| CodeSonar® 9.0p0 Hot Tips | CONFIDENTIAL | CodeSecure Inc |
Official release date: August 15, 2018.
If you are upgrading from a version before 4.5: When you upgrade your hub, you will be prompted to set the password for the special Administrator hub user account when the hub restarts. This will replace the previous Administrator password. You can reuse your previous Administrator password if it meets the hub password requirements specified in the Settings: Password Policy tab.
| Change | Summary |
|---|---|
| RBAC Roles are Securable Resources | RBAC Roles are now securable resources, with access controlled by the ROLE_* permissions. |
| C# Analysis | CodeSonar can now build and analyze projects based on C# projects. |
| Contemplate ThreadSafe Integration Discontinued | The ability to buy additional licensing to extend the CodeSonar Java analysis to include Contemplate ThreadSafe analysis has been discontinued. |
| Eclipse Integration Extended | Restrictions that applied in previous releases have been addressed. |
| New Visual Studio Integration | The CodeSonar plug-in for Visual Studio allows users to build and analyze CodeSonar projects and examine analysis results from within Microsoft Visual Studio. For more information, see CodeSonar Plug-in for Visual Studio. |
| Warning Classes | C/C++: a number of new warning classes related to math library usage. C#: a suite of new warning classes corresponding to FxCop rules. This version of CodeSonar uses CWE v3.1 (released March 29, 2018). |
| Copy-Paste Error Plug-in | CodeSonar v5.0p0 introduces a checker for errors introduced by copying and pasting C and C++ code. These errors are reported as warnings of class "Copy-Paste Error". In this version, the check is provided by a plug-in and activated using the cperror preset. In future versions, the check will be available in the standard CodeSonar analysis (rather than in a plug-in) and the "Copy-Paste Error" documentation will be in the CodeSonar manual. More information is available in the CodeSonar Customer Community: select Advanced Features from the list of help topics, then Copy-Paste Error Plug-in from the subtopic list on the Advanced Features page. |
| Configuration parameters | Parameter JAVA_ENABLE_THREADSAFE has been removed. Several new parameters have been added. |
| Presets | Preset java_threadsafe has been removed. New preset intro disables some warning classes that are less likely to indicate serious defects. |
| Build/Analysis Options | Several changes. |
| C/C++ Parser Upgrade | CodeSonar now uses EDG version 4.14. This entails some changes to C and C++ ASTs. |
| Compiler Models | Changes in several models. |
| Search Languages | New analysis search language term type state-condition supports search by Analysis State. Analysis State has been added to the set of fields compared against when an analysis search term is a plain word or quoted string. New warning search language field-name fingerprint supports search by warning Fingerprint. Fingerprint has been added to the set of fields compared against when a warning search term is a plain word or quoted string. |
| API Changes | A number of additions, removals, and modifications. |
| New SARIF Importer Plug-in | See section SARIF Importer for details. |
| greppo.py and fb.py Removed | The greppo.py and fb.py scripts are no longer provided or supported. The fb.py script has long been superseded by the inclusion of the FindBugs analysis in CodeSonar. |
| No Longer Supported | Windows Vista is no longer supported as of this release. |
| Future Notification | The Scheme API and Scheme Console will be removed in the next release. Please contact CodeSecure if this will cause problems for you. |
RBAC Roles are now securable resources, with access controlled by the ROLE_* permissions.
Full access to all operations on roles is also still conferred by the G_ADMINISTER_USERS permission, so you can continue to manage RBAC roles in the same way you did for previous CodeSonar versions if you want to.
However, it is now possible to grant permission to edit role-permission and user assignments for individual roles without needing to assign the G_ADMINISTER_USERS permission.
For example, suppose a hub has a project called ProjectA, with a role called ProjA that provides access to ProjectA and is assigned to all users who are working on that project. To delegate assignment/unassignment of the ProjA role to someone who does not have the special Administrator role, an administrator might create a new role called ProjAManager and assign it permission ROLE_ASSIGN for ProjA. When a new user starts working on ProjectA, anyone with the ProjAManager role can assign them the ProjA role without needing to go through a hub administrator. Similarly, if a user stops working on ProjectA, anyone with the ProjAManager role can remove ProjA from the user's set of assigned roles.
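The delegation scenario above, modelled as a small permission check. This is an added example, not CodeSonar code: only the permission names G_ADMINISTER_USERS and ROLE_ASSIGN and the role names ProjA and ProjAManager come from the release notes; the Hub and Role classes, the user names, and the second project role ProjB are constructed for illustration. The point it shows is that ROLE_ASSIGN is scoped to one role resource, so the holder can assign and unassign that role but nothing else, while G_ADMINISTER_USERS keeps its previous unrestricted behaviour.

```python
"""Toy model of per-role ROLE_ASSIGN delegation (added example, not CodeSonar code)."""
from dataclasses import dataclass, field

# Permission names as given in the release notes.
G_ADMINISTER_USERS = "G_ADMINISTER_USERS"   # global: full access to all role operations
ROLE_ASSIGN = "ROLE_ASSIGN"                 # per-role: assign/unassign that one role


@dataclass
class Role:
    name: str
    # Global (hub-wide) permissions granted by this role.
    global_perms: set = field(default_factory=set)
    # Resource-scoped permissions: target role name -> permissions on that role.
    resource_perms: dict = field(default_factory=dict)


@dataclass
class Hub:
    roles: dict = field(default_factory=dict)        # role name -> Role
    assignments: dict = field(default_factory=dict)  # user -> set of role names

    def add_role(self, role):
        self.roles[role.name] = role

    def user_roles(self, user):
        # A list, not a set: dataclasses with eq=True are unhashable.
        return [self.roles[n] for n in self.assignments.get(user, set())]

    def has_permission(self, user, perm, resource):
        """True if one of user's roles grants perm on the given role resource,
        either through the global G_ADMINISTER_USERS permission (unchanged
        behaviour) or through a resource-scoped grant on exactly that role."""
        for role in self.user_roles(user):
            if G_ADMINISTER_USERS in role.global_perms:
                return True
            if perm in role.resource_perms.get(resource, set()):
                return True
        return False

    def assign_role(self, actor, target, role_name):
        """Give target the role role_name on behalf of actor."""
        if role_name not in self.roles:
            raise KeyError(role_name)
        if not self.has_permission(actor, ROLE_ASSIGN, role_name):
            raise PermissionError(f"{actor} lacks ROLE_ASSIGN on {role_name}")
        self.assignments.setdefault(target, set()).add(role_name)

    def unassign_role(self, actor, target, role_name):
        """Remove role_name from target; governed by the same ROLE_ASSIGN check."""
        if not self.has_permission(actor, ROLE_ASSIGN, role_name):
            raise PermissionError(f"{actor} lacks ROLE_ASSIGN on {role_name}")
        self.assignments.get(target, set()).discard(role_name)


def can_assign(hub, actor, role_name):
    """Convenience query: may actor assign/unassign role_name?"""
    return hub.has_permission(actor, ROLE_ASSIGN, role_name)


def build_example_hub():
    """Constructed scenario: an Administrator ('root'), the ProjA project role,
    a second project role ProjB (constructed, to show the scoping), and
    ProjAManager holding ROLE_ASSIGN on ProjA only, delegated to user 'lead'."""
    hub = Hub()
    hub.add_role(Role("Administrator", global_perms={G_ADMINISTER_USERS}))
    hub.add_role(Role("ProjA"))   # what ProjA itself grants is out of scope here
    hub.add_role(Role("ProjB"))
    hub.add_role(Role("ProjAManager", resource_perms={"ProjA": {ROLE_ASSIGN}}))
    hub.assignments["root"] = {"Administrator"}
    hub.assign_role("root", "lead", "ProjAManager")   # the administrator delegates
    return hub


if __name__ == "__main__":
    hub = build_example_hub()
    hub.assign_role("lead", "newdev", "ProjA")         # allowed: delegated via ProjAManager
    print(sorted(hub.assignments["newdev"]))
    try:
        hub.assign_role("lead", "newdev", "ProjB")     # denied: no ROLE_ASSIGN on ProjB
    except PermissionError as err:
        print("denied:", err)
    hub.unassign_role("lead", "newdev", "ProjA")       # allowed: same scoped grant
    print(sorted(hub.assignments["newdev"]))
```

The design choice worth noting is that `has_permission` looks up the grant keyed by the role being acted on, so a ProjAManager cannot extend its own reach by assigning itself or others the ProjAManager role; only a holder of G_ADMINISTER_USERS (or a ROLE_ASSIGN grant on ProjAManager itself) can do that.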
CodeSonar can now build and analyze projects based on Microsoft C# assembly files. Warnings are generated by running the third-party tool FxCop. In future releases, other third-party C# tools will be integrated.
CodeSonar C# projects can be built and analyzed on Windows machines only, although results can be submitted to a hub on any platform.
For details see the following new manual sections.
The ability to buy additional licensing to extend the CodeSonar Java analysis to include Contemplate ThreadSafe analysis has been discontinued.
In consequence, the following have also been removed.
Restrictions that applied to the Eclipse integration in previous releases have been addressed.
The CodeSonar plug-in for Visual Studio allows users to build and analyze CodeSonar projects and examine analysis results from within Visual Studio.
Changes to the set of available CodeSonar warning classes are as follows.
| Class Name | Mnemonic |
|---|---|
| Arctangent Domain Error | MATH.DOMAIN.ATAN |
| Argument Too High | MATH.DOMAIN.TOOHIGH |
| Argument Too Low | MATH.DOMAIN.TOOLOW |
| cosh on High Number | MATH.RANGE.COSH.TOOHIGH |
| cosh on Low Number | MATH.RANGE.COSH.TOOLOW |
| Floating Point Domain Error | MATH.DOMAIN |
| Floating Point Range Error | MATH.RANGE |
| Gamma on Zero | MATH.RANGE.GAMMA |
| Logarithm on Negative Value | MATH.DOMAIN.LOG |
| Logarithm on Zero | MATH.RANGE.LOG |
| Undefined Power of Zero | MATH.DOMAIN.POW |
| Raises FE_INVALID | MATH.DOMAIN.FE_INVALID |
| Use of drem | BADFUNC.FLOAT.DREM |
| Use of gamma | BADFUNC.FLOAT.GAMMA |
The mnemonic for class sqrt on Negative Value is now MATH.DOMAIN.SQRT (previously MATH.SQRT.NEG).
Several configuration parameters have been added; one has been removed.
| Parameter Added | Notes |
|---|---|
| CSHARP_FLAGS_APPEND | Supports the new C# analysis. |
| CSHARP_FLAGS_PREPEND | Supports the new C# analysis. |
| Parameter Removed | Notes |
|---|---|
| JAVA_ENABLE_THREADSAFE | Contemplate ThreadSafe integration has been discontinued. |
There are several changes to compiler models.
| Model | Compiler | Changes |
|---|---|---|
| iar | IAR compiler model | Improved handling for -e option. |
| dcc | Wind River C/C++ compiler driver model | -D and -U options now evaluated in order of appearance (previously all instances of -D were processed before any -U instances). |
| C++ | Python | C | Scheme | Modification |
|---|---|---|---|---|
| class locations_node | class locations_node | struct cs_locations_node_t | n/a | Now encapsulates both a start and an end line (previously only a single line). Consequences are described in the next two rows. |
| locations_node::locations_node() | locations_node.__init__() | n/a | n/a | Constructor overload that takes both start and end columns must now also take both start and end lines (previously only took one line). |
| warningclass::report() (code span overloads) | warningclass.report() (code span overloads) | csonar_report_location_span_warning(), csonar_report_location_span_warning_in_pdg() | BZ:19080 | Functions for reporting a warning with a code span location now take two line number arguments (previously only took one). |
| - | - | - | codesonar:create-warningclass | New force-path? parameter; location? parameter still present but ignored. |
| C++ | Python | C | Scheme | Notes |
|---|---|---|---|---|
| warningclass_flags::LOCATION | warningclass_flags.LOCATION | csonar_bcf_location | n/a | Association with a path is now determined by choice of warning reporting function, unless overridden by new "force path" flag. |
| locations_node::get_line() | locations_node.get_line() | n/a | n/a | Use new procedures for getting start and end lines from a locations node. |
| locations_node_flags::NO_STYLE0 | locations_node_flags.NO_STYLE0 | cslnf_no_style0 | :no-style0 | Use new STYLE0 flag when style0 is required. |
| AST | Changes |
|---|---|
| Unnormalized C and C++ ASTs | Two changes. |
| Normalized C and C++ ASTs | No changes. |
| NUMBER | NAME | NOTES |
|---|---|---|
| 4049 | [PCH] Unable to find includes with MS precompiled headers | fixed |
| 7676 | Document C++ language support status | See manual section C++ Support. |
| 8461 | Parse Error: Frontend cannot open source files with non-ascii characters | fixed |
| 13748 | "Hub address" validation does not check for interface:port | fixed |
| 16411 | Internal error in MISRA check: typeref "..." not found in scope at ... | fixed |
| 16427 | LANG.TYPE.IAT false positive when assigning bool in g++ | fixed |
| 16879 | Eclipse for Java analysis munges the auxclasspath | fixed |
| 17152 | LANG.STRUCT.DECL.IF false positive for class/struct member functions | fixed |
| 17251 | assign2author is not RBAC capable | fixed |
| 17566 | ALLOC.UAF/LANG.MEM.UVAR false positive | fixed |
| 17645 | Add ability to search analyses by State | Added field-name state to analysis search language. |
| 17709 | [EDGcpfe/18590] EDG does not parse __attribute__((overloadable)) from clang | fixed |
| 18034 | Support /kernel flag for Visual Studio | fixed |
| 18060 | Feature Request: Document excluded warning classes for SYSTEM_INCLUDE_PATHS | See SYSTEM_INCLUDE_PATHS documentation. |
| 18085 | LANG.STRUCT.PPE false positive on volatile int | fixed |
| 18103 | assign2author expects sandboxes to be on the same machine as the Hub | fixed |
| 18242 | LANG.CAST.PC.CONST2PTR false positive for C++ nullptr | fixed |
| 18266 | LANG.CAST.PC.CRVQ false positive in library models | fixed |
| 18290 | Thread entry points/callers not detected | fixed |
| 18453 | LANG.STRUCT.DECL.IF false positive for class/struct member functions | fixed |
| 18468 | LANG.STRUCT.DEF.NOEXT false positive for C++ templates | fixed |
| 18500 | False Positive: reference vs value IR confusion in try/catch AST | fixed |
| 18506 | Front End terminates with return 4 with GreenHills compiler model | fixed |
| 18536 | [EDGcpfe/19337] Use of _Generic: in C++ | fixed |
| 18620 | [EDGcpfe/19758] Assertion failed: at: "EDGCP-dist/src/lower_name.c", line 2671 | fixed |
| 18637 | Crash at clang::csirgen::Point::setSourcePP() because of empty sourcepp | fixed |
| 18652 | ALLOC.LEAK false negative with pointer arithmetic | fixed; set WARN_MORE_LOOP_LEAKS=Yes to see leak warnings on paths that iterate around a loop multiple times (otherwise they are suppressed). |
| 18723 | diab compiler model and overlapping defines | fixed |
| 18809 | LANG.STRUCT.DECL.ML false positives | fixed |
| 18825 | Floating point checks and FLOAT_IS_ADVERSARIAL not compatible | FLOAT_IS_ADVERSARIAL documentation extended to clarify incompatibility. |
| 18865 | Document how to run the Windows Installer silently | See Installing or Upgrading CodeSonar: Silent Installation (Windows manuals only). |
| 18972 | Halstead file metrics are not accurate | fixed |
| 19001 | Add ability to search warnings by Fingerprint | Added field-name fingerprint to warning search language. |
| 19017 | Support iccarm -e flag | fixed |
| 19173 | Renesas shc compiler model not parsing all include directive forms | fixed |
| 19175 | IntegrityError when deleting a saved search | fixed |
| 19219 | overflow and underflow 'false negatives' | Documentation for overflow/underflow warning classes extended to clarify that warnings are reported on use of the suspicious value as a size argument to a function, rather than on computation. |
| 19290 | Thread entry points/callers not detected | fixed |
| 19311 | [EDGcpfe/17984] Crash: Front end assertion triggered with gcc 7.3 variant implementation | fixed |
| 19330 | LANG.STRUCT.DEF.FDH false positive for C++ implicitly generated functions | fixed |
| 19356 | Parse log summary missing from PDF report | fixed |
| 19410 | PostgreSQL configuration for continuous archiving | Manual updated so that Task: Back Up and Restore a Hub Database reflects PostgreSQL upgrade consequences: set wal_level to replica when establishing continuous archiving. |
| 19559 | Parse error in Android M: expression must have pointer-to-class type __atomic_store(&__a->__a_value, &__val,...) | fixed |