Source code review with Emacs [Part 1]

Series: "Source code review with Emacs"

I usually review C or Java code (big code bases) for vulnerabilities. My preferred tools for the task are Emacs, Sourcetrail, and Beyond Compare. All of these tools run on Linux without any problem.

Sourcetrail can be used to quickly identify the relationships between software components, and Emacs to navigate the code, take notes (in org-mode), and write the report (in LaTeX). The main reason to use Emacs rather than another editor is note-taking in org-mode: it is possible to include links to source code lines, add code snippets, include dot diagrams, export to PDF, etc.

This setup has been tested on Emacs 28-30.


Pros and Cons

What you should be able to do with this setup:

  • Quickly navigate the code
  • "grep" files
  • Use fuzzy matching to find information
  • Take notes efficiently: links and graphs

Pros:

  • Easy to install on new setups.
  • Notes with code syntax highlight.
  • Fuzzy matching. For everything.
  • You can use piped grep results within Emacs to quickly narrow down your searches.
  • Emacs is highly configurable.
  • Quick to set up code for navigation, even if it is incomplete. Some editors assume you are a developer, not a reviewer, and break if not all the code needed for a build is available.

Cons:

  • It is not trivial (AFAIK) to use compilation flags to limit searches or code display. The closest I have found is rtags, but it needs compilable code, which I usually don't have. This can be achieved in Eclipse pretty easily.
  • Languages with function overloads do not play correctly with the default ctags. You can use a Pygments backend though.
  • You will miss the smart part of IDEs.


Tools Installation

Needed Tools:

  • Linux
  • Silver searcher (ripgrep can also be used)
  • Emacs 28+
  • GNU global
  • Universal ctags
  • python-pygments

In general, file operations on Windows are quite slow, so searches and git operations are significantly slower than on Linux. These tools are available in the Debian repositories, so the setup is easy to create on a virtual machine or in WSL.

Pygments and Universal ctags are used as backend plugins for GNU global. The following command should work on a Debian terminal (tested on Debian 12):

  apt-get install emacs silversearcher-ag global exuberant-ctags python3-pygments


Installing and Configuring Emacs Packages

Use-package

use-package is used to configure Emacs packages. It has the benefit of installing packages that are not already installed, which makes it easy to move your Emacs setup to a new workstation.

First, set up the package repositories. The following code needs to be added to your init file, e.g. emacs.el. It sets the package repositories and ensures that use-package is installed.

(require 'package) ;; You might already have this line
;; Fetch the archive index and packages over TLS, so the downloaded
;; Lisp code cannot be tampered with in transit.
(add-to-list 'package-archives '("melpa" . "https://melpa.org/packages/"))

(when (< emacs-major-version 24)
  ;; For important compatibility libraries like cl-lib
  (add-to-list 'package-archives '("gnu" . "http://elpa.gnu.org/packages/")))
(package-initialize) ;; You might already have this line

;; Ensure that use-package is installed, otherwise, install it
(unless (package-installed-p 'use-package)
  (package-refresh-contents)
  (package-install 'use-package))

(eval-when-compile
  (require 'use-package))

;; Enable statistics to profile starting time
(setq use-package-compute-statistics t)

;; Install missing packages
(require 'use-package-ensure)
(setq use-package-always-ensure t)

If at any point the initialization of Emacs fails, you can run it as:

  emacs --debug-init

We can now use use-package to install the needed Emacs packages:

  • helm
  • helm-gtags
  • helm-grep
  • helm-ag
  • ggtags
  • projectile
  • helm-projectile
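As an added illustration of what such a declaration looks like (example code, not the configuration the series gives in Part 2), here is a use-package form for helm-ag, which fronts the silver searcher installed above. The keybindings are assumptions; the alternative ripgrep command line is the one documented in the helm-ag README.

```elisp
;; Added example: a single use-package declaration for helm-ag.
;; Assumes the bootstrap above (use-package-always-ensure t) and that
;; "ag" (or "rg") is on PATH.
(use-package helm-ag
  :ensure t                                   ; redundant with always-ensure, shown for clarity
  :bind (("C-c a" . helm-do-ag-project-root)  ; search the current project (binding is an assumption)
         ("C-c A" . helm-do-ag))              ; prompt for a directory to search instead
  :custom
  ;; Backend command. The default is the silver searcher; swap in the
  ;; ripgrep line if you installed rg instead.
  (helm-ag-base-command "ag --nocolor --nogroup")
  ;; (helm-ag-base-command "rg --vimgrep --no-heading --smart-case")
  ;; Pre-fill the search prompt with the symbol under point, which is the
  ;; usual starting point when chasing a function or variable during review.
  (helm-ag-insert-at-point 'symbol))
```

Evaluating the form on a fresh workstation downloads and installs helm-ag (and its helm dependency) before applying the settings, which is the portability benefit described above.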

We will start installing and configuring packages in Part 2.