<h1 align="center"> <br> <img src="https://github.com/Ericsson/codechecker/raw/master/docs/logo/logo_blue.png" alt="CodeChecker" width="200"> <br> CodeChecker <br> </h1> <p align="center"> <a href="https://github.com/Ericsson/codechecker/actions"> <img src="https://github.com/Ericsson/codechecker/workflows/codechecker-tests/badge.svg" alt="Github Action"> </a> <a href="https://gitter.im/codecheckerHQ/Lobby?utm_source=share-link&utm_medium=link&utm_campaign=share-link"> <img src="https://badges.gitter.im/codecheckerHQ/Lobby.svg" alt="Gitter"> </a> <a href="https://codechecker.readthedocs.io/en/latest/?badge=latest"> <img src="https://readthedocs.org/projects/codechecker/badge/?version=latest" alt="Documentation Status"> </a> <a href="https://securityscorecards.dev/viewer/?uri=github.com/Ericsson/codechecker"> <img src="https://api.securityscorecards.dev/projects/github.com/Ericsson/codechecker/badge" alt="OpenSSF Scorecard Score"> </a> </p>

CodeChecker is a static analysis infrastructure built on the LLVM/Clang Static Analyzer toolchain, replacing scan-build in a Linux or macOS (OS X) development environment.

Check out our DEMO showing some analysis results of open-source projects!

Main features

Command line C/C++ Analysis

• Executes Clang-Tidy, Clang Static Analyzer with Cross-Translation Unit analysis, Statistical Analysis (when checkers are available), Cppcheck, GCC Static Analyzer and the Facebook Infer Analyzer.
• Creates the JSON compilation database by wiretapping any build process (e.g., CodeChecker log -b "make").
• Automatically analyzes GCC cross-compiled projects: detecting GCC or Clang compiler configuration and forming the corresponding clang analyzer invocations.
• Incremental analysis: Only the changed files and its dependencies need to be reanalyzed.
• False positive suppression with a possibility to add review comments.
• Result visualization in command line or in static HTML.

Web-based report storage

• You can store & visualize thousands of analysis reports of many analyzers like Clang Static Analyzer (C/C++), Clang Tidy (C/C++), Facebook Infer (C/C++, Java), Clang Sanitizers (C/C++), Spotbugs (Java), Pylint (Python), Eslint (Javascript) ... For a complete list see Supported Analyzers
• Web application for viewing discovered code defects with a streamlined, easy experience (with PostgreSQL, or SQLite backend).
• Gerrit and GitLab integration Shows analysis results as GitLab or Gerrit reviews.
• Filterable (defect checker name, severity, source paths, ...) and comparable (calculates difference between two analyses of the project, showing which bugs have been fixed and which are newly introduced) result viewing.
• Diff mode: This shows the list of bugs that have been introduced since your last analyzer execution.
• Results can be shared with fellow developers, the comments and review system helps communication of code defects.
• Easily implementable Thrift-based server-client communication used for storing and querying of discovered defects.
• Support for multiple bug visualization frontends, such as the web application, a command-line tool and an Eclipse plugin.

Command line features

CodeChecker command has many subcommands which can be used for example to log and analyze your projects, print the results or start a web server. For full list see the following table or check the help message of this command (CodeChecker --help):

| CodeChecker subcommand | Description | |--------------------------|-----------------------------------------------------------------------------------------------| | analyze | Execute the supported code analyzers for the files recorded in a JSON Compilation Database. | | analyzer-version | Print the version of CodeChecker analyzer package that is being used. | | analyzers | List supported and available analyzers. | | check | Perform analysis on a project and print results to standard output. | | checkers | List the checkers available for code analysis. | | cmd | View analysis results on a running server from the command line. | | fixit | Apply automatic fixes based on the suggestions of the analyzers. | | log | Run a build command, collect the executed compilation commands and store them in a JSON file. | | parse | Print analysis summary and results in a human-readable format. | | server | Start and manage the CodeChecker Web server. | | store | Save analysis results to a database. | | version | Print the version of CodeChecker package that is being used. | | web-version | Print the version of CodeChecker server package that is being used. |

CodeChecker cmd subcommand also has many other subcommands which can be used to get data (products, runs, results, statistics) from a running CodeChecker server. For full list see the following table or check the help message of this subcommand (CodeChecker cmd --help):

| CodeChecker cmd subcommand | Description | |------------------------------|---------------------------------------------------------------------------------------------------| | runs | List the available analysis runs. | | history | Show run history of multiple runs. | | results | List analysis result (finding) summary for a given run. | | diff | Compare two analysis runs and show the difference. | | sum | Show statistics of checkers. | | token | Access subcommands related to configuring personal access tokens managed by a CodeChecker server. | | del | Delete analysis runs. | | update | Update an analysis run. | | suppress | Manage and import suppressions of reports on a CodeChecker server. | | products | Access subcommands related to configuring the products managed by a CodeChecker server. | | components | Access subcommands related to configuring the source components managed by a CodeChecker server. | | login | Authenticate into CodeChecker servers that require privileges. | | export | Export comments and review statuses from CodeChecker. | | import | Import comments and review statuses into CodeChecker. |

Usage flow

• Step 1: CodeChecker log runs the given build command and records the executed compilation steps. These steps are written to an output file (Compilation Database) in a JSON format.
• Step 2: CodeChecker analyze uses the previously created JSON Compilation Database to perform an analysis on the project, outputting analysis results in a machine-readable (plist) format.
• Step 3: In this step, you can do multiple things:
  • Parse and pretty-print the summary and results from analysis result files (CodeChecker parse).
  • Store the results to a running CodeChecker server (CodeChecker store).
  • Compare two analysis results/runs to show the results that differ between the two (CodeChecker cmd diff).
  • etc.

For more information how to use CodeChecker see our user guide.

User documentation

• Getting started (How-To with examples)

C/C++ Analysis

• Analyzer User guide
• Avoiding or suppressing false positives
• Checker and Static Analyzer configuration
• GCC incompatibilities
• Suppressing false positives

Web based report management

• Webserver User Guide
• WEB GUI User Guide
• [Command line and