Amit Sharma

Reputation: 2067

How are the Sparse and Coverity static code analysis tools different?

I am very new to the Linux kernel. I want to know how the Sparse and Coverity tools are different, since both are used for static code analysis. Then how do I decide which tool is better? The only difference I know is that Sparse is open source, but for Coverity we need a license to use it.

Is there any specific set of bugs that can only be traced by Coverity/Sparse?

Here is a piece of code in which Coverity reports the issue, but Sparse does not:

    #include <stdio.h>

    void foo(void)
    {
        int x;

        /* scanf leaves x uninitialized on failure, so check its result */
        if (scanf("%d", &x) != 1)
            return;

        switch (x) {
        case 1:
            printf("CASE 1");
            /* no break here: execution falls through into case 2 */
        case 2:
            printf("CASE 2");
            break;
        default:
            break; /* a label must be followed by a statement */
        }
    }

In the above example, Coverity reports a warning about the missing break statement in case 1. But Sparse does not?

However, both tools are used for static code analysis of software. Please share any documentation that highlights the pluses and minuses of both tools.

Upvotes: -1

Views: 949
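The fallthrough in the question's switch, shown as an added example that is not code from the original question. Each function returns a bitmask of the branches that actually executed, so the effect of the missing break can be asserted on rather than only printed. The function names, the RAN_* bits and the FALLTHROUGH macro are this example's own choices; the macro is built the same way the Linux kernel builds its fallthrough pseudo-keyword, from __has_attribute. With GCC 7 or later (or a recent Clang) and -Wimplicit-fallthrough, the compiler warns on dispatch_buggy and stays quiet on the annotated dispatch_intended, which is a license-free way to reproduce the class of finding Coverity reports here.

```c
#include <stdio.h>

/* Bits recording which switch branches ran (names chosen for this example). */
#define RAN_CASE1   0x1u
#define RAN_CASE2   0x2u
#define RAN_DEFAULT 0x4u

/* Portable spelling of "this fallthrough is intentional". On GCC 7+ and
 * recent Clang it expands to the fallthrough attribute, which is what
 * -Wimplicit-fallthrough looks for. On other compilers it expands to a
 * no-op, and the intent is then documented but not machine-checked. */
#if defined(__has_attribute)
#  if __has_attribute(fallthrough)
#    define FALLTHROUGH __attribute__((fallthrough))
#  endif
#endif
#ifndef FALLTHROUGH
#  define FALLTHROUGH ((void)0) /* assumption: no checkable attribute here */
#endif

/* Same shape as the question's code: for x == 1 the case 1 branch falls
 * into case 2, so both run. Fallthrough-aware checkers flag this line. */
unsigned dispatch_buggy(int x)
{
    unsigned ran = 0;

    switch (x) {
    case 1:
        ran |= RAN_CASE1;
        /* missing break */
    case 2:
        ran |= RAN_CASE2;
        break;
    default:
        ran |= RAN_DEFAULT;
        break;
    }
    return ran;
}

/* Fixed version, assuming cases 1 and 2 were meant to be distinct. */
unsigned dispatch_fixed(int x)
{
    unsigned ran = 0;

    switch (x) {
    case 1:
        ran |= RAN_CASE1;
        break;
    case 2:
        ran |= RAN_CASE2;
        break;
    default:
        ran |= RAN_DEFAULT;
        break;
    }
    return ran;
}

/* If falling through really is the design, say so in a form the compiler
 * can verify; the warning is then suppressed only at this one site. */
unsigned dispatch_intended(int x)
{
    unsigned ran = 0;

    switch (x) {
    case 1:
        ran |= RAN_CASE1;
        FALLTHROUGH;
    case 2:
        ran |= RAN_CASE2;
        break;
    default:
        ran |= RAN_DEFAULT;
        break;
    }
    return ran;
}

int main(void)
{
    int x = 1; /* constructed input; the question read it with scanf */

    printf("buggy(%d)    = 0x%x\n", x, dispatch_buggy(x));    /* 0x3 */
    printf("fixed(%d)    = 0x%x\n", x, dispatch_fixed(x));    /* 0x1 */
    printf("intended(%d) = 0x%x\n", x, dispatch_intended(x)); /* 0x3 */
    return 0;
}
```

Build with `gcc -Wall -Wextra -Wimplicit-fallthrough example.c` to see the diagnostic on dispatch_buggy only; dispatch_fixed has no fallthrough and dispatch_intended carries the attribute.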

Answers (1)

thurizas

Reputation: 2528

Tools vary in what they detect and how well they detect it. As a general rule, it is always recommended to run as many tools as possible on the source code. Granted, there are a number of considerations about doing that. First and foremost is the cost of owning and maintaining any one tool.

The big names (Fortify, CodeSonar, Coverity, Klocwork, etc.) are all expensive to buy, and have a hefty yearly maintenance cost. On the upside, they all tend to perform better than the open-source tools.

Any tool, be it open-source or proprietary, will require "care and feeding": creation of custom rules, modification of what is reported, etc. This should be done, in my opinion, by a dedicated senior programmer who is well versed in the theory and practice of secure programming.

The evaluation of the tool reports should also be done by a programmer / analyst well versed in security. The take-away message here is that a proficient programmer is not necessarily a secure programmer. There are additional sets of knowledge and skills needed to be a secure programmer.

For a brief overview of various tools, I would suggest looking at the various SAMATE (static-analysis metrics and tool evaluation) reports located here. Although I do not believe that the SAMATE team ever evaluated "Sparse".

I know these are more generalities about the use of static analysis tools, but given the current state of the art, I suspect that these are probably the best you are going to get. Also, you can check out this State of the Art report on software assurance.

Upvotes: 1
