CodeSonar Release 3.6 Release Notes

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

Release Notes

CodeSonar Release 3.6, patchlevel 0: Release Notes

Major New Features
Notes on Upgrading
Notes on Installing
Other New Features
Other Changes
Details

Major New Features

The major changes in this release are all in support of enhanced result understandability.

CodeSonar applies natural-language annotations to important source code locations in Warning Reports and Source Listings. These annotations include warning description boxes, control-flow and data annotations, and notifications at the locations of other warnings and of parse errors.
In consequence:
- CodeSonar no longer inserts its own code comments into displayed source files.
- Warning reports no longer have a Problems column or Preconditions/Postconditions sections.
- The "Trigger language" is no longer used.
The plug-in API has been modified and extended so that users can design their own annotations for custom warning classes, if desired.
Source code interactivity has been expanded:
- Hover over any procedure, variable, macro, or type name in the listing to view its definition in a definition window. Click to open a menu providing navigation options.
- Hover over any token to highlight all occurrences of that token in the source; click and select Stay highlighted from the menu that appears to make the highlighting 'sticky'.
- Whenever code has been elided, CodeSonar provides and links that you can click to see more context.
Source coloring and path highlighting has been tuned for improved clarity.
When you attempt to view a source file from a superseded analysis, CodeSonar will notify you that only the most recently analyzed version of the file is available, then display this newest version.
A new search term, similar, allows users to specify whether or not they want to see only representative warning instances.

Notes on Upgrading

You may want to see how the upgrade affected your analysis results.
If you have edited any configuration files, see the manual section on updating configuration files.
The Windows installer will not install CodeSonar in a directory that already exists. If you intend to install in the same location as a a previous version of CodeSonar, and you have edited any files in the installation directory, make copies of those files before you uninstall CodeSonar and delete the directory.
Existing analysis results will be preserved when you upgrade, provided that your hub directory is not located under the CodeSonar installation directory. (If it is, move it before you upgrade.)
The plug-in API has changed. If you have authored any of your own plug-ins and want to continue using them, you will need to update them.

Notes on Installing

The Installation manual section provides instructions for installing CodeSonar.

For Windows users without Administrator privileges, some additional steps are required. The simplest solution is to acquire these privileges, but if this is not possible then the additional steps are as follows. Note that non-Administrators are not able to create Windows services, so it will not be possible to run the CodeSonar hub or launch daemon as services.

Make sure you specify an installation directory for which you have write permission. Your home directory is usually a suitable candidate; Program Files usually is not.
If you want to run the CodeSonar build/analysis, an Administrator must install the device driver:
hookcs.exe --uninstall --install
This is not necessary if the installation is only being used to run a hub.

Other New Features

New Warning Class

There is one new warning class: High Risk Loop (disabled by default).

CWE Version

This version of CodeSonar uses CWE v1.8.1 (released April 5, 2010). Some warning class categories have been changed accordingly.

warning mnemonic	new CWE IDs	previous CWE IDs
ALLOC.DI	452, 675	452
ALLOC.RPF	465	none
BADFUNC.BO.STRCAT	120, 242, 251	120, 242
BADFUNC.BO.STRCATCHAINW	120, 242, 251	120, 242
BADFUNC.BO.STRCMP	120, 242, 251	120, 24
BADFUNC.BO.STRCPY	120, 242, 251	120, 24
BADFUNC.BO.STRLEN	120, 242, 251	120, 242
BADFUNC.BO.STRTRNS	120, 242, 251	120, 24
CONCURRENCY.DL	411, 764	411
CONCURRENCY.DU	411, 765	411
IO.DC	672, 675	672
IO.SOCK.STATE	666	none
LANG.CAST.FN	234,628,704	234,628
LANG.CAST.VALUE	172,704	172
LANG.CAST.VARARG	628,704	628
LANG.MEM.BO	120, 788	120, 121, 122, 126
LANG.MEM.BU	786	124, 127
LANG.STRUCT.NTAD	696	none
LANG.STRUCT.PBB	465	none
LANG.STRUCT.PPE	465	none
MISC.MEM.SU	789	none

Other Changes

The set of reserved Extension API attributes has changed.
There are changes to minimum system requirements:
- Windows XP now requires SP2 or later
- Windows 2000 is no longer supported.
SQLite is no longer used as the fallback database implementation, and is no longer supported

Details

Changes To Plug-In API

The CodeSonar Plug-In API has undergone a number of changes to support adding understandability information. If you have developed plug-ins that you wish to continue using, you will need to update them accordingly.

Several functions now have an extra argument:

Modified Function	Notes
csonar_report_warning() csonar_report_location_warning()	Now have an additional cs_report_flags parameter
codesonar:report-point-warning codesonar:report-location-warning	Now have an additional parameter that takes a list of POINT_FLAG.
codesonar:report-path-warning	The format required for the path parameter has changed. It is now a list of triples, where the third element of each triple is a list of PATH_FLAG (not a BOOLEAN).
codesonar:report-locations-warning	Now have an additional parameter that takes a list of LOCATIONS_FLAG.

Some C types have an additional field serving the same purpose:

Modified Type	Notes
cs_cfg_path_node_t cs_locations_node_t	Now have new flags field

Step paths do not have understandability information associated with them. If you wish to add understandability information to a warning based on step path S, then do the following.

Use csonar_step_path_to_list() to retrieve a cs_cfg_path_node_t* representation of S. Call this list L.
For each cs_cfg_path_node_t in L, set the flags and problem fields with the understandability information you want to associate with that path point (if any).
Report the warning with csonar_report_path_warning(), passing L as the warning_path parameter.

Scheme:

Use codesonar:step-path->list to retrieve a list representation of S. Call this L.
Augment every node of L so that it has the [path_point point_msg flags] format required for the path parameter of codesonar:report-path-warning, incorporating the messages and flags that you want to use. Call this augmented list P.
Report the warning with codesonar:report-path-warning, passing P as the path parameter.

Changes to Extension API

The set of reserved Extension API attributes has changed.

New reserved attributes: allocator, escaped, globalalloc_flags, localalloc_flags, locked, open, pool, recently_opened, ssocket, tocttou.
No longer reserved: dereferenced
Full set of reserved attributes is now: alloc, allocator, escaped, freed, globalalloc_flags, initialized, int, localalloc_flags, locked, open, pool, ralloc, recently_opened, ssocket, term, tocttou.