devsecops

PVS-Studio 7.25: support for latest versions of Qt Creator, Rider, and more

PVS-Studio 7.25 has been released. In this version, we implemented the support of Qt Creator 10 and Rider 2022.2.3 (and higher), updated the libraries used by the analyzer, enhanced the documentation — and that's not all!

PVS-Studio 7.25: support for latest versions of Qt Creator, Rider, and more

by Nikita Lipilin

From the article:

When checking C++ projects that use MSBuild, PVS-Studio did not use the full power of Intel's 12th generation processors (for example, i7-12700, i9-12900). Apparently, the analysis processes were running only on energy-saving cores, while the rest remained idle. In the new version of PVS-Studio, the error has been fixed. Now the analyzer fully loads the processors and works much faster.

CWE Top 25 2022. Review of changes

The CWE Top 25 list reflects the most serious software security weaknesses. I invite you to read the updated top list to become aware of the changes happened over the past year.

CWE Top 25 2022. Review of changes

by Mikhail Gelvih

From the article:

Below is a table of correspondence between the CWE Top 25 2022 list and the PVS-Studio diagnostic rules, divided by programming languages. You can always check the most up-to-date table with CWE Top 25 coverage on our website.

Why do you need the MISRA Compliance report and how to generate one in PVS-Studio?

If you are strongly interested in MISRA and would like to understand whether your project meets one of the MISRA association's standards, there is a solution. It's name is MISRA Compliance.

Why do you need the MISRA Compliance report and how to generate one in PVS-Studio?

by Nikolay Mironov

From the article:

To make this simpler, let's take rule 1.1 that has the standard value of the category equal to Required. If you look at the table, you can see that acceptable compliance values for Required are Compliance or Deviations (I'll talk more about the meaning of these statuses later). This means that if your project complies with rule 1.1, or if it complies with this rule with some deviations - everything is fine and you can go to the next rule. If you get at least one hit in Violations or Disapplied, then the project does not comply with MISRA C 2012. If all rules have acceptable values only, congratulations! Your project complies with the MISRA C 2012 standard. If you have a hit in the red zone (the table above), you do not comply with the standard.

PVS-Studio 7.13: Blame Notifier, MISRA

The list of diagnostics supported by MISRA and AUTOSAR continues to grow. We've expanded the Blame Notifier utility's capabilities. The analysis of Ninja projects on Windows has been enhanced and now involves the JSON Compilation Database.

PVS-Studio 7.13

by Andrey Karpov

From the article:

  • The C++ analyzer provides enhanced support of Ninja projects on Windows using JSON Compilation Database (compile_commands.json).
  • The C++ PVS-Studio analyzer spends 10% less time checking source files with the use of the Clang compiler.
  • To check C++ and C# Visual Studio PVS-Studio_Cmd.exe projects, you can pass the suppression file directly. Before this, you could add suppressed warnings only at the projects and solution level.

PVS-Studio 7.12 New Features for Finding Safety and Security Threats

At the moment, PVS-Studio is developing not only as a static analyzer searching for code quality defects (quality control solution) but also as a solution for searching for security and safety defects.

PVS-Studio 7.12 New Features for Finding Safety and Security Threats

by Nikolay Mironov, Paul Eremeev

From the article:

Well, to waste no time, let's point out the additions right away. So, here is what's new, safe, and cool in PVS-Studio:

  • New diagnostic groups OWASP ASVS and The AUTOSAR C++14 Coding Guidelines have been added to the analyzer. Previously, the compliance of PVS-Studio diagnostic rules with these standards was available only on our website. Now we have more than 50 new diagnostic rules!
  • Now the analyzer shows information about the compliance of the warnings with the SEI CERT Coding Standard. This information formerly was available only on the PVS-Studio website.
  • The interface of our plugins for Visual Studio, JetBrains Rider, and IntelliJ IDEA has been improved to ease the work with analyzer messages that have safety and security standards identifiers.
  • New diagnostic groups (OWASP, AUTOSAR) in PlogConverter are supported.
  • New diagnostics (OWASP, AUTOSAR) are supported in SonarQube at the tag level. We classified our diagnostic rules by OWASP Top 10.

PVS-Studio 7.11 Release: IAR Arm, Diagnostics, FREE-FREE-FREE-FREE

This is the press release of the New Year's version of the PVS-Studio 7.11 analyzer. Since the new version includes only a few enhancements, let's take this opportunity to recall the options for free PVS-Studio use.

PVS-Studio 7.11 Release: IAR Arm, Diagnostics, FREE-FREE-FREE-FREE

by Andrey Karpov

From the article:

Support of the IAR Arm compilers is now available in the pvs-studio-analyzer utility. This family of compilers was previously supported only in the CLMonitor.exe utility on Windows. Now users of PVS-Studio for Linux can check the code written for these compilers as well. We added interception of compiler calls via ld-linux to the pvs-studio-analyzer utility.

PVS-Studio 7.10 Release: OWASP, AUTOSAR, SARIF

We develop PVS-Studio not only as a classic code analyzer, but also in the direction of Security and Safety. In this regard, we've started working on the support of the OWASP and AUTOSAR C++14 standards. To facilitate PVS-Studio integration into other code quality control tools, we supported analyzer results conversion to the SARIF format.

PVS-Studio 7.10 Release: OWASP, AUTOSAR, SARIF

by Andrey Karpov

From the article:

Utilities for converting PVS-Studio analysis results (PlogConverter.exe for Windows and plog-converter for Linux\macOS) now support conversion to SARIF (Static Analysis Results Interchange Format). SARIF is a universal open format for presenting the results of tools that search for errors, safety and security defects. This format is supported by many static analyzers and allows you to combine various code quality control tools in a single ecosystem.

PVS-Studio 7.09

Therefore, most likely, now each release will be followed by a special note so that users don't miss changes that may be useful to them. What's interesting is that from now on we won't just list everything that was added or improved. Rather, now on the contrary, the purpose is to highlight the most important features in the news to avoid having just a boring list of changes.

PVS-Studio 7.09

by Andrey Karpov

From the article:

New general analysis diagnostics:

  •     V1059. Macro name overrides a keyword/reserved name. This may lead to undefined behavior.
  •     V1060. Passing 'BSTR ' to the 'SysAllocString' function may lead to incorrect object creation.
  •     V1061. Extending 'std' or 'posix' namespace may result in undefined behavior.
  •     V1062. Class defines a custom new or delete operator. The opposite operator must also be defined.
  •     V1063. The modulo by 1 operation is meaningless. The result will always be zero.

ModernCppStarter & PVS-Studio Static Code Analyzer

One of the ways to improve software quality is to check source code with static analysis tools. This section explains how to use the PVS-Studio analyzer to check projects built on ModernCppStarter. We provide a free license for open-source projects.

ModernCppStarter & PVS-Studio Static Code Analyzer

by PVS-Studio Team

From the article:

plog-converter will convert the report into the errorfile format (similar to GCC's messages), which can be conveniently viewed in a terminal window and the IDE. You can also have the report converted to an HTML file by using the -t fullhtml flag. Use the flags -a and -d to filter diagnostics. Run the plog-converter --help command to view the full list of available options.

 

PVS-Studio 7.05

We're glad to offer to your attention a quick overview of the PVS-Studio 7.05 code analyzer release. The analyzer is enriched with twenty new diagnostics and infrastructure improvements.

PVS-Studio 7.05

by Andrey Karpov

From the article:

The Blame Notifier utility meant to notify developers about the analysis results is now available on all platforms supported by the analyzer (Windows, Linux, macOS). Blame Notifier uses the information from the version control system (SVN, Git, Mercurial) to identify the person who wrote the code that triggered an analyzer warning.