CodeSonar Extension for Visual Studio Code
This extension from GrammaTech provides access to static code analysis results from a CodeSonar hub inside Visual Studio Code.
VS Code is an editor; it does not ship with a built-in compiler or build tools. Before starting, make sure you have CodeSonar, build tools such as make, and a compiler such as gcc installed and available on the PATH.
Note: The instructions in this document assume a single user working on a project. Teams will need to adapt the instructions for things like Settings and Tasks when deploying this for multiple engineers.
Step 1: Create a New Project
First, we need some code to scan. Create a new folder and add a file named
Now, let's add a makefile to help us build the project. Create a file named
If you are using a compiler other than
Make Sure it all Works
We will add tasks to automate our project later, but for now, let's make sure the project builds. If you have not already done so, open a terminal from the
To build the project, type
Unfortunately, diagnosing build failures is outside the scope of this document. Many problems can be resolved by making sure tools are actually installed and the PATH environment variable is properly set.
Step 2: Run an Analysis
Now, we want to run an initial analysis. We need to create a command that will instruct CodeSonar to analyze a build and send the results to a hub. The format of the command is:
Replace the placeholders above with actual data for your environment. An example command for a first analysis:
Your command line will be different, depending on where you have CodeSonar installed, how you log in to your hub, and where you intend to store project information.
Step 3: Save that Information in Settings
We are going to store the information from the command line you just tested so we can use it later. The extension has several options, and explaining them all is beyond the scope of this document, but we will use the most important options to get started.
Open the Settings page by selecting menu File > Preferences > Settings (or
Where is CodeSonar installed
To run an analysis, you need access to a local installation of CodeSonar. Define the root of your installation in Install Dir.
Where is your hub
You need to define the URL of the hub you want to interact with. In this example, the hub is a remote server. Enter the address of your hub in Hub Address.
Define how you provide credentials
In order to interact with a hub, you usually need to provide credentials. You have to instruct the extension how to authenticate with the hub by selecting an option in Authentication Mode.
In this example, we will log in to the hub with a user name and password, so we enter a valid user name in Hub User.
Step 4: Download an Analysis
You can request the results of a scan from a hub you have login privileges on. Open the Command Palette by selecting the menu View > Command Palette... (or
You will be prompted to save the SARIF file on your local machine. You can save the file anywhere, but it can be easier to use a subdirectory in your source folder. Once saved, the file will be opened in the SARIF viewer and you can begin assessing warnings.
Step 5: Achieve Repeatable Analyses with a Task
If you want to have CodeSonar analyze your code as a VS Code Task, you can start from this one and customize to your specific needs:
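An added example of such a task (not the extension's own template) that uses VS Code's `inputs` mechanism to prompt for the analysis name and keeps the hub password out of the workspace file by pointing CodeSonar at a separate, permission-restricted password file. The install root, hub URL, user name and password-file path are placeholders, and the `codesonar analyze` flags are assumed to match the command you tested in Step 2; adjust them to that command.

```jsonc
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "CodeSonar: analyze and upload to hub",
      "type": "shell",
      // Placeholder install root: use the value you entered in Install Dir.
      "command": "/opt/codesonar/codesonar",
      "args": [
        "analyze",
        "${input:analysisName}",                   // prompted name for this analysis on the hub
        "-foreground",                             // wait for the analysis to finish in the terminal
        "-auth", "password",                       // same mode as Authentication Mode in Settings
        "-hubuser", "jdoe",                        // placeholder: the user from Hub User
        "-hubpwfile", "${env:HOME}/.codesonar-pw", // password file (chmod 600), never in the repo
        "https://hub.example.com:7340",            // placeholder: the URL from Hub Address
        "make"                                     // the build command from Step 1
      ],
      "options": { "cwd": "${workspaceFolder}" },
      "group": "build",
      "presentation": { "reveal": "always", "panel": "dedicated" },
      "problemMatcher": []
    }
  ],
  "inputs": [
    {
      "id": "analysisName",
      "type": "promptString",
      "description": "Name for this CodeSonar analysis on the hub",
      "default": "Analysis-1"
    }
  ]
}
```

Keep the password file readable only by your own account and keep both it and any user-specific tasks.json values out of version control; to skip the prompt, replace `${input:analysisName}` with a fixed name.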
Now we want to test the task. Type
in the terminal. Then, run the task by selecting the
If you used the exact task we defined in step 5, you will be prompted for an analysis name. Since we already have a baseline, let's call this Analysis-1. You can pick any naming convention you like, or skip this prompt altogether when you modify your task going forward.
This task will start a build in the terminal, and if you entered the data in the settings correctly, this should have the same result as typing the command manually. If not, check the warnings in the terminal and adjust your settings accordingly.
Once the analysis completes successfully, you can download it from the hub as we did in Step 4.
Step 6: Experiment
Now that you know the basic theory of operation, you can experiment with the settings, create your own tasks, modify the code to fix errors or introduce new ones, and apply this to a full project.
Define a Baseline Analysis
The CodeSonar extension for VS Code allows you to compare two analyses and download only newer warnings. This saves time and allows you to focus on what is important. To unlock this feature, you need to define a baseline analysis against which to compare. If you recall, we named our first analysis Baseline. We will enter that analysis name in the Baseline Analysis setting so that we won't be prompted to choose a baseline analysis when we request the new warnings.
Open the Command Palette and type
The extension will request the newer warnings in your last analysis compared with your baseline. If you did not specify a baseline in your Settings, the extension will prompt you for one.
Explore Some Additional Settings
Compress the SARIF file during download
You can save some bandwidth by requesting a SARIF file without whitespace from the hub. This file will not be as easy for a human to read, but it can reduce the size of the SARIF file by up to 50%, which can speed up downloads for large projects.