
clangsa-sast: implement analyzer configuration

Problem to solve

Clang static analyzer can be tuned for performance and coverage, in particular by enabling/disabling checkers.

clangsa-sast should respect the existing configuration mechanisms of Clang static analyzer, e.g. its config file, as much as possible.

In addition, the list of checkers should be

  • logged during run at the debug level
  • set with a sensible default that is easy to manage
  • modifiable by the user

Proposal

Initially, we can start with the default set of "sensible" CodeChecker checkers less those found to have very low precision while benchmarking.

Implementation plan

  • implement passthroughs
    • specifying a "target" for a passthrough is an error: there is only one file, which is either overwritten or appended to.
    • create a golang CodeCheckerConfig struct to represent a CodeChecker configuration
      • A CodeChecker configuration is a list of command line options for each subcommand. We only use analyze and parse subcommands, so ignore any other subcommand lists.
      • for each option (e.g. of analyze) determine whether repeats conform to a sensible behavior for passthrough append mode.
        • the last --enable x or --disable x determines whether checker x is enabled or disabled
        • --checker-config uses the OrderedConfigAction action, which ensures the list of config items accumulates instead of being overwritten with each new --checker-config
      • unmarshal from YAML and JSON CodeChecker config file formats
      • marshal to YAML
      • add methods
        • Disable(checker string) and Enable(checker string)
        • Append(CodeCheckerConfig)
  • create the default configuration that explicitly selects the set determined by benchmarking: the sensitive profile further filtered (with -t .051) for a low FP rate. Some of the checkers with high FPs on the SARD set are due to peculiarities of the test cases and shouldn't be filtered out. We'll err on the side of admitting FPs by keeping the initial list of checkers large.
  • update the calls to CodeChecker to use the config file generated from the configured CodeCheckerConfig and stored in ruleset.Config.TargetDir
  • add LoadRulesetConfig to command.Config
    • generate a CodeCheckerConfig by loading the default and parsing passthroughs
    • parse disabled rules to translate from CWE identifiers to clangsa_id / checker names that can be disabled in a final "append passthrough" operation. This is an optimization and requires an id mapping.
    • write the file and use ruleset.Config.TargetDir to store its location no need
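The passthrough append semantics above (last --enable/--disable for a checker wins, --checker-config entries accumulate) as an added Go sketch; this is illustrative code, not the clangsa-sast implementation. It assumes the CodeChecker config file is a JSON object with one option list per subcommand, and the checker names used in comments are constructed examples.

```go
package main

import (
	"encoding/json"
	"strings"
)

// CodeCheckerConfig mirrors the CodeChecker config file: one option list per
// subcommand. Only analyze and parse are kept; other keys are dropped on load.
type CodeCheckerConfig struct {
	Analyze []string `json:"analyze"`
	Parse   []string `json:"parse"`
}

// ParseJSON loads the JSON form of a CodeChecker config file (assumed layout).
func ParseJSON(data []byte) (CodeCheckerConfig, error) {
	var c CodeCheckerConfig
	return c, json.Unmarshal(data, &c)
}
func (c *CodeCheckerConfig) Enable(checker string)  { c.Analyze = append(c.Analyze, "--enable", checker) }
func (c *CodeCheckerConfig) Disable(checker string) { c.Analyze = append(c.Analyze, "--disable", checker) }

// Append implements passthrough "append" mode: the other config's options go
// after ours, so a later --enable/--disable overrides an earlier one.
func (c *CodeCheckerConfig) Append(o CodeCheckerConfig) {
	c.Analyze = append(c.Analyze, o.Analyze...)
	c.Parse = append(c.Parse, o.Parse...)
}

// EffectiveCheckers resolves analyze options like CodeChecker's argparse: last
// --enable/--disable wins, --checker-config accumulates (one value per flag).
func (c CodeCheckerConfig) EffectiveCheckers() (map[string]bool, []string) {
	enabled, cfg := map[string]bool{}, []string{}
	for i := 0; i < len(c.Analyze); i++ {
		flag, val, _ := strings.Cut(c.Analyze[i], "=")
		if flag != "--enable" && flag != "--disable" && flag != "--checker-config" {
			continue // unrelated option (e.g. --ctu) is passed through untouched
		}
		if val == "" && i+1 < len(c.Analyze) { // "--flag value" form
			i, val = i+1, c.Analyze[i+1]
		}
		switch flag {
		case "--enable":
			enabled[val] = true
		case "--disable":
			enabled[val] = false
		default:
			cfg = append(cfg, val)
		}
	}
	return enabled, cfg
}
```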
Edited by Jason Leasure