CodeSonar® 9.0p0 Hot Tips (CodeSecure Inc, CONFIDENTIAL)
Official release date: March 29, 2021.
If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.
Launching the CodeSonar installer directly from Firefox on Windows 10 may prevent certain parts of the installer from functioning correctly. Instead, download the installer to a suitable location and run it from there.
| Java Analysis | The CodeSonar Java analysis has changed substantially in this release. |
|---|---|
| C# (.NET) Analysis | This version of CodeSonar does not support C# analysis. |
| Warning Classes | There are several new C/C++ warning classes. There are many new Java warning classes, representing full integration of the Julia tool into CodeSonar. |
| Visualization | The original Java-based visualization tool has been removed. The HTML5 Visualization has been extended. To visualize analysis information, use the new HTML5 Visualization Tool or the Explore Callers/Explore Callers (Source) functionality. |
| Compiler Models | Several of the models have undergone general improvements and bug fixes. There are three new compiler models: armclang, iccrx, and iccv850. |
| Library Models | C and C++ library models have undergone a number of extensions and improvements. |
| Configuration Parameters | There are modifications to several configuration parameters. Configuration parameters specific to the now-removed FindBugs™ and PMD integrations have been deleted. |
| Configuration Presets | There are several new configuration presets, and the java_style preset has been deleted. |
| CWE | This version of CodeSonar uses CWE v4.3 (released December 10, 2020). |
| New Management Report Templates | There are three new predefined management report templates. |
| EDG Upgrade | CodeSonar now uses EDG version 6.1. |
| C++17 Support | Structured bindings are now supported. |
| Android Support | Improved parsing and analysis for Android 11 and older. |
| Unreal Engine Support | Improved parsing and analysis for the Unreal Engine. |
| FreeBSD Compatibility | CodeSonar is now compatible with FreeBSD 10 and 12. |
| Warning Class Mapping Adjustments | The definition of broad mapping has changed: the set of all hierarchical descendants of closely mapped categories is included only in rare cases where they are all considered relevant. The CWE broad mapping is consequently smaller, but more meaningful, than previously. |
| AST Changes | There are a small number of new normalized and unnormalized C/C++ AST classes; one unnormalized C/C++ AST class has been modified. |
| GitLab Integration | A CodeSonar / GitLab integration is available. |
| Jira Integration | CodeSonar integration plug-ins are now available for Jira versions 7.0.0-8.14.1 and 6.0-6.4.14. |
| Release Status | CodeSonar 5.0p0 and CodeSonar 5.0p1 are now in sunset. CodeSonar 4.5p2 is now at end of life. |
| Deprecation Notice | The Windows 7 family of operating systems will not be supported as of the next CodeSonar release. |
| No Longer Supported | Mac OS X and Solaris are not supported as of this release. |
The CodeSonar Java analysis has changed substantially in this release.
This version of CodeSonar does not support C# analysis. If you wish to analyze C# projects, use a previous (or future) version of CodeSonar.
There is a new warning category kind; there are also several new C/C++ warning classes and many new Java warning classes.
CodeSonar now provides mappings for the OWASP Top 10 Application Security Risks - 2017.
Relevant OWASP-2017 mappings for each warning class are displayed in the following locations.
The new owasp2017 preset enables all warning classes that are closely mapped to one or more members of this top ten list.
There are many new Java warning classes, representing full integration of the Julia tool into CodeSonar.
| Warning Class Name | Mnemonic | Previous Julia Checker.Warning |
|---|---|---|
| == Always Fails (Java) | JAVA.REDUNDANT.EQF | BadEq.ImpossibleEqualityWarning |
| == Always Fails Because Types Always Different (Java) | JAVA.REDUNDANT.EQF.TYPE | BadEq.EqualsOnDisjointTypesWarning |
| Abs on random (Java) | JAVA.MATH.ABSRAND | AbsOfRandom.AbsOfRandomWarning |
| Accessing File in Permissive Mode (Java) | JAVA.IO.PERM.ACCESS | FileAccess.FileAccessWithModeWorldWarning |
| Actual Parameter Element may be null (Java) | JAVA.DEEPNULL.PARAM.EACTUAL | Nullness.ActualInnerNullWarning |
| Address Injection (Java) | JAVA.IO.TAINT.ADDR | BasicInjection.AddressInjectionWarning, BasicInjection.AddressInjectionIntoFieldWarning |
| Ambiguous Call from Inner Class (Java) | JAVA.CLASS.ACIC | InnerClasses.AmbiguousCallFromInnerClassWarning |
| Android Leak (Java) | JAVA.ALLOC.LEAK.ANDROID | Leak.LeakThroughCallbackFieldWarning, Leak.LeakThroughFieldWarning, Leak.LeakThroughCallbackWarning, Leak.LeakThroughInnerClass |
| Android Message Injection (Java) | JAVA.IO.INJ.ANDROID.MESSAGE | PrivacyAndroid.MessageInjectionIntoFieldWarning, PrivacyAndroid.MessageInjectionWarning |
| Android URL Injection (Java) | JAVA.IO.INJ.ANDROID.URL | PrivacyAndroid.URLInjectionIntoFieldWarning, PrivacyAndroid.URLInjectionWarning |
| Anonymous LDAP Authentication (Java) | JAVA.INSEC.LDAP.ANON | Authentication.AuthenticationSetToAnonymousWarning |
| Approximate e Constant (Java) | JAVA.MATH.APPROX.E | Approximation.ApproximateEWarning |
| Approximate pi Constant (Java) | JAVA.MATH.APPROX.PI | Approximation.ApproximatePIWarning |
| Array Parameter Empty (Java) | JAVA.FUNCS.APE | InefficientConstruction.PassingEmptyArrayWarning |
| Assertion Contains Side Effects (Java) | JAVA.STRUCT.SE.ASSERT | SideEffects.SideEffectInAssertionWarning |
| Assignment in Conditional (Java) | JAVA.STRUCT.CONDASSIG | BadEq.AssigningInsteadOfComparingWarning |
| Asymmetric compareTo (Java) | JAVA.COMPARE.CTO.ASSYM | CompareTo.AsymmetricalCompareToWarning |
| Bitwise AND on Boolean (Java) | JAVA.STRUCT.BW.AND | ShortCircuit.NonShortCircuitANDWarning |
| Bitwise AND on Boolean Constant (Java) | JAVA.STRUCT.BW.ANDC | ShortCircuit.ANDAgainstConstantWarning |
| Bitwise OR on Boolean (Java) | JAVA.STRUCT.BW.OR | ShortCircuit.NonShortCircuitORWarning |
| Bitwise OR on Boolean Constant (Java) | JAVA.STRUCT.BW.ORC | ShortCircuit.ORAgainstConstantWarning |
| Blocking in Critical Section (Java) | JAVA.CONCURRENCY.STARVE.BLOCKING | Concurrency.BlockingCallInsideSynchronizationWarning |
| Broad Throws Clause (Java) | JAVA.STRUCT.EXCP.BROAD | ExceptionHandlers.BroadThrowsClauseWarning |
| Call Might Return Null (Java) | JAVA.NULL.RET.UNCHECKED | BasicNullness.MissingNullnessCheckOfReturnedValueWarning |
| Cast: Integer to Floating Point (Java) | JAVA.CAST.FTRUNC | Approximation.CastIntegralComputationIntoFloatingPointWarning |
| Cast: int Computation to long (Java) | JAVA.ARITH.OFLOW | Approximation.CastIntComputationIntoLongWarning |
| Certificate Added to Root Store (Java) | JAVA.INSEC.CERT.RS | EncryptionAndSecurityConfig.PossibleCertificateAddedToRootStoreWarning |
| Class Enables Debug Features (Java) | JAVA.DEBUG.CEDF | Production.DebugModeInProductionWarning |
| Closeable Not Closed (Java) | JAVA.ALLOC.LEAK.NOTCLOSED | CloseResource.ResourceNotClosedAtEndOfMethodWarning |
| Closeable Not Stored (Java) | JAVA.ALLOC.LEAK.NOTSTORED | CloseResource.CloseableNotStoredIntoLocalWarning |
| Code Injection (Java) | JAVA.IO.INJ.CODE | Injection.CodeInjectionIntoFieldWarning, BasicInjection.CodeInjectionIntoFieldWarning, BasicInjection.CodeInjectionWarning, Injection.CodeInjectionWarning |
| Command Injection (Java) | JAVA.IO.INJ.COMMAND | Injection.CommandInjectionWarning, Injection.CommandInjectionIntoFieldWarning, BasicInjection.CommandInjectionIntoFieldWarning, BasicInjection.CommandInjectionWarning |
| Comparison to Empty String (Java) | JAVA.COMPARE.EMPTYSTR | BadEq.InefficientStringEmptynessTestWarning |
| Cross Site Scripting (Java) | JAVA.IO.INJ.XSS | BasicInjection.XSSInjectionIntoFieldWarning, BasicInjection.XSSInjectionWarning, Injection.XSSInjectionIntoFieldWarning, Injection.XSSInjectionWarning |
| Cryptographic Algorithm with Risky Default Cipher (Java) | JAVA.CRYPTO.CADRC | Cryptography.CryptographicAlgorithmWithRiskyDefaultCipherAlgorithmWarning |
| Cryptographic Algorithm with Weak Cipher (Java) | JAVA.CRYPTO.CARC | Cryptography.CryptographicAlgorithmWithRiskyCipherAlgorithmWarning |
| Cryptographic Algorithm with Weak Hash (Java) | JAVA.CRYPTO.CAWH | Cryptography.CryptographicAlgorithmWithWeakHashingAlgorithmWarning |
| DLL Injection (Java) | JAVA.IO.INJ.DLL | BasicInjection.DLLInjectionWarning, Injection.DLLInjectionIntoFieldWarning, Injection.DLLInjectionWarning, BasicInjection.DLLInjectionIntoFieldWarning |
| DOS Injection (Java) | JAVA.IO.INJ.DENIAL | BasicInjection.DOSInjectionIntoFieldWarning, BasicInjection.DOSInjectionWarning, Injection.DOSInjectionIntoFieldWarning, Injection.DOSInjectionWarning |
| Debug Call (Java) | JAVA.DEBUG.CALL | Production.InadequateCallInProductionWarning |
| Debug Warning (Java) | JAVA.DEBUG.LOG | Production.UseLogInsteadWarning |
| Defines equals but not hashCode (Java) | JAVA.IDEF.EQUALSNOHC | EqualsHashCode.NoHashCodeWarning |
| Defines hashCode but not equals (Java) | JAVA.IDEF.HCNOEQUALS | EqualsHashCode.NoEqualsWarning |
| Deprecated Cryptography Provider (Java) | JAVA.CRYPTO.DEPRECATED | Cryptography.DeprecatedOrDeletedCryptographyProviderFieldWarning, Cryptography.DeprecatedOrDeletedCryptographyProviderMethodWarning |
| Deprecated Transfer Protocol (Java) | JAVA.INSEC.DTP | EncryptionAndSecurityConfig.UnsafeTransferProtocolUsedInFieldWarning, EncryptionAndSecurityConfig.UnsafeTransferProtocolUsedInMethodWarning |
| Deserializable Class (Java) | JAVA.CLASS.SER.DESER | Deserialization.DeserializableClassWarning |
| Deserializing Non-Serializable Class (Java) | JAVA.CLASS.SER.DNS | Deserialization.NonSerializableClassWithoutReadObjectWarning |
| Disabled Input Validation (Java) | JAVA.INSEC.DIV | EncryptionAndSecurityConfig.DisabledValidationInputInsideMethodWarning, EncryptionAndSecurityConfig.DisabledValidationInputInsideClassWarning |
| Double-Checked Locking (Java) | JAVA.CONCURRENCY.LOCK.DCL | Concurrency.UnsafeLazyInitialisationWarning |
| Empty Branch Statement (Java) | JAVA.STRUCT.EBS | UselessTest.UselessTestWarning |
| Empty Exception Handler (Java) | JAVA.STRUCT.EXCP.EEH | ExceptionHandlers.EmptyExceptionHandlerWarning |
| Empty jar File Archived (Java) | JAVA.STRUCT.ARCHIVE.EJF | Zip.EmptyJarEntryWarning |
| Empty zip File Archived (Java) | JAVA.STRUCT.ARCHIVE.EZF | Zip.EmptyZipEntryWarning |
| Exception Information Disclosure (Java) | JAVA.DEBUG.ID | Production.InformationDisclosureWarning |
| Field Element may be null (deep) (Java) | JAVA.DEEPNULL.EFIELD | Nullness.FieldInnerNullWarning |
| Field Never Read (Java) | JAVA.STRUCT.URFIELD | FieldAccess.FieldNeverReadWarning |
| Field Never Written (Java) | JAVA.STRUCT.UWFIELD | FieldAccess.FieldNeverWrittenWarning |
| Field may be null (deep) (Java) | JAVA.DEEPNULL.FIELD | Nullness.FieldNullWarning |
| Field Too Visible (Java) | JAVA.CLASS.VIS.FIELD | InstanceFieldSecurity.InstanceNonFinalFieldVisibilityIsTooWeakWarning, InstanceFieldSecurity.FieldVisibilityIsTooWeakWarning |
| Floating Point Equality (Java) | JAVA.ARITH.FPEQUAL | Approximation.FloatComparisonWarning |
| Fragment Injection (Java) | JAVA.IO.INJ.FRAGMENT | UseOfUncontrolledExternalData.FragmentInjectionWarning |
| Generic Exception Handler (Java) | JAVA.STRUCT.EXCP.GEH | ExceptionHandlers.GenericExceptionHandlerWarning |
| Hardcoded Filename (Java) | JAVA.HARDCODED.FNAME | Resources.HardcodedFileNameWarning |
| Hardcoded IP Address (Java) | JAVA.HARDCODED.IP | EncryptionAndSecurityConfig.HardcodedIPWarning, EncryptionAndSecurityConfig.HardcodedIPAddressUsedInMethodWarning |
| Hardcoded Password (Java) | JAVA.HARDCODED.PASSWD | Passwords.HardcodedPasswordWarning, Passwords.PossibleHardcodedPasswordPropagatedByCallsWarning |
| Hardcoded Random Seed (Java) | JAVA.HARDCODED.SEED | Random.UseOfFixedSeedWarning |
| Hostname in Condition (Java) | JAVA.INSEC.HIC | Authentication.HostNameInConditionWarning |
| Ignored Return Value (Java) | JAVA.FUNCS.IRV | UnusedReturnValue.ReturnValueShouldBeUsedWarning |
| Ignored Return Value for Pure Function (Java) | JAVA.FUNCS.IRV.PURE | UnusedReturnValue.UselessCallToAPureMethodWarning |
| Impossible Client Side Locking (Java) | JAVA.CONCURRENCY.LOCK.ICS | Concurrency.ImpossibleClientSideLockingWarning |
| Inappropriate Exception Handler (Java) | JAVA.STRUCT.EXCP.INAPP | ExceptionHandlers.InappropriateExceptionHandlerWarning |
| Inappropriate Instanceof (Java) | JAVA.CLASS.IOF.BAD | UselessInstanceof.UnexpectedInstanceofWarning |
| Ineffective Cleansing of Fragment Taint (Java) | JAVA.IO.TAINT.IC.FRAGMENT | UseOfUncontrolledExternalData.AllowAllFragmentsWarning |
| Inefficient Bitwise AND (Java) | JAVA.STRUCT.BW.ANDI | ShortCircuit.InefficientSameValueANDWarning |
| Inefficient Bitwise OR (Java) | JAVA.STRUCT.BW.ORI | ShortCircuit.InefficientSameValueORWarning |
| Inefficient Box-Unbox (Java) | JAVA.CLASS.BUB | InefficientConstruction.InefficientBoxUnboxWarning |
| Inefficient Instantiation (Java) | JAVA.CLASS.UI | InefficientConstruction.InefficientConstructionWarning |
| Inner Class Should be Static (Java) | JAVA.CLASS.ICSBS | InnerClasses.InnerClassShouldBeStaticWarning |
| Insecure Class Loader (Java) | JAVA.CLASS.ICL | ClassLoading.SubclassOfClassLoaderWarning |
| Insecure Cookie (Java) | JAVA.LIB.HTTP.COOKIE | Cookie.PossibleInsecureCookieCreationWarning, Cookie.InsecureCookieWarning |
| Insecure Key Derivation (Java) | JAVA.CRYPTO.KEY | Cryptography.InsecureKeyDerivationFunctionWarning |
| Insecure Random Number Generator (Java) | JAVA.LIB.RAND.FUNC | Random.InsecureRandomWarning |
| Insecure Socket Factory (Java) | JAVA.INSEC.SF | UnsafeConnection.InsecureSocketFactoryWarning |
| Insecure XSLT Execution (Java) | JAVA.LIB.XML.INSEC_XSLT | Xml.InsecureXSLTExecutionWarning |
| Insecure verifier Override for Hostname (Java) | JAVA.INSEC.HVO | UnsafeConnection.AllowAllHostnameVerifierWarning |
| Insecure verify Override for Certificate (Java) | JAVA.INSEC.CVO | UnsafeConnection.AllowAllTrustVerifierWarning |
| Instanceof Always False (Java) | JAVA.CLASS.IOF.F | UselessInstanceof.ImpossibleInstanceofWarning |
| Instanceof Always True (Java) | JAVA.CLASS.IOF.T | UselessInstanceof.TautologicalInstanceofWarning |
| JavaScript Enabled (Java) | JAVA.JS.JSE | JavascriptExecution.JavascriptEnabledWarning |
| JavaScript File Access from File URLs (Java) | JAVA.JS.FAFU | JavascriptExecution.AllowedFileAccessFromFileURLsByDefaultWarning, JavascriptExecution.AllowedFileAccessFromFileURLsWarning |
| LDAP Authentication Disabled (Java) | JAVA.INSEC.LDAP.DA | Ldap.LDAPAuthenticationDisabledWarning |
| Lambda Parameter may be null (Java) | JAVA.NULL.PARAM.LAMBDA | BasicNullness.LambdaParameterMightBeNullWarning |
| Method Disables Security Setting (Java) | JAVA.INSEC.MDSS | EncryptionAndSecurityConfig.SafeSecuritySettingDisabledWarning |
| Method Enables Debug Features (Java) | JAVA.DEBUG.MEDF | Production.DebugCallInProductionWarning |
| Method Names Differ Only in Case (Java) | JAVA.ID.CASE.METHOD | BadExtension.CaseOverrideWarning |
| Method Should be final (Java) | JAVA.CLASS.METH.NF | MethodCouldBeFinal.MethodShouldBeFinalWarning |
| Method Should be private (Java) | JAVA.CLASS.VIS.METH.PRIV | MethodShouldBePrivate.MethodShouldBePrivateWarning |
| Method Should Not Return null (Java) | JAVA.NULL.RET.NONNULL | BasicNullness.MethodShouldNotReturnNullWarning |
| Missing Authentication Annotation (Java) | JAVA.INSEC.MAA | Authentication.UnauthenticatedWebAPIWarning |
| Missing Call to super (Java) | JAVA.CLASS.MCS | CallSuper.CallSuperWarning |
| Missing Equals Override (Java) | JAVA.IDEF.NOEQUALS | EqualsHashCode.SuspiciousInheritanceOfEqualsWarning |
| Missing JavaScript Entry Point (Java) | JAVA.JS.MEP | JavascriptExecution.MissingJavascriptInterfaceAnnotationWarning |
| Missing JavaScript Execution (Java) | JAVA.JS.ME | JavascriptExecution.ExplicitJavascriptExecutionNotFoundWarning |
| Missing Serial Version Field (Java) | JAVA.CLASS.SER.UIDM | Serialization.MissingSerialVersionFieldWarning |
| Missing isValidFragment Override (Java) | JAVA.CLASS.OR.ISVALIDFRAGMENT | UseOfUncontrolledExternalData.ShouldBeOverriddenIsValidFragmentMethodWarning |
| Missing synchronized Statement (Java) | JAVA.CONCURRENCY.SYNC.MSS | GuardedBy.MissingSynchronizedWarning |
| Mutable Constant Field (Java) | JAVA.TYPE.MCF | MutableConstantField.MutableConstantFieldWarning |
| Mutable Enumeration (Java) | JAVA.TYPE.ME | ImproperField.MutableEnumWarning |
| Naming Style Violation (Java) | JAVA.ID.STYLE | BadNames.BadClassNameWarning, BadNames.BadFieldNameWarning, BadNames.BadMethodNameWarning, BadNames.BadParameterNameWarning |
| Non-Object compareTo Parameter (Java) | JAVA.COMPARE.CTO.NONOBJ | CompareTo.CompareToForNonObjectWarning |
| Non-overriding Method Signature (Java) | JAVA.ID.BADOVERRIDE | BadExtension.ParametersOverrideWarning |
| Nonserializable Field (Java) | JAVA.CLASS.SER.ENON | Serialization.NonSerializableFieldWarning |
| Nonserializable Field Element (Java) | JAVA.CLASS.SER.FNON | Serialization.NonSerializableElementsOfFieldWarning |
| Nonserializable Outer Class (Java) | JAVA.CLASS.SER.OCNON | Serialization.NonSerializableOuterClassWarning |
| Null Parameter Dereference (Java) | JAVA.NULL.PARAM.ACTUAL | BasicNullness.ActualNullReflectionWarning, BasicNullness.ActualNullWarning |
| Null Pointer Dereference (Java) | JAVA.NULL.DEREF | BasicNullness.SynchronizationOnNullWarning, BasicNullness.ArrayStoreIntoNullWarning, BasicNullness.GetFieldFromNullWarning, BasicNullness.VariableCanOnlyBeNullWarning, BasicNullness.ArrayLengthOfNullWarning, BasicNullness.PutFieldIntoNullWarning, BasicNullness.ArrayLoadFromNullWarning, BasicNullness.ThrowOfNullWarning, BasicNullness.CallOnNullWarning |
| Null Pointer Dereference (deep) (Java) | JAVA.DEEPNULL.DEREF | Nullness.ArrayLengthOfNullWarning, Nullness.GetFieldFromNullWarning, Nullness.CallOnNullWarning, Nullness.ThrowOfNullWarning, Nullness.PutFieldIntoNullWarning, Nullness.SynchronizationOnNullWarning, Nullness.ArrayLoadFromNullWarning, Nullness.ArrayStoreIntoNullWarning |
| Password in Property File (Java) | JAVA.HARDCODED.PASSWD.FILE | Passwords.PasswordInPropertyFileWarning |
| Permissive File Mode (Java) | JAVA.IO.PERM | FileAccess.FileWithWorldAccessibilityWarning |
| Possible XML External Entity Reference (Java) | JAVA.LIB.XML.XXE | Xml.XXEAttackWarning |
| Potential Infinite Recursion (Java) | JAVA.FUNCS.INFREC | InfiniteRecursion.InfiniteRecursionWarning |
| Potential LDAP Poisoning (Java) | JAVA.INSEC.LDAP.POISON | Ldap.LDAPPoisoningWarning |
| Redundant Call for Integral Argument (Java) | JAVA.FUNCS.RED.INT | UselessCall.UselessCallForIntegralValueWarning |
| Redundant Call for String Argument (Java) | JAVA.FUNCS.RED.STR | UselessCall.UselessCallWarning |
| Redundant Condition (Java) | JAVA.STRUCT.RC | UselessTest.TestIsPredeterminedWarning |
| Redundant Implements Clause (Java) | JAVA.CLASS.RI | BadExtension.RedundantImplementsWarning |
| Reflection Bypasses Member Accessibility (Java) | JAVA.CLASS.ACCESS.BYPASS | Reflection.MemberAccessibilityBypassWarning |
| Reflection Injection (Java) | JAVA.IO.TAINT.REFLECTION | Injection.ReflectionInjectionIntoFieldWarning, BasicInjection.ReflectionInjectionIntoFieldWarning, BasicInjection.ReflectionInjectionWarning, Injection.ReflectionInjectionWarning |
| Reflection Modifies Member Accessibility (Java) | JAVA.CLASS.ACCESS.MODIFY | Reflection.MemberAccessibilityChangeWarning |
| Return Value may Contain null Element (Java) | JAVA.DEEPNULL.RET.EMETH | Nullness.MethodReturnsInnerNullWarning |
| Return Value may be null (Java) | JAVA.DEEPNULL.RET.METH | Nullness.MethodReturnsNullWarning |
| Return null Array (Java) | JAVA.NULL.RET.ARRAY | BasicNullness.ReturningNullForArrayWarning |
| Return null Boolean (Java) | JAVA.NULL.RET.BOOL | BasicNullness.ReturningNullForBooleanWarning |
| Return null Optional (Java) | JAVA.NULL.RET.OPT | BasicNullness.ReturningNullForOptionalWarning |
| Risky Cipher Algorithm (Java) | JAVA.CRYPTO.RCA | Cryptography.RiskyCipherAlgorithmWarning |
| Risky Cipher Field (Java) | JAVA.CRYPTO.RCF | Cryptography.RiskyCipherFieldWarning |
| Risky Class Cast (Java) | JAVA.CLASS.CAST | Classcast.ClasscastOfFieldWarning, Classcast.ClasscastGenericWarning, Classcast.ClasscastOfMethodReturnWarning, Classcast.ClasscastOfFormalWarning |
| Risky Cryptographic Algorithm (Java) | JAVA.CRYPTO.RA | Cryptography.RiskyCryptographicAlgorithmFieldWarning |
| Risky Cryptographic Field (Java) | JAVA.CRYPTO.RF | Cryptography.RiskyCryptographicAlgorithmWarning |
| Risky JavaScript Interface (Java) | JAVA.JS.RI | JavascriptExecution.RiskyJavascriptInterfaceWarning |
| Risky array store (Java) | JAVA.CLASS.CAST.ARRSTORE | Classcast.ArrayStoreWarning |
| SQL Injection (Java) | JAVA.IO.INJ.SQL | BasicInjection.SqlInjectionWarning, Injection.SqlInjectionIntoFieldWarning, Injection.SqlInjectionWarning, BasicInjection.SqlInjectionIntoFieldWarning |
| Security Annotation Conflict (Java) | JAVA.INSEC.SAC | EncryptionAndSecurityConfig.SecurityAnnotationConflictWarning |
| Sensitive Data Cached (Java) | JAVA.MISC.SD.CACHE | SensitiveDataCaching.SensitiveDataExposureThroughCachingWarning |
| Sensitive Data Written to External Storage (Java) | JAVA.MISC.SD.EXT | SensitiveDataCaching.SensitiveDataStoredInExternalStorageWarning |
| Sensitive Data Written to Local File (Java) | JAVA.MISC.SD.FILE | SensitiveDataCaching.SensitiveDataStoredInFileWarning |
| Serialization Not Disabled (Java) | JAVA.CLASS.SER.ND | SerializationSecurity.SerializationNotDisabledWarning |
| Shadowed Identifier (Java) | JAVA.ID.SHADOW | BadExtension.FieldShadowedWarning, BadNames.MethodCalledAsAConstructorWarning, BadNames.ShadowedSuperclassNameWarning |
| Should Use == Instead of equals() (Java) | JAVA.COMPARE.EQUALS | BadEq.EqualsWarning |
| Should Use equals() Instead of == (Java) | JAVA.COMPARE.EQ | BadEq.EqualityWarning |
| Single-use Random Number Generator (Java) | JAVA.LIB.RAND.NEW | Random.SuboptimalRandomNumberWarning |
| Static Field Assigned Non-Static (Java) | JAVA.CLASS.STATICMOD | StaticFieldAccess.SetStaticInNonStaticWarning |
| Synchronization on Interned String (Java) | JAVA.CONCURRENCY.LOCK.ISTR | Concurrency.SynchronisationOnInternedStringWarning |
| Synchronization on static (Java) | JAVA.CONCURRENCY.LOCK.STATIC | Concurrency.ExpensiveSynchronizationOnStaticWarning |
| Synchronous Call to Thread Body (Java) | JAVA.CONCURRENCY.LOCK.SCTB | Concurrency.SynchronousCallToThreadBodyWarning |
| Tainted @Trusted Value (Java) | JAVA.IO.TAINT.TRUSTED | BasicInjection.GenericInjectionIntoFieldWarning, BasicInjection.GenericInjectionWarning, Injection.GenericInjectionIntoFieldWarning, Injection.GenericInjectionWarning |
| Tainted Bundle (Java) | JAVA.IO.TAINT.BUNDLE | Injection.TrustBoundaryViolationIntoFieldWarning, Injection.TrustBoundaryViolationWarning, BasicInjection.TrustBoundaryViolationWarning, BasicInjection.TrustBoundaryViolationIntoFieldWarning |
| Tainted Control (Java) | JAVA.IO.TAINT.CONTROL | Injection.ControlInjectionIntoFieldWarning, BasicInjection.ControlInjectionIntoFieldWarning, BasicInjection.ControlInjectionWarning, Injection.ControlInjectionWarning |
| Tainted Data in Vulnerable Method (Java) | JAVA.IO.TAINT.VULN | UseOfUncontrolledExternalData.ExternalDataInVulnerableMethodWarning |
| Tainted Expression Evaluation (Java) | JAVA.IO.TAINT.EVAL | BasicInjection.EvalInjectionIntoFieldWarning, BasicInjection.EvalInjectionWarning, Injection.EvalInjectionIntoFieldWarning, Injection.EvalInjectionWarning |
| Tainted HTTP Response (Java) | JAVA.IO.TAINT.HTTP | Injection.HttpResponseSplittingWarning, BasicInjection.HttpResponseSplittingWarning, Injection.HttpResponseInjectionIntoFieldWarning, BasicInjection.HttpResponseInjectionIntoFieldWarning |
| Tainted Hardware Device Property (Java) | JAVA.IO.TAINT.DEVICE | BasicInjection.DeviceInjectionWarning, Injection.DeviceInjectionWarning, BasicInjection.DeviceInjectionIntoFieldWarning, Injection.DeviceInjectionIntoFieldWarning |
| Tainted LDAP Attribute (Java) | JAVA.IO.TAINT.LDAP.ATTR | Injection.LDAPAttributeInjectionWarning, Injection.LDAPAttributeInjectionIntoFieldWarning, BasicInjection.LDAPAttributeInjectionIntoFieldWarning, BasicInjection.LDAPAttributeInjectionWarning |
| Tainted LDAP Filter (Java) | JAVA.IO.TAINT.LDAP.FILTER | Injection.LDAPFilterInjectionWarning, BasicInjection.LDAPFilterInjectionWarning, Injection.LDAPFilterInjectionIntoFieldWarning, BasicInjection.LDAPFilterInjectionIntoFieldWarning |
| Tainted Log (Java) | JAVA.IO.TAINT.LOG | Injection.LogForgingWarning, BasicInjection.LogForgingWarning, Injection.LogInjectionIntoFieldWarning, BasicInjection.LogInjectionIntoFieldWarning |
| Tainted Message (Java) | JAVA.IO.TAINT.MESSAGE | BasicInjection.MessageInjectionIntoFieldWarning, BasicInjection.MessageInjectionWarning, Injection.MessageInjectionWarning, Injection.MessageInjectionIntoFieldWarning |
| Tainted Network Address (Java) | JAVA.IO.TAINT.ADDR | Injection.AddressInjectionIntoFieldWarning, Injection.AddressInjectionWarning |
| Tainted Path (Java) | JAVA.IO.TAINT.PATH | BasicInjection.PathInjectionIntoFieldWarning, Injection.PathInjectionIntoFieldWarning, Injection.PathInjectionWarning, BasicInjection.PathInjectionWarning |
| Tainted Regular Expression (Java) | JAVA.IO.TAINT.REGEX | Injection.RegexInjectionIntoFieldWarning, BasicInjection.RegexInjectionIntoFieldWarning, BasicInjection.RegexInjectionWarning, Injection.RegexInjectionWarning |
| Tainted Resource (Java) | JAVA.IO.TAINT.RESOURCE | Injection.ResourceInjectionWarning, BasicInjection.ResourceInjectionIntoFieldWarning, Injection.ResourceInjectionIntoFieldWarning, BasicInjection.ResourceInjectionWarning |
| Tainted Session (Java) | JAVA.IO.TAINT.SESSION | Injection.SessionInjectionIntoFieldWarning, Injection.SessionInjectionWarning, BasicInjection.SessionInjectionIntoFieldWarning, BasicInjection.SessionInjectionWarning |
| Tainted URL (Java) | JAVA.IO.TAINT.URL | Injection.URLInjectionWarning, Injection.URLInjectionIntoFieldWarning, BasicInjection.URLInjectionIntoFieldWarning, BasicInjection.URLInjectionWarning |
| Tainted XAML (Java) | JAVA.IO.TAINT.XAML | Injection.XAMLInjectionIntoFieldWarning, Injection.XAMLInjectionWarning, BasicInjection.XAMLInjectionIntoFieldWarning, BasicInjection.XAMLInjectionWarning |
| Tainted XML (Java) | JAVA.IO.TAINT.XML | BasicInjection.XMLInjectionIntoFieldWarning, BasicInjection.XMLInjectionWarning, Injection.XMLInjectionIntoFieldWarning, Injection.XMLInjectionWarning |
| Tainted Xpath (Java) | JAVA.IO.TAINT.XPATH | Injection.XPathInjectionIntoFieldWarning, BasicInjection.XPathInjectionIntoFieldWarning, BasicInjection.XPathInjectionWarning, Injection.XPathInjectionWarning |
| Unchecked Parameter Dereference (Java) | JAVA.STRUCT.UPD | BasicNullness.FormalNullWarning |
| Unchecked Parameter Dereference (deep) (Java) | JAVA.STRUCT.DUPD | Nullness.FormalNullWarning |
| Unchecked Parameter Element Dereference (deep) (Java) | JAVA.STRUCT.UPED | Nullness.FormalInnerNullWarning |
| Unexpected Serial Version Field (Java) | JAVA.CLASS.SER.UIDU | Serialization.UnexpectedSerialVersionFieldWarning |
| Unguarded Field (Java) | JAVA.CONCURRENCY.UG.FIELD | GuardedBy.UnguardedFieldWarning |
| Unguarded Method (Java) | JAVA.CONCURRENCY.UG.METH | GuardedBy.UnguardedMethodOrConstructorWarning |
| Unguarded Parameter (Java) | JAVA.CONCURRENCY.UG.PARAM | GuardedBy.UnguardedParameterWarning |
| Universal JavaScript Access from File URLs (Java) | JAVA.JS.UAFU | JavascriptExecution.AllowedUniversalAccessFromFileURLsByDefaultWarning, JavascriptExecution.AllowedUniversalAccessFromFileURLsWarning |
| Unnecessary Field (Java) | JAVA.STRUCT.UNFLD | ImproperField.FieldIsOnlyUsedInConstructorsWarning, ImproperField.FieldIsOnlyUsedInStaticInitialiserWarning, ImproperField.UselessFieldUpdateWarning, ImproperField.FieldShouldBeReplacedByLocalsWarning |
| Unnecessary Instantiation for GetClass (Java) | JAVA.CLASS.UIGC | InefficientConstruction.InefficientConstructionForGetClassWarning |
| Unused Method (Java) | JAVA.STRUCT.UUMETH | Deadcode.UncalledWarning |
| Unreachable Instruction (Java) | JAVA.STRUCT.UC.INSTR | Deadcode.UnreachableInstructionWarning |
| Unsafe Base64 Encoding (Java) | JAVA.CRYPTO.BASE64 | Cryptography.UnsafeBase64EncodingWarning |
| Untrusted Network Host (Java) | JAVA.IO.UT.HOST | UnsafeConnection.HostnameNotVerifiedWarning |
| Unused Class (Java) | JAVA.STRUCT.UUCLASS | UnusedClass.UnusedClassWarning, Deadcode.ClassNeverInstantiatedWarning |
| Unused Field (Java) | JAVA.STRUCT.UUFIELD | FieldAccess.FieldNeverUsedWarning |
| Unused Object (Java) | JAVA.STRUCT.UUOBJ | UselessConstruction.UselessConstructionWarning |
| Unused Value: Actual Parameter (Java) | JAVA.STRUCT.UUVAL.ACTUAL | UselessAssignment.AssignmentToUnreadParameterWarning |
| Unused Value: Variable (Java) | JAVA.STRUCT.UUVAL.VAR | UselessAssignment.AssignmentToUnusedVariableWarning |
| Unused Value: Write to Parameter (Java) | JAVA.STRUCT.UUVAL.PARAM | UselessAssignment.AssignmentToUnusedParameterWarning |
| Use of Hardware ID (Java) | JAVA.IO.HWID | UnsafeConnection.NotRecommendedHardwareIdFromFieldWarning, UnsafeConnection.NotRecommendedHardwareIdFromParameterWarning, UnsafeConnection.NotRecommendedHardwareIdWarning |
| Use of Insecure verify for Certificate (Java) | JAVA.INSEC.HVU | UnsafeConnection.BadHostnameVerifierWarning |
| Use of Insecure verify for Hostname (Java) | JAVA.INSEC.CVU | UnsafeConnection.BadTrustVerifierWarning |
| Useless Assignment (Java) | JAVA.STRUCT.UA | UselessAssignment.TautologicalAssignmentWarning |
| Useless Assignment to Default (Java) | JAVA.STRUCT.UA.DEFAULT | UselessAssignment.UselessAssignmentToDefaultValueWarning |
| Useless Class Cast (Java) | JAVA.CLASS.CAST.USELESS | Classcast.UselessClasscastWarning |
| Useless Synchronization (Java) | JAVA.CONCURRENCY.LOCK.USELESS | Concurrency.UselessSynchronizationWarning |
| Useless null Test (Java) | JAVA.DEEPNULL.UTEST | Nullness.UselessNullnessTestWarning |
| Useless null Test of Field (Java) | JAVA.DEEPNULL.UTEST.FIELD | Nullness.UselessNullnessTestOfFieldWarning |
| Useless null Test of Parameter (Java) | JAVA.DEEPNULL.UTEST.PARAM | Nullness.UselessNullnessTestOfFormalWarning |
| Useless null Test of Return Value (Java) | JAVA.DEEPNULL.UTEST.RV | Nullness.UselessNullnessTestOfMethodReturnWarning |
| Useless volatile Modifier (Java) | JAVA.CONCURRENCY.VOLATILE | Concurrency.UselessVolatileModifierWarning, Concurrency.VolatileContainerFieldWarning, Concurrency.VolatileArrayFieldWarning |
| Weak Cryptographic Value (Java) | JAVA.CRYPTO.VALUE | Cryptography.PossibleGenerationOfWeakCryptographicValuesWarning |
| Weak Hash Algorithm (Java) | JAVA.CRYPTO.WHA | Cryptography.WeakHashingAlgorithmWarning |
| Weak Hash Algorithm Field (Java) | JAVA.CRYPTO.WHAF | Cryptography.WeakHashingAlgorithmFieldWarning |
| clone Non-cloneable (Java) | JAVA.CLASS.CLONE.CNC | Clone.CloneForNonCloneableWarning |
| clone Subclass of Non-clonable (Java) | JAVA.CLASS.CLONE.SCNC | Clone.SubclassesMayBeClonedWarning |
| clone not final (Java) | JAVA.CLASS.CLONE.NF | Clone.NonFinalCloneMethodWarning |
| compareTo in Non-Comparable Class (Java) | JAVA.COMPARE.CTO.NONCOMP | CompareTo.CompareToInNonComparableWarning |
| compareTo without equals (Java) | JAVA.IDEF.CTONOEQ | CompareTo.CompareToWithDefaultEqualsWarning |
| compareTo/equals mismatch (Java) | JAVA.IDEF.CTOEQ | CompareTo.CompareToInconsistentWithEqualsWarning |
| equals Always Fails (Java) | JAVA.REDUNDANT.EQUALSF | BadEq.ImpossibleEqualsWarning |
| equals Parameter Should Be Object (Java) | JAVA.IDEF.EQUALS.NONOBJ | EqualsHashCode.EqualsNotAgainstObjectWarning |
| equals on Array (Java) | JAVA.COMPARE.EQARRAY | BadEq.EqualsOnArraysWarning |
| null Passed to Method (deep) (Java) | JAVA.DEEPNULL.PARAM.ACTUAL | Nullness.ActualNullWarning |
| toString on Array (Java) | JAVA.TYPE.ARRAYTOSTRING | CallsOnArray.CallToToStringOnArrayWarning |
There are several changes to the set of configuration parameters:
| New Parameter | Purpose |
|---|---|
| FORMAT_STRING_WARN_ON_EQUAL_SIZE | Specifies whether or not a Format String Type Error warning should be issued when the integer kind of the type of an argument does not match the integer kind of the format string specifier, but the two integer kinds have equal sizes. |
| FORMAT_STRING_WARN_ON_SIGN_MISMATCH | Specifies whether or not a Format String Type Error warning should be issued when the sign of the type of an argument does not match the sign of the format string specifier. |
| JAVA_ANALYSIS_FRAMEWORK | Informs the Java build/analysis about the runtime environment of the analyzed application. |
| JAVA_ANALYSIS_ENTRY_POINTS_MODE | Specifies how the Java build/analysis will determine the application's entry points: the methods that can be invoked by the runtime environment and that should be considered starting points of the analysis. |
| JAVA_ANALYSIS_ENABLE_ASSERTIONS | Specifies whether or not the Java build/analysis will treat assertion statements as if they are executed. |
| JAVA_ANALYSIS_TIMEOUT | Specifies a timeout (in seconds) for the overall Java build/analysis. |
| JAVA_ANALYSIS_ADVANCED_INJECTION | Specifies whether or not the Java build/analysis will perform advanced checking for injection-related issues. |
| JAVA_ANALYSIS_JVM_OPTIONS | Specifies options to the JVM that will execute the Java build/analysis. |
| JAVA_LAUNCHER_JVM_OPTIONS | Customizes the execution of the JVM that will execute the Java build/analysis launcher. |
| JAVA_ANALYSIS_MAX_MEMORY | In combination with JAVA_ANALYSIS_MEMORY_MANAGEMENT, specifies the maximum amount of memory that the Java build/analysis can use. |
| JAVA_ANALYSIS_MEMORY_MANAGEMENT | In combination with JAVA_ANALYSIS_MAX_MEMORY, specifies how the Java build/analysis will manage its memory limit. |
| JAVA_ANALYSIS_JVM_CONCURRENCY | Specifies the number of CPUs that the JVM executing the Java analysis is allowed to use. |
| UNDER_BY_ONE | Specifies whether or not CodeSonar will report Buffer Underrun and Type Underrun warnings when a guard almost, but not quite, contradicts the warning, and at the same time there is no evidence that the index can take on the dangerous value. |
| UNSIGNED_BRACKET_INEQUALITY | Specifies whether or not CodeSonar will infer that unsigned comparison against an upper bound also implies a lower bound of zero. |
| Parameter | Changes |
|---|---|
| FORMAT_STRING_CHECKER_CHECKED_FUNCS | Argument format has changed to accommodate more information, allowing this parameter to also specify checks for the new Format String Type Error warning class. |
| IGNORED_COMPILATIONS | This parameter no longer applies to Java analyses. The functionality has been replaced by Java build options: -exclude-artifacts and -exclude-sources. |
| UNFINISHED_CODE_TAGS | Additional strings have been added to the factory settings: BUG, LATER, HACK. |
The following configuration parameters are no longer available.
The following configuration parameters are not available in this release, but will return in a future release along with C# analysis capability.
There are several new configuration presets, and the java_style preset has been deleted.
The new presets are as follows.
| New Preset | Description |
|---|---|
| java_complete | Enable all Java warning classes. |
| java_deep | Enable all Java warning classes that are disabled by default and classified as deep. |
| java_pedantic | Enable all Java warning classes that are disabled by default and classified as pedantic. |
| java_security | Enable all Java warning classes whose significance is "security". |
| owasp2017 | Enable all warning classes (except those with mnemonic DIAG.*, which are diagnostic only) that are closely mapped to one or more of the OWASP Top Ten Application Security Risks - 2017. |
| sans-cwe2020 | Enable all warning classes that are closely mapped to one or more of the 2020 CWE/SANS Top 25 Most Dangerous Software Weaknesses. |
NOTE: This version of CodeSonar does not include warning class category mappings for the SEI CERT Oracle Coding Standard for Java, so the certjava preset will have no effect. CERT-Java mappings will be added in a future release.
Several of the models have undergone general improvements and bug fixes.
There are three new compiler models:
CodeSonar now uses EDG version 6.1.
There are new front end options available:
There are a small number of new unnormalized C/C++ AST classes and normalized C/C++ AST classes; one unnormalized C/C++ AST class has been modified.
| Modified Class | Changes |
|---|---|
| cc:variable | new child :binding-init |
| NUMBER | NAME | NOTES |
|---|---|---|
| 14185 | Codesonar cored: OOM (SF:11208) | fixed |
| 19598 | Parse Error: static_assert in IAR in C99 mode | fixed |
| 21156 | arm_neon types | fixed |
| 23549 | MSVC settings for the compiler model | fixed |
| 28149 | Verify that CodeSonar can analyze newly released Android Q 2020-12-0 | verified |
| 31172 | Crash: assertion failed at: "EDGCP-dist\src\overload.c", line 21279 | fixed |
| 31233 | Moving 100 projects from the hub root to a projecttree causes what seems to be an infinite loop with the message "Moving failed for ..." | fixed: large numbers of projects can now be moved |
| 33057 | Update Alerts page in the manual to include a screenshot of hub alerts | See updated manual page: Alerts. |
| 33747 | False Positive: Inappropriate Assignment Type | fixed |
| 33825 | Customer needs backport of bug 33747 fix in 5.3 | provided |
| 33911 | LANG.STRUCT.MISRS : Misplaced Return Statement false positive | fixed |
| 34089 | False Positive: Inappropriate Assignment Type warning when unsigned int and unsigned long in are both 32bits | fixed |
| 34133 | False Positive for Inappropriate Operand Type with respect to Misra2012:10.1. | fixed |
| 34147 | False Positive for Side Effects in Initializer List with respect to Misra2012:13.1 | fixed |
| 34159 | Buffer Overrun/Buffer Underrun false negative | fixed |
| 34261 | Feature Request: command-line option or command to compare analyses and get results as CSV or XML, etc. | Use codesonar dump_warnings.py with the --gained-since-previous-analysis or --lost-since-previous-analysis option. |
| 34293 | False positive: Body Is Not Compound Statement for 'else if' clause | fixed |
| 34327 | Expand documentation on updating configuration files to include requirement for "patch" tool. | See updated manual page: Upgrading Configuration Files. |
| 34998 | False positives: Inappropriate Operand Types; Mismatched Operand Types | The first of these was determined to be a true positive. The second is fixed. |
| 35001 | Hub Administrator can delete role "User", which can cause issues when upgrading the hub | fixed |
| 36486 | False positive due to C++ polymorphism: Cast: Object Pointer | fixed |
| 36809 | Amend documentation on upgrading a hub to account for different options available on Linux vs. Windows installations. | See updated manual page: Installation: Hub Setup: Upgrading an Existing Hub. |
| 36839 | DotnetFE: Update WARNING: Could not find the FxCop executable. Please specify its location using the --fxcop-path option. | CodeSonar is no longer integrated with FxCop. See C# (.NET) Analysis above for more information. |
| 37201 | LANG.STRUCT.MISRS : Misplaced Return Statement false positive | fixed (duplicate of 33911) |
| 37222 | Amend documentation on discovering thread entry points to note that the "Data Race" warning class must be enabled. | See updated manual page: Concurrency Models: Thread Entry Points. |
| 37231 | Crash with UNINITIALIZED_GLOBALS=Yes | fixed |
| 37232 | Verify that SARIF examples presented in manual work as specified. | verified |
| 37281 | Parse Errors: identifier "cs_isnan" is undefined, identifier "cs_isnanf" is undefined, identifier "cs_isnanl" is undefined using iar compiler model and iccrx compiler | fixed |
| 37329 | Feature Request: support Rowley CrossStudio 4.7.3 | Already supported: if you use Rowley CrossStudio, use the compiler driver 'cc' as stated in the Crossworks ARM documentation rather than calling the 'cc1.exe' compiler directly. |
| 38445 | Fatal Parse Error: WARNING: CodeSonar has encountered an error while running Java Analyzer: java returned 1 | fixed |
| 38630 | gcc compiler model doesn't recognize --include=foo.h | fixed |
| 39032 | Possible problem with the Java analysis | fixed; if no .class files are detected, a diagnostic is printed. |