Updated Friday 6th August, 2021
Scanning code which will not fully build is often a thorn in the side of the software assurance analyst who has been delivered code from an external customer. This is doubly true in a language such as Ada with few viable scanning options.
AdaCore CodePeer has an operation called “Analyze File by File” which sounds like it would help if the entire Ada project will not build. After all, if a portion of the code will build, surely obtaining scan results for that portion of the code is better than no results at all. An enterprising software assurance analyst, full of hope and cheer, might try this tool, only to come to the crushing realization that even though it operates on individual files, it is only intended for use in the context of an already buildable project, sending them back to square one.
There is a workaround that lets CodePeer operate on individual files in an Ada project, but it is a little more involved.
A normal codepeer-gprbuild scan operates on a project and expects the full project to build. However, one can pass it both a project and a specific file. The project as a whole will still fail to build, but if the individual file builds, codepeer-gprbuild generates a .SCIL file for it, which is the output of the build/link step that CodePeer requires for analysis. The command line argument for this setup is shown in Listing 1.
Once a file has been processed and its .SCIL file created, one can run a normal codepeer-gprbuild on the entire project from within GPS. The build will fail, but CodePeer still checks for existing .SCIL files and performs its analysis on them. By iteratively running the above command on every .ada, .ads, and .adb file in the project, and then following it with a normal analysis, an analyst can get some results out of CodePeer. The full process is:
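The per-file loop described above, as an added POSIX shell example that is not the page's Listing 1 and not AdaCore's own tooling. It assumes codepeer-gprbuild accepts the standard gprbuild switches `-P` (project file), `-u` (compile only the named source) and `-c` (compile, do not bind or link); the project path, source directory and the `CODEPEER_GPRBUILD` override variable are placeholders chosen for the example.

```shell
#!/bin/sh
# Assumed invocation (not the page's Listing 1):
#   codepeer-gprbuild -P <project.gpr> -u -c <source file>
# -P, -u and -c are gprbuild switches; that codepeer-gprbuild passes them
# through unchanged is an assumption of this example.
CODEPEER_GPRBUILD="${CODEPEER_GPRBUILD:-codepeer-gprbuild}"

# Compile one Ada source on its own so CodePeer can emit its .SCIL file.
# Returns 0 if that file compiled, non-zero otherwise. The project as a
# whole is expected to fail; only the single file matters here.
scil_for_file() {
    proj="$1"; src="$2"
    "$CODEPEER_GPRBUILD" -P "$proj" -u -c "$src" >/dev/null 2>&1
}

# Try every .ads/.adb/.ada file under a directory, one at a time, never
# aborting on a file that does not build. Files that fail are listed on
# stderr; the counts "<compiled> <failed>" are printed on stdout so the
# analyst knows how much of the project the later analysis will cover.
# Paths containing spaces are not handled (find output is word-split).
scil_for_each() {
    proj="$1"; dir="$2"
    ok=0; failed=0
    for src in $(find "$dir" -type f \( -name '*.ads' -o -name '*.adb' -o -name '*.ada' \) | sort); do
        if scil_for_file "$proj" "$src"; then
            ok=$((ok + 1))
        else
            failed=$((failed + 1))
            echo "no SCIL for $src" >&2
        fi
    done
    echo "$ok $failed"
}

# Usage (placeholder paths): scil_for_each path/to/project.gpr path/to/src
# Afterwards, run the normal project-wide codepeer-gprbuild analysis from
# GPS as the text describes; it picks up whichever .SCIL files now exist.
```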
I hope this makes the reader’s next adventure in the world of unbuildable Ada code a little less painful!
Jon Hood, ed. SwATips. https://www.SwATips.com/.