Securing Legacy Apps: Source Code Scanners for C++ Builder 5

Static Analysis Guide: Source Code Scanners for C++Builder 5

Legacy development environments present unique challenges for modern software engineering. Borland C++Builder 5, released in 2000, relies on a proprietary compiler (BCC32) and specific language extensions such as __property and __closure, together with the VCL (Visual Component Library) framework.

Standard modern static analysis tools often fail or generate massive false positives when encountering this syntax. This guide outlines how to implement static analysis for C++Builder 5 codebases to improve security, stability, and code quality.

Scenario 1: Native and Vintage Tools (Highest Compatibility)

If your primary goal is 100% compatibility with Borland’s custom language extensions without modifying your source code, vintage or specifically tailored tools are required.

Borland C++Builder Internal Warnings: The built-in BCC32 compiler features adjustable warning levels. Enable maximum warnings (-w flag) to catch basic type mismatches, uninitialized variables, and unused functions.

Cppcheck (Legacy Versions): Older open-source versions of Cppcheck can be configured to ignore Borland keywords using custom token defines. You can pass -D__property= or -D__closure= on the command line so the parser does not choke on VCL code.

PC-Lint / FlexeLint (Gimpel Software): Historically, PC-Lint provided dedicated configuration files (co-borland.lnt) specifically tuned for Borland compilers. It accurately parses VCL extensions and tracks deep pointer logic, null pointer dereferences, and memory leaks.

Scenario 2: Modern Enterprise Scanners (Pre-Processing Required)

If you must integrate C++Builder 5 code into a modern corporate CI/CD pipeline, enterprise scanners can be used, but they require a compatibility layer.

SonarQube / Coverity / Helix QAC: These modern engines cannot parse Borland extensions natively. To use them, you must run a pre-processing script or use heavy macro definitions to strip or transform Borland-specific keywords into standard C++ before the scanner runs.

Implementation Strategy: Create a core header file filled with macros that redefine Borland keywords for the scanner engine only:

    #ifdef ANALYZER
    /* For the scanner only: each Borland keyword expands to nothing. */
    #define __property
    #define __closure
    #define __fastcall
    #endif
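Where the macro header is not enough (a __property declaration still does not parse once the keyword is blank), the pre-processing script mentioned in Scenario 2 can rewrite the Borland syntax instead. The following is an added example, not code from the original guide: it produces an analyzer-only copy of a source file, and the sample class, accessor names and file names in it are constructed.

```python
"""Analyzer-only pre-processor: rewrite C++Builder 5 keywords into standard C++
so a scanner such as Cppcheck can parse the file. Feed the output to the scanner
only; the original source is never modified."""
import re
import sys

# __fastcall and __closure can simply be dropped: a Borland closure type such as
# `void __fastcall (__closure *TNotifyEvent)(TObject*)` then becomes a plain
# function pointer that any standard C++ front end accepts.
DROP_KEYWORDS = re.compile(r"\b(?:__fastcall|__closure)\b\s*")
PUBLISHED = re.compile(r"\b__published\s*:")
# __property <type> <name>[<index>] = {read=..., write=...};
PROPERTY = re.compile(
    r"__property\s+(?P<type>[\w:<>*&\s]+?)\s+(?P<name>\w+)\s*"
    r"(?P<index>\[[^\]]*\])?\s*=\s*\{(?P<spec>[^}]*)\}\s*;"
)

def _rewrite_property(m: re.Match) -> str:
    """Leave a plain member for the scanner; keep the accessor spec in a comment
    so a reviewer can still see which getter/setter the property maps to."""
    if m.group("index"):  # indexed property has no standard C++ form: comment it out
        return "/* " + m.group(0) + " */"
    return f"{m.group('type').strip()} {m.group('name')}; /* __property {m.group('spec').strip()} */"

def preprocess(source: str) -> str:
    """Return the analyzer-only view of one C++Builder source file."""
    text = PROPERTY.sub(_rewrite_property, source)
    text = DROP_KEYWORDS.sub("", text)
    return PUBLISHED.sub("public:", text)

# Constructed sample input (not taken from any real project) covering each rewrite.
SAMPLE = """\
class TMainForm : public TForm {
__published:
    TButton *OkButton;
    void __fastcall OkButtonClick(TObject *Sender);
public:
    __property int Count = {read=GetCount, write=SetCount};
    __property AnsiString Items[int Index] = {read=GetItem};
};
typedef void __fastcall (__closure *TNotifyEvent)(TObject *Sender);
"""

if __name__ == "__main__":
    # Usage: python bcb_preprocess.py Unit1.cpp > analyzer/Unit1.cpp (file names hypothetical)
    src = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE
    sys.stdout.write(preprocess(src))
```

Run it over each unit into a scratch directory and point the scanner at that directory, so findings still refer to the original line numbers but the parser never sees a Borland keyword.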

Limitations: This approach hides VCL-specific bugs (such as property read/write side effects) from the analyzer, focusing instead on standard C++ logic errors.

Key Bug Categories to Target in C++Builder 5

When configuring your rulesets, prioritize these high-risk areas common to legacy C++ applications:

1. Resource and Memory Leaks

VCL applications rely heavily on raw pointers (TStringList, TIniFile). Because C++Builder 5 predates modern smart pointers (std::unique_ptr), tools must track explicit delete calls inside try/__finally blocks.

2. Object Ownership Confusions

VCL components often take an Owner parameter in their constructor (e.g., new TButton(this)). The owner handles memory freeing. Scanners must differentiate between components managed by the VCL framework and raw heap allocations that require manual deletion.

3. Buffer Overflows

Legacy code heavily utilizes unsafe CRT functions like strcpy, sprintf, and gets. Static scanners should flag these instantly and recommend safer alternatives like snprintf or the built-in methods of the VCL AnsiString class.

Implementation Steps

Audit the Codebase: Identify all instances of non-standard Borland keywords.

Select the Engine: Choose PC-Lint for deep local analysis, or Cppcheck with defines for a budget-friendly pipeline.

Create the Mock Header: Map out the macro definitions to neutralize __fastcall, __published, and __property declarations.

Establish a Baseline: Run the first scan. Expect thousands of warnings. Filter out stylistic warnings and isolate critical memory or security defects.

Automate: Integrate the tool into your build scripts via command-line interfaces.
