Static code analysis is typically used as part of improving software security during the development phase. Two main topics related to static code analysis are covered in this chapter. First, static code analysis can be used to detect weakness patterns and vulnerabilities in the software early during development. Second, static code analysis can be used to check the code for compliance to various coding guidelines such as CERT (Computer Emergency Response Team), MISRA (Motor Industry Software Reliability Association), and AUTOSAR (AUTomotive Open System ARchitecture) coding guidelines. These measures can help automotive organizations address security, safety, and quality concerns early in the software development lifecycle. Analyzing the software code can be performed at any stage of the software development once some code is available; however, the earlier this activity is performed, the lower the costs for an organization to detect and fix vulnerabilities and defects in the software. More details about where static code analysis fits into the software development lifecycle is explained in Chapter 2.

Regarding the first topic of using static code analysis to find weakness patterns and vulnerabilities in the software, the approaches and tools for the automotive industry and for automotive software are similar to other industries and other software, and are therefore discussed in ...