devsecops

PVS-Studio in the Clouds - Running the Analysis on Travis CI

At the moment, cloud CI systems are a highly-demanded service. In this article, we'll tell you how to integrate analysis of source code into a CI cloud platform with the tools that are already available in PVS-Studio. As an example we'll use the Travis CI service.

PVS-Studio in the Clouds - Running the Analysis on Travis CI

by Oleg Andreev

From the article:

Travis CI is a service for building and testing software that uses GitHub as a storage. Travis CI doesn't require changing of programming code for using the service. All settings are made in the file .travis.yml located in the root of the repository. We'll take LXC (Linux Containers) as a test project for PVS-Studio. It is a virtualization system at the operation system level for launching several instances of the Linux OS at one node. The project is small, but more than enough for demonstration.

PVS-Studio: Support of MISRA C and MISRA C++ Coding Standards

Starting with the version 6.27, the PVS-Studio static code analyzer can classify its warnings according to MISRA C and MISRA C++ standards. Due to support of these standards it has become possible to effectively use the analyzer to increase the level of security, portability and reliability of programs for embedded systems.

PVS-Studio: Support of MISRA C and MISRA C++ Coding Standards

by Andrey Karpov

From the article:

Such diagnosis can't be applied to already existing projects developed for Windows, Linux or macOS operating systems. For example, only one rule about curly brackets described above gives 1947 warnings of the V2507 diagnostic (MISRA C 15.6, MISRA C++ 6-4-1) for a WinMerge project. Still WinMerge is a small project! In total, only 250 000 lines of code in C and C# languages.

PVS-Studio 6.26 Released

This new release included many interesting improvements related to analysis of C and C++ code, about which we'd like to tell our users.

PVS-Studio 6.26 Released

by Andrey Karpov

From the article:

A developer believes that this is a bug in the compiler. Nevertheless, it is the author of the code who is wrong. The function does not work correctly due to the fact that undefined behavior occurs in it. The compiler follows that in the r variable a certain sum is calculated. Overflow of the r variable must not happen. Otherwise, it is undefined behavior, which doesn't have to be considered or taken into account by a compiler. So, the compiler thinks that since the value of r variable after ending the loop cannot be negative, then r & 0x7fffffff operation is not needed to reset the sigh bit and the compiler just returns the value of r variable from the function.

 

PVS-Studio as SAST solution

PVS-Studio is a static application security testing tool (SAST). In other words, the PVS-Studio analyzer detects not only typos, dead code and other errors, but also security weaknesses (potential vulnerabilities).

PVS-Studio as SAST solution

by Andrey Karpov

From the article:

Until recently, in our articles we have positioned PVS-Studio as a tool for detecting errors in code. While we almost never regarded PVS-Studio in a security context. We will try to remedy this situation and take a look at the tool in terms of testing of security applications and DevSecOps practices.

For the convenience of specialists who will use PVS-Studio as a SAST tool, the analyzer provides mappings for its warnings to Common Weakness Enumeration, SEI CERT Coding Standards, and also supports MISRA standard (currently in development).