Developer(s) | CodeSecure, Inc. |
---|---|
Stable release | 7.3 / 8 May 2023 |
Operating system | Cross-platform |
Type | static code analysis |
License | Proprietary |
CodeSonar is a static code analysis tool from CodeSecure, Inc. CodeSonar is used to find and fix bugs and security vulnerabilities [1] in source and binary code. [2] [3] [4] It performs whole-program, inter-procedural analysis with abstract interpretation on C, C++, C#, Java, as well as x86 and ARM binary executables and libraries. CodeSonar is typically used by teams developing or assessing software to track their quality or security weaknesses. CodeSonar supports Linux, BSD, FreeBSD, NetBSD, MacOS and Windows hosts and embedded operating systems and compilers.
CodeSonar provides information for every weakness found, including the trace through the source code that would trigger the bug as well as a call-tree visualization that represents how the weakness is related to the wider application.
CodeSonar supports compliance with functional safety standards like IEC 61508, ISO 26262, DO-178B/C, or ISO/IEC TS 17961. CodeSonar's warning classes also support several coding standard initiatives, [5] including MITRE's CWE, JPL, Power of 10, MISRA C/C++ and SEI CERT C.
CodeSonar is used in the defense/aerospace, medical, industrial control, automotive, electronic, tele/datacommunications and transportation industries. Some well known use cases are FDA Center for Devices and Radiological Health uses it to detect defects in fielded medical devices. [6] [7] The NHTSA and NASA used CodeSonar to study on sudden unintended acceleration in the electronic throttle control systems of Toyota vehicles [8] [9]
Supported Programming Languages: C, C++, C#, Java, Python, binary code analysis supports Intel x86-32, amd64 and ARM.
Supported Platforms: Microsoft Windows, Linux, FreeBSD, NetBSD, MacOS
Supported Compilers: Apple Xcode, ARM RealView, CodeWarrior, GNU C/C++, Green Hills Compiler, HI-TECH Compiler, IAR Compiler, Intel C++ Compiler, Microsoft Visual Studio, Renesas Compiler, Sun C/C++, Texas Instruments CodeComposer, Wind River Compiler
In computing, the Executable and Linkable Format, is a common standard file format for executable files, object code, shared libraries, and core dumps. First published in the specification for the application binary interface (ABI) of the Unix operating system version named System V Release 4 (SVR4), and later in the Tool Interface Standard, it was quickly accepted among different vendors of Unix systems. In 1999, it was chosen as the standard binary file format for Unix and Unix-like systems on x86 processors by the 86open project.
The GNU Debugger (GDB) is a portable debugger that runs on many Unix-like systems and works for many programming languages, including Ada, Assembly, C, C++, D, Fortran, Go, Objective-C, OpenCL C, Modula-2, Pascal, Rust, and partially others.
In computing, cross-platform software is computer software that is designed to work in several computing platforms. Some cross-platform software requires a separate build for each platform, but some can be directly run on any platform without special preparation, being written in an interpreted language or compiled to portable bytecode for which the interpreters or run-time packages are common or standard components of all supported platforms.
In computing, binary translation is a form of binary recompilation where sequences of instructions are translated from a source instruction set to the target instruction set. In some cases such as instruction set simulation, the target instruction set may be the same as the source instruction set, providing testing and debugging features such as instruction trace, conditional breakpoints and hot spot detection.
A cross compiler is a compiler capable of creating executable code for a platform other than the one on which the compiler is running. For example, a compiler that runs on a PC but generates code that runs on an Android smartphone is a cross compiler.
Valgrind is a programming tool for memory debugging, memory leak detection, and profiling.
C99 is an informal name for ISO/IEC 9899:1999, a past version of the C programming language standard. It extends the previous version (C90) with new features for the language and the standard library, and helps implementations make better use of available computer hardware, such as IEEE 754-1985 floating-point arithmetic, and compiler technology. The C11 version of the C programming language standard, published in 2011, replaces C99.
Free Pascal Compiler (FPC) is a compiler for the closely related programming-language dialects Pascal and Object Pascal. It is free software released under the GNU General Public License, with exception clauses that allow static linking against its runtime libraries and packages for any purpose in combination with any other software license.
In the context of software engineering, software quality refers to two related but distinct notions:
QEMU is a free and open-source emulator. It emulates a computer's processor through dynamic binary translation and provides a set of different hardware and device models for the machine, enabling it to run a variety of guest operating systems. It can interoperate with Kernel-based Virtual Machine (KVM) to run virtual machines at near-native speed. QEMU can also do emulation for user-level processes, allowing applications compiled for one architecture to run on another.
coreboot, formerly known as LinuxBIOS, is a software project aimed at replacing proprietary firmware found in most computers with a lightweight firmware designed to perform only the minimum number of tasks necessary to load and run a modern 32-bit or 64-bit operating system.
UPX is a free and open source executable packer supporting a number of file formats from different operating systems.
Rosetta is a dynamic binary translator developed by Apple Inc. for macOS, an application compatibility layer between different instruction set architectures. It enables a transition to newer hardware, by automatically translating software. The name is a reference to the Rosetta Stone, the artifact which enabled translation of Egyptian hieroglyphs.
A free and open-source graphics device driver is a software stack which controls computer-graphics hardware and supports graphics-rendering application programming interfaces (APIs) and is released under a free and open-source software license. Graphics device drivers are written for specific hardware to work within a specific operating system kernel and to support a range of APIs used by applications to access the graphics hardware. They may also control output to the display if the display driver is part of the graphics hardware. Most free and open-source graphics device drivers are developed by the Mesa project. The driver is made up of a compiler, a rendering API, and software which manages access to the graphics hardware.
In C and related programming languages, long double
refers to a floating-point data type that is often more precise than double precision though the language standard only requires it to be at least as precise as double
. As with C's other floating-point types, it may not necessarily map to an IEEE format.
In the context of free and open-source software, proprietary software only available as a binary executable is referred to as a blob or binary blob. The term usually refers to a device driver module loaded into the kernel of an open-source operating system, and is sometimes also applied to code running outside the kernel, such as system firmware images, microcode updates, or userland programs. The term blob was first used in database management systems to describe a collection of binary data stored as a single entity.
GrammaTech is a cybersecurity research services company based in Ithaca, New York. The company was founded in 1988 as a technology spin-off of Cornell University. GrammaTech software research services include the following; software analysis, vulnerability detection and mitigation, binary transformation and hardening, and autonomous computing. In September 2023, Battery Ventures acquired GrammaTech's software products division, including the CodeSonar and CodeSentry product lines. Thus establishing a new, independent entity that will operate under the CodeSecure, Inc. name and be headquartered in Bethesda, Maryland.
NetBSD is a free and open-source Unix operating system based on the Berkeley Software Distribution (BSD). It was the first open-source BSD descendant officially released after 386BSD was forked. It continues to be actively developed and is available for many platforms, including servers, desktops, handheld devices, and embedded systems.
Parasoft C/C++test is an integrated set of tools for testing C and C++ source code that software developers use to analyze, test, find defects, and measure the quality and security of their applications. It supports software development practices that are part of development testing, including static code analysis, dynamic code analysis, unit test case generation and execution, code coverage analysis, regression testing, runtime error detection, requirements traceability, and code review. It's a commercial tool that supports operation on Linux, Windows, and Solaris platforms as well as support for on-target embedded testing and cross compilers.
AbsInt is a software-development tools vendor based in Saarbrücken, Germany. The company was founded in 1998 as a technology spin-off from the Department of Programming Languages and Compiler Construction of Prof. Reinhard Wilhelm at Saarland University. AbsInt specializes in software-verification tools based on abstract interpretation. Its tools are used worldwide by Fortune 500 companies, educational institutions, government agencies and startups.