How to Automate Static Security Analysis with Intel® C++ Compiler for Linux*

Published: 02/09/2012, Last Updated: 02/09/2012

This article shows how to automate the static security analysis check performed by the Intel® C++ Compiler for Linux. Static security analysis is the process of finding errors and security weaknesses in software through detailed analysis of its source code, without executing the program.

An automated quality gate like this one can noticeably reduce code review effort and, of course, lowers the likelihood that bugs and security weaknesses are first found once the product is in production.

To use the static security analysis as a quality gate in any project, run the check from the command line: the graphical user interface requires human interaction and cannot be driven by a build or commit hook.

The policy the gate enforces depends on the state of the code base:

In the case of legacy projects, ask the developers to submit new code only if they reduce the number of findings.
In the case of coding from scratch, allow no findings before new code is committed to your repository.

When the check is enabled (-diag-enable sc3) and the code is compiled, a new folder is created in which the findings are stored in a custom XML format (the .pdr file below, where X stands for a run-dependent number):

$ file rXsc/data.X/rXsc.pdr
rXsc/data.X/rXsc.pdr: XML document text


The xmlstar* package (XMLStarlet) can be used to list the findings together with their location information (file, line and function). It provides a command line tool, installed as xml or xmlstarlet depending on the distribution, that queries XML documents with XPath expressions.

http://xmlstar.sourceforge.net

The following command lists every finding as file:line:message; the gate passes only when it prints nothing, and only then should the usual development cycle proceed. The sample output below comes from a build that still has three findings.

$ xml sel -t -m /diags/diag -v "concat(message/thread/stacktrace/loc/file, ':', message/thread/stacktrace/loc/line, ':', sc_verbose)" -n rXsc/data.0/rXsc.pdr
/home/$USER/work/$PROD/src/pool.c:157:pool.c(157): warning #12178: this value of "ret" isn't used in the program
/home/$USER/work/$PROD/src/pool.c:186:pool.c(186): error #12192: unreachable statement
/home/$USER/work/$PROD/src/pool.c:216:pool.c(216): warning #12135: procedure "pool_done" is never called
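The two policies above (zero findings for new code, a shrinking count for legacy code) and the listing produced by the xmlstarlet query can be combined into one script that a build system or pre-commit hook calls and that fails the build with a non-zero exit status. The script below is an added example written for this article, not Intel's code or part of the compiler: it replaces xmlstarlet with Python's xml.etree and relies only on the element names visible in the XPath used above (/diags/diag/message/thread/stacktrace/loc/file, .../loc/line and sc_verbose); any other detail of the real .pdr schema is unknown here and not assumed. The embedded sample .pdr is constructed to mirror the three findings listed above, with the $USER/$PROD placeholders replaced by made-up paths.

```python
"""sc_gate.py: quality gate over an Intel C++ Compiler static-analysis .pdr file.

Added example, not code from the original article. The XML layout used here
is inferred from the article's xmlstarlet XPath only; the real .pdr schema is
not otherwise known or relied upon.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape implied by the article's XPath. The three
# <diag> entries mirror the findings listed in the article; paths are made up.
SAMPLE_PDR = """<?xml version="1.0"?>
<diags>
  <diag>
    <message><thread><stacktrace><loc>
      <file>/home/user/work/prod/src/pool.c</file><line>157</line>
    </loc></stacktrace></thread></message>
    <sc_verbose>pool.c(157): warning #12178: this value of "ret" isn't used in the program</sc_verbose>
  </diag>
  <diag>
    <message><thread><stacktrace><loc>
      <file>/home/user/work/prod/src/pool.c</file><line>186</line>
    </loc></stacktrace></thread></message>
    <sc_verbose>pool.c(186): error #12192: unreachable statement</sc_verbose>
  </diag>
  <diag>
    <message><thread><stacktrace><loc>
      <file>/home/user/work/prod/src/pool.c</file><line>216</line>
    </loc></stacktrace></thread></message>
    <sc_verbose>pool.c(216): warning #12135: procedure "pool_done" is never called</sc_verbose>
  </diag>
</diags>
"""

# The compiler's verbose text carries "warning #NNNNN" / "error #NNNNN";
# this regex pulls out severity and diagnostic number for reporting.
SEVERITY_RE = re.compile(r"\b(warning|error|remark)\s+#(\d+)")


def parse_findings(xml_text):
    """Return one dict per <diag>: file, line, severity, code and message.

    Missing location elements are tolerated ("?") rather than crashing the
    gate, so a malformed entry is still reported instead of silently skipped.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for diag in root.iter("diag"):
        loc = diag.find("message/thread/stacktrace/loc")
        path = (loc.findtext("file", "?") if loc is not None else "?").strip()
        line = (loc.findtext("line", "?") if loc is not None else "?").strip()
        msg = (diag.findtext("sc_verbose") or "").strip()
        m = SEVERITY_RE.search(msg)
        findings.append({
            "file": path,
            "line": line,
            "severity": m.group(1) if m else "unknown",
            "code": int(m.group(2)) if m else 0,
            "message": msg,
        })
    return findings


def format_finding(f):
    """Same file:line:message shape as the article's xmlstarlet output."""
    return f"{f['file']}:{f['line']}:{f['message']}"


def gate(findings, baseline=None):
    """Apply the article's two policies and return (passed, reason).

    baseline is None : code written from scratch, no findings allowed.
    baseline is N    : legacy code, the submission must *reduce* the count,
                       i.e. report strictly fewer than N findings.
    """
    count = len(findings)
    if baseline is None:
        return count == 0, f"{count} finding(s); new code must have 0"
    return count < baseline, f"{count} finding(s) vs baseline of {baseline}"


def main(argv):
    # usage: sc_gate.py rXsc/data.X/rXsc.pdr [baseline-count]
    if len(argv) < 2:
        print("usage: sc_gate.py <rXsc.pdr> [baseline-count]", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        findings = parse_findings(fh.read())
    for f in findings:
        print(format_finding(f))
    baseline = int(argv[2]) if len(argv) > 2 else None
    passed, reason = gate(findings, baseline)
    print(("PASS: " if passed else "FAIL: ") + reason)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after the compile step as `python3 sc_gate.py rXsc/data.0/rXsc.pdr` for new code, or with the previous run's finding count as second argument for a legacy tree, and let the non-zero exit status reject the commit. One caveat a reviewer should keep in mind: the legacy policy compares counts only, so a change that removes one finding and introduces another of a different kind still passes; if that matters, store the previous listing and diff on file and message text rather than on the total, accepting that line numbers shift between runs.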
