Testing Tools: Visual Code Grepper, Coverity, SonarQube

From Embedded Lab Vienna for IoT & Security

Summary

This documentation gives an overview of Visual Code Grepper (VCG), Coverity and SonarQube, three static analysis tools used in software development. VCG is a lightweight code security scanner: it greps source code for banned functions and risky patterns defined in per-language configuration files. Coverity is a commercial static application security testing (SAST) tool that identifies defects and vulnerabilities in source code. SonarQube is a platform for continuous inspection of code quality that reports bugs, code smells and security vulnerabilities. The hands-on part of this documentation covers VCG and SonarQube; Coverity is only described.

Requirements

  • Operating system: Windows
  • Git: https://github.com/nccgroup/VCG (Visual Code Grepper v2.3.2)
  • sonarqube-10.3.0.82913.zip
  • sonar-scanner-cli-4.7.0.2747-windows.zip

Description

Visual Code Grepper (VCG)

is an open-source tool from NCC Group for automated security review of source code. It scans a codebase for function calls and code patterns that commonly cause security problems and supports C/C++, C#, VB, PHP, Java, PL/SQL and COBOL. Besides the built-in checks, users can search the codebase with their own regular expressions, and the per-language config files list banned or dangerous functions (for example unbounded string functions in C), so additional checks can be added by editing them. Because the matching is purely textual, VCG is fast and works on code that does not build, but it cannot follow data flow or understand types, so it produces false positives and misses issues that need context; its results are a starting point for manual review rather than a verdict.

Step 1

Clone the repository with git clone https://github.com/nccgroup/VCG.git from the Windows command prompt. Change into VCG\VCG-Setup\Release, run setup.exe and install VCG on the system.

Step 2

Open VCG and select the programming language of the target code from the drop-down list. In the File menu, select the target file or directory.

VCG UI.png


Step 3

Go to the Scan menu, which offers several scan types. Select Full Scan to run all checks.

VCG Results.jpeg


Optionally, Code Breakdown lists and graphs all scan results, which gives a quick view of how the findings are distributed by severity.

CodeBreakdown.png
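To make the VCG approach concrete, here is an added example (my code, not VCG's and not from this page) of the same grep-style banned-function check in Python: a small rule table in the spirit of a VCG per-language config file, a scanner that reports each call with its line number and severity, and a constructed C snippet as input. The rule table, the severities and the C snippet are assumptions for illustration, not VCG's real config format or rule set; the comment stripping shows the kind of false positive a text-based scanner has to deal with.

```python
"""Grep-style banned-function check in the spirit of VCG (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed rule table: function name -> (severity, note). It mimics what a
# VCG per-language config expresses; it is not VCG's real config format.
BANNED_C_FUNCTIONS = {
    "gets":    ("CRITICAL", "reads input with no bound; removed from C11"),
    "strcpy":  ("HIGH", "unbounded copy; use snprintf or an explicit length"),
    "strcat":  ("HIGH", "unbounded concatenation"),
    "sprintf": ("HIGH", "unbounded formatted output; prefer snprintf"),
    "scanf":   ("MEDIUM", "%s without a field width can overflow"),
    "strncpy": ("LOW", "may leave the destination unterminated"),
}


@dataclass
class Finding:
    line: int        # 1-based line number in the original source
    function: str
    severity: str
    note: str
    code: str        # the offending line with comments removed


def strip_c_comments(src: str) -> str:
    """Blank out /* */ and // comments but keep every newline, so line numbers
    stay correct and commented-out calls are not reported."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def scan_c_source(src: str, rules: dict = BANNED_C_FUNCTIONS) -> list[Finding]:
    """Report every call to a banned function, one Finding per occurrence.
    The leading \\b keeps 'strcpy' from matching 'my_strcpy', and the trailing
    '(' requires a call-like token, so 'strcpy_s(' is not reported."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, rules)) + r")\s*\(")
    findings: list[Finding] = []
    for lineno, line in enumerate(strip_c_comments(src).splitlines(), start=1):
        for match in pattern.finditer(line):
            name = match.group(1)
            severity, note = rules[name]
            findings.append(Finding(lineno, name, severity, note, line.strip()))
    return findings


SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def report(findings: list[Finding]) -> list[str]:
    """Render findings worst-first, the way a scanner summary lists them."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_ORDER.get(f.severity, 9), f.line))
    return [f"{f.severity:8} line {f.line:>4}: {f.function}() - {f.note}\n    {f.code}"
            for f in ordered]


# Constructed C snippet used as scan input (not from any real project).
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

/* old code: strcpy(buf, src); kept for reference */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);               // unbounded copy -> reported
    sprintf(buf, "Hello %s", name);  // unbounded format -> reported
    snprintf(buf, sizeof buf, "%s", name); // bounded, not in the table
    // gets(buf);                    commented out -> not reported
    my_strcpy_safe(buf, name, sizeof buf); // different identifier
}
'''

if __name__ == "__main__":
    for entry in report(scan_c_source(SAMPLE_C)):
        print(entry)
```

Running the file reports strcpy on line 8 and sprintf on line 9 of the snippet and nothing else. String literals are not stripped, so a banned name inside a string followed by a parenthesis would still be reported; that is the price of a purely lexical scanner, and the reason VCG output needs a manual pass.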

Coverity

developed by Synopsys (whose Software Integrity Group is now Black Duck), is a commercial static analysis tool that finds security vulnerabilities, defects and code quality issues in source code during development. Unlike a pattern matcher, it builds a model of the program, for compiled languages by wrapping the real build, and performs interprocedural data-flow analysis, which lets it report memory leaks, buffer overflows, null pointer dereferences, resource leaks, concurrency problems and injection flaws with fewer false positives. It supports a wide range of languages, including C/C++, C#, Java, JavaScript, TypeScript, Python, PHP, Go, Ruby, Swift, Kotlin, Objective-C, Scala, Fortran, CUDA, Apex and VB.NET, as well as .NET Core, ASP.NET and JSP, with platform support for iOS and Android. Its value is finding these issues early, before they reach a release; it is not covered further in this documentation.

SonarQube

is a code quality and security platform whose Community Edition is open source; the commercial editions add further languages and features. It performs static analysis on over 30 programming languages and reports bugs, code smells, security vulnerabilities, security hotspots and duplicated code, and it computes metrics such as technical debt and coverage. SonarQube does not execute the program: code coverage and test results come from external tools (for example coverage.py or JaCoCo) whose reports the scanner imports, and it does not perform memory error detection or performance analysis. Analysis is meant to run continuously in the CI pipeline, and a quality gate can fail the build when new code falls below the configured thresholds, so that issues are fixed early instead of accumulating as technical debt.

Step 1

Installing SonarQube Server. Download the server zip from https://www.sonarsource.com/products/sonarqube/downloads/ and extract it; SonarQube 10.3 needs a Java 17 runtime. Adjust the database settings in <SONARQUBE_HOME>/conf/sonar.properties, or keep the defaults: without a configured database SonarQube uses an embedded H2 database that is meant for evaluation only, not for production. Start the server with <SONARQUBE_HOME>/bin/windows-x86-64/StartSonar.bat and open http://localhost:9000. Log in the first time with username admin and password admin; SonarQube then asks for a new password, and the default must not be kept on any server that others can reach.

Step 2

Installing SonarScanner. Download the scanner from https://docs.sonarqube.org/latest/analyzing-source-code/scanners/sonarscanner/ and extract it. With default settings no further changes are needed for a first test. Open CMD in the scanner's bin folder (or add it to PATH) and check that the scanner runs with: sonar-scanner.bat -h

Step 3

Defining Sonar Properties for the Project. In the final setup step, create a file named sonar-project.properties in the project folder that is to be analysed and describe the project in it, for example:

  sonar.projectKey=python
  sonar.projectName=python
  sonar.projectVersion=1.0
  sonar.sources=C:/Users/Adam/source/repos/python

sonar.sources must point at the exact source path; a path relative to the properties file (sonar.sources=.) also works and keeps the file portable between machines.

Step 4

Analysis. Create a new project under Projects in the SonarQube web UI, enter the project name and a token name, and let the UI generate a project token and the scanner command.

Run the generated command in CMD from the project folder, for example: sonar-scanner.bat -D"sonar.projectKey=test123" -D"sonar.sources=." -D"sonar.host.url=http://localhost:9000" -D"sonar.login=<project token>"

The project token (a string beginning with sqp_) is a credential that authenticates the scanner to the server: do not commit it to a repository or paste it into documentation, and be aware that passing it on the command line leaves it in the shell history and visible in the process list. SonarScanner 5.0 and later accept the token through the sonar.token property or the SONAR_TOKEN environment variable and deprecate sonar.login; the 4.7 scanner listed in the requirements still uses sonar.login.

Detailed analysis results can be seen on the SonarQube server.


Screenshots 10.PNG through 19.PNG show the analysis results on the SonarQube server.
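Once the scanner has uploaded its results they can be read through the SonarQube Web API as well as in the browser, which is how a CI job or a security dashboard consumes them. The following added example (my code, not SonarSource's and not from this page) fetches the unresolved vulnerabilities and the quality gate status of a project and summarises them. It takes the token from the SONAR_TOKEN environment variable instead of the command line, and the parsing lives in pure functions so it can be exercised on a constructed sample response without a server. Assumptions: the project key python from Step 3, the api/issues/search and api/qualitygates/project_status endpoints as they exist in SonarQube 10.x, and the sample JSON, whose rule keys, messages and file names are illustrative rather than captured from a real server.

```python
"""Read SonarQube results through its Web API (added example, not SonarSource code)."""
from __future__ import annotations
import base64
import json
import os
import urllib.parse
import urllib.request

# Server and token come from the environment, never from the command line or a
# committed file; SONAR_TOKEN is the variable name SonarScanner 5.x itself reads.
SONAR_HOST_URL = os.environ.get("SONAR_HOST_URL", "http://localhost:9000")


def auth_header(token: str) -> str:
    """SonarQube accepts a user or project token as the HTTP Basic user name
    with an empty password."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def api_get(path: str, params: dict, token: str) -> dict:
    """GET <host>/<path>?<params> and decode the JSON body."""
    url = f"{SONAR_HOST_URL}/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"Authorization": auth_header(token)})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def fetch_vulnerabilities(project_key: str, token: str) -> dict:
    # componentKeys is the parameter name of the 10.3 era (newer servers also accept components)
    return api_get("api/issues/search",
                   {"componentKeys": project_key, "types": "VULNERABILITY",
                    "resolved": "false", "ps": 500}, token)


def fetch_quality_gate(project_key: str, token: str) -> dict:
    return api_get("api/qualitygates/project_status", {"projectKey": project_key}, token)


def summarize_issues(payload: dict) -> dict:
    """Reduce an api/issues/search response to counts per severity and a
    sorted list of (file, line, rule, message) tuples."""
    by_severity: dict[str, int] = {}
    findings = []
    for issue in payload.get("issues", []):
        severity = issue.get("severity", "UNKNOWN")
        by_severity[severity] = by_severity.get(severity, 0) + 1
        # 'component' is "<projectKey>:<path within the project>"
        path = issue.get("component", "").split(":", 1)[-1]
        findings.append((path, issue.get("line"), issue.get("rule"), issue.get("message")))
    findings.sort(key=lambda f: (f[0], f[1] or 0))
    return {"total": payload.get("paging", {}).get("total", len(findings)),
            "by_severity": by_severity,
            "findings": findings}


def gate_passed(status_payload: dict) -> bool:
    """project_status reports "OK" or "ERROR" ("NONE" when no gate is set);
    only an explicit OK counts as a pass, so a missing field fails closed."""
    return status_payload.get("projectStatus", {}).get("status") == "OK"


# Constructed sample responses in the shape the two endpoints return. Rule keys,
# messages and file names are illustrative, not captured from a real server.
SAMPLE_ISSUES = {
    "paging": {"pageIndex": 1, "pageSize": 100, "total": 2},
    "issues": [
        {"key": "AX1", "rule": "python:S2076", "severity": "CRITICAL", "type": "VULNERABILITY",
         "component": "python:app/run.py", "line": 12,
         "message": "Make sure the \"shell\" argument is not set to True here."},
        {"key": "AX2", "rule": "python:S4830", "severity": "MAJOR", "type": "VULNERABILITY",
         "component": "python:app/db.py", "line": 40,
         "message": "Enable server certificate validation on this SSL/TLS connection."},
    ],
}
SAMPLE_GATE = {"projectStatus": {"status": "ERROR"}}

if __name__ == "__main__":
    token = os.environ.get("SONAR_TOKEN")
    if token:
        issues, gate = fetch_vulnerabilities("python", token), fetch_quality_gate("python", token)
    else:  # no server configured: demonstrate on the constructed samples
        issues, gate = SAMPLE_ISSUES, SAMPLE_GATE
    summary = summarize_issues(issues)
    print(f"quality gate passed: {gate_passed(gate)}")
    print(f"{summary['total']} unresolved vulnerabilities, by severity: {summary['by_severity']}")
    for path, line, rule, message in summary["findings"]:
        print(f"  {path}:{line}  [{rule}] {message}")
```

With SONAR_TOKEN and SONAR_HOST_URL set the script talks to the server from Step 1 and prints the real findings; without them it runs on the constructed samples. A CI job would typically exit non-zero when gate_passed() is False, which is the same decision the SonarQube quality gate makes in the web UI.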

References

https://github.com/nccgroup/VCG

https://www.crestdatasys.com/blogs/an-introduction-on-using-sonarqube/

https://www.devopsschool.com/blog/what-is-sonarqube-and-how-it-works-an-overview-and-its-use-cases/

https://www.sonarsource.com/products/sonarqube/

https://www.koombea.com/blog/what-is-sonarqube/