CodeChecker is a popular open-source quality control tool on Linux and macOS. In this short post, we will tell you how to use it with the PVS-Studio analyzer.

CodeChecker is written in Python and supports many code analyzers for various languages. Some of the pros of this tool include ease of use and the straightforward installation process. CodeChecker has supported the PVS-Studio analyzer quite recently. Therefore, we're writing this article guide readers through the installation process and demonstrate how to use the tool with the PVS-Studio static code analyzer.

CodeChecker installation

In order to use CodeChecker, we need a Python interpreter of the 3.8 version or later. The tool is distributed as a Python package, so we'll need to run a few simple commands to install it.

First, create a Python virtual environment, then install the codechecker package and start the server.

For example, here are the commands for Linux:

python3 -m venv .venv
source ./venv/bin/activate
pip3 install codechecker

The PVS-Studio analyzer support in the built-in report-converter tool will appear in the CodeChecker 6.25.0 version, but you can use PVS-Studio with CodeChecker now. To do this, clone the tool source code from the GitHub repository and then install the latest version of the report-converter component from the repository into the virtual environment that was created in the previous step:

cd tools/report-converter/
python setup.py install

Next, download the codechecker.json file and save it where CodeChecker is installed. This will help display PVS-Studio diagnostic rule levels correctly. In the case of our example, this is the directory: .venv/share/codechecker/config/labels/analyzers. In the directory, change the file name to pvs-studio.json.

After that, run the following command to start the CodeChecker server:

CodeChecker server

By default, the CodeChecker server locates by the http://localhost:8001 address. Right after the run, a usable product will be created.

Report conversion

CodeChecker uses its own report format. You must convert the PVS-Studio analyzer report into it. CodeChecker's built-in tool—report-converter—will help you with this. You can pass the PVS-Studio .json report to it using the following command:

report-converter -t pvs-studio -o ./pvs_studio_reports ./PVS-Studio.json

The -t flag specifies the analyzer report that we want to convert. The -o flag indicates the directory where report-converter will save the converted report. The last parameter is the path to the PVS-Studio report.

If the PVS-Studio report is not saved in the .json format, you can convert it using the plog-converter utility with the following command:

plog-converter -t json -a 'GA:1,2;OWASP:1' 
   -o /home/user/Logs/PVS-Studio.json PVS-Studio.log

The -t flag indicates the report format after conversion, -a defines the groups of PVS-Studio diagnostic rules that should be left in the output report, -o sets the path to save the converted report. The last parameter is the path to the report to be converted.

After the PVS-Studio report is converted into the CodeChecker format, save it to the server. To do this, run the following command:

CodeChecker store ./pvs_studio_reports -n default

After the -n flag, pass the name of the CodeChecker run. When this command is executed, a run named default appears on our default product page.

Viewing the report

Now you can view and handle the analyzer warnings. To see the full list of warnings, click on the warning, and you'll get the list like this:

Warnings in CodeChecker are divided into different levels:

• Unspecified
• Low
• Medium
• High
• Critical
• Style.

The PVS-Studio analyzer warnings are classified as Low, Medium, and High. This helps adhere to the general classification of PVS-Studio warnings across different tools. Messages about errors in the analyzer's operation fall into the Unspecified category.

Note. Let's say all the warnings in the list are Unspecified. Then, save the file with PVS-Studio diagnostic level markup to the directory with the CodeChecker installation location. The above section "CodeChecker Installation" explains it.

Due to CodeChecker web interface, the analyzer warnings can be filtered by a variety of parameters: the certainty level, diagnostic rule name, etc. Click on a specific warning, and you will see the place in the code where the bug lurks.

CodeChecker enables you to markup warnings by setting a Review status of a particular warning. You can set one the following statuses to each warning:

• Confirmed bug—the warning is true and needs to be fixed;
• False positive—the warning is false;
• Intentional—the warning is true but doesn't require fixing.

If you set False positive to a warning, it will no longer appear in the list, as well as in all future runs. Also, when changing a warning status, you can leave a comment, for example, about how quickly one can fix this error.

With each follow-up run, new warnings appear with a special sign. There's another handy way to view warnings that appear between the runs. Select two runs from the menu and click on the checkboxes.

After clicking the Diff button, you'll see only the warnings that appeared on a fresh run:

Summary

Keeping code clean and neat is an important task, which requires the best tools. CodeChecker is a really convenient interface for viewing and marking warnings of analyzers, including PVS-Studio. You can read more about using the PVS-Studio analyzer in CodeChecker in the documentation.

Besides CodeChecker, the PVS-Studio static analyzer integrates into such code quality control systems as SonarQube and DefectDojo. You're welcome to try PVS-Studio by the link.