CodeSonar Release 6.2, patchlevel 0: Release Notes

Official release date: December 15, 2021.



Notes on Upgrading

If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.

What's New

Warning Classes (C/C++): There are several new warning classes, two warning classes have been modified, and one class has been deleted.

Warning Classes (Java and C#): For some warning classes, warning reports now have more detailed explanations with more events. DISA-4r3 mappings are now available for Java and C# warning classes.

Jira Cloud: There is now a Jira Cloud integration for CodeSonar.
Compatibility Improvements: CodeSonar is now compatible with Windows 11 and Windows Server 2022.
Deleting Analysis Logs: There is now functionality for deleting the logs of multiple analyses in a single operation, and for automatically deleting logs from past analyses.
codesonar dump_warnings.py: The --sarif and --fail-if-more-warnings-than options can now be specified in the same codesonar dump_warnings.py command.
Expanded HTTP API documentation: New pages describe mechanisms for interacting with the hub without using the user interface.
Custom Hub Authentication Plug-Ins: You can now implement an SSO-based custom authentication plug-in by implementing a custom wrapper class whose methods include get_user_from_request(), sso_redirect(), and get_notes().
Database Upgrade: CodeSonar now uses PostgreSQL 13.
The instructions for backing up and restoring a hub database have changed slightly. Specifically, the modifications to postgresql.conf in step 11 of A: Prepare the Hub for Backup now include the line
wal_keep_size = 160
instead of the line
wal_keep_segments = 10
GUI Changes: Several GUI page types have new functionality.
Authentication Plug-Ins: There is a new SSO SAML authentication plug-in shipped with CodeSonar. Two new tasks provide detailed instructions for specific SSO products.
Configuration Parameters: There are three new configuration parameters.
New User Administration functionality: The Users page now displays each user's IP address and most recent sign-in timestamp. These fields allow hub administrators to determine which hub users are active. There is a new Task: See Active Hub Users in the manual.
Eclipse Plug-in: The CodeSonar plug-in for Eclipse now supports importing analysis results for languages other than C, C++, and Java.

Note that hook mode is only supported for C, C++, and Java.
Compiler Models: The cosmic compiler model now handles +-prefixed command arguments. The +sprec argument receives additional handling in the model; all other +-prefixed arguments are ignored.

Details

Warning Classes

New C/C++ Warning Classes

Several of these warning classes provide coverage for SEI CERT C and C++ coding standards.

New C/C++ Warning Class Mnemonic
Comparison of Unrelated Pointers LANG.STRUCT.CUP
delete with Non-Virtual Destructor LANG.STRUCT.DNVD
Implicit Lambda Capture LANG.LAMBDA.CAPTURE
Initialization Cycle LANG.STRUCT.INIT.CYCLE
Input After Output Without Positioning IO.IOWOP
Lambda Has No Parameter List LANG.LAMBDA.MPL
Lambda Has No Return Type LANG.LAMBDA.MRT
Local Variable Passed to Thread CONCURRENCY.LOCALARG
Multiple Accesses of Atomic CONCURRENCY.MAA
Object Slicing LANG.CAST.OBJSLICE
Out of Order Member Initializers LANG.STRUCT.INIT.OOMI
Output After Input Without Positioning IO.OIWOP
Return from noreturn LANG.STRUCT.RFNR
Subtraction of Unrelated Pointers LANG.STRUCT.SUP
Unordered Initialization LANG.STRUCT.INIT.UNORDERED
Unreachable Catch LANG.STRUCT.UCTCH
Virtual and Non-Virtual Base Class LANG.TYPE.BCVNV
Virtual Base Class LANG.TYPE.BCV
Virtual Base Class not In Diamond LANG.TYPE.BCVNID
Virtual Call in Constructor LANG.STRUCT.VCALL_IN_CTOR
Virtual Call in Destructor LANG.STRUCT.VCALL_IN_DTOR
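
To make three of the new classes concrete, here is an added C++ example (not CodeSonar's own code or test material) showing the pattern each of LANG.STRUCT.VCALL_IN_CTOR, LANG.CAST.OBJSLICE and LANG.STRUCT.DNVD reports, beside the corrected form; the struct names and helper functions are constructed for illustration.

```cpp
#include <cstddef>
#include <memory>
#include <string>

// LANG.STRUCT.VCALL_IN_CTOR: a virtual call inside a constructor binds to the
// class under construction, so the override in Derived is never reached.
struct Base {
    std::string recorded;
    Base() { recorded = kind(); }   // flagged: virtual call in constructor
    virtual ~Base() = default;
    virtual std::string kind() const { return "Base"; }
};
struct Derived : Base {
    std::string kind() const override { return "Derived"; }
};
std::string kind_seen_by_ctor() { return Derived().recorded; }     // "Base"
// Fix: make the polymorphic call after construction has completed.
std::string kind_seen_after_ctor() { Derived d; return d.kind(); } // "Derived"

// LANG.CAST.OBJSLICE: copying a Square into a Shape drops `width`. This is the
// case OBJSLICE_WARN_NEW_MEMBER_ONLY selects: the derived class adds a member.
struct Shape { int sides; explicit Shape(int s) : sides(s) {} };
struct Square : Shape { int width; explicit Square(int w) : Shape(4), width(w) {} };
std::size_t bytes_after_slice() { Shape s = Square(3); return sizeof(s); } // sizeof(Shape)
// Fix: pass by reference (or pointer) so the complete object survives.
int width_via_ref(const Square& sq) { return sq.width; }

// LANG.STRUCT.DNVD: deleting through a base pointer is only well defined when
// the base destructor is virtual. Base declares `virtual ~Base()`, so the
// Tracked destructor runs and the counter records it; with a non-virtual base
// destructor the same delete would be flagged and would skip ~Tracked().
struct Tracked : Base {
    ~Tracked() override { ++destroyed; }
    static int destroyed;
};
int Tracked::destroyed = 0;
int destroy_via_base_pointer() {
    Tracked::destroyed = 0;
    std::unique_ptr<Base> p = std::make_unique<Tracked>(); // ok: virtual dtor
    p.reset();
    return Tracked::destroyed;   // 1
}
```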

Modified C/C++ Warning Classes

Checks for the Cast Alters Value (LANG.CAST.VALUE) warning class have been extended. Warnings of this class are now also issued when a value V is cast to an enumeration type but V is not a valid value for that enumeration.

Similarly, Coercion Alters Value warnings are now also issued when a value V is coerced to an enumeration type but V is not a valid value for that enumeration.

Deleted C/C++ Warning Classes

There is no longer a Free Non-Heap Variable (ALLOC.FNH) warning class. Code that previously triggered warnings of this class will now trigger Type Mismatch warnings.

Deleting Analysis Logs

There are several new options for deleting analysis logs.

GUI Changes

Page Type Changes

Analysis Search Results: New Remove Logs buttons above and below the table provide access to functionality for deleting logs from multiple analyses.

Remove Analysis buttons are available both above and below the table of results (previously below only).

Authentication Services: Two modifications due to the new SSO SAML plug-in:
  • The form for adding a new service now includes an SSO SAML option.
  • Entries for SSO SAML services in the table of current services contain an additional Setting up this SAML Integration in Your IdP section that provides the information needed to configure the SSO identity provider (IdP) to work with CodeSonar.
Project: A new Remove Logs button below the table provides access to functionality for deleting logs from multiple analyses.

The Analysis Settings section provides controls for setting up autodeletion of analysis logs.

Project Search Results: Remove Project and Move Project buttons are available both above and below the table of results (previously below only).
Sign In: If one or more SSO authentication services are installed, there is an additional page tab for each such service.

Configuration Parameters

There are three new configuration parameters.

New Configuration Parameters

New Parameter Purpose
ARRAY_CTOR_CALL_LIMIT Specifies an upper bound on the number of constructor calls CodeSonar is willing to make for each end of an array.
REACHABILITY_DUMP_FILE Specifies an output file for diagnostic reachability information.
OBJSLICE_WARN_NEW_MEMBER_ONLY Specifies whether Object Slicing warnings should be issued only in the case where the derived class has additional data members not found in the converted-to base class.

Customer Tickets Fixed

NUMBER NAME NOTES
24183 Issues with annotations and the JIRA integration fixed
29579 SF case 00014305 - complier conf parameter EDG_FRONTEND_OPTIONS_APPEND += --cs_gnu_asm having issues fixed
37281 Parse Errors: identifier "cs_isnan" is undefined, identifier "cs_isnanf" is undefined, identifier "cs_isnanl" is undefined using iar compiler model and iccrx compiler fixed
37286 [EDGcpfe/23704] Harman boost templating issues fixed
41236 GHS ccrh850 native build fails under CS 5.4 when using section map fixed
41796 MISC.CPE : Copy-Paste Error: copy paste checker reports "CopyPasteErrorChecker warning: X unknown rule cases fixed
41798 LANG.STRUCT.BNC Body Is Not Compound Statement - false positive fixed
42073 GreenHills ecomppc compiler model, CodeSonar (v5.4p0) is ignoring the -I- Header file search option fixed
42124 LANG.CAST.PC.PV, Conversion: Void Pointer to Object Pointer, redefinition of NULL causing warning, should this be part of the exception for NULL fixed
42282 Streaming replication ("warm standby") - FATAL: could not connect to the primary server: libpq is incorrectly linked to backend functions fixed
42374 MISRA C:2012 11.9 - Coercion: Integer Constant to Pointer - FP - CS 6.0 fixed
42666 MISRA: Variable Could be const FP fixed
42690 LANG.TYPE.VCBC score is 100 fixed
42727 Configuration tool error in 6.1p0 - when selecting option 1 and the hub is locked down so anonymous does not have hub_info permissions fixed
42730 FP: 2$Buffer Overrun fixed
44474 [EDGcpfe/24768] clang++/g++ compat: constexpr (tzlaine-parser) fixed