Statick: A static analysis framework

I would like to announce the release of Statick. Statick is a plugin-based system to combine the results from a variety of static analysis and linting tools. Statick was developed by the U.S. Navy at the robotics branch of SSC Pacific and has been dedicated to the public domain.

The main benefits of Statick are:

  • manage flags for each tool in simple configuration files
  • provides support for multiple levels of testing
  • provides consistent output of results from various tools
  • configurable settings to suppress false positives
  • ignore specific files or file patterns

Source code for Statick is available at https://github.com/sscpac/statick. Experimental support for installing Statick via pip is also available (but more testing is being done to learn how to release to PyPI properly).

Plugins can be written for discovering file types and for running tools against appropriate files. The plugin system means that third parties can run their own plugins for file discovery and tools. Of course, the developers welcome additions of plugins to the main repository via pull requests.

The core of Statick is ROS agnostic and can be used for pure Python-based code and for pure CMake-based code. However, the Statick tools do know how to build ROS 1 and ROS 2 packages or entire workspaces. Examples are shown in the repository.

The Users Guide describes how to integrate Statick with the Warnings plugin of Jenkins. I have started using Statick as part of Travis builds for an example ROS package repository. The lines to use Statick are in the .travis.yml file.

We welcome feedback, bug reports, feature requests, and pull requests through the main repository.

More information is available in the README and Users Guide.


Congratulations on the release! This seems to be interesting and useful work, indeed.

Take this as me being curious, and not necessarily criticism, but this seems very similar (in concept, at least) to existing tools, such as Haros (https://github.com/git-afsantos/haros), although Statick seems more user-friendly in terms of, e.g., integration with Jenkins. Is there anything substantially different that I might have skipped over? Are there any major goals on the roadmap?

Thanks! We hope it is useful work.

I have not had a chance to look at Haros too much (although it has been on my todo list for a while). From brief glances it appears that there is a lot of overlap. If anything I say about Haros is inaccurate please correct me. It looks like Haros provides much more introspection into ROS aspects of source code. Haros also has a web interface that looks very nice.

Statick can easily be run from the command line so it integrates well with local development and continuous integration such as Jenkins and Travis. Statick supports setting flags for each tool and collecting those flags to make a level. Each package in a workspace can be configured to be tested at a different level (or all of them can be tested at the same level). Suppressing false positives (globally or per file) is easy to do with Statick.

There are some efforts underway to test ROS and ROS2 source code for security issues (using the sei_cert level) and provide feedback to OSRF about the findings. We would like to turn the report feature into a plugin so that different types of reports could be generated (right now they are XML based so that Jenkins can use them). We are probably going to support testing web files soon (html, js, css). We always like adding support for new tools.
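As an added illustration of the per-tool flags, levels, per-package levels and false-positive suppressions described above (a constructed example, not taken from the Statick repository or this thread; the key names follow my recollection of Statick's config.yaml, profile.yaml and exceptions.yaml and are assumptions to check against the project's README before use):

```yaml
# config.yaml (assumed key names): flags per tool, grouped into named levels
levels:
  threshold:
    tool:
      cppcheck:
        flags: "--enable=warning,style"
      pylint:
        flags: "--disable=C0103"
  sei_cert:
    inherits_from: "threshold"            # start from threshold, then tighten
    tool:
      cppcheck:
        flags: "--enable=all --inconclusive"   # stricter than the threshold level
      flawfinder:
        flags: "--minlevel=1"             # report even low-risk findings
---
# profile.yaml (assumed key names): each package gets the default level unless listed
default: threshold
packages:
  my_ros_driver: sei_cert               # hypothetical package held to the security level
---
# exceptions.yaml (assumed key names): suppress false positives globally or per package
global:
  exceptions:
    file:
      - tools: all
        globs: ["*/generated/*", "*.pb.cc"]   # never report generated sources
    message_regex:
      - tools: cppcheck
        regex: "missingIncludeSystem"         # known noise when system headers are absent
packages:
  my_ros_driver:
    exceptions:
      file:
        - tools: pylint
          globs: ["*/test/*"]               # pylint noise in this package's test fixtures only
```

The three documents are separated with `---` only so they fit in one block; in a real setup each would be its own file in the user configuration directory.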

Thanks for the clarification!

Indeed, there is a lot of overlap, but I also see some room for both tools to evolve and stay distinct. Especially if you pursue security issues, which is something that is not being done in Haros at any level.

You are correct in that Haros is now becoming more focused on ROS-specific analyses, and I believe it will stay that way in the near future.