SAST and Unit Testing are a Perfect Match: CodeSonar and VectorCAST Integration

Thursday, September 23, 2021

VectorCAST is an embedded software testing platform from Vector Informatik that supports the creation and management of test assets to help software developers validate software requirements. VectorCAST measures code coverage, automates regression testing and generates standards-compliant reports, with test execution on host, simulator and embedded target systems.

Unit Test Automation

Automation is critical to making unit testing efficient, repeatable and part of a continuous and collaborative development process. VectorCAST provides best-in-class unit test automation with a focus on embedded systems that works with your existing software development tools, such as IDEs and static analysis tools like CodeSonar. It reduces testing time, allowing teams to test more frequently. VectorCAST goes beyond unit testing with full support across the development process, from unit test to system integration, with results analysis and full traceability.

SAST Supports Test Automation

Static Application Security Testing (SAST) tools, like CodeSonar, also play an important role in software verification and validation in several ways, but most importantly by detecting bugs and security vulnerabilities that are missed, untested or slip through initial QA processes. Static analysis tools reduce the number of defects that reach the unit testing phase, thus reducing the downstream testing effort.

There are also complex bugs and vulnerabilities that span multiple software units and are undetectable during unit testing. Tainted-data vulnerabilities like command injection or SQL injection are difficult to detect at the unit level, and advanced static analysis tools can detect these early in the development process.
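The cross-unit case described above, as an added illustration that is not code from CodeSonar or VectorCAST: two hypothetical units (an input copier and a command builder) each pass their own unit test, yet only a whole-program view shows that an untrusted packet field reaches the command sink. The `is_valid_hostname` check is the boundary validation a SAST tool would expect between source and sink; the command runner is a stand-in that records the command instead of executing it.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

#define MAX_NAME 64

/* Unit A (hypothetical input.c): copies a network-supplied field into a
 * caller buffer. Its unit test only checks bounds and content, and passes. */
int read_target_name(const char *packet, char *out, size_t out_len) {
    if (packet == NULL || out == NULL || out_len == 0) return -1;
    size_t n = strlen(packet);
    if (n >= out_len) return -1;          /* reject oversized field */
    memcpy(out, packet, n + 1);
    return 0;
}

/* Unit B (hypothetical exec.c): builds a command line for a runner.
 * last_command stands in for system(); the unit test of this function
 * only checks the formatted string, and also passes. */
static char last_command[256];

int run_ping(const char *host) {
    int w = snprintf(last_command, sizeof last_command, "ping -c 1 %s", host);
    return (w < 0 || (size_t)w >= sizeof last_command) ? -1 : 0;
}

const char *last_run_command(void) { return last_command; }

/* Boundary validation: accept only hostname characters, so shell
 * metacharacters in the tainted field can never reach the sink. */
bool is_valid_hostname(const char *s) {
    if (s == NULL || *s == '\0' || strlen(s) > 253) return false;
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && *s != '-' && *s != '.') return false;
    return true;
}

/* The composed source-to-sink flow, with the check in place.
 * Returns 0 on success, -1 on copy failure, -2 when the tainted value is rejected. */
int handle_packet(const char *packet) {
    char name[MAX_NAME];
    if (read_target_name(packet, name, sizeof name) != 0) return -1;
    if (!is_valid_hostname(name)) return -2;
    return run_ping(name);
}
```

Removing the `is_valid_hostname` call leaves both unit tests green while the composed flow becomes an injection path, which is exactly the gap the text says static analysis covers.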

Another area where SAST tools assist quality and security is through coding standard enforcement. Enforcing strict coding standards, such as MISRA C, can help prevent many classes of defects in code. Enforcing good discipline in coding and creating a develop-analyze-test micro cycle for small code changes can prevent many defects from being created in the first place.

CodeSonar Integration with VectorCAST

VectorCAST provides integration with various tools, including CodeSonar. This integration allows developers to see static analysis results for the code under test, analyze the findings, and determine their state and next steps, all within the VectorCAST GUI environment.

The integration informs and helps prioritize the creation and selection of unit test cases and allows a convenient way to see the information from both tools in the same place. Selection of software units is done via the VectorCAST environment view. VectorCAST ships with a settings template for CodeSonar so the integration is simple to enable.

Individual files can be analyzed directly from within VectorCAST, with the results made available in the warnings view and annotated in the code editor. Warning information is expanded with a mouse-over on each item in the warnings view, as shown below, or in the source code editor.

CodeSonar integration in the VectorCAST environment view.

At any time, developers can get more details by using the URL in the warning message to jump to the CodeSonar hub, as shown below.


CodeSonar hub accessible from VectorCAST when more details are needed.

For a more detailed look at the integration between CodeSonar and VectorCAST please take a look at the following video: