
Using Static Checkers

Explore how to use static code analysis tools within CMake to improve code quality and security. Learn to integrate popular static checkers such as Clang-Tidy and Cppcheck on a per-target basis, automate checks during builds, and enforce coding standards. This lesson helps you apply static analysis effectively in your C++ projects, leading to cleaner, more maintainable code.

Static program analysis is the process of checking the source code without actually running the compiled version. The rigorous application of static checkers dramatically improves the quality of the code: it becomes more consistent and less bug-prone. The chance of introducing known security vulnerabilities is reduced too.

Integrating static checkers with CMake

The C++ community has created dozens of static checkers: Astrée, Clang-Tidy, CLazy, CMetrics, Cppcheck, Cpplint, CQMetrics, ESBMC, FlawFinder, Flint, IKOS, Joern, PC-Lint, Scan-Build, Vera++, and so on.

Many of them recognize CMake as the industry standard and will provide out-of-the-box support (or an integration tutorial). Some build engineers don’t want to go to the trouble of writing CMake code, and they add static checkers by including external modules available online.

It's no wonder, as the general misconception is that we'd need to jump through many hoops to get our code checked. The reason for this complexity is in the ...
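Per-target checking of the kind this lesson describes can be done with CMake's built-in `CXX_CLANG_TIDY` and `CXX_CPPCHECK` target properties, without an external module. The following is an added example, not code from the lesson; the helper `AddStaticChecks`, the project and target names, `main.cpp`, and the selected checks are assumptions.

```cmake
cmake_minimum_required(VERSION 3.20)
project(StaticChecksDemo CXX)   # hypothetical project name

set(CMAKE_CXX_STANDARD 17)
set(CMAKE_CXX_STANDARD_REQUIRED ON)

# Hypothetical helper: attach Clang-Tidy and Cppcheck to a single target,
# so third-party or generated targets in the same tree are left alone.
function(AddStaticChecks target)
  find_program(CLANG_TIDY_EXE NAMES clang-tidy)
  if(CLANG_TIDY_EXE)
    # CMake runs this command line next to every C++ compile of the target.
    # -warnings-as-errors=* turns any finding into a build failure, which is
    # what enforces the standard instead of only reporting it.
    set_target_properties(${target} PROPERTIES
      CXX_CLANG_TIDY
        "${CLANG_TIDY_EXE};-checks=-*,bugprone-*,cert-*,clang-analyzer-security.*;-warnings-as-errors=*")
  else()
    message(WARNING "clang-tidy not found; ${target} is built without it")
  endif()

  find_program(CPPCHECK_EXE NAMES cppcheck)
  if(CPPCHECK_EXE)
    # --error-exitcode=1 makes cppcheck return non-zero on a finding,
    # which CMake then treats as a failed build step.
    set_target_properties(${target} PROPERTIES
      CXX_CPPCHECK
        "${CPPCHECK_EXE};--enable=warning,portability;--inline-suppr;--error-exitcode=1")
  else()
    message(WARNING "cppcheck not found; ${target} is built without it")
  endif()
endfunction()

# main.cpp is an assumed source file sitting next to this CMakeLists.txt.
add_executable(app main.cpp)
AddStaticChecks(app)
```

Both properties take effect with the Makefile and Ninja generators. In CI, replace the `message(WARNING ...)` branches with `message(FATAL_ERROR ...)` so a missing tool cannot silently skip the checks.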