecurity, lower the risk of regulatory penalties, and protect themselves from the reputational damage caused by cyber breaches.
So what's unique about Cppcheck?
Cppcheck uses unsound flow-sensitive analysis. Several other analyzers use path-sensitive analysis based on abstract interpretation. That approach is also great, but each approach has advantages and disadvantages. In theory, by definition, path-sensitive analysis is better than flow-sensitive analysis.
In practice, however, Cppcheck's approach means it will detect bugs that the other tools do not detect. In Cppcheck the data flow analysis is not only "forward" but "bi-directional". Most analyzers will diagnose this:
    void foo(int x)
    {
        int buf[10];
        if (x == 1000)
            buf[x] = 0; // <- ERROR
    }
Most tools can determine that the array index will be 1000 and there will be overflow.
Cppcheck will also diagnose this:
    void foo(int x)
    {
        int buf[10];
        buf[x] = 0; // <- ERROR
        if (x == 1000) {}
    }
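To make the difference between forward and bi-directional data flow concrete, and to show how an out-of-bounds access (one of the undefined behavior categories listed above) is diagnosed by value-flow reasoning, here is a toy analyzer written for this page. It is an added example, not Cppcheck's code: it works on a small hand-built IR (the tuple shapes, the `Finding` class and the `analyze` function are all assumptions of this example), encodes both `foo` functions from the text, and reports the array index as a "known" value when an enclosing condition fixes it (forward) and as a "possible" value when a later condition on an unchanged variable reveals it (backward). A third case, where `x` is overwritten before the condition, shows the backward inference being suppressed.

```python
from dataclasses import dataclass

# Tiny IR for the examples in the text (constructed for this example).
# Each statement is a tuple:
#   ("array", name, size)          int name[size];
#   ("index", array, var)          array[var] = 0;
#   ("assign", var, value)         var = value;  (value None = unknown)
#   ("if", var, const, body)       if (var == const) { body }


@dataclass(frozen=True)
class Finding:
    stmt: int        # index of the offending statement within its block
    array: str
    var: str
    value: int
    certainty: str   # "known" (forward) or "possible" (from a later condition)


def analyze(stmts):
    """Return out-of-bounds findings for a block of IR statements."""
    findings = []
    _walk(stmts, {}, {}, findings)
    return findings


def _walk(stmts, known, arrays, findings):
    known = dict(known)  # copy: values learned here must not leak outward
    for i, st in enumerate(stmts):
        kind = st[0]
        if kind == "array":
            arrays[st[1]] = st[2]
        elif kind == "assign":
            _, var, value = st
            known[var] = {value} if value is not None else set()
        elif kind == "index":
            _, arr, var = st
            size = arrays[arr]
            forward = known.get(var, set())
            # Forward: values fixed by enclosing conditions or assignments.
            for v in sorted(forward):
                if not 0 <= v < size:
                    findings.append(Finding(i, arr, var, v, "known"))
            # Backward: values a later condition says the variable may hold
            # here, valid only while the variable is not reassigned in between.
            for v in sorted(_later_conditions(stmts[i + 1:], var)):
                if not 0 <= v < size and v not in forward:
                    findings.append(Finding(i, arr, var, v, "possible"))
        elif kind == "if":
            _, var, const, body = st
            inner = dict(known)
            inner[var] = {const}  # inside the branch the value is known
            _walk(body, inner, arrays, findings)


def _later_conditions(rest, var):
    """Constants compared against var after a use, until var is reassigned."""
    values = set()
    for st in rest:
        if st[0] == "assign" and st[1] == var:
            break
        if st[0] == "if":
            if st[1] == var:
                values.add(st[2])
            if _assigns(st[3], var):
                break  # a branch may overwrite var: stop conservatively
    return values


def _assigns(stmts, var):
    return any(
        (st[0] == "assign" and st[1] == var)
        or (st[0] == "if" and _assigns(st[3], var))
        for st in stmts
    )


# The two functions from the text, plus a reassignment case.
FORWARD_CASE = [
    ("array", "buf", 10),
    ("if", "x", 1000, [("index", "buf", "x")]),
]
BACKWARD_CASE = [
    ("array", "buf", 10),
    ("index", "buf", "x"),
    ("if", "x", 1000, []),
]
REASSIGNED_CASE = [
    ("array", "buf", 10),
    ("index", "buf", "x"),
    ("assign", "x", 5),
    ("if", "x", 1000, []),
]

if __name__ == "__main__":
    for name, case in [("forward", FORWARD_CASE), ("backward", BACKWARD_CASE),
                       ("reassigned", REASSIGNED_CASE)]:
        print(name, analyze(case))
```

A forward-only analyzer corresponds to dropping the `_later_conditions` step: it still reports the first function but is silent on the second. The "possible" label mirrors the distinction a value-flow analysis has to keep between values that are certain at a point and values merely implied by code that runs afterwards, which is also why the inference must stop at any intervening reassignment.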
What is TÜV SÜD?
TÜV stands for “Technischer Überwachungsverein,” which translates to “Technical Inspection Association” in English. TÜV SÜD is committed to protecting people and the environment through comprehensive testing, certification, auditing, and advisory services. The company ensures that new and updated technologies comply with regulations, with a strong focus on automotive innovation and development. Additionally, it acts as a notified body for medical devices in Europe.
Cppcheck Premium has received TÜV SÜD certification, signifying that it meets high safety and quality standards. TÜV SÜD has evaluated Cppcheck Premium to ensure its reliability and compliance with industry regulations. This certification underscores Cppcheck Premium's commitment to delivering high-quality static code analysis tools, particularly for applications in safety-critical industries.