Deliver C and C++ software that’s robust, reliable, and secure
https://youtu.be/_9rnFSec7-s
Parasoft C/C++test is a unified, fully-integrated testing solution that helps users identify defects earlier in the development process. Parasoft C/C++test is the best tool on the market for reducing the burden of achieving compliance with security, functional safety, and coding standards such as MISRA, CERT, ISO 26262, DO-178B/C, IEC 61508, IEC 62304, and AUTOSAR.
Capabilities
Static Analysis
https://youtu.be/IupqJgtO234
The Most Comprehensive Static Code Analysis Tool for Developing C and C++ Software
Parasoft C/C++test uses the most comprehensive set of static analysis techniques (pattern-based analysis, dataflow analysis, metrics, and more), verifying code quality with the largest number of checkers in the industry, and providing actionable workflows to help the team prioritize findings. Parasoft C/C++test’s static code analyzer provides the most complete coverage for security standards, functional safety standards, and other industry-specific coding standards.
Parasoft C/C++test uses a state-of-the-art C/C++ code parsing engine to analyze and understand the code under test, then applies checkers to find problems and violations in the code. Over 2500 different rules are shipped with the C/C++test tool, covering general best practices (Effective C++, Modern C++), industry standards (AUTOSAR, MISRA, JSF, CERT, CWE), and specialized bug-finders (e.g. null pointer dereference, division by zero, memory leaks, and more). The rules are grouped into predefined configurations, allowing users to quickly configure the analysis.
Static analysis can be performed either in the IDE (Eclipse, Visual Studio) or in the command-line interface (for automation/continuous integration scenarios). The results of the analysis can be accessed immediately (in the IDE, or with HTML/PDF/XML reports) or aggregated for further post-processing, reporting, and analytics. Parasoft’s Process Intelligence Engine seamlessly integrates with other components of the development environment (e.g. source control management system or requirements management system) to help users effectively manage development efforts. Users can, for example, view static analysis results only from the code that has changed between two different builds, or view coverage results achieved on only modified code.
To make static analysis and unit testing more maintainable, Parasoft helps users manage results of testing, including prioritizing findings, suppressing unwanted findings, assigning findings to developers, and much more. Customizing the views of these results helps teams focus on the warnings with the highest risk.
Parasoft C/C++test’s static code analyzer shines in a functional-safety development process, certified by TÜV SÜD to comply with ISO 26262 and IEC 61508, and providing a multi-standard Qualification Kit (ISO 26262, IEC 61508, DO 178B/C) with extra automation to help users manage the burden of compliance documentation.
Features
Static analysis to detect runtime problems without executing code
- Parasoft C/C++test detects complex runtime-like problems early in the development stage – without the need to execute costly runtime tests. C/C++test analyzes the execution paths through the code, and finds possible issues (e.g. null pointer dereferencing, division by zero, memory leaks) and security vulnerabilities (e.g. tainted data, buffer overflows, command injection, SQL injection).
Code compliance with industry standards
- C/C++test provides a set of built-in checkers (rules) for verifying compliance with standards like MISRA C 2012, MISRA C++ 2008, JSF AV C++, SEI CERT C/C++, AUTOSAR C++14, HIC++ and more. Such analysis is recommended/required for regulated industries (automotive, medical, aviation etc.), functional safety development (with standards like ISO 26262, IEC 61508 or DO-178C), and security (SEI CERT C/C++, CWE, OWASP). Parasoft Compliance Packs provide users with industry-specific configurations, along with dynamic compliance reporting dashboards, to help stakeholders easily understand progress.
Ability to easily create checkers for custom coding standards
- C/C++test helps users verify company-specific or team-specific guidelines and coding standards with its specialized editor for creating custom rules (checkers), enabling users to extend (or replace) built-in rules provided with C/C++test, without writing any scripts.
Collection of source code metrics
- Code metrics, collected during static analysis, provide further insight into code quality. These metrics are collected and analyzed on a per-unit, per-build level of granularity. Teams can use this information to assess high-risk code that is too complex, for example, as candidates for better testing or refactoring.
Centralized reporting and analytics
- Results from C/C++test’s analyses can be viewed in Parasoft’s dynamic reporting dashboard, enabling automated post-processing and advanced reporting using historical data. It’s easy to see static analysis results across builds over time, even when working with large codebases and legacy code where visibility into the code is typically challenging, so you can quickly focus on the quality of the newly-added code.
- With widgets that automatically track compliance with a given coding standard, users get a dynamic view into the compliance process, and can easily produce automatic reports for code audits.
Qualification kits for safety-critical software development
- Along with being independently certified for use in safety-critical projects by TÜV SÜD, Parasoft also provides Qualification Kits that go way beyond simple documentation to dramatically reduce the amount of time and effort required for achieving tool qualification for standards like ISO 26262, DO 178 B/C, IEC 61508, and EN 50128.
- A unified testing solution means only one vendor to deal with. Parasoft’s qualification kits provide a certifiable and qualifiable test tool suite, taking the risk out of safety-critical testing and qualification, while saving time by only having to qualify a single solution for multiple testing practices.
Benefit from the Parasoft Approach
Unified C/C++ Tooling
Parasoft C/C++test users benefit from an integrated approach to software development, with a combination of testing techniques (e.g. runtime analysis, unit testing, code coverage). Users don’t have to combine tools and vendors to gain a complete code quality solution, and for compliance efforts, tool qualification is simplified by only having to qualify one tool.
Smart Analytics
Parasoft C/C++test’s reporting and analytics dashboard enables users to benefit from Parasoft’s award-winning Process Intelligence Engine, which provides business intelligence about the current state of the product, indicators about areas of risk in the code, and the ability to pinpoint and focus on key areas in the product.
Support for Functional Safety
In addition to 2500+ static analysis rules that include better coverage for coding standards than any other vendor, Parasoft provides Qualification Kits and functional safety certifications, making Parasoft C/C++test the perfect fit for functional-safety development. Static analysis rule configurations are available out-of-the-box for safety and security standards.
Unit Testing
https://youtu.be/IymRuV18-F0
Unit Testing on Host and Target for C and C++ Applications
With Parasoft C/C++test’s complete framework for unit testing, developers get everything they need to create, execute, and maintain tests. Integrating with leading IDEs, Parasoft C/C++test’s unit testing features include multi-metric code coverage analysis, a powerful stubbing/mocking framework, and automated cross-platform execution. These features are easy to use, reduce the burden of implementing unit testing, and improve developers’ productivity.
With a combination of convenient graphical editors and views, Parasoft C/C++test is used by developers who want to quickly build and execute their test cases, and testers, who benefit from its graphical editors.
Unit testing modules in Parasoft C/C++test include the Test Case Explorer, Test Case Editor, Stubs View, and Coverage View, which come together to simplify unit test creation and results analysis. Users can quickly discover untested code, locate unsatisfied stub call expectations, or find failed assertions, and corrections can be made right away from the views in which the problem was located.
Users optimize their testing efforts by analyzing merged coverage results (from previous tests, build-by-build) that present data generated from system and unit level testing, and the Coverage View can be synchronized with the Test Case Explorer to present filtered data for any arbitrary selection of test cases.
Suitable for use in large organizations as well as in small teams, users can either review their work directly in the IDE, or aggregate team-wide testing efforts for further post-processing, reporting, and advanced analytics through Parasoft’s web interface. From there, teams can generate interactive reports with traceability between requirements, source, and test cases.
Features
An Easy-to-Use Stubbing and Mocking Framework
- Unit testing is easier and more productive when used together with a stubbing/mocking framework. Parasoft C/C++test provides a powerful module for automatically creating stubs and mocks, which can help in fault injection testing, reduce dependencies of the tested code, or simply stub out not-yet-implemented source code. Stub/mock logic is efficiently implemented using dedicated graphical editors or by typing code.
- The C/C++test stubbing framework does not require any special code design to apply stubs (e.g. virtual functions) and is supported for all compilers, including cross-compilers.
Integrated Code Coverage
- Comprehensive code coverage reports automatically provide information about the thoroughness of the unit testing process (and are required to achieve compliance with functional-safety standards). Parasoft C/C++test supports all important types of code coverage, including statement, branch, and MC/DC coverage types.
- Dedicated coverage views are closely integrated with the source code editor and Test Case Explorer, allowing developers to quickly understand coverage gaps and focus their effort based on areas of risk. Merging coverage results from different testing sessions (including from system-level testing) enables teams to focus their testing to untested code and tests impacted by recent code changes, thus reducing the amount of time spent on testing.
An Intuitive Interface
- Parasoft C/C++test makes unit testing easier by simplifying the process of test case creation. With its easy-to-understand GUI, Parasoft C/C++test reduces technical barriers, allowing testers or QA staff, who don’t necessarily have deep development skills, to create unit tests.
- Users can easily build advanced test scenarios by defining a collection of steps responsible for various elements of test scenario implementation, such as parameters initialization, stubs configuration, or assertions validation. Users with large test vectors recorded during a model simulation phase or during real-world experiments, can easily connect those data sources to parameterized test cases, which fetch test inputs and outputs directly from csv files or XLS spreadsheets.
- Developers who prefer to create test cases and stubs by writing the source code instead of using graphical interface can use C/C++test’s powerful APIs to define test cases logic and behavior of isolated components.
Cross-Platform and Embedded Testing
- Parasoft C/C++test can be used to execute unit tests on the host platform, target processor simulator, or on the embedded target. Optimized to take minimal additional overhead for the binary footprint or process cycles, Parasoft C/C++test’s test harness is provided in the form of source code, and can be customized if platform-specific modifications are required.
- Dedicated integrations with embedded IDEs and debuggers make the process of executing unit test cases smooth and automated. Supported environments include Green Hills Multi, Wind River Workbench, IAR EW, ARM MDK, ARM DS-5, TI CCS, and many others.
Safety-Critical Application Development
- Parasoft C/C++test’s unit testing framework was designed with safety-critical software testing in mind. Stubs and test cases with values for tested software simulation can be edited with graphical editors, but are generated as source code. Users can store and review created test artifacts together with the project’s files, and the initialization of the variables and input parameters for tested software simulation is done in exactly the same way as during production software operation. As such, the unit testing framework can be easily qualified for achieving compliance with safety standards such as ISO 26262, DO 178B/C, IEC 61508, or EN 50128. Parasoft C/C++test is certified by TÜV SÜD for these standards.
Benefit from the Parasoft Approach
Realistic Test Cases
- Other tools store input values for test cases and stubs in a proprietary format as a collection of values, which is fundamentally different than the variable’s initialization in production. With Parasoft C/C++test, test cases are instead stored as source code, and values for the tested code parameters are also initialized in the source code, closer to the process of parameter initialization in the production code, making it better suited for testing safety-critical code.
Time-Saving Qualification Kits
- Along with being independently certified for use in safety critical projects by TÜV SÜD, Parasoft C/C++test also provides industry-specific Qualification Kits that dramatically reduce the amount of time and effort required for achieving tool qualification for standards like ISO 26262, DO 178B/C, IEC 61508, and EN 50128.
Easily Switch Between Isolation and Integration Testing
- Parasoft C/C++test can be used for both pure isolation testing (where a tested function is entirely surrounded with stubs) and integration testing (in which tested components interact with other real software modules). The same test cases can be verified in isolation and integration mode, and results compared for any potential differences. Changing the mode of testing is a simple operation, and requires only the specification of the new stubs’ location.
Coverage & Traceability
Code Coverage and Requirements Traceability for C and C++
Parasoft’s solution for code coverage and requirements traceability provides critical feedback about the completeness and thoroughness of the testing process, by correlating tests and coverage results with requirements.
Parasoft’s solution for code coverage and requirements traceability intelligently leverages information about the relationship of code coverage results to the test cases, changes made to the code, and requirements, for a more valuable coverage metric. Code coverage reports are gathered along with an understanding of how they relate to the test cases and requirements, and reports generated after the testing session show the detailed reports in the context of every requirement.
Presenting test results in this way prevents users from spending time and effort testing non-important functionality, without covering critical system requirements. This powerful solution for requirements traceability is essential for achieving compliance with functional safety standards, such as DO 178B/C, ISO 26262, IEC 61508, and others.
Features
Collects comprehensive coverage metrics
- The most pragmatic way to monitor the completeness of the testing process is by monitoring coverage metrics. Parasoft C/C++test’s code coverage metrics can be used for assessing unit, integration, and system level testing completeness, supporting all important types of code coverage (function, call, line, statement, block, path, decision, simple condition, and MC/DC) and object/assembly coverage. Coverage results are available directly in the IDE, with convenient views and highlights in the source code editor, as well as in the form of static HTML or PDF reports, and dynamic reports through Parasoft’s centralized reporting dashboard.
- Users can monitor applications executed natively on the desktop, cross-platform using simulators, or on real embedded hardware. C/C++test’s coverage module is optimized to minimize the impact on the execution performance and test binary footprint, which makes it suitable for use with high end, server-based applications, as well as very limited systems based on 16 bit microcontrollers.
Correlates unit testing results with requirements
- Parasoft correlates all unit test cases created with C/C++test, or created using open source unit testing frameworks (executed with the C/C++test plugin), with requirements. Users can then absorb the results of the tests’ execution together with the information about code coverage, to achieve the full traceability required for safety-critical applications.
Correlates system level testing results with requirements
- C/C++test can be used to instrument an entire application’s codebase for code coverage monitoring. The instrumented application can be executed and examined based on the test procedures defined in manual test scenarios. During testing, users can easily annotate the coverage results with the information about the executed test scenarios.
- Users can view the coverage results collected from the testing process, together with the information about the correlation between test cases and requirements. Parasoft’s unique automatically-generated reports that merge unit testing and system testing coverage results help users determine the quality of the testing process to focus and optimize the testing effort.
Provides requirements traceability reports that integrate with the RMS
- By integrating with users’ Requirements Management System, users get traceability reports that display the correlation between requirements and:
  - Source code created to implement these requirements
  - Test cases created to test the requirements
  - Results of executed tests
  - Code coverage results
- Traceability reports provide clear and complete information about the development progress, and teams can easily determine how many requirements were already implemented and how thoroughly they have been tested.
Focus testing efforts by leveraging test impact analysis
- When connected with Parasoft’s Process Intelligence Engine, users benefit from test impact analysis. Every test performed, including manual, system level or UI-based tests, is recorded not just for its pass/fail result but also for its coverage impact on the code base. Each additional test is overlaid on this existing information, creating a complete picture of test success and coverage. As code is changed, the impact is clearly visible on the underlying record, highlighting tests that now fail or code that is now untested. Raising this information in various degrees of detail allows developers and testers to quickly identify what needs to be altered/fixed for the next test run.
Benefit from the Parasoft Approach
Correlate both tests and requirements to source code for full traceability
- Parasoft correlates requirements not only with tests and test results, but also with the source code created to implement those requirements. Users can tag created code using a flexible schema and provide this information to the reporting center, enabling detailed test and coverage reports focused on a selected requirement, without the obfuscation that would otherwise come from the code related to other requirements. This capability enables a complete view of quality, bringing together test results, code analysis, and code coverage with requirements, enabling teams to get a better understanding of areas of risk, so they can focus remediation activities.
Get a complete view of test coverage
- Instead of just seeing the coverage results from unit testing alone, Parasoft C/C++test captures coverage information across different development testing practices, to provide a complete view of what was and wasn’t tested. Parasoft’s reporting and analytics dashboard also displays which tests were used to exercise the specific parts of the codebase, so users have complete traceability. This helps users understand how to most efficiently re-test the codebase and re-use tests to increase code coverage.
Focus on the code and tests that matter to reduce risks
- With Parasoft, teams can concentrate on code coverage for the areas of active development, instead of the entire codebase, which can be especially problematic when working with legacy codebases. Rather than solely trying to achieve a coverage number for the entire codebase, Parasoft helps you pinpoint the parts of the code that are changing. Parasoft’s reporting dashboard correlates the data from C/C++test with observed changes in the codebase to focus the development team on achieving higher levels of code coverage for those specific, modified parts of the codebase. With Parasoft, you can minimize the impact of changes by efficiently managing the change itself.
Runtime Analysis
Runtime Analysis for Embedded C Applications
Parasoft C/C++test finds runtime defects, stability issues, and security vulnerabilities, such as memory leaks, null pointers, uninitialized memory, and buffer overflows, by monitoring the runtime when running a host-based or embedded application, or executing unit tests written in C. The runtime component is extremely lightweight, requiring only small amounts of extra code and data space.
Parasoft C/C++test automatically instruments an application’s codebase to activate monitoring when the application is running, identifying serious defects, stability issues, and security vulnerabilities, such as:
- Memory leaks
- Memory corruption
- Reading uninitialized memory
- Accessing memory using an out of range pointer (e.g. buffer overflow)
- Accessing memory using a null pointer
- Using free() on an invalid pointer
Parasoft C/C++test’s runtime analysis provides predefined test configurations to support both native and embedded applications with C-style memory allocations (malloc / free). Runtime analysis can be performed during both unit testing, to validate specific scenarios and execution paths, and functional testing, to monitor the fully integrated application.
- Defects that have been found during runtime testing can be presented directly in the developer’s IDE, and correlated with other test results and quality metrics, such as code coverage or static analysis findings from Parasoft C/C++test, so the user can get a complete picture of the tested application, making it easier to understand the root-cause of runtime defects.
Features
Detects real problems at runtime
- Parasoft C/C++test monitors a running application, detecting runtime-related problems (e.g. memory leaks, memory corruption, reading uninitialized memory, buffer overflows) that could lead to stability issues, functional misbehaviors, or security vulnerabilities. Unlike static analysis, where warnings may not necessarily result in bugs in the running code (a.k.a. false positives), bugs found by dynamic analysis are always true positives.
Detects hidden problems when executing unit tests
- Parasoft C/C++test monitors test binaries when running unit tests, providing insight into the code under test to help users understand unit testing failures or instabilities. Runtime analysis can detect errors that aren’t easily determined from unit test results. For example, memory leaks might be overlooked during unit testing since memory problems aren’t checked or the impact on memory isn’t significant. By detecting runtime defects for execution paths enforced by unit test cases, C/C++test can exercise paths not easily reached when running the original application.
Performs runtime checks for cross-platform environments
- Runtime analysis can be performed for not only native applications, but also for cross-platform/embedded environments, so the analysis is performed in the original production environment. Bugs may not manifest themselves with host-based development and the target code may have a different processor architecture, operating system and device constraints, so without this, users would need to perform complicated on-target debugging (assuming the defects could be detected by having some visible side effects during regular functional testing).
Provides deeper insights by combining runtime analysis results with other test results and quality data
- Runtime defects are presented in the IDE in a unified way with other test data, such as code coverage, unit testing failures, or static analysis findings, so it’s easier to analyze and understand the root cause of the runtime defects.
Benefit from the Parasoft Approach
Identify real defects and security vulnerabilities early, during unit and integration testing, in the original runtime embedded environment
- Runtime defects in embedded environments are often difficult to reproduce on a host platform (and often difficult on target platforms too). By monitoring the runtime execution of an embedded application, in the original embedded runtime environment, Parasoft helps you uncover real-world defects in your software.
Understand the root cause of defects for a preventative approach
- By correlating runtime defects with static analysis results, Parasoft gives users visibility to understand and identify the root cause of defects. This helps teams apply preventative practices across the entire codebase to uncover additional hidden defects and reduce the appearance of defects in the future.
Find more bugs when unit testing
- Unit testing is a critical testing practice to ensure that your code performs as expected under conditions that are difficult or impossible to reproduce when the application is fully assembled. Parasoft C/C++test enables you to leverage runtime analysis during the execution of unit tests, to uncover runtime issues that are buried within the application that you can’t easily reproduce within your pre-production environment.
Security Testing
Security testing for delivering robust C/C++ code
Users can expertly and efficiently harden their software with Parasoft’s comprehensive security testing solution for C/C++. The solution includes support for cybersecurity standards, and tooling designed to help users tackle the root cause behind software security failures and achieve secure-by-design for today’s connected device software.
Parasoft’s static code analysis technology provides high-quality results on the broadest range of security defect types. With over 2500 static analysis rules, Parasoft is able to detect not only security defects in the code, but also pinpoint the root cause engineering issues that led to such vulnerabilities. Reported violations contain metadata that includes severity, stack traces, and parameter values that lead to the reported issue, as well as mitigation advice to fix the code properly. This industry-leading support for static analysis rules and standards fully supports a secure-by-design approach to software development.
Static analysis security warnings and coding standard violations are reported in a variety of ways depending on the needs of the individual and organization. Developers can get violations reported directly in their IDE where they are working, with full documentation and the ability to repair, suppress, reassign, and defer violations. Managers are given a powerful web interface that provides details in the form of customizable reports, dashboards, historical trends, compliance and audit data, and powerful expandable analytics.
Parasoft has implemented all of the major application security standards, such as SEI CERT C/C++, CWE (Common Weakness Enumeration) coding guidelines, UL 2900, and OWASP, along with security-specific dashboards for each that help users understand risk and prioritization of outstanding violations/vulnerabilities/security defects.
Parasoft has the most comprehensive support for the CERT standard. The Parasoft configuration uses behind-the-scenes data maps that deliver a CERT-centric view, and all violations are reported using CERT identifiers natively. It’s the easiest out-of-the-box configuration available from any SAST vendor. In addition, Parasoft has implemented CERT’s unique set of metadata for each guideline that includes factors used in determining risk and prioritization of static analysis findings, so all violations contain information about probability of exploit, difficulty and cost of remediation, and severity if exploited.
Parasoft also supports the CWE coding guidelines. Configurations are available not only for the “Top 25” most common dangerous issues, but also for the CWE CUSP. Once a team has mitigated the critical vulnerabilities in the CWE Top 25, the CUSP configuration is a great second step before moving on to the full CWE guidelines. In addition, both the Top 25 and CUSP are core elements of the UL 2900 standard, so complying with them helps prepare products for deployment in an IoT ecosystem.
Parasoft provides CWE-centric dashboards and reports so that violations are reported based on CWE identifiers, making it easy to understand what you’re working on as well as proving compliance to meet necessary regulations. Parasoft leverages data from CWE to help prioritize and categorize SAST findings based on their potential impact downstream.
Parasoft enables you to not only find existing vulnerabilities, but harden your code with solid secure coding standards that reduce the number of CVEs (Common Vulnerabilities and Exposures) in your code/application/device. Analysis can run directly in the developer’s chosen IDE, on a build server, and directly as part of the CI/CD pipeline, giving the developer results when and where they need them while providing management with the necessary understanding to minimize security risk and breeze through security audits.
Features
Static analysis for security
- Parasoft enables users to find the root coding issues that create vulnerabilities in the application before testing even begins. Advanced analysis traces data input to usage in potentially exploitable locations in the code via data flow analysis.
Security-focused reports
- Security-focused analytics help users understand the risk of an application before release, by prioritizing security findings based on industry research from CWE and CERT. Put large reports into perspective by selecting violations based on their potential impact in the field, the prevalence of attacks of this type, the cost to remediate, and more.
Support for security coding standards
- Developers use Parasoft C/C++test to enforce important cybersecurity standards like CERT, CWE, UL 2900, and OWASP, to ensure that the software is built securely. Easily prove audit compliance by using Parasoft’s advanced compliance reports that show which rules have been used, when they were run, and what their state is, with markers for approved variance. Because these reports are specific to the user’s implemented coding standards, they also help teams quickly identify progress during development. For example, if you’re using CERT, you see all violations based on the CERT ID rather than an internal tool rule ID number.
Intelligent analytics for a pragmatic approach to security
- Parasoft helps users create a sustainable security strategy by collecting information from different sources across the entire development process, and finding the patterns that are most dangerous. Parasoft gathers a variety of information based on metrics, new vs. legacy code, the results of other tests, the risk scores from security standards, and more, and then helps you dial in on the results that matter the most.
Benefit from the Parasoft Approach
Move past testing into hardening
- Most SAST tools focus on finding potential defects rather than code that could be exploited, filling them with false negatives. Parasoft’s engineering approach prioritizes building security into the application, supported by identifying code that is worrisome and rules for coding best practices. By supporting all of the different models of static analysis, users can move past testing into engineering and truly harden their code against security intrusions.
Know where you stand with security coding standards
- Parasoft provides a complete, standard-centric view for understanding where you stand with cybersecurity coding standards. You don’t have to try to map rules to a standard, figure out which findings violated which standard, and then produce a custom report for audits. Instead, you get complete visibility, automatically, to understand which rules you used to meet the standard, which violations were fixed, and which were allowed variance.
Prioritize findings based on cybersecurity research
- Parasoft leads the market in implementing application security risk scoring from organizations like CWE and CERT, who focus on issues such as the downstream problems caused by specific violations. Normally a developer would need to understand the importance of, for example, a buffer overflow, and communicate that to management. Instead, users can rely on Parasoft’s technical impact scores that are based not on the code, but on the inherent level of the problem, the likelihood of it being exploited, and the cost to remediate it.
Functional Safety & Compliance
Software Testing for Functional Safety in C/C++ Applications
Parasoft’s solution for functional safety enables organizations to meet the testing and software quality requirements stemming from standards documents such as ISO 26262, EN 50128, IEC 61508, and DO-178B/C. Parasoft enables teams to automate the testing practices and qualification process mandated by these standards, and dramatically reduces the intensive manual effort that is otherwise necessary.
Functional safety standards mandate numerous testing practices for the software verification and validation process. Implementing the V&V process in accordance with safety standards can pose a significant challenge due to the number of different testing technologies that need to be orchestrated, so Parasoft C/C++test simplifies this requirement by providing everything you need to test your C and C++ code in one integrated, TÜV SÜD-certified solution.
Parasoft’s solution for safety-critical software provides a unique combination of features that help users address all main testing requirements imposed by safety standards with minimal effort. Instead of spending resources implementing, integrating, and maintaining independent solutions, Parasoft users can spend more time delivering safe and high-quality projects.
For example, Parasoft C/C++test enables developers to perform static code analysis for various coding standards (e.g. MISRA, CERT, AUTOSAR, CWE, JSF, etc.), unit testing and system level testing with fault injection, and code coverage monitoring (statement, branch, MC/DC, call, etc.), without leaving their IDE. Testing results can be reviewed immediately inside the user’s development environment or on a centralized reporting dashboard, where advanced analytics are performed on the aggregated test data.
Parasoft C/C++test includes dedicated integrations with leading embedded software development environments, such as Arm Development Studio, TI Code Composer, Wind River Workbench, Green Hills Software Multi, and many others. These integrations support the execution of tests on target hardware or simulators to increase reliability and fidelity of testing results, which is required for compliance with functional-safety standards.
Parasoft greatly reduces the risk and effort required for tool qualification. In addition to being able to apply the TÜV certification (when applicable), users benefit from extra automation in performing the tool qualification process, using Parasoft’s dedicated Qualification Kits, which guide users through all important steps of the procedure and automate most of the tedious manual work that is typically required.
Features
Software testing to support safety-critical guidelines
- Parasoft C/C++test provides support for a broad range of testing methodologies required to achieve compliance with safety standards. Whether this is static code analysis, unit testing, code coverage, or fault injection testing, it can all be satisfied with Parasoft C/C++test.
- Static Analysis
Static analysis is directly or indirectly required by all software safety standards to assure that source code is free from defects and code constructs that bring a high risk of undefined behavior. Parasoft provides pre-configured Compliance Packs, so you can get a preconfigured set of static analysis checkers for the coding guidelines you need (e.g. MISRA, JSF, AUTOSAR, CERT C/C++, CWE, UL 2900, and HIC++), as well as dedicated reporting that displays your static analysis results according to the specific categorizations and grouping defined by the standard you’re using, along with automatically generating the reports needed for audits.
- Unit Testing
Unit testing is required to demonstrate that low-level software requirements were correctly implemented. With unit testing, it is much easier to focus on a small unit of the source code, such as a function or method, and create a set of test cases that demonstrate that all essential requirements for this software component were correctly implemented.
- Code Coverage
Code coverage demonstrates the completeness of unit, integration, and system level testing. Standards require different types of coverage metrics depending on the risk level associated with the projects. Parasoft supports all required metrics, from statement, line, function, call, and branch, to the most complex MC/DC. The integration between the coverage tool and the unit testing framework enables developers to quickly find the gaps in their testing process and improve their test suites, to improve productivity and eliminate frustration in development.
Compliance reports and dashboards
- Reporting is essential for organizations to document that all testing practices were performed to the required level. Parasoft’s comprehensive reporting system helps you generate clear and detailed reports that are easy to analyze by development teams, as well as external organizations auditing the development process.
- Parasoft Compliance Packs provide dynamic industry-specific dashboards and widgets that increase visibility into the compliance progress and automatically generate compliance documentation that adheres to categorizations of the specific coding standard you’re using. Detailed unit testing reports provide complete information about executed test cases, which includes stubs configuration and status of executed assertions, and enables reviewers to understand the testing status without looking into the source code.
- Requirements traceability is required by functional safety standards to demonstrate that all requirements were implemented and covered with tests, and that the level of testing corresponds with the risk level (SIL, ASIL, SL) associated with the given software component. By integrating tightly with Requirements Management Systems, Parasoft enables users to automatically generate reports demonstrating testing results in the context of requirements.
Tool Qualification
- Tool Qualification is a mandatory process required by functional safety standards, for all tools that contribute to the safety-critical product or that automate or eliminate a verification activity. Tool qualification requirements depend on the specific standard and risk level associated with the project. In many situations, a TÜV certification is sufficient. In case of projects with higher levels of risk, users can use Parasoft’s Tool Qualification Kit.
- TÜV SÜD certification for Projects with Lower Level of Risk (i.e. ASIL A/B, SIL 1/2): Parasoft C/C++test is certified by TÜV SÜD as suitable for use when developing safety critical systems. This certification complies with tool qualification requirements from safety standards such as ISO 26262 or IEC 61508. TÜV certification simplifies the process of tool implementation for projects with a lower level of risk.
- Tool Qualification Kits for Projects with Higher Level of Risk (i.e. ASIL D, SIL 4, SL A): Parasoft’s Qualification Kit automates a significant part of the tool qualification process, reducing the amount of manual work and eliminating this distraction from software teams. Parasoft C/C++test is supported with a dedicated qualification kit that complies with safety standards requirements for tool qualification. Out-of-the-box, Parasoft’s Tool Qualification Kit supports the following standards: ISO 26262, IEC 61508, DO 178B/C, DO 330, and EN50128 with derivatives. A unique dedicated Qualification Support Tool guides users through all the steps required to qualify the tool and automates the majority of tedious manual work required to qualify the tool, including executing the test cases from the exhaustive test suite provided together with the Qualification Kit.
Benefit from the Parasoft Approach
Reduce risk with multiple testing technologies integrated in one tool
- The comprehensiveness of Parasoft C/C++test translates into increased developer efficiency when developing applications with functional safety requirements. Developers can focus on their core activities, without having to learn, integrate, and qualify several tools, and tool integrators or architects don’t have to spend time implementing interfaces between tools for exchanging data and generating uniform reports. Instead, they get all of it from Parasoft out-of-the-box.
Reduce testing effort with a proven test suite designed specifically for safety-critical applications
- When performing unit testing or runtime memory monitoring, all components required to build the test binary, including the test cases for tested code stimulation and stubs, are expressed in form of source code and can be versioned and inspected. This approach is superior to other tools, in which the stimulation for tested code is sent at runtime from the host and requires additional conversions before assigning to the variables in memory. C/C++test removes this unnecessary layer and assures that state of the memory before executing tests is constructed in the same way as in the production system.
Eliminate overhead for compliance
- Parasoft provides team-wide data integration, convenient reporting customized to different coding standards, and advanced analytics through Parasoft’s award-winning Process Intelligence Engine. Users benefit from the ability to aggregate information across multiple different sources (i.e. source code or requirements management systems, testing tools, or ALMs) for unique data analytics, helping focus efforts in the most productive way. Teams can increase productivity by monitoring trends in the development process, and easily generate reports that comply with industry standards such as “MISRA Compliance: 2016.”
Reporting & Analytics
Flexible and Dynamic Reporting and Analytics for C/C++ Software Testing
Parasoft’s extensive reporting capabilities bring the results of Parasoft C/C++test into context. Test results can be quickly accessed by developers directly in the IDE, reports can be automatically generated as part of CI builds and printed for code audits in safety-critical organizations, and results from across builds can be aggregated into Parasoft’s web-based reporting system (giving the team a detailed view without requiring access to the code within their IDE). In the reporting dashboard, Parasoft’s Process Intelligence Engine helps managers understand the quality of a project over time, illustrating the impact of change after each new code change, and integrating with the overall toolchain and providing advanced analytics that pinpoint areas of risk.
Parasoft C/C++test helps teams efficiently understand results from software testing by reporting and analyzing results in multiple ways.
Directly in the developer’s IDE, users can view:
- Static analysis findings (warnings and coding standard violations)
- Unit testing details (passed/failed assertions, exceptions with stack traces, info/debug messages)
- Runtime analysis failures (with allocation stack traces)
- Code coverage details (percentage values, code highlights, including coverage-test case correlation)
- Change impact analysis that indicates which tests have failed or need retesting based on recent code changes.
From Parasoft’s centralized reporting dashboard, users can view all of the above plus the additional:
- Aggregated visual reporting of the entire project status through dynamic dashboards with customizable reporting widgets
- Deep-dive information from each dashboard element
- Granular filtering and advanced analytics
- File and source code access with traces for unit test results, static analysis warnings, and coding standard violations
- Report generation and compliance evaluation
The Quality Tasks view in the IDE makes it easy for developers to sort and filter the results (e.g. group per file, per rule, per project, etc.). Developers can make annotations directly in the source code editors to correlate issues with the source code, and to better understand the context of reported issues and how to apply a fix. Code coverage information is presented as visual highlights displayed directly in the code editors, together with percentage values (for project, file, and function) in a dedicated Coverage view.
Analysis results for both IDE and command line workflows can also be exported to standard HTML and PDF reports, for local reporting. For safety-critical software development, C/C++test provides an additional dedicated report format that provides details about unit test case configuration and the log of results from test execution, so the user has a complete report of how the test case was constructed and what happened during runtime.
For team collaboration, C/C++test publishes analysis results to a centralized server so developers can access results from automated runs and project managers can quickly assess the quality of the project. Reported results (static analysis findings, metric analysis details, unit testing details, code coverage details, and source code details) are stored with a build identifier, for full traceability between the results and the build.
Features
IDE-based reporting
- Parasoft C/C++test provides dedicated views and source code annotations/markers directly in the IDE (Eclipse, Visual Studio), so developers can access results from C/C++test (i.e. static analysis violations, unit testing failures, code coverage information) without leaving the IDE to efficiently analyze results, apply corrections, and re-execute tests quickly.
Web-based reporting
- When integrating into CI/CD workflows, Parasoft users benefit from a centralized and flexible web-based interface for browsing results. The dynamic, web-based reporting dashboard includes customizable reporting widgets, source code navigation, advanced filtering, and advanced analytics from Parasoft’s Process Intelligence Engine. Users can access historical data and trends, apply baselining and test impact analysis, as well as integrate with external systems (e.g. for test-requirements traceability).
Test Impact Analysis
- Every test performed, including manual, system level, or UI-based tests, is recorded not just for its pass/fail results but also for its coverage impact on the code base. Each additional test is overlaid on this existing information, creating a complete picture of test success and coverage. As code is changed, the impact is clearly visible on the underlying record, highlighting tests that now fail or code that is now untested. Raising this information in various degrees of detail allows developers and testers to quickly identify what needs to be altered/fixed for the next test run.
Risk-based assessment on test improvements
- In addition to change impact analysis, static analysis can be used to highlight areas of the code that appear more risky than others. Risk can take the form of highly complex code, or an unusually high number of coding standard violations or a high number of reported static analysis warnings. These are areas of code that may require additional test coverage and even refactoring.
Functional-safety reporting
- Parasoft C/C++test provides specific reporting capabilities suited to functional-safety development, for example the following reports:
- Unit Testing Execution Details
- Tests to Requirements Traceability
- Test to Code Coverage Traceability
- Industry-specific Compliance Packs provide a dedicated, standard-driven report template to help teams comply with industry standards and provide automatically-generated reports required for code audits.
Benefit from the Parasoft Approach
Manage compliance with efficiency, visibility, and ease
- Instead of just providing static analysis checkers with basic reporting and trends visualization, Parasoft’s solution for coding standards compliance provides a complete framework for building a stable and sustainable compliance process.
- In addition to standard reporting, Parasoft provides a dedicated compliance reporting module that gives users a dynamic view into the compliance process. Users can see results grouped according to categorizations from the original coding standard, manage the deviations process, and generate compliance documents required for code audits and certification as defined by the MISRA Compliance:2016 specification.
Reduce the overhead of testing
- With a unified reporting framework, Parasoft C/C++test efficiently provides multiple testing methodologies required by the functional safety standards including static analysis, unit testing, and code coverage.
- Consistent reporting, cumulatively presenting results from the multiple testing techniques, reduces the overhead of testing activities and simplifies code audits and the certification process, eliminating the need for users to manually process reports to build documentation for the certification process.
- Focus testing effort to where it’s needed by eliminating extraneous testing and guesswork from test management. Reduce the costs of testing while improving test outcomes with better tests, more coverage, and streamlined test execution. With Parasoft, you can minimize the impact of changes by efficiently managing the change itself.
Pinpoint priority and risk between new and legacy code
- Parasoft’s Process Intelligence Engine enables users to look at the changes between two builds, to understand, for example, the level of code coverage or static analysis violations on the code that has been modified between development iterations, different releases, or an incremental development step from the baseline set on the legacy code.
- Teams can converge on better quality over time, not only by improving test coverage but also by reducing potentially risky code. The technical debt due to untested code, missed coding guidelines, and potential bugs and security vulnerabilities can be reduced gradually, build by build. Using the information provided by Parasoft tools, teams can focus on the riskiest code for better testing and maintenance.
Latest Release and Feature Summary
Parasoft C/C++test 10.4.3 introduces the enhanced Automotive Compliance Pack, including complete coverage for required/automated guidelines from AUTOSAR C++ 14.
We have spent a lot of time and effort to provide the best support for AUTOSAR C++ compliance on the market, but Parasoft C/C++test 10.4.3 is not only about AUTOSAR C++. We also beefed up the security compliance pack by adding new, enhanced rule sets for the latest editions of CWE Top 25/On The Cusp lists (released in September), as well as OWASP Top 10. We enhanced our unit testing framework by adding new options for stubs, we added more integration support, and more. Read on to get more details!
Automotive compliance pack with 100% coverage for AUTOSAR C++14 required/automated guidelines
In the last months, I had many customer visits in Silicon Valley, Europe (Germany mainly), and Japan. In almost all of these places, customers and prospects emphasized the importance of continuous static analysis support for the AUTOSAR C++ 14 standard, in the long-term relationship with Parasoft as the static analysis technology vendor. Especially as this standard continues to evolve under MISRA wings to support C++ 17 and C++ 20.
Parasoft has been the fastest to react to the AUTOSAR C++ 14 evolution, and provides the most comprehensive support for the guidelines from the standard. The 10.4.3 release of Parasoft C/C++test brings a new batch of checkers, which offers complete support for required/automated guidelines from the standard.
Parasoft C/C++test, along with its Automotive Compliance Pack, is now the only solution on the market offering 100% coverage for required/automated guidelines, which are the core guidelines in the standard meant for enforcement with static analysis technology. Teams usually start deploying the AUTOSAR C++ 14 compliance process using a subset of required/automated guidelines, which makes support for those guidelines critical. Below you can see a table showing some statistics of Parasoft coverage for the standard:
In addition to the critical required/automated guidelines, AUTOSAR C++ contains a subset of rules for which enforcement can be only partially-automated or cannot be automated (non-automated). In many situations, static analysis can provide a reasonable level of support, even for those guidelines that cannot be fully automated – to reduce the burden of manual code reviews. We decided to take this pragmatic approach, and our AUTOSAR C++ compliance solution includes support for selected partially or non-automated guidelines.
If you are interested in getting more details regarding Parasoft’s support for the AUTOSAR C++ 14 standard, you can view the full mapping here.
Security compliance pack with new enhanced rulesets for CWE
With the 10.4.3 release, Parasoft C/C++test is the first tool on the market that supports the latest edition (version 3.4) of CWE Top 25 and On The Cusp, which were released by MITRE on September 18, 2019. In the security world, a short turnaround time is critical for reacting to the always-changing landscape of threats. Parasoft C/C++test implements static analysis checkers that cover the CWE Top 25 and On The Cusp, giving organizations a solution to find and eliminate the most frequent and severe security weaknesses.
What makes Parasoft unique is that our support for security is comprehensive. We support security testing not only for C/C++ development but also for other technologies. In the latest Jtest and dotTEST release, you can find some more interesting information about CWE support for Java and C#.
In addition to the popular CWE Top 25 and On The Cusp, the latest release of Parasoft C/C++test provides a new rule set and test configuration for OWASP Top 10, which replaces the legacy test configuration and brings enhanced accuracy of the checkers.
Facilitating UL 2900 cybersecurity standard compliance for medical industry
The UL 2900 cybersecurity standard is recognized by the FDA, making it a good choice if you’re working on medical devices. To achieve the required level of cybersecurity for the system, the standard requires you to run static analysis for OWASP Top 10, CWE Top 25, and CWE On The Cusp. With the 10.4.3 release, Parasoft C/C++test now supports a combination of static analysis checkers that can automate source code scans against the weaknesses included in the latest editions of those lists, making it an excellent choice for any organization trying to achieve FDA approval and protect their product from cybersecurity threats.
Enhancements in the stubbing framework
Stubbing is one of the most valuable features of our unit testing framework. In every release we add something new to make it better and even easier to use. The 10.4.3 release provides an additional option for user stubs that configures them by default to work in so-called “proxy mode.”
The new option is provided to minimize the interference between different developers adding stubs for their test cases in an uncoordinated way, which can cause unintentional changes in test case results. With the new option selected, user stubs will automatically detect whether the original function is present, and invoke it by default. The stub will activate alternative behavior only if test-case-specific behavior is intentionally provided. With this option, a developer can safely add a stub for an existing symbol without breaking her colleagues’ test cases that rely on the original definition. And the beauty of this feature is that the new stubs are smart enough to detect whether the original definition is present in the test binary or not. If the original definition of the stubbed function is excluded from the test binary, the stub will reconfigure itself and return the default value instead of performing the proxy call.
You can learn more about this new feature here.
Support for new environments!
Last but not least, we worked very hard to provide support for new development environments. Let me mention some of the most important environments that we now support in the 10.4.3 release:
- Visual Studio 2019 with C/C++ compiler
- GNU GCC 9
- QNX SDP 7.0 with the latest release of Momentics IDE and compilers for x86 and Arm
- IAR ARM 8.22 (functional safety edition)
- IAR ARM 8.40
Looking into the future
The 10.4.3 release was initially planned to be focused on the enhancements for the unit testing framework. Reacting to the pressure from the market, we decided to change our plans. We were getting a number of requests from our automotive customers (autonomous driving guys mainly to be honest…) to finalize our support for required/automated guidelines from the AUTOSAR C++ standard. The pressure for compliance is growing as the autonomous driving systems are becoming more mature and closer to the release. And for a long time, there was no static analysis tool on the market that supports 100% of the critical guidelines. Now that C/C++test provides this missing functionality to the market, we can switch our focus back to unit testing and start working on some exciting enhancements. We plan to release the next version of the C/C++test, with some of these new features, at the end of Q1 2020, or the beginning of Q2.
Technical Specifications
Below are the Parasoft C/C++test Technical Specifications:
Supported Host Platforms
- Windows
- Linux
Supported Tool Chains / Environments
- Altium/Tasking
- ARM
- Eclipse IDE for C/C++ Developers
- GreenHills
- IAR
- Keil
- Microsoft
- National Instruments
- QNX
- Renesas
- Texas Instruments
- WindRiver
Build Management
- GNU make
- Bazel
- Sun make
- Microsoft nmake
- ElectricAccelerator
Continuous Integration
- Bamboo
- Jenkins
- TeamCity
Source Control
- AccuRev SCM
- Borland StarTeam
- CVS
- Git
- IBM Rational ClearCase
- IBM Rational Synergy
- Mercurial
- Microsoft Team Foundation Server
- Microsoft Visual SourceSafe
- Perforce SCM
- Serena Dimensions
- Subversion (SVN)
Coverage Metric Generation
- Function
- Call
- Line
- Statement
- Block
- Path
- Decision
- Simple Condition
- MCDC
Deployment Options
Parasoft C/C++test can be deployed in different ways to serve your needs:
- Desktop/IDE
- Build/CI Integration