sast

Getting Started with the PVS-Studio Static Analyzer for C++ Development under Linux

There are different ways to install PVS-Studio under Linux, depending on your distro type. The most convenient and preferred method is to use the repository, since it allows auto-updating the analyzer upon releasing new versions.

Getting Started with the PVS-Studio Static Analyzer for C++ Development under Linux

by Yuri Minaev

From the article:

Besides strace, you can base the analysis on the compile_commands.json (JSON Compilation Database) file. Many build systems have built-in means of exporting compilation commands, or you could use the BEAR utility to do this. Here's the command to launch the analysis in this case: pvs-studio-analyzer analyze –f /path/to/compile_commands.json

 

Why Static Analysis Can Improve a Complex C++ Codebase

Gradually and imperceptibly we get the situation when C++ projects’ complexity becomes extreme. Unfortunately, now a C++ programmer can’t be on his own.

Why Static Analysis Can Improve a Complex C++ Codebase

by Andrey Karpov

From the article:

Analyzers know more than even professional developers. It has become too difficult to take into account and remember all the nuances when writing code. For instance, if you haven’t specifically read about it, you’ll never guess that calls to memset function for clearing private data sometimes disappear, as from a compiler’s point of view, a call to memset function is redundant. Meanwhile, it is a serious security defect CWE-14 that is detected literally everywhere.

PVS-Studio in the Clouds - Running the Analysis on Travis CI

At the moment, cloud CI systems are a highly-demanded service. In this article, we'll tell you how to integrate analysis of source code into a CI cloud platform with the tools that are already available in PVS-Studio. As an example we'll use the Travis CI service.

PVS-Studio in the Clouds - Running the Analysis on Travis CI

by Oleg Andreev

From the article:

Travis CI is a service for building and testing software that uses GitHub as a storage. Travis CI doesn't require changing of programming code for using the service. All settings are made in the file .travis.yml located in the root of the repository. We'll take LXC (Linux Containers) as a test project for PVS-Studio. It is a virtualization system at the operation system level for launching several instances of the Linux OS at one node. The project is small, but more than enough for demonstration.

PVS-Studio as SAST solution

PVS-Studio is a static application security testing tool (SAST). In other words, the PVS-Studio analyzer detects not only typos, dead code and other errors, but also security weaknesses (potential vulnerabilities).

PVS-Studio as SAST solution

by Andrey Karpov

From the article:

Until recently, in our articles we have positioned PVS-Studio as a tool for detecting errors in code. While we almost never regarded PVS-Studio in a security context. We will try to remedy this situation and take a look at the tool in terms of testing of security applications and DevSecOps practices.

For the convenience of specialists who will use PVS-Studio as a SAST tool, the analyzer provides mappings for its warnings to Common Weakness Enumeration, SEI CERT Coding Standards, and also supports MISRA standard (currently in development).