C/C++ General Questions, Response

  • How long does it take to complete the static analysis of a million lines of code?

Around 30-40 mins if it is C/C++ code, 20-30 mins for other languages

  • Can we interrupt the static analysis without an error?

Yes, there’s an Abort action available

  • Does the tool run properly when we revert a change?

It scans files in their current state (or a specific commit ID), so yes, it works

  • Are there cases that embold cannot parse source code, and as a result, cannot continue analysis? Complex macro usage can be an example.

When symbols are not resolved, it may not parse correctly. That’s why we recommend running the scan in “strict” mode for C/C++, which involves monitoring the build and using that information to run the scan. Constructs such as macros and macro expansions are supported

  • Can we suppress a found defect?

Yes, from the Embold UI

  • How deep is the scan? Is it adjustable?

Scan involves control flow and data flow analysis as well as dependency analysis. So it analyses call flows within / across modules to find potential defects, and system-wide checks which surface design anti-patterns.
The depth of the scan is not adjustable, however individual code checks can be enabled/disabled

  • When analyzing projects, is it sequential or parallel? Can different projects run in parallel?

Yes they can run in parallel on our cloud offering. In the on-premise / self-hosted offering, we offer a scanner component which runs with your build. So the amount of parallelism in that case is controlled by how many parallel builds can be run in your CI infrastructure.

  • How much does the tool’s database grow on average over time? Do we need a capacity increase at short intervals?

Stats from one of our test environments:
Repositories: 174
Snapshots: 802
LOC scanned in total: around 425 million
DB size: 50GB

So, it should be sufficient to start with a storage of about 100GB and then increase over time depending on LOC scanned

  • Is it possible to cache library results to speed analysis up?

We support incremental analysis for some languages (JAVA and C#); support for C/C++ is coming soon

  • Is the developer required to compile source code to trigger analysis on his desktop?

Embold can scan without compiling; however, in the case of C/C++ it may impact accuracy as all the symbols and headers may not be found/resolved. The recommended approach is to do a “strict mode” scan, which means using the embold-trace tool to monitor your build and running the scan after this step

  • Assuming that embold is disabled for a while (some IT infrastructure updates may cause this situation), is it possible to find the faulty git commit in the history?

If you are using pull requests, it will scan all open PRs. Otherwise, you can scan a particular commit by specifying its commit ID

  • In case the database is corrupted, what is the recovery mechanism? What is the backup period or condition?

We use Postgres DB, and backup needs to be managed externally if you use our on-prem version (we have documented steps for the same). If you use our cloud version, we manage the backup / recovery

  • Our build environment is dockerized; is the Embold desktop analysis tool also dockerized? And can we embed it in our docker image?

Embold server is available as a docker image as well. The scanner component is available as a tar file which can be plugged into your build environment if you want to scan during the build

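The answers above recommend a “strict mode” scan that watches the build because, without the build’s include paths and macro definitions, a C/C++ analyzer cannot resolve symbols and may mis-parse macro-heavy code. The following is an added illustration of what build monitoring recovers; it is not Embold’s code and says nothing about how embold-trace works internally. It assumes the build has produced a Clang-style compile_commands.json (a common way build information is captured) and uses a constructed two-file sample to show that the same macro can carry different values per translation unit, which a compile-free scan has no way to know.

```python
"""Added illustration: recovering include paths and macro definitions per
translation unit from a compilation database.  NOT Embold's code; assumes a
Clang-style compile_commands.json as the source of build information."""
import json
import shlex
from dataclasses import dataclass, field

# Constructed sample compilation database with two translation units.
# Note FEATURE_X is defined differently for each file.
SAMPLE_COMPILE_COMMANDS = json.dumps([
    {
        "directory": "/src/app",
        "command": "cc -I/src/app/include -isystem /opt/sdk/include "
                   "-DFEATURE_X=1 -DLOG_LEVEL=2 -c src/main.c -o main.o",
        "file": "src/main.c",
    },
    {
        "directory": "/src/app",
        "arguments": ["cc", "-I/src/app/include", "-DFEATURE_X=0",
                      "-c", "src/net.c", "-o", "net.o"],
        "file": "src/net.c",
    },
])


@dataclass
class TranslationUnit:
    file: str
    directory: str
    include_dirs: list = field(default_factory=list)
    defines: dict = field(default_factory=dict)


def _parse_flags(argv, tu):
    """Collect -I/-isystem include directories and -D macros from one command line."""
    i = 1  # argv[0] is the compiler itself
    while i < len(argv):
        arg = argv[i]
        # Flags may be split ("-I dir") or joined ("-Idir"); handle both forms.
        if arg in ("-I", "-isystem", "-D"):
            value = argv[i + 1] if i + 1 < len(argv) else ""
            i += 2
        elif arg.startswith(("-I", "-isystem", "-D")):
            flag = "-isystem" if arg.startswith("-isystem") else arg[:2]
            value = arg[len(flag):]
            arg = flag
            i += 1
        else:
            i += 1
            continue
        if arg == "-D":
            name, _, val = value.partition("=")
            tu.defines[name] = val or "1"  # -DFOO alone means FOO=1, as in C compilers
        else:
            tu.include_dirs.append(value)


def load_compilation_database(text):
    """Parse compile_commands.json text into {file: TranslationUnit}."""
    units = {}
    for entry in json.loads(text):
        # Entries carry either a pre-split "arguments" list or a "command" string.
        argv = entry.get("arguments") or shlex.split(entry["command"])
        tu = TranslationUnit(file=entry["file"], directory=entry["directory"])
        _parse_flags(argv, tu)
        units[tu.file] = tu
    return units


def macro_value(units, file, macro):
    """Resolve a macro for one translation unit; None if the build never defined it.

    A scan run without build information cannot answer this question, which is
    why an unresolved macro can derail parsing of the code that expands it.
    """
    tu = units.get(file)
    return None if tu is None else tu.defines.get(macro)


if __name__ == "__main__":
    db = load_compilation_database(SAMPLE_COMPILE_COMMANDS)
    for path, tu in db.items():
        print(path, "includes:", tu.include_dirs, "defines:", tu.defines)
```

Running the script prints the per-file include directories and macro table; the point is that FEATURE_X resolves to 1 in src/main.c but 0 in src/net.c, so any analysis that assumes one global definition (or none) would reason about the wrong branch of an `#if FEATURE_X` in one of the two files.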