Supported analyzers

For now, kiskadee supports cppcheck (http://cppcheck.sourceforge.net/), flawfinder (https://www.dwheeler.com/flawfinder/), Frama-C, and the Clang Static Analyzer (scan-build). cppcheck and flawfinder are fully supported. Frama-C and scan-build support is still in its early stages: these tools run more sophisticated analyses and require some tuning for each piece of software analyzed, which makes it harder to come up with a general analysis approach.

Each analyzer in kiskadee runs under Docker, so you will have to properly configure a Docker engine in your environment in order to run the analysis. The output of each analyzer is parsed using the firehose (https://github.com/fedora-static-analysis/firehose) project, generating a common JSON output. If you intend to add a new analyzer to kiskadee, keep in mind that this analyzer must be supported by the firehose project. To enable a new analyzer for some fetcher, just add the analyzer name to /etc/kiskadee.conf (the analyzer must be installed in the environment).

Frama-C white lists

Frama-C analyses need to be specified on a per-project basis. The white lists are implemented in util/dockerfiles/frama_c/docker-entrypoint.sh. If you want to include new projects for Frama-C runs, we would be happy to accept your patches.

The analyzers module

This module provides functions to run static analyzers.

kiskadee.analyzers.run(analyzer, sources)

Run a static analyzer on a given package.

analyzer is the name of the static analyzer container to run. sources is the absolute path to the uncompressed package. Returns the analysis results.
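The following is an added example, not kiskadee's own code: a sketch of the checks a caller can apply to the two arguments of run() before they reach the Docker engine, since the package being analyzed is untrusted input. The helper names, the /src mount point, and the use of the analyzer name as the image name are assumptions; the allowlist holds only the two fully supported analyzers.

```python
import os
import subprocess

# Assumption: the container image is named after the analyzer.
ALLOWED_ANALYZERS = {"cppcheck", "flawfinder"}
MOUNT_POINT = "/src"  # hypothetical path inside the container


def build_docker_argv(analyzer, sources):
    """Return the docker argv for one analysis run, or raise ValueError."""
    if analyzer not in ALLOWED_ANALYZERS:
        # Rejects unknown names and anything docker would read as an option.
        raise ValueError("unknown analyzer: %r" % (analyzer,))
    if not os.path.isabs(sources):
        raise ValueError("sources must be an absolute path")
    # Resolve symlinks and ".." so the mounted directory is the real one.
    real = os.path.realpath(sources)
    if ":" in real:
        # ':' separates the fields of docker's -v argument.
        raise ValueError("':' is not allowed in the sources path")
    return [
        "docker", "run", "--rm",
        "--network", "none",   # the analyzer needs no network access
        "--cap-drop", "ALL",   # no extra kernel capabilities
        "-v", "%s:%s:ro" % (real, MOUNT_POINT),  # sources mounted read-only
        analyzer,
    ]


def run_sketch(analyzer, sources, timeout=600):
    """Run the container and return its raw stdout (the analyzer report)."""
    proc = subprocess.run(
        build_docker_argv(analyzer, sources),
        capture_output=True, text=True, timeout=timeout, check=True,
    )
    return proc.stdout
```

Passing the arguments as a list, without a shell, keeps a crafted package path from being interpreted as extra command text.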