HYCOM security analysis
Learn how to use Codee for Static Application Security Testing (SAST) and generate a SAST report for HYCOM.
Getting ready
For this demonstration, we will use HYCOM, an ocean modeling system consisting of dozens of files. Start by cloning the repository:
git clone https://github.com/codee-com/codee-demos.git
Walkthrough
1. Generate the compile_commands.json
Firstly, navigate to the source code directory:
cd codee-demos/Fortran/HYCOM/src/
The project comes with a Makefile, so we can leverage the tool bear
(version 3 or later) to generate the compile_commands.json file required
by Codee:
bear -- make
It is as simple as prepending bear -- to the make invocation. This command
will produce a compile_commands.json file with all the compiler invocations
needed to build the source files.
2. Run Codee SAST report
To obtain Codee SAST results mapped to the CWE standard, execute the
following command; use --compile-commands (or its short form -p) to
point to the compilation database:
codee screening --sast --compile-commands compile_commands.json
Date: 2025-11-06 Codee version: 2025.4 License type: Professional
Dependency processing... Done (2590 ms)
[ 1/50] mod_dimensions.F90 ... Done
[ 2/50] mod_xc.F90 ... Done
<...>
[50/50] hycom.F90 ... Done
SCREENING REPORT
------Number of files------
Total | C C++ Fortran Other
----- | - --- ------- -----
50 | 1 0 49 0
RANKING OF SECURITY CHECKERS
Checker  CWE                       Priority  AutoFixes  #     Title
-------  ------------------------  --------  ---------  ----  ---------------------------------------------------------------------------------------
PWR075   CWE474, CWE1103           P12 (L1)             20    Avoid using compiler-specific Fortran extensions
PWR063   CWE477, CWE1075, CWE1119  P12 (L1)             19    Avoid using legacy Fortran constructs
PWR008   CWE374                    P9 (L2)   15         196   Declare the intent for each procedure argument
PWR068   CWE628                    P9 (L2)              192   Encapsulate procedures within modules to avoid the risks of calling implicit interfaces
PWR007   CWE628                    P9 (L2)   19         22    Disable the implicit declaration of variables and procedures
PWR071   CWE1102, CWE1339          P3 (L3)              831   Prefer real(kind=kind_value) for declaring consistent floating types
PWR073   CWE1108, CWE1083          P3 (L3)              5     Transform common block into a module for better data encapsulation
PWR070   CWE130                    P2 (L3)              74    Declare array dummy arguments as assumed-shape arrays
PWR001   CWE1108                   P1 (L3)              189   Pass global variables as function arguments
-------  ------------------------  --------  ---------  ----  ---------------------------------------------------------------------------------------
Total                                        34         1548
<...>
50 target files, 251 functions, 2058 loops, 44679 LOCs successfully analyzed (1548 checkers) and 0 non-analyzed files in 1 m 5 s
3. Run the Codee checks report focusing on a specific checker with --verbose
From the output above, we can now run the checks report with the --verbose
and --check-id flags enabled, which provides additional details about
a specific checker. The output includes autofixes if available, as well
as links to the Open Catalog.
For example, let's pick PWR008 for this case study and restrict the analysis
to a single procedure, using the file:procedure syntax (mod_floats.F90:f_stat):
codee checks --verbose --compile-commands compile_commands.json --check-id pwr008 mod_floats.F90:f_stat
Date: 2025-11-06 Codee version: 2025.4 License type: Professional
Dependency processing... Done (2592 ms)
[Dep] mod_dimensions.F90 ... Done
[Dep] mod_xc.F90 ... Done
[Dep] mod_cb_arrays.F90 ... Done
[Dep] mod_pipe.F90 ... Done
[1/1] mod_floats.F90 ... Done
CHECKS REPORT
mod_floats.F90:2607:7 [PWR008] (level: L2): Declare the intent for each procedure argument
Suggestion: Add the missing INTENT for arguments of the procedure 'f_stat':
intent out*: 'std'
intent inout*: 'amean' and 'var'
* May break compilation if literal values are used for these arguments in calls to 'f_stat'; only variables may be used
Documentation:
https://open-catalog.codee.com/Checks/PWR008
SUGGESTIONS
Take advantage of static incremental analysis by specifying both a database (--db) and a target source file, e.g.:
codee checks --db codee.db mod_floats.F90 --verbose --compile-commands compile_commands.json --check-id pwr008 mod_floats.F90:f_stat
1 target file, 1 function, 2 loops, 2028 LOCs successfully analyzed (1 checker) and 0 non-analyzed files in 4972 ms
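The report above distinguishes three kinds of INTENT for f_stat and warns that two of them may break compilation. The following stand-alone program, added here as an illustration and not code from HYCOM or from Codee, shows what that distinction buys you: the legacy signature lets a caller pass a literal into an argument the routine assigns, which compiles and then silently loses or corrupts the result, while the intent-annotated signature turns the same call into a compile-time error. The module and routine names (stats_demo, f_stat_legacy), the sample data, and the early-return logic that motivates INOUT for 'amean' and 'var' are assumptions made for this demo; they are not claims about how HYCOM's f_stat is written.

```fortran
! Added example, not HYCOM or Codee code. Names, data and the
! early-return design below are made up for this demonstration.
module stats_demo
  implicit none
contains

  ! Legacy style, as found before the autofix: no INTENT on any argument.
  ! The compiler cannot tell which dummies are read and which are written,
  ! so a call that passes a literal where the routine assigns (e.g. 0.0
  ! for 'std') is accepted; the result is then silently lost or, depending
  ! on the compiler, written into memory the caller never meant to change.
  subroutine f_stat_legacy(ser, ls, amean, var, std)
    real, dimension(16) :: ser
    integer ls
    real amean, var, std
    integer j
    std = 0.0
    if (ls < 1) return
    amean = 0.0
    do j = 1, ls
      amean = amean + ser(j)
    end do
    amean = amean / real(ls)
    var = 0.0
    do j = 1, ls
      var = var + (ser(j) - amean)**2
    end do
    var = var / real(ls)
    std = sqrt(var)
  end subroutine f_stat_legacy

  ! The same computation with the three intents the checks report
  ! proposes. 'ser' and 'ls' are only read. 'std' is assigned on every
  ! path, so INTENT(OUT) is correct. 'amean' and 'var' are INOUT: on an
  ! empty sequence the routine returns without touching them, and an
  ! INTENT(OUT) dummy becomes undefined on entry, which would silently
  ! discard the caller's previous values (assumption of this demo).
  subroutine f_stat(ser, ls, amean, var, std)
    real, dimension(16), intent(in) :: ser
    integer, intent(in) :: ls
    real, intent(inout) :: amean, var
    real, intent(out) :: std
    integer j
    std = 0.0
    if (ls < 1) return
    amean = 0.0
    do j = 1, ls
      amean = amean + ser(j)
    end do
    amean = amean / real(ls)
    var = 0.0
    do j = 1, ls
      var = var + (ser(j) - amean)**2
    end do
    var = var / real(ls)
    std = sqrt(var)
  end subroutine f_stat
end module stats_demo

program pwr008_demo
  use stats_demo
  implicit none
  real, dimension(16) :: ser = 0.0
  real :: amean = -1.0, var = -1.0, std = -1.0

  ! Constructed sample: mean 4.0, variance 2.0, standard deviation sqrt(2).
  ser(1:4) = [2.0, 4.0, 4.0, 6.0]
  call f_stat_legacy(ser, 4, amean, var, std)
  print '(a, 3f10.4)', 'legacy ls=4: mean, var, std = ', amean, var, std
  call f_stat(ser, 4, amean, var, std)
  print '(a, 3f10.4)', 'intent ls=4: mean, var, std = ', amean, var, std

  ! Empty sequence: 'amean' and 'var' keep 4.0 and 2.0 (INOUT), while
  ! 'std' is reset to 0.0 (OUT, assigned before the early return).
  call f_stat(ser, 0, amean, var, std)
  print '(a, 3f10.4)', 'intent ls=0: mean, var, std = ', amean, var, std

  ! The "*" caveat from the checks report. The first call compiles against
  ! the legacy signature and has undefined behaviour at run time; the
  ! second is rejected by gfortran at compile time because a literal is
  ! not a variable and 'std' is INTENT(OUT). Uncomment either to try it:
  ! call f_stat_legacy(ser, 4, amean, var, 0.0)
  ! call f_stat(ser, 4, amean, var, 0.0)
end program pwr008_demo
```

Build with gfortran and run; the two ls=4 lines print 4.0000, 2.0000, 1.4142. The practical consequence for the autofix step is the one the report's asterisk points at: intent(in) can be inserted blindly, but before adding intent(out) or intent(inout) every call site has to be checked for literal or constant actual arguments, since those become compile errors rather than silent defects.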
4. Autofix
Let's use Codee's autofix capabilities to automatically modernize the code:
codee rewrite --check-id pwr008 --in-place mod_floats.F90:f_stat --compile-commands compile_commands.json
Date: 2025-11-06 Codee version: 2025.4 License type: Professional
Dependency processing... Done (2598 ms)
[Dep] mod_dimensions.F90 ... Done
[Dep] mod_xc.F90 ... Done
[Dep] mod_cb_arrays.F90 ... Done
[Dep] mod_pipe.F90 ... Done
[1/1] mod_floats.F90 ... Done
Results for file 'mod_floats.F90':
Could not apply AutoFix to the procedure at 'mod_floats.F90:2607:7' [using insert argument intent]
None of the provided procedures for file 'mod_floats.F90' are suitable to rewrite using argument intent insertion. As a matter of fact, no opportunities were found in this file.
We can review the code changes with git to verify correctness. The diff shows intent(in) inserted for 'ser' and 'ls' only; 'amean', 'var' and 'std', which the checks report flagged with *, are left as they were and still need a manual intent declaration once the call sites of f_stat have been checked for literal arguments:
git diff .
diff --git a/Fortran/HYCOM/src/mod_floats.F90 b/Fortran/HYCOM/src/mod_floats.F90
index d1d2581..4f3beee 100644
--- a/Fortran/HYCOM/src/mod_floats.F90
+++ b/Fortran/HYCOM/src/mod_floats.F90
@@ -2608,8 +2608,10 @@
implicit none
!
! --- computes mean, variance, standard deviation of data sequence
- real, dimension(16) :: ser
- integer ls
+ ! Codee: Added argument intent (2025-11-06 12:01:26)
+ real, dimension(16), intent(in) :: ser
+ ! Codee: Added argument intent (2025-11-06 12:01:26)
+ integer, intent(in) :: ls
real amean,var,std
real sum,value
integer j
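Review bot: the hunk adds intent(in) to 'ser' and 'ls' but leaves `real amean,var,std` without any intent, although the checks report for this same procedure proposed intent(out) for 'std' and intent(inout) for 'amean' and 'var'; those three are the ones that actually enforce a write contract, so add them by hand after confirming that no call site of f_stat passes a literal or constant for them (an INTENT(OUT)/INTENT(INOUT) dummy rejects such actual arguments at compile time, which is the '*' caveat in the report). Two smaller points: the rewrite output just above says "Could not apply AutoFix to the procedure at 'mod_floats.F90:2607:7'", so confirm which run produced this diff before committing it; and the hunk starts at line 2608, one past the subroutine header at 2607, so the argument list the new intents refer to is not visible here and should be checked against the declarations. The timestamped `! Codee: Added argument intent (2025-11-06 12:01:26)` comments carry nothing that git history does not and can be dropped before the commit.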