CodeSonar Release 7.3p0 Release Notes

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

Release Notes

CodeSonar Release 7.3, patchlevel 0: Release Notes

Notes on Upgrading
What's New
Customer Tickets Fixed

Notes on Upgrading

The minimum CodeSonar version for direct upgrade to CodeSonar 7.0 or later is 4.1p0. If you have a hub that is running CodeSonar 4.0p2 or earlier, contact CodeSecure support for assistance in upgrading.

If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.

See Upgrading Configuration Files for instructions.
For some configuration files, the procedure includes steps that must be carried out before CodeSonar is upgraded.
If you are upgrading a CodeSonar installation that will be used by someone else:
- Determine the most appropriate person to upgrade the general template and compiler template configuration files.
  This will depend on local factors such as who usually makes changes to these files.

What's New

Remote Daemon Mode	This release introduces finer-grained control over remote-managed vs local-managed analysis.
HTTP API	Full documentation for all query parameters is now available at http://host:port/install/third-party/swagger-ui/ (for hub running at http://host:port). Documented constraints on parameter values (often expressed as types) are enforced using a built-in web application firewall for enhanced security. The OpenAPI document is available for two OpenAPI specification versions: openapi-3.1.0.json openapi-3.0.3.json
New codesonar analyze options	Two new options. -property propkey propval: adds user-assigned property propkey to the analysis, with value propval. This is part of the new user-assigned analysis properties feature. -remote-archive archive-launchd: when the analysis transitions to daemon mode, transfer data and control to the analysis launch daemon specified by archive-launchd (remote daemon mode).
New codesonar install-launchd option	One new option. -foreground: execute the cslaunchd process in the foreground instead of spinning off a background process.
New C# build/analysis option	One new option. -msbuild-os-target os-targ: if -msbuild-solution is specified and the specified solution has multiple target framework projects with OS-specific Target Framework Monikers, CodeSonar will analyze only the project or projects whose target framework is os-targ.
codesonar dump_warnings.py changes	There are several changes to the behavior of the codesonar dump_warnings.py subcommand.
Configuration Tool Changes	Some of the steps for configuration tool main menu items 1 ("Install, connect to existing hub") and 2 ("Install, create hub") have been reordered.
Warning Classes	C/C++: There are many new warning classes. The Uninitialized Variable class now includes attempts to use the value of a moved-from variable (C++ only). C#: There are several new warning classes and one deleted warning class.
Java Build/Analysis Changes	The majority of analysis work now takes place in the analysis phase (previously the majority of work took place in the build phase). If you are performing a remote-managed analysis, the majority of processing will therefore take place on the remote system. For remote-managed SaaS analysis, the majority of processing will take place in the cloud. The Java build/analysis now supports Java 19: specify -framework java19.
C# Build/Analysis Changes	The majority of analysis work now takes place in the analysis phase (previously the majority of work took place in the build phase). If you are performing a remote-managed analysis, the majority of processing will therefore take place on the remote system. For remote-managed SaaS analysis, the majority of processing will take place in the cloud. The C# build/analysis now supports .NET 7.0: specify -framework net7.0.
Configuration Parameters	There are several new configuration parameters.
User-Assigned Analysis Properties	You can now associate arbitrary properties (as key-value pairs) with each analysis.
codesonar analysis_id.py	This is a new codesonar subcommand that prints (to stdout) the analysis ID for the most recent analysis performed in a given analysis directory. This is useful when you are performing an automated task that needs an analysis ID to access analysis information on the hub. For full details see codesonar analysis_id.py: Print Analysis ID from the Specified Analysis Directory.
Authentication Plug-In Changes	The LDAP (Active Directory), and Windows Login authentication plug-ins now obtain a canonical version of the user's name from the external service and use that as the hub user account username, instead of using the name as it was input by the user. Most commonly, this avoids an issue where some case insensitive authentication services gave rise to multiple hub user accounts whose usernames are different casings of the canonical name.
CWE	This version of CodeSonar uses CWE v4.10, released January 31, 2023.
GUI Changes	There are several additions to the CodeSonar Web GUI as part of the new user-assigned analysis properties feature.
Metrics	There are some adjustments to the set of HIS metrics.
Analysis Search Language Project Search Language	The analysis search language and project search language now include property-condition terms. This is part of the new user-assigned analysis properties feature.
Eclipse Plug-In	The project properties dialog now includes a Conf File field.
New Compiler Model	There is one new compiler model: icc78k, for the IAR Renesas 78k compiler.
API Changes	There are a small number of changes to the CodeSonar Plug-in API.
AST Changes	There are three new unnormalized C/C++ AST classes, and one modified unnormalized C/C++ AST class. There are also several changes to the available helper enumerations.
EDG Upgrade	CodeSonar now uses EDG version 6.4, released October 25, 2022.
TLS Root Certificates	The TLS root certificates have been updated.
Release Status	For full information about release status for all current and past CodeSonar versions, see the Supported Product Versions page on the CodeSecure support site.

Details

Remote Daemon Mode

This release introduces finer-grained control over remote-managed vs local-managed analysis.

Previously, the same analysis launch daemon was used both in the analysis phase and after the analysis transitioned to daemon mode.

If the analysis phase was local-managed, daemon mode was also local-managed.
If the analysis phase was remote-managed, daemon mode was also remote-managed with the same analysis launch daemon.

If an analysis specifies the new -remote-archive archive-launchd option, data and control are now transferred to the remote analysis launch daemon specified by archive-launchd when the analysis transitions to daemon mode. This can be useful for archiving the analysis directory so that analysis-specific information such as source files will continue to be available after the local copy has been deleted or overwritten.

-remote	-remote-archive	Behavior
(none)	(none)	Analysis phase and daemon mode are both local-managed.
(none)	-remote-archive archive-launchd	Analysis phase is local-managed. When the analysis transitions to daemon mode: the analysis launch daemon changes to a launch daemon matching archive-launchd, the analysis directory is moved to a location under the home directory for the updated analysis launch daemon.
-remote analysis-launchd	(none)	Analysis phase and daemon mode are both remote-managed. The analysis launch daemon and analysis directory do not change when the analysis transitions to daemon mode.
-remote analysis-launchd	-remote-archive archive-launchd	Analysis phase and daemon mode are both remote-managed. When the analysis transitions to daemon mode: the analysis launch daemon changes to a launch daemon matching archive-launchd, the analysis directory is moved to a location under the home directory for the updated analysis launch daemon. If -remote A and -remote-archive A are specified with identical value A, the same launch daemon will be used for both analysis phase and daemon mode. (If -remote A and -remote-archive B are specified with non-identical values, the hub will select the launch daemons for analysis phase and daemon mode independently. If there is overlap between A and B then the same launch daemon may be selected for both, but this is not guaranteed.)

New configuration parameter REMOTE_DAEMON_LAUNCHD provides the same functionality as the -remote-archive option. If both are specified, -remote-archive takes precedence.

Similarly, new parameter REMOTE_ANALYSIS_LAUNCHD provides the same functionality as -remote.

codesonar dump_warnings.py changes

There are several changes to the behavior of the codesonar dump_warnings.py subcommand.

The --hide-column option is no longer available.
If you specify one or more columns with --show-column, only those columns will be retrieved. If you don't specify --show-column, a default set of columns will be retrieved.
(Previously, columns in the default were always retrieved unless explicitly removed with --hide-column.)
Sort conditions specified with --sort "ascending:colname" or --sort "descending:colname" operate independently of the set of retrieved columns.
(Previously, colname was implicitly added to the set of retrieved columns.)
Most column names have changed.

Warning Classes

C/C++:

There are many new C/C++ warning classes.
The Uninitialized Variable class now includes attempts to use the value of a variable that has been left in a moved-from state after applying a move constructor or move assignment (C++ only, requires MOVED_FROM_UV_CHECK_ENABLED=Yes).

C#: The set of Visual Studio Roslyn checkers has changed, so there are a number of new C# warning classes and one deleted C# warning class.

New C/C++ Warning Classes

New Warning Class	Mnemonic
Implicit Type	LANG.STRUCT.DECL.IMPT
Inappropriate Argument Type	LANG.TYPE.IARGT
Indeterminate Order of Evaluation	LANG.STRUCT.SE.IOE
Mismatched Argument Types	LANG.TYPE.MAT
No Previous Declaration	LANG.STRUCT.DECL.MISSINGDECL
Read Past Null Terminator	MISC.MEM.RPNT
Returned Pointer Not Treated as const	LANG.STRUCT.RPNTC
sizeof Array Parameter	LANG.TYPE.SAP
Use of Alignas	LANG.STRUCT.ALIGNAS
Use of Alignof	LANG.STRUCT.ALIGNOF
Use of C Atomic	CONCURRENCY.C_ATOMIC
Use of C Generic	LANG.STRUCT.C_GENERIC
Use of L_tmpnam_s	BADMACRO.L_TMPNAM_S
Use of Noreturn	LANG.FUNCS.NORETURN
Use of TMP_MAX_S	BADMACRO.TMP_MAX_S
Use of Thread Local	CONCURRENCY.THREADLOCAL
Use of abort_handler_s	BADFUNC.ABORT_HANDLER_S
Use of asctime_s	BADFUNC.ASCTIME_S
Use of bsearch_s	BADFUNC.BSEARCH_S
Use of constraint_handler_t	BADFUNC.CONSTRAINT_HANDLER_T
Use of ctime_s	BADFUNC.CTIME_S
Use of fopen_s	BADFUNC.FOPEN_S
Use of fprintf_s	BADFUNC.FPRINTF_S
Use of freopen_s	BADFUNC.FREOPEN_S
Use of fscanf_s	BADFUNC.FSCANF_S
Use of fwprintf_s	BADFUNC.FWPRINTF_S
Use of fwscanf_s	BADFUNC.FWSCANF_S
Use of getenv_s	BADFUNC.GETENV_S
Use of gets_s	BADFUNC.GETS_S
Use of gmtime_s	BADFUNC.GMTIME_S
Use of ignore_handler_s	BADFUNC.IGNORE_HANDLER_S
Use of localtime_s	BADFUNC.LOCALTIME_S
Use of mbsrtowcs_s	BADFUNC.MBSRTOWCS_S
Use of mbstowcs_s	BADFUNC.MBSTOWCS_S
Use of memcpy_s	BADFUNC.MEMCPY_S
Use of memmove_s	BADFUNC.MEMMOVE_S
Use of memset_s	BADFUNC.MEMSET_S
Use of printf_s	BADFUNC.PRINTF_S
Use of qsort_s	BADFUNC.QSORT_S
Use of scanf_s	BADFUNC.SCANF_S
Use of set_constraint_handler_s	BADFUNC.SET_CONSTRAINT_HANDLER_S
Use of snprintf_s	BADFUNC.SNPRINTF_S
Use of snwprintf_s	BADFUNC.SNWPRINTF_S
Use of sprintf_s	BADFUNC.SPRINTF_S
Use of sscanf_s	BADFUNC.SSCANF_S
Use of strcat_s	BADFUNC.STRCAT_S
Use of strcpy_s	BADFUNC.STRCPY_S
Use of strerror_s	BADFUNC.STRERROR_S
Use of strerrorlen_s	BADFUNC.STRERRORLEN_S
Use of strncat_s	BADFUNC.STRNCAT_S
Use of strncpy_s	BADFUNC.STRNCPY_S
Use of strnlen_s	BADFUNC.STRNLEN_S
Use of strtok_s	BADFUNC.STRTOK_S
Use of swprintf_s	BADFUNC.SWPRINTF_S
Use of swscanf_s	BADFUNC.SWSCANF_S
Use of tmpfile_s	BADFUNC.TMPFILE_S
Use of tmpnam_s	BADFUNC.TMPNAM_S
Use of vfprintf_s	BADFUNC.VFPRINTF_S
Use of vfscanf_s	BADFUNC.VFSCANF_S
Use of vfwprintf_s	BADFUNC.VFWPRINTF_S
Use of vfwscanf_s	BADFUNC.VFWSCANF_S
Use of vprintf_s	BADFUNC.VPRINTF_S
Use of vscanf_s	BADFUNC.VSCANF_S
Use of vsnprintf_s	BADFUNC.VSNPRINTF_S
Use of vsnwprintf_s	BADFUNC.VSNWPRINTF_S
Use of vsprintf_s	BADFUNC.VSPRINTF_S
Use of vsscanf_s	BADFUNC.VSSCANF_S
Use of vswprintf_s	BADFUNC.VSWPRINTF_S
Use of vswscanf_s	BADFUNC.VSWSCANF_S
Use of vwprintf_s	BADFUNC.VWPRINTF_S
Use of vwscanf_s	BADFUNC.VWSCANF_S
Use of wcrtomb_s	BADFUNC.WCRTOMB_S
Use of wcscat_s	BADFUNC.WCSCAT_S
Use of wcscpy_s	BADFUNC.WCSCPY_S
Use of wcsncat_s	BADFUNC.WCSNCAT_S
Use of wcsncpy_s	BADFUNC.WCSNCPY_S
Use of wcsnlen_s	BADFUNC.WCSNLEN_S
Use of wcsrtombs_s	BADFUNC.WCSRTOMBS_S
Use of wcstok_s	BADFUNC.WCSTOK_S
Use of wcstombs_s	BADFUNC.WCSTOMBS_S
Use of wctomb_s	BADFUNC.WCTOMB_S
Use of wmemcpy_s	BADFUNC.WMEMCPY_S
Use of wmemmove_s	BADFUNC.WMEMMOVE_S
Use of wprintf_s	BADFUNC.WPRINTF_S
Use of wscanf_s	BADFUNC.WSCANF_S

New C# Warning Classes

There are a number of new Roslyn-detected warning classes.

New Warning Class	Mnemonic
'ThreadStatic' only affects static fields (C#)	ROSLYN.USAGE.CA2259
Improper 'ThreadStatic' field initialization (C#)	ROSLYN.RELIABILITY.CA2019
Insecure XSLT script processing (C#)	ROSLYN.SECURITY.CA3076
Possible multiple enumerations of 'IEnumerable' collection (C#)	ROSLYN.PERFORMANCE.CA1851
Prefer 'Clear' over 'Fill' (C#)	ROSLYN.PERFORMANCE.CA1855
Prefer static 'HashData' method over 'ComputeHash' (C#)	ROSLYN.PERFORMANCE.CA1850
Prefer the 'IDictionary.TryGetValue(TKey, out TValue)' method (C#)	ROSLYN.PERFORMANCE.CA1854
Prevent from behavioral change (C#)	ROSLYN.RELIABILITY.CA2020
Property, type, or attribute requires runtime marshalling (C#)	ROSLYN.INTEROPERABILITY.CA1420
Seal internal types (C#)	ROSLYN.PERFORMANCE.CA1852
Specify a culture or use an invariant version (C#)	ROSLYN.GLOBALIZATION.CA1311
This method uses runtime marshalling even when the 'DisableRuntimeMarshallingAttribute' is applied (C#)	ROSLYN.INTEROPERABILITY.CA1421
Unnecessary call to 'Dictionary.ContainsKey(key)' (C#)	ROSLYN.PERFORMANCE.CA1853
Use correct type parameter (C#)	ROSLYN.USAGE.CA2260
Validate platform compatibility - obsoleted APIs (C#)	ROSLYN.INTEROPERABILITY.CA1422

Deleted C# Warning Class

The "Insecure XSLT script processing. (C#)" class has been deleted and replaced by Insecure XSLT script processing (C#).

Configuration Parameters

There are several new configuration parameters, and one modified parameter.

New Configuration Parameters

New Parameter	Purpose
MOVED_FROM_UV_CHECK_ENABLED	Specifies whether objects left in moved-from state by a move constructor or move assignment should be considered uninitialized when performing checks for Uninitialized Variable.
MOVED_FROM_UV_WHITELIST	Specifies exceptions to the Uninitialized Variable checks on moved-from objects (when enabled). In particular, specifies classes whose objects will not be treated as uninitialized after they have been moved from.
OVERRIDE_COMPILER_CONF	Specifies whether or not compiler models will override type kinds specified in the compiler-specific configuration file with information obtained by invoking the native compiler.
PRJ_FILES_SIZE_PREDICTION_LINEAR_MODEL_INTERCEPT PRJ_FILES_SIZE_PREDICTION_LINEAR_MODEL_SLOPE	For remote-managed analyses, specify the parameters in the linear model used to estimate the disk requirements for the analysis directory.
READ_PAST_NTERM_CONSERVATIVE_CHECK	Specifies that Read Past Null Terminator warnings should only be issued when comparing arrays having "essentially char type".
REMOTE_ANALYSIS_LAUNCHD	Specifies that the CodeSonar analysis phase should be remotely managed, using the specified launch daemon.
REMOTE_DAEMON_LAUNCHD	Specifies that the CodeSonar analysis should be remotely managed after it transitions to daemon mode, using the specified launch daemon.

Modified Configuration Parameter

Parameter INVOKE_COMPILER_FIRST is now available on all systems (previously Windows-only).

User-Assigned Analysis Properties

You can now associate arbitrary user-assigned properties(as key-value pairs) with each analysis.

Use the new -property option to specify a user-assigned property at build/analysis time.
There are several additions to the CodeSonar Web GUI.
- The Analysis page now includes a Properties section where you can view and edit (add/delete/modify) the user-assigned properties.
- Each user-assigned property associated with at least one analysis on the hub is now available as a table column in the following GUI pages.
The analysis search language and project search language now include property-condition terms.

Metrics

There are some adjustments to the set of metrics computed by CodeSonar.

New Metrics

Metric Description	Metric Tag
Comment Density	COMF
Nesting Level	STMIF
Number of Comment Blocks	NCOMM
Number of Statements in Function (Variant 1)	STST1
Number of Statements in Function (Variant 2)	STST2
Number of Statements in Function (Variant 3)	STST3
Statement Path Count	STPTH
Static Path Count	NPATH

Modified Metrics

Metric Class Change	Notes
The metric class with description "Number of Function Calls" now has tag CALLS.	Previously tag was STSUB.
The metric class with tag CALLING now has description "Number of Calling Functions", and computes the number of distinct callers of a function.	Previously description was "Number of Called Functions", and the metric class had corresponding semantics.

API Changes

There are a small number of changes to the CodeSonar Plug-In API.

Change	API Implementation
Change	C++	Python	C
New point kind preexit.	point_kind::PREEXIT	point_kind.PREEXIT	cs_vertex_kind_preexit added to enum cs_vertex_kind
New point kind preexit.	procedure::prexit_point()	procedure.preexit_point()	cs_pdg_preexit_vertex()
Metric class "allowed" check.	compunit_metricclass::allowed()	compunit_metricclass.allowed()	csonar_metricclass_allowed()
	procedure_metricclass::allowed()	procedure_metricclass.allowed()
	project_metricclass::allowed()	project_metricclass.allowed()
	sfile_metricclass::allowed()	sfile_metricclass.allowed()
Metric class "always discarded" check.	compunit_metricclass::always_discarded()	compunit_metricclass.always_discarded()	csonar_metricclass_always_discarded()
	procedure_metricclass::always_discarded()	procedure_metricclass.always_discarded()
	project_metricclass::always_discarded()	project_metricclass.always_discarded()
	sfile_metricclass::always_discarded()	sfile_metricclass.always_discarded()

AST Changes

There are three new unnormalized C/C++ AST classes:

There is one modified unnormalized C/C++ AST class.

cc:variable : new attributes :declared-type, :variable-decls

There are also several changes to the available helper enumerations.

Helper enumeration flt_kind has new members float16, stdfloat16, stdfloat32, stdfloat64, float80, float128, stdfloat128.
Helper enumeration attribute_kind has new members attribute_saddr, attribute_unavailable, attribute_using_if_exists.

EDG Upgrade

CodeSonar now uses EDG version 6.4, released October 25, 2022.

There are new front-end options available:

--cs_case_range: Enable GNU case ranges.
--cs_ms_asm: Enable Microsoft-style ASM syntax.

There is improved support for C++20, and some support for C++23.

Customer Tickets Fixed

NUMBER	NAME	NOTES
CSO-1195, ZD-25046	MISRA FP (Rule 8.5, C++ 3-2-..., not in AST): Missing External Declaration with simple cases	fixed
CSO-2089, ZD-27192	Parse errors using QNX qcc compiler	fixed
CSO-2171, ZD-27291	Incorrect sample code in documentation	fixed
CSO-2172, ZD-27293	Regressions in MISRA rule 7.2 -- Different behaviour in 5.3 vs 7.0	fixed
CSO-2180, ZD-27292, ZD-27338	False positives in our documentation example	fixed
CSO-2197, ZD-27306	GPP compiler model having issues with precompiled header	fixed
CSO-2294, ZD-27462	Documentation update: IGNORED_COMPILATIONS parameter needs an example for Windows directory name that has spaces	Documentation updated.
CSO-2312, ZD-27515	Visual Studio Code IDE plugin issue	fixed
CSO-2313, ZD-27531	[Documentation update] dump_warnings.py page, example 3, should only use warning filter names and not IDs	Documentation updated.
CSO-2315, ZD-27488	CodeSonar problem with icch8	fixed
CSO-2430, ZD-27449	Compiler model update for _Float16	fixed
CSO-2450	Link to allwarnings.xml docs from appropriate locations	fixed; multiple links added to manual.
CSO-2489, ZD-27599	dump_warnings.py does not show column specified when the option --gained-since-previous-analysis is used	fixed
CSO-2527, ZD-27554	parse errors in system headers with mingw g++	fixed
CSO-2542, ZD-27280	CodeSonar manual update needed for the 'relocate' command	Documentation updated.
CSO-2550, ZD-27719	Keil armcc missing definition for __promise keyword	fixed
CSO-2555, ZD-27730	add Warning Class "Weak Cryptographic Value (C#) " to OWASP 2021 preset and the manuals	fixed; Documentation updated.
CSO-2556, ZD-27735	parse errors for cl2000.exe compiler but of the use of case ranges, GNU extension	fixed
CSO-2558, ZD-27743	"An unexpected error has occurred." when trying to export a 7.2 custom report	fixed
CSO-2568, ZD-27686	"Too Many Parse Errors" because of arm_neon.h version, compiler arm-elina-linux-gnueabi-g++	fixed
CSO-2608, ZD-27759	Built-in functions for NIOS II need to be included in compiler model	fixed
CSO-2621, ZD-27872	FP: Missing External Declaration	fixed

Note. This page contains references to HTTP API documentation, which is served directly by the hub and cannot be accessed via a file:// URL. For active HTTP API documentation links, start a hub (if one is not already running), then open the manual from the hub.