CodeSonar Release 7.1p0 Release Notes

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

Release Notes

CodeSonar Release 7.1, patchlevel 0: Release Notes

Notes on Upgrading
What's New
Customer Tickets Fixed

Notes on Upgrading

The minimum CodeSonar version for direct upgrade to CodeSonar 7.0 or later is 4.1p0. If you have a hub that is running CodeSonar 4.0p2 or earlier, contact CodeSecure support for assistance in upgrading.

If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.

See Upgrading Configuration Files for instructions.
For some configuration files, the procedure includes steps that must be carried out before CodeSonar is upgraded.
If you are upgrading a CodeSonar installation that will be used by someone else:
- Determine the most appropriate person to upgrade the general template and compiler template configuration files.
  This will depend on local factors such as who usually makes changes to these files.

What's New

Hybrid Cloud	This release introduces CodeSonar SaaS (Software as a Service) as an additional deployment model.
New codesonar analyze options	Two new options. -remote analysis-launchd: perform a remotely-managed analysis with analysis launch daemon specified by analysis-launchd. -wait: the codesonar analyze process will wait to return until the analysis completes, the analysis stalls, or the codesonar analyze process or the analysis launch daemon loses its connection to the hub. This can be useful in cases where subsequent commands wish to inspect the final analysis results.
New codesonar install-launchd options	Use the -launchd-home and -launchd-quota options to specify the location and maximum permitted size, respectively, of the launch daemon's Home Directory.
New Windows Build Wizard field	Use the Analysis field on screen 1 to choose between local-managed and remote-managed analysis, and to specify a remote launch daemon for the latter.
CodeSonar Plug-In for Eclipse Changes	There are several changes to the CodeSonar Project Properties dialog. New analysis management radio buttons allow you to choose between local-managed and remote-managed analysis, and to specify a remote launch daemon for the latter. The Allow Services checkbox is now only available when Local Analysis is selected. The Launchd Group field is no longer present.
RBAC Changes	There are three new permissions, and the permission requirements for various operations have changed.
Incrementality Note	The new remote-managed analysis variant can be invoked to update and analyze a project based on an incremental build of the underlying software project. However, the remote-managed analysis phase does not currently take full advantage of incrementality: The build phase rebuilds only those parts of the CodeSonar project that have changed (that is, incrementality is fully supported in this phase). The analysis phase analyzes the entire CodeSonar project (rather than only those parts affected by the changes). There is therefore little or no time saving. Full support for incremental, remote-managed analysis will be added in a future release.
Java Build/Analysis Changes	The Java analysis will now submit warnings to the hub for ordinary and sourceless artifacts without corresponding source code, unless specifically instructed otherwise. There are two new cs-java-scan options: -import-require-source and -java-source-level.
C# Build/Analysis Changes	The C# analysis will now submit warnings to the hub for ordinary and sourceless artifacts without corresponding source code, unless specifically instructed otherwise. There is one new cs-dotnet-scan option: -import-require-source.
HIS Metrics	There are five new built-in metrics and a new preset to enable those metrics.
GUI Changes	Various pages have additional functionality; RBAC permission requirements for accessing some pages and functionality have changed.
Warning Classes	There are many new warning classes. A large number of new C# warning classes in support of the new, experimental Roslyn-detected C# warnings functionality. Several new C/C++ warning classes.
Roslyn-detected C# warnings (Experimental)	There is new, experimental C# analysis functionality that invokes the .NET Compiler Platform (Roslyn) analyzers from Visual Studio and issues a CodeSonar warning for each rule violation detected by an analyzer.
CWE	This version of CodeSonar uses CWE v4.8, released June 28, 2022.
TASKING Compiler Model	The tasking compiler model (for modeling the behavior of the TASKING TriCore, PCP, and C166/ST10 compilers) is now available on Windows and Linux platforms (previously Windows only).
Configuration Presets	There are several new presets for selectively enabling various of the new Roslyn-detected C# warning classes, and one for enabling the five new Hersteller Initiative Software (HIS) metrics (see HIS Metrics, below, for more information).
Configuration Parameters	There are several new configuration parameters.
API Changes	There are a small number of new API functions.
AST Changes	There are two new unnormalized C/C++ AST classes.
SARIF Output for Warning Search Results	For warning searches whose scope is a single analysis, warning search results can now be output in SARIF format. A SARIF output link is now available on the Warning Search Results page in such cases. There is a new /warning_detail_search.sarif endpoint for the CodeSonar HTTP API.
VS Code Extension	An extension for Microsoft Visual Studio Code (VS Code) will be available at the Visual Studio Marketplace shortly. The extension will allow you to view the results of a single analysis or compare the results of two analyses in VS Code.
Deprecation Notices	Support for Internet Explorer is deprecated as of this release. The HTML5 Visualization Tool visualization feature will be deprecated at the end of 2023. The 'graphical (lite)' visualization provided by the Explore Callers GUI page type will continue to be available.
Release Status	For full information about release status for all current and past CodeSonar versions, see the Supported Product Versions page on the CodeSecure support site.

Details

CodeSonar SaaS

This release introduces CodeSonar SaaS (Software as a Service) as an additional deployment model.

With CodeSonar SaaS:

CodeSecure will host your hub and a set of analysis machines. Backup and certain other maintenance activities will be taken care of for you.
Your CodeSonar build/analysis is automatically managed in two phases.
1. CodeSonar builds your project on your local machine, as previously.
2. Once the project is built, CodeSonar uploads your project files to the SaaS hub, which initiates a remote-managed, distributed analysis of your project.

Users with on-premise CodeSonar deployments can also take advantage of the remote-managed analysis capability.

This manual provides a Quick Start (CodeSonar SaaS) page.

Remote-Managed vs Local-Managed Analysis

This release introduces a distinction between remote-managed and local-managed analysis. Previously all analyses were local-managed.

An analysis that specifies a remote analysis launch daemon with the new -remote analysis-launchd option (or via the corresponding Windows Build Wizard or Eclipse Plug-In functionality) will be remote-managed.

The CodeSonar project build phase runs locally to collect all necessary information about the project and store it in the project build directory.
At the beginning of the CodeSonar project analysis phase, data and control are transferred to the analysis launch daemon specified by analysis-launchd. This is the case even if analysis-launchd identifies a launch daemon on the local machine.
1. CodeSonar uploads the entire project build directory to the hub.
2. The hub sends the project build directory to the remote analysis launch daemon for analysis.
3. The remote analysis launch daemon stores its own copy of the project build directory: this copy is the project analysis directory.
4. The analysis launch daemon initiates the CodeSonar analysis, operating on the project analysis directory.

Project analysis directory information and deletion

In remote-managed analyses the project analysis directory is located with the remote analysis launch daemon. This is not necessarily on the build machine, and for SaaS analyses is on an external network. New features provide visibility and control over the project analysis directory though the hub, for both remote-managed and local-managed analyses.

Project analysis directory information is now available in several GUI page types: Analysis, Analysis Cloud, Analysis Search Results, Project.
You can delete project analysis directories via the hub.
- For a specific analysis: from the corresponding Analysis page.
- For selected analyses: from the Analysis Search Results and Project pages.
- There is also functionality for auto-deleting project analysis directories.

Remote analysis launch daemons

The analysis launch daemon for a remotely-managed analysis must be set up with a home directory. The project analysis directory is stored under this home directory.

For remote analysis...

... in CodeSonar SaaS deployments: specify a remote analysis launch daemon from your SaaS hub's saas launchd group. This group is populated with analysis launch daemons that have been set up with home directories within the SaaS deployment.
... on your own hardware: specify a remote analysis launch daemon that you (or someone else at your organization) have set up with a home directory. To set up a launch daemon with a home directory, use the -launchd-home option with codesonar install-launchd. You can optionally specify a maximum permitted size for this directory with -launchd-quota.

Role-Based Access Control

There are a number of changes to CodeSonar's Role Based Access Control.

New RBAC Permissions

There are three new permissions: one global (G_*) permission, and two ROLE_* permissions.

New Permission	Notes
G_MANAGE_USERS	Manage user accounts and permissions, but without the complete control provided by G_ADMINISTER_USERS. This permission is designed to provide sufficient privileges to perform all SaaS hub management operations that are not provided by CodeSecure. G_MANAGE_USERS only provides assign/unassign control for a subset of the global (G_*) permissions: see the list of global permissions for full details. In general, a role that is assigned G_ADMINISTER_USERS should also be assigned G_MANAGE_USERS.
ROLE_DELETE	Delete a role.
ROLE_EXISTS	See a role in menus and tables of available roles.

New built-in role

There is a new built-in role: Manager. The default Manager role-permissions provide a range of user management privileges. By default, no user has the Manager role.

User control

We introduce the notion of user control. User control over a specific hub user account requires one of the following sets of permissions.

G_ADMINISTER_USERS
or
G_MANAGE_USERS and ROLE_ADMINISTER R for every role R that the user is assigned.

With user control over a hub user account U, you can do the following.

Modify U's Password, Email, Email Alerts, Default Role, User Certificates, and Visibility Defaults.
Delete U.
Choose U as the template user when creating a new user account.
Set U as the default template user for the hub.
Sign in as U (from the Sign In tab of the Account Editor).

Permissions for creating hub user accounts

Users with G_MANAGE_USERS permission can create new hub user accounts (provided they also have G_CREATE_USER permission) with the set of available template users restricted to those over which the creating user has user control. If this set is empty, the template user will be the default template user.

Creating a new role

New roles can now be created by users with G_MANAGE_USERS permission.

When you create a new role, you must now specify a "controlling role". If you don't have G_ADMINISTER_USERS permission, you can only specify a controlling role that you are currently assigned.

The controlling role will be assigned all ROLE_* permissions for the new role

These permission assignments are mutable, and can be modified from the Role (Resource) Role-Permissions page for the new role.
This is the only effect of the Controlling Role.

Java Build/Analysis Changes

The Java analysis will now submit warnings to the hub for sourceless artifacts without corresponding source code, unless specifically instructed otherwise.

For ordinary artifacts and sourceless artifacts (specified with -include-artifacts and -include-sourceless-artifacts, respectively), warnings will be submitted to the hub if either of the following are true.
- The corresponding source code is available and specified with -include-sources.
  or
- The corresponding source code is not available, and there is at least one sourceless artifact, and new option -import-require-source is not specified.
  Because source code is not available, the warnings in this case are presented with reduced detail.
Previously, warnings were never submitted to the hub for artifacts without corresponding source code.
For libraries and signatures (specified with -include-libraries and -include-signatures, respectively), warnings are never submitted to the hub.
- This is the same behavior as previously.
- New option -import-require-source has no effect on behavior for libraries or signatures.

New cs-java-scan options

There are two new options for cs-java-scan.

-import-require-source: for ordinary artifacts and sourceless artifacts (specified with -include-artifacts and -include-sourceless-artifacts, respectively), specifies that warnings should only be submitted to the hub if the corresponding source code is available and specified with -include-sources.
Has no effect on behavior for other artifact types.
-java-source-level: specifies the language compliance level to be used in parsing Java source files.

C# Build/Analysis Changes

The C# analysis will now submit warnings to the hub for sourceless artifacts without corresponding source code, unless specifically instructed otherwise.

For ordinary artifacts and sourceless artifacts (specified with -include-artifacts and -include-sourceless-artifacts, respectively), warnings will be submitted to the hub if either of the following are true.
- The corresponding source code is available and specified with -include-sources.
  or
- The corresponding source code is not available, and there is at least one sourceless artifact, and new option -import-require-source is not specified.
  Because source code is not available, the warnings in this case are presented with reduced detail.
Previously, warnings were never submitted to the hub for artifacts without corresponding source code.
For libraries and signatures (specified with -include-libraries and -include-signatures, respectively), warnings are never submitted to the hub.
- This is the same behavior as previously.
- New option -import-require-source has no effect on behavior for libraries or signatures.

New cs-dotnet-scan option

There is one new option for cs-dotnet-scan.

-import-require-source. For ordinary artifacts and sourceless artifacts (specified with -include-artifacts and -include-sourceless-artifacts, respectively), specifies that warnings should only be submitted to the hub if the corresponding source code is available and specified with -include-sources.
Has no effect on behavior for other artifact types.

Hersteller Initiative Software (HIS) Metrics

There are five new built-in metrics, all from the set described in
H. Kuder. HIS source code metrics. Technical Report HIS-SC-Metriken.1.3.1-e, Herstellerinitiative Software, April 2008. Version 1.3.1.

These metrics are not computed by default, and have procedure granularity only.

Metric Description	Metric Tag
Number of Called Functions	CALLING
Number of Function Calls	STSUB
Number of goto Statements	GOTO
Number of Formal Parameters	PARAM
Number of Returns	RETURN

New preset his_metrics enables these five metrics.

GUI Changes

GUI Page Type	Changes
Account Editor	Access to page and functionality now requires user control over the corresponding hub user account (previously G_ADMINISTER_USERS only.)
Analysis	Analysis Details section has two new parts. Machines provides information about the machines performing the build and analysis phases. If the analysis is still running, it also provides a kill this analysis link (requires ANALYSIS_TERMINATE permission for the analysis). .prj_files provides information about the project analysis directory, along with a remove .prj_files link for deleting the directory (requires ANALYSIS_READ, ANALYSIS_DELETE, and ANALYSIS_TERMINATE permission for the analysis).
Analysis Cloud	New table columns Space Quota, Space Used, Disk Space Available, Home.
Analysis Cloud Active Jobs	New table columns Master Launchd Path, Master Launchd ID, Master Launchd Key, Slave Launchd Path, Slave Launchd ID, Slave Launchd Key.
Analysis Search Results	New table columns Build Machine, .prj_files Location, .prj_files Size, .prj_files Exists Renamed table column Analysis Machine (previously "Machine") New Remove .prj_files button for deleting project analysis directories from selected analyses (requires ANALYSIS_READ, ANALYSIS_DELETE, and ANALYSIS_TERMINATE permission for those analyses).
Authentication Services	When adding a new authentication service that is permitted to create new hub user accounts, users with G_MANAGE_USERS permission can choose the template user for new accounts from a restricted set as described above.
Bulk Add Users	Page access now requires G_CREATE_USER Options for selecting template user for new accounts depends on permissions as described above. (Previously page access and all functionality required G_ADMINISTER_USERS.)
Create Account	Users with G_MANAGE_USERS permission can choose the template user for new accounts from a restricted set as described above.
Global Role-Permissions	Page access is no longer restricted. Users with G_ADMINISTER_USERS will see all hub roles in the table of roles. Otherwise, a role R will only be visible if the user has ROLE_READ R. Role-permission assignments for global permissions are restricted as follows. Users with G_ADMINISTER_USERS can modify (mutable) role-permission assignments for all global permissions. Users with G_MANAGE_USERS (and not G_ADMINISTER_USERS) can modify (mutable) role-permission assignments for some global permissions, but not the most powerful ones. In particular, they cannot assign or unassign G_ADMINISTER_USERS permission. Assignment requirements for each global permission are described in the list of global permissions. Users with neither G_ADMINISTER_USERS nor G_MANAGE_USERS cannot modify global role-permission assignments. (Previously page access and all functionality required G_ADMINISTER_USERS.)
Project	New table columns Build Machine, .prj_files Location, .prj_files Size, .prj_files Exists Renamed table column Analysis Machine (previously "Machine") New Remove .prj_files button for deleting project analysis directories from selected analyses (requires ANALYSIS_READ, ANALYSIS_DELETE, and ANALYSIS_TERMINATE permission for those analyses).
Resource Role-Permissions	Users with G_ADMINISTER_USERS will see all hub roles in the table of roles. Otherwise, a role R will only be visible if the user has ROLE_READ R. (Previously all table rows visible to users with page access.)
Roles	Page access is no longer restricted. Users with G_ADMINISTER_USERS will see all hub roles in the table of roles. Otherwise, a role R will only be visible if the user has ROLE_EXISTS R, or is currently assigned role R. Users with G_ADMINISTER_USERS can delete any (deletable) role R, otherwise deletion requires ROLE_DELETE R. Users with G_ADMINISTER_USERS or G_MANAGE_USERS permission can create new roles. The form to Create a New Role now includes a new Controlling Role field. (Previously page access and all functionality required G_ADMINISTER_USERS.)
Role Ancestors	Users with G_ADMINISTER_USERS can delete any (deletable) role R, otherwise deletion requires ROLE_DELETE R (previously G_ADMINISTER_USERS only). Users with G_ADMINISTER_USERS can modify any (mutable) ancestor assignment for role R, otherwise modification requires both ROLE_WRITE R and ROLE_ASSIGN A for the added/removed ancestor A (previously G_ADMINISTER_USERS only).
Role Users	Users with G_ADMINISTER_USERS can delete any (deletable) role R, otherwise deletion requires ROLE_DELETE R (previously G_ADMINISTER_USERS only). Users with G_ADMINISTER_USERS can assign/unassign any (mutably-assigned) role R, otherwise assigning/unassigning requires ROLE_ASSIGN R (previously G_ADMINISTER_USERS only).
Settings, Admin Settings	Analysis tab has new hub-wide auto-deletion controls for project analysis directories.
Users	Access now requires G_ADMINISTER_USERS or G_MANAGE_USERS permission (previously G_ADMINISTER_USERS only).
User Roles	Access now requires G_LIST_USERS permission. Users with G_ADMINISTER_USERS will see all hub roles in the table of roles. Otherwise, a role R will only be visible if the user has ROLE_READ R. Users with G_ADMINISTER_USERS can assign/unassign any (mutably-assigned) role R, otherwise assigning/unassigning requires ROLE_ASSIGN R. (Previously page access and all functionality required G_ADMINISTER_USERS.)
Warning Search Results	If search scope is a single analysis, SARIF output is now available.

Warning Classes

Several new C/C++ warning classes.
A large number of new C# warning classes in support of the new, experimental Roslyn-detected C# warnings functionality.

New C/C++ Warning Classes

New C/C++ Warning Class Name	Mnemonic
Modification of Standard Namespaces	LANG.STRUCT.DECL.SNM
Use of catch	LANG.STRUCT.EXCP.CATCH
Use of throw	LANG.STRUCT.EXCP.THROW

New warning classes for Roslyn-detected C# warnings

Warnings of these classes are detected in C# source code via the new, experimental Roslyn-detected C# warnings functionality.
There is a warning class for each Roslyn code quality analysis rule.

Note: Classes are in this set not enabled by the csharp_complete, csharp_deep, csharp_pedantic, or csharp_security preset. There are separate presets for enabling various sets of Roslyn-detected classes.

New C# Warning Class Name	Mnemonic
'Buffer.BlockCopy' expects the number of bytes to be copied for the 'count' argument (C#)	ROSLYN.RELIABILITY.CA2018
Abstract types should not have public constructors (C#)	ROSLYN.DESIGN.CA1012
All members declared in parent interfaces must have an implementation in a DynamicInterfaceCastableImplementation-attributed interface (C#)	ROSLYN.USAGE.CA2256
Argument passed to TaskCompletionSource constructor should be TaskCreationOptions enum instead of TaskContinuationOptions enum (C#)	ROSLYN.USAGE.CA2247
Assigning symbol and its member in the same statement (C#)	ROSLYN.USAGE.CA2246
Attribute string literals should parse correctly (C#)	ROSLYN.USAGE.CA2243
Avoid 'StringBuilder' parameters for P/Invokes (C#)	ROSLYN.PERFORMANCE.CA1838
Avoid dead conditional code (C#)	ROSLYN.MAINTAINABILITY.CA1508
Avoid empty interfaces (C#)	ROSLYN.DESIGN.CA1040
Avoid excessive class coupling (C#)	ROSLYN.MAINTAINABILITY.CA1506
Avoid excessive complexity (C#)	ROSLYN.MAINTAINABILITY.CA1502
Avoid excessive inheritance (C#)	ROSLYN.MAINTAINABILITY.CA1501
Avoid excessive parameters on generic types (C#)	ROSLYN.DESIGN.CA1005
Avoid hardcoded SslProtocols values (C#)	ROSLYN.SECURITY.CA5398
Avoid hardcoding SecurityProtocolType value (C#)	ROSLYN.SECURITY.CA5386
Avoid infinite recursion (C#)	ROSLYN.RELIABILITY.CA2011
Avoid uninstantiated internal classes (C#)	ROSLYN.PERFORMANCE.CA1812
Avoid unmaintainable code (C#)	ROSLYN.MAINTAINABILITY.CA1505
Avoid unsealed attributes (C#)	ROSLYN.PERFORMANCE.CA1813
Avoid unused private fields (C#)	ROSLYN.PERFORMANCE.CA1823
Avoid using cref tags with a prefix (C#)	ROSLYN.DOCUMENTATION.CA1200
Avoid zero-length array allocations (C#)	ROSLYN.PERFORMANCE.CA1825
Call async methods when in an async method (C#)	ROSLYN.PERFORMANCE.CA1849
CancellationToken parameters must come last (C#)	ROSLYN.DESIGN.CA1068
Collection properties should be read only (C#)	ROSLYN.USAGE.CA2227
Consider calling ConfigureAwait on the awaited task (C#)	ROSLYN.RELIABILITY.CA2007
Consider using 'StringBuilder.Append(char)' when applicable (C#)	ROSLYN.PERFORMANCE.CA1834
Consider using 'string.Contains' instead of 'string.IndexOf' (C#)	ROSLYN.USAGE.CA2249
Declare types in namespaces (C#)	ROSLYN.DESIGN.CA1050
Define accessors for attribute arguments (C#)	ROSLYN.DESIGN.CA1019
Disposable fields should be disposed (C#)	ROSLYN.USAGE.CA2213
Disposable types should declare finalizer (C#)	ROSLYN.USAGE.CA2216
Dispose methods should call SuppressFinalize (C#)	ROSLYN.USAGE.CA1816
Dispose methods should call base class dispose (C#)	ROSLYN.USAGE.CA2215
Dispose objects before losing scope (C#)	ROSLYN.RELIABILITY.CA2000
Do Not Add Archive Item's Path To The Target File System Path (C#)	ROSLYN.SECURITY.CA5389
Do Not Add Certificates To Root Store (C#)	ROSLYN.SECURITY.CA5380
Do Not Add Schema By URL (C#)	ROSLYN.SECURITY.CA3061
Do Not Call Dangerous Methods In Deserialization (C#)	ROSLYN.SECURITY.CA5360
Do Not Catch Corrupted State Exceptions (C#)	ROSLYN.SECURITY.CA2153
Do Not Disable Certificate Validation (C#)	ROSLYN.SECURITY.CA5359
Do Not Disable HTTP Header Checking (C#)	ROSLYN.SECURITY.CA5365
Do Not Disable Request Validation (C#)	ROSLYN.SECURITY.CA5363
Do Not Disable SChannel Use of Strong Crypto (C#)	ROSLYN.SECURITY.CA5361
Do Not Serialize Types With Pointer Fields (C#)	ROSLYN.SECURITY.CA5367
Do Not Use Account Shared Access Signature (C#)	ROSLYN.SECURITY.CA5375
Do Not Use Broken Cryptographic Algorithms (C#)	ROSLYN.SECURITY.CA5351
Do Not Use Deprecated Security Protocols (C#)	ROSLYN.SECURITY.CA5364
Do Not Use Digital Signature Algorithm (DSA) (C#)	ROSLYN.SECURITY.CA5384
Do Not Use Weak Cryptographic Algorithms (C#)	ROSLYN.SECURITY.CA5350
Do Not Use Weak Key Derivation Function With Insufficient Iteration Count (C#)	ROSLYN.SECURITY.CA5387
Do Not Use XslTransform (C#)	ROSLYN.SECURITY.CA5374
Do not always skip token validation in delegates (C#)	ROSLYN.SECURITY.CA5405
Do not assign a property to itself (C#)	ROSLYN.USAGE.CA2245
Do not call BinaryFormatter.Deserialize without first setting BinaryFormatter.Binder (C#)	ROSLYN.SECURITY.CA2301
Do not call overridable methods in constructors (C#)	ROSLYN.USAGE.CA2214
Do not call ToImmutableCollection on an ImmutableCollection value (C#)	ROSLYN.RELIABILITY.CA2009
Do not catch general exception types (C#)	ROSLYN.DESIGN.CA1031
Do not create tasks without passing a TaskScheduler (C#)	ROSLYN.RELIABILITY.CA2008
Do not declare event fields as virtual (C#)	ROSLYN.DESIGN.CA1070
Do not declare protected member in sealed type (C#)	ROSLYN.DESIGN.CA1047
Do not declare static members on generic types (C#)	ROSLYN.DESIGN.CA1000
Do not declare visible instance fields (C#)	ROSLYN.DESIGN.CA1051
Do not define finalizers for types derived from MemoryManager<T> (C#)	ROSLYN.RELIABILITY.CA2015
Do not deserialize with JavaScriptSerializer using a SimpleTypeResolver (C#)	ROSLYN.SECURITY.CA2321
Do not deserialize with JsonSerializer using an insecure configuration (C#)	ROSLYN.SECURITY.CA2329
Do not deserialize without first setting NetDataContractSerializer.Binder (C#)	ROSLYN.SECURITY.CA2311
Do not disable ServicePointManagerSecurityProtocols (C#)	ROSLYN.SECURITY.CA5378
Do not disable token validation checks (C#)	ROSLYN.SECURITY.CA5404
Do not duplicate indexed element initializations (C#)	ROSLYN.USAGE.CA2244
Do not expose generic lists (C#)	ROSLYN.DESIGN.CA1002
Do not hard-code certificate (C#)	ROSLYN.SECURITY.CA5403
Do not hard-code encryption key (C#)	ROSLYN.SECURITY.CA5390
Do not hide base class methods (C#)	ROSLYN.DESIGN.CA1061
Do not ignore method results (C#)	ROSLYN.PERFORMANCE.CA1806
Do not initialize unnecessarily (C#)	ROSLYN.PERFORMANCE.CA1805
Do not lock on objects with weak identity (C#)	ROSLYN.RELIABILITY.CA2002
Do not mark enums with FlagsAttribute (C#)	ROSLYN.USAGE.CA2217
Do not name enum values 'Reserved' (C#)	ROSLYN.NAMING.CA1700
Do not overload equality operator on reference types (C#)	ROSLYN.DESIGN.CA1046
Do not pass literals as localized parameters (C#)	ROSLYN.GLOBALIZATION.CA1303
Do not pass types by reference (C#)	ROSLYN.DESIGN.CA1045
Do not prefix enum values with type name (C#)	ROSLYN.NAMING.CA1712
Do not raise exceptions in finally clauses (C#)	ROSLYN.USAGE.CA2219
Do not raise exceptions in unexpected locations (C#)	ROSLYN.DESIGN.CA1065
Do not raise reserved exception types (C#)	ROSLYN.USAGE.CA2201
Do not use 'OutAttribute' on string parameters for P/Invokes (C#)	ROSLYN.INTEROPERABILITY.CA1417
Do not use 'WaitAll' with a single task (C#)	ROSLYN.PERFORMANCE.CA1843
Do not use 'WhenAll' with a single task (C#)	ROSLYN.PERFORMANCE.CA1842
Do not use Count() or LongCount() when Any() can be used (C#)	ROSLYN.PERFORMANCE.CA1827
Do not use CountAsync() or LongCountAsync() when AnyAsync() can be used (C#)	ROSLYN.PERFORMANCE.CA1828
Do not use CreateEncryptor with non-default IV (C#)	ROSLYN.SECURITY.CA5401
Do not use DataSet.ReadXml() with untrusted data (C#)	ROSLYN.SECURITY.CA2351
Do not use DataTable.ReadXml() with untrusted data (C#)	ROSLYN.SECURITY.CA2350
Do not use Enumerable methods on indexable collections (C#)	ROSLYN.PERFORMANCE.CA1826
Do not use ReferenceEquals with value types (C#)	ROSLYN.RELIABILITY.CA2013
Do not use TypeNameHandling values other than None (C#)	ROSLYN.SECURITY.CA2326
Do not use deprecated SslProtocols values (C#)	ROSLYN.SECURITY.CA5397
Do not use insecure JsonSerializerSettings (C#)	ROSLYN.SECURITY.CA2327
Do not use insecure deserializer BinaryFormatter (C#)	ROSLYN.SECURITY.CA2300
Do not use insecure deserializer LosFormatter (C#)	ROSLYN.SECURITY.CA2305
Do not use insecure deserializer NetDataContractSerializer (C#)	ROSLYN.SECURITY.CA2310
Do not use insecure deserializer ObjectStateFormatter (C#)	ROSLYN.SECURITY.CA2315
Do not use insecure randomness (C#)	ROSLYN.SECURITY.CA5394
Do not use obsolete key derivation function (C#)	ROSLYN.SECURITY.CA5373
Do not use stackalloc in loops (C#)	ROSLYN.RELIABILITY.CA2014
Ensure BinaryFormatter.Binder is set before calling BinaryFormatter.Deserialize (C#)	ROSLYN.SECURITY.CA2302
Ensure Certificates Are Not Added To Root Store (C#)	ROSLYN.SECURITY.CA5381
Ensure HttpClient certificate revocation list check is not disabled (C#)	ROSLYN.SECURITY.CA5400
Ensure JavaScriptSerializer is not initialized with SimpleTypeResolver before deserializing (C#)	ROSLYN.SECURITY.CA2322
Ensure Key Derivation Function algorithm is sufficiently strong (C#)	ROSLYN.SECURITY.CA5379
Ensure NetDataContractSerializer.Binder is set before deserializing (C#)	ROSLYN.SECURITY.CA2312
Ensure Sufficient Iteration Count When Using Weak Key Derivation Function (C#)	ROSLYN.SECURITY.CA5388
Ensure Use Secure Cookies In ASP.NET Core (C#)	ROSLYN.SECURITY.CA5383
Ensure auto-generated class containing DataSet.ReadXml() is not used with untrusted data (C#)	ROSLYN.SECURITY.CA2361
Ensure that JsonSerializer has a secure configuration when deserializing (C#)	ROSLYN.SECURITY.CA2330
Ensure that JsonSerializerSettings are secure (C#)	ROSLYN.SECURITY.CA2328
Enum Storage should be Int32 (C#)	ROSLYN.DESIGN.CA1028
Enums should have zero value (C#)	ROSLYN.DESIGN.CA1008
Enums values should not be duplicated (C#)	ROSLYN.DESIGN.CA1069
Events should not have 'Before' or 'After' prefix (C#)	ROSLYN.NAMING.CA1713
Exceptions should be public (C#)	ROSLYN.DESIGN.CA1064
Forward the 'CancellationToken' parameter to methods (C#)	ROSLYN.RELIABILITY.CA2016
Generic interface should also be implemented (C#)	ROSLYN.DESIGN.CA1010
HttpClients should enable certificate revocation list checks (C#)	ROSLYN.SECURITY.CA5399
Identifier contains type name (C#)	ROSLYN.NAMING.CA1720
Identifiers should differ by more than case (C#)	ROSLYN.NAMING.CA1708
Identifiers should have correct prefix (C#)	ROSLYN.NAMING.CA1715
Identifiers should have correct suffix (C#)	ROSLYN.NAMING.CA1710
Identifiers should not contain underscores (C#)	ROSLYN.NAMING.CA1707
Identifiers should not have incorrect suffix (C#)	ROSLYN.NAMING.CA1711
Identifiers should not match keywords (C#)	ROSLYN.NAMING.CA1716
Implement IDisposable Correctly (C#)	ROSLYN.DESIGN.CA1063
Implement IEquatable when overriding Object.Equals (C#)	ROSLYN.DESIGN.CA1066
Implement serialization constructors (C#)	ROSLYN.USAGE.CA2229
Implement standard exception constructors (C#)	ROSLYN.DESIGN.CA1032
Initialize reference type static fields inline (C#)	ROSLYN.PERFORMANCE.CA1810
Initialize value type static fields inline (C#)	ROSLYN.USAGE.CA2207
Insecure DTD processing in XML (C#)	ROSLYN.SECURITY.CA3075
Insecure Processing in API Design, XmlDocument and XmlTextReader (C#)	ROSLYN.SECURITY.CA3077
Insecure XSLT script processing. (C#)	ROSLYN.SECURITY.CA3076
Instantiate argument exceptions correctly (C#)	ROSLYN.USAGE.CA2208
Interface methods should be callable by child types (C#)	ROSLYN.DESIGN.CA1033
Invalid entry in code metrics rule specification file (C#)	ROSLYN.MAINTAINABILITY.CA1509
Mark ISerializable types with serializable (C#)	ROSLYN.USAGE.CA2237
Mark assemblies with CLSCompliant (C#)	ROSLYN.DESIGN.CA1014
Mark assemblies with ComVisible (C#)	ROSLYN.DESIGN.CA1017
Mark enums with FlagsAttribute (C#)	ROSLYN.DESIGN.CA1027
Mark Verb Handlers With Validate Antiforgery Token (C#)	ROSLYN.SECURITY.CA3147
Mark assemblies with NeutralResourcesLanguageAttribute (C#)	ROSLYN.PERFORMANCE.CA1824
Mark assemblies with assembly version (C#)	ROSLYN.DESIGN.CA1016
Mark attributes with AttributeUsageAttribute (C#)	ROSLYN.DESIGN.CA1018
Mark members as static (C#)	ROSLYN.PERFORMANCE.CA1822
Members defined on an interface with the 'DynamicInterfaceCastableImplementationAttribute' should be 'static' (C#)	ROSLYN.USAGE.CA2257
Miss HttpVerb attribute for action methods (C#)	ROSLYN.SECURITY.CA5395
Move pinvokes to native methods class (C#)	ROSLYN.DESIGN.CA1060
Named placeholders should not be numeric values (C#)	ROSLYN.USAGE.CA2253
Nested types should not be visible (C#)	ROSLYN.DESIGN.CA1034
Non-constant fields should not be visible (C#)	ROSLYN.USAGE.CA2211
Normalize strings to uppercase (C#)	ROSLYN.GLOBALIZATION.CA1308
Operator overloads have named alternates (C#)	ROSLYN.USAGE.CA2225
Operators should have symmetrical overloads (C#)	ROSLYN.USAGE.CA2226
Overload operator equals on overriding value type Equals (C#)	ROSLYN.USAGE.CA2231
Override Object.Equals(object) when implementing IEquatable<T> (C#)	ROSLYN.DESIGN.CA1067
Override equals and operator equals on value types (C#)	ROSLYN.PERFORMANCE.CA1815
Override methods on comparable types (C#)	ROSLYN.DESIGN.CA1036
P/Invokes should not be visible (C#)	ROSLYN.INTEROPERABILITY.CA1401
Parameter count mismatch (C#)	ROSLYN.RELIABILITY.CA2017
Parameter names should match base declaration (C#)	ROSLYN.NAMING.CA1725
Pass system uri objects instead of strings (C#)	ROSLYN.USAGE.CA2234
Potential reference cycle in deserialized object graph (C#)	ROSLYN.SECURITY.CA5362
Prefer 'AsSpan' over 'Substring' (C#)	ROSLYN.PERFORMANCE.CA1846
Prefer Dictionary.Contains methods (C#)	ROSLYN.PERFORMANCE.CA1841
Prefer IsEmpty over Count (C#)	ROSLYN.PERFORMANCE.CA1836
Prefer jagged arrays over multidimensional (C#)	ROSLYN.PERFORMANCE.CA1814
Prefer strongly-typed Append and Insert method overloads on StringBuilder (C#)	ROSLYN.PERFORMANCE.CA1830
Prefer the 'Memory'-based overloads for 'ReadAsync' and 'WriteAsync' (C#)	ROSLYN.PERFORMANCE.CA1835
Properties should not be write only (C#)	ROSLYN.DESIGN.CA1044
Properties should not return arrays (C#)	ROSLYN.PERFORMANCE.CA1819
Property names should not match get methods (C#)	ROSLYN.NAMING.CA1721
Provide ObsoleteAttribute message (C#)	ROSLYN.DESIGN.CA1041
Provide a parameterless constructor that is as visible as the containing type for concrete types derived from 'System.Runtime.InteropServices.SafeHandle' (C#)	ROSLYN.INTEROPERABILITY.CA1419
Provide correct 'enum' argument to 'Enum.HasFlag' (C#)	ROSLYN.USAGE.CA2248
Provide correct arguments to formatting methods (C#)	ROSLYN.USAGE.CA2241
Provide memory-based overrides of async methods when subclassing 'Stream' (C#)	ROSLYN.PERFORMANCE.CA1844
Providing a 'DynamicInterfaceCastableImplementation' interface in Visual Basic is unsupported (C#)	ROSLYN.USAGE.CA2258
Remove empty Finalizers (C#)	ROSLYN.PERFORMANCE.CA1821
Rethrow to preserve stack details (C#)	ROSLYN.USAGE.CA2200
Review SQL queries for security vulnerabilities (C#)	ROSLYN.SECURITY.CA2100
Review cipher mode usage with cryptography experts (C#)	ROSLYN.SECURITY.CA5358
Review code for DLL injection vulnerabilities (C#)	ROSLYN.SECURITY.CA3011
Review code for LDAP injection vulnerabilities (C#)	ROSLYN.SECURITY.CA3005
Review code for SQL injection vulnerabilities (C#)	ROSLYN.SECURITY.CA3001
Review code for XAML injection vulnerabilities (C#)	ROSLYN.SECURITY.CA3010
Review code for XML injection vulnerabilities (C#)	ROSLYN.SECURITY.CA3009
Review code for XPath injection vulnerabilities (C#)	ROSLYN.SECURITY.CA3008
Review code for XSS vulnerabilities (C#)	ROSLYN.SECURITY.CA3002
Review code for file path injection vulnerabilities (C#)	ROSLYN.SECURITY.CA3003
Review code for information disclosure vulnerabilities (C#)	ROSLYN.SECURITY.CA3004
Review code for open redirect vulnerabilities (C#)	ROSLYN.SECURITY.CA3007
Review code for process command injection vulnerabilities (C#)	ROSLYN.SECURITY.CA3006
Review code for regex injection vulnerabilities (C#)	ROSLYN.SECURITY.CA3012
Review visible event handlers (C#)	ROSLYN.SECURITY.CA2109
Seal methods that satisfy private interfaces (C#)	ROSLYN.SECURITY.CA2119
Set HttpOnly to true for HttpCookie (C#)	ROSLYN.SECURITY.CA5396
Set ViewStateUserKey For Classes Derived From Page (C#)	ROSLYN.SECURITY.CA5368
Specify CultureInfo (C#)	ROSLYN.GLOBALIZATION.CA1304
Specify IFormatProvider (C#)	ROSLYN.GLOBALIZATION.CA1305
Specify StringComparison for clarity (C#)	ROSLYN.GLOBALIZATION.CA1307
Specify StringComparison for correctness (C#)	ROSLYN.GLOBALIZATION.CA1310
Specify marshaling for P/Invoke string arguments (C#)	ROSLYN.GLOBALIZATION.CA2101
Static holder types should be Static or NotInheritable (C#)	ROSLYN.DESIGN.CA1052
Template should be a static expression (C#)	ROSLYN.USAGE.CA2254
Test for NaN correctly (C#)	ROSLYN.USAGE.CA2242
Test for empty strings using string length (C#)	ROSLYN.PERFORMANCE.CA1820
The 'ModuleInitializer' attribute should not be used in libraries (C#)	ROSLYN.USAGE.CA2255
This API requires opting into preview features (C#)	ROSLYN.USAGE.CA2252
Type names should not match namespaces (C#)	ROSLYN.NAMING.CA1724
Types should not extend certain base types (C#)	ROSLYN.DESIGN.CA1058
Types that own disposable fields should be disposable (C#)	ROSLYN.DESIGN.CA1001
URI-like parameters should not be strings (C#)	ROSLYN.DESIGN.CA1054
URI-like properties should not be strings (C#)	ROSLYN.DESIGN.CA1056
URI-like return values should not be strings (C#)	ROSLYN.DESIGN.CA1055
Unsafe DataSet or DataTable in auto-generated serializable type can be vulnerable to remote code execution attacks (C#)	ROSLYN.SECURITY.CA2362
Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attacks (C#)	ROSLYN.SECURITY.CA2354
Unsafe DataSet or DataTable in serializable type (C#)	ROSLYN.SECURITY.CA2353
Unsafe DataSet or DataTable in serializable type can be vulnerable to remote code execution attacks (C#)	ROSLYN.SECURITY.CA2352
Unsafe DataSet or DataTable type found in deserializable object graph (C#)	ROSLYN.SECURITY.CA2355
Unsafe DataSet or DataTable type in web deserializable object graph (C#)	ROSLYN.SECURITY.CA2356
Use 'Environment.CurrentManagedThreadId' (C#)	ROSLYN.PERFORMANCE.CA1840
Use 'Environment.ProcessId' (C#)	ROSLYN.PERFORMANCE.CA1837
Use 'Environment.ProcessPath' (C#)	ROSLYN.PERFORMANCE.CA1839
Use 'ThrowIfCancellationRequested' (C#)	ROSLYN.USAGE.CA2250
Use 'string.Equals' (C#)	ROSLYN.USAGE.CA2251
Use AsSpan or AsMemory instead of Range-based indexers (C#)	ROSLYN.PERFORMANCE.CA1832
Use AsSpan or AsMemory instead of Range-based indexers for getting Span of an array (C#)	ROSLYN.PERFORMANCE.CA1833
Use AsSpan or AsMemory instead of Range-based indexers when appropriate (C#)	ROSLYN.PERFORMANCE.CA1831
Use Container Level Access Policy (C#)	ROSLYN.SECURITY.CA5377
Use CreateEncryptor with the default IV (C#)	ROSLYN.SECURITY.CA5402
Use DefaultDllImportSearchPaths attribute for P/Invokes (C#)	ROSLYN.SECURITY.CA5392
Use Integral Or String Argument For Indexers (C#)	ROSLYN.DESIGN.CA1043
Use Length/Count property instead of Count() when available (C#)	ROSLYN.PERFORMANCE.CA1829
Use PascalCase for named placeholders (C#)	ROSLYN.NAMING.CA1727
Use Rivest-Shamir-Adleman (RSA) Algorithm With Sufficient Key Size (C#)	ROSLYN.SECURITY.CA5385
Use Secure Cookies In ASP.NET Core (C#)	ROSLYN.SECURITY.CA5382
Use SharedAccessProtocol HttpsOnly (C#)	ROSLYN.SECURITY.CA5376
Use ValueTasks correctly (C#)	ROSLYN.RELIABILITY.CA2012
Use XmlReader for 'DataSet.ReadXml()' (C#)	ROSLYN.SECURITY.CA5366
Use XmlReader for 'XmlSchema.Read()' (C#)	ROSLYN.SECURITY.CA5371
Use XmlReader for 'XmlSerializer.Deserialize()' (C#)	ROSLYN.SECURITY.CA5369
Use XmlReader for XPathDocument constructor (C#)	ROSLYN.SECURITY.CA5372
Use XmlReader for XmlValidatingReader constructor (C#)	ROSLYN.SECURITY.CA5370
Use antiforgery tokens in ASP.NET Core MVC controllers (C#)	ROSLYN.SECURITY.CA5391
Use char literal for a single character lookup (C#)	ROSLYN.PERFORMANCE.CA1847
Use events where appropriate (C#)	ROSLYN.DESIGN.CA1030
Use generic event handler instances (C#)	ROSLYN.DESIGN.CA1003
Use literals where appropriate (C#)	ROSLYN.PERFORMANCE.CA1802
Use nameof to express symbol names (C#)	ROSLYN.MAINTAINABILITY.CA1507
Use ordinal string comparison (C#)	ROSLYN.GLOBALIZATION.CA1309
Use properties where appropriate (C#)	ROSLYN.DESIGN.CA1024
Use span-based 'string.Concat' (C#)	ROSLYN.PERFORMANCE.CA1845
Use the LoggerMessage delegates (C#)	ROSLYN.PERFORMANCE.CA1848
Use valid platform string (C#)	ROSLYN.INTEROPERABILITY.CA1418
Validate arguments of public methods (C#)	ROSLYN.DESIGN.CA1062
Validate platform compatibility (C#)	ROSLYN.INTEROPERABILITY.CA1416

Roslyn-detected C# warnings (Experimental)

There is new, experimental functionality that invokes the .NET Compiler Platform (Roslyn) analyzers from Visual Studio and issues a CodeSonar warning for each rule violation detected by an analyzer.

We divide the C# warning classes shipped with CodeSonar into two groups.

CodeSonar-detected C# classes: detected directly by CodeSonar (CSHARP.* mnemonics).
Roslyn-detected C# classes: detected by Visual Studio Roslyn checkers invoked by CodeSonar (ROSLYN.* mnemonics).

There are many new Roslyn-detected C# warning classes associated with this feature: see the list above.

Several new presets are provided to enable various subsets of the Roslyn-detected C# warning classes.

See Experimental: Roslyn-Detected C# Warning Classes for more information.

New Configuration Presets

New preset his_metrics enables the five new Hersteller Initiative Software (HIS) metrics.

There are also several new presets that selectively enable various of the new Roslyn-detected C# warning classes, corresponding to rulesets in microsoft.codeanalysis.netanalyzers 6.0.0.

New Preset	Corresponding microsoft.codeanalysis.netanalyzers 6.0.0 ruleset
csharp_roslyn_allrulesdefault	AllRulesDefault
csharp_roslyn_allrulesenabled	AllRulesEnabled
csharp_roslyn_designrulesdefault	DesignRulesDefault
csharp_roslyn_globalizationrulesdefault	GlobalizationRulesDefault
csharp_roslyn_interoperabilityrulesdefault	InteroperabilityRulesDefault
csharp_roslyn_maintainabilityrulesdefault	MaintainabilityRulesDefault
csharp_roslyn_performancerulesdefault	PerformanceRulesDefault
csharp_roslyn_portedfromfxcoprulesdefault	PortedFromFxCopRulesDefault
csharp_roslyn_reliabilityrulesdefault	ReliabilityRulesDefault
csharp_roslyn_usagerulesdefault	UsageRulesDefault

Configuration Parameters

There are several new configuration parameters.

New Configuration Parameters

New Parameter	Purpose
ALWAYS_EXPAND_FUNCTIONS	Specify certain functions by name that should always be expanded when CALL_SITE_EXPANSIONS is not None.
EXPLORE_SELF_ASSIGNMENT	Specify whether or not the analysis should explore the possibility of self assignment.
LOOP_TAINT_TRANSFER	Specify whether or not the analysis should transfer taint to loop variables when they are compared to tainted values.
MAX_CLOBBERED_FIELDS	When a non-const pointer to an object escapes analysis, specifies a bound on the number of transitive fields of that object that the analysis should treat as potentially changed to an unknown value.
MAX_COPIED_FIELDS	Specify a bound on the number of transitive fields of a type (such as a class or struct) that the CodeSonar analysis will copy by-value when simulating a corresponding by-value copy operation in the software under analysis.
TAINT_BLOCK_PROPAGATION_FUNCS	Specify how a function propagates data, and the taint on that # data, into a structured memory block.
TIME_LIMIT_LIVEVAR	Bounds the time that the analysis can spend figuring out live variables in a single procedure.

API Changes

There are two new API functions.

API: New Functions

There are new C++ and Python API functions for obtaining and using for compilation unit IDs. In C, a compilation unit is already represented as an integer cs_uid.

New Function			Purpose
C++	Python	C	Purpose
project::find_compunit()	project.find_compunit()	n/a	Retrieve a compilation unit given its ID.
compunit::id()	compunit.get_id()	n/a	Get the ID for a compilation unit.

AST Changes

There are two new unnormalized C/C++ AST classes:

Customer Tickets Fixed

NUMBER	NAME	NOTES
CSO-985	ti_intrinsics.h causes parse errors with some configurations from cl6x.exe	fixed
CSO-1032	Function Pointer failure on member variable	fixed
CSO-1223	CS 6.2p2 armcc compiler not keeping pace with later revisions of ARM compiler. V4 (RVCT) OK, V5 broken, likely V6 broken	fixed
CSO-1327	IAR compiler models need to detect the IAR IDE language conformance settings	fixed
CSO-1531	False Positive	fixed
CSO-1594	Parse errors: TI cl2000 v20.2.4 compiler	fixed
CSO-1614	Add more examples for IGNORED_COMPILATIONS regarding the targeting of directories	Additional examples added to documentation.
CSO-1632	Subsequent runs without -clean do not retract warnings properly	fixed
CSO-1650	Remove limitation to 255 chars of "Redundant Condition" warning message	fixed
CSO-1654	Invalid cookie blocks operations	fixed
CSO-1656	Hub: Exception Value:<built-in function jsondecode>	fixed
CSO-1684	Update .Net compatibility mappings to support .Net Standard on .NET 6.0	fixed
CSO-1685	Side-effects of unsupported assemblies to impact the analysis of other assemblies.	fixed
CSO-1692	"expression must have a constant value" parse error with Arms armcc V5.04	fixed
CSO-1704	Arm armcc V5.x "the size of an array must be greater than zero" parse error	fixed
CSO-1742	Warning Processors: Input and Output Mistakes in manual	Documentation has been corrected.
CSO-1800	The use of the option '-project', gives permission denied error if a slash is used for targeting the project like: '-project /project-name'	fixed