SourceMeter

SourceMeter
Developer(s)	FrontEndART Ltd.
Stable release	8.2 / December 16, 2016;5 years ago
Written in	C, C++
Operating system	Cross-platform
License	EULA
Website	www.sourcemeter.com

Last updated January 11, 2022

SourceMeter is a source code analyzer tool, which can perform deep static program analysis of the source code of complex programs in C, C++, Java, Python, C#, and RPG (AS/400).^[1] FrontEndART has developed SourceMeter based on the Columbus technology^[2] researched and developed at the Department of Software Engineering of the University of Szeged.^[3]^[4]

Background

During the static analysis, an abstract semantic graph (ASG) is constructed from the language elements of the source code. This ASG is then processed by the different tools in the package to calculate product metrics^[5] like LLOC,^[6] NLE or NOA, identify duplicate code (copy-pasted code; clones), coding rule violations, etc.

SourceMeter can analyze source code conforming to Java 8 and earlier versions, C/C++, RPG III and RPG IV versions (including free-form), C# 6.0 and earlier versions and Python 2.7.8 and earlier versions. In the case of C/C++, SourceMeter supports the ISO/IEC 14882:2011 international standard^[7] extended with several new features from ISO/IEC 14882:2014, and C language defined by the ANSI/ISO 9899:1990, ISO/IEC 9899:1999 and ISO/IEC 9899:2011 standards. Besides the standard features, several GCC and Microsoft specific extensions are also supported.

Features

Precise and deep static analysis, building full semantic graphs, containing semantic edges (calls, references), comments, etc.
60+ source code metrics (complexity, coupling, cohesion, inheritance, etc.), on different levels (package, namespace, class, method, etc.)
Type-2 duplications regarding syntax boundaries
Code duplication metrics (stability, embeddedness, dispersion, etc.)
Detecting inconsistent changes of duplications
Checking coding rules (Differences between PMD rule violations and FaultHunter rule violations)
Detecting security vulnerabilities based on data-flow (SQL injection, XSS, etc.)
Checking metric-based rule violations
Checking Android specific rule violations
Detecting runtime exceptions by means of symbolic code execution, for Java only

SonarQube plug-in

SourceMeter plug-in for SonarQube platform is an extension of the open-source SonarQube platform for managing code quality. The plug-in executes SourceMeter from the SonarQube platform and uploads the source code analysis results of SourceMeter into the SonarQube database. The plug-in is open-source, and provides all the usual SonarQube code analysis results, extended with many additional metrics and issue detectors provided by the SourceMeter tool. The plug-in supports the C/C++, Java, C#, Python and RPG languages.^[8]

Related Research Articles

Static program analysis is the analysis of computer software performed without executing any programs, in contrast with dynamic analysis, which is performed on programs during their execution.

C++ is a general-purpose programming language created by Bjarne Stroustrup as an extension of the C programming language, or "C with Classes". The language has expanded significantly over time, and modern C++ now has object-oriented, generic, and functional features in addition to facilities for low-level memory manipulation. It is almost always implemented as a compiled language, and many vendors provide C++ compilers, including the Free Software Foundation, LLVM, Microsoft, Intel, Oracle, and IBM, so it is available on many platforms.

In computer programming, undefined behavior (UB) is the result of executing a program whose behavior is prescribed to be unpredictable, in the language specification to which the computer code adheres. This is different from unspecified behavior, for which the language specification does not prescribe a result, and implementation-defined behavior that defers to the documentation of another component of the platform.

In computing, a null pointer or null reference is a value saved for indicating that the pointer or reference does not refer to a valid object. Programs routinely use null pointers to represent conditions such as the end of a list of unknown length or the failure to perform some action; this use of null pointers can be compared to nullable types and to the Nothing value in an option type.

The One Definition Rule (ODR) is an important rule of the C++ programming language that prescribes that objects and non-inline functions cannot have more than one definition in the entire program and template and types cannot have more than one definition by translation unit. It is defined in the ISO C++ Standard 2003, at section 3.2.

In computer programming, a naming convention is a set of rules for choosing the character sequence to be used for identifiers which denote variables, types, functions, and other entities in source code and documentation.

PMD is an open source static source code analyzer that reports on issues found within application code. PMD includes built-in rule sets and supports the ability to write custom rules. PMD does not report compilation errors, as it only can process well-formed source files. Issues reported by PMD are rather inefficient code, or bad programming habits, which can reduce the performance and maintainability of the program if they accumulate. It can analyze files written in Java, JavaScript, Apex and Visualforce, PLSQL, Apache Velocity, XML, and XSL.

This is an alphabetical list of articles pertaining specifically to software engineering.

MISRA C is a set of software development guidelines for the C programming language developed by The MISRA Consortium. Its aims are to facilitate code safety, security, portability and reliability in the context of embedded systems, specifically those systems programmed in ISO C / C90 / C99.

IAR Systems is a Swedish computer software company that offers development tools for embedded systems. IAR Systems was founded in 1983, and is listed on Nasdaq Nordic in Stockholm. IAR is an abbreviation of Ingenjörsfirman Anders Rundgren, which means Anders Rundgren Engineering Company.

Unspecified behavior is behavior that may vary on different implementations of a programming language. A program can be said to contain unspecified behavior when its source code may produce an executable that exhibits different behavior when compiled on a different compiler, or on the same compiler with different settings, or indeed in different parts of the same executable. While the respective language standards or specifications may impose a range of possible behaviors, the exact behavior depends on the implementation and may not be completely determined upon examination of the program's source code. Unspecified behavior will often not manifest itself in the resulting program's external behavior, but it may sometimes lead to differing outputs or results, potentially causing portability problems.

SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages. SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs, and security vulnerabilities.

PVS-Studio is a proprietary static code analyzer on guard of code quality, security (SAST), and code safety supporting C, C++, C++11, C++/CLI, C++/CX, C# and Java..

ThreadSafe is a source code analysis tool that identifies application risks and security vulnerabilities associated with concurrency in Java code bases, using whole-program interprocedural analysis. ThreadSafe is used to identify and avoid software failures in concurrent applications running in complex environments.

Java code coverage tools are of two types: first, tools that add statements to the Java source code and require its recompilation. Second, tools that instrument the bytecode, either before or during execution. The goal is to find out which parts of the code are tested by registering the lines of code executed when running a test.

SonarSource is a Swiss company founded in 2008. It develops open source software for continuous code quality and security.

CodeScene is a behavioral code analysis tool developed by Empear AB. CodeScene provides code visualizations based on version-control data and machine learning algorithms that identify social patterns and hidden risks in code.

CodeSonar is a static code analysis tool from GrammaTech. CodeSonar is used to find and fix bugs and security vulnerabilities in source and binary code. It performs whole-program, inter-procedural analysis with abstract interpretation on C, C++, C#, Java, as well as x86 and ARM binary executables and libraries. CodeSonar is typically used by teams developing or assessing software to track their quality or security weaknesses. CodeSonar supports Linux, BSD, FreeBSD, NetBSD, MacOS and Windows hosts and embedded operating systems and compilers.

References

↑ Szőke, Gábor; Nagy, Csaba; Ferenc, Rudolf; Gyimóthy, Tibor (2014). "A Case Study of Refactoring Large-Scale Industrial Systems to Efficiently Improve Source Code Quality" (PDF). Computational Science and its Applications – ICCSA 2014. Lecture Notes in Computer Science. 8583. pp. 524–540. doi:10.1007/978-3-319-09156-3_37. ISBN 978-3-319-09155-6.
↑ Árpád Beszédes, Rudolf Ferenc, Tibor Gyimóthy: "Columbus: A reverse engineering approach"
↑ Department of Software Engineering
↑ University of Szeged
↑ Source code metrics reference
↑ István Siket, Árpád Beszédes, John Taylor: "Differences in the Definition and Calculation of the LOC Metric in Free Tools"
↑ SourceMeter at ISO C++ standard
↑ Ferenc R., Langó L., Siket I., Gyimóthy T.: "Source Meter Sonar Qube Plug-in" In Proceedings of the 14th IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM 2014). Victoria, British Columbia, Canada, pages 77-82. September 28–29, 2014]

External links

Official website

This programming-tool-related article is a stub. You can help Wikipedia by expanding it.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Szőke, Gábor; Nagy, Csaba; Ferenc, Rudolf; Gyimóthy, Tibor (2014). "A Case Study of Refactoring Large-Scale Industrial Systems to Efficiently Improve Source Code Quality" (PDF). Computational Science and its Applications – ICCSA 2014. Lecture Notes in Computer Science. 8583. pp. 524–540. doi:10.1007/978-3-319-09156-3_37. ISBN 978-3-319-09155-6.

[2] Árpád Beszédes, Rudolf Ferenc, Tibor Gyimóthy: "Columbus: A reverse engineering approach"

[3] Department of Software Engineering

[4] University of Szeged

[5] Source code metrics reference

[6] István Siket, Árpád Beszédes, John Taylor: "Differences in the Definition and Calculation of the LOC Metric in Free Tools"

[7] SourceMeter at ISO C++ standard

[8] Ferenc R., Langó L., Siket I., Gyimóthy T.: "Source Meter Sonar Qube Plug-in" In Proceedings of the 14th IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM 2014). Victoria, British Columbia, Canada, pages 77-82. September 28–29, 2014]

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]