Static Code Analysis

Automated code analysis without hassle!

Static analysis has become an important part of the software development cycle. It can identify potential bugs, vulnerabilities and security threats by analysing the source code itself, without having to run the code or test it on hardware.

Static Code Analysis helps reduce development cost by enabling engineers to detect the precise location of defects and eliminate issues more efficiently and earlier in the development cycle. It can also ensure compliance with internal or industry coding standards such as MISRA, CERT, etc.

Key features

  • Fully integrated within the PlatformIO ecosystem and easy to execute on the entire project.

  • Straightforward integration with Continuous Integration services.

  • Possibility to reuse the same setup on other projects.

  • Easy and flexible rule configuration.

  • Comprehensive and detailed error information.

  • Multiple architectures and development platforms.

  • Cross-platform: Windows, MacOS, Linux.

Static Code Analysis can detect a wide range of known defects in C/C++ code, including:
  • Potential NULL pointer dereferences

  • Possible indexing beyond array bounds

  • Suspicious assignments

  • Reads of potentially uninitialized objects

  • Unused variables or functions

  • Out of scope memory usage
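To make the defect classes above concrete, here is an added example (it is not code from the PlatformIO documentation or from any check tool). The first two functions contain the kinds of defects a static checker reports: an uninitialised read, an off-by-one array write, an unchecked pointer that may be NULL, an assignment where a comparison was intended, an unused variable, and a pointer to out-of-scope stack memory. The functions that follow them are the corrected forms a reviewer would expect. All function names and the `BUF_LEN` constant are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of the PlatformIO docs. Function names and
 * BUF_LEN are hypothetical. The *_unchecked versions are deliberately
 * defective and exist only to show what a static checker flags; do not
 * call them. */

#define BUF_LEN 8

/* Deliberately defective: every line marked below is a reportable defect. */
int sum_readings_unchecked(const int *readings, int count)
{
    int total;                            /* read of uninitialised object below */
    int buf[BUF_LEN];
    int unused = 0;                       /* unused variable */
    for (int i = 0; i <= BUF_LEN; i++)    /* off-by-one: writes buf[BUF_LEN] */
        buf[i] = 0;
    for (int i = 0; i < count; i++)
        total += readings[i];             /* readings may be NULL */
    if (count = 0)                        /* suspicious assignment in condition */
        return -1;
    return total;
}

/* Deliberately defective: returns the address of a local array. */
const char *device_name_unchecked(void)
{
    char name[16];
    strcpy(name, "node-1");
    return name;                          /* out-of-scope memory after return */
}

/* Corrected form: validated inputs, initialised state, status code out. */
int sum_readings_checked(const int *readings, int count, int *total_out)
{
    if (readings == NULL || total_out == NULL)
        return -1;                        /* NULL inputs are rejected up front */
    if (count < 0 || count > BUF_LEN)
        return -1;                        /* count is bounded by the buffer size */

    int buf[BUF_LEN] = {0};               /* fully initialised */
    int total = 0;                        /* initialised before first use */
    for (int i = 0; i < count; i++) {     /* i < count <= BUF_LEN: in bounds */
        buf[i] = readings[i];
        total += buf[i];
    }
    *total_out = total;
    return 0;
}

/* Corrected form: the caller owns the buffer, so nothing outlives its scope. */
int device_name_checked(char *dst, size_t dst_len)
{
    if (dst == NULL || dst_len == 0)
        return -1;
    int n = snprintf(dst, dst_len, "node-1");
    /* snprintf truncates silently; treat a truncated name as an error. */
    return (n < 0 || (size_t)n >= dst_len) ? -1 : 0;
}

int main(void)
{
    int total = 0;
    int readings[] = {1, 2, 3};
    char name[16];
    if (sum_readings_checked(readings, 3, &total) == 0)
        printf("sum = %d\n", total);
    if (device_name_checked(name, sizeof name) == 0)
        printf("name = %s\n", name);
    return 0;
}
```

Running a checker such as cppcheck over the `*_unchecked` functions is a quick way to see how each of the six defect classes is reported, and the `*_checked` versions show that the fixes are small: validate pointers and counts at the boundary, initialise before use, and let the caller own any memory that must outlive a call.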

Warning

Before performing a static analysis check, make sure your project builds without errors. For information about how to build a project, see the platformio run command or the VSCode guide.

User Interface

PlatformIO Home provides a rich and friendly interface for Static Code Analysis. It allows you to filter messages or jump directly to an issue in the source code.

[Screenshots: PlatformIO Home "Inspect" view showing check statistics, and the list of code defects]

Configuration

Static Code Analysis lets you select which tool is used to find defects in the project and which source files are checked. It can be configured from “platformio.ini” (Project Configuration File) using the following options:

Check tools

You can switch between tools, or specify several tools to be used for finding defects, with the check_tool option:

[env:myenv]
platform = ...
board = ...
check_tool = cppcheck, clangtidy

Detailed information about the supported check tools and how to configure them can be found on these pages:

Defect severity

Defect severity is a classification of a software defect (bug, vulnerability, etc.) that indicates the degree of negative impact on the quality of the software. Static Code Analysis uses the following classification of possible defects:

Severity   Meaning
---------  ------------------------------------------------------------------------
high       Issues that are possibly bugs
medium     Suggestions about defensive programming in order to prevent potential bugs
low        Issues related to code cleanup and performance (unused functions, redundant code, const-ness, etc.)

CLI Guide

Static Code Analysis can also be configured and run from the command line. A detailed description of these commands can be found here: