Cobra Static Code Analyzer


Cobra is a structural source code analyzer, fast enough that it can be used interactively. The tool prototype (Version 1.0) was developed at NASA's Jet Propulsion Laboratory in late 2015, and released for general distribution about a year later.

Versions 2, 3, and 4 of the tool are extended versions that can handle interactive analyses of code bases with up to millions of lines of code, while supporting a significantly richer online query scripting language and a method for defining named pattern expressions as sets. The tool also comes with multi-core support for many types of queries, including a new set of cyber-security related checks.

Starting with Version 3, the Cobra code is distributed in open source form at

Cobra can analyze C, C++, Ada, and Python, and can relatively easily be retargeted for other languages. The distribution includes a collection of sample query libraries and scripts.

A new graphical user interface to Cobra, written in Tcl/Tk, is part of the current GitHub distribution (in the directory named gui and in the bin-directories). An overview of the GUI can be found here. The GUI assumes that you have Cobra Version 4.1 or later installed.

A comprehensive online tutorial and demo of Version 3.1 of Cobra is available at this link: Online Tutorial (about 165 minutes total, in 8 parts, with exercises). (The current Cobra version is 4.3, which has quite a few more extensions, but should be backward compatible with 3.1.)
If you just want to look at the demo, check this link: Demo (it's a little over 21 minutes).

For bug reports and additional information:
gholzmann atsign acm dot org