itiviti-cpp-analyzer (ICA) is a Clang plugin that performs static analysis checks to identify potential issues in C++ code.
Clang plugin with several static analysis checks
This tool is used by C++ developers and security engineers to integrate static code analysis into their build process, helping to detect vulnerabilities and code quality issues early. It is particularly useful in DevSecOps pipelines to automate security checks and enforce coding standards within CMake-based projects.
Currently, ICA only supports clang-10 and requires specific libclang development packages. Boost headers are optionally needed and can be downloaded during build. Users should carefully configure checks and emit levels to balance noise and coverage. Integration with CMake projects is streamlined but requires adding ICA either as an external project or subdirectory. Suppressing warnings and disabling URL integration are supported for customization.
1. Ensure Clang 10 and CMake are installed.
2. Install the libclang-10-dev and libclang-cpp10-dev packages.
3. Optionally have Boost 1.68+ headers available, or enable downloading them during the build.
4. Create and enter a build directory: mkdir build && cd build
5. Run cmake with parameters: cmake -DGCC_TOOLCHAIN=<path> -DBOOST_FROM_INTERNET=ON -DTARGET_COMPILER=clang++-10 ../
6. Build the plugin with: cmake --build . --parallel
7. The plugin will be available as ./build/libica-plugin.so
[ -load path/to/libica-plugin.so ] -add-plugin ica-plugin -plugin-arg-ica-plugin checks=$CHECKS
Load the ICA plugin into clang-10 and specify which checks to run using a comma-separated list.
-Xclang -load -Xclang ../build/libica-plugin.so -Xclang -add-plugin -Xclang ica-plugin -Xclang -plugin-arg-ica-plugin -Xclang checks=$CHECKS
Example of passing plugin load and arguments to clang frontend using -Xclang flags.
add_ica_checks(check1 check2 ...)
CMake helper function to load the ICA plugin and enable specified static analysis checks.
ica_no_url()
CMake helper to disable URL integration in check messages.
target_ica_checks(MyTarget VISIBILITY ...)
Apply ICA checks configuration to a specific CMake target and its dependencies.
target_ica_no_url(MyTarget VISIBILITY)
Disable URL integration for ICA messages on a specific CMake target.
cmake --install . --prefix /path/to/ica/installation/
Install the built ICA plugin to a specified directory for use as an external project.