CodeSonar - Static Code Analysis
When Safety and Security Matter
CodeSonar is CodeSecure's (formerly GrammaTech) flagship static analysis software. It is specifically designed for zero-tolerance defect environments. With its advanced static analysis engine, CodeSonar is one of the most effective tools for eliminating the most costly and hard-to-find software defects early in the application development lifecycle. Compared with other tools, CodeSonar identifies twice as many defects that result in system crashes, leaks, data races, memory corruption and security vulnerabilities.
CodeSonar has performed best on several static analysis tool benchmarks in finding static memory, resource management, concurrency, and other defects.
CodeSonar enables teams to analyze complete applications, enabling you to take control of your software supply chain and eliminate the most costly and hard-to-find defects early in the application development lifecycle. CodeSonar extends team scalability, improves quality, and instills confidence.
Many functional safety standards such as IEC 61508, ISO 26262, CENELEC EN 50128, and DO-178B/C either recommend or mandate the use of static analysis to improve code quality and enforce coding standards. CodeSonar is specifically developed to assist software developers in building these safety- and security-critical software systems. Its high defect recall, its whole-program deep analysis using abstract execution, its elaborate explanations of warnings (including warning paths and code navigation), and its extensibility make it a favorite for developers of systems that cannot fail.
Implement Deep SAST and Find Vulnerabilities Others Miss
CodeSonar is a static code analysis solution that helps you find and understand quality and security defects in your source code or binaries. CodeSonar makes it easy to integrate SAST into your development process with support for over 100 compilers and compiler versions, numerous integrations with popular development tools and IDEs, and whole-program analysis that finds issues other tools miss.
CodeSecure provides checkers for hundreds of issue classes. In addition, it is possible to create customized checkers in CodeSonar.
The tool is particularly strong at concurrency checking.
Bring Security into DevSecOps
CodeSonar was doing DevSecOps before it was cool. Industries and companies are rapidly undergoing a digital transformation. Techniques like DevSecOps help companies respond to this challenge by releasing solutions to market faster and with fewer defects. Static code analysis is a fundamental component of DevSecOps and CodeSonar is here to help.
Gain In-Development Insights
Go beyond just finding problems to a deep understanding of where a warning comes from and what the risks are, even in code you did not write. CodeSonar provides whole-program SAST along with unique inspection reporting capabilities, helping developers understand, prioritize, and remediate issues rapidly.
Fulfill Functional Safety and Coding Standards
CodeSonar helps you achieve your functional safety objectives and comply with coding standards such as MISRA, AUTOSAR, JSF++ (Lockheed Martin Corporation), CWE (Common Weakness Enumeration), and CERT (Software Engineering Institute Computer Emergency Response Team). DISA-STIG (Security Technical Implementation Guide), ISO/IEC TS 17961 (C Secure Coding Rules Technical Specification), JPL (JPL Institutional Coding Standard for the C Programming Language), Power of Ten (NASA Jet Propulsion Laboratory), and OWASP (Open Worldwide Application Security Project) are also supported.
CodeSonar is pre-qualified for the highest levels of safety for the IEC 61508, ISO 26262, and EN 50128 standards.
Artifacts for qualification according to DO-178C/DO-330 are also available.
The tool is also successfully used in safety-critical projects developed according to IEC 62443 (Security for Industrial Automation and Control Systems) and IEC 62304 / ISO 13485 (Medical Devices).
CodeSonar Safety Documentation Kit
Static analysis is a great help during the software development phase, but it can also be a great time-saver in the functional safety process. This is where the CodeSonar Safety Documentation Kit comes in. This kit contains functional safety certificates issued by Exida that describe the qualification level CodeSonar has reached for the various safety standards, complete with the report of that assessment. It also includes a Tool Safety Manual with information on how a team can best utilize CodeSonar in the functional safety process. This Safety Documentation Kit is particularly useful for teams developing software that has to adhere to IEC 61508, ISO 26262, and CENELEC EN 50128.
CodeSonar is also frequently used in avionics-related projects that have to adhere to the DO-178C safety standard. The DO-330 document describes how tools can be qualified for this standard. DO-178C is a lot more project-specific, and CodeSecure has experience in working with customers on certification for this standard, together with Afuzion.
Supported Languages
CodeSonar supports many popular languages, including C/C++, Java, C#, Kotlin, Python, Go, Rust, JavaScript, and TypeScript, as well as native binaries for the Intel and ARM instruction set architectures. CodeSonar also supports OASIS SARIF to exchange information with other tools in the DevSecOps environment.
SDLC Integrations
CodeSonar is designed to support large teams. Defects are persistent and tracked across builds, even if the code changes. They can be annotated, ranked, assigned, searched for, and compared. Support for many team tools is provided out of the box.
Further Information
Download Data Sheet
How Static Analysis Works
Detect bottlenecks: Identify problems with cache usage (by Royd Lüdtke, Verifysoft)
Making Safety-Critical Software Development Affordable with Static Analysis (external link)
Finding Concurrency Errors with CodeSecure Static Analysis
Detecting Domain-specific Coding Errors with Static Analysis
Simplifying ISO 26262 Compliance with CodeSecure
Simplifying DO-178B Certification with CodeSecure Static Analysis Tools
Latest News
(current CodeSonar version is 8.1)
- CodeSonar 8.1 Available: All-In-One SAST Platform with Expanded Language Support
- GrammaTech’s Application Security Testing Software Business sold to Battery Ventures
- CodeSonar - GitHub Integration now available
- Verifysoft with Contributions in the French Standard Book for Software Tests