| CodeSonar® 9.0p0 Hot Tips | CONFIDENTIAL | CodeSecure Inc |
If you are upgrading from a version before 4.5: When you upgrade your hub, you will be prompted to set the password for the special Administrator hub user account when the hub restarts. This will replace the previous Administrator password. You can reuse your previous Administrator password if it meets the hub password requirements specified in the Settings: Password Policy tab.
| SARIF | CodeSonar now has functionality for both importing and exporting warning reports in Static Analysis Results Interchange Format (SARIF). |
|---|---|
| Scheme Removed | All use of the Scheme programming language has been removed, including the Scheme Console and Scheme API. |
| GUI Changes | Several changes. |
| Warning Classes | New warning class Copy-Paste Error; changes to existing warning class Ignored Return Value. |
| Configuration Parameter Changes | There have been multiple changes to the available configuration parameters, including new parameters, removed parameters, and modifications to existing parameters. |
| API Changes | A number of additions, removals, and modifications. |
| AST Changes | One new unnormalized AST class: cc:ctp-integer-pack |
| EDG Upgrade | CodeSonar now uses EDG version 5.0. This provides better C++17 support (fewer parse errors). There are also some useful new front end options. |
| Windows Subsystem for Linux (WSL) Note | CodeSonar 5.1 will execute under Windows Subsystem for Linux, but will not be reliable or supported until the following WSL bug is fixed: WSL issue #1927. This bug can lead to intermittent silent data corruption, crashes, and other unpredictable outcomes. |
| No Longer Supported | Support for Windows Vista was discontinued at version 5.0p0. |
| Search | Several of the search languages now support regular-expression based searching. |
| Presets | The thorough preset now includes settings for TAINT_MAX_MODIFIED_VALUES, TAINT_MAX_CHECKED_INPUTS_PER_PROCEDURE, TAINT_MAX_EXPRESSION_COMPLEXITY, and TAINT_MAX_SET_CARDINALITY. |
| Metrics | The Distinct Operators (n1) and Distinct Operands (n2) metrics are no longer available at "file" or "directory" granularity. |
| Python Build/Analysis | It is now possible to build and analyze CodeSonar projects based on Python source files. See Build and Analysis for Python Projects for details. |
| Importing Other File Types | It is now possible to bring files into the CodeSonar project in cases where CodeSonar does not provide built-in handling and analysis. See Importing Other File Types to CodeSonar for details. |
| Clang Static Analyzer Compatibility | It is now possible to build and analyze a project based in whole or in part on one or more invocations of the Clang Static Analyzer. See CodeSonar and the Clang Static Analyzer for details. |
| CodeSonar Plug-in for Visual Studio | A number of bugs in the CodeSonar Plug-in for Visual Studio have been fixed. |
CodeSonar now has functionality for both importing and exporting warning reports in Static Analysis Results Interchange Format.
SARIF is now an available output format for the Analysis: Warnings and Warning Report pages. The output file has extension .sarif and conforms to SARIF v2.0.0-csd.2.beta.2018-11-28.
You can import SARIF files from any source during the CodeSonar build/analysis, provided that the files conform to SARIF v2.0.0-csd.2.beta.2018-11-28. For details, see SARIF Importer for CodeSonar.
All use of the Scheme programming language has been removed. The following are therefore no longer available.
There is one new warning class: Copy-Paste Error
With factory settings, the Ignored Return Value warning class has a broader range of enforced checks. Additionally, the set of configuration parameters that can be used to tune this analysis has been extended: see below for details.
| New Parameter | Purpose |
|---|---|
| PARAMETER_EVALUATION_ORDER | Specifies the order of evaluation of actual parameters. Replaces the previous BUILD_OPTIONS += -parameter-evaluation-order {left-to-right, right-to-left} setting. |
| RETAIN_UNNORMALIZED_C_AST | Specifies whether or not CodeSonar keeps the full unnormalized AST information associated with a C/C++ project. Replaces the previous BUILD_OPTIONS += -retain-unnormalized-c-ast {yes, no} setting. |
| CSHARP_JULIA_ARGS | Specifies default options to pass to Julia when it is invoked as part of the C# build/analysis. |
| CSHARP_JULIA_ANALYSIS_ARGS | Specifies default options to pass to the Julia analysis (but not to result retrieval from a past Julia analysis) when it is invoked as part of the C# build/analysis. |
| JAVA_JULIA_ARGS | Specifies default options to pass to Julia when it is invoked as part of the Java build/analysis. |
| JAVA_JULIA_ANALYSIS_ARGS | Specifies default options to pass to the Julia analysis (but not to result retrieval from a past Julia analysis) when it is invoked as part of the Java build/analysis. |
| RETURN_CHECKER_CHECKED_PURE_FUNCS, RETURN_CHECKER_BUILT_IN_CHECKED_FUNCS | Specify functions to check for ignored return values. Each parameter has a slightly different purpose and handling. The following table summarizes the options. |
| Modified Parameter | Changes |
|---|---|
| FORMAT_STRING_CHECKER_IGNORED_FUNCS | Additional factory settings: this may result in a decrease in reported Format String warnings. |
| RETURN_CHECKER_IGNORED_FUNCS | Rules both added and removed from the set of factory settings: this may result in a change in reported Ignored Return Value warnings. Many of the functions previously specified with this parameter are now specified with the new parameter RETURN_CHECKER_BUILT_IN_CHECKED_PURE_FUNCS: that is, they will trigger warnings if their return value is ignored on all paths. |
| RETURN_CHECKER_CHECKED_FUNCS | Now used only for user-specified functions with side effects: several new parameters have been introduced for use in other cases. |
| Deleted Parameter | Notes |
|---|---|
| BUILD_OPTIONS | The main build options of interest—-retain-unnormalized-c-ast and -parameter-evaluation-order—have been replaced by configuration parameters RETAIN_UNNORMALIZED_C_AST and PARAMETER_EVALUATION_ORDER, respectively. If you were using other build options and now have no way to specify them, visit CodeSecure support for assistance. |
| C++ API | Python API | C API | Modification |
|---|---|---|---|
| class xform_expr, xform_expr::xform_expr() | class xform_expr, xform_expr.__init__() | struct cs_xform_expr | Now represents an expression of the form (ax+b)/c (previously ax+b) and additionally encapsulates a mode in which the expression should be evaluated. The C++ constructor and Python initializer have new optional arguments. |
| step_xform::query() | step_xform.query() | csonar_xform_query() | lhs_post and rhs_post arguments dropped; this functionality (and more) is now provided through the query mode. |
| procedure::local_symbols() | procedure.local_symbols() | cs_pdg_locals_iter_first | Now succeed when called with/on an undefined function. The resulting iterator has one element: the synthesized variable containing the return value of the undefined function. |
The Scheme API implementation has been completely removed. In addition, the following functions have been removed from other API implementations.
| C++ API | Python API | C API | Notes |
|---|---|---|---|
| step_xform::pre_bounds, step_xform::post_bounds | step_xform.pre_bounds, step_xform.post_bounds | csonar_xform_query_pre_bounds(), csonar_xform_query_post_bounds() | Replaced by a single 'bounds' function in each API implementation. |
CodeSonar now uses EDG version 5.0. This provides better C++17 support (fewer parse errors).
There are also some useful new front end options:
The following search languages now support regular-expression based searching with new operators imatch-condition (equivalent to the PostgreSQL ~* operator) and ilike-condition (equivalent to the PostgreSQL ILIKE operator).
| NUMBER | NAME | NOTES |
|---|---|---|
| 5622 | Document automatic extraction of results from the hub | New tasks added to manual: Download Warnings from an Analysis with a Shell Script and Download Warnings from an Analysis with a Windows Batch (.bat) File. |
| 18352 | understanding constexpr in the analysis | fixed |
| 18474 | Parse errors: C++17 optional construct | fixed |
| 18727 | Document: How to find Hubs using a floating license server | Instructions for how to identify hubs using a floating license server added to the manual. |
| 18815 | Call edges missing for superclass constructors and global initialization | fixed |
| 19020 | Expanded documentation of the cs-java-scan option -sourcepath | See cs-java-scan options documentation. |
| 19551 | EDG not handling a clang extension allowing non-POD subobjects to be initialized | fixed |
| 19587 | IAR compmodel analyzes wrong file with -dlib_config | fixed |
| 19652 | Update CodeSonar hot standby documentation | Hub backup documentation updated to include instructions for service accounts. |
| 19659 | Feature request: Line usage summary information for eval licenses | fixed; line usage summary now displayed regardless of license restrictions. |
| 19667 | Document: state of support for Windows Subsystem for Linux | System Requirements updated. |
| 19676 | C# front end crashes when path contains international characters | fixed |
| 19743 | iccarm using C99 as default | fixed; defaults to the C99 standard when using IAR 7.0+ |
| 19823 | Document: Add full regex capability to all uses of the search language | Various manual pages updated. See Search above. |
| 19829 | In the Charting Wizard, the Options tab, no documentation of the Sample field | Charting Wizard Documentation now includes Sample and Sample Size fields. |
| 19832 | Feature Request: Expand settings in the thorough preset to include more taint related settings | Documentation for Thorough preset expanded. |
| 19853 | Visual Studio plugin does not detect compilations done by other compilers | fixed |
| 19901 | Documentation suggestion for SOURCE_PATTERN_REPLACEMENT | Documentation expanded for the SOURCE_PATTERN_REPLACEMENT configuration parameter. |
| 19915 | cs-dotnet-scan.csharp.32.conf file not included in installers | fixed |
| 19937 | Analysis clouds that mix IPv4 and IPv6 can produce surprising failures | fixed |
| 19960 | Feature Request: Request for build server patch level information for each release | Build server patch level information now provided in System Requirements page. |
| 19977 | IAR compiler model and the --cpu command line argument | fixed; -m recognized as an alias for --memory_model. |
| 19986 | SQLAlchemy url escaping issues | fixed |
| 19999 | Microsoft Visual Studio and custom make projects | fixed |
| 20013 | Surprising interaction between Thread Entry Point warning class and FORCE_THREAD_ENTRY_POINT | Documentation expanded for Thread Entry Point and the THREAD_ENTRY_METHOD_NAMES configuration parameter. |
| 20080 | ecomppc compiler model requires source file to be last argument | fixed |
| 20110 | Example doesn't work for Potential Timebomb | Enabling instructions for Potential Timebomb corrected. |
| 20112 | FP: Incorrect essential type for nullptr in Mismatched Operand Type | fixed |
| 20137 | Slow warning set comparison on hubs of certain size ranges | fixed |
| 20145 | Finish and register ccppc compiler model | fixed |
| 20223 | MISRA FP: "Non-const String Literal" in C++ code | fixed |
| 20224 | MISRA FP: "Inappropriate Assignment Type" in C++ with typedef'd anonymous enums | fixed |
| 20225 | MISRA FP: "Inappropriate Assignment Type" with C++ scoped enums | fixed |
| 20238 | size is incomplete for local array of size 0 | fixed |
| 20281 | IAR compiler model regression - --IDE2 and --IDE3 flag handling | fixed |
| 20561 | Mishandling of -conf-file command line argument to codesonar by front end | fixed |
| 20702 | VisualDSP compiler model and response files | fixed |