
HYCOM security analysis

Goal

Learn how to use Codee for Static Application Security Testing (SAST) and generate a SAST report for HYCOM.

Getting ready

For this demonstration, we will use HYCOM, an ocean modeling system consisting of dozens of files. Start by cloning the repository:

git clone https://github.com/codee-com/codee-demos.git

Walkthrough

1. Generate the compile_commands.json

Firstly, navigate to the source code directory:

cd codee-demos/Fortran/HYCOM/src/

The project comes with a Makefile, so we can leverage the tool bear (version 3 or later) to generate the compile_commands.json file required by Codee:

bear -- make

It is as simple as prepending bear -- to the make invocation. This command will produce a compile_commands.json file with all the compiler invocations needed to build the source files.

2. Run Codee SAST report

New feature

Running codee commands with the additional --db codee.db flag enables Incremental Static Analysis. This reduces runtime by storing analysis results and reusing them in subsequent analyses, reanalyzing only the source code that has changed.

To obtain Codee SAST results for the CWE standard, execute the following command; use --compile-commands (or -p as its short form) to point to the compilation database:

Codee SAST command
codee screening --sast --compile-commands compile_commands.json --db codee.db
Codee output
Date: 2026-03-26 Codee version: 2026.1 License type: Team

Searching Incremental Static Analysis database... Enabled

Dependency processing... Done (5601 ms)

[ 1/50] mod_dimensions.F90 ... Done: new
[ 2/50] mod_xc.F90 ... Done: new
<...>
[50/50] hycom.F90 ... Done: new

SCREENING REPORT

------Number of files------
Total | C | C++ | Fortran | Other
----- | - | --- | ------- | -----
50    | 1 | 0   | 49      | 0

RANKING OF SECURITY CHECKERS

Checker | CWE                      | Priority | AutoFixes | #    | Title
------- | ------------------------ | -------- | --------- | ---- | ---------------------------------------------------------------------------------------
PWR068  | CWE628                   | P18 (L1) |           | 192  | Encapsulate procedures within modules to avoid the risks of calling implicit interfaces
PWR007  | CWE628                   | P18 (L1) | 19        | 22   | Disable the implicit declaration of variables and procedures
PWR080  | CWE908, CWE909, CWE758   | P12 (L1) |           | 39   | Conditionally initialized variables can lead to undefined behavior
PWR063  | CWE477, CWE1075, CWE1119 | P12 (L1) |           | 19   | Avoid using legacy Fortran constructs
PWR073  | CWE1108, CWE1083         | P12 (L1) |           | 7    | Transform common block into a module for better data encapsulation
PWR008  | CWE374                   | P9 (L2)  | 30        | 196  | Declare the intent for each procedure argument
PWR081  | CWE908, CWE909, CWE758   | P9 (L2)  |           | 2    | Avoid undefined behavior due to uninitialized output argument
PWR075  | CWE474, CWE1103          | P8 (L2)  |           | 20   | Avoid using compiler-specific Fortran extensions
PWR071  | CWE1102, CWE1339         | P6 (L2)  |           | 831  | Prefer real(kind=kind_value) for declaring consistent floating types
PWR082  | CWE563                   | P4 (L3)  |           | 228  | Remove unused variables
PWR001  | CWE1108                  | P4 (L3)  |           | 189  | Pass global variables as function arguments
PWR070  | CWE130                   | P4 (L3)  |           | 74   | Declare array dummy arguments as assumed-shape arrays
------- | ------------------------ | -------- | --------- | ---- | ---------------------------------------------------------------------------------------
Total   |                          |          | 49        | 1819 |

<...>

0 file analyses reused from cache, 50 files analyzed from scratch
50 target files, 251 functions, 2058 loops, 44679 SLOCs successfully analyzed (1819 checkers) and 0 non-analyzed files in 1 m 38 s

3. Run the Codee checks report focusing on a specific checker with --verbose

From the output above, we can now run the checks report with the --verbose and --check-id flags, which provides additional details about a specific checker. The output includes autofixes, if available, as well as links to the Open Catalog. For example, let's pick PWR008 for this case study and restrict the analysis to the procedure f_stat in mod_floats.F90.

Codee command
codee checks --verbose --compile-commands compile_commands.json --check-id pwr008 mod_floats.F90:f_stat --db codee.db
Codee output
Date: 2026-03-26 Codee version: 2026.1 License type: Team

Searching Incremental Static Analysis database... Enabled

Dependency processing... Done (156 ms)

[Dep] mod_dimensions.F90 ... Cached
[Dep] mod_xc.F90 ... Cached
[Dep] mod_cb_arrays.F90 ... Cached
[Dep] mod_pipe.F90 ... Cached
[1/1] mod_floats.F90 ... Cached

QUALITY CHECKS REPORT

mod_floats.F90:2607:7 [PWR008] (level: L2): Declare the intent for each procedure argument
Suggestion: Add the missing INTENT for arguments of the procedure 'f_stat':
intent in: 'ser' and 'ls'
intent out*: 'std'
intent inout*: 'amean' and 'var'
* May break compilation if literal values are used for these arguments in calls to 'f_stat'; only variables may be used
Documentation:
https://open-catalog.codee.com/Checks/PWR008
AutoFix:
codee rewrite --check-id pwr008 --in-place mod_floats.F90:f_stat --compile-commands compile_commands.json --db codee.db

OPTIMIZATION CHECKS REPORT

No actionable items were found

5 file analyses reused from cache, 0 files analyzed from scratch
1 target file, 1 function, 2 loops, 2028 SLOCs successfully analyzed (1 checker) and 0 non-analyzed files in 193 ms
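The report above distinguishes three kinds of intent, and marks the out/inout ones with an asterisk because a call site that passes a literal for such an argument stops compiling once the intent is declared. The following is an added example written for this page, not HYCOM's f_stat and not Codee's output: a stand-alone statistics routine with the same argument roles the PWR008 suggestion assigns (ser and ls read only, std always written, amean and var read and possibly left untouched), together with a small driver. The routine body, the bounds check on ls and the sample series are constructed for the example.

```fortran
! Added example: argument intents as PWR008 recommends, on a routine that
! imitates the roles of f_stat's arguments (the body is constructed).
module stats_mod
  implicit none
contains
  ! Mean, variance and standard deviation of ser(1:ls).
  ! intent(in):    the compiler rejects any assignment to ser or ls here.
  ! intent(out):   std is always defined before return.
  ! intent(inout): amean and var keep their previous values when the
  !                series is empty, so intent(out) would be wrong (an
  !                intent(out) argument is undefined on entry).
  subroutine f_stat(ser, ls, amean, var, std)
    real,    intent(in)    :: ser(16)
    integer, intent(in)    :: ls
    real,    intent(inout) :: amean, var
    real,    intent(out)   :: std
    real    :: total
    integer :: j

    ! Constructed guard: never read past the declared bound of ser.
    if (ls <= 0 .or. ls > size(ser)) then
      std = 0.0
      return
    end if

    total = 0.0
    do j = 1, ls
      total = total + ser(j)
    end do
    amean = total / real(ls)

    total = 0.0
    do j = 1, ls
      total = total + (ser(j) - amean)**2
    end do
    var = total / real(ls)
    std = sqrt(var)
  end subroutine f_stat
end module stats_mod

program demo
  use stats_mod
  implicit none
  real :: series(16), amean, var, std

  ! Constructed sample series: four valid entries, the rest unused.
  series = 0.0
  series(1:4) = [2.0, 4.0, 4.0, 4.0]
  amean = -1.0
  var   = -1.0

  call f_stat(series, 4, amean, var, std)
  print '(a,3f8.3)', 'mean var std: ', amean, var, std

  ! Empty series: std is reset, amean and var survive from the first call,
  ! which is the behaviour that requires intent(inout) on them.
  call f_stat(series, 0, amean, var, std)
  print '(a,3f8.3)', 'empty series: ', amean, var, std

  ! With the intents declared, the compiler rejects a literal actual
  ! argument for amean (intent(inout)); that is the '*' caveat in the
  ! Codee suggestion. Kept commented out so the program builds:
  ! call f_stat(series, 4, 0.0, var, std)
end program demo
```

Build with any Fortran 2003 compiler (for example gfortran -Wall demo.f90). Uncommenting the last call produces a compile-time diagnostic rather than silent corruption of a literal, which is why declaring intents is worth the call-site review the Codee report asks for.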

4. Autofix

Let's use Codee's autofix capabilities to automatically modernize the code:

Codee command
codee rewrite --check-id pwr008 --in-place mod_floats.F90:f_stat --compile-commands compile_commands.json --db codee.db
Codee output
Date: 2026-03-26 Codee version: 2026.1 License type: Team

Searching Incremental Static Analysis database... Enabled

Dependency processing... Done (158 ms)

[Dep] mod_dimensions.F90 ... Done
[Dep] mod_xc.F90 ... Done
[Dep] mod_cb_arrays.F90 ... Done
[Dep] mod_pipe.F90 ... Done
[1/1] mod_floats.F90 ... Done

Results for file '/home/user/codee-demos/Fortran/HYCOM/src/mod_floats.F90':
Successfully applied AutoFix to the procedure at 'mod_floats.F90:2607:7' [using insert argument intent]

Successfully updated /home/user/codee-demos/Fortran/HYCOM/src/mod_floats.F90

We can review the code changes to verify correctness:

diff command
git diff .
diff output
diff --git a/Fortran/HYCOM/src/mod_floats.F90 b/Fortran/HYCOM/src/mod_floats.F90
index d1d2581..4f3beee 100644
--- a/Fortran/HYCOM/src/mod_floats.F90
+++ b/Fortran/HYCOM/src/mod_floats.F90
@@ -2608,8 +2608,10 @@
implicit none
!
! --- computes mean, variance, standard deviation of data sequence
- real, dimension(16) :: ser
- integer ls
+ ! Codee: Added argument intent (2025-11-06 12:01:26)
+ real, dimension(16), intent(in) :: ser
+ ! Codee: Added argument intent (2025-11-06 12:01:26)
+ integer, intent(in) :: ls
real amean,var,std
real sum,value
integer j
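Review bot: the hunk only adds intent(in) for 'ser' and 'ls'; the context line `real amean,var,std` is unchanged, so the intent out for 'std' and the intent inout for 'amean' and 'var' that the PWR008 suggestion listed are still missing and the finding is only partially resolved. Those three were the ones starred as possibly breaking callers that pass literals, so check the call sites of f_stat and then add `real, intent(inout) :: amean, var` and `real, intent(out) :: std` by hand (or re-run the checks report to confirm what remains). Minor: the inserted comments are stamped 2025-11-06 while the run header above reports 2026-03-26, so this diff appears to come from an earlier run than the output shown.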