klocwork

• environment

• analysis

  • initial a klocwork analysis

  • full build analysis

  • incremental build analysis

  • load result from both windows and linux

  • using kwwrap plus kwinject to generate a build specification

  • when editing the makefile is not an option

  • download

• authentication

  • get ltoken

• import your projects and server settings

• report

  • creating a report

• CI

  • Jenkinsfile

• ssl

  • renew LDAP cert

  • using a secure klocwork server connection

reference:

• * Klocwork Documentation
• PiCache MongoDB Backup/Recovery Procedure
• Klocwork Build integration for C Cplus plus projects EN
• Command Reference
• Troubleshooting an incomplete kwinject build specification
• Providing a build specification template for your developers
• Compiler options for kwbuildproject
• Klocwork Jenkins CI plugin
• Synchronizing status changes and comments across projects
• Continuous integration and Klocwork analysis
• examples
• Klocwork - Knowledgebase
• Running the C and C++ integration build analysis

  • Running your first integration build analysis
  • Running your next integration build analysis
  • Creating a C/C++ build specification
  • C/C++ integration build analysis - Cheat sheet
• example about integrate with Jenkins
• 最佳实践：Klocwork增量/VerifyCI检查
• Running a distributed Klocwork C/C++ analysis
• Security Best Practices + Klocwork
• Integrating Static Code Analysis and Defect Tracking.pdf
• klocwork 2020

  • Setting up Klocwork with Containers (Linux)
  • Limitations
• checkers

  • C and C++ checker reference

    • UNUSED.FUNC.GEN
    • UNUSED.FUNC.WARN
  • CERT community C and C++ checker reference
• How can I know which parts in the code are never used?

  • -Wunused

  • -Wunreachable-code

• How do I locate Uncalled Functions?

  • Cppcheck

    $ cppcheck --enable=unusedFunction .
    Checking foo.c...
    1/2 files checked 0% done
    Checking main.c...
    2/2 files checked 0% done
    [foo.c:1]: (style) The function 'foo' is never used.

• Dead code detection in legacy C/C++ project

environment

[!NOTE|label:references:]

• Install and Configure Klocwork cmd client
• User manual | Installation and Upgrade
• Klocwork Desktop for C/C++ project setup overview
• video: Build integration for C/C++ projects
• video: Klocwork Demo
• Useful resources
• Creating the Python script
• bwinhwang/PyKW

analysis

[!NOTE|label:references:] issue severity

• 1 - Critical

• 2 - Error

• 3 - Warning

• 4 - Review

• 5 - Severity 5

• 6 - Severity 6

• 7 - Severity 7

• 8 - Severity 8

• 9 - Severity 9

• 10 - Severity 10

initial a klocwork analysis

[!NOTE|label:references:] sample code

• capture build settings

  $ kwinject --output "<.out_path>" <original build command>

  • i.e.:

    $ kwinject --output "~/npp/npp.out" devenv "~/npp/PowerEditor/visual.net/notepadPlus.sln" /Rebuild

• run an analysis using the build spec

  $ kwbuildproject --url "<kw_url:kw_port>/<project_name>" \
                   --tables-directory "<table_path>" \
                   "<.out_path>"

  • i.e.:

    $ kwbuildproject --url "http://klocwork.domain.com/NotepadPlusPlus" --tables-directory "~/npp/npp_tables" "~/npp/npp.out"

• load the database

  $ kwadmin --url "<kw_url:kw_port>" \
            load "<project_name>" \
            "<table_path>"

  • i.e.:

    $ kwadmin --url "http://klocwork.domain.com" load "NotepadPlusPlus" "~/npp/npp_tables"

  • debug for authentication issue

    $ kwadmin --debug --url <Klocwork server url> list-projects

    • logout via

      $ kwauth --log-out

full build analysis

[!NOTE|label:references:] sample code

• re-create the build spec

  $ kwinject --output "~/kw.out" <regular command line>

  • i.e.

    $ kwinject --output "~/npp/npp.out" devenv "~/npp/PowerEditor/visual.net/notepadPlus.sln" /Rebuild

• force a full analysis

  $ kwbuildproject --url "<kw_url:kw_port>/<project_name>" \
                   --tables-directory "<table_path>" \
                   --force "<.out file>"

  • i.e.:

    $ kwbuildproject --url "http://klocwork.domain.com/NotepadPlusPlus" --tables-directory "~/npp/npp_tables" --force "~/npp/npp.out"

• load the result

  $ kwadmin --url "<kw_url:kw_port>" \
            load "<project_name>" \
            "<table_path>"

  • i.e.:

    $ kwadmin --url http://klocwork.domain.com/ load NotepadPlusPlus "~/npp/npp_tables"

incremental build analysis

[!NOTE|label:references:] sample code

• update the build settings

  $ kwinject --update "<.out_path>" <original build command>

  • i.e.:

    $ kwinject --update "~/npp/npp.out" devenv "~/npp/PowerEditor/visual.net/notepadPlus.sln" /Build

• execute the incremental analysis

  $ kwbuildproject --url "<kw_url:kw_port>/<project_name>" \
                   --tables-directory "<table_path>" \
                   --incremental "<table_path>"

  • i.e.:

    $ kwbuildproject --url "http://klocwork.domain.com/NotepadPlusPlus" --tables-directory "~/npp/npp_tables" --incremental "~/npp/npp_tables"

• load the result

  $ kwadmin --url "<kw_url:kw_port>" \
            load "<project_name>" \
            "<table_path>"

  • i.e.:

    $ kwadmin --url "http://klocwork.domain.com" load NotepadPlusPlus "~/npp/npp_tables"

load result from both windows and linux

[!NOTE|label:references:] sample code kwbuildproject

• create an integration project on kw server via command line

  $ kwadmin --url "<kw_url:kw_port>" \
            create-project "<project_name>"

  • i.e.:

    $ kwadmin --url http://klocwork.domain.com create-project NotepadPlusPlus

• capture build settings on linux machine

  $ kwinject --output "<.out_path>" <original build command>

  • i.e.:

    $ kwinject --output "~/npp/npp.out" make

• run an analysis using the build spec on linux

  $ kwbuildproject --url "<kw_url:kw_port>/<project_name>" \
                  [--project "<project_name>"]
                   --tables-directory "<table_path>" \
                   "<.out_path>"

  • i.e.:

    $ kwbuildproject --url "http://klocwork.domain.com/NotepadPlusPlus" \
                     --tables-directory "~/npp/npp_tables" \
                     "~/npp/npp.out"

  • load multiple specification

    $ kwbuildproject --tables-directory <dir> \
                     [--url http://<klocwork_server_host>:<klocwork_server_port>/<server_project>] \
                     [<other_options>] \
                     <build_specification_1> [<build_specification_2>...]

• load the database on windows

  $ kwadmin --url "<kw_url:kw_port>" \
            load "<project_name>" \
            "<table_path>"

  • i.e.:

    $ kwadmin --url "http://klocwork.domain.com/NotepadPlusPlus" \
              load NotepadPlusPlus \
              "~/npp/npp_tables"

using kwwrap plus kwinject to generate a build specification

[!NOTE|label:references:]

• Using a build trace to troubleshoot build specification problems
• Can I concatenate the results of more than one kwinject.out file?
• Running a distributed analysis

Note: For distributed builds, you must run the following procedure on all build machines and merge the resultant build trace files.

1. inserting the kwwrap command line before your compiler and linker names

CC = gcc

convert to

CC = kwwrap -o <path_to_kwwrap_trace_file> gcc
// or
CC = kwwrap -o <path_to_kwwrap_trace_file> $(command -v gcc)

or via creating wrapper scripts

1. execute the original build command

2. Convert the build trace into a build specification with kwinject

$ kwinject --trace-in <path_to_kwwrap_trace_file> \
           --output <path_to_kwinject_output_file>

• i.e.:

  $ kwinject --trace-in C:/temp/kwwrap.trace \
             --output C:/Klocwork/temp/kwinject.out

when editing the makefile is not an option

i.e.: <path_to_kwwrap_trace_file> is /temp/kwwrap.trace

using environment variables

1. create environment variables

$ LDSHARED="kwwrap -o /temp/kwwrap.trace $(command -v gcc)"
$ CC="kwwrap -o /temp/kwwrap.trace $(command -v gcc)"
$ C++="kwwrap -o /temp/kwwrap.trace $(command -v g++)"
$ CMAKE="kwwrap -o /temp/kwwrap.trace $(command -v cmake)"
$ AR="kwwrap -o /temp/kwwrap.trace $(command -v ar) rc"
$ export CC C++ CMAKE AR LDSHARED

1. build with original command

$ cmake

1. use kwwrap with CMake and generate the trace

$ kwinject --trace-in /temp/kwwrap.trace --output kwinject.out

using wrapper scripts

1. creating wrapper scripts

$ echo "kwwrap -r -o <path_to_kwwrap_trace_file> $(command -v gcc)" > $HOME/.hook/gcc
$ echo "kwwrap -r -o <path_to_kwwrap_trace_file> $(command -v g++)" > $HOME/.hook/g++
$ echo "kwwrap -r -o <path_to_kwwrap_trace_file> $(command -v cmake)" > $HOME/.hook/cmake
$ chmod +x $HOME/.hook/*

1. setup environment variables

$ export KWWRAP_HOOKS_DIR="$HOME/.hook"
$ export PATH=${KWWRAP_HOOKS_DIR}:${PATH}

1. build with original command

$ cmake # the original command

1. use kwwrap with CMake and generate the trace

$ kwinject --trace-in /temp/kwwrap.trace --output kwinject.out

download

[!NOTE|label:homepages:]

• 24.4.0.43
• 23.4.0.69 - 3/29/2024
• 23.3.0.57 - 1/24/2024
• 23.2.0.66 - 1/24/2024

authentication

[!TIP|label:references:]

• Authentication using the ltoken

Failing authentication if host name is not found You can enable kwauth to fail authentication in the case where the server host name was not found in the certificate CN or Subject Alternative Name by setting the verifyCertificate option to true. Enabling this results in the following error message if the host name cannot be found:

Unable to authenticate using SSL with <url>

To set this value to true, create a 'client_config.xml' file in your {client_tools_install_folder}\config\ folder (if it does not already exist). The file must contain the following:

<?xml version="1.0" encoding="UTF-8"?>
   <params>
     <host resolveHost="false" verifyCertificate="true"/>
   </params>

Note that setting resolveHost="false" is not mandatory, but doing so can prevent the Klocwork Server from resolving the wrong FQDN as the Server will use whatever host you specify in a remote server URL.

ltoken is used to authenticate users with tools such as kwbuildproject:

• Windows:C:\Users<user_name>.klocwork\ltoken

• Unix:~/.klocwork/ltoken

• Mac:~/.klocwork/ltoken If there is no ltoken file in your .klocwork directory, run kwauth to generate the file.

get ltoken

[!NOTE|label:references:]

• Command Reference
• Support Portal

  • Klocwork Downloads: 2023.3

    • kwbuildtools.23.3.0.57.linux64.zip
    • kwbuildtools.23.3.0.57.win64.zip
  • Klocwork Downloads: 2023.2

    • kwbuildtools.23.2.0.66.linux64.zip
    • kwbuildtools.23.2.0.66.win64.zip

$ export KLOCWORK_LTOKEN=/home/marslo/.klocwork/ltoken
$ kwauth --url https://klocwork.domain.com:443
Login: marslo
Password: ****
$ cat /home/marslo/.klocwork/ltoen
klocwork.domain.com;443;marslo;abcdefg1234567**************************************************

import your projects and server settings

[!NOTE|label:references:]

• Import your projects and server settings
• Import your projects and server settings
• Import your existing projects into a new projects root
• Using the search API
• kwadmin import-config
• Kwxsync

• api

  # import project
  $ curl --data "action=import_project&user=myself&project=my_project&sourceURL=http://oldserver:8080&sourceAdmin=user&sourcePassword=pwd" http://local.klocwork.com:8080/review/api
  
  # import server configuration
  $ curl --data "action=import_server_configuration&user=myself&sourceURL=http://oldserver:8080&sourceAdmin=user&sourcePassword=pwd" http://local.klocwork.com:8080/review/api

• cli

  # import
  $ kwadmin import-config <project_name> <file>
  # i.e.:
  $ kwadmin import-config workspace C:\Klocwork\OurMetrics.mconf
  
  # export
  $ kwadmin export-config [options] <project-name> <server-file> <local-file>
  # i.e.:
  $ kwadmin export-config Toolbus ExportedOurMetrics.mconf C:\Klocwork\OurMetrics.mconf

  # kwxsync import single project
  $ kwxsync [<options>] <project_name_1>|<project_URL_1> <project_name_2>|<project_URL_2> [...]
  
  # i.e.:
  $ kwxsync --url https://klocwork.domain.com:443 -f -c project project-backup

report

creating a report

CI

[!NOTE|label:reference:]

• Klocwork Jenkins CI plugin
• Continuous integration and Klocwork analysis
• Ebook: klocwork ci/cd best practice.pdf
• Video: Add Static Code Analysis to Your CI/CD Pipelines

Jenkinsfile

pipeline {
  agent any

  environment {
    KLOCWORK_URL = "http://localhost:8080"
    KLOCWORK_PROJECT = "zlib-pipeline"
    KLOCWORK_LICENSE_HOST = "flexlm-server"
    KLOCWORK_LICENSE_PORT = "27000"
    KLOCWORK_LTOKEN = ""
  }

  stages {
    stage('Get src from git') {
      steps {
        git 'https://github.com/madler/zlib.git'
      }
    } // stage : clone code

    stage('Klocwork Build') {
      steps {
        klocworkBuildSpecGeneration([
          additionalOpts: '',
          buildCommand: 'c:\\dev\\zlib-git.bat',
          ignoreErrors: true,
          output: 'kwinject.out',
          tool: 'kwinject'
        ])
      }
    } // stage : klocwork build

    stage('Klocwork Analysis') {
      steps {
        klocworkIntegrationStep1([
          additionalOpts: '',
          buildSpec: 'kwinject.out',
          disableKwdeploy: true,
          duplicateFrom: '',
          enabledCreateProject: true,
          ignoreCompileErrors: true,
          importConfig: '',
          incrementalAnalysis:       false,
          tablesDir: 'kwtables'
        ])
      }
    } // stage : klocwork analysis

    stage('Klocwork Db-load') {
      steps {
        klocworkIntegrationStep2 reportConfig: [
                                   displayChart: true,
                                   query: 'status:Analyze'
                                 ],
                                 serverConfig: [
                                   additionalOpts: '',
                                   buildName: '',
                                   tablesDir: 'kwtables'
                                 ]
      }
    } // stage : klocwork db-load

    stage('Build Failure Conditions') {
      steps {
        klocworkFailureCondition([
          enableCiFailureCondition: true,
          failureConditionCiConfigs: [[
            withDiffList: true,
            diffFileList: 'my_list.txt',
            enableHTMLReporting: true,
            name: 'one',
            reportFile: '',
            threshold: '1',]]
        ])
      }
    } // stage : build failure conditions
  } // stages
} // pipeline

• full static code analysis

  stage("full static code analysis") {
    steps{
      echo "performance integration analysis"
      klocworkIntegrationStep1([
        buildSpec: "${KLOCWORK_BUILDSPEC}",
        tableDir: "${KLONWORK_TABLES}",
        incrementalAnalysis : true,
        ignoreCompileErrors: false,
        importConfig : "",
        additionalOpts: "--replace-path ${WORKSPACE}=workspace",
        disableKwdeploy: true
      ])
    }
  }

ssl

renew LDAP cert

[!NOTE|label:references:]

• keytool and java : /opt/Klocwork/Server/_jvm/bin

• Security Best Practices + Klocwork
• Simple bind failed error when trying to connect to Active Directory
• Klocwork 部署的安全最佳实践
• [SOLVED]-LDAPS : SIMPLE BIND FAILED-JAVA

  - -djdk.tls.client.protocols=tlsv1
  + -djdk.tls.client.protocols=tlsv1,tlsv1.1,tlsv1.2,tlsv1.3

• 2020.4.1

  • Error occurred during SSL handshake
  • Using a secure Klocwork Server connection
  • Troubleshooting
  • Setting up LDAP access control

$ keytool -import -alias ldaproot  -file rootca.cer -keystore cacerts
$ keytool -import -alias ldapInter -file inter.cer  -keystore cacerts
$ keytool -import -alias ldap      -file ldap.cer   -keystore cacerts

using a secure klocwork server connection

[!TIP] for klocwork 2020.4 Build 20.4.0.81

• Create a self-signed keystore file

  # from <server_install>, run the following command:
  # The keystore is saved into the Tomcat config directory at <projects_root>/tomcat/conf.
  $ _jvm/bin/keytool -genkeypair -alias tomcat \
                     -keyalg RSA \
                     -keystore <projects_root>/tomcat/conf/.keystore \
                     -dname "cn=<KlocworkServer_hostname>, ou=<your_organizational_unit>,o=<your_organization>" \
                     -keypass changeit \
                     -storepass changeit
  
  # i.e.:
  $ _jvm/bin/keytool -genkeypair -alias tomcat \
                     -keyalg RSA \
                     -keystore <projects_root>/tomcat/conf/.keystore \
                     -dname "cn=testserver.klocwork.com, ou=Development, o=Klocwork" \
                     -keypass changeit \
                     -storepass changeit

• Configure the Klocwork Server to use SSL (manually)

  
  $ grep klocwork.protocol <projects_root>/config/admin.conf
  - klocwork.protocol=http
  + klocwork.protocol=https
  
  $ grep Connector <projects_root>/tomcat/conf/server.template
  -  <Connector port="$PORT" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="64" minSpareThreads="20" redirectPort="8443" acceptCount="200" connectionTimeout="20000" URIEncoding="UTF-8" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla,traviata" compressableMimeType="text/html,text/xml,text/javascript" maxPostSize="-1" />
  +  <Connector port="$PORT" maxthreads="4-" minSpareThreads="20" maxSpareThreads="40" enableLooksups="false" redirectPort="8443" acceptCount="50" debug="0" connectionTimeout="20000" compression="on" compressionMinSize="2048" noCompressionUserAgents=".*MSIE.*,gozilla,traviata" compressableMimeType="text/html,text/xml" maxPostSize="0" />

• restart klocwork service

  [!TIP|label:see also:]

  • iMarslo: start/restart service

  $ kwservice --projects-root <projects_root> stop
  $ kwservice --projects-root <projects_root> start
  
  # or
  $ kwservice --projects-root <projects_root> restart klocwork

• verify

  $ kwadmin --ssl --host klocwork.example.com -port 443 list-projects
  # same as
  $ kwadmin --url https://klocwork.example.com:443 list-projects

• disabling the ssl connection

  [!NOTE]

  • Simple bind failed error when trying to connect to Active Directory

    simple bind failed: ad.hostname.com:636

  1. import the ldap server public certificate directly into the klocwork keystore

  # location
  <path_to_JVM_install>\_jvm\lib\security\cacerts

  1. ask your LDAP administrator to set this extension of your LDAP server certificate to non-critical

  [!NOTE|label:references:]

  • Third Party Application Fails Using LDAP over SSL
  • Troubleshoot LDAP over SSL connection problems
  • Enable LDAP over SSL (LDAPS) for Microsoft Active Directory servers
  • Enable LDAP over SSL with a third-party certification authority
  • How to Enable LDAP over TLS on a SonicWall without a Certificate Authority (CA)
  • LDAP over SSL configuration in Active Directory
  • Windows Server – Enable LDAPS