Automating Code Reviews by Writing Your Own Program Analysis Rules
Code reviews and automated source code analysis are two standard processes for ensuring software quality and security. Automated source code analysis, or static analysis, is an efficient means of inspecting large amounts of software, but it is typically limited to the standard rules shipped by the tool vendor. Code reviews, on the other hand, let software development organisations enforce project- and company-specific rules, but at the expense of large and error-prone human effort. In this talk we present CodeXM, a description language for specifying coding rules that can be enforced automatically by source code analysis tools. Developed by Synopsys, CodeXM provides a means to declaratively specify what to look for in source code without spelling out how to find it; the how is left to the underlying static analysis execution engine and its capabilities. CodeXM thus provides a readable interface for defining static analysis rules that are interpreted and evaluated automatically. We explain CodeXM through a number of examples drawn from common embedded and automotive software projects. In particular, we show the power of CodeXM by expressing concepts far beyond simple pattern matching, including path-sensitive, cross-file analysis when combined with the Coverity static analysis execution engine. As a result, it enables quality and security managers to specify and automatically enforce deep semantic coding guidelines.
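To make the separation between a declarative rule (the "what") and the analysis engine (the "how") concrete, here is an added illustration in Python that is not part of the talk, not CodeXM, and not Synopsys code. It is a small stand-in: a rule table names a callee, the argument that must be a literal and any required keyword arguments; a generic AST engine resolves simple local assignments so that a command built from a parameter is flagged while a command bound to a string literal is not. The rule names, the `Rule` class and the sample source are constructed for this example; the engine is intra-procedural and single-file, unlike the path-based cross-file analysis the abstract describes.

```python
"""Illustration: a declarative custom coding rule plus a small AST engine.

Not CodeXM and not Synopsys code; an added example showing how a rule
can state *what* to find while a generic engine supplies the *how*.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule: flag a call whose given positional argument is not a
    string literal (directly or via a local bound only to literals), provided
    the listed keyword arguments are present with the listed constant values."""
    name: str
    qualified_callee: str   # dotted callee, e.g. "subprocess.call"
    literal_arg: int        # index of the argument that must be a literal
    require_kw: dict        # e.g. {"shell": True}; empty means no condition


# Project-specific rule set (constructed for this example).
RULES = [
    Rule("SHELL_CMD_NOT_LITERAL", "subprocess.call", 0, {"shell": True}),
    Rule("SHELL_CMD_NOT_LITERAL", "subprocess.run", 0, {"shell": True}),
    Rule("OS_SYSTEM_NOT_LITERAL", "os.system", 0, {}),
]


def _callee_name(func):
    """Turn a call target like `subprocess.call` into the string "subprocess.call"."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


class Engine(ast.NodeVisitor):
    """Generic engine: evaluates every Rule against every call in the tree."""

    def __init__(self, rules):
        self.rules = rules
        self.findings = []      # (rule name, line number)
        self.literals = {}      # local name -> True if every assignment is a str literal

    def visit_FunctionDef(self, node):
        saved = self.literals
        self.literals = {}
        # Pass 1: record which locals are only ever bound to string literals.
        for stmt in ast.walk(node):
            if isinstance(stmt, ast.Assign):
                is_lit = isinstance(stmt.value, ast.Constant) and isinstance(stmt.value.value, str)
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        self.literals[target.id] = self.literals.get(target.id, True) and is_lit
        # Pass 2: check the calls in the body with that knowledge.
        self.generic_visit(node)
        self.literals = saved

    def _is_literal(self, expr):
        if isinstance(expr, ast.Constant) and isinstance(expr.value, str):
            return True
        if isinstance(expr, ast.Name):
            return self.literals.get(expr.id, False)   # parameters are unknown -> not literal
        return False

    def visit_Call(self, node):
        callee = _callee_name(node.func)
        kws = {k.arg: k.value for k in node.keywords}
        for rule in self.rules:
            if rule.qualified_callee != callee:
                continue
            if not all(k in kws and isinstance(kws[k], ast.Constant) and kws[k].value == v
                       for k, v in rule.require_kw.items()):
                continue
            if len(node.args) > rule.literal_arg and not self._is_literal(node.args[rule.literal_arg]):
                self.findings.append((rule.name, node.lineno))
        self.generic_visit(node)


def check_source(src, rules=RULES):
    """Run the rule set over one source file; return sorted (rule, line) findings."""
    engine = Engine(rules)
    engine.visit(ast.parse(src))
    return sorted(engine.findings)


# Constructed sample input: two functions, one compliant and one not.
SAMPLE = '''\
import os, subprocess

def ok(path):
    cmd = "ls -l /tmp"
    subprocess.call(cmd, shell=True)   # literal reaches the call via a local: fine
    subprocess.run(["ls", path])       # no shell=True: rule does not apply

def bad(user):
    cmd = "ls " + user
    subprocess.call(cmd, shell=True)   # line 10: command built from a parameter
    os.system(f"cat {user}")           # line 11: formatted command
'''

if __name__ == "__main__":
    for name, line in check_source(SAMPLE):
        print(f"{name} at line {line}")
```

A plain text search for `shell=True` would report both calls in `ok` and `bad` alike; resolving the local binding is what lets the rule stay quiet on the literal case, which is the kind of precision the abstract means by going beyond pattern matching. Adding a new project rule is a one-line change to `RULES`; the engine does not change.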
Date: 27.02.2019 | Time: 5:00 PM - 5:30 PM | Location: Conference Counter NCC Ost
Main speaker

Prof. Dr. Ralf Huuck
Synopsys Inc.