Nox-Lumen MfgC / C++ static analysis
C/C++ L1 review pairs two skills aligned with MISRA / AUTOSAR / CERT expectations.
| Skill | Axis | One-liner |
|---|---|---|
| clang-tidy | Rules + modernization | bugprone / performance / modernize / cert / security checks |
| cppcheck | Bugs | Leaks / null deref / OOB / UB (no compile needed) |
clang-tidy
Role: LLVM-backed static analysis with very broad check catalog.
| Check family | Coverage |
|---|---|
bugprone-* | Classic bug shapes |
performance-* | Copies, inefficient containers |
modernize-* | C++11/14/17/20 upgrades |
cert-* | CERT secure coding |
cppcoreguidelines-* | C++ Core Guidelines |
clang-analyzer-* | Path-sensitive analyzer |
misra-* (third-party plugins) | MISRA C:2012 |
Prereq: compile_commands.json (CMake can emit easily).
Need references / call graphs?
clang-tidy / cppcheck focus on violations. For cross-file references, call chains, inheritance, enable code index · heavy tier so the compiler database drives accurate references / call graphs.
Triggers: “modernize C++”, “run clang-tidy”, “MISRA sweep”
cppcheck
Role: C/C++ bug finder without compilation (source-only).
| Signal | Example |
|---|---|
| Leaks | malloc without free, exception-path leaks |
| Null deref | if (!p) return; *p = 1; misuse |
| OOB | int a[5]; a[5] = 1; |
| UB | Overflow, uninitialized reads |
| Resource leaks | FDs, sockets, mutexes |
| API misuse | overlapping memcpy, bad printf formats |
Why use it
- No compiler environment (no
compile_commands.json) - Great for third-party or legacy trees
- Complements clang-tidy (finer rules vs easier setup)
Triggers: “memory leak scan”, “run cppcheck”, “buffer overflow check”
Run both
Overlap exists—enable both; merge to CodeEvidence for code-review L2.
Automotive usage
- standards-converter turns MISRA trim lists into
.clang-tidy - clang-tidy + cppcheck for L1
- code-review L2 against ISO 26262 requirements
- Post results via gerrit-integration