
Starting C/C++ Applications Analysis

In DerScanner, the following methods of importing C/C++ applications for analysis are implemented:

  • Upload file from a local device. Upload a source code archive (as ZIP, 7Z, RAR (up to version 4.0), EAR, AAR, tar.bz2, tar.gz, tar, cpio) or the application executable file (.exe or .dll file).

If a project build is not configured, it is recommended to add file dependencies to the archive. This will improve the analysis results.

To upload code from a private repository, specify your username and password. For more information about analysis settings, see Settings.

A list of supported file extensions can be found in the Appendix. To analyze nested archives, select the Analyze libraries and nested archives option.

Analysis of projects in C/C++, Objective-C and Swift programming languages requires building the application. Therefore, full analysis is possible if the code is built without errors on a machine with the iccheck analyzer installed. For Linux installations, iccheck for Linux is installed by default. For Windows installations, iccheck for Windows is installed by default.

The system has an option to select the OS environment to build the application. In order to make the OS selection option available in the interface, you need to install the corresponding iccheck analysis module and connect it to the main server. Instructions for installing iccheck for Windows and macOS are available in the Administrator and System Installation Guides for Linux.

When analyzing C/C++ source code, analysis without build is possible, but fewer vulnerabilities will be found.

When analyzing source code (either as an archive or by link to a repository), the project should be built without errors:

  • To build C/C++ on Linux/macOS, CMake projects are supported (versions <=3.17.3). They are built with the command mkdir build && cd build && cmake .. && make in the same environment as DerScanner. Supported versions of compilers include:

    • Apple Clang <= 11.0.3
    • Open source Clang <= 10.0.0
    • GCC <= 10.1
  • To build C/C++ on Linux, the following options are supported in addition:

    • Makefile projects

    • Autotools projects

    • Custom non-interactive shell scripts. An executable shell script named build.sh should be provided along with the other project files. The script should be able to build the project from its location in the project file tree.

  • To build C/C++ on Windows, Visual Studio projects are supported (2005, 2008, 2010, 2012, 2013, 2015, 2017, 2019) (select the corresponding option in analysis settings), which are built by the msbuild <project_name>.sln command.

Therefore, either the CMake/Visual Studio project must establish its dependencies by itself, or they must be installed on the machine with DerScanner in advance.
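A pre-upload check for the Linux build requirements listed above, as an added example that is not part of DerScanner or its documentation. It covers the CMake and GCC version limits and the build.sh rule; all function names are hypothetical, and the marker files and their probing order are assumptions, since this page does not describe how the scanner picks a build type.

```shell
#!/usr/bin/env bash
# Added pre-upload check, not part of DerScanner. Version limits come from the
# list above; marker-file names and their probing order are assumptions.

# version_le A B: true when dotted numeric version A <= B (missing parts = 0).
version_le() {
  local a="$1" b="$2" x y
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# first_version: print the first dotted number read from stdin.
first_version() { sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1; }

# detect_build DIR: print which documented Linux build type DIR matches.
detect_build() {
  if   [ -x "$1/build.sh" ]; then echo build.sh
  elif [ -f "$1/build.sh" ]; then echo build.sh-not-executable
  elif [ -f "$1/CMakeLists.txt" ]; then echo cmake
  elif [ -f "$1/configure" ] || [ -f "$1/configure.ac" ]; then echo autotools
  elif [ -f "$1/Makefile" ] || [ -f "$1/GNUmakefile" ]; then echo makefile
  else echo none; fi
}

# check_tool NAME VERSION LIMIT: report and fail when VERSION exceeds LIMIT.
check_tool() {
  if version_le "$2" "$3"; then echo "ok: $1 $2 <= $3"
  else echo "too new: $1 $2 > $3"; return 1; fi
}

# preflight DIR: run every check; tools that are not installed are skipped.
preflight() {
  local rc=0 kind
  kind=$(detect_build "$1"); echo "build type: $kind"
  case $kind in none|build.sh-not-executable) rc=1 ;; esac
  if [ "$kind" = cmake ] && command -v cmake >/dev/null; then
    check_tool cmake "$(cmake --version | first_version)" 3.17.3 || rc=1; fi
  if command -v gcc >/dev/null; then
    check_tool gcc "$(gcc -dumpfullversion -dumpversion)" 10.1 || rc=1; fi
  return $rc
}

if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it with the project directory as its only argument in the environment where the build will take place; a non-zero exit status means the project or toolchain falls outside the limits listed above.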

For advanced analysis settings click Show settings. For details, see General.