
C/C++

This article shows you how to analyze your applications written in C/C++ using preZero. It assumes that you have already set up and authenticated with Qwiet.

Requirements

See Prerequisites for more information.

Analyzing your C/C++ application

Note: Qwiet offers a sample application that you can use to run and test preZero.

To analyze your C/C++ application, run:

sl analyze --app <name> --c </path/to/code>

Parameter          Description
--app <name>       The name of the application to be analyzed (maximum length: 100 characters)
--c                The flag identifying the application's language
</path/to/code>    The path to your project

See the CLI reference for additional sl analyze options.

Additional parameters

The analysis accepts additional parameters after a double hyphen --.

For example, the following enables scanning of C/C++ system header files if you have GCC and g++ installed for the auto-discovery of such files:

sl analyze --app <name> --c </path/to/code> -- --with-include-auto-discovery

Parameter                        Description
--exclude <path>                 Exclude the specified file/directory during code analysis; the path provided must be either an absolute path or a path relative to the project directory; can be specified multiple times
--exclude-regex <value>          A regex specifying the files to exclude during the analysis (the match is against the absolute file path), e.g., --exclude-regex ".*([-.])min\\.c"
--with-include-auto-discovery    Enables scanning of system header files if you have GCC and g++ installed for the auto-discovery of such files
--compilation-database <path>    Enables the processing of compilation database files (e.g., compile_commands.json)

Using a compilation database

When analyzing C/C++ applications, preZero can extract compiler options, source files, and other build information from a compilation database. This allows the analysis to be more consistent with the build configuration.

To generate a compilation database for CMake-based builds, use the CMAKE_EXPORT_COMPILE_COMMANDS environment variable. See the CMake documentation for additional details. Clang-based builds are also supported, but additional tools such as Build EAR or Compilation Database Generator might be required. See the Clang documentation for additional details.

For example, take the following Makefile:

all: shiftleft-c-demo

shiftleft-c-demo:
	gcc -o shiftleft-c-demo main.c

clean:
	rm shiftleft-c-demo

To generate a compilation database for a Make-based project using compiledb, run the following command:

compiledb make

The compilation database will look something like this:

[
  {
    "directory": "/Users/gacevedo/Development/shiftleft-c-demo",
    "arguments": [
      "gcc",
      "-o",
      "shiftleft-c-demo",
      "main.c"
    ],
    "file": "main.c"
  }
]

Once you have a compilation database, you can provide it during the analysis invocation:

sl analyze --app <name> --c </path/to/code> -- --compilation-database compile_commands.json
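Before handing a compile_commands.json to --compilation-database, it is worth checking what the analysis will actually consume from it. The following Python script is an added example (not part of the Qwiet documentation or the sl tool): it reads a database in the format shown above, accepts both the "arguments" and the "command" entry forms that the format allows, resolves each source file against its "directory", extracts -I include paths and -D defines, and lists sources outside the project root as candidates for --exclude. The sample database and the /work/shiftleft-c-demo paths are constructed for the example.

```python
import json
import os
import shlex

# Constructed sample database in the same shape as the compiledb output above;
# the second entry uses the "command" form, the third points outside the project.
SAMPLE_DB = json.dumps([
    {"directory": "/work/shiftleft-c-demo",
     "arguments": ["gcc", "-DDEBUG=1", "-Iinclude", "-o", "shiftleft-c-demo", "main.c"],
     "file": "main.c"},
    {"directory": "/work/shiftleft-c-demo",
     "command": "gcc -I/usr/local/include -D NDEBUG -c src/util.c",
     "file": "src/util.c"},
    {"directory": "/work/shiftleft-c-demo",
     "arguments": ["gcc", "-c", "/opt/vendor/third_party.c"],
     "file": "/opt/vendor/third_party.c"},
])


def entry_args(entry):
    """Return the argv list of an entry, accepting either 'arguments' or 'command'."""
    if "arguments" in entry:
        return list(entry["arguments"])
    return shlex.split(entry["command"])


def summarize_entry(entry):
    """Extract the resolved source path, include dirs and defines of one entry."""
    args, includes, defines = entry_args(entry), [], []
    i = 1  # args[0] is the compiler
    while i < len(args):
        a = args[i]
        for flag, bucket in (("-I", includes), ("-D", defines)):
            if a == flag and i + 1 < len(args):      # separated form: -I dir
                bucket.append(args[i + 1])
                i += 1
            elif a.startswith(flag) and len(a) > 2:  # joined form: -Idir
                bucket.append(a[2:])
        i += 1
    directory = entry["directory"]
    # Relative paths are relative to "directory"; absolute ones are kept as-is.
    return {"source": os.path.normpath(os.path.join(directory, entry["file"])),
            "includes": [os.path.normpath(os.path.join(directory, p)) for p in includes],
            "defines": defines}


def check_compilation_database(text, project_root):
    """Parse compile_commands.json text; return (summaries, sources outside project_root)."""
    root = os.path.normpath(project_root)
    summaries, outside = [], []
    for entry in json.loads(text):
        summary = summarize_entry(entry)
        summaries.append(summary)
        if os.path.commonpath([root, summary["source"]]) != root:
            outside.append(summary["source"])
    return summaries, outside
```

Run check_compilation_database(open("compile_commands.json").read(), ".") against a real database to see which translation units, include roots and defines the analysis will pick up, and which files you may want to pass to --exclude.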

Tagging results with your branch name

To include the branch name in your preZero results, allowing you to distinguish one set of results from another, add the following to your invocation of Qwiet:

sl analyze --app <name> --c --tag branch=`git symbolic-ref --short HEAD` </path/to/code>

If you're working in a GitHub environment (e.g., GitHub Actions), you can also use --tag branch=${{ github.head_ref }} to populate your branch name.

If you don't provide a branch name, but Qwiet detects one available in your environment, it will use that name.

Troubleshooting

If you have any issues scanning your project, please see our general troubleshooting page.