Home » Blog » Categories » Product News

Product News

SonarLint for Visual Studio adds secondary locations

By ganncamp | Oct 21, 2020 06:35 AM | Tags: None

The latest release of SonarLint for Visual Studio adds secondary locations to help you better understand the issues it raises in your C++ code. SonarLint is a free static analysis extension installable from the Visual Studio Marketplace. 

Visualizing issues with secondary locations

By Duncan Pocklington

From the article: 

All SonarLint issues specify a location in the code showing where the issue occurs. However, some of the more complex rules produce issues for which a single location is not enough to adequately explain why the issue has occurred. These more complex rules often identify additional locations in the code to help understand the problem. These additional locations are referred to as secondary locations.

Part 2: Upsetting Opinions about Static Analyzers

By Andrey Karpov | Oct 16, 2020 01:27 AM | Tags: volatile static code analysis pvs-studio false positives

By writing the article "Upsetting Opinions about Static Analyzers" we were supposed to get it off our chest and peacefully let it all go. However, the article unexpectedly triggered robust feedback. Unfortunately, the discussion went in the wrong direction, and now we will make a second attempt to explain our view of this situation.

Part 2: Upsetting Opinions about Static Analyzers

by Andrey karpov

From the article:

And started coming up with cases when it might be justified, which means that the PVS-Studio analyzer warning was a false-positive. Some speculations about the change in memory between two checks came into play which occurs due to:

  • running parallel threads;
  • signal/interrupt handlers;
  • the variable X is a reference to the element A[0];
  • hardware, such as performing DMA operations;
  • and so on.

After heated debate on the analyzer's inability to comprehend all cases, they left to cut down forest with axes. In other words, they found an excuse why they could still avoid using a static code analyzer in their work.

Clang 11.0.0 Release Notes — Clang 11 documentation

By Adrien Hamelin | Oct 14, 2020 12:59 PM | Tags: community

The new version is here.

Clang 11.0.0 Release Notes — Clang 11 documentation

From the article:

This document contains the release notes for the Clang C/C++/Objective-C frontend, part of the LLVM Compiler Infrastructure, release 11.0.0. Here we describe the status of Clang in some detail, including major improvements from the previous release and new feature work. For the general LLVM release notes, see the LLVM documentation. All LLVM releases may be downloaded from the LLVM releases web site.

Upsetting Opinions about Static Analyzers

By Andrey Karpov | Oct 12, 2020 06:39 AM | Tags: static code analysis static analyzer pvs-studio data-flow analysis code analysis

Static analysis tools have advanced far over the time they've been around. They no longer resemble the "linters" that were in active use 20 years ago. But some programmers still view them as extremely primitive tools. And that's very sad.

Upsetting Opinions about Static Analyzers

by Andrey Karpov

From the article:

Of course, any modern static analyzer tracks the changes of variables' values. If a variable doesn't change, a warning is issued. If it does, no warning is issued. To ensure that, analyzers rely on data stream analysis. And that's exactly how PVS-Studio works. Let's take a look at the following synthetic example.


 

Winning the race against TOCTOU vulnerabilities in C & C++ -- Ann G. Campbell

By ganncamp | Oct 11, 2020 12:07 PM | Tags: None

Researchers were surprised to find that their Time of Check to Time of Use (TOCTOU) attack succeeded 85% of the time, even when the critical operations were "separated only by a few milliseconds."

To better understand this vunlerability and what you can do, read:

Winning the race against TOCTOU vulnerabilities in C & C++

by G. Ann Campbell

From the article:

With TOCTOU, the idea is that there's a window of opportunity between when a privileged program checks a file (Does the file exist? Are permissions okay for what we're about to do? …)  and when it operates on that file (Create the file. Write to the file. …). In that window, an attacker could replace the file with e.g. a symlink to `/etc/passwd`, and the operation you meant to perform on `/home/ann/tmp` happens to an important system file instead.

Broader coverage of C++ Core Guidelines & broken access control detection with SonarQube and SonarCl

By ganncamp | Oct 8, 2020 11:35 AM | Tags: None

SonarSource recently improved C++ analysis to provide even broader coverage of the C++ Core Guidelines and to add detection of broken access control vulnerabilities

C++ analyzer provides a broader coverage of the C++ Core Guidelines and detects broken access control security issues

By Alexandre Gigleux

From the article:

We’re proud to announce the following improvements to the C++ analyzer:

  • security rules detecting broken authentication and access control issues
  • broader coverage of the C++ Core Guidelines


Security Rules

We implemented 6 rules related to broken access control (incorrect permission assignments, privilege escalations, unprotected APIs …):

Why it is important to apply static analysis for open libraries that you add to your project

By Andrey Karpov | Oct 2, 2020 01:48 PM | Tags: static code analysis static analysis open source code review code quality

If there are several options, it is useful to take time to analyze open libraries in order to choose the best one.

Why it is important to apply static analysis for open libraries that you add to your project

by Andrey Karpov

From the article:

Because of a typo, the original vector is returned, not the new scaledVector container. The same error occurs in the division operator. Facepalm. Again, these errors don't mean anything separately. Although, this is a hint that this library isn't used much and there is highly likely that there are other serious undetected errors in it.

False positives are our enemies, but may still be your friends -- Loic Joly

By ganncamp | Oct 2, 2020 10:44 AM | Tags: None

Insights into how static analysis rules are structured, why false positives exist, how they're fought, and why - hard as we try - they may always be with us. 

False positives are our enemies, but may still be your friends

By Loic Joly

About the article:

When writing a rule for static analysis, it’s possible that in some cases, the rule does not give the results that were expected. Unfortunately, naming a false positive is often far easier than fixing it. In this post, I’ll discuss how the different types of rules give rise to different types of false positives, which ones are easier to fix than others, and how you can help. I’ll end with insight into how issues that are false positives can still be true indicators that the code needs to change.

Getting timely, accurate feedback on your C++ from the SonarQube ecosystem -- G. Ann Campbell

By ganncamp | Oct 2, 2020 10:34 AM | Tags: None

The SonarQube ecosystem offers C++ developers feedback throughout the workflow: in-IDE for the individual, in PRs for peer review, and in SonarQube for the team

Getting timely, accurate feedback on your C++ from the SonarQube ecosystem

By G. Ann Campbell

From the article

Late feedback is a pain in the butt. Regardless of how it comes, hearing "that thing you did two weeks ago was wrong" is unwelcome at best. Good feedback is immediate, actionable and at least dispassionate, if not compassionate. That's why we help you integrate C++ static analysis throughout your workflow, so you and your team get the feedback you need when and where it's most useful. In this post, I'll walk through how SonarQube and SonarLint integrate smoothly into your workflow and your team to give you the right data at the right time and in the right place.

HPX V1.5.1 released -- STE||AR Group

By Hartmut Kaiser | Oct 1, 2020 06:21 PM | Tags: performance parallelism heterogeneous computing distributed computing concurrency c++20 c++17 c++14 c++11

The STE||AR Group has released V1.5.1 of HPX -- A C++ Standard library for parallelism and concurrency.

HPX V1.5.1 Released

The newest version of HPX (V1.5.1) is now available for download! This is a relatively small bug-fix release that fixes some problems we discovered in the 1.5.0 release.

    HPX is a general purpose parallel C++ runtime system for applications of any scale. It implements all of the related facilities as defined by the C++ Standard. As of this writing, HPX provides the only widely available open-source implementation of the new C++17 parallel algorithms. Additionally, HPX implements functionalities proposed as part of the ongoing C++ standardization process, such as large parts of the features related parallelism and concurrency as specified by the upcoming C++20 Standard, the C++ Concurrency TS, Parallelism TS V2, data-parallel algorithms, executors, and many more. It also extends the existing C++ Standard APIs to the distributed case (e.g. compute clusters) and for heterogeneous systems (e.g. GPUs).

    HPX seamlessly enables a new Asynchronous C++ Standard Programming Model that tends to improve the parallel efficiency of our applications and helps reducing complexities usually associated with parallelism and concurrency.