CodeSonar Release 6.1p0 Release Notes

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

Release Notes

CodeSonar Release 6.1, patchlevel 0: Release Notes

Official release date: August 4, 2021.

Notes on Upgrading
What's New
Customer Tickets Fixed

Notes on Upgrading

The database upgrades for CodeSonar 6.1 are significant.

Upgrading a large database may take several days.
If your hub uses a character encoding other than ASCII or UTF-8, we strongly recommend that you back up your hub before upgrading.

If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.

See Upgrading Configuration Files for instructions.
For some configuration files, the procedure includes steps that must be carried out before CodeSonar is upgraded.
If you are upgrading a CodeSonar installation that will be used by someone else:
- Determine the most appropriate person to upgrade the general template and compiler template configuration files.
  This will depend on local factors such as who usually makes changes to these files.
- Notify the other user that they will need to upgrade their general project and project-compiler configuration files for all projects.

Previous versions of some CodeSonar integrations are incompatible with this release of CodeSonar. You will need to upgrade the following integrations to use them with this release of CodeSonar.

The CodeSonar Jira Server Integration versions 2.04 and earlier are incompatible with this release of CodeSonar. A subsequent version of the plug-in will be compatible with this version of CodeSonar.
The CodeSonar / GitLab integration versions 1.1 and earlier are incompatible with this release of CodeSonar. A subsequent version of the plug-in will be compatible with this version of CodeSonar.

What's New

C# (.NET) Analysis	This version of CodeSonar re-introduces support of C# analysis.
Python 3	All uses of Python in CodeSonar have been upgraded to Python 3.
Warning Classes	There are many changes to the set of warning classes, including a large number of new C# warning classes.
CWE	This version of CodeSonar uses CWE v4.4 (released March 15, 2021).
TS17961 categories	The naming scheme for warning categories corresponding to the ISO/IEC TS 17961 "C Secure Coding Rules Technical Specification" has changed to TS17961:num-name, where num is a rule number and name is the short name of that rule. (Previously the naming scheme was TS17961:name.)
Configuration Parameters	There are several new configuration parameters, and two modified parameters.
Configuration Presets	New presets csharp_complete, csharp_deep, csharp_pedantic, csharp_security, barr_naming.
EDG Upgrade	CodeSonar now uses EDG version 6.2, released February 10, 2021.
C++ Support Improvements	All features of C++14 and C++17 are now fully supported. Support for C++20 has also been extended, with most features now fully supported. For more information, see C++ Support.
Java Build/Analysis	The default behavior of include options and exclude options has changed: if one of these options is specified with a pattern that does not match any files in the file system, the analysis will terminate with an error message. New option -no-abort-unmatched-pattern allows you to specify that analysis should continue in such cases.
Compiler Models	Several of the models have undergone general improvements and bug fixes.
codesonar dump_warnings.py	The codesonar dump_warnings.py command has three new options. --sarif and --src-root support download in SARIF format. -t specifies the maximum time (in seconds) the request is allowed to take.
Management Reports	There are several new predefined management report templates. Template metavariable syntax has changed for some metavariables.
New HTTP API functionality	Terms for visibility filters can now use filter names as an alternative to numeric filter IDs. See the HTTP API manual page for more information and examples.
API Changes	A number of additions, removals, and modifications.
AST Changes	There are new, modified, and deleted unnormalized C/C++ AST classes.
Deprecation Notice	The Windows 7 family of operating systems is no longer supported as of this CodeSonar release.
Release Status	CodeSonar 5.2p0 is now in sunset. CodeSonar 5.0 is now at end of life.

Details

C# Analysis [64-bit Windows only]

The CodeSonar C# analysis has been restored in this release, but differs in several important respects from the C# analysis available in versions 5.4 and earlier.

The C# analyses previously performed by "Standalone CodeSonar" (previously Julia) are now fully integrated into CodeSonar and there is no longer a separate tool. All build and analysis for C# code is now invoked directly through CodeSonar.
The cs-dotnet-scan command syntax and options have changed. See the Build and Analysis for C# Projects page for full details, including a number of example command lines.
There are many new warning classes for C# .
Many of the changes to configuration parameters in this release are directly related to the changes in the C# analysis.
The direct integration for FxCop has been removed. FxCop is no longer invoked by the C# build/analysis.

Note: While the C# build and analysis can be performed on 64-bit Windows machines only, analysis results can be submitted to a hub running on any platform.

Python 3

All uses of Python in CodeSonar have been upgraded to Python 3. In particular:

The hub now uses Python 3.
- Upgrading your hub to CodeSonar 6.1p0 will generally take longer than it has for other version upgrades. Large hubs may take several days.
- Hubs will more readily accommodate non-English character sets.
- Management report metavariable syntax has changed for some metavariables.
The Python executable shipped as $CSONAR/codesonar/bin/cspython is now a Python 3 executable.
Example Python scripts for the various scripting tasks have been upgraded to Python 3: use Python 3 to run example scripts (either your own copy or the $CSONAR/codesonar/bin/cspython executable.
The CodeSonar Python API has been upgraded to Python 3. See API: Modified, below, for more information.

Warning Classes

There are many changes to the set of warning classes.

C/C++	There are some new C/C++ warning classes, extending CodeSonar's MISRA and AUTOSAR coverage.
Java	There are two new Java warning classes. There are also a number of changes to existing Java warning classes.
C#	There are a large number of new C# warning classes.

New C/C++ Warning Classes

New C/C++ Warning Class	Mnemonic
Anonymous Namespace in Header File	LANG.STRUCT.DECL.ANH
Array to Pointer Decay	LANG.CAST.ARRAY.POINTER
Inappropriate Declaration in Global Namespace	LANG.STRUCT.DECL.GLOBAL
Method Default Value Mismatch	LANG.FUNCS.DEFAULT.OVERRIDE
Misplaced Using Declaration	LANG.STRUCT.USING.MDECL
Naming Style Violation	LANG.ID.STYLE
NULL Used as Integer	LANG.CAST.NULL.INT

New Java Warning Classes

Warning Class Name	Mnemonic	Previous Julia Checker.Warning
Inadequate Salt (Java)	JAVA.CRYPTO.SALT	Cryptography.InadequateSaltWarning
Static Field Too Visible (Java)	JAVA.CLASS.VIS.SFIELD	StaticFieldSecurity.StaticNonFinalFieldVisibilityIsTooWeakWarning

Modified Java Warning Classes

The class formerly named "== Always Fails (Java)" has been renamed to Impossible reference comparison (Java). Its mnemonic is still JAVA.REDUNDANT.EQF.
The following classes are now disabled by default.
- Unsafe Base64 Encoding (Java) (now requires JAVA_ANALYSIS_PEDANTIC_MODE=Yes)
- clone Subclass of Non-clonable (Java) (now requires JAVA_ANALYSIS_STRICT_MODE=Yes)
Several of the new configuration parameters in CodeSonar 6.1p0 control checking behavior for one or more Java warning classes. See the configuration parameter documentation for details.

New C# Warning Classes

There are many new C# warning classes, representing full integration of the Julia tool into CodeSonar.

The classes have been given new names and mnemonics as part of the integration.
- Mnemonics for all C# warning classes are of the form CSHARP.*.
- Names for all C# warning classes end with "(C#)".
In several cases, multiple Julia 'warnings' have been combined into a single CodeSonar warning class.
The following table shows the previous Julia checker and warning names corresponding to each warning class.
Where Julia warnings that were issued by both BasicInjection and Injection checkers have been combined into a single CodeSonar warning class, the degree of checking performed is controlled by new configuration parameter CSHARP_ANALYSIS_ADVANCED_INJECTION.

Warning Class Name	Mnemonic	Previous Julia Checker.Warning
== Always Fails Because Types Always Different (C#)	CSHARP.REDUNDANT.EQF.TYPE	BadEq.EqualsOnDisjointTypesWarning
Abs on random (C#)	CSHARP.MATH.ABSRAND	AbsOfRandom.AbsOfRandomWarning
Actual Parameter Element may be null (C#)	CSHARP.DEEPNULL.PARAM.EACTUAL	Nullness.ActualInnerNullWarning
Ambiguous Call from Inner Class (C#)	CSHARP.CLASS.ACIC	InnerClasses.AmbiguousCallFromInnerClassWarning
Anonymous LDAP Authentication (C#)	CSHARP.INSEC.LDAP.ANON	Authentication.AuthenticationSetToAnonymousWarning
Approximate e Constant (C#)	CSHARP.MATH.APPROX.E	Approximation.ApproximateEWarning
Approximate pi Constant (C#)	CSHARP.MATH.APPROX.PI	Approximation.ApproximatePIWarning
Assignment in Conditional (C#)	CSHARP.STRUCT.CONDASSIG	BadEq.AssigningInsteadOfComparingWarning
Asymmetric compareTo (C#)	CSHARP.COMPARE.CTO.ASSYM	CompareTo.AsymmetricalCompareToWarning
Bitwise AND on Boolean (C#)	CSHARP.STRUCT.BW.AND	ShortCircuit.NonShortCircuitANDWarning
Bitwise AND on Boolean Constant (C#)	CSHARP.STRUCT.BW.ANDC	ShortCircuit.ANDAgainstConstantWarning
Bitwise OR on Boolean (C#)	CSHARP.STRUCT.BW.OR	ShortCircuit.NonShortCircuitORWarning
Bitwise OR on Boolean Constant (C#)	CSHARP.STRUCT.BW.ORC	ShortCircuit.ORAgainstConstantWarning
Blocking in Critical Section (C#)	CSHARP.CONCURRENCY.STARVE.BLOCKING	Concurrency.BlockingCallInsideSynchronizationWarning
Broad Throws Clause (C#)	CSHARP.STRUCT.EXCP.BROAD	ExceptionHandlers.BroadThrowsClauseWarning
Call Might Return Null (C#)	CSHARP.NULL.RET.UNCHECKED	BasicNullness.MissingNullnessCheckOfReturnedValueWarning
Cast: Integer to Floating Point (C#)	CSHARP.CAST.FTRUNC	Approximation.CastIntegralComputationIntoFloatingPointWarning
Cast: int Computation to long (C#)	CSHARP.ARITH.OFLOW	Approximation.CastIntComputationIntoLongWarning
Certificate Added to Root Store (C#)	CSHARP.INSEC.CERT.RS	EncryptionAndSecurityConfig.PossibleCertificateAddedToRootStoreWarning
Class Enables Debug Features (C#)	CSHARP.DEBUG.CEDF	Production.DebugModeInProductionWarning
Closeable Not Closed (C#)	CSHARP.ALLOC.LEAK.NOTCLOSED	CloseResource.ResourceNotClosedAtEndOfMethodWarning
Closeable Not Stored (C#)	CSHARP.ALLOC.LEAK.NOTSTORED	CloseResource.CloseableNotStoredIntoLocalWarning
Code Injection (C#)	CSHARP.IO.INJ.CODE	Injection.CodeInjectionIntoFieldWarning, BasicInjection.CodeInjectionIntoFieldWarning, BasicInjection.CodeInjectionWarning, Injection.CodeInjectionWarning
Command Injection (C#)	CSHARP.IO.INJ.COMMAND	Injection.CommandInjectionWarning, Injection.CommandInjectionIntoFieldWarning, BasicInjection.CommandInjectionIntoFieldWarning, BasicInjection.CommandInjectionWarning
Comparison to Empty String (C#)	CSHARP.COMPARE.EMPTYSTR	BadEq.InefficientStringEmptynessTestWarning
Cross Site Scripting (C#)	CSHARP.IO.INJ.XSS	BasicInjection.XSSInjectionIntoFieldWarning, BasicInjection.XSSInjectionWarning, Injection.XSSInjectionIntoFieldWarning, Injection.XSSInjectionWarning
Cryptographic Algorithm with Risky Default Cipher (C#)	CSHARP.CRYPTO.CADRC	Cryptography.CryptographicAlgorithmWithRiskyDefaultCipherAlgorithmWarning
Cryptographic Algorithm with Weak Cipher (C#)	CSHARP.CRYPTO.CARC	Cryptography.CryptographicAlgorithmWithRiskyCipherAlgorithmWarning
Cryptographic Algorithm with Weak Hash (C#)	CSHARP.CRYPTO.CAWH	Cryptography.CryptographicAlgorithmWithWeakHashingAlgorithmWarning
DLL Injection (C#)	CSHARP.IO.INJ.DLL	BasicInjection.DLLInjectionWarning, Injection.DLLInjectionIntoFieldWarning, Injection.DLLInjectionWarning, BasicInjection.DLLInjectionIntoFieldWarning
DOS Injection (C#)	CSHARP.IO.INJ.DENIAL	BasicInjection.DOSInjectionIntoFieldWarning, Injection.DOSInjectionIntoFieldWarning, Injection.DOSInjectionWarning, BasicInjection.DOSInjectionWarning
Debug Call (C#)	CSHARP.DEBUG.CALL	Production.InadequateCallInProductionWarning
Debug Warning (C#)	CSHARP.DEBUG.LOG	Production.UseLogInsteadWarning
Defines equals but not hashCode (C#)	CSHARP.IDEF.EQUALSNOHC	EqualsHashCode.NoHashCodeWarning
Defines hashCode but not equals (C#)	CSHARP.IDEF.HCNOEQUALS	EqualsHashCode.NoEqualsWarning
Deprecated Cryptography Provider (C#)	CSHARP.CRYPTO.DEPRECATED	Cryptography.DeprecatedOrDeletedCryptographyProviderFieldWarning, Cryptography.DeprecatedOrDeletedCryptographyProviderMethodWarning
Deprecated Transfer Protocol (C#)	CSHARP.INSEC.DTP	EncryptionAndSecurityConfig.UnsafeTransferProtocolUsedInFieldWarning, EncryptionAndSecurityConfig.UnsafeTransferProtocolUsedInMethodWarning
Deserializable Class (C#)	CSHARP.CLASS.SER.DESER	Deserialization.DeserializableClassWarning
Disabled Input Validation (C#)	CSHARP.INSEC.DIV	EncryptionAndSecurityConfig.DisabledValidationInputInsideMethodWarning, EncryptionAndSecurityConfig.DisabledValidationInputInsideClassWarning
Double-Checked Locking (C#)	CSHARP.CONCURRENCY.LOCK.DCL	Concurrency.UnsafeLazyInitialisationWarning
Empty Branch Statement (C#)	CSHARP.STRUCT.EBS	UselessTest.UselessTestWarning
Empty Exception Handler (C#)	CSHARP.STRUCT.EXCP.EEH	ExceptionHandlers.EmptyExceptionHandlerWarning
Empty zip File Archived (C#)	CSHARP.STRUCT.ARCHIVE.EZF	Zip.EmptyZipEntryWarning
Exception Information Disclosure (C#)	CSHARP.DEBUG.ID	Production.InformationDisclosureWarning
Field Element may be null (deep) (C#)	CSHARP.DEEPNULL.EFIELD	Nullness.FieldInnerNullWarning
Field Never Read (C#)	CSHARP.STRUCT.URFIELD	FieldAccess.FieldNeverReadWarning
Field Never Written (C#)	CSHARP.STRUCT.UWFIELD	FieldAccess.FieldNeverWrittenWarning
Field may be null (deep) (C#)	CSHARP.DEEPNULL.FIELD	Nullness.FieldNullWarning
Field Too Visible (C#)	CSHARP.CLASS.VIS.FIELD	InstanceFieldSecurity.InstanceNonFinalFieldVisibilityIsTooWeakWarning, InstanceFieldVisibility.FieldVisibilityIsTooWeakWarning
Floating Point Equality (C#)	CSHARP.ARITH.FPEQUAL	Approximation.FloatComparisonWarning
Generic Exception Handler (C#)	CSHARP.STRUCT.EXCP.GEH	ExceptionHandlers.GenericExceptionHandlerWarning
Hardcoded Filename (C#)	CSHARP.HARDCODED.FNAME	Resources.HardcodedFileNameWarning
Hardcoded IP Address (C#)	CSHARP.HARDCODED.IP	EncryptionAndSecurityConfig.HardcodedIPWarning, EncryptionAndSecurityConfig.HardcodedIPAddressUsedInMethodWarning
Hardcoded Password (C#)	CSHARP.HARDCODED.PASSWD	Passwords.HardcodedPasswordWarning, Passwords.PossibleHardcodedPasswordPropagatedByCallsWarning
Hardcoded Random Seed (C#)	CSHARP.HARDCODED.SEED	Random.UseOfFixedSeedWarning
Hostname in Condition (C#)	CSHARP.INSEC.HIC	Authentication.HostNameInConditionWarning
Ignored Return Value (C#)	CSHARP.FUNCS.IRV	UnusedReturnValue.ReturnValueShouldBeUsedWarning
Ignored Return Value for Pure Function (C#)	CSHARP.FUNCS.IRV.PURE	UnusedReturnValue.UselessCallToAPureMethodWarning
Impossible Client Side Locking (C#)	CSHARP.CONCURRENCY.LOCK.ICS	Concurrency.ImpossibleClientSideLockingWarning
Impossible reference comparison (C#)	CSHARP.REDUNDANT.EQF	BadEq.ImpossibleEqualityWarning
Inadequate Salt (C#)	CSHARP.CRYPTO.SALT	Cryptography.InadequateSaltWarning
Inappropriate Exception Handler (C#)	CSHARP.STRUCT.EXCP.INAPP	ExceptionHandlers.InappropriateExceptionHandlerWarning
Inappropriate Instanceof (C#)	CSHARP.CLASS.IOF.BAD	UselessInstanceof.UnexpectedInstanceofWarning
Inefficient Bitwise AND (C#)	CSHARP.STRUCT.BW.ANDI	ShortCircuit.InefficientSameValueANDWarning
Inefficient Bitwise OR (C#)	CSHARP.STRUCT.BW.ORI	ShortCircuit.InefficientSameValueORWarning
Insecure Cookie (C#)	CSHARP.LIB.HTTP.COOKIE	Cookie.PossibleInsecureCookieCreationWarning, Cookie.InsecureCookieWarning
Insecure Key Derivation (C#)	CSHARP.CRYPTO.KEY	Cryptography.InsecureKeyDerivationFunctionWarning
Insecure Random Number Generator (C#)	CSHARP.LIB.RAND.FUNC	Random.InsecureRandomWarning
Insecure XSLT Execution (C#)	CSHARP.LIB.XML.INSEC_XSLT	Xml.InsecureXSLTExecutionWarning
Instanceof Always False (C#)	CSHARP.CLASS.IOF.F	UselessInstanceof.ImpossibleInstanceofWarning
Instanceof Always True (C#)	CSHARP.CLASS.IOF.T	UselessInstanceof.TautologicalInstanceofWarning
Method Disables Security Setting (C#)	CSHARP.INSEC.MDSS	EncryptionAndSecurityConfig.SafeSecuritySettingDisabledWarning
Method Enables Debug Features (C#)	CSHARP.DEBUG.MEDF	Production.DebugCallInProductionWarning
Method Names Differ Only in Case (C#)	CSHARP.ID.CASE.METHOD	BadExtension.CaseOverrideWarning
Method Should be final (C#)	CSHARP.CLASS.METH.NF	MethodCouldBeFinal.MethodShouldBeFinalWarning
Method Should be private (C#)	CSHARP.CLASS.VIS.METH.PRIV	MethodShouldBePrivate.MethodShouldBePrivateWarning
Method Should Not Return null (C#)	CSHARP.NULL.RET.NONNULL	BasicNullness.MethodShouldNotReturnNullWarning
Missing Authentication Annotation (C#)	CSHARP.INSEC.MAA	Authentication.UnauthenticatedWebAPIWarning
Missing Call to super (C#)	CSHARP.CLASS.MCS	CallSuper.CallSuperWarning
Missing Equals Override (C#)	CSHARP.IDEF.NOEQUALS	EqualsHashCode.SuspiciousInheritanceOfEqualsWarning
Missing synchronized Statement (C#)	CSHARP.CONCURRENCY.SYNC.MSS	GuardedBy.MissingSynchronizedWarning
Mutable Constant Field (C#)	CSHARP.TYPE.MCF	MutableConstantField.MutableConstantFieldWarning
Mutable Enumeration (C#)	CSHARP.TYPE.ME	ImproperField.MutableEnumWarning
Naming Style Violation (C#)	CSHARP.ID.STYLE	BadNames.BadClassNameWarning, BadNames.BadFieldNameWarning, BadNames.BadMethodNameWarning, BadNames.BadParameterNameWarning
Non-Object compareTo Parameter (C#)	CSHARP.COMPARE.CTO.NONOBJ	CompareTo.CompareToForNonObjectWarning
Non-overriding Method Signature (C#)	CSHARP.ID.BADOVERRIDE	BadExtension.ParametersOverrideWarning
Nonserializable Field (C#)	CSHARP.CLASS.SER.FNON	Serialization.NonSerializableFieldWarning
Nonserializable Field Element (C#)	CSHARP.CLASS.SER.ENON	Serialization.NonSerializableElementsOfFieldWarning
Nonserializable Outer Class (C#)	CSHARP.CLASS.SER.OCNON	Serialization.NonSerializableOuterClassWarning
Null Parameter Dereference (C#)	CSHARP.NULL.PARAM.ACTUAL	BasicNullness.ActualNullReflectionWarning, BasicNullness.ActualNullWarning
Null Pointer Dereference (C#)	CSHARP.NULL.DEREF	BasicNullness.SynchronizationOnNullWarning, BasicNullness.ArrayStoreIntoNullWarning, BasicNullness.GetFieldFromNullWarning, BasicNullness.VariableCanOnlyBeNullWarning, BasicNullness.ArrayLengthOfNullWarning, BasicNullness.PutFieldIntoNullWarning, BasicNullness.ArrayLoadFromNullWarning, BasicNullness.ThrowOfNullWarning, BasicNullness.CallOnNullWarning
Null Pointer Dereference (deep) (C#)	CSHARP.DEEPNULL.DEREF	Nullness.ArrayLengthOfNullWarning, Nullness.GetFieldFromNullWarning, Nullness.CallOnNullWarning, Nullness.ThrowOfNullWarning, Nullness.PutFieldIntoNullWarning, Nullness.SynchronizationOnNullWarning, Nullness.ArrayLoadFromNullWarning, Nullness.ArrayStoreIntoNullWarning
Password in Property File (C#)	CSHARP.HARDCODED.PASSWD.FILE	Passwords.PasswordInPropertyFileWarning
Possible XML External Entity Reference (C#)	CSHARP.LIB.XML.XXE	Xml.XXEAttackWarning
Potential Infinite Recursion (C#)	CSHARP.FUNCS.INFREC	InfiniteRecursion.InfiniteRecursionWarning
Redundant Call for Integral Argument (C#)	CSHARP.FUNCS.RED.INT	UselessCall.UselessCallForIntegralValueWarning
Redundant Call for String Argument (C#)	CSHARP.FUNCS.RED.STR	UselessCall.UselessCallWarning
Redundant Condition (C#)	CSHARP.STRUCT.RC	UselessTest.TestIsPredeterminedWarning
Reflection Bypasses Member Accessibility (C#)	CSHARP.CLASS.ACCESS.BYPASS	Reflection.MemberAccessibilityBypassWarning
Reflection Injection (C#)	CSHARP.IO.TAINT.REFLECTION	Injection.ReflectionInjectionIntoFieldWarning, BasicInjection.ReflectionInjectionIntoFieldWarning, BasicInjection.ReflectionInjectionWarning, Injection.ReflectionInjectionWarning
Reflection Modifies Member Accessibility (C#)	CSHARP.CLASS.ACCESS.MODIFY	Reflection.MemberAccessibilityChangeWarning
Return Value may Contain null Element (C#)	CSHARP.DEEPNULL.RET.EMETH	Nullness.MethodReturnsInnerNullWarning
Return Value may be null (C#)	CSHARP.DEEPNULL.RET.METH	Nullness.MethodReturnsNullWarning
Return null Array (C#)	CSHARP.NULL.RET.ARRAY	BasicNullness.ReturningNullForArrayWarning
Risky Cipher Algorithm (C#)	CSHARP.CRYPTO.RCA	Cryptography.RiskyCipherAlgorithmWarning
Risky Cipher Field (C#)	CSHARP.CRYPTO.RCF	Cryptography.RiskyCipherFieldWarning
Risky Class Cast (C#)	CSHARP.CLASS.CAST	Classcast.ClasscastOfFieldWarning, Classcast.ClasscastGenericWarning, Classcast.ClasscastOfMethodReturnWarning, Classcast.ClasscastOfFormalWarning
Risky Cryptographic Algorithm (C#)	CSHARP.CRYPTO.RA	Cryptography.RiskyCryptographicAlgorithmFieldWarning
Risky Cryptographic Field (C#)	CSHARP.CRYPTO.RF	Cryptography.RiskyCryptographicAlgorithmWarning
Risky array store (C#)	CSHARP.CLASS.CAST.ARRSTORE	Classcast.ArrayStoreWarning
SQL Injection (C#)	CSHARP.IO.INJ.SQL	BasicInjection.SqlInjectionWarning, Injection.SqlInjectionIntoFieldWarning, Injection.SqlInjectionWarning, BasicInjection.SqlInjectionIntoFieldWarning
Security Annotation Conflict (C#)	CSHARP.INSEC.SAC	EncryptionAndSecurityConfig.SecurityAnnotationConflictWarning
Shadowed Identifier (C#)	CSHARP.ID.SHADOW	BadExtension.FieldShadowedWarning, BadNames.MethodCalledAsAConstructorWarning, BadNames.ShadowedSuperclassNameWarning
Should Use == Instead of equals() (C#)	CSHARP.COMPARE.EQUALS	BadEq.EqualsWarning
Should Use equals() Instead of == (C#)	CSHARP.COMPARE.EQ	BadEq.EqualityWarning
Single-use Random Number Generator (C#)	CSHARP.LIB.RAND.NEW	Random.SuboptimalRandomNumberWarning
Static Field Assigned Non-Static (C#)	CSHARP.CLASS.STATICMOD	StaticFieldAccess.SetStaticInNonStaticWarning
Static Field Too Visible (C#)	CSHARP.CLASS.VIS.SFIELD	StaticFieldSecurity.StaticNonFinalFieldVisibilityIsTooWeakWarning
Synchronization on Interned String (C#)	CSHARP.CONCURRENCY.LOCK.ISTR	Concurrency.SynchronisationOnInternedStringWarning
Synchronization on static (C#)	CSHARP.CONCURRENCY.LOCK.STATIC	Concurrency.ExpensiveSynchronizationOnStaticWarning
Synchronous Call to Thread Body (C#)	CSHARP.CONCURRENCY.LOCK.SCTB	Concurrency.SynchronousCallToThreadBodyWarning
Tainted @Trusted Value (C#)	CSHARP.IO.TAINT.TRUSTED	BasicInjection.GenericInjectionIntoFieldWarning, BasicInjection.GenericInjectionWarning, Injection.GenericInjectionIntoFieldWarning, Injection.GenericInjectionWarning
Tainted Bundle (C#)	CSHARP.IO.TAINT.BUNDLE	Injection.TrustBoundaryViolationIntoFieldWarning, Injection.TrustBoundaryViolationWarning, BasicInjection.TrustBoundaryViolationWarning, BasicInjection.TrustBoundaryViolationIntoFieldWarning
Tainted Control (C#)	CSHARP.IO.TAINT.CONTROL	Injection.ControlInjectionIntoFieldWarning, BasicInjection.ControlInjectionIntoFieldWarning, BasicInjection.ControlInjectionWarning, Injection.ControlInjectionWarning
Tainted Expression Evaluation (C#)	CSHARP.IO.TAINT.EVAL	BasicInjection.EvalInjectionIntoFieldWarning, BasicInjection.EvalInjectionWarning, Injection.EvalInjectionIntoFieldWarning, Injection.EvalInjectionWarning
Tainted HTTP Response (C#)	CSHARP.IO.TAINT.HTTP	Injection.HttpResponseSplittingWarning, BasicInjection.HttpResponseSplittingWarning, Injection.HttpResponseInjectionIntoFieldWarning, BasicInjection.HttpResponseInjectionIntoFieldWarning
Tainted Hardware Device Property (C#)	CSHARP.IO.TAINT.DEVICE	BasicInjection.DeviceInjectionWarning, Injection.DeviceInjectionWarning, BasicInjection.DeviceInjectionIntoFieldWarning, Injection.DeviceInjectionIntoFieldWarning
Tainted LDAP Attribute (C#)	CSHARP.IO.TAINT.LDAP.ATTR	Injection.LDAPAttributeInjectionWarning, Injection.LDAPAttributeInjectionIntoFieldWarning, BasicInjection.LDAPAttributeInjectionIntoFieldWarning, BasicInjection.LDAPAttributeInjectionWarning
Tainted LDAP Filter (C#)	CSHARP.IO.TAINT.LDAP.FILTER	Injection.LDAPFilterInjectionWarning, BasicInjection.LDAPFilterInjectionWarning, Injection.LDAPFilterInjectionIntoFieldWarning, BasicInjection.LDAPFilterInjectionIntoFieldWarning
Tainted Log (C#)	CSHARP.IO.TAINT.LOG	Injection.LogForgingWarning, BasicInjection.LogForgingWarning, Injection.LogInjectionIntoFieldWarning, BasicInjection.LogInjectionIntoFieldWarning
Tainted Message (C#)	CSHARP.IO.TAINT.MESSAGE	BasicInjection.MessageInjectionIntoFieldWarning, BasicInjection.MessageInjectionWarning, Injection.MessageInjectionWarning, Injection.MessageInjectionIntoFieldWarning
Tainted Network Address (C#)	CSHARP.IO.TAINT.ADDR	BasicInjection.AddressInjectionWarning, BasicInjection.AddressInjectionIntoFieldWarning, Injection.AddressInjectionIntoFieldWarning, Injection.AddressInjectionWarning
Tainted Path (C#)	CSHARP.IO.TAINT.PATH	BasicInjection.PathInjectionIntoFieldWarning, Injection.PathInjectionIntoFieldWarning, Injection.PathInjectionWarning, BasicInjection.PathInjectionWarning
Tainted Regular Expression (C#)	CSHARP.IO.TAINT.REGEX	Injection.RegexInjectionIntoFieldWarning, BasicInjection.RegexInjectionIntoFieldWarning, BasicInjection.RegexInjectionWarning, Injection.RegexInjectionWarning
Tainted Resource (C#)	CSHARP.IO.TAINT.RESOURCE	Injection.ResourceInjectionWarning, BasicInjection.ResourceInjectionIntoFieldWarning, Injection.ResourceInjectionIntoFieldWarning, BasicInjection.ResourceInjectionWarning
Tainted Session (C#)	CSHARP.IO.TAINT.SESSION	Injection.SessionInjectionIntoFieldWarning, Injection.SessionInjectionWarning, BasicInjection.SessionInjectionIntoFieldWarning, BasicInjection.SessionInjectionWarning
Tainted URL (C#)	CSHARP.IO.TAINT.URL	Injection.URLInjectionWarning, Injection.URLInjectionIntoFieldWarning, BasicInjection.URLInjectionIntoFieldWarning, BasicInjection.URLInjectionWarning
Tainted XAML (C#)	CSHARP.IO.TAINT.XAML	Injection.XAMLInjectionIntoFieldWarning, Injection.XAMLInjectionWarning, BasicInjection.XAMLInjectionIntoFieldWarning, BasicInjection.XAMLInjectionWarning
Tainted XML (C#)	CSHARP.IO.TAINT.XML	BasicInjection.XMLInjectionIntoFieldWarning, BasicInjection.XMLInjectionWarning, Injection.XMLInjectionIntoFieldWarning, Injection.XMLInjectionWarning
Tainted Xpath (C#)	CSHARP.IO.TAINT.XPATH	Injection.XPathInjectionIntoFieldWarning, BasicInjection.XPathInjectionIntoFieldWarning, BasicInjection.XPathInjectionWarning, Injection.XPathInjectionWarning
Unchecked Parameter Dereference (C#)	CSHARP.STRUCT.UPD	BasicNullness.FormalNullWarning
Unchecked Parameter Dereference (deep) (C#)	CSHARP.STRUCT.DUPD	Nullness.FormalNullWarning
Unchecked Parameter Element Dereference (deep) (C#)	CSHARP.STRUCT.UPED	Nullness.FormalInnerNullWarning
Unguarded Field (C#)	CSHARP.CONCURRENCY.UG.FIELD	GuardedBy.UnguardedFieldWarning
Unguarded Method (C#)	CSHARP.CONCURRENCY.UG.METH	GuardedBy.UnguardedMethodOrConstructorWarning
Unguarded Parameter (C#)	CSHARP.CONCURRENCY.UG.PARAM	GuardedBy.UnguardedParameterWarning
Unnecessary Field (C#)	CSHARP.STRUCT.UNFLD	ImproperField.FieldIsOnlyUsedInConstructorsWarning, ImproperField.FieldIsOnlyUsedInStaticInitialiserWarning, ImproperField.UselessFieldUpdateWarning, ImproperField.FieldShouldBeReplacedByLocalsWarning
Unused Method (C#)	CSHARP.STRUCT.UUMETH	Deadcode.UncalledWarning
Unreachable Instruction (C#)	CSHARP.STRUCT.UC.INSTR	Deadcode.UnreachableInstructionWarning
Unsafe Base64 Encoding (C#)	CSHARP.CRYPTO.BASE64	Cryptography.UnsafeBase64EncodingWarning
Unused Class (C#)	CSHARP.STRUCT.UUCLASS	UnusedClass.UnusedClassWarning, Deadcode.ClassNeverInstantiatedWarning
Unused Field (C#)	CSHARP.STRUCT.UUFIELD	FieldAccess.FieldNeverUsedWarning
Unused Object (C#)	CSHARP.STRUCT.UUOBJ	UselessConstruction.UselessConstructionWarning
Unused Value: Actual Parameter (C#)	CSHARP.STRUCT.UUVAL.ACTUAL	UselessAssignment.AssignmentToUnreadParameterWarning
Unused Value: Variable (C#)	CSHARP.STRUCT.UUVAL.VAR	UselessAssignment.AssignmentToUnusedVariableWarning
Unused Value: Write to Parameter (C#)	CSHARP.STRUCT.UUVAL.PARAM	UselessAssignment.AssignmentToUnusedParameterWarning
Useless Assignment (C#)	CSHARP.STRUCT.UA	UselessAssignment.TautologicalAssignmentWarning
Useless Assignment to Default (C#)	CSHARP.STRUCT.UA.DEFAULT	UselessAssignment.UselessAssignmentToDefaultValueWarning
Useless Class Cast (C#)	CSHARP.CLASS.CAST.USELESS	Classcast.UselessClasscastWarning
Useless Synchronization (C#)	CSHARP.CONCURRENCY.LOCK.USELESS	Concurrency.UselessSynchronizationWarning
Useless null Test (C#)	CSHARP.DEEPNULL.UTEST	Nullness.UselessNullnessTestWarning
Useless null Test of Field (C#)	CSHARP.DEEPNULL.UTEST.FIELD	Nullness.UselessNullnessTestOfFieldWarning
Useless null Test of Parameter (C#)	CSHARP.DEEPNULL.UTEST.PARAM	Nullness.UselessNullnessTestOfFormalWarning
Useless null Test of Return Value (C#)	CSHARP.DEEPNULL.UTEST.RV	Nullness.UselessNullnessTestOfMethodReturnWarning
Useless volatile Modifier (C#)	CSHARP.CONCURRENCY.VOLATILE,	Concurrency.UselessVolatileModifierWarning, Concurrency.VolatileContainerFieldWarning, Concurrency.VolatileArrayFieldWarning
Weak Cryptographic Value (C#)	CSHARP.CRYPTO.VALUE	Cryptography.PossibleGenerationOfWeakCryptographicValuesWarning
Weak Hash Algorithm (C#)	CSHARP.CRYPTO.WHA	Cryptography.WeakHashingAlgorithmWarning
Weak Hash Algorithm Field (C#)	CSHARP.CRYPTO.WHAF	Cryptography.WeakHashingAlgorithmFieldWarning
clone Non-cloneable (C#)	CSHARP.CLASS.CLONE.CNC	Clone.CloneForNonCloneableWarning
clone Subclass of Non-clonable (C#)	CSHARP.CLASS.CLONE.SCNC	Clone.SubclassesMayBeClonedWarning
clone not final (C#)	CSHARP.CLASS.CLONE.NF	Clone.NonFinalCloneMethodWarning
compareTo in Non-Comparable Class (C#)	CSHARP.COMPARE.CTO.NONCOMP	CompareTo.CompareToInNonComparableWarning
compareTo without equals (C#)	CSHARP.IDEF.CTONOEQ	CompareTo.CompareToWithDefaultEqualsWarning
compareTo/equals mismatch (C#)	CSHARP.IDEF.CTOEQ	CompareTo.CompareToInconsistentWithEqualsWarning
equals Always Fails (C#)	CSHARP.REDUNDANT.EQUALSF	BadEq.ImpossibleEqualsWarning
equals Parameter Should Be Object (C#)	CSHARP.IDEF.EQUALS.NONOBJ	EqualsHashCode.EqualsNotAgainstObjectWarning
equals on Array (C#)	CSHARP.COMPARE.EQARRAY	BadEq.EqualsOnArraysWarning
null Passed to Method (deep) (C#)	CSHARP.DEEPNULL.PARAM.ACTUAL	Nullness.ActualNullWarning
toString on Array (C#)	CSHARP.TYPE.ARRAYTOSTRING	CallsOnArray.CallToToStringOnArrayWarning

Configuration Parameters

There are several new configuration parameters, and one modified configuration parameter.

New Configuration Parameters

New Parameter	Purpose
CSHARP_FLAGS_APPEND	Modify the set of options being passed to the C# build/analysis. (Restored now that C# build/analysis has been restored. )
CSHARP_FLAGS_PREPEND	Modify the set of options being passed to the C# build/analysis. (Restored now that C# build/analysis has been restored. )
CSHARP_ANALYSIS_ADVANCED_INJECTION	Specifies whether or not the C# build/analysis will perform advanced checking for injection-related issues.
CSHARP_ANALYSIS_CONCURRENCY_CALLS	When CSHARP_ANALYSIS_CONCURRENCY_GUARDS_MODE=byValue, specifies whether or not the analysis will treat method calls on guarded variables as dereferences of those variables.
CSHARP_ANALYSIS_CONCURRENCY_GUARDS_MODE	Specifies how checks for concurrency warning classes should interpret [GuardedBy] attributes.
CSHARP_ANALYSIS_DEEP_NULLNESS_CONSERVATIVE_CHECK	Specifies whether or not the analysis should treat all inputs received by the application as if they might be null.
CSHARP_ANALYSIS_ENABLE_ASSERTIONS	Specifies whether or not the C# build/analysis will treat assertion statements as if they are executed.
CSHARP_ANALYSIS_ENTRY_POINTS_MODE	Specifies how the C# build/analysis will determine the application's entry points: the methods that can be invoked by the runtime environment and that should be considered starting points of the analysis.
CSHARP_ANALYSIS_FAST_DEEP_CHECK	For C# warning classes whose checks can involve additional supporting analyses, specifies whether or not those additional analyses should be skipped (generally in order to save time).
CSHARP_ANALYSIS_FIELD_SENSITIVE	Specifies whether or not the C# build/analysis will track information about individual fields of each object.
CSHARP_ANALYSIS_FIELD_VISIBILITY	For C# warning classes related to field visibility, specifies the field visibility types that will be considered by the warning class checks.
CSHARP_ANALYSIS_FRAMEWORK	Inform the C# build/analysis about the runtime environment of the analyzed application.
CSHARP_ANALYSIS_INITIALIZATION_CHECK	Specifies whether or not a preliminary "class initialization analysis" will be performed before checks for those warning classes that may benefit from it.
CSHARP_ANALYSIS_JVM_CONCURRENCY	Specifies the number of CPUs that the JVM executing the C# analysis is allowed to use.
CSHARP_ANALYSIS_JVM_OPTIONS	Specify options to the JVM that will execute the C# build/analysis.
CSHARP_ANALYSIS_MAX_MEMORY	In combination with CSHARP_ANALYSIS_MEMORY_MANAGEMENT, specifies the maximum amount of memory that the C# build/analysis can use in megabytes (MiB).
CSHARP_LAUNCHER_MEMORY	Specifies the maximum amount of memory that the C# build/analysis launcher can use in megabytes (MiB).
CSHARP_ANALYSIS_MEMORY_MANAGEMENT	In combination with CSHARP_ANALYSIS_MAX_MEMORY, specifies how the C# build/analysis will manage its memory limit.
CSHARP_ANALYSIS_MERGE_CREATION_POINTS	Specifies whether or not the C# build/analysis will collapse bytecode instructions that create objects of the same type inside the same class.
CSHARP_ANALYSIS_PEDANTIC_MODE	Specifies whether or not CodeSonar should perform more pedantic checking for certain C# warning classes.
CSHARP_ANALYSIS_PREPROCESSING_TIMEOUT	Specifies a timeout (in seconds) for the preprocessing phase of the C# build/analysis.
CSHARP_ANALYSIS_STRICT_MODE	Specifies whether or not CodeSonar should perform stricter checking for certain C# warning classes.
CSHARP_ANALYSIS_TIMEOUT	Specifies a timeout (in seconds) for the overall C# build/analysis.
CSHARP_ANALYSIS_TRUST_DATABASE	Specifies whether or not the C# taint analysis should trust data that originates from database queries, rather than treating it as tainted.
CSHARP_ANALYSIS_TRUST_DEVICE	Specifies whether or not the C# taint analysis should trust data that originates from the specific device running the application, rather than treating it as tainted.
CSHARP_ANALYSIS_TRUST_ENVIRONMENT	Specifies whether or not the C# taint analysis should trust data that originates from the environment or from system properties, rather than treating it as tainted.
CSHARP_ANALYSIS_TRUST_EXTERNAL_STREAMS	Specifies whether or not the C# taint analysis should trust data that originates from external streams or sockets, rather than treating it as tainted.
CSHARP_ANALYSIS_TRUST_USER_INPUT	Specifies whether or not the C# taint analysis should trust data that originates from web requests or console input, rather than treating it as tainted.
CSHARP_LAUNCHER_JVM_OPTIONS	Customize the execution of the JVM that will execute the C# build/analysis launcher.
IDENTIFIER_NAMING_<ID_KIND>_PREFIX IDENTIFIER_NAMING_<ID_KIND>_SUFFIX IDENTIFIER_NAMING_<ID_KIND>_CASE IDENTIFIER_NAMING_<ID_KIND>_REGEX	Use the IDENTIFIER_NAMING_* family of parameters to define naming rules that identifiers of a particular ID_KIND must not violate. If a naming rule is violated, a Naming Style Violation warning will be issued.
JAVA_ANALYSIS_CONCURRENCY_CALLS	When JAVA_ANALYSIS_CONCURRENCY_GUARDS_MODE=byValue, specifies whether or not the analysis will treat method calls on guarded variables as dereferences of those variables.
JAVA_ANALYSIS_CONCURRENCY_GUARDS_MODE	Specifies how checks for concurrency warning classes should interpret @GuardedBy annotations.
JAVA_ANALYSIS_DEEP_NULLNESS_CONSERVATIVE_CHECK	Specifies whether or not the Java analysis should treat all inputs received by the application as if they might be null.
JAVA_ANALYSIS_FAST_DEEP_CHECK	For Java warning classes whose checks can involve additional supporting analyses, specifies whether or not those additional analyses should be skipped (generally in order to save time).
JAVA_ANALYSIS_FIELD_SENSITIVE	Specifies whether or not the Java build/analysis will track information about individual fields of each object.
JAVA_ANALYSIS_FIELD_VISIBILITY	For Java warning classes related to field visibility, specifies the field visibility types that will be considered by the warning class checks.
JAVA_ANALYSIS_INITIALIZATION_CHECK	Specifies whether or not a preliminary "class initialization analysis" will be performed before checks for those Java warning classes that may benefit from it.
JAVA_ANALYSIS_MERGE_CREATION_POINTS	Specifies whether or not the Java build/analysis will collapse bytecode instructions that create objects of the same type inside the same class.
JAVA_ANALYSIS_PEDANTIC_MODE	Specifies whether or not CodeSonar should perform more pedantic checking for certain Java warning classes.
JAVA_ANALYSIS_REQUIRE_ANDROID_MANIFEST	For Android checks that rely on manifest data, specifies whether or not at least one Android manifest must be submitted in order for the check to be performed.
JAVA_ANALYSIS_STRICT_MODE	Specifies whether or not CodeSonar should perform stricter checking for certain Java warning classes.
JAVA_ANALYSIS_TRUST_DATABASE	Specifies whether or not the Java taint analysis should trust data that originates from database queries, rather than treating it as tainted.
JAVA_ANALYSIS_TRUST_DEVICE	Specifies whether or not the Java taint analysis should trust data that originates from the specific device running the application, rather than treating it as tainted.
JAVA_ANALYSIS_TRUST_ENVIRONMENT	Specifies whether or not the Java taint analysis should trust data that originates from the environment or from system properties, rather than treating it as tainted.
JAVA_ANALYSIS_TRUST_EXTERNAL_STREAMS	Specifies whether or not the Java taint analysis should trust data that originates from external streams or sockets, rather than treating it as tainted.
JAVA_ANALYSIS_TRUST_USER_INPUT	Specifies whether or not the Java taint analysis should trust data that originates from web requests or console input, rather than treating it as tainted.

Modified Configuration Parameter

Parameter	Changes
JAVA_LAUNCHER_MEMORY	Factory setting now 512 (previously no factory setting).

Configuration Presets

There are several new configuration presets.

The new presets are as follows.

New Preset	Description
barr_naming	Check for violations of the naming rules in the Barr Group Embedded C Coding Standard; issue a Naming Style Violation warning for each such violation
csharp_complete	Enable all C# warning classes.
csharp_deep	Enable all C# warning classes that are disabled by default and classified as deep.
csharp_pedantic	Enable all C# warning classes that are disabled by default and classified as pedantic.
csharp_security	Enable all C# warning classes whose significance is "security".

EDG Upgrade

CodeSonar now uses EDG version 6.2, released February 10, 2021.

There are new front end options available:

Management Reports

New predefined management report templates
Template metavariable syntax change

New predefined management report templates

There are several new predefined management report templates.

AUTOSAR C++ 2014 Report. Analysis-scoped, contains charts and tables describing the analysis warnings whose classes are closely mapped to AUTOSAR AP 17-03 rules.
CERT-C Report. Analysis-scoped, contains charts and tables describing the analysis warnings whose classes are closely mapped to rules and recommendations in the SEI CERT C Coding Standard.
CERT-C++ Report. Analysis-scoped, contains charts and tables describing the analysis warnings whose classes are closely mapped to rules and recommendations in the SEI CERT C++ Coding Standard.
CERT Java Report. Analysis-scoped, contains charts and tables describing the analysis warnings whose classes are closely mapped to rules and recommendations in the SEI CERT Oracle Coding Standard for Java.
DISA v3r10 Report. Analysis-scoped, contains charts and tables describing the analysis warnings whose classes are closely mapped to 'findings' in the DISA Application Security and Development STIG version 3, release 10.
DISA v4r3 Report. Analysis-scoped, contains charts and tables describing the analysis warnings whose classes are closely mapped to 'findings' in the DISA Application Security and Development STIG version 4, release 3.
ISO IEC TA 17961 Report. Analysis-scoped, contains charts and tables describing the analysis warnings whose classes are closely mapped to one or more ISO/IEC TS 17961 rules ("C Secure Coding Rules Technical Specification").
JPL Report. Analysis-scoped, contains charts and tables describing the analysis warnings whose classes are closely mapped to JPL rules.
MISRA C 2004 Report. Analysis-scoped, contains charts and tables describing the analysis warnings whose classes are closely mapped to MISRA C:2004 rules.
MISRA C 2012 Report. Analysis-scoped, contains charts and tables describing the analysis warnings whose classes are closely mapped to MISRA C:2012 rules.
MISRA C++ 2008 Report. Analysis-scoped, contains charts and tables describing the analysis warnings whose classes are closely mapped to MISRA C++:2008rules.
Power of 10 Report. Analysis-scoped, contains charts and tables describing the analysis warnings whose classes are closely mapped to "Power of Ten" rules.

Template metavariable syntax change

Management report metavariables F, S, T should now be specified with calling syntax: {{F()}}, {{S()}}, {{T()}} (previously {{F}}, {{S}}, {{T}}, respectively). Syntax for all other documented metavariables is unchanged.

The predefined templates shipped with CodeSonar have been updated accordingly. If you have existing custom management report templates with occurrences of {{F}}}, {{S}}, or {{T}}, we recommend updating them so that you retain the expected numbering behavior: the old forms of these references will now always return zero (0).

API Changes

API: Modified

Python note. The upgrade to Python 3 includes the Python API for CodeSonar. In particular:

Python plug-ins will now be parsed as Python 3. You may need to update your plug-ins to modify any Python 2 syntax that is not accepted by Python 3.
The Python API now provides a __next__() method (previously next()) for all iterators.

	API Implementation			Notes
	C++	Python	C	Notes
Methods
	ast_field(ast_ordinal, const std::string &)	ast_field.__init__(ast_ordinal, str)	n/a	Can now additionally construct ast_field whose ast_field_type is BYTES.
Types
	Class func_attrs has new static public attribute func_attrs::DECLARED_STATIC.	Class func_attrs has new attribute func_attrs.DECLARED_STATIC.	New definition cs_func_attr_declared_static included in typdef cs_func_attrs.	A a statically-declared function or method.
	Class ast_field_type has new static public attribute ast_field_type::BYTES. Existing attributes ast_field_type::CONST_STR and ast_field_type::CONST_STR64 represent utf-8 encoded string	Class ast_field_type has new attribute ast_field_type.BYTES. Existing attributes ast_field_type.CONST_STR and ast_field_type.CONST_STR64 represent utf-8 encoded strings	Enumeration cs_ast_field_type has new symbol csft_bytes. Existing symbols csft_const_str, csft_const_str64 represent utf-8 encoded strings.	The new "bytes" AST field type represents unencoded data

Modified Class	Changes
cc:builtin-operation	new children :builtin-operation-kind, :is-clang-extension, :is-gnu-extension, :is-ms-extension deleted child :operands
cc:condition	new child :initialization
cc:namespace	new attribute :is-inline
cc:typeref	new attribute :is-using

Deleted Unnormalized C/C++ AST Classes

cc:builtin-offsetof
cc:gnu-builtin-operation
cc:has-assign
cc:has-copy
cc:has-finalizer
cc:has-trivial-copy
cc:has-trivial-destructor
cc:has-nothrow-assign
cc:has-nothrow-constructor
cc:has-nothrow-copy
cc:has-nothrow-move-assign
cc:has-trivial-assign
cc:has-trivial-constructor
cc:has-trivial-move-assign
cc:has-trivial-move-contructor
cc:has-user-destructor
cc:has-virtual-destructor
cc:intaddr
cc:is-abstract
cc:is-base-of
cc:is-class
cc:is-constructible
cc:is-convertible-to
cc:is-delegate
cc:is-destructible
cc:is-empty
cc:is-enum
cc:is-final
cc:is-interface-class
cc:is-literal-type
cc:is-nothrow-assignable
cc:is-nothrow-constructible
cc:is-nothrow-destructible
cc:is-pod
cc:is-polymorphic
cc:is-ref-array
cc:is-ref-class
cc:is-sealed
cc:is-simple-value-class
cc:is-standard-layout
cc:is-trivial
cc:is-trivially-assignable
cc:is-trivially-constructible
cc:is-trivially-copyable
cc:is-trivially-destructible
cc:is-union
cc:is-value-class
cc:microsoft-builtin-operation
cc:param-ref
cc:type-traits-builtin-operation
cc:types-compatible-p

Customer Tickets Fixed

NUMBER	NAME	NOTES
20150	Parse error: attributes are not allowed here (before linkage specification)	fixed
29579	Complier conf parameter EDG_FRONTEND_OPTIONS_APPEND += --cs_gnu_asm having issues	fixed
31246	Search strings can't be saved if they are too long	fixed
34318	MISRA FP (Rule 11.3): Cast: Object Pointers	fixed
37281	Parse Errors: identifier "cs_isnan" is undefined, identifier "cs_isnanf" is undefined, identifier "cs_isnanl" is undefined using iar compiler model and iccrx compiler	fixed
37286	[EDGcpfe/23704] boost templating issues	fixed
37290	Android 11+ hooking problem	fixed
37291	Documentation for android11 hooking workaround	fixed
38133	MISRA FP: Asymmetry between right and left shift for Inappropriate Operand Type	fixed
38629	False negative for data race in C++ (threads created by std::thread not recognized)	fixed
38665	Manual update for information regarding the analysis status 'Acquiring License'	Analysis state documentation updated.
39919	Small change in documentation for cslaunchd	Launch daemon documentation clarified.
39947	Windows build wizard overwriting changes made to conf file on next analysis	fixed
39967	Synthesized copy constructors and large arrays	fixed
39969	Internal error: assertion failed at: "exprutil.c"	fixed
40023	"\tt" characters showing up in conf file for iccarm.c.32.conf - CS 6.0p0	fixed
40106	Need to ignore -B flag for gcc like compiler models	fixed
40204	LANG.STRUCT.SW.BAD : Malformed switch Statement, FN for 'default' label not being first or last in the switch body	fixed
40307	Manual does not list MS Edge in the list of supported web browsers.	Microsoft Edge added to list of supported browsers.
41249	CS 5.3 - 6.0: Non-distinct Identifiers: External Names - not using conf file parameter SIGNIFICANCE_LEN_EXTERN when set, but defaulting to 31	fixed
41288	WARNING: The configuration file C:\Program Files\CodeSecure\CodeSonar-5.4p0-swyx\csurf\compiler_confs\cs-bin-scan.wildcard.32.conf does not exist, and could not find a suitable alternative.	fixed