DATASHEET

DATASHEET NEW CODESONAR EDITIONS

“CodeSonar helps us to achieve the safety and security that we need efficiently,
allowing engineers to spend more time developing new and innovative features
for our customers.” –Stoneridge, Inc.

Accelerate Application Security

Software teams are under constant pressure to staff their teams and deliver more content with higher
complexity, in shorter timeframes, with increased quality and security. Static Application Security Testing is
a proven best practice to help software teams deliver the best code in the shortest timeframe. CodeSecure
has been a leader in this field for over 15 years with CodeSonar delivering multi-language SAST
capabilities for enterprises where software quality and software security matter.

DevSecOps – Speed and Scale. Software developers need rapid feedback on security vulnerabilities in
their code. CodeSonar can be integrated into distributed software development environments, works
unobtrusively to the developer, and provides rapid feedback, with cloud options for analysis in the
cloud.
Language Support. CodeSonar supports many popular languages, including C/C++, Java, C# and
Android, as well as support for native binaries in Intel, ARM, and PowerPC instruction set architectures.
CodeSonar also supports OASIS SARIF, for exchange of information with other tools in the
DevSecOps environment.
Reporting. CodeSonar provides built-in reports for security standards such as OWASP and SANS Top
25.CodeSonar also includes a custom report builder for the development of specific reports your
organization can use to develop a better understanding of the quality and security of your software
projects.
Security – Depth. CodeSecure SAST tools use the concept of abstract interpretation to statically
Examine all the paths through the application, understand the values of variables and how they impact
Program state by exposing vulnerabilities, and offers hybrid cloud options in response to digital
business
Initiatives and geographically dispersed teams.

•Buffer over-and underruns •Copy-paste error

•Memory leak •Dangerous function
•Cast and conversion •Concurrency
problems •Unused parameter /
•Tainted data value
•Command injection •Ignored return value
•Null pointer dereference and hundreds more

Security. Broad coverage of security vulnerabilities, including OWASP Top10, SANS/CWE 25. Support
for third-party applications through byte code analysis.
Quality. Integration into DevSecOpsto improves the quality of the code and developer efficiency. Find
code quality and performance issues at speed.
Privacy. Checkers that detect performance impacts such as unnecessary tests for nullness, creation of
redundant objects, or superfluous memory writes.

U.S. Sales: 888-695-2668

International Sales: +1-607-273-7340
Email: [email protected] ©2023
Team Support Built In
CodeSonaris designed to support large teams. Defects are persistent and tracked across builds, even
if code changes. They can be annotated, ranked, assigned, searched for, and compared. Support for
many team-tools is provided out of the box.

Project Orchestration & Business

Repositories IDEs Containers
Management Automation Intelligence

Use Cases
Enterprise customers are developing in many languages in their internal applications, either in-
house built or built by a third party. Static analysis is needed to to improve security and quality to
drive business continuity.
Mobile and Client customers are on end-points, sometimes in an internet-of-things deployment, or
to
provide information to mobile users. Security is critical due to the diverse environment, privacy is
top-of-mind as well.
Web Apps drive dynamic content for websites and web-based applications. In a hostile
environment tainted data analysis is crucial to assist developers to understand where their
applications may be vulnerable.
Embedded application development has seen tremendous growth in the software component of
devices, including a greater reliance on connectivity for control and monitoring. This has increased
the pressure on organizations to add static application security testing alongside quality testing in
order to ensure reliable and secure operation of their embedded platforms.

Built-In DevSecOpsIntegration
CodeSonarenables the shift to DevSecOpsby integrating with the most popular CI tools such as GitLab,
GitHub, Jenkins and others, and offers hybrid cloud options in response to digital business initiatives
and geographically dispersed teams. Managers can report on the application security state with their
preferred reporting tool. Developers can view and remediate security issues and quality defects within
their familiar CI/CD environments, and access more detailed information from CodeSonarwith a single
mouse click.

U.S. Sales: 888-695-2668

International Sales: +1-607-273-7340
©2023
Email: [email protected]
Code Understanding: Finding problems is not sufficient, the developer needs to understand the
problems that have been uncovered. CodeSonar provides comprehensive code understanding
capabilities, helping developers understand and fix issues rapidly.

Textual Descriptions. Easy, clear textual

descriptions describe what the problem is.
Path Visualization. Shaded background and
annotations explain the defect path.
Call Tree Visualization. To understand how a
function fits in the larger application.

Metrics and Trends. CodeSonar allows graphing of complexity and quality trends over time to give the
management teams the information they need. Data can be visualized and interactively explored inside
of the CodeSonar user interface, or programmatically exported via SARIF and/or XML to be used in third
party dashboarding applications.
Scalability. CodeSonar is ultimately scalable. It can do quick scans on subsets of the code on
developers’ desktops, as well as deep and exhaustive checks including concurrency analysis during
regression testing and anything in between. It supports incremental builds and analysis and can use
highly parallel and distributed compute farms and CodeSecure Cloud resource for work offloading.
CodeSonar can adjust to your software development environment and process.
Dashboarding. An advanced, interactive dashboard plug-in allows managers and security analysts to
understand current status and track progress, whether the analysis is hosted on-premises or within the
CodeScure Cloud.

Metrics
Dashboards

Process integration. CodeSonar is flexible and can provide output in a variety of different formats such
as PDF, XML, CSV and SARIF for easy integration in your process.

The CodeSecure Difference

Accurate Analysis. CodeSonar’s highly advanced analysis engine can provide fast analysis of the
largest codebases and empower developers to pinpoint defects with greater precision.
Functional Safety. Static analysis is an important technology for developing software that needs to
achieve high levels of functional safety. CodeSonaris pre-qualified for the highest levels of safety for
the IEC 61508, ISO 26262, and CENELEC EN 50128 standards. Artifacts for qualification according to
DO 178C / DO-330 are also available.
Analyze Third-Party Code. CodeSonarfor Java and C# analyzes bytecode and then reflects these
warnings back into your source code. This allows the analysis of both your own code as well as third-
party applications where source code may not be available.

U.S. Sales: 888-695-2668

International Sales: +1-607-273-7340 ©2023
Email: [email protected]
CodeSonar C/C++
Compiler Model Support
•ARM Real View •Freescale CodeWarrior •IAR • Renasas
• Borland •Green Hills • Intel •SHARC, TigerSHARC, Blackfin
• Clang •Gnu • Microsoft • TASKING
• CodeVision • Keil • MPLAB •Texas Instruments
• Cosmic • Hi-Tech •QNX •Wind River

Functional Safety
•Pre-qualified for the highest levels of safety for the IEC 61508, ISO 26262 and CENELEC EN 50128 standards.
•Artifacts for qualification according to DO-178C / DO-330 are also available.

Safety and Security Standards Support

• Safety Critical : MISRA-C and MISRA-C++, AUTOSAR C++-14, JSF++
• Security : CERT, DISA STIG, OWASP, CWE

CodeSonarJava and C#
Warning Classes
CodeSonarincludes a complete range of checkers for security, quality, efficiency and style, some examples:
Security Quality
• Injections • Cookies • Nullness • DeadCode
• Cryptography • Passwords • Approximation • BadEq
• External Entity Reference • LDAP • CloseResource • EqualsHashCode

Frameworks Supported
• Java: Apache-CXF, AspectJ, EJB, JAX-RS, JAX-WS, JPA, JSP, Jersey, RESTeasy, RESTlet, Servlet,
Spring, Android
• C#: Unity, WebForms, WindowsForms, MVC

IDE Support
• Eclipse
• Microsoft Visual Studio
• Microsoft Visual Studio Code

System Requirements

• Host: Windows, Linux, FreeBSD, NetBSD

• Hardware: 2+ Cores, 2+GB of RAM, 15+GB of disk
• Compilers: Supports most popular and embedded compilers
• Languages: C/C++, Java, C#, Binaries
• Output: SARIF, XML, CSV, PDF, HTML

U.S. Sales: 888-695-2668

International Sales: +1-607-273-7340 ©2023
Email: [email protected]