Get the latest critical update information for Log4j vulnerability. See how to address the issue with Parasoft guidance. Learn More >>
The Motor Industry Software Reliability Association (MISRA) refers to the widely adopted and legendary coding standard for C and C++ languages. MISRA provides a comprehensive set of coding guidelines that focuses on protecting applications against known safety violations and security vulnerabilities. The Association classifies guidelines as either a “rule” or a “directive.”
A rule comes with a complete description of the coding requirement, and through static analysis, developers can use it to check that source code complies with a guideline without the need to seek out any other information. A directive, on the other hand, offers an important prescription or development guidance for developers to follow when it’s generally not possible for them to perform a check for compliance.
MISRA is a consortium of automotive-related industries that came together in the early 1990s as a result of the United Kingdom’s Safety Critical Systems Research Programme. The U.K. government instituted this program to address some of the challenges that the automobile industry faced due to auto and truck makers increasing the use of software in the manufacture and operation of road vehicles. Parasoft is a member of the MISRA consortium.
For C development, the latest MISRA C: 2012 standard supports C90, C99, C11, and C18 language specifications. The current version, MISRA C: 2012 (sometimes written as MISRA C 2012 or MISRA C2012), has evolved over several years, and Amendment 2 to MISRA C: 2012 was published in 2020. Amendment 3 is projected to be released in 2022. For the C++ programming language, the current MISRA standard is MISRA C++ 2008.
Note: MISRA is a set of rules for secure coding, not for testing APIs (application programming interfaces).
“MISRA”, “MISRA C” and the triangle logo are registered trademarks of The MISRA Consortium Limited. ©The MISRA Consortium Limited, 2021. All rights reserved.
When developers implement MISRA guidelines, it helps them deliver safe, secure, and reliable code that has everlasting benefits. MISRA compliance impacts your product’s success and longevity while reducing labor costs and time to market.
Deploy Parasoft’s suite of products to conduct static analysis of code no matter which development environment you work in.
When it comes to MISRA compliance, we recommend several highly beneficial practices. Here is a list of some of the methods to consider.
A great thing about proposing MISRA compliance is that security teams can introduce and use the guidelines at any software development phase of a project, and the guidelines are effective even if a project is incomplete and partially coded.
The biggest challenge with introducing MISRA compliance is that a large amount of code can produce a large number of warnings. Therefore, companies should focus on getting the team productive as soon as possible when integrating MISRA compliance into a project.
Companies should also concentrate on minimizing the possibility of the static analysis warnings overwhelming the team. As achieving MISRA compliance becomes part of the developers’ daily routine, the developers can analyze results quicker and fix bugs more efficiently.
It’s also important to consider the maturity of the product under development, as this impacts the way the company can adopt MISRA compliance.
The primary approach to adopting MISRA compliance for these projects is called “acknowledge and defer.” Since developers are adding little new code, all of the safety bugs and security vulnerabilities they discover add to the existing technical debt.
The recommended approach to MISRA compliance is called “a line in the sand” approach. At a high level, this approach means developers improve new code as they develop it while deferring less critical warnings as technical debt.
Developers can integrate MISRA compliance in their development environments from the start, ensuring a high standard of quality code as they write it. The approach to adoption in this case is aptly named “greenfield.”
Parasoft C/C++test detects complex MISRA compliance runtime-like problems early in the development stage — without the need to execute costly runtime tests. C/C++test analyzes the execution paths through the code and finds MISRA compliance issues, like null pointer dereferencing, division by zero, memory leaks, and security vulnerabilities, such as arithmetic on a pointer operand, buffer overflows, unreachable code, and stdlib system function.
Users can view results from C/C++test’s MISRA compliance in Parasoft’s dynamic reporting dashboard, enabling automated post-processing and advanced reporting strategies using historical data. It’s easy to see MISRA compliance results across builds over time, even when working with large codebases and legacy code where visibility into the code is typically challenging so you can quickly focus on the quality of the newly added code.
With widgets that automatically track MISRA compliance, users get a dynamic view into the software compliance process, and can easily produce automatic reports for code audits and certification goals.
Incorporate into your software implementation phase a TÜV certified solution that analyzes your code to the MISRA standard for known safety and application security violations.
In modern Agile development, you can also automate MISRA analysis and compliance into your continuous integration and continuous delivery (CI/CD) workflow. Make sure to understand all identified violations and make certain to address them all. If there are any deviations, thoroughly document them as required by the MISRA standard.
Lastly, you need to present the following artifacts for MISRA compliance certification.
The latest version, MISRA C:2012, has evolved over several years and includes 158 MISRA C rules and 17 directives for a total of 175 guidelines. Amendment 2 to MISRA C:2012, published in 2020, expanded the standard by 2 rules.
Static analysis is the process of examining source code without execution, usually for the purposes of finding bugs or evaluating code safety, security, and reliability. This means software teams and software security teams can use static analysis on partially complete code, libraries, and third-party source code.
Static analysis tools help teams conform to coding standards such as MISRA C/C++, AUTOSAR C++ 14, SEI CERT, or your own custom configuration.