If it is difficult to modify your build process to create a new build configuration, then you may need to create a build specification instead.
A build specification file is a summary that details how your application is built. In particular, it summarizes the steps needed to perform static security analysis and specifies the files to be processed and the compilation options to use. It also describes the pseudo object modules that must be linked to generate the analysis results and the librarian invocations that are needed to combine those pseudo object modules into static link libraries.
The Intel® Compiler provides utility programs to create and execute build specifications. Invoke any of these utilities with the -help switch to get a usage message or with the -version switch to identify the version.
Creating a Build Specification File
There are several ways to create a build specification. They are described here in order of convenience.
-
Run your normal (debug) build under the injection utility
The injection utility launches your build command as a child process, intercepts process creations, and generates a build specification file. Each time it sees an invocation of the compiler, librarian, or linker, it captures the command options and adds a corresponding command to the build specification file. Run the utility, as shown in the following:
inspxe-inject -save-spec <output build spec> -- <build command>
For example:
inspxe-inject -save-spec buildapp_sca.spec -- make debug
The injection utility automatically recognizes the following four compilers: the Intel® C++ compiler, the Intel® Fortran compiler, the Microsoft Visual C++* compiler, and the GNU* C++ compiler. The injection utility will not operate correctly if your build procedure invokes a compiler, librarian, or linker on another computer.
NoteIf your build procedure compiles or links files that are not part of your application, the resulting build specification file will also analyze those files. If you cannot avoid compiling unrelated source files during your build, edit the build specification file with a text editor to eliminate the unwanted compilation and link steps.
-
Modify your build procedure to "wrap" each compilation,
librarian, and linker step, then execute the modified build
You can modify your build program or script to invoke the compiler, librarian, or linker indirectly using the wrapper utility. The wrapper utility appends a single action to the build specification file that corresponds to a command. It then executes the specified command (unless the --no-run switch is supplied). At every point where your build program or script invokes the compiler, librarian, or linker, run the utility, as shown in the following:
inspxe-wrap -save-spec <output build spec> [-no-run] -- <command>
For example:
inspxe-wrap -save-spec buildapp_sca.spec -- icl $(CFLAGS) file1.c
NoteIf your build procedure compiles or links files that are not part of your application, you should not wrap these actions. Wrapping would include these actions in the build specification, which is undesirable.
NoteThe actions created by your instrumented build will be appended to the previous contents of the build specification. Therefore, before you execute your modified build, you should delete the output build specification file.
Using the Build Specification File
Once you have created a build specification, you can use it to perform static security analysis. Remember to update your build specification each time a file is added or removed from the project or when compilation options change. Otherwise, full analysis of your entire application will not occur.
To perform static security analysis from a build specification, use the following command line utility.
inspxe-runsc -spec-file <build spec> [<options>]
<options> represents additional options to be passed to the compilation (and link) steps.
If no options are specified, the option to enable static security analysis at level 3 is added by default.