Product News

Checking Clang 11 with PVS-Studio

It's no secret that compilers employ their own built-in static code analyzers, and those are developing as well. That's why we write articles every now and then to show that our static analyzer, PVS-Studio, can find bugs even inside compilers and that we are worth our salt.

Checking Clang 11 with PVS-Studio

by Andrey Karpov

From the article:

The programmer is using a modulo operation to get a random value of either 0 or 1. But the value 1 seems to confuse developers and make them write the classic anti-pattern in which the modulo operation is performed on 1 instead of 2. The X % 1 operation is meaningless as it always evaluates to 0.

Checking a Header-Only C++ Library Collection (awesome-hpp)

Somehow, we've happened to check most of the libraries making up a collection called "Awesome hpp". These are small header-only projects in C++. Hopefully, the information about the bugs we've found will help make the libraries better.

Checking a Header-Only C++ Library Collection (awesome-hpp)

by Andrey Karpov

From the article:

A note for library developers. You can use PVS-Studio to check open-source projects for free. To get a free license to use with your open-source project, please fill in this form.

Lay a strong foundation by writing secure C and C++ utilities

*nix systems assume you know what you're doing - even if you're doing something silly or dangerous. That's why you need to take extra precautions if you expect your code to be run as a privileged process.

Lay a strong foundation by writing secure C and C++ utilities

by G. Ann Campbell

From the article:

Libraries and system utilities form the foundations on which larger projects are built. So it's critical to make sure they, in particular, are secure. That's why we recently introduced five new rules for C++ and C to detect broken authentication and access control in *nix systems. The new rules fall into three categories: account validity, granting permissions, and changing directories.

SonarLint for Visual Studio adds secondary locations

The latest release of SonarLint for Visual Studio adds secondary locations to help you better understand the issues it raises in your C++ code. SonarLint is a free static analysis extension installable from the Visual Studio Marketplace. 

Visualizing issues with secondary locations

By Duncan Pocklington

From the article: 

All SonarLint issues specify a location in the code showing where the issue occurs. However, some of the more complex rules produce issues for which a single location is not enough to adequately explain why the issue has occurred. These more complex rules often identify additional locations in the code to help understand the problem. These additional locations are referred to as secondary locations.

Part 2: Upsetting Opinions about Static Analyzers

By writing the article "Upsetting Opinions about Static Analyzers" we were supposed to get it off our chest and peacefully let it all go. However, the article unexpectedly triggered robust feedback. Unfortunately, the discussion went in the wrong direction, and now we will make a second attempt to explain our view of this situation.

Part 2: Upsetting Opinions about Static Analyzers

by Andrey karpov

From the article:

And started coming up with cases when it might be justified, which means that the PVS-Studio analyzer warning was a false-positive. Some speculations about the change in memory between two checks came into play which occurs due to:

  • running parallel threads;
  • signal/interrupt handlers;
  • the variable X is a reference to the element A[0];
  • hardware, such as performing DMA operations;
  • and so on.

After heated debate on the analyzer's inability to comprehend all cases, they left to cut down forest with axes. In other words, they found an excuse why they could still avoid using a static code analyzer in their work.

Clang 11.0.0 Release Notes — Clang 11 documentation

The new version is here.

Clang 11.0.0 Release Notes — Clang 11 documentation

From the article:

This document contains the release notes for the Clang C/C++/Objective-C frontend, part of the LLVM Compiler Infrastructure, release 11.0.0. Here we describe the status of Clang in some detail, including major improvements from the previous release and new feature work. For the general LLVM release notes, see the LLVM documentation. All LLVM releases may be downloaded from the LLVM releases web site.

Upsetting Opinions about Static Analyzers

Static analysis tools have advanced far over the time they've been around. They no longer resemble the "linters" that were in active use 20 years ago. But some programmers still view them as extremely primitive tools. And that's very sad.

Upsetting Opinions about Static Analyzers

by Andrey Karpov

From the article:

Of course, any modern static analyzer tracks the changes of variables' values. If a variable doesn't change, a warning is issued. If it does, no warning is issued. To ensure that, analyzers rely on data stream analysis. And that's exactly how PVS-Studio works. Let's take a look at the following synthetic example.


 

Winning the race against TOCTOU vulnerabilities in C & C++ -- Ann G. Campbell

Researchers were surprised to find that their Time of Check to Time of Use (TOCTOU) attack succeeded 85% of the time, even when the critical operations were "separated only by a few milliseconds."

To better understand this vunlerability and what you can do, read:

Winning the race against TOCTOU vulnerabilities in C & C++

by G. Ann Campbell

From the article:

With TOCTOU, the idea is that there's a window of opportunity between when a privileged program checks a file (Does the file exist? Are permissions okay for what we're about to do? …)  and when it operates on that file (Create the file. Write to the file. …). In that window, an attacker could replace the file with e.g. a symlink to `/etc/passwd`, and the operation you meant to perform on `/home/ann/tmp` happens to an important system file instead.

Broader coverage of C++ Core Guidelines & broken access control detection with SonarQube and SonarCl

SonarSource recently improved C++ analysis to provide even broader coverage of the C++ Core Guidelines and to add detection of broken access control vulnerabilities

C++ analyzer provides a broader coverage of the C++ Core Guidelines and detects broken access control security issues

By Alexandre Gigleux

From the article:

We’re proud to announce the following improvements to the C++ analyzer:

  • security rules detecting broken authentication and access control issues
  • broader coverage of the C++ Core Guidelines


Security Rules

We implemented 6 rules related to broken access control (incorrect permission assignments, privilege escalations, unprotected APIs …):

Why it is important to apply static analysis for open libraries that you add to your project

If there are several options, it is useful to take time to analyze open libraries in order to choose the best one.

Why it is important to apply static analysis for open libraries that you add to your project

by Andrey Karpov

From the article:

Because of a typo, the original vector is returned, not the new scaledVector container. The same error occurs in the division operator. Facepalm. Again, these errors don't mean anything separately. Although, this is a hint that this library isn't used much and there is highly likely that there are other serious undetected errors in it.