Visual Studio Code IDE


Whilst Codesonar does not currently provide a plug-in for Microsoft Visual Studio Code (VSCode), it is possible to approximate similar behaviour by configuring a new Task in VSCode to manually execute the codesonar analysis, and adding the Microsoft SARIF Viewer plugin to VSCode allows those results to be reviewed in the IDE.

Setting up

Firstly, follow the steps at:

To install the Microsoft SARIF Viewer plugin into VSCode.

Next configure a VSCode Task to execute the codesonar analysis and retrieve the warnings as a SARIF formatted file. At the above page, the specific instructions to follow are under the “Custom Tasks” section, but briefly, from within VSCode, select Terminal -> “Configure Tasks …” . This will pop up a file in VSCode called tasks.json with some default content in it.  Alter the content of tasks.json in to something similar to this:


Here we've create a new task that will be called “Codesonar analyze” that will execute a batch file

In this example, the above path C:\\Users\\rdaulton\\CODESONAR\\DEMO represents the location of the sample codebase being worked on.

Next, create C:\\Users\\%username%\\CODESONAR\\DEMO\vsCodeAnalyzeTask.bat. As an example:

set DIR="C:\Users\%username%\CODESONAR\DEMO"
set NMAKE="c:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x86\nmake"
set CS="c:\Program Files\GrammaTech\CodeSonar6.2p2\codesonar\bin\codesonar"
set HUB=""
cd %DIR%
%NMAKE% clean
%CS% analyze %PROJECT% -foreground %HUB% %NMAKE%
%CS% --hub %HUB% --project-file %DIR%/%PROJECT%.prj --sarif -o warnings.sarif

The first 5 lines set up some key variables used in the script:

  • DIR: Where the sample codebase build command is
  • NMAKE: The build command to execute
  • CS: The full path to the Codesonar executable
  • PROJECT: The codesonar project
  • HUB: The <host>:<port> address of your pre existing and running Codesonar hub

The next line:

$NMAKE% clean

Does a clean of all output files for this build. Of course, if youre interested in producing Codesonar incremental results, this step won't be required. The following line:

%CS% analyze %PROJECT% -foreground %HUB% %NMAKE%

Invokes Codesonar to perform the analysis. Note the -foreground argument. This is required in this case to make sure the analysis completes before the next script step, as Codesonar otherwise performs the analysis as a background task meaning the script would proceed onto the attempt to retrieve the analysis results before they are available.

The final step invokes codesonar again to retrieve the warnings for the analysis just completed, as a SARIF file.  There is an extensive HTTP API for querying the codesonar hub as well as “codesonar”, which also has other arguments available for retrieving warnings. Just search in your codesonar manual for either term for more information.

Trying it out

To build your code in Vscode, select Terminal ->”Run Task”:


The given label should appear as a selected option, “Codesonar analyze” in this case:


Select it to execute the build script vsCodeAnalyzeTask.bat. If all goes well, you should see a window open at the bottom of the VSCode IDE showing the output of the executing script:


Once successfully completed, you can close the output window. The result of the script should be you equivalent of C:\Users\%username%\CODESONAR\DEMO\warnings.sarif. From VSCode select File -> “Open File …” and open warnings.sarif. That’s it! You should now see a SARIF results panel in the IDE. There are a number of ways of viewing the warnings in this panel, or alternatively, in the tabs showing opened source files, for those that contain detected codesonar warnings, hover over lines of code underlined with a squiggly line to see a warning commentary popup or click the line to jump to its detail in the SARIF panel:


Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.

Articles in this section

GrammaTech Resource Library
Welcome to GrammaTech's resource library. Here you will find useful information about software development in the IoT era, where devices must not only function with impeccable quality and safety but also remain resilient to cyber attacks.
Shift Left Academy
Shift Left Academy is an educational resource to help implement a security first approach. Shift Left focuses on finding and preventing defects and security vulnerabilities early in the software development process
Posts by topic including static analysis, software assurance, and binary analysis