CodeSonar Release 7.2p0 Release Notes

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

Release Notes

CodeSonar Release 7.2, patchlevel 0: Release Notes

Notes on Upgrading
What's New
Customer Tickets Fixed

Notes on Upgrading

Upgrading a CodeSonar hub to 7.2p0 will take longer than usual.

Schedule your hub upgrade for a time when hub downtime will not cause disruptions.
Deleting old analysis logs (or entire analyses) will help reduce the upgrade time.

If you are upgrading a hub that is configured with an SSO SAML authentication plug-in, see the note below.

If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.

See Upgrading Configuration Files for instructions.
For some configuration files, the procedure includes steps that must be carried out before CodeSonar is upgraded.
If you are upgrading a CodeSonar installation that will be used by someone else:
- Determine the most appropriate person to upgrade the general template and compiler template configuration files.
  This will depend on local factors such as who usually makes changes to these files.

The minimum CodeSonar version for direct upgrade to CodeSonar 7.0 or later is 4.1p0. If you have a hub that is running CodeSonar 4.0p2 or earlier, contact CodeSecure support for assistance in upgrading.

What's New

There are significant changes to role-based access control on the hub. These changes involve default role-permission assignments for built-in roles, and affect only new hubs started with CodeSonar 7.2 or later. An important consequence is that the special Anonymous user has almost no permissions by default, so a hub using these default settings will require authentication for operations such as performing an analysis or browsing analysis results.
Existing hubs are not affected, even if they are upgraded to CodeSonar 7.2 or later.
See RBAC Changes, below, for details.

HTTP API	The CodeSonar HTTP API has been transitioned to conform to the OpenAPI specification. HTTP API documentation is now served directly by the hub. View HTTP API documentation now See HTTP API documentation
RBAC	There are significant changes to role-based access control on the hub. These changes involve default role-permission assignments for built-in roles, and affect only new hubs started with CodeSonar 7.2 or later. Existing hubs are not affected, even if they are upgraded to CodeSonar 7.2 or later. See RBAC Changes, below, for details.
New Warning Classes	There are several new warning classes.
New hub-start options	There are several new options for the codesonar hub-start command: -allow-satellites, -https-redirect, -permissive, -tls-server-certkey, -tls-client-certkey.
Dark Mode	The CodeSonar web GUI now provides a dark mode option. Use the light/dark mode selector in the standard GUI header to switch between light and dark mode. The default color theme for the hub is specified on the Content tab of the Settings page.
Java Build/Analysis Changes	The Java build/analysis now supports Java 18: specify -framework java18.
C# Build/Analysis Changes	There are several changes to the C# build/analysis. In particular, .NET 6.0 is now supported, and MSBuild solution files (.sln) can now be provided as input.
Configuration Preset	There is one new configuration preset: sans-cwe2022. Enables all warning classes that are closely mapped to one or more of the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
Configuration Parameters	There are several new configuration parameters, and changes to factory settings for some parameters.
SSO SAML Authentication	If you are upgrading a hub that is configured with an SSO SAML authentication plug-in, you will need to edit the corresponding configuration in your SSO identity provider.
Default Password Strength Requirements	The default password strength requirements for newly created hubs have been increased, as follows. Minimum length: 12 characters Minimum number of character classes (e.g. 'upper case', 'lower case', 'digit'): 3 Existing hubs are not affected.
Default HTTP Session Timeout	The default HTTP session timeout for newly created hubs is now 15 minutes (previously 60 minutes). You can change this setting on the HTTP tab of the Admin Settings page. Existing hubs are not affected.
codesonar bi_transfer.py	This is a new codesonar subcommand for transferring warning information from your CodeSonar hub to a business intelligence (BI) tool. For full details see codesonar bi_transfer.py: Transfer Warning Information to a Business Intelligence (BI) Tool. With CodeSonar factory settings, the only supported BI tool is Qlik. If you want to upload to a different tool, contact CodeSecure support.
Management Report Template	There is one new predefined management report template: SANS/CWE Top 25 2022 Report. Analysis-scoped; contains charts and tables describing the analysis warnings whose classes are closely mapped to each of the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
Library Models	There are new library models for CoTaskMemAlloc and SysAllocString allocator/deallocator families.
CWE	This version of CodeSonar uses CWE v4.9, released October 13, 2022.
Hybrid Cloud with CodeSonar for Binaries	CodeSonar SaaS (Software as a Service) now supports CodeSonar for Binaries.
CodeSonar Plug-In for Eclipse	There are several changes to the CodeSonar plug-in for Eclipse.
CodeSonar Plug-in for Visual Studio	[Windows only] There are several changes to the CodeSonar plug-in for Visual Studio.
VS Code Extension	There is now a CodeSonar extension for Microsoft Visual Studio Code (VS Code). The extension is available in the VS Code marketplace. Documentation is provided in the extension's README.md file.
Release Status	For full information about release status for all current and past CodeSonar versions, see the Supported Product Versions page on the CodeSecure support site.

Details

New Warning Classes

C/C++
	Inappropriate Test of Error Code	LANG.ERRCODE.ITEST
	Missing Test of Error Code	LANG.ERRCODE.NOTEST
	Non-zero Error Code	LANG.ERRCODE.NZ
Java
	Weak Initialization Vector Value (Java)	JAVA.CRYPTO.WIV
	Weak Initialization Vector Field (Java)	JAVA.CRYPTO.WIVF
C#
	Weak Initialization Vector Value (C#)	CSHARP.CRYPTO.WIV
	Weak Initialization Vector Field (C#)	CSHARP.CRYPTO.WIVF

RBAC Changes

In summary:

Anyone has almost no permissions by default. This means that the special Anonymous user has almost no permissions by default, so a hub using default RBAC settings will require authentication for operations such as performing an analysis or browsing analysis results.
Many of the default permissions previously held by Anyone are now held by User.
Default permissions for Manager and Administrator have not changed.
Special user Anonymous no longer has special treatment with respect to the G_SIGN_IN permission.
- G_SIGN_IN is no longer one of the negated permissions for Anonymous.
- G_SIGN_IN permission is now required in order to authenticate as any user, including the special Anonymous user.
Authentication as an enabled user is now required to view hub pages, including documentation.

There is a new -permissive option to codesonar hub-start. If you specify this option when starting a brand new primary hub, default role-permission assignments for the Anyone role will be more extensive, consistent with default assignments in CodeSonar 7.1 and earlier. (The -permissive option has no effect when you use codesonar hub-start to restart an existing hub.)

For full details of the default role-permission assignments with and without the -permissive option, see Default Role-Permissions and Immutable Role-Permissions.

CodeSonar Plug-in for Visual Studio [Windows only]

There are several changes to the CodeSonar plug-in for Visual Studio.

The CodeSonar Project Properties dialog has multiple changes.
- New analysis management radio buttons allow you to choose between local-managed and remote-managed analysis, and to specify a remote launch daemon for the latter.
- The Allow Services checkbox is now only available when Local Analysis is selected.
- The Launchd Group and Launchd Key settings have been removed.
The plug-in now uses an Edge/Chromium browser widget (previously it used an Internet Explorer widget).
New prerequisite: the Microsoft Edge WebView2 runtime must be installed.

C# Build/Analysis Changes

There are several changes to the C# build/analysis.

.NET 6.0 is now supported: specify -framework net6.0.
MSBuild solution files (.sln) can now be provided as input.
New cs-dotnet-scan options -msbuild-solution, -msbuild-location, and -msbuild-property provide access to this functionality.
New cs-dotnet-scan option -csharp-source-level allows you to specify the language compliance level to be used in parsing C# source files.

CodeSonar Plug-in for Eclipse

There are several changes to the CodeSonar plug-in for Eclipse.

CodeSonar 7.2p0 supports Eclipse versions 4.19 (2021-03) through 4.25 (2022-09), official/supported releases only.
[Windows only] New prerequisite: the Microsoft Edge WebView2 runtime .
[Windows only] New setting "Use Microsoft Edge-based Web Browser views" in the CodeSonar Preferences allows you to specify that Eclipse must use an Edge browser widget. The Edge browser widget is required for the Warning view's Code tab.

Upgrading a Hub With Existing SSO SAML Authentication Plug-In

The schema for hub Assertion Consumer Service (ACS) URLs has changed. If you are upgrading a hub that is configured with an SSO SAML authentication plug-in, you will need to edit the corresponding configuration in your SSO identity provider (for example, Keycloak or Okta) to specify the updated ACS URL.

Once you have upgraded the hub, do the following as a user with G_ADMINISTER_USERS permission.

Navigate to the hub Authentication Services page.
Scroll if necessary to view the table entry for your SSO authentication service.
Copy the Assertion Consumer Service URL: this is the updated URL that you will be using.
Sign into your identity provider as a user with administrative permissions.

Update the ACS URL configured for your CodeSonar integration.
For example:

Okta	Open the Configure SAML tab for your CodeSonar App Integration. Populate the Single sign on URL field with the updated ACS URL.
Keycloak	Open the Settings page for your CodeSonar client. Populate the Master SAML Processing URL field with the updated ACS URL.

Save your changes.

Configuration Parameters

There are several new configuration parameters, and changes to factory settings for some parameters.

New Configuration Parameters

New Parameter	Purpose
ERRNO_SETTING_FUNCTIONS	Specifies the set of functions that are guaranteed to set errno when they encounter an error condition.
SEARCH_BOUND_NOISE_THRESHOLD	Control the "noisiness" of the path search.

Modified Configuration Parameters

Parameter	Factory Setting
LOOP_TAINT_TRANSFER	Yes (previously No)
TIME_LIMIT_LIVEVAR	60 (previously 8)

Customer Tickets Fixed

NUMBER	NAME	NOTES
CSO-1196, ZD-25013	Compiler model issue for cl6x, does not understand the --vtypes or --vectypes option causing parse errors	fixed
CSO-1200, ZD-26012	Non-Distinct External Name has wrong significance length	fixed
CSO-1255, ZD-26020	CodeSonar crash while invoking visitors during collecting constants	fixed
CSO-1444, ZD-26503, ZD-26580	Make location-less warnings work (C# and Java)	fixed
CSO-1711	On-line help only refers to Windows support for the Tasking compiler, but we also support Linux	Verified that Tasking compiler is compatible with Linux.
CSO-1786, ZD-26954	WARNING_FILTER += discard compilation_unit=demo.cpp doesnt have any effect	Warning Filter documentation updated for clarity.
CSO-1867	When viewing the analysis page warnings tab as JSON, the URLs provided do not exist	fixed
CSO-1875, ZD-27031	FP Buffer overrun due to incorrectly chosen array	fixed
CSO-1883, ZD-26955	False negative for warning class "Write to Read Only File"	fixed
CSO-1885, ZD-27020	CodeSonar build wizard issues when observing the build using st-stm32cubeide_1.8.0	fixed
CSO-1919, ZD-27076	Dotnet pattern matching fails to match inputs without emitting log/alert	fixed; log messages improved.
CSO-1940, ZD-26985	Add analysis Miscellaneous Error Alert for interruption/timeout in the Java analysis	fixed; informative error message added to user interface.
CSO-2022, ZD-27133	Segmentation Fault - misra.cpp: populate_typeref	fixed
CSO-2024, ZD-27138	Document how the hub settings and Okta settings correspond	Keycloak, Okta, and Authentication Plugin documentation pages have all been updated for clarity.
CSO-2030	VS Code IDE support page mentions 7.0p1, which should be 7.1	fixed; version has been corrected.
CSO-2060, ZD-27169	FN - expecting a "Type Mismatch" warning	New library models CoTaskMemFree, SysFreeString, SysAllocString, and ConvertStringToBSTR have been added to CodeSonar to detect the underlying issue.
CSO-2071, ZD-27157	Properly document in the FUSA Kit manual how to customise the FUSA scripts to use a custom compiler	Documentation added as code comment.
CSO-2076, ZD-27174	FP Buffer Overrun	fixed
CSO-2082, ZD-26980	dump_warnings.py not returning results when option "--gained-since-previous-analysis" is used and anonymous does not have analysis_warning_exists permissions	fixed
CSO-2088, ZD-27205	Update mcpcom compiler model parameter CS_TARG_SIZE_T_INT_KIND	fixed
CSO-2091, ZD-27192	qcc compiler model misses compiler argument for C++ standard	fixed