sast

PVS-Studio 7.09

Therefore, most likely, now each release will be followed by a special note so that users don't miss changes that may be useful to them. What's interesting is that from now on we won't just list everything that was added or improved. Rather, now on the contrary, the purpose is to highlight the most important features in the news to avoid having just a boring list of changes.

PVS-Studio 7.09

by Andrey Karpov

From the article:

New general analysis diagnostics:

  •     V1059. Macro name overrides a keyword/reserved name. This may lead to undefined behavior.
  •     V1060. Passing 'BSTR ' to the 'SysAllocString' function may lead to incorrect object creation.
  •     V1061. Extending 'std' or 'posix' namespace may result in undefined behavior.
  •     V1062. Class defines a custom new or delete operator. The opposite operator must also be defined.
  •     V1063. The modulo by 1 operation is meaningless. The result will always be zero.

PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents

Static code analysis is most effective when changing a project, as errors are always more difficult to fix in the future than at an early stage. We continue expanding the options for using PVS-Studio in continuous development systems. This time, we'll show you how to configure pull request analysis using self-hosted agents in Microsoft Azure DevOps, using the example of the Minetest game.

PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents

by Alexey Govorov

From the article:

The result is a build system based on MSBuild for C++, with Chocolatey for installing PVS-Studio, CMake, and Git. Vcpkg is built for convenient management of the libraries that the project depends on. Also, we have to download the latest version of the Azure Pipelines Agent. To initialize the agent from the ENTRYPOINT Docker file, the PowerShell script 'entrypoint.ps1' is called, to which you need to add the URL of the project's "organization", the token of the agent pool, and the PVS-Studio license parameters....


 

 

PVS-Studio 7.07: Features Overview

The purpose of this article is to give a general overview of the features of the PVS-Studio static analyzer.

PVS-Studio 7.07: Features Overview

by Ekaterina Nikiforova

From the article:

The next command I'd like to talk about is called "Display CWE Codes in Output Window". PVS-Studio is a static application security testing (SAST) tool, which means its warnings can be classified according to the Common Weakness Enumeration (CWE).
 

PVS-Studio 7.05

We're glad to offer to your attention a quick overview of the PVS-Studio 7.05 code analyzer release. The analyzer is enriched with twenty new diagnostics and infrastructure improvements.

PVS-Studio 7.05

by Andrey Karpov

From the article:

The Blame Notifier utility meant to notify developers about the analysis results is now available on all platforms supported by the analyzer (Windows, Linux, macOS). Blame Notifier uses the information from the version control system (SVN, Git, Mercurial) to identify the person who wrote the code that triggered an analyzer warning.

For professors' note: use PVS-Studio to get students familiar with code analysis tools

We provide several options for free PVS-Studio licensing, including the ones for open projects. Specifically for educational purposes, in case if student's works aren't open, the best option is to add the following comment to the code.

For professors' note: use PVS-Studio to get students familiar with code analysis tools

by Andrey Karpov

From the article:

The PVS-Studio analyzer can be regarded as a fine example of a modern static code analysis tool. First, it's a great example to show the abilities of static analysis tools in detecting errors and security defects. Second, you can demonstrate its integration into the software development cycle to enable continuous code control. In its example, you can show integration with such systems as Jenkins, TeamCity, Azure DevOps, SonarQube, Travis CI and others.

Getting Started with the PVS-Studio Static Analyzer for C++ Development under Linux

There are different ways to install PVS-Studio under Linux, depending on your distro type. The most convenient and preferred method is to use the repository, since it allows auto-updating the analyzer upon releasing new versions.

Getting Started with the PVS-Studio Static Analyzer for C++ Development under Linux

by Yuri Minaev

From the article:

Besides strace, you can base the analysis on the compile_commands.json (JSON Compilation Database) file. Many build systems have built-in means of exporting compilation commands, or you could use the BEAR utility to do this. Here's the command to launch the analysis in this case: pvs-studio-analyzer analyze –f /path/to/compile_commands.json

 

Why Static Analysis Can Improve a Complex C++ Codebase

Gradually and imperceptibly we get the situation when C++ projects’ complexity becomes extreme. Unfortunately, now a C++ programmer can’t be on his own.

Why Static Analysis Can Improve a Complex C++ Codebase

by Andrey Karpov

From the article:

Analyzers know more than even professional developers. It has become too difficult to take into account and remember all the nuances when writing code. For instance, if you haven’t specifically read about it, you’ll never guess that calls to memset function for clearing private data sometimes disappear, as from a compiler’s point of view, a call to memset function is redundant. Meanwhile, it is a serious security defect CWE-14 that is detected literally everywhere.

PVS-Studio in the Clouds - Running the Analysis on Travis CI

At the moment, cloud CI systems are a highly-demanded service. In this article, we'll tell you how to integrate analysis of source code into a CI cloud platform with the tools that are already available in PVS-Studio. As an example we'll use the Travis CI service.

PVS-Studio in the Clouds - Running the Analysis on Travis CI

by Oleg Andreev

From the article:

Travis CI is a service for building and testing software that uses GitHub as a storage. Travis CI doesn't require changing of programming code for using the service. All settings are made in the file .travis.yml located in the root of the repository. We'll take LXC (Linux Containers) as a test project for PVS-Studio. It is a virtualization system at the operation system level for launching several instances of the Linux OS at one node. The project is small, but more than enough for demonstration.

PVS-Studio as SAST solution

PVS-Studio is a static application security testing tool (SAST). In other words, the PVS-Studio analyzer detects not only typos, dead code and other errors, but also security weaknesses (potential vulnerabilities).

PVS-Studio as SAST solution

by Andrey Karpov

From the article:

Until recently, in our articles we have positioned PVS-Studio as a tool for detecting errors in code. While we almost never regarded PVS-Studio in a security context. We will try to remedy this situation and take a look at the tool in terms of testing of security applications and DevSecOps practices.

For the convenience of specialists who will use PVS-Studio as a SAST tool, the analyzer provides mappings for its warnings to Common Weakness Enumeration, SEI CERT Coding Standards, and also supports MISRA standard (currently in development).