[ros-users] [Discourse.ros.org] [Quality Assurance] Statick: A static analysis framework

Thomas Denewiler ros.discourse at gmail.com
Thu Sep 13 05:02:11 UTC 2018
Thanks! We hope it is useful work.

I have not had a chance to look at Haros too much (although it has been on my to-do list for a while). From brief glances it appears that there is a lot of overlap. If anything I say about Haros is inaccurate, please correct me. It looks like Haros provides much more introspection into the ROS aspects of source code. Haros also has a web interface that looks very nice.

Statick can easily be run from the command line so it integrates well with local development and continuous integration such as Jenkins and Travis. Statick supports setting flags for each tool and collecting those flags to make a level. Each package in a workspace can be configured to be tested at a different level (or all of them can be tested at the same level). Suppressing false positives (globally or per file) is easy to do with Statick.

There are some efforts underway to test ROS and ROS2 source code for security issues (using the sei_cert level) and provide feedback to OSRF about the findings. We would like to turn the report feature into a plugin so that different types of reports could be generated (right now they are XML based so that Jenkins can use them). We are probably going to support testing web files soon (HTML, JS, CSS). We always like adding support for new tools.

---
[Visit Topic](https://discourse.ros.org/t/statick-a-static-analysis-framework/6034/3) or reply to this email to respond.
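The post above describes three ideas: per-tool flags collected into a level, a profile that assigns each package a level (with a default), and suppression of false positives globally or per file. The block below is an added, constructed model of how those pieces fit together; it is not Statick's own code, and the dictionary layouts, tool flag strings, file paths and findings are all assumptions made up for illustration (Statick's real YAML schema is documented in the project's README, not here). The practical point it shows is the one a reviewer of a suppression list cares about: a global glob such as `*/build/*` hides every tool's findings under that path, while a per-file exception narrowed by tool and message regex only hides the one known false positive.

```python
"""Constructed model of levels, profiles and exceptions as described in the
post. Illustrative only: not Statick's implementation or config schema."""
from dataclasses import dataclass
from fnmatch import fnmatch
import re


@dataclass(frozen=True)
class Finding:
    tool: str
    path: str
    line: int
    message: str


# A level is the set of tools to run and the flags each one receives.
# Flag strings are assumptions for illustration; consult each tool's docs.
LEVELS = {
    "threshold": {"cppcheck": "--enable=warning",
                  "pylint": "--disable=all --enable=E"},
    "sei_cert": {"cppcheck": "--enable=all --inconclusive",
                 "clang-tidy": "-checks=-*,cert-*"},
}

# Profile: explicit per-package levels, everything else gets the default.
PROFILE = {"default": "threshold",
           "packages": {"crypto_driver": "sei_cert"}}  # assumed package name

# Exceptions: "global" rules apply to all tools on matching paths; "file"
# rules can be narrowed by tool and by a regex over the message text.
EXCEPTIONS = {
    "global": [{"tools": "all", "globs": ["*/build/*", "*/test/*"]}],
    "file": [{"tools": ["cppcheck"], "globs": ["*/legacy/*.c"],
              "regex": r"variableScope"}],
}


def level_for(package):
    """Resolve the level a package is tested at, falling back to default."""
    return PROFILE["packages"].get(package, PROFILE["default"])


def tools_for(level):
    """Return the tool -> flags mapping that makes up a level."""
    return LEVELS[level]


def _matches(rule, finding):
    """True when a suppression rule covers this finding."""
    tools = rule.get("tools", "all")
    if tools != "all" and finding.tool not in tools:
        return False
    if not any(fnmatch(finding.path, g) for g in rule["globs"]):
        return False
    regex = rule.get("regex")
    return regex is None or re.search(regex, finding.message) is not None


def apply_exceptions(findings, exceptions=EXCEPTIONS):
    """Split findings into (kept, suppressed) using global and file rules."""
    rules = exceptions["global"] + exceptions["file"]
    kept, suppressed = [], []
    for f in findings:
        (suppressed if any(_matches(r, f) for r in rules) else kept).append(f)
    return kept, suppressed


# Constructed sample findings (not real tool output).
SAMPLE_FINDINGS = [
    Finding("cppcheck", "src/pkg/build/gen.c", 3, "nullPointer"),        # global glob
    Finding("cppcheck", "src/legacy/old.c", 10, "variableScope: x"),    # file rule
    Finding("clang-tidy", "src/legacy/old.c", 12, "cert-err33-c"),      # other tool
    Finding("cppcheck", "src/legacy/old.c", 20, "nullPointer"),         # regex miss
    Finding("pylint", "src/pkg/node.py", 1, "E1101: no member"),        # untouched
]

if __name__ == "__main__":
    kept, suppressed = apply_exceptions(SAMPLE_FINDINGS)
    print("crypto_driver runs at:", level_for("crypto_driver"),
          "with tools", sorted(tools_for(level_for("crypto_driver"))))
    print("kept:", len(kept), "suppressed:", len(suppressed))
```

Note that the first sample finding is silenced by the global `*/build/*` rule for every tool, which is convenient for generated code but also exactly where a real finding in a vendored or generated file would disappear unreviewed; the per-file rule, by contrast, leaves the clang-tidy CERT finding and the unrelated cppcheck message in the same file visible.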