Static code check – Klocwork
Denisa Ivan

Contents:
• Overview
• Usage
• Cases
• Conclusions

Overview
• Klocwork is a static code analysis tool that manages baselines and issues in a database. Klocwork analyses the code after capturing the compilation (build) settings.
• Designed for C/C++, C# and Java code
• Available as:
  – a command-line tool
  – a plugin integrated into an IDE
  – a standalone IDE
• Can be integrated into an IDE (e.g. Eclipse, Visual Studio, IntelliJ IDEA)
  – Downside: the code is read-only in the IDE viewer
• Users of text editors or unsupported IDEs have the option of Klocwork Desktop or the command-line tools.
• Used by both integrators and developers
• Built-in checkers (200+) can be enabled/disabled at every static code check session.

Usage
• Set up a local project (only the first time):
  – kwcheck create --url http://server2:8080/my_project
• Capture build settings: ./kwshell
• Run the analysis: kwcheck run
• Display issues: kwcheck list -F detailed
• Automated build monitoring with kwshell:
  – kwshell -pn /space/testing/jlee/myproject/.kwlp
  – make
  – Unsupported compilers need additional steps
• Ignore issues:
  – kwcheck set-status 22 7 30-32 --status fix -c "top priority"   // issues number 22, 7, 30-32 will be ignored
• Statuses:
  – kwcheck list-statuses

Issue statuses

Issue severity
• An issue severity is made up of a level from 1 through 10, plus a label such as Warning.
• Severities are displayed for detected issues in Klocwork Review and on the desktop.
• Each checker has a default severity.
• The available severity levels and their default labels are as follows:
  – 1 - Critical
  – 2 - Error
  – 3 - Warning
  – 4 - Review
  – 5 through 10 - "Severity 5" through "Severity 10"

Issue severity
• Checkers are assigned severities 1 through 4.
• Custom checkers are assigned severity 4 by default.
• You can edit:
  – the severity level for individual checkers
  – the labels for each severity level

Examples of detected weaknesses
• Buffer overflows
• Unvalidated user input
• Injection
• Cross-site scripting
• Information leakage
• Infinite loops
• Memory and resource leaks
• Full description here

Built-in checkers for secure coding standards
• CWE
• CWE/SANS Top 25
• CERT
• OWASP
• DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide)
• MISRA (Motor Industry Software Reliability Association)

Preferences: checkers for the C/C++ language

Cases
The following are several C/C++ errors reported by Klocwork Desktop.

Buffer overflow
• The "More information" link redirects to the complete help manual, which helps in understanding the origin of the problem and its solution.

Infinite loop

NULL pointer dereferences
• void setValue(int* p){ *p = 32;}

Resource leaks

Memory leaks / usage of uninitialized data

• Complete C and C++ checker reference: here
• Complete Java checker reference: here
• Complete C# checker reference: here

Conclusions
• Unlike other static code analysis tools, Klocwork integrates into desktop IDEs.
• Mirroring how code is developed, Klocwork prevents defects and finds vulnerabilities on-the-fly, as the code is being written.
• Klocwork is a versatile tool for static code checking of complex projects developed in C/C++, C# and Java.
• Customizing checkers, issue statuses and severities is possible.
• Monitoring issues across the project baselines is made easy by the wide range of issue statuses.
• Klocwork can be a plugin for the IDE or an IDE itself, and it provides easy ways to find and solve issues.

Questions?
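The defect classes on the Cases slides (buffer overflow, infinite loop, NULL pointer dereference, resource and memory leaks, use of uninitialized data), as an added C example that is not from the original slides or from Klocwork. Each pattern appears first in the form a static checker such as Klocwork reports it, then in a corrected form whose return value makes the failure visible to the caller; all function names, the 8-byte buffer size and the file path are this example's own.

```c
/* Added example, not from the original slides or from Klocwork: the C
 * defect classes the "Cases" slides list, each in the form a static
 * checker reports and then corrected. All names are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NULL pointer dereference: the slide's setValue(); p is never checked. */
void set_value_unchecked(int *p) { *p = 32; }
/* Corrected: refuse NULL and tell the caller. */
int set_value_checked(int *p) {
    if (p == NULL) return -1;
    *p = 32;
    return 0;
}

/* Buffer overflow: strcpy() ignores the 8-byte destination. Not called. */
void copy_unchecked(const char *src) {
    char dst[8];
    strcpy(dst, src);                   /* overflows when strlen(src) >= 8 */
}
/* Corrected: bounded copy, always NUL-terminated; returns the number of
 * source bytes dropped so truncation is visible to the caller. */
size_t copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0) return len;
    size_t keep = len < dst_size - 1 ? len : dst_size - 1;
    memcpy(dst, src, keep);
    dst[keep] = '\0';
    return len - keep;
}

/* Uninitialized data: 'total' is read before any assignment. */
int sum_uninit(const int *v, size_t n) {
    int total;
    for (size_t i = 0; i < n; i++) total += v[i];
    return total;
}
/* Corrected. */
int sum_init(const int *v, size_t n) {
    int total = 0;
    for (size_t i = 0; i < n; i++) total += v[i];
    return total;
}

/* Infinite loop: the counter is never advanced, so for n > 0 the loop
 * never exits. Not called. */
unsigned count_up_infinite(unsigned n) {
    unsigned i = 0, steps = 0;
    while (i < n) steps++;              /* i is never incremented */
    return steps;
}
/* Corrected. */
unsigned count_up(unsigned n) {
    unsigned i = 0, steps = 0;
    while (i < n) { steps++; i++; }
    return steps;
}

/* Resource and memory leak: both error returns leave the FILE* open and
 * the second also drops the heap buffer. */
long first_byte_leaky(const char *path) {
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    unsigned char *buf = malloc(16);
    if (buf == NULL) return -1;                /* f leaked */
    if (fread(buf, 1, 16, f) < 16) return -1;  /* f and buf leaked */
    long v = buf[0];
    free(buf); fclose(f);
    return v;
}
/* Corrected: every acquired resource is released on every path. */
long first_byte(const char *path) {
    long v = -1;
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    unsigned char *buf = malloc(16);
    if (buf != NULL) {
        if (fread(buf, 1, 16, f) == 16) v = buf[0];
        free(buf);
    }
    fclose(f);
    return v;
}

int main(void) {
    int x = 0, v[4] = {1, 2, 3, 4};
    char out[8];
    int rc = set_value_checked(&x);     /* call first: argument order is unspecified */
    size_t dropped = copy_bounded(out, sizeof out, "0123456789");
    printf("NULL -> %d; &x -> %d, x = %d\n", set_value_checked(NULL), rc, x);
    printf("dropped %zu bytes, out = \"%s\"; sum = %d, steps = %u, missing file -> %ld\n",
           dropped, out, sum_init(v, 4), count_up(5),
           first_byte("/nonexistent/constructed/path"));   /* constructed, absent path */
    return 0;
}
```

The unchecked forms are defined but never called: set_value_unchecked(NULL), copy_unchecked with a string of 8 or more bytes and count_up_infinite with n > 0 are exactly the inputs the checker is warning about. The corrected forms report failure through their return value (-1, the number of dropped bytes, a loop that terminates, a closed file on every path), which is what lets the behaviour be checked without a crash.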