Follow usLearn Embedded Together, learn and grow together

In C/C++ development, due to the flexibility and complexity of the language, defects such as memory leaks, buffer overflows, and undefined behavior are rampant.
Static Code Analysis (SCA) is a technique that can identify potential issues before code compilation and execution, making it an indispensable part of building high-reliability and high-security software.
This article will delve into the standards, mainstream tools, and related learning resources followed in C/C++ static code analysis.
Why Perform Static Code Analysis
Unlike dynamic testing (testing by running the program), static analysis is performed directly on the source code or intermediate representation without executing the program. Its main advantages include:
- Early Detection of Defects: Problems can be identified during the coding phase or early in integration, with repair costs significantly lower than during testing or after deployment.
- Detection of Deep Vulnerabilities: It can detect code paths and complex logical errors that are difficult to cover through testing, such as resource leaks and null pointer dereferences.
- Improvement of Code Quality: Enforces coding standards, ensuring consistency in code style and structure, enhancing maintainability.
- Enhanced Security: Identifies potential security vulnerabilities (such as CWE Top 25), preventing threats like SQL injection and buffer overflow.
Core Standards and Guidelines
Static analysis tools typically define rule sets based on a series of recognized programming guidelines and defect classification standards.
Understanding these standards is key to effectively using the tools.
-
MISRA C/C++:
- Overview: Originally established by the Motor Industry Software Reliability Association, it has become the recognized C/C++ coding standard for embedded systems, especially in safety-critical areas such as automotive, aerospace, and medical. It includes a series of mandatory (Required) and advisory (Advisory) rules aimed at avoiding error-prone, undefined, or implementation-dependent behaviors in the language.
- Characteristics: Extremely strict, focusing on code reliability and predictability, sometimes sacrificing some flexibility. The new version MISRA C++:2023 is based on C++17 and aligns with the AUTOSAR C++14 standard.
- Resource Link: https://www.misra.org.uk/
CWE (Common Weakness Enumeration):
- Overview: A community-developed list of software and hardware security defects maintained by MITRE. It is not a coding standard but a general dictionary of defect types. Many static analysis tools map detected vulnerabilities to CWE IDs to align with industry-standard terminology.
- Characteristics: It serves as a common language for discussing, identifying, and classifying software weaknesses. The famous “CWE Top 25” lists the most dangerous and common software errors.
- Resource Link: https://cwe.mitre.org/
CERT C/C++ Secure Coding Standards:
-
Overview: Security coding standards published by the Software Engineering Institute (SEI) at Carnegie Mellon University. It provides numerous rules and recommendations on how to use C/C++ securely to avoid introducing vulnerabilities.
-
Characteristics: Focuses on security, with detailed risk assessments and examples for each rule, making it an important reference for developing safety-critical applications.
-
Resource Links:
SEI CERT C Coding Standard: https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard
SEI CERT C++ Coding Standard: https://wiki.sei.cmu.edu/confluence/display/cplusplus/SEI+CERT+C+++Coding+Standard
AUTOSAR C++14:
- Overview: The Automotive Open System Architecture organization has established C++14 coding guidelines for automotive software. It has a high degree of overlap with MISRA C++ and has been extended, making it a very important standard in modern automotive software development.
- Characteristics: Focused on the automotive industry, based on modern C++ (C++14), emphasizing safety, reliability, and portability.
- Resource Link: AUTOSAR official website: https://www.autosar.org/ (Standard documents require membership, but guideline content is supported by many tools)
Google C++ Style Guide / LLVM Coding Standards:
-
Overview: These are coding standards established internally for large projects. Although not as universal as the aforementioned standards, they are highly influential. They focus on code readability, maintainability, and consistency.
-
Characteristics: Many open-source tools (such as
<span>clang-tidy</span>) have built-in checks for these styles. -
Resource Links:
Google C++ Style Guide: https://google.github.io/styleguide/cppguide.html
LLVM Coding Standards: https://llvm.org/docs/CodingStandards.html
Mainstream Static Analysis Tools
Tools are the practitioners of the standards. Here are some widely used C/C++ static analysis tools.
Commercial Tools (Powerful, Highly Integrated, Support Multiple Standards)
-
Coverity (Synopsys)
- Overview: An industry benchmark used by many large enterprises for mission-critical systems. Its analysis engine is very powerful, with a relatively low false positive rate, capable of detecting extremely complex defects.
- Supported Standards: Fully supports MISRA, CERT, CWE, AUTOSAR, etc.
- Link: https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html
Klocwork (Perforce)
- Overview: Another enterprise-level tool, particularly adept at static analysis for C/C++/C#/Java, widely used in the embedded field. It provides deep code understanding and incremental analysis.
- Supported Standards: Supports MISRA, CERT, CWE, AUTOSAR, etc.
- Link: https://www.perforce.com/products/klocwork
PVS-Studio
- Overview: A powerful tool known for detecting specific defect patterns that other tools miss. It provides good support for both Linux and Windows environments and can be integrated into SonarQube.
- Characteristics: Offers a free Linux version for open-source projects, with a low false positive rate.
- Link: https://pvs-studio.com/en/
QAC (Perforce) / C-STAT (IAR)
-
Overview: These two are traditional strong players in the embedded development field, especially deeply integrated with specific IDEs (such as IAR Embedded Workbench), providing a seamless experience for embedded developers.
-
Supported Standards: Focused on MISRA, CERT, and other safety standards.
-
Link:
Helix QAC: https://www.perforce.com/products/helix-qac
IAR C-STAT: https://www.iar.com/cstat
Free/Open Source Tools (Easily Accessible, Common in CI/CD)
- Clang-Tidy (LLVM/Clang)
- Overview: A linting tool based on Clang, it is the Swiss Army knife for modern C++ developers. It not only checks for bugs but also enforces coding styles (such as Google, LLVM styles) and promotes modern C++ usage (such as C++ Core Guidelines).
- Characteristics: Highly configurable, allows for custom checkers to be written, and integrates well with CMake, Visual Studio, etc.
- Link: https://clang.llvm.org/extra/clang-tidy/
- Overview: A lightweight static analysis tool focused on detecting actual bugs in C/C++ code (such as undefined behavior, memory leaks), rather than style issues. Its design goal is to achieve the lowest possible false positive rate.
- Characteristics: Platform-independent, easy to integrate, suitable for basic checks in the development process.
- Link: https://cppcheck.sourceforge.io/
- Overview: An open code quality management platform. Its community edition supports C/C++ (via the SonarCFamily plugin, but this plugin is now closed source, and the community edition has limited functionality), capable of detecting bugs, vulnerabilities, and code smells.
- Characteristics: Provides a beautiful web dashboard displaying code quality trends, technical debt, etc.
- Link: https://www.sonarsource.com/products/sonarqube/
- Overview: Developed by Facebook, it focuses on detecting critical issues such as null pointer dereferences and resource leaks. Its analysis is performed on the intermediate code after compilation, making it very efficient.
- Characteristics: Performs excellently on large codebases, suitable for integration into CI.
- Link: https://fbinfer.com/
How to Choose a Tool
When selecting a tool, consider the following factors:
- Project Requirements: Is it a general application or a safety-critical system (such as medical or aerospace)? The latter requires commercial tools that support strict standards like MISRA/CERT.
- Budget: Commercial tools are powerful but expensive; open-source tools are the preferred choice for budget-constrained or startup projects.
- Integration: Is seamless integration with IDEs (VS, Eclipse, CLion), build systems (CMake, Makefile), or CI/CD platforms (Jenkins, GitLab CI) required?
- Customizability: Is there a need to write custom rules based on internal company standards?
- False Positive Rate: A high false positive rate can severely drain developer energy, necessitating an assessment of the tool’s accuracy.
A strategy of combining “light and heavy” is often adopted.
During the development phase, use <span>clang-tidy</span> or <span>Cppcheck</span> for quick feedback, and employ more powerful commercial tools or <span>Infer</span> for deep scans during code submission and integration.
Summary and Resource Links
Static code analysis is a key technology for improving the quality and security of C/C++ code.
By adhering to industry standards such as MISRA and CERT, and utilizing tools like Coverity and Clang-Tidy, developers can eliminate a significant number of potential defects early in the development process, significantly reducing later maintenance costs and security risks.
Resource Links:
- Standards:
- MISRA: https://www.misra.org.uk/
- CWE: https://cwe.mitre.org/
- CERT C: https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard
- CERT C++: https://wiki.sei.cmu.edu/confluence/display/cplusplus/SEI+CERT+C+++Coding+Standard
- Google C++ Style: https://google.github.io/styleguide/cppguide.html
- Tools:
- Coverity: https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html
- Klocwork: https://www.perforce.com/products/klocwork
- PVS-Studio: https://pvs-studio.com/en/
- Clang-Tidy: https://clang.llvm.org/extra/clang-tidy/
- Cppcheck: https://cppcheck.sourceforge.io/
- Facebook Infer: https://fbinfer.com/
I hope this article provides a clear path and valuable reference for understanding and applying C/C++ static code analysis.

Follow 【Learn Embedded Together】 to become better together.
If you find this article helpful, click “Share”, “Like”, or “Recommend”!