| CodeSonar® 9.0p0 Hot Tips | CONFIDENTIAL | CodeSecure Inc |
The minimum CodeSonar version for direct upgrade to CodeSonar 7.0 is 4.1p0. If you have a hub that is running CodeSonar 4.0p2 or earlier, contact CodeSecure support for assistance in upgrading.
If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.
| Topic | Summary |
|---|---|
| CWE | This version of CodeSonar uses CWE v4.6, released October 28, 2021. |
| Warning Classes | There are several new warning classes. There is also a new warning category kind: OWASP-2021. |
| New Management Report Templates | There are two new predefined management report templates: |
| User Search | You can now search for hub user accounts. |
| GUI Changes | There are a number of new GUI page types, along with modifications to existing page types. |
| Output Formats | Tabular data available in the CodeSonar hub can now also be exported in JSON format. |
| Topic | Notes |
|---|---|
| CWE | This version of CodeSonar uses CWE v4.6, released October 28, 2021. The list of 2021 CWE Top 25 Most Dangerous Software Weaknesses has been released: CodeSonar has a corresponding new configuration preset and new management report template to provide focus on warnings in this list. |
| codesonar dump_warnings.py | The codesonar dump_warnings.py command has three new options: --project-name, --metrics-csv, and --metrics-xml. |
| codesonar transcode_annotations.py | This is a new codesonar subcommand that converts a file of warning annotations exported from a hub running CodeSonar 6.0 (or earlier) to a format suitable for importing into a hub running CodeSonar 6.1 (or later). The main use case is updating hub annotation encoding in hubs that have been directly or gradually upgraded to CodeSonar 6.1 or later and previously used non-ASCII encodings for some or all annotations, because such annotations are not automatically transcoded during the upgrade process. The transcode_annotations.py subcommand is also suitable for any other case where you have exported annotations from an older hub and wish to import them into a newer one. |
| Configuration Parameters | There are several new configuration parameters and two deleted configuration parameters. |
| API Changes | There are a small number of new API functions. |
| C# Build/Analysis | There are two new cs-dotnet-scan options: -assembly-kind and -encoding. |
| LDAP Authentication Plug-In | The LDAP authentication plug-in shipped with CodeSonar has a new, optional Role Mapping List configuration option for specifying mappings from LDAP groups to CodeSonar role assignments, and an Enable automatic role-mapping? configuration option for specifying whether or not these mappings are currently active. |
| SSO SAML Authentication Plug-In | The SSO SAML authentication plug-in shipped with CodeSonar now supports mapping IdP roles to CodeSonar role assignments. The Configure Keycloak (SSO) Hub Authentication and Configure Okta (SSO) Hub Authentication sections have been updated with IdP-specific role mapping instructions. |
| Custom Authenticator Functionality | Custom authentication plug-ins can now use an optional 'roles' entry in the return value for get_user()/get_user_from_cert()/get_user_from_request() to specify roles that should be assigned to a user on behalf of the plug-in. |
| Visual Studio Plugin | Previously, analysis user settings were saved into the msbuild project file (.vcxproj or .csproj), so they were propagated to source control. Settings are now saved into the .suo file, which is found under the .vs project subdirectory and is not generally added to source control. |
| Distributed Analysis On Windows | CodeSonar 6.2 had a bug that meant a remote-requesting analysis master running on Windows could not obtain analysis slaves from different launch daemons unless a workaround was engaged. Without the workaround, such analyses may have run slower, or in some cases may have failed to make progress at all. This bug has now been fixed. |
| C++ Support Improvements | Support for C++20 has been extended. For more information, see C++ Support. |
| Java Support Improvements | The CodeSonar Java analysis is now suitable for Java source and binaries targeting Java 1.1-17. java15, java16, and java17 are now valid settings for: |
| AST Changes | There are two new unnormalized C/C++ AST classes, and one modified normalized C/C++ AST class. |
| EDG Upgrade | CodeSonar now uses EDG version 6.3, released December 14, 2021. |
| Release Status | For full information about release status for all current and past CodeSonar versions, see the Supported Product Versions page on the CodeSecure support site. |
There are several new warning classes and some modified warning classes. There is also a new warning category kind.
| Modified C/C++ Warning Class | Notes |
|---|---|
| various | [C++ only] The CodeSonar analysis now considers self-assignment problems when analyzing operator= function members. A number of different kinds of problems can arise from self-assignment, so a number of different warning classes are affected by this change. The most common warning classes for self-assignment problems include the following. |
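The self-assignment hazard in `operator=` that the table above describes, shown in working code. This is an added example written for these notes, not CodeSonar's code or code from any project it analyzes; the class names `UnsafeBuffer` and `SafeBuffer` are hypothetical. `UnsafeBuffer` releases its buffer before copying from `other`, so when `other` aliases `*this` the copy reads freed memory and the object keeps a dangling pointer; `SafeBuffer` uses copy-and-swap so that nothing is released until the new contents already exist.

```cpp
// Added example (not CodeSonar code): the classic self-assignment defect in
// operator= and one fix. Class names are hypothetical.
#include <cstddef>
#include <cstring>
#include <string>
#include <utility>

// Owns a heap buffer; operator= frees the old buffer before copying from
// `other`. When &other == this, the delete[] frees other.data_ too, so the
// memcpy reads freed memory and data_ is left dangling after the call.
class UnsafeBuffer {
public:
    explicit UnsafeBuffer(const char* s)
        : len_(std::strlen(s)), data_(new char[len_ + 1]) {
        std::memcpy(data_, s, len_ + 1);
    }
    UnsafeBuffer(const UnsafeBuffer& o)
        : len_(o.len_), data_(new char[len_ + 1]) {
        std::memcpy(data_, o.data_, len_ + 1);
    }
    UnsafeBuffer& operator=(const UnsafeBuffer& other) {
        delete[] data_;                               // also frees other.data_ if aliased
        len_ = other.len_;
        data_ = new char[len_ + 1];
        std::memcpy(data_, other.data_, len_ + 1);    // use-after-free on self-assignment
        return *this;
    }
    ~UnsafeBuffer() { delete[] data_; }
    std::string str() const { return std::string(data_, len_); }
private:
    std::size_t len_;
    char* data_;
};

// Same ownership, but operator= takes its argument by value (copy-and-swap):
// the copy is built before anything is released, so `a = a` copies a into a
// temporary, swaps, and frees the old buffer only when the temporary dies.
// An explicit `if (this == &other) return *this;` guard is the other common fix.
class SafeBuffer {
public:
    explicit SafeBuffer(const char* s)
        : len_(std::strlen(s)), data_(new char[len_ + 1]) {
        std::memcpy(data_, s, len_ + 1);
    }
    SafeBuffer(const SafeBuffer& o)
        : len_(o.len_), data_(new char[len_ + 1]) {
        std::memcpy(data_, o.data_, len_ + 1);
    }
    friend void swap(SafeBuffer& a, SafeBuffer& b) noexcept {
        using std::swap;
        swap(a.len_, b.len_);
        swap(a.data_, b.data_);
    }
    SafeBuffer& operator=(SafeBuffer other) noexcept {
        swap(*this, other);
        return *this;
    }
    ~SafeBuffer() { delete[] data_; }
    std::string str() const { return std::string(data_, len_); }
private:
    std::size_t len_;
    char* data_;
};

// Self-assignment through an alias (the form that is easy to miss in review);
// the safe class keeps its contents intact.
std::string safe_after_self_assign(const char* s) {
    SafeBuffer b(s);
    SafeBuffer& alias = b;
    b = alias;
    return b.str();
}

// Ordinary (non-aliased) assignment behaves the same for both classes. The
// unsafe class is deliberately never self-assigned here: that would be
// undefined behaviour, which is exactly what the analysis now flags.
std::string unsafe_after_copy(const char* from, const char* to) {
    UnsafeBuffer src(from), dst(to);
    dst = src;
    return dst.str();
}
std::string safe_after_copy(const char* from, const char* to) {
    SafeBuffer src(from), dst(to);
    dst = src;
    return dst.str();
}
```

Running `UnsafeBuffer` through a self-assignment under AddressSanitizer reports the read of freed memory immediately; the static analysis described above aims to find the same pattern without needing a test input that happens to alias the two sides.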
CodeSonar now provides mappings for the OWASP Top 10 2021.
Relevant OWASP-2021 mappings for each warning class are displayed in the following locations.
The new owasp2021 preset enables all warning classes that are closely mapped to one or more members of this top ten list.
Checks for Format String and Ignore Return Value warnings now use a different statistical test (the "one-sided Wilson test") to identify functions for which warnings of these classes should be issued.
This version of CodeSonar adds support for searching in a new domain: Users. Search results in this domain correspond to hub user accounts.
The Users search domain is supported by existing search infrastructure:
There are a number of GUI changes in this version of CodeSonar.
| New Page Type | Notes |
|---|---|
| User Search Results | Presents the results of a search in the Users domain (new functionality). |

| Modified Page Types | Notes |
|---|---|
| Usernames, Users | Now provide user search functionality through the simple search tool. The Visible Users filter is now present, and is applied to table contents. |
There are several new configuration parameters and two deleted configuration parameters.
| New Parameter | Purpose |
|---|---|
| FORMAT_STRING_CHECKER_CONFIDENCE | Specifies the confidence interval for statistically identifying functions that are usually passed a format string in the k-th parameter position for some k. |
| FORMAT_STRING_CHECKER_DISCARD_CONFIDENCE | Specifies the confidence interval for statistically determining that a candidate Format String warning can be discarded immediately (that is, before all function calls have been analyzed). |
| LOOP_ONLY_FUNCS | Used by new Inappropriate Call Outside Loop warning class to specify functions whose calls should be enclosed in a loop. |
| PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS | Specifies a function/argument combination for functions that pass data over trust boundaries. Used by new Padding Passed Across a Trust Boundary warning class. |
| RETURN_CHECKER_CONFIDENCE | Specifies the confidence interval for statistically identifying functions whose return value is usually checked. |
| RETURN_CHECKER_DISCARD_CONFIDENCE | Specifies the confidence interval for statistically determining that a candidate Ignored Return Value warning can be discarded immediately (that is, before all function calls have been analyzed). |
| TYPE_OVERRUN_ON_LAST_ARRAY_FIELD | Specifies whether or not Type Overrun warnings will be issued for a variable length array at the end of a class, struct, or union. |
| Deleted parameter | Notes |
|---|---|
| FORMAT_STRING_CHECKER_SAMPLE_SIZE | Use new parameters FORMAT_STRING_CHECKER_CONFIDENCE and FORMAT_STRING_CHECKER_DISCARD_CONFIDENCE to specify the (one-sided) Wilson test confidence intervals for including or discarding, respectively, checks for uncontrolled format strings in a specific argument position on a specific function. |
| RETURN_CHECKER_SAMPLE_SIZE | Use new parameters RETURN_CHECKER_CONFIDENCE and RETURN_CHECKER_DISCARD_CONFIDENCE to specify the (one-sided) Wilson test confidence intervals for including or discarding, respectively, checks for ignoring the return value of a specific function. |
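The one-sided Wilson test behind the `*_CONFIDENCE` parameters above, worked through in code. This is an added example written for these notes, not CodeSonar's implementation: the bounds are the standard Wilson score interval, but the decision rule in `classify` (lower bound at the "include" confidence clears a threshold, or upper bound at the "discard" confidence falls below it) and the 0.75 threshold in the test are illustrative assumptions. It shows why a confidence interval replaces a fixed sample size: two calls that both check a return value give no usable evidence, while ten out of ten do.

```cpp
// Added example (not CodeSonar code): one-sided Wilson score bounds applied to
// call-site tallies of "was the return value checked?". The decision rule and
// thresholds are illustrative assumptions, not the product's implementation.
#include <cmath>
#include <cstddef>

// Inverse of the standard normal CDF by bisection on Phi(x) = erfc(-x/sqrt(2))/2.
double normal_quantile(double p) {
    double lo = -10.0, hi = 10.0;
    for (int i = 0; i < 200; ++i) {
        double mid = 0.5 * (lo + hi);
        double phi = 0.5 * std::erfc(-mid / std::sqrt(2.0));
        if (phi < p) lo = mid; else hi = mid;
    }
    return 0.5 * (lo + hi);
}

struct WilsonBounds { double lower; double upper; };

// Wilson score bounds for k successes out of n, each bound taken one-sided at
// the given confidence (e.g. 0.95 -> z = 1.645). Small n gives wide bounds.
WilsonBounds wilson_bounds(std::size_t k, std::size_t n, double confidence) {
    if (n == 0) return {0.0, 1.0};                 // no evidence at all
    double z = normal_quantile(confidence);
    double p = static_cast<double>(k) / static_cast<double>(n);
    double z2n = z * z / static_cast<double>(n);
    double centre = (p + z2n / 2.0) / (1.0 + z2n);
    double half = z * std::sqrt(p * (1.0 - p) / static_cast<double>(n)
                                + z2n / (4.0 * static_cast<double>(n)))
                  / (1.0 + z2n);
    return {centre - half, centre + half};
}

enum class Verdict { UsuallyChecked, Discard, Undecided };

// Illustrative rule (an assumption): `checked` of `total` observed call sites
// test the callee's return value.
//  - lower bound at include_confidence >= threshold: callers usually check,
//    so an unchecked call is worth an Ignored Return Value warning;
//  - upper bound at discard_confidence < threshold: even optimistically the
//    function is rarely checked, so the candidate can be dropped before the
//    remaining call sites are analysed;
//  - otherwise keep collecting evidence.
Verdict classify(std::size_t checked, std::size_t total, double threshold,
                 double include_confidence, double discard_confidence) {
    double lower = wilson_bounds(checked, total, include_confidence).lower;
    double upper = wilson_bounds(checked, total, discard_confidence).upper;
    if (lower >= threshold) return Verdict::UsuallyChecked;
    if (upper < threshold) return Verdict::Discard;
    return Verdict::Undecided;
}
```

With a one-sided 95% confidence, 10 checked calls out of 10 give a lower bound of about 0.79, 2 out of 2 give about 0.43, and 0 out of 20 give an upper bound of about 0.12; a fixed sample size cannot express that difference, which is the motivation for the parameter change.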
There are two new configuration presets:
| New Preset | Description |
|---|---|
| owasp2021 | Enable all warning classes (except those with mnemonic DIAG.*, which are diagnostic only) that are closely mapped to one or more of the OWASP Top Ten Application Security Risks - 2021. |
| sans-cwe2021 | Enable all warning classes that are closely mapped to one or more of the 2021 CWE Top 25 Most Dangerous Software Weaknesses. |
There are two new/modified API functions.
| C++ | Python | C | Purpose |
|---|---|---|---|
| step_path::step_path(const step_path&) | step_path.__init__(step_path) | csonar_step_path_copy() | Copy a step path object. |
| step_path::~step_path() | n/a | csonar_step_path_destroy() | Destroy a step path object. |
CodeSonar now uses EDG version 6.3, released December 14, 2021.
There are new front end options available:
The front end has been updated to emulate more recent versions of the GCC, Clang, and Microsoft Visual Studio compilers by default. The default versions are now as follows.
There are two new unnormalized C/C++ AST classes, and one modified normalized C/C++ AST class.
The c:enum class now has a :type-is-fixed attribute.
| NUMBER | NAME | NOTES |
|---|---|---|
| 46465 | Distributed analysis: msgpass_connect() failed: Connection refused | fixed; see Distributed Analysis On Windows, above. |
| CSO-950 | The "cosmic" compiler model combined with a "hc12" compiler needs support for compiler flags that start with "+" | Improved documentation. |
| CSO-968 | Update manual to include ways to view old analysis source code information | Added FAQ entry to manual. |
| CSO-984 | Add example to LANG.STRUCT.RC.html and link to Normalization.html | Added example to LANG.STRUCT.RC documentation. |
| CSO-1168 | Update Notices page | fixed |
| CSO-1173 | Database upgrade error: Exception Value:(psycopg2.errors.UndefinedColumn) column "default_encoding_xml" of relation "cs_globaldata" does not exist | fixed |
| CSO-1197 | upgrade OpenSSL | fixed; OpenSSL upgraded to version 3.0.1. |
| CSO-1202 | IAR parse errors, resolve before by library model, but the model does not work for IAR version 8.40.1 | fixed |
| CSO-1205 | Remove TLS 1.0/1.1 from CodeSonar- | fixed; added a mechanism whereby users can disable support for specific TLS versions. |
| CSO-1221 | CodeSonar 6.0p2 Windows installer does not have cs-java-scan in the installer | fixed |
| CSO-1226 | Parse error in Boost | Fixed a parse error in a particular combination of operating system, compiler, and boost version. |
| CSO-1235 | Exception Type:UnicodeDecodeError happening after 5.3 to 6.2p2 upgrade | fixed |
| CSO-1236 | Backport BZ: 46271 to unblock customer | fixed |
| CSO-1244 | CodeSonar fails to detect compiler during parsing | Improved documentation. |
| CSO-1252 | Parse errors: ecomppc.exe (GHS) | fixed |
| CSO-1256 | Update manual to reflect the versions of browsers CodeSonar supports | System Requirements page lists supported browsers. |
| CSO-1264 | Front End catastrophic error reported by customer using CodeSonar 6.2p2 | fixed |
| CSO-1284 | math.h-related compatibility issues with a particular version of the Renesas compiler iccrx.exe | fixed |
| CSO-1285 | Parse errors related to qcc intrinsic types in ARM neon headers | fixed |
| CSO-1295 | Mapping for ISO/IEC TS 17961 Rule 5.33 needs to be updated | fixed |
| CSO-1296 | Update manual information for "Task: Set Up Automated Annotation Mirroring" | Improved Task: Set Up Automated Annotation Mirroring documentation. |
| CSO-1298 | CodeSonar 6.2 - exception when accessing parse log | fixed |
| CSO-1303 | Update manual Welcome page to include C# | Manual Welcome page updated. |
| CSO-1314 | Warning instance, ALLOC.SIZE.IOFLOW, message text needs to use parenthesis for correct reading of information | fixed |
| CSO-1340 | Eclipse plug-in: Unable to connect to CodeSonar hub | fixed |
| CSO-1349 | cs-dotnet-scan option '-cs-verbosity' does not work | fixed |
| CSO-1359 | Severe warning raised by C# frontend parsing event declarations | fixed |