Using Static Checkers
Let's learn about utilities that can understand program source code in order to perform static analysis.
Static program analysis is the process of checking the source code without executing the compiled program. Applying static checkers rigorously, ideally on every build, dramatically improves the quality of the code: it becomes more consistent and less bug-prone. The chance of introducing well-known classes of security vulnerabilities is reduced too, because the checkers flag the patterns that lead to them (unchecked buffer writes, format strings built from user input, use of uninitialized or already-freed memory). A clean report is not proof of absence, though: every checker has false negatives, and a noisy rule set gets ignored, so the enabled checks have to be tuned to the project.
Integrating static checkers with CMake
The C++ community has created dozens of static checkers: Astrée, Clang-Tidy, CLazy, CMetrics, Cppcheck, Cpplint, CQMetrics, ESBMC, FlawFinder, Flint, IKOS, Joern, PC-Lint, Scan-Build, Vera++, and so on.
Many of them treat CMake as the industry standard and provide out-of-the-box support (or an integration tutorial). Some build engineers don't want to go to the trouble of writing CMake code themselves, so they add static checkers by including external modules found online.
It's no wonder: the common misconception is that we'd need to jump through many hoops to get our code checked. The reason for ...
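The out-of-the-box support mentioned above needs no external module at all: CMake itself can drive clang-tidy and Cppcheck on every translation unit it compiles, through the `CXX_CLANG_TIDY` and `CXX_CPPCHECK` target properties (or the `CMAKE_CXX_CLANG_TIDY` / `CMAKE_CXX_CPPCHECK` variables for a whole project). The listing below is an added example written for this page, not code from the original page or from any of the tools listed above. The project name, the `demo` target, the `src/main.cpp` source file and the `ENABLE_STATIC_CHECKERS` option are assumptions chosen for illustration, and the particular check groups are one reasonable security-oriented selection, not a recommendation from the page.

```cmake
cmake_minimum_required(VERSION 3.10)   # CXX_CPPCHECK needs 3.10; CXX_CLANG_TIDY needs 3.6
project(StaticCheckDemo CXX)           # assumed project name

# Opt-in switch: developers can build without the checkers locally,
# while CI configures with -DENABLE_STATIC_CHECKERS=ON.
option(ENABLE_STATIC_CHECKERS "Run clang-tidy and cppcheck during the build" OFF)

add_executable(demo src/main.cpp)      # assumed target and source file

if(ENABLE_STATIC_CHECKERS)
  # find_program() yields <VAR>-NOTFOUND when a tool is absent, so the project
  # still configures on a machine without the checkers installed.
  find_program(CLANG_TIDY_EXE NAMES clang-tidy)
  find_program(CPPCHECK_EXE  NAMES cppcheck)

  if(CLANG_TIDY_EXE)
    # CMake runs "clang-tidy <args> <source> -- <compile command>" for each
    # translation unit of the target. -warnings-as-errors promotes the
    # security-relevant groups to build failures; the rest stay as warnings.
    set_target_properties(demo PROPERTIES
      CXX_CLANG_TIDY
        "${CLANG_TIDY_EXE};-checks=-*,bugprone-*,cert-*,clang-analyzer-*;-warnings-as-errors=cert-*,clang-analyzer-*")
  else()
    message(WARNING "clang-tidy not found; the demo target will not be checked with it")
  endif()

  if(CPPCHECK_EXE)
    # CMake appends the source file and the compile definitions/includes.
    # --error-exitcode=1 makes a finding fail the compile step instead of
    # scrolling past in the log; --inline-suppr honours reviewed
    # "// cppcheck-suppress <id>" comments in the source.
    set_target_properties(demo PROPERTIES
      CXX_CPPCHECK
        "${CPPCHECK_EXE};--enable=warning,performance,portability;--error-exitcode=1;--inline-suppr")
  else()
    message(WARNING "cppcheck not found; the demo target will not be checked with it")
  endif()
endif()
```

Configure and build with `cmake -S . -B build -DENABLE_STATIC_CHECKERS=ON && cmake --build build`. Two caveats matter in practice: the checkers run only for files that are actually (re)compiled, so an incremental build silently skips unchanged sources and CI should start from a clean build directory; and both tools see one translation unit at a time this way, so a whole-program pass (for example `cppcheck --project=build/compile_commands.json` with `CMAKE_EXPORT_COMPILE_COMMANDS` set to `ON`) is still worth running separately for cross-file findings.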