Discussion and meeting on static code analysis

[mossmaurice]

Brief feature description

Several companies are working on Eclipse iceoryx nowadays. The maintainers chose QAC from Perforce to check the certain rulesets common in the automotive industry w.r.t. to the ISO26262. Beside local scans things like the CI integration or upload to the Perforce server never went live. Therefore, let's revive this topic :-)

Comes from #356

Detailed information

Proposed proceeding:

1) Re-do assessment with all maintainers

• Choose a single vendor or agree to a suppression syntax to be able to use different tools? 2) Talk to the vendors 3) Make decision 4) Setup CI and infrastructure (tbd in a future issue, not here)

Pending list of criteria for the assessment (not complete yet):

• Developer experience with the tool (prior knowledge)
• Developer convenience (usability)
  • How easy to use is the tool for developers?
• Suppression syntax
  • How does the suppression syntax look like?
  • Are there dependencies?
  • Common MISRA-C++:2020 suppression syntax supported?
• Commercial agreement needed (affordability)?
• Maintenance
• Ability to export results
• SLA and support
  • What happens if developers run in trouble?
  • How fast can the vendor react?
• CI support
• Coding rules support (extensibility, customizability)
  • Which coding rules are supported (e.g. AUTOSAR, MISRA, CERT)?
• What is experience of developers with false positives (correctness)?
• How long does a scan take with the iceoryx code base (efficiency)?

[mossmaurice]

@elfenpiff @elBoberido and myself had a call with Axivion today.

Major points:

• Axivion did an analysis of iceoryx
  • No parsing errors
  • Analysis time is 15 minutes
• Plugins for various IDEs available e.g. VSCode and Eclipse IDE
• Webinterface/dashboard to display the scan results is available
• Axivion can parse Lint and PRQA suppression syntax, that we are currently using

Next steps:

• [ ] @mossmaurice tries out Axivion
• [x] Setup meeting with Axivion sales to clarify open source usage in January

[mossmaurice]

Today I learned that MISRAC++:2020 will introduce a common suppression syntax, so that different SCA tools can be used.

[marthtz]

  * Analysis time is 15 minutes

This seems rather long for a code base of < 10k line of code?

Is it possible to do a delta analysis or does the analysis always run over the whole project?

[mossmaurice]

@budrus @dkroenke and myself had a call with Perforce today.

Major points:

• In 2020 QAC scan was only done locally and not uploaded to Perforce dashboad
• Perforce has two SCA tools
  • QAC is better for compliance (AUTOSAR/MISRA); however, it recently improved and finds defects Klocwork does not
  • Klocwork is better for defect analysis of C/C++
• License is required for exploring detailed results (e.g. line numbers and path/sink information for defects).
• SERIF will be put into both Klocwork and QAC to share data between tools (could be extended to Axivion?)

Next steps:

• [ ] Get dashboard up and running, take up the thread of last year
• [x] Meetup in a month to review progress

[mossmaurice]

@budrus @dkroenke and myself had a call with Axivion today.

• Axivion is happy to support iceoryx on creating a CI setup
• Limited number of contributors (e.g. Bosch, Apex.AI or externals) using Axivion through CI is fine
• Report might be not made available as ~1k pages PDF in the pull requests report, but as markdown?
• Docker + GitHub action shoulnd't be an issue

Next steps:

• [x] Meet again in a few weeks to plan the technical CI setup

[mossmaurice]

Axivion scan went live yesterday on master branch.