A Tour of C++ Modules in Visual Studio--Will Buik

By Adrien Hamelin | Oct 30, 2020 01:04 PM | Tags: community

Reading to use them?

A Tour of C++ Modules in Visual Studio

by Will Buik

From the article:

C++ module support has arrived in Visual Studio! Grab the latest Visual Studio Preview if you want to try it out. C++ modules can help you compartmentalize your code, speed up build times, and they work seamlessly, side-by-side with your existing code.

This preview only supports C++ modules in the IDE for MSBuild projects. While the MSVC toolset is supported by any build system, Visual Studio’s IDE support for CMake doesn’t support C++ modules yet. We will let you know once it is! As always, please try it out and let us know if you have any feedback...

Checking Clang 11 with PVS-Studio

By Andrey Karpov | Oct 27, 2020 05:23 AM | Tags: static code analysis sast pvs-studio open source llvm clang 11 clang bugs

It's no secret that compilers employ their own built-in static code analyzers, and those are developing as well. That's why we write articles every now and then to show that our static analyzer, PVS-Studio, can find bugs even inside compilers and that we are worth our salt.

Checking Clang 11 with PVS-Studio

by Andrey Karpov

From the article:

The programmer is using a modulo operation to get a random value of either 0 or 1. But the value 1 seems to confuse developers and make them write the classic anti-pattern in which the modulo operation is performed on 1 instead of 2. The X % 1 operation is meaningless as it always evaluates to 0.

Checking a Header-Only C++ Library Collection (awesome-hpp)

By Andrey Karpov | Oct 22, 2020 02:20 AM | Tags: sast pvs-studio open source devtool awesomehpp awesome-hpp

Somehow, we've happened to check most of the libraries making up a collection called "Awesome hpp". These are small header-only projects in C++. Hopefully, the information about the bugs we've found will help make the libraries better.

Checking a Header-Only C++ Library Collection (awesome-hpp)

by Andrey Karpov

From the article:

A note for library developers. You can use PVS-Studio to check open-source projects for free. To get a free license to use with your open-source project, please fill in this form.

Lay a strong foundation by writing secure C and C++ utilities

By ganncamp | Oct 21, 2020 06:37 AM | Tags: None

*nix systems assume you know what you're doing - even if you're doing something silly or dangerous. That's why you need to take extra precautions if you expect your code to be run as a privileged process.

Lay a strong foundation by writing secure C and C++ utilities

by G. Ann Campbell

From the article:

Libraries and system utilities form the foundations on which larger projects are built. So it's critical to make sure they, in particular, are secure. That's why we recently introduced five new rules for C++ and C to detect broken authentication and access control in *nix systems. The new rules fall into three categories: account validity, granting permissions, and changing directories.

SonarLint for Visual Studio adds secondary locations

By ganncamp | Oct 21, 2020 06:35 AM | Tags: None

The latest release of SonarLint for Visual Studio adds secondary locations to help you better understand the issues it raises in your C++ code. SonarLint is a free static analysis extension installable from the Visual Studio Marketplace. 

Visualizing issues with secondary locations

By Duncan Pocklington

From the article: 

All SonarLint issues specify a location in the code showing where the issue occurs. However, some of the more complex rules produce issues for which a single location is not enough to adequately explain why the issue has occurred. These more complex rules often identify additional locations in the code to help understand the problem. These additional locations are referred to as secondary locations.

Part 2: Upsetting Opinions about Static Analyzers

By Andrey Karpov | Oct 16, 2020 01:27 AM | Tags: volatile static code analysis pvs-studio false positives

By writing the article "Upsetting Opinions about Static Analyzers" we were supposed to get it off our chest and peacefully let it all go. However, the article unexpectedly triggered robust feedback. Unfortunately, the discussion went in the wrong direction, and now we will make a second attempt to explain our view of this situation.

Part 2: Upsetting Opinions about Static Analyzers

by Andrey karpov

From the article:

And started coming up with cases when it might be justified, which means that the PVS-Studio analyzer warning was a false-positive. Some speculations about the change in memory between two checks came into play which occurs due to:

• running parallel threads;
• signal/interrupt handlers;
• the variable X is a reference to the element A[0];
• hardware, such as performing DMA operations;
• and so on.

After heated debate on the analyzer's inability to comprehend all cases, they left to cut down forest with axes. In other words, they found an excuse why they could still avoid using a static code analyzer in their work.

Clang 11.0.0 Release Notes — Clang 11 documentation

By Adrien Hamelin | Oct 14, 2020 12:59 PM | Tags: community

The new version is here.

Clang 11.0.0 Release Notes — Clang 11 documentation

From the article:

This document contains the release notes for the Clang C/C++/Objective-C frontend, part of the LLVM Compiler Infrastructure, release 11.0.0. Here we describe the status of Clang in some detail, including major improvements from the previous release and new feature work. For the general LLVM release notes, see the LLVM documentation. All LLVM releases may be downloaded from the LLVM releases web site.

Upsetting Opinions about Static Analyzers

By Andrey Karpov | Oct 12, 2020 06:39 AM | Tags: static code analysis static analyzer pvs-studio data-flow analysis code analysis

Static analysis tools have advanced far over the time they've been around. They no longer resemble the "linters" that were in active use 20 years ago. But some programmers still view them as extremely primitive tools. And that's very sad.

Upsetting Opinions about Static Analyzers

by Andrey Karpov

From the article:

Of course, any modern static analyzer tracks the changes of variables' values. If a variable doesn't change, a warning is issued. If it does, no warning is issued. To ensure that, analyzers rely on data stream analysis. And that's exactly how PVS-Studio works. Let's take a look at the following synthetic example.

Winning the race against TOCTOU vulnerabilities in C & C++ -- Ann G. Campbell

By ganncamp | Oct 11, 2020 12:07 PM | Tags: None

Researchers were surprised to find that their Time of Check to Time of Use (TOCTOU) attack succeeded 85% of the time, even when the critical operations were "separated only by a few milliseconds."

To better understand this vunlerability and what you can do, read:

Winning the race against TOCTOU vulnerabilities in C & C++

by G. Ann Campbell

From the article:

With TOCTOU, the idea is that there's a window of opportunity between when a privileged program checks a file (Does the file exist? Are permissions okay for what we're about to do? …)  and when it operates on that file (Create the file. Write to the file. …). In that window, an attacker could replace the file with e.g. a symlink to `/etc/passwd`, and the operation you meant to perform on `/home/ann/tmp` happens to an important system file instead.

Broader coverage of C++ Core Guidelines & broken access control detection with SonarQube and SonarCl

By ganncamp | Oct 8, 2020 11:35 AM | Tags: None

SonarSource recently improved C++ analysis to provide even broader coverage of the C++ Core Guidelines and to add detection of broken access control vulnerabilities

C++ analyzer provides a broader coverage of the C++ Core Guidelines and detects broken access control security issues

By Alexandre Gigleux

From the article:

We’re proud to announce the following improvements to the C++ analyzer:

• security rules detecting broken authentication and access control issues
• broader coverage of the C++ Core Guidelines

Security Rules

We implemented 6 rules related to broken access control (incorrect permission assignments, privilege escalations, unprotected APIs …):