GROMACS security analysis
Goal
Learn how to use Codee for Static Application Security Testing (SAST) and generate a SAST report for GROMACS.
Getting started
Make sure you have Codee installed and available on your machine and clone the GROMACS repository.
git clone https://github.com/gromacs/gromacs.git
Now navigate to the source code:
cd gromacs
Walkthrough
1. Generate the compile_commands.json
The compile_commands.json can be generated with CMake. Make sure the configuration covers the complete project, so that every source file ends up in the compilation database:
cmake \
-DCMAKE_EXPORT_COMPILE_COMMANDS=ON \
-DGMX_BUILD_OWN_FFTW=ON \
-B build \
-S .
2. Run Codee SAST report
New feature
Running Codee commands with the additional --db codee.db flag enables
Incremental Static Analysis. This reduces runtime by storing analysis
results in the database and reusing them in subsequent analyses,
re-analyzing only the source code that has changed.
To obtain Codee SAST results for the CWE standard execute the following command:
codee screening --sast --db codee.db
You should obtain output similar to this:
<...>
0 file analyses reused from cache, 1780 files analyzed from scratch
1780 target files, 22040 functions, 12128 loops, 494970 SLOCs successfully analyzed (5182 checkers) and 5 non-analyzed files in 1 h 23 m 34 s
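The two walkthrough steps wrapped in a script with the checks a practitioner would add, as an added example that is not part of the Codee or GROMACS projects: it verifies that the compilation database was actually produced, runs the screening exactly as above, and reads back the cache line that Incremental Static Analysis prints so that a second run can be compared with the first. It assumes the GROMACS checkout is the working directory and that codee is on PATH.

```shell
#!/bin/sh
# Added example (not project code). Assumes the GROMACS checkout is the
# current directory and that the codee binary is on PATH.
set -eu

# Step 1: export compile_commands.json for the whole project, then check
# it is non-empty and report how many translation units it covers; a
# near-zero count means the configure step did not cover the full tree.
generate_compile_commands() {
    cmake -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DGMX_BUILD_OWN_FFTW=ON \
          -B build -S . >/dev/null
    [ -s build/compile_commands.json ] || {
        echo "build/compile_commands.json missing or empty" >&2
        return 1
    }
    grep -c '"file"' build/compile_commands.json
}

# Parse the cache-statistics line Codee prints, e.g.
#   0 file analyses reused from cache, 1780 files analyzed from scratch
# and print "<reused> <from-scratch>"; prints nothing for other lines.
cache_stats() {
    printf '%s\n' "$1" | sed -n \
        's/^\([0-9][0-9]*\) file analyses reused from cache, \([0-9][0-9]*\) files analyzed from scratch$/\1 \2/p'
}

# Step 2: run the SAST screening with the incremental database, keep the
# full log, and print the reused/from-scratch counts from the last run.
# On a second run over an unchanged tree the reused count should be
# high and the from-scratch count should be near zero.
run_sast() {
    command -v codee >/dev/null 2>&1 || {
        echo "codee not found on PATH" >&2
        return 1
    }
    codee screening --sast --db codee.db 2>&1 | tee codee-sast.log
    line=$(grep 'file analyses reused from cache' codee-sast.log | tail -n 1)
    cache_stats "$line"
}

# Usage: generate_compile_commands && run_sast
```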