devsecops

PVS-Studio 7.13: Blame Notifier, MISRA

The list of diagnostics supported by MISRA and AUTOSAR continues to grow. We've expanded the Blame Notifier utility's capabilities. The analysis of Ninja projects on Windows has been enhanced and now involves the JSON Compilation Database.

PVS-Studio 7.13

by Andrey Karpov

From the article:

  • The C++ analyzer provides enhanced support of Ninja projects on Windows using JSON Compilation Database (compile_commands.json).
  • The C++ PVS-Studio analyzer spends 10% less time checking source files with the use of the Clang compiler.
  • To check C++ and C# Visual Studio PVS-Studio_Cmd.exe projects, you can pass the suppression file directly. Before this, you could add suppressed warnings only at the projects and solution level.

PVS-Studio 7.12 New Features for Finding Safety and Security Threats

At the moment, PVS-Studio is developing not only as a static analyzer searching for code quality defects (quality control solution) but also as a solution for searching for security and safety defects.

PVS-Studio 7.12 New Features for Finding Safety and Security Threats

by Nikolay Mironov, Paul Eremeev

From the article:

Well, to waste no time, let's point out the additions right away. So, here is what's new, safe, and cool in PVS-Studio:

  • New diagnostic groups OWASP ASVS and The AUTOSAR C++14 Coding Guidelines have been added to the analyzer. Previously, the compliance of PVS-Studio diagnostic rules with these standards was available only on our website. Now we have more than 50 new diagnostic rules!
  • Now the analyzer shows information about the compliance of the warnings with the SEI CERT Coding Standard. This information formerly was available only on the PVS-Studio website.
  • The interface of our plugins for Visual Studio, JetBrains Rider, and IntelliJ IDEA has been improved to ease the work with analyzer messages that have safety and security standards identifiers.
  • New diagnostic groups (OWASP, AUTOSAR) in PlogConverter are supported.
  • New diagnostics (OWASP, AUTOSAR) are supported in SonarQube at the tag level. We classified our diagnostic rules by OWASP Top 10.

PVS-Studio 7.11 Release: IAR Arm, Diagnostics, FREE-FREE-FREE-FREE

This is the press release of the New Year's version of the PVS-Studio 7.11 analyzer. Since the new version includes only a few enhancements, let's take this opportunity to recall the options for free PVS-Studio use.

PVS-Studio 7.11 Release: IAR Arm, Diagnostics, FREE-FREE-FREE-FREE

by Andrey Karpov

From the article:

Support of the IAR Arm compilers is now available in the pvs-studio-analyzer utility. This family of compilers was previously supported only in the CLMonitor.exe utility on Windows. Now users of PVS-Studio for Linux can check the code written for these compilers as well. We added interception of compiler calls via ld-linux to the pvs-studio-analyzer utility.

PVS-Studio 7.10 Release: OWASP, AUTOSAR, SARIF

We develop PVS-Studio not only as a classic code analyzer, but also in the direction of Security and Safety. In this regard, we've started working on the support of the OWASP and AUTOSAR C++14 standards. To facilitate PVS-Studio integration into other code quality control tools, we supported analyzer results conversion to the SARIF format.

PVS-Studio 7.10 Release: OWASP, AUTOSAR, SARIF

by Andrey Karpov

From the article:

Utilities for converting PVS-Studio analysis results (PlogConverter.exe for Windows and plog-converter for Linux\macOS) now support conversion to SARIF (Static Analysis Results Interchange Format). SARIF is a universal open format for presenting the results of tools that search for errors, safety and security defects. This format is supported by many static analyzers and allows you to combine various code quality control tools in a single ecosystem.

PVS-Studio 7.09

Therefore, most likely, now each release will be followed by a special note so that users don't miss changes that may be useful to them. What's interesting is that from now on we won't just list everything that was added or improved. Rather, now on the contrary, the purpose is to highlight the most important features in the news to avoid having just a boring list of changes.

PVS-Studio 7.09

by Andrey Karpov

From the article:

New general analysis diagnostics:

  •     V1059. Macro name overrides a keyword/reserved name. This may lead to undefined behavior.
  •     V1060. Passing 'BSTR ' to the 'SysAllocString' function may lead to incorrect object creation.
  •     V1061. Extending 'std' or 'posix' namespace may result in undefined behavior.
  •     V1062. Class defines a custom new or delete operator. The opposite operator must also be defined.
  •     V1063. The modulo by 1 operation is meaningless. The result will always be zero.

ModernCppStarter & PVS-Studio Static Code Analyzer

One of the ways to improve software quality is to check source code with static analysis tools. This section explains how to use the PVS-Studio analyzer to check projects built on ModernCppStarter. We provide a free license for open-source projects.

ModernCppStarter & PVS-Studio Static Code Analyzer

by PVS-Studio Team

From the article:

plog-converter will convert the report into the errorfile format (similar to GCC's messages), which can be conveniently viewed in a terminal window and the IDE. You can also have the report converted to an HTML file by using the -t fullhtml flag. Use the flags -a and -d to filter diagnostics. Run the plog-converter --help command to view the full list of available options.

 

PVS-Studio 7.05

We're glad to offer to your attention a quick overview of the PVS-Studio 7.05 code analyzer release. The analyzer is enriched with twenty new diagnostics and infrastructure improvements.

PVS-Studio 7.05

by Andrey Karpov

From the article:

The Blame Notifier utility meant to notify developers about the analysis results is now available on all platforms supported by the analyzer (Windows, Linux, macOS). Blame Notifier uses the information from the version control system (SVN, Git, Mercurial) to identify the person who wrote the code that triggered an analyzer warning.

PVS-Studio in the Clouds - Running the Analysis on Travis CI

At the moment, cloud CI systems are a highly-demanded service. In this article, we'll tell you how to integrate analysis of source code into a CI cloud platform with the tools that are already available in PVS-Studio. As an example we'll use the Travis CI service.

PVS-Studio in the Clouds - Running the Analysis on Travis CI

by Oleg Andreev

From the article:

Travis CI is a service for building and testing software that uses GitHub as a storage. Travis CI doesn't require changing of programming code for using the service. All settings are made in the file .travis.yml located in the root of the repository. We'll take LXC (Linux Containers) as a test project for PVS-Studio. It is a virtualization system at the operation system level for launching several instances of the Linux OS at one node. The project is small, but more than enough for demonstration.

PVS-Studio: Support of MISRA C and MISRA C++ Coding Standards

Starting with the version 6.27, the PVS-Studio static code analyzer can classify its warnings according to MISRA C and MISRA C++ standards. Due to support of these standards it has become possible to effectively use the analyzer to increase the level of security, portability and reliability of programs for embedded systems.

PVS-Studio: Support of MISRA C and MISRA C++ Coding Standards

by Andrey Karpov

From the article:

Such diagnosis can't be applied to already existing projects developed for Windows, Linux or macOS operating systems. For example, only one rule about curly brackets described above gives 1947 warnings of the V2507 diagnostic (MISRA C 15.6, MISRA C++ 6-4-1) for a WinMerge project. Still WinMerge is a small project! In total, only 250 000 lines of code in C and C# languages.

PVS-Studio 6.26 Released

This new release included many interesting improvements related to analysis of C and C++ code, about which we'd like to tell our users.

PVS-Studio 6.26 Released

by Andrey Karpov

From the article:

A developer believes that this is a bug in the compiler. Nevertheless, it is the author of the code who is wrong. The function does not work correctly due to the fact that undefined behavior occurs in it. The compiler follows that in the r variable a certain sum is calculated. Overflow of the r variable must not happen. Otherwise, it is undefined behavior, which doesn't have to be considered or taken into account by a compiler. So, the compiler thinks that since the value of r variable after ending the loop cannot be negative, then r & 0x7fffffff operation is not needed to reset the sigh bit and the compiler just returns the value of r variable from the function.