March 19-21, Madrid, Spain
April 1-4, Bristol, UK
June 16-21, Sofia, Bulgaria
By Andrey Karpov | May 16, 2020 05:40 AM | Tags: static analyzer sonarqube sast pvs-studio devops cwe
The purpose of this article is to give a general overview of the features of the PVS-Studio static analyzer.
PVS-Studio 7.07: Features Overview
by Ekaterina Nikiforova
From the article:
The next command I'd like to talk about is called "Display CWE Codes in Output Window". PVS-Studio is a static application security testing (SAST) tool, which means its warnings can be classified according to the Common Weakness Enumeration (CWE).
By Andrey Karpov | Apr 17, 2020 02:10 AM | Tags: visual c++ pvs-studio concepts c++20
The PVS-Studio team is now working remotely and continuing to actively develop the product by adding new features and diagnostics. We write articles, for example, about the GCC 10 check or the DeepCode review. Sure, we continue pushing out releases.
PVS-Studio 7.07
by Svyatoslav Razmyslov
From the article:
In between the analyzer releases, Microsoft pushed out several updates for the Visual C++ compiler, which comprised initial support of the C++20 standard, for example, concepts. Unfortunately, when running the analyzer some users stumbled upon the error V003 - Unrecognized error found. We're glad to inform that this error is fixed in PVS-Studio 7.07. Concepts are supported.
By Andrey Karpov | Mar 5, 2020 01:49 PM | Tags: pvs-studio platformio embedded
Recently, the PlatformIO development environment of embedded systems has supported PVS-Studio. In this article, you'll find out how to check your code with the static analyzer on the example of open project.
PVS-Studio Integration in PlatformIO
by Alexey Govorov
From the article:
In the /arduino/AP_Utils/examples/ directory, there are several examples of programs for configuring and running the hexapod, we'll use servo_test.ino. Basically, the program for Arduino is created as sketches in the INO format, which in this case is not quite suitable. In order to make the correct .cpp file from it, it is usually enough to change the file extension, add the #include <Arduino.h> header at the beginning, and make sure that functions and global variables are declared before accessing them.
By Andrey Karpov | Dec 19, 2019 07:47 AM | Tags: pvs-studio open source bugs
Another year is drawing to an end, and it's a perfect time to make yourself a cup of coffee and reread the reviews of bugs collected across open-source projects over this year.
Top 10 Bugs Found in C++ Projects in 2019
by Maxim Zvyagintsev
From the article:
float yScale = 1.0 / tan((3.141592538 / 180.0) * fov / 2);There's a tiny typo in the Pi number (3,141592653...): the number "6" is missing at the 7th decimal place.
By Andrey Karpov | Oct 4, 2019 01:30 AM | Tags: tool static code analysis sast pvs-studio education
We provide several options for free PVS-Studio licensing, including the ones for open projects. Specifically for educational purposes, in case if student's works aren't open, the best option is to add the following comment to the code.
For professors' note: use PVS-Studio to get students familiar with code analysis tools
by Andrey Karpov
From the article:
The PVS-Studio analyzer can be regarded as a fine example of a modern static code analysis tool. First, it's a great example to show the abilities of static analysis tools in detecting errors and security defects. Second, you can demonstrate its integration into the software development cycle to enable continuous code control. In its example, you can show integration with such systems as Jenkins, TeamCity, Azure DevOps, SonarQube, Travis CI and others.
By Andrey Karpov | Aug 6, 2019 02:00 AM | Tags: static code analysis sast pvs-studio linux devtool devops
There are different ways to install PVS-Studio under Linux, depending on your distro type. The most convenient and preferred method is to use the repository, since it allows auto-updating the analyzer upon releasing new versions.
Getting Started with the PVS-Studio Static Analyzer for C++ Development under Linux
by Yuri Minaev
From the article:
Besides strace, you can base the analysis on the compile_commands.json (JSON Compilation Database) file. Many build systems have built-in means of exporting compilation commands, or you could use the BEAR utility to do this. Here's the command to launch the analysis in this case: pvs-studio-analyzer analyze –f /path/to/compile_commands.json
By Andrey Karpov | Jun 28, 2019 12:12 PM | Tags: travis ci sast pvs-studio docker devsecops
At the moment, cloud CI systems are a highly-demanded service. In this article, we'll tell you how to integrate analysis of source code into a CI cloud platform with the tools that are already available in PVS-Studio. As an example we'll use the Travis CI service.
PVS-Studio in the Clouds - Running the Analysis on Travis CI
by Oleg Andreev
From the article:
Travis CI is a service for building and testing software that uses GitHub as a storage. Travis CI doesn't require changing of programming code for using the service. All settings are made in the file .travis.yml located in the root of the repository. We'll take LXC (Linux Containers) as a test project for PVS-Studio. It is a virtualization system at the operation system level for launching several instances of the Linux OS at one node. The project is small, but more than enough for demonstration.
By Andrey Karpov | Dec 10, 2018 05:25 AM | Tags: pvs-studio misra c++ misra c misra devtools devsecops devops
Starting with the version 6.27, the PVS-Studio static code analyzer can classify its warnings according to MISRA C and MISRA C++ standards. Due to support of these standards it has become possible to effectively use the analyzer to increase the level of security, portability and reliability of programs for embedded systems.
PVS-Studio: Support of MISRA C and MISRA C++ Coding Standards
by Andrey Karpov
From the article:
Such diagnosis can't be applied to already existing projects developed for Windows, Linux or macOS operating systems. For example, only one rule about curly brackets described above gives 1947 warnings of the V2507 diagnostic (MISRA C 15.6, MISRA C++ 6-4-1) for a WinMerge project. Still WinMerge is a small project! In total, only 250 000 lines of code in C and C# languages.
By Andrey Karpov | Nov 21, 2018 02:00 AM | Tags: static code analysis pvs-studio c++ bugs
The PVS-Studio analyzer is gradually becoming more complicated but these changes can be hardly described in a Release-history. For example, this year we have consistently implemented symbolic computations in the analyzer. This is why it was agreed to write a note on algorithms and technologies, which PVS-Studio now uses to search for errors and potential vulnerabilities.
Technologies used in the PVS-Studio code analyzer for finding bugs and potential vulnerabilities
by Andrey Karpov
From the article:
Here a mixture of technologies is working: data flow analysis, symbolic execution, and automatic method annotation (we will cover this technology in the next section). The analyzer sees that X variable is used in the Div function as a divisor. On this basis, a special annotation is built for the Div function. Further it is taken into account that in the function a range of values [0..4] is passed as the X argument. The analyzer comes to a conclusion that a division by 0 has to occur.
By Andrey Karpov | Oct 18, 2018 04:50 AM | Tags: waf undefined behavior pvs-studio gcc devsecops devops auto
This new release included many interesting improvements related to analysis of C and C++ code, about which we'd like to tell our users.
PVS-Studio 6.26 Released
by Andrey Karpov
From the article:
A developer believes that this is a bug in the compiler. Nevertheless, it is the author of the code who is wrong. The function does not work correctly due to the fact that undefined behavior occurs in it. The compiler follows that in the
rvariable a certainsumis calculated. Overflow of thervariable must not happen. Otherwise, it is undefined behavior, which doesn't have to be considered or taken into account by a compiler. So, the compiler thinks that since the value of r variable after ending the loop cannot be negative, thenr & 0x7fffffffoperation is not needed to reset the sigh bit and the compiler just returns the value ofrvariable from the function.