Cobra
Developed by Gerard Holzmann, a computer scientist and researcher at Bell Labs and NASA, Cobra is a static analysis tool that works well for large code bases. Cobra provides software developers, peer reviewers, testers, and quality assurance personnel with a tool that facilitates searching for patterns in source code to confirm compliance with rulesets, which are typically conformance checks for coding guidelines and standards.
Cobra first performs a lexical analysis of source code to generate a stream of language-level tokens, storing the information in a simple data structure. Using a token-level approach is fast and allows Cobra to scale up to very large code bases, where using static analyzers that perform a full parse of the source code would be impractical. Cobra then applies a rule set across the data structure to search for patterns in the code that indicate flaws or issues, such as violations of coding rules. Cobra is able to evaluate code according to the following rule sets:
AUTOSAR C++ 14 (subset)
Cobra can be used in one of three modes:
Interactive – Cobra can be used interactively to load the token-based representation of a complete code base and query patterns in the code using a simple query language
Program-based – Cobra can execute programs that can contain arbitrary branching and iteration over the token stream to identify more complex types of patterns
Toolkit – Cobra can be used as an infrastructure for building more elaborate standalone checkers that are compiled separately and linked with the Cobra code that builds the central data structure
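To illustrate the token-level approach described above, here is an added Python example; it is not Cobra's code or query language and not part of Space ROS. It lexes C/C++ source into a flat token list and runs two hypothetical checks over it (use of goto, and a for or if whose body is a lone semicolon); the function names, the checks and the sample input are assumptions made for this illustration.

```python
import re

# Comments and strings are matched first so keywords inside them are skipped.
TOKEN_RE = re.compile(r"""
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')
  | (?P<ident>[A-Za-z_]\w*)
  | (?P<number>\d[\w.]*)
  | (?P<punct>[^\s\w])
""", re.VERBOSE | re.DOTALL)

def tokenize(source):
    """Flat list of (kind, text, line) tuples with comments dropped."""
    return [(m.lastgroup, m.group(), source.count("\n", 0, m.start()) + 1)
            for m in TOKEN_RE.finditer(source) if m.lastgroup != "comment"]

def link_parens(tokens):
    """Map the index of each '(' token to the index of its matching ')'."""
    stack, match = [], {}
    for i, (kind, text, _) in enumerate(tokens):
        if (kind, text) == ("punct", "("):
            stack.append(i)
        elif (kind, text) == ("punct", ")") and stack:
            match[stack.pop()] = i
    return match

def find_violations(source):
    """Flag `goto` and any `for`/`if` whose whole body is a lone ';'."""
    tokens = tokenize(source)
    match, hits = link_parens(tokens), []
    for i, (kind, text, line) in enumerate(tokens):
        if (kind, text) == ("ident", "goto"):
            hits.append((line, "goto used"))
        elif kind == "ident" and text in ("for", "if") and i + 1 in match:
            after = match[i + 1] + 1  # first token past the closing ')'
            if after < len(tokens) and tokens[after][:2] == ("punct", ";"):
                hits.append((line, f"empty body after '{text}'"))
    return hits

# Constructed sample input, not taken from any real code base.
SAMPLE = '''int scan(int n) {
    // goto is only mentioned in this comment
    const char *msg = "if (x) ;";
    for (int i = 0; i < f(n); i++);
    if (n == 0)
        ;
    goto done;
done: return n;
}'''
```

Calling find_violations(SAMPLE) reports lines 4, 5 and 7; the goto in the comment on line 2 and the "if (x) ;" inside the string on line 3 are not reported, which a plain text search would get wrong.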
How is Cobra used in Space ROS?
The Space ROS Docker image incorporates the cobra command-line tool via the cobra_vendor package.
In addition, there is a Python-based wrapper tool, ament_cobra, that is used to integrate Cobra into the ament-based build and test system.
Space ROS adds cobra to the common set of linters used by most of the Space ROS core by including it in its forked version of ament_lint_common.
Then, when building and executing tests for Space ROS, along with the other source code analysis tools, ament_cobra is invoked to analyze the code using the AUTOSAR C++ 14 ruleset.
For more detailed information about how to use Cobra when developing code for Space ROS, see the Using the Cobra Static Analyzer How-To Guide.
Additional resources
If you are interested in learning more about Cobra, there are several resources available:
Move Fast and Fix Things - Slides from the keynote presentation at SMC-IT, July 31, 2019
Interactive Code Checking with Cobra - A Cobra Version 3.0 tutorial covering the use of pattern expressions, query commands, inline programs, and the construction of standalone checkers linked with the Cobra front-end
Cobra: Fast Structural Code Checking - A presentation from 2017 that introduces the tool