sast

PVS-Studio 7.20: Unreal Engine, SAST, SCA

The bug related to Unreal Engine's inability to find PVS-Studio by the default path is finally fixed. Starting from Unreal Engine 5.0.3. you you can analyze projects without any workarounds. We've also enhanced the analysis of UE projects: you'll see more true warnings and fewer false ones.

PVS-Studio 7.20: Unreal Engine, SAST, SCA

by Sergey Vasiliev

From the article:

New diagnostics for C, C++:

  • V1086. Call of the 'Foo' function will lead to buffer underflow.
  • V1087. Upper bound of case range is less than its lower bound. This case may be unreachable.
  • V1088. No objects are passed to the 'std::scoped_lock' constructor. No locking will be performed. This can cause concurrency issues.
  • V1089. Waiting on condition variable without predicate. A thread can wait indefinitely or experience a spurious wake up.

CWE Top 25 2022. Review of changes

The CWE Top 25 list reflects the most serious software security weaknesses. I invite you to read the updated top list to become aware of the changes happened over the past year.

CWE Top 25 2022. Review of changes

by Mikhail Gelvih

From the article:

Below is a table of correspondence between the CWE Top 25 2022 list and the PVS-Studio diagnostic rules, divided by programming languages. You can always check the most up-to-date table with CWE Top 25 coverage on our website.

PVS-Studio 7.19: C++ analyzer now works better with QNX compilers and Unreal Engine 5

Recently, we have released a new PVS-Studio version — 7.19. In this note, we'll tell you about new features in the analyzer, the enhanced documentation, as well as what to read and... what to play.

PVS-Studio 7.19: what's new?

by Sergey Vasiliev

From the article:

Now, you can use PVS-Studio to analyze projects on Unreal Engine 5. For the most part, projects on UE 5 are analyzed in the same way as projects on UE 4. The difference is described in the documentation.

PVS-Studio 7.16, expanding the horizons: MISRA C, Visual Studio 2022, .NET 6

This is the latest release of PVS-Studio in 2021. With it, the PVS-Studio team accomplishes several important goals. Now, PVS-Studio supports Visual Studio 2022 (.NET 6, C# 10.0). We implemented all diagnostics categorized as Mandatory in MISRA C.

PVS-Studio 7.16, expanding the horizons: MISRA C, Visual Studio 2022, .NET 6

by Andrey Karpov

From the article:

PVS-Studio supports 80% of the MISRA C standard for safety and security. The tool fully covers the warnings categorized as Mandatory and most of the warnings from the Required category.

CWE Top 25 2021. What is it, what is it for and how is it useful for static analysis?

For the first time PVS-Studio provided support for the CWE classification in the 6.21 release. It took place on January 15, 2018. Years have passed since then and we would like to tell you about the improvements related to the support of this classification in the latest analyzer version.

CWE Top 25 2021. What is it, what is it for and how is it useful for static analysis?

by Mikhail Gelvih

From the article:

We have been using the CWE classification for PVS-Studio diagnostics for more than three years. Their number increases every year. In 2018, we covered only 94 points on the CWE list. Now it's almost 130. However, this article isn't about the total number of diagnostics. Let's talk about those that are included in the list of the most dangerous diagnostics in 2021. If you want to read the full list, you can get it in the "CWE compliance" section of our documentation.

Why do you need the MISRA Compliance report and how to generate one in PVS-Studio?

If you are strongly interested in MISRA and would like to understand whether your project meets one of the MISRA association's standards, there is a solution. It's name is MISRA Compliance.

Why do you need the MISRA Compliance report and how to generate one in PVS-Studio?

by Nikolay Mironov

From the article:

To make this simpler, let's take rule 1.1 that has the standard value of the category equal to Required. If you look at the table, you can see that acceptable compliance values for Required are Compliance or Deviations (I'll talk more about the meaning of these statuses later). This means that if your project complies with rule 1.1, or if it complies with this rule with some deviations - everything is fine and you can go to the next rule. If you get at least one hit in Violations or Disapplied, then the project does not comply with MISRA C 2012. If all rules have acceptable values only, congratulations! Your project complies with the MISRA C 2012 standard. If you have a hit in the red zone (the table above), you do not comply with the standard.

PVS-Studio 7.14: CLion, intermodular analysis, MISRA

The PVS-Studio team is increasing the number of diagnostics with each new release. Besides, we are improving the analyzer's infrastructure. This time we added the plugin for JetBrains CLion. Moreover, we introduced intermodular analysis of C++ projects and speeded up the C# analyzer core.

PVS-Studio 7.14: intermodular analysis in C++ and plugin for JetBrains CLion

by Andrey Karpov

From the article:

As the list below shows, most of the diagnostics that we currently implement are based on the MISRA C standard. We focused on the MISRA C support, and now PVS-Studio covers 60% of the standard. Soon, we plan to cover at least 80%. We also want to introduce the support of coding standards from the MISRA C Compliance.

PVS-Studio for JetBrains CLion: ad astra per aspera

The PVS-Studio analyzer already has plugins for such IDEs from JetBrains as Rider, IntelliJ IDEA and Android Studio. Somehow we missed another IDE - CLion. The time has come to make amends!

PVS-Studio for JetBrains CLion: ad astra per aspera

by Evgeniy Ovsyannikov, Sergey Vasiliev

From the article:

Here's an answer to the question that we are discussing - PVS-Studio and CLion collaboration will let us detect more errors at the writing code stage. CLion highlights the errors on the fly, but at the same time is limited in the analysis capabilities. PVS-Studio doesn't highlight errors immediately, but it can perform deeper analysis. Note that PVS-Studio has an incremental analysis – the mode that checks only the changed files.

Integrating PVS-Studio into uVision Keil

I've been using this scenario until one day I spent 3 days debugging a very unpleasant bug. The bug kept savagely appearing from time to time. It turned out to be a banal null pointer dereference. I quickly realized that PVS-Studio detects this bug. That was the final nail in the coffin of my patience! – and started integrating PVS-Studio into Keil.

Integrating PVS-Studio into uVision Keil

by Amomum

From the article:

Keil provides a weird feature – creating a project batch file. I still don't know the purpose of this feature. This batch file contains all the necessary information for PVS-Studio, and it's enabled with a single check mark! Unfortunately, this check mark also breaks the incremental build. That is, any compilation becomes a complete recompilation. It affects the build time, so, unfortunately, it's not an option for us.

Beta-Testing of PVS-Studio Plugin for JetBrains CLion

To fully test the plugin, you'll need to install both the beta plugin version and the C++ core beta version of the analyzer. There are several ways to install the plugin: from the official repository, from the repository on our site, or using Windows PVS-Studio installer. Below we'll tell you in detail how to do this.

Beta-Testing of PVS-Studio Plugin for JetBrains CLion

by Evgeniy Ovsyannikov, Paul Eremeev

From the article:

We usually recommend running full analysis regularly, such as once a day, at night. In addition to nightly analysis, we highly recommend checking new code immediately after writing it. This way you'll get the best advantage of using the analyzer. To do this, use incremental analysis, which works as follows. A project was changed, a developer runs a build. After successful compilation only modified files will be analyzed. Modified files are the ones that have been changed since the previous analysis.