Use a Static Analysis Tool Extensively (SWE03)
Level \(\rightarrow\) Mandatory
- Category
  - Safety: \(\checkmark\)
  - Cyber: \(\checkmark\)
- Goal
  - Maintainability: \(\checkmark\)
  - Reliability: \(\checkmark\)
  - Portability: \(\checkmark\)
  - Performance: \(\checkmark\)
  - Security: \(\checkmark\)
Remediation \(\rightarrow\) High
Verification Method \(\rightarrow\) Static analysis tools
Reference
Power of 10 rule #10: "All code must also be checked daily with at least one, but preferably more than one, strong static source code analyzer and should pass all analyses with zero warnings."
Description
If not using SPARK for regular development, use a static analyzer, such as CodePeer, extensively. No warnings or errors should remain unresolved at the given level adopted for analysis (which can be selected to adjust the false positive ratio).
Specifically, any code checked into the configuration management system must be checked by the analyzer and be error-free prior to check-in. Similarly, each nightly build should produce a CodePeer baseline for the project.
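One way to enforce the check-in requirement above, as an added example (not part of the original guideline and not CodePeer's own tooling): a POSIX shell gate that rejects a change while the analyzer's text report contains any finding. The report format (`file:line:col: rank: text`), the rank names and the two sample reports are assumptions constructed for illustration.

```sh
#!/bin/sh
# Check-in gate: reject a change while the analyzer report has any finding.
# ASSUMPTION: one finding per line, "file:line:col: rank: text", with rank in
# high|medium|low|warning|error. Other lines (progress output) are ignored.

# Print the rank of every finding line in report file $1.
finding_ranks() {
    awk -F': ' '
        $1 ~ /^[^:]+:[0-9]+:[0-9]+$/ &&
        $2 ~ /^(high|medium|low|warning|error)$/ { print $2 }
    ' "$1"
}

# Print the number of findings in report file $1.
count_findings() {
    finding_ranks "$1" | wc -l | tr -d ' '
}

# Print "rank=count" per rank, sorted by rank name.
summarize() {
    finding_ranks "$1" | sort | uniq -c | awk '{ printf "%s=%d\n", $2, $1 }'
}

# Return 0 only when the report is free of findings.
gate() {
    total=$(count_findings "$1")
    if [ "$total" -gt 0 ]; then
        echo "check-in blocked: $total unresolved message(s)" >&2
        summarize "$1" >&2
        return 1
    fi
    echo "analysis clean: check-in allowed"
}

# Constructed sample reports (not real tool output).
SAMPLE_DIRTY=$(mktemp)
SAMPLE_CLEAN=$(mktemp)
trap 'rm -f "$SAMPLE_DIRTY" "$SAMPLE_CLEAN"' EXIT
cat > "$SAMPLE_DIRTY" <<'EOF'
analyzing sensors.adb
sensors.adb:42:10: medium: unused assignment into Total
sensors.adb:57:4: low: test always true
convert.adb:18:22: high: range check might fail
EOF
printf 'analyzing sensors.adb\nanalysis complete\n' > "$SAMPLE_CLEAN"

gate "$SAMPLE_CLEAN"
gate "$SAMPLE_DIRTY" || echo "dirty sample rejected, as intended"
```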
Applicable Vulnerability within ISO TR 24772-2
6.6 Conversion errors [FLC]
6.18 Dead store [WXQ]
6.19 Unused variable [YZS]
6.20 Identifier name reuse [YOW]
6.24 Side-effects and order of evaluation [SAM]
6.25 Likely incorrect expression [KOA]
Applicable Common Weakness Enumeration
N/A
Noncompliant Code Example
N/A
Compliant Code Example
N/A
Notes
CodePeer is the recommended static analyzer. Note that CodePeer can detect GNATcheck rule violations (via the --gnatcheck CodePeer switch and a rules file).