CodeSonar Release 4.0 Release Notes

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

Release Notes

CodeSonar Release 4.0, patchlevel 0: Release Notes

What's New
Customer Tickets Fixed

What's New

Taint Analysis	CodeSonar now includes a taint analysis that tracks the influence of untrusted data on program execution.
Management Reporting	New management reporting functionality provides user-customizable overviews of information from the CodeSonar hub in PDF, HTML, and XML formats.
Eclipse Plug-In	The CodeSonar plug-in for Eclipse allows users to build and analyze CodeSonar projects and examine analysis results from within Eclipse. For more information, see CodeSonar Plug-in for Eclipse.
Visualization Tool Changes	We introduce the notion of visualization mode. The format of the Info panel has changed.
Warning Classes	A number of new warning classes, with particular focus on tainted value tracking and other security concerns.
CWE Version	This version of CodeSonar uses CWE version 2.6, published February 19, 2014.
Auto-Deletion for Old Analyses	Users can configure the CodeSonar hub to automatically delete analyses that are no longer of interest: older than a fixed threshold, superseded by some number of more-recent analyses, or a combination of the two. The conditions for automatic deletion can be specified on a hub-wide or per-project basis, and individual analyses can be exempted from automatic deletion. For more information, see GUI Reference: Analysis Auto-Deletion.
Expanded Search Functionality	Users can now search for projects or analyses.
GUI Changes	A number of new GUI page types, along with modifications to existing page types.
Path Exploration and Checking	CodeSonar now provides on-demand feasibility checking for the paths leading to a warning location. New GUI page types Explore Callers (Source), Explore Callers (Warning), Extended Warning Report, and Search Callers support this functionality. For more information, see Warning Paths and Path Checking.
Decision-Procedure Refinement	CodeSonar's existing analysis result refinement and feasibility checking has been expanded with additional, decision-procedure-based refinement functionality.
Satellite Hubs	It is now possible to start satellite hubs, which do not have their own hub databases, but instead use the hub database belonging to an associated primary hub. For details, see Satellite Hubs.
Library Model Improvements	The library models shipped with CodeSonar have been extended to account for target-specific behaviors. There are many new models, including models for Mac OS X kernel, OpenMP, and LDAP functions.
Contemplate Integration	With additional licensing, the Java analysis can now be extended to include Contemplate ThreadSafe.
New Java Build Options	Several new options for building/analyzing Java projects.
Metrics	Three new built-in metrics, and some changes to metric-related API functions and configuration parameters.
Rank Computation	Changes to the way warning rank is computed; functionality for user customization.
Compiler Models	There are several new compiler models. The Texas Instruments cl6x compiler model has been expanded to serve as a model for additional Texas Instruments compilers. All compiler models define macro __CODESONAR__=1 for CodeSonar projects.
Configuration Parameters	A number of configuration parameters, and modifications to several existing parameters.
API Changes	A number of new API functions. Some plug-in API function names have changed. This version of CodeSonar has beta-level support for a further set of API interfaces in C++, C#, Java, and Python.
AST Changes	Several new normalized and unnormalized C/C++ AST classes, and some minor changes to existing classes.
EDG Upgrade	CodeSonar now uses EDG version 4.8. This provides better C++11 support (fewer parse errors). There are also some useful new front end options.
Concurrency Checking Improvements	Improvements to CodeSonar concurrency checking have eliminated some false positives and false negatives. There are also many new concurrency models.
Assorted Improvements	A number of fixes and component upgrades. Reductions in false positives and false negatives. Compatibility with more STL versions. Various third-party packages have been upgraded.
[Windows only] Important note for users of Symantec Endpoint Protection versions 12.0 and higher: an issue in these versions of Symantec Endpoint Protection can cause problems such that the CodeSonar build/analysis (and possibly other parts of the OS) hangs, attempts to kill spawncs.exe fail, and rebooting is impossible except by pressing the computer's power button. Symantec is working on the issue and expects to fix it later in 2014. Our recommended workaround is to uninstall the "Application and Device Control" component of Symantec Endpoint Protection.

Taint Analysis

CodeSonar now includes a taint analysis that tracks the influence of untrusted data on program execution.

Source code displayed in the following CodeSonar GUI locations is colored to show tainted values in the code.
A number of new C/C++ warning classes make use of the taint analysis.
There are three new built-in taint metrics, all with procedure granularity: Is Taint Sink, Is Taint Source, Propagates Taint. These can be displayed in the CodeSonar visualization tool using the built-in mechanism for metric display.
The CodeSonar Extension API provides programmatic access to taint analysis functionality for use in creating custom checks or extending the coverage of existing checks.

Management Reports

CodeSonar has new management report functionality. Some key features:

Predefined templates for hub-wide, single-project, and single-analysis reports.
PDF, HTML, and XML report formats.
Generate a report directly from the corresponding Home, Project, or Analysis page.
Create and modify templates using the management report template editor.
Import/export functionality for templates.

Management Report Tasks:

Visualization Tool Changes

We introduce the notion of visualization mode: every visualization tool tab is in either basic mode or warning mode, depending on the context in which it was opened. Warning mode tabs have an additional panel - the Warning Path panel - providing path checking functionality and a link to the warning report.

The format of the information presented in the Info panel has changed. For details of the new format, see Visualization Tool Reference: Info Panel.

Warning Classes

New C/C++ Warning Classes

Class	Mnemonic	Enabled by default?
Addition Overflow of Allocation Size	ALLOC.SIZE.ADDOFLOW	no
Addition Overflow of Size	MISC.MEM.SIZE.ADDOFLOW	no
Assignment in Conditional	LANG.STRUCT.CONDASSIG	no
Command Injection	IO.INJ.COMMAND	YES
Empty for Statement	LANG.STRUCT.EBS	YES
Encryption without Padding	MISC.CRYPTO.NOPAD	YES
Format String Injection	IO.INJ.FMT	YES
Hardcoded Authentication	HARDCODED.AUTH	YES
Hardcoded Crypto Key	HARDCODED.KEY	YES
Hardcoded Crypto Salt	HARDCODED.SALT	YES
Hardcoded DNS Name	HARDCODED.DNS	no
LDAP Injection	IO.INJ.LDAP	YES
Leftover Debug Code	LANG.STRUCT.DBG	no
Library Injection	IO.INJ.LIB	YES
Multiplication Overflow of Allocation Size	ALLOC.SIZE.MULOFLOW	no
Multiplication Overflow of Size	MISC.MEM.SIZE.MULOFLOW	no
Plaintext Storage of Password	MISC.PWD.PLAIN	YES
SQL Injection	IO.INJ.SQL	YES
Subtraction Underflow of Allocation Size	ALLOC.SIZE.SUBUFLOW	no
Subtraction Underflow of Size	MISC.MEM.SIZE.SUBUFLOW	no
Tainted Allocation Size	IO.TAINT.SIZE	no
Tainted Configuration Setting	IO.TAINT.CONF	no
Tainted Filename	IO.TAINT.FNAME	no
Tainted Network Address	IO.TAINT.ADDR	no
Tainted Write	IO.TAINT.WRITE	no
Use of SO_REUSEADDR	IO.SOCK.REUSE	YES
Truncation of Allocation Size	ALLOC.SIZE.TRUNC	no
Truncation of Size	MISC.MEM.SIZE.TRUNC	no

New Java Warning Classes

There are new Java warning classes corresponding to Contemplate ThreadSafe rules.

Mnemonic Changes

Class	New Mnemonic	Previous Mnemonic
Integer Overflow of Allocation Size	ALLOC.SIZE.IOFLOW	ALLOC.IOAS
Unreasonable Size Argument	MISC.MEM.SIZE.BAD	MISC.MEM.SU

Other Warning Class Changes

A new, more-sensitive variant of the Buffer Overrun class has been added. The variant is disabled by default (regular Buffer Overrun checking is still enabled by default). To enable it, add the following WARNING_FILTER rule to the project configuration file.

WARNING_FILTER += allow class="2$Buffer Overrun"

Expanded Search Functionality

This version of CodeSonar adds support for searching in two new domains: Analyses and Projects.

domain	search results are...	...each linked to
Analyses	Analyses	the corresponding Analysis page.
Projects	Projects	the Analysis page for the most recent analysis of the project.

These new domains are supported by the same infrastructure as the existing domains (Warnings, Files, Procedures, Metrics, Code).

The Advanced Search and Saved Searches pages now have additional Analyses and Projects tabs.
The domain/scope menu includes options for these domains where appropriate.
There is an analysis search language and a project search language.
There are analysis search results and project search results page types.
Visibility filters "Visible Analyses" and "Visible Projects" apply to appropriate page types, with visibility defaults for new and anonymous users controlled through the Admin Settings page.

GUI changes

There are a number of GUI changes in this version of CodeSonar.

New GUI Page Types

Analysis Search Results	Presents the results of a search in the Analyses domain (new functionality).
Explore Callers (Source)	Allows users to interactively explore the possible execution paths to a selected source location (new functionality).
Explore Callers (Warning)	Allows users to interactively explore the possible execution paths to a warning location (new functionality).
Extended Warning Report	Has all the properties and functionality of a standard warning report, but covers an extended version of the warning's core path.
Management Report Template Editor	Provides functionality for defining new management report templates and modifying existing templates.
Project Search Results	Presents the results of a search in the Projects domain (new functionality).
Search Callers	Allows users to search the paths to a warning, and displays the results.

Modified GUI Page Types

Admin Settings	The Hub Settings tab has a new "Allow satellite hubs?" setting. The Warning Defaults tab has been removed, and its contents moved to the new Analysis Settings tab. The new Analysis Settings tab has the following contents. [Priority \| Finding \| State] for New Warnings selectors (previously on Warning Defaults tab) Share annotations between projects checkbox (previously on Warning Defaults tab). Functionality for setting up global analysis auto-deletion contraints. The Visibility Defaults tab has new settings reflecting the two new search domains: Visible Projects for New and Anonymous Users Visible Analyses for New and Anonymous Users
Advanced Search	Has new Projects and Analyses tabs, for searching in those domains.
Analysis	New Reports section with links for generating analysis-scope management reports and creating/editing management report templates. Analysis Details section now provides functionality for protecting the analysis from auto-deletion.
Home	New Reports section with links for generating hub-scope management reports and creating/editing management report templates. The table of projects has a larger set of available columns, and some column labels have changed.
Project	New Analysis Settings section with functionality for viewing and modifying the analysis auto-deletion settings for the project. New Reports section with links for generating project-scope management reports and creating/editing management report templates. The table of analyses has a larger set of available columns.
Saved Searches	Has new Projects and Analyses tabs, for saved searches in those domains.
Source Listing	Taint marking is applied to the code. A highlight legend is available. Click the line number at a function entry point, then select Explore this function (lite) from the pop-up menu that opens to navigate to an Explore Callers (Source) page for the function.
Warning Report	Warning Details section now provides links to Search Callers and Explore Callers (Warning) pages for the warning. Taint marking is applied to the code excerpt. A highlight legend is available.

Decision Procedure Refinement

Decision procedure refinement aims to filter out some warnings that cannot occur in practice. CodeSonar uses decision procedure refinement in two contexts:

The CodeSonar analysis will perform decision procedure refinement on the core path for each warning. Configuration file parameters provide user control over the treatment of warnings that are determined to be unfeasible, the treatment of warnings for which the decision procedure times out, and the timeout itself.
Decision procedure refinement is also applied during extended path checking.

There are two styles of refinement available: "exact" and "approximate". It can be beneficial to enable both forms of refinement, because the sets of warnings that each can dismiss are incomparable. In this case, the two refinement phases are carried out in sequence.

In exact refinement, the analysis runs the decision procedure on each warning path, handling procedures and loops by splitting the path into separate segments and checking them independently. Exact refinement is controlled by configuration file parameters DP_REFINEMENT_EXACT, DP_REFINEMENT_EXACT_TIMEOUT, DP_REFINEMENT_EXACT_DISMISS, and DP_REFINEMENT_EXACT_DISMISS_TIMEOUT.
In approximate refinement, the analysis runs the decision procedure on each warning path, handling procedures and loops by converting their summaries into SMT formulas. Approximate refinement is controlled by configuration file parameters DP_REFINEMENT_APPROXIMATE, DP_REFINEMENT_APPROXIMATE_TIMEOUT, DP_REFINEMENT_APPROXIMATE_DISMISS, and DP_REFINEMENT_APPROXIMATE_DISMISS_TIMEOUT.

The effects of exact refinement differ from those of approximate refinement.

Exact refinement is less likely to produce false negatives than approximate refinement.
If timeouts are disabled, exact refinement is more likely to produce false positives than approximate refinement. If they are not disabled, there is no predictable relationship between false positive rates for the two.
Approximate refinement typically entails larger decision problems, and with more free variables, than exact refinement. The approximate refinement problems can therefore be significantly more expensive to solve than the exact ones.

Contemplate Integration

With additional licensing, the Java analysis can now be extended to include Contemplate ThreadSafe.

There are new Java warning classes corresponding to Contemplate ThreadSafe rules. Relevant CWE IDs are included in the categories list for each class.
New build options -enable-threadsafe and --threadsafe apply to the Contemplate ThreadSafe analysis.

New Java Build/Analysis Options

There are several new options available for the Java build/analysis.

This release introduces new configuration parameters JAVA_FLAGS_APPEND and JAVA_FLAGS_PREPEND - in most cases we recommend that you specify Java build options through these parameters, rather than directly in your build command.

-keep-raw-output	Instructs CodeSonar to keep the raw output from FindBugs, PMD, and Contemplate ThreadSafe. The raw output will be stored in the /path/to/project-name.prj_files/JFE_X directory.
-findbugs-enable-experimental	Experimental FindBugs warning classes are now disabled by default in the Java analysis. To enable them, use this build/analysis option.
-enable-threadsafe	Enables the Contemplate ThreadSafe analysis (if licensed).
--threadsafe	Specifies command-line options to be passed through to Contemplate ThreadSafe.

Metrics

There are three new built-in metrics, and some changes to metric-related API functions and configuration parameters.

New Built-in Metrics

There are three new built-in metrics, all of which describe taint phenomena.

Metric Changes

The the metric property previously labeled "metric name" is now labeled "metric tag".
- Corresponding plug-in API function names have changed.
  - C: csonar_metric_name() is renamed to csonar_metric_tag()
  - Scheme: codesonar:metric-name is renamed to codesonar:metric-tag
Configuration parameter METRIC_WARNING_RANK is deprecated in favor of METRIC_WARNING_BASE_RANK. See Rank Computation below for more information.

Compiler Models

All compiler models now define macro __CODESONAR__=1 for CodeSonar projects. Use __CODESONAR__ in preference to __CSURF__.

The following models have been added/extended.

cl6x	expanded	model forTexas Instruments TMS320C6000 Optimizing C/C++ Compiler has been expanded to work with armcl, cl430, cl470, cl55, or cl2000. Use COMPILER_MODELS rules to instruct CodeSonar to use the cl6x model for those compilers.
chc12	new	model for Freescale CodeWarrior for HC12 compiler.
iccgeneric	new	generic model for use with IAR compilers that are not modeled by the iccarm, iccm32c, or icc430 models.
mwccmcf	new	model for Freescale CodeWarrior for ColdFire compiler.
qcc	new	model for QNX SDP C/C++ compiler.
visualdsp	new	model for VisualDSP++ compilers for SHARC, TigerSHARC and Blackfin processors.

Rank Computation

CodeSonar computes and reports Rank in order to suggest a review order for warnings: warnings with a smaller Rank value before warnings with a larger Rank value.

Rank is a composite of several factors:

The likelihood that the warning represents a true positive.
The severity of the problem being warned about; in particular, whether it is security-related.
The complexity of the warning, with more-complex warnings generally receiving larger Rank values than less-complex warnings - more-complex warnings take longer to review and diagnose, so it is typically preferable to address less-complex warnings first.

Rank is determined as follows:

CodeSonar determines the base rank for the warning.
- For warning classes defined using configuration file BAD_FUNCTION_* rules, the base rank is specified by BAD_FUNCTION_BASE_RANK.
- For warning classes defined using configuration file METRIC_WARNING_* rules, the base rank is specified by METRIC_WARNING_BASE_RANK.
- For warning classes defined using the CodeSonar Plug-in API, the base rank is specified as an argument to csonar_create_warningclass() (C) / codesonar:create-warningclass (Scheme).
- For Java warnings reported by PMD, the base rank is scaled from the PMD priority value.
- For Java warnings reported by FindBugs^™, the base rank is scaled from the Findbugs rank value.
- For other built-in warning classes, the base rank is computed internally by CodeSonar.
Starting with this base rank, CodeSonar applies all the adjustment rules in $CSONAR/codesonar/py/hub/codesonar/rank_rules.py whose @pattern matches the properties of the warning.
The resulting value is the Rank.

You can use the CodeSonar SQL query mechanism to investigate Rank values on the hub. For example, to see the Rank distributions for different warning classes in the analysis with Analysis ID 5:

select cs_warningclass.label_xml, 
       min(cs_warninginstance.rank),
       avg(cs_warninginstance.rank), 
       stddev(cs_warninginstance.rank),
       count(cs_warninginstance.rank) 
  from cs_warninginstance,
       cs_warninginstdata, 
       cs_warningclass 
  where cs_warninginstance.data_id=cs_warninginstdata.id and
        cs_warningclass.id=cs_warninginstdata.warningclass_id and
        analysis_id=5
  group by cs_warningclass.label_xml 
  order by min(cs_warninginstance.rank)

Previously-existing rank-related configuration file parameters have been deprecated in favor of new parameters with the same functionality but more explicit names that clarify their roles in rank computation.

BAD_FUNCTION_RANK is deprecated in favor of BAD_FUNCTION_BASE_RANK.
METRIC_WARNING_RANK is deprecated in favor of METRIC_WARNING_BASE_RANK.

Configuration Parameters

New Configuration Parameters

Parameter	Purpose
BAD_FUNCTION_BASE_RANK	Replaces BAD_FUNCTION_RANK (now deprecated).
CSHARP_PLUGIN_DOTNET_VERSION CSHARP_PLUGINS	Handling for C# plug-ins. (See New API Languages below.)
DISABLED_TAINT_KINDS	Specifies a set of taint kinds that should be ignored by the taint analysis.
DIV_BY_ZERO_CRASHES	Specifies whether integer division by zero terminates execution or merely results in an unknown value.
DIV_OVERFLOW_CRASHES	Specifies whether signed integer division overflow (e.g., -1 / MIN_INT) should be treated as if it terminates execution, when using 32-bit or wider division.
DP_REFINEMENT_APPROXIMATE DP_REFINEMENT_APPROXIMATE_DISMISS DP_REFINEMENT_APPROXIMATE_DISMISS_TIMEOUT DP_REFINEMENT_APPROXIMATE_TIMEOUT	Specify various aspects of "approximate" decision procedure refinement.
DP_REFINEMENT_EXACT DP_REFINEMENT_EXACT_DISMISS DP_REFINEMENT_EXACT_DISMISS_TIMEOUT DP_REFINEMENT_EXACT_TIMEOUT	Specify various aspects of "exact" decision procedure refinement.
HARDCODED_ARGS_REGEX HARDCODED_ARGS_LIST HARDCODED_ARGS_CLASS_NAME HARDCODED_ARGS_CATEGORIES HARDCODED_ARGS_BASE_RANK	Used together to specify functions with arguments that should never be hardcoded, and warnings to issue if hardcoded arguments are used.
JAVA_FLAGS_APPEND JAVA_FLAGS_PREPEND	Specifies options to append/prepend to the list passed to the Java build/analysis command.
JAVA_ENABLE_FINDBUGS	Specifies whether FindBugs should be run by default during Java analyses.
JAVA_ENABLE_PMD	Specifies whether PMD should be run by default during Java analyses.
JAVA_ENABLE_THREADSAFE	Specifies whether Contemplate ThreadSafe should be run (if licensed) by default during Java analyses.
JAVA_PLUGIN_CLASSES JAVA_PLUGIN_CLASSPATH JAVA_PLUGIN_JVM	Handling for Java plug-ins. (See New API Languages below.)
LOOP_COUNTER_DISTRUST	Specifies how suspicious CodeSonar should be about the value of loop counters in loops whose exact iteration counts are not known.
MAX_ALLOCATION_SIZE	Specifies the largest allocation size that can be successfully satisfied on the target platform.
MAX_FAILED_UNITS_OF_WORK	Specifies how many units of work may be failed before the master should terminate the analysis.
MEMORY_PER_ANALYSIS_PROCESS	An estimate of how much physical memory (in megabytes) each analysis process will use.
METRIC_WARNING_BASE_RANK	Replaces METRIC_WARNING_RANK (now deprecated).
NULL_POINTER_DEREF_CRASHES	Specifies whether dereferences of addresses below the NULL_POINTER_THRESHOLD will terminate execution.
OVERFLOWN_SIZE_UPPER_BOUND	Specifies an upper bound on the allowed "size" in some integer overflow warning classes. If the resulting "size" will always exceed the upper bound, then the warning will be dropped.
TAINT_MAX_CHECKED_INPUTS_PER_PROCEDURE	For the taint analysis, specifies how many inputs to a procedure can be checked at call sites.
TAINT_MAX_CHECKED_TAINT_KINDS_PER_PROCEDURE	For the taint analysis, specifies the maximum number of taint kinds for which there can be checks against a single procedure's inputs.
TAINT_MAX_EXPRESSION_COMPLEXITY	For the taint analysis, a threshold for expression complexity.
TAINT_MAX_MODIFIED_VALUES	For the taint analysis, specifies a per-procedure bound on the number of modified values (outputs) that CodeSonar will keep track of in procedure summaries.
TAINT_MAX_SET_CARDINALITY	For the taint analysis, specifies the maximum size of a points-to set.
TAINT_TRIGGER_ON_GLOBALS	For the taint analysis, specifies whether to track global variables.
TIME_LIMIT_DATA_RACE_PATH_SEARCH_PER_PROCEDURE	Milliseconds the analysis may spend per procedure on data race search.
TRACK_TAINTED_VALUES	For the taint analysis, specifies the level of tainted-value tracking performed.

Changes to Existing Configuration Parameters

Parameter	Changes
BAD_FUNCTION_RANK	Deprecated in favor of BAD_FUNCTION_BASE_RANK.
MAX_CHECK_COMPLEXITY	Factory setting is now 10.
MAX_EXPRESSION_COMPLEXITY	Factory setting is now 24. Note also that expression complexity in the taint analysis is bounded instead by TAINT_MAX_EXPRESSION_COMPLEXITY.
MAX_MODIFIED_VALUES	Note that the number of modified values in the taint analysis is bounded instead by TAINT_MAX_MODIFIED_VALUES.
METRIC_FILTER	New <matcher>: =~ (Boost-style regular expression match)
METRIC_WARNING_RANK	Deprecated in favor of METRIC_WARNING_BASE_RANK.
NON_TERMINATING_LOOP_MARK	Factory setting no longer excludes loops of the form for(;;){...} and while(1){...} from Potential Unbounded Loop checks.
PLUGINS	Can now also be used to load Python plug-ins. (See New API Languages below.)
WARNING_FILTER	New <rule>s: line_contents <matcher> <string> listing_xml <matcher> <string> (replaces path_listing <matcher> <string>) path_start_procedure <matcher> <string> path <matcher> <string> Modified <rule>s: file <matcher> <string> now matches against the basename of the warning end point file, not the full path. An alert will be generated if path separators are found in a file rule New <matcher>: =~ (Boost-style regular expression match)

API changes

API changes are described below.

New API languages
Extension API Changes
Plug-In API Changes
General Purpose API Changes

[BETA] New API languages

This version of CodeSonar has beta-level support for a further set of API interfaces in C++, C#, Java, and Python. For information, see the notes on API Languages.

Extension API

There are several new functions and prototypes.

Function	Notes
cs_untrusted_untainted_value()	Provides a statically unknowable, tainted integer that will be treated as adversarial, but does not carry any taint.
cs_untrusted_value()	Provides a statically unknowable, tainted integer that will be treated as adversarial. We recommend cs_untrusted_value() over CSM_INPUT_SOURCE() in all situations; CSM_INPUT_SOURCE() will likely be deprecated in a future version.
CSM_SETS_ERRNO_TO_NONZERO()	Models the setting of errno to some non-zero value.
csonar_bounded_value()	Use to specify bounds on a value.
CSONAR_DEFINE_TAINT_SOURCE() csonar_assert_taint_enabled() csonar_assert_taint_disabled() csonar_string_taint() csonar_taint_clear_ <NAME_OF_ATTRIBUTE> csonar_taint_mux() csonar_taint_sink() csonar_taint_source_kname() csonar_taint_source_any() csonar_taint_source_any_no_time() csonar_taint_transfer() csonar_taint_union2 () .. csonar_taint_union9() csonar_wcstring_taint()	Provide programmatic access to taint tracking functionality. For more information, see Taint Models.

Plug-In API

Changes to the C version of the Plug-In API.

New C Plug-In API functions
	csonar_access_path_operator_name()	Get the name of a cs_access_path_operator.
	csonar_analysis_mode_name()	Get the name of a csonar_analysis_mode.
	csonar_multiprocess_mode_name()	Get the name of a csonar_multiprocess_mode.
	csonar_create_warningclass_ex()	Creates a new warning class, passes it back in an out-parameter and returns a cs_result.
	csonar_csonar_metric_flags()	Retrieve the flags for a cs_metricclass_t.
	csonar_csonar_metric_tag()	Replaces csonar_metric_name()
	csonar_warningclass_lookup_by_name()	Get the cs_metricclass_t with the specified name.
	csonar_warningclass_name()	Get the name of the specified warning class.
	csonar_xform_query_result_name()	Get the name of a cs_xform_query_result.
	csonar_xform_operator_name()	Get the name of a cs_xform_operator.
Modified C Plug-In API functions
	csonar_add_abs_loc_visitor() csonar_add_cache_cleanup_visitor() csonar_add_global_abs_loc_drop_visitor() csonar_add_pdg_bottom_up_finish_visitor() csonar_add_pdg_bottom_up_visitor() csonar_add_pdg_drop_visitor() csonar_add_pdg_finish_visitor() csonar_add_pdg_vertex_bottom_up_visitor() csonar_add_pdg_vertex_visitor() csonar_add_pdg_visitor() csonar_add_program_bottom_up_visitor() csonar_add_program_finish_visitor() csonar_add_program_drop_finish_visitor() csonar_add_program_drop_visitor() csonar_add_program_visitor() csonar_add_setup_visitor() csonar_add_sf_finish_visitor() csonar_add_sf_visitor() csonar_add_sfi_finish_visitor() csonar_add_sfi_visitor() csonar_add_step_bottom_up_visitor() csonar_add_uid_drop_visitor() csonar_add_uid_finish_visitor() csonar_add_uid_visitor()	All now: take a cs_visitor_ctx_t argument where previously they took visitor_ctx_t return cs_result (previously returned void)
	csonar_report_metric_file() csonar_metric_getvalue_file() csonar_metric_retract_file()	Now all take cs_sf arguments where previously they took cs_sfid.
	csonar_warningclass_lookup()	Now takes two arguments (previously took one).
Deleted C Plug-In API functions
	csonar_metric_name()	Replaced by csonar_csonar_metric_tag().

Changes to the Scheme version of the Plug-In API.

New Scheme Plug-In API functions
	codesonar:metric-flags	Retrieve the flags for a METRIC_CLASS.
	codesonar:metric-tag	Replaces codesonar:metric-name.
	codesonar:warningclass-lookup-by-name	Find the WARNINGCLASS with the specified name.
Modified Scheme Plug-In API functions
	codesonar:metric-get-value codesonar:metric-retract codesonar:report-metric	Now all take SF arguments where previously they took SFID.
Deleted Scheme Plug-In API functions
	codesonar:metric-name	Replaced by codesonar:metric-tag.

General Purpose API Changes

New General Purpose API functions
	cs_abs_loc_friendly_string()	Get the user-friendly variable name of a cs_abs_loc.
	cs_abs_loc_hash_seed()	Seeded hash function for cs_abs_loc.
	cs_abs_loc_represented_string_string()	Get the string representation of a cs_abs_loc.
	cs_abs_loc_string()	Get the variable name of a cs_abs_loc.
	cs_abs_loc_temp_source_string()	Given a temporary variable cs_abs_loc, get a string containing the pretty-printed unnormalized C/C++ AST for that cs_abs_loc.
	cs_ast_field_type_name()	Get a string representation of a cs_ast_field_type.
	cs_ast_pattern_incr()	Increment the reference count for a cs_ast_pattern.
	cs_ast_string()	Get a pretty-printed version of a cs_ast.
	cs_basic_block_cfg_edge_set_empty()	Check: is the specified cs_const_basic_block_cfg_edge_set empty?
	cs_basic_block_cfg_edge_set_member()	Check: is the specified cs_basic_block_cfg_edge_set a member of the specified cs_const_basic_block_cfg_edge_set?
	cs_cfg_edge_set_empty()	Check: is the specified cs_cfg_edge_set empty?
	cs_cfg_edge_set_member()	Check: is the specified cs_cf_edge a member of the specified cs_cfg_edge_set?
	cs_edge_label_string()	Get the string representation of a cs_edge_label.
	cs_labeled_pdg_edge_set_empty()	Check: is the specified cs_labeled_pdg_edge_set empty?
	cs_labeled_pdg_edge_set_member()	heck: is the specified cs_labeled_pdg_edge a member of the specified cs_labeled_pdg_edge_set?
	cs_language_name()	Retrieve the name of a cs_language.
	cs_metric_get_dependencies() (Scheme: metric-get-dependencies)	For a derived metric, get a list of the metrics whose values are used to compute the metric
	cs_metric_tag()	Replaces cs_metric_name().
	cs_pdg_edge_set_cardinality()	Return the number of elements in a cs_pdg_edge_set.
	cs_pdg_edge_set_empty()	Check: is the specified cs_const_pdg_edge_set empty?
	cs_pdg_edge_set_member()	Check: is the specified cs_pdg_edge a member of the specified cs_const_pdg_edge_set?
	cs_pdg_friendly_string()	Get the user-friendly name of the procedure associated with a cs_pdg.
	cs_pdg_string()	Get the name of the procedure associated with a cs_pdg.
	cs_pdg_vertex_condition_number()	Given a cs_pdg_vertex, get its condition number.
	cs_pdg_vertex_source_pp()	Given a cs_pdg_vertex, get a string containing a pretty printed version of the vertex.
	cs_pdg_vertex_source_pp_string()	Given a cs_pdg_vertex, return a string containing a pretty printed version of the vertex.
	cs_pdg_vertex_string()	Get a string representation of a cs_pdg_vertex, containing information useful for debugging.
	cs_scratchpad_bytes()	Get the current size of the scratchpad.
	cs_scratchpad_resize()	Set the size of the scratchpad.
	cs_sf_string()	Get the absolute path name for a source file.
	cs_sfid_hash_seed()	Seeded hash function for cs_sfid.
	cs_sfid_string()	Get the absolute path name for a source file instance.
	cs_uid_filename_string()	Get the absolute path name for a compilation unit.
	cs_uid_language_string()	Get the name of a compilation unit's language.
	cs_xref_query_iter_first() cs_xref_query_iter_next() cs_xref_query_iter_close()	For iterating over the results of a cs_xref_query.
Modified General Purpose Plug-In API functions
	cs_file_language() cs_uid_create()	Now take cs_language arguments where previously they took cs_string or cs_const_string (and sometimes additional capacity arguments as well).
	cs_metric_register_file_closure() cs_metric_create_derived() cs_metric_getvalue_file() typedef cs_metric_calc_file_fn_t typedef cs_metric_should_use_file_fn_t	Type signature changes.
	cs_abs_loc_set_create() cs_basic_block_set_create()	Return CS_ERROR_CODESURFER_ONLY when called from CodeSonar with cs_set_kind_trie as the set_kind argument.
	cs_f_pred() cs_f_succ() cs_pdg_vertex_cfg_predecessors() cs_pdg_vertex_cfg_successors() cs_pdg_vertex_inter_sources() cs_pdg_vertex_inter_targets() cs_pdg_vertex_set_create() cs_pdg_vertex_set_cycle() cs_s_chop() cs_s_fast_chop() cs_s_forward_slice() cs_s_forward_slice_in() cs_s_forward_slice_out() cs_s_predecessors() cs_s_slice() cs_s_slice_in() cs_s_slice_out() cs_s_successors() cs_s_truncated_chop() cs_s_var_chop() cs_s_var_fast_chop() cs_s_var_forward_slice() cs_s_var_predecessors() cs_s_var_slice() cs_s_var_successors() cs_s_var_truncated_chop() cs_set_interest_sets()	Always return CS_ERROR_CODESURFER_ONLY when called from CodeSonar.
Deleted General-Purpose API functions
	cs_metric_name() (Scheme: metric-name)	Replaced by cs_metric_tag(). (Scheme: metric-tag)

AST changes

Unnormalized C/C++ ASTs

New classes

alignof expressions	cc:alignof cc:alignof-type cc:alignof-expr
type traits	cc:is-destructible cc:is-final cc:is-nothrow-assignable cc:is-nothrow-destructible cc:is-trivially-assignable cc:is-trivially-constructible cc:is-trivially-destructible
C++/CLI boxing /unboxing	cc:box cc:handle-to-box cc:unbox cc:unbox-lvalue
for statements	cc:enhanced-for cc:range-based-for
noexcept expressions	cc:ctp-noexcept cc:noexcept
Other constructs	cc:braced-init-list cc:cli-subscript cc:ctp-destructor cc:delegation-constructor-init cc:gcnew cc:handle-to cc:pragma-weak

Field changes.

The following classes have one or more new fields.
cc:for-each : most fields now belong to new class cc:enhanced-for (and thus are inherited by cc:for-each).

Hierarchy changes.

New class cc:enhanced-for is now the superclass of cc:for-each.

Normalized C/C++ ASTs

New classes

alignof expressions	c:alignof c:alignof-expr c:alignof-type
noexcept expressions	c:noexcept-expr
(for internal use)	c:csm-field-exists c:csm-named-value c:csm-type c:csm-type-qualifiers

Field changes. The following classes have one or more new fields.

EDG Upgrade

CodeSonar now uses EDG version 4.8. This provides better C++11 support (fewer parse errors).

There are also some useful new front end options:

new front end options:

Customer Tickets Fixed

2882	Comparing large unsigned ints doesn't work	fixed
5285	FP: Unsigned required to be negative	fixed
6781	FP: Redundant Condition due to treating unsigned short as signed	fixed
8417	Add instructions to use CodeSonar with Hudson and Jenkins	see manual sections Using CodeSonar With Hudson, Using CodeSonar With Jenkins
8765	FP: leak with std::shared_ptr	fixed
9298	Add description for WARNING_FILTER rules	see manual section Compiler-Independent Configuration File Parameters: WARNING_FILTER
9339	Rename WARNING_FILTER categories to match search languag	see Changes to Existing Configuration Parameters above
10319	Hub interprets "anon sessions" : 0 as unlimited anonymous sessions	fixed
10399	NullPointerException with null charset name for input source charset	fixed
10475	Bad derived metric should generate alert	fixed
10529	cshub start service failure if denied access to stdout.txt	fixed
10533	FN: buffer overrun with std::array and std::copy	fixed
10560	Preserve raw FindBugs and PMD output	see New Java Build/Analysis Options above
10671	bad error_msg.txt reference	fixed
10749	ir_query_initialize_once unconditionally checks for a debug license	fixed