Using SARIF to Enhance Your Static Analysis Toolset

Posted on May 18th, 2020

“When debugging, novices insert corrective code; experts remove defective code.”

Richard Pattis, Quotations for Learning and Programming

Advances in static analysis tools have made their use an increasingly standard and indispensible step in software QA processes. Large gains in testing efficiency and program quality result from their capability to identify a broad range of problems in software programs. However, users are still left with the challenge of eliminating the defects that these tools find. Through SARIF (Static Analysis Results Interchange Format), static analysis environments can be extended with additional tools targeting various aspects of this downstream work. Static analysis results can be imported into program understanding tools in order to examine problematic code and determine the severity of its defects. Program quality review tools can methodically guide, track and document the results of these examinations. Bug tracking tools are able to record the history of specific defects. By extending the tool environment, the benefits of static analysis tools can be carried further into your development process.

Consider how this is done using SARIF to export static analysis results from CodeSonar to Imagix 4D. A best-of-class static analysis tool, GrammaTech‘s CodeSonar is able to find a wide range of defects, ranging from use of static memory to resource mismanagement to concurrency defects. Including unique functionality for both program understanding and program quality review, Imagix 4D can be used to fully understand each finding from CodeSonar, assess the severity and urgency of a fix, and record the review results to compare against future CodeSonar runs.


The process starts with running the static analysis in CodeSonar. The analysis identifies potential defects across dozens of checks. For many of the defects, CodeSonar provides a crumb trail leading upstream to the cause of the defect.

Using the SARIF file format, Imagix 4D imports these CodeSonar results, creating a checklist that enables the methodical review of each defect. For each defect, called a probe in Imagix 4D, this starts with a display showing the specific line of source code flagged by CodeSonar. It also includes CodeSonar’s description of the defect, along with any crumb trail, called a derivation history in Imagix 4D.

With the checklist to guide the process, the interactive exploration and visualization of Imagix 4D come into play. Graphical design information aids in understanding the context of the problem location. In Figure 1, a call graph opened from the probe shows the full control flow to the location and variable of the probe, all the way down from to the program entry point ‘main()’. It’s immediately clear that the problem location can be reached over multiple paths, which increases the urgency for a fix.

Call graph of defect indicated in SARIF import
Figure 1: Call graph showing full context of problem area

Further graphical analysis provides more details to help understand how this problem can occur. In Imagix 4D, data flows display information about the statements related to the current value of a variable. They track variable dependencies across function boundaries and through parameter passing and return statements, showing all of the initializations, sets and reads of any variable, that contribute to or are impacted by a specific variable’s value. Here, the data flow displays the sequence of statements that contribute to the variable ‘file’, starting at ‘sscanf()’, the root of the problem.

Data flow diagram of critical uninitialized variable
Figure 2: Data flow for uninitialized variable

Providing more insight into the variable‚Äôs local context, a flow chart shows the internal logic for the function where ‘sscanf()’ is called. The nodes where ‘file’ is accessed are highlighted in blue, and it’s obvious that these contributing statements are in the main paths of the function. This again makes clear that the fix needs to be done here.

Flow chart of function where variable initialization is missing
Figure 3: Flow chart of function where variable initialization is missing

Upon completition of this examination, the conclusions are recorded using the review tool functionality of Imagix 4D. A rating is assigned; here the rating is set to violation, indicating that this is urgent and must be fixed. In addition, the insight that has been gained, along with any instructions to the developer, is recorded, attached as a note or series of notes to the probe representing this defect. And the checklist guides the reviewer on to the next defect.

Throughout this process, Imagix 4D provides indication of the location of, the severity of, and the progress in reviewing the defects identified by CodeSonar. A high level architectural diagram indicates the distribution of problem areas in the project, with red to green color coding indicating the probe density. Drilling down from there results in a lower-level view of the software, again using color coding to show which functions need fixes and how they fit within the global control flow.

Subssystem architecture diagrams and control flow graphs
Figure 4: Architectural and control flow displays showing problematic areas of code