CodeSonar Release 7.4p0 Release Notes

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

Release Notes

CodeSonar Release 7.4, patchlevel 0: Release Notes

Notes on Upgrading
What's New
Customer Tickets Fixed

Notes on Upgrading

The minimum CodeSonar version for direct upgrade to CodeSonar 7.4 or later is 5.4p0. If you have a hub that is running CodeSonar 5.3p0 or earlier, contact CodeSecure support for assistance in upgrading.

If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.

See Upgrading Configuration Files for instructions.
For some configuration files, the procedure includes steps that must be carried out before CodeSonar is upgraded.
If you are upgrading a CodeSonar installation that will be used by someone else:
- Determine the most appropriate person to upgrade the general template and compiler template configuration files.
  This will depend on local factors such as who usually makes changes to these files.

What's New

Warning Classes	There are several new warning classes for C/C++, Java, and C#. Functionality for existing C/C++ warning classes Inconsistent Function Declarations and Inconsistent Object Declarations has been extended.
JSF++	There is a new warning category kind: JSF++. JSF++ categories correspond to guidelines in the Joint Strike Fighter Air Vehicle C++ Coding Standards.
Configuration Tool	[CodeSonar SaaS only] When you select main menu item 1 "Install, connect to existing hub", and specify a SaaS hub to connect to, the configuration questions now include one about whether you would like to default to performing analyses using the SaaS cloud instead of your own resources. Previously, the configuration tool always behaved as if the answer to this question was "No".
New codesonar analyze option	One new option. -srcroot path/to/basedir: when warning information from this analysis is exported in SARIF format, source file paths will be expressed relative to path/to/basedir.
GUI Changes	Two changes: Warning Search Results pages can now always be exported in SARIF format (previously, SARIF export was only available if the search scope was a single analysis). The Authentication Services page has a new Auth User field in the form for configuring a service. The Edit Authentication Service page has a new Auth User field in the form for modifying a service configuration.
Authentication Services Configuration	When you configure a hub to use a third-party authentication service, an authorizing user must now be specified. The authentication service will only be able to perform hub operations that the authorizing user has permission to perform. If you are upgrading a hub that is already configured to use one or more third-party authentication services, the authorizing user for these services will be set to Administrator. In general, we recommend setting the Authorizing User as follows. CodeSonar SaaS: the user account that is configuring the authentication service. otherwise: special user Administrator
CWE	This version of CodeSonar uses CWE v4.11, released April 27, 2023.
codesonar dump_warnings.py	There are several changes to the behavior of the codesonar dump_warnings.py subcommand.
Configuration Presets	New presets misra2012-0, misra2012-1, misra2012-2, misra2012-3, misra2012-4 each enable the warning classes that are mapped to a rule in the indicated edition of MISRA C:2012. New presets jsf++ and jsf++_inc enable warning classes that are mapped to guidelines in the Joint Strike Fighter Air Vehicle C++ Coding Standards.
Configuration Parameters	New configuration parameter SRCROOT_PATHS: specifies base directories for the CodeSonar SARIF generator to use when relativizing file paths.
MISRA C:2012 Editions	CodeSonar now separately tracks the various editions of MISRA C:2012.
HTTP API	HTTP endpoints that produce SARIF listings now have a new optional parameter: "detail".
SARIF Export	SARIF export functionality has been extended. SARIF export is now available for arbitrary sets of warnings (previously, it was only available for warnings from a single analysis. You can now specify a detail level for SARIF exported through codesonar dump_warnings.py or the HTTP API.
AST Changes	There is one modified normalized C/C++ AST class, and five modified unnormalized C/C++ AST classes. There is also a new helper enumeration.
Performance Improvements	CodeSonar will generally run faster than previously in environments where ulimit -n is above 10000.
Custom Authenticator API	There are several changes. The return value for get_user_from_request() no longer has a return_state field. The conf_data argument to sso_redirect() must be included as a POST field named RelayState in the IdP response to the hub.
RBAC Changes	There are some changes to the RBAC permission requirements for third-party authentication services. Accessing the Authentication Services page now requires G_MANAGE_USERS permission (previously G_ADMINISTER_USERS). Accessing the Edit Authentication Service page now requires user control over the current template user (if any) as well as over the user currently specified for the new authorizing user property. Adding or modifying an authentication service now requires user control over the template user (if any) as well as over the user specified for the new authorizing user property. (In addition, the authorizing user must have user control over the template user).
C# Build/Analysis Note	The -msbuild-solution option is suitable for use with Visual Studio 2017 and later only. It cannot be used with the CodeSonar Plug-in for Visual Studio (regardless of version).
TLS Root Certificates	The TLS root certificates have been updated.
Database Upgrade	CodeSonar now uses PostgreSQL 15.
Linux Support	glibc versions before 2.11.3 are no longer supported.
Jira Server Note	Atlassian is retiring its Jira Server offering. The CodeSonar integration for Jira Server will thus no longer be available. This does not affect Jira Cloud.
Deprecation Notices	CodeSonar warning class mappings to the "Build Security In" (BSI) taxonomy are deprecated as of this release. Mappings to BSI:* categories will be removed in the next release.

Warning Classes

There are several new warning classes for C/C++, Java, and C#.

Functionality for two existing C/C++ warning classes has been extended:

Inconsistent Function Declarations warnings are now also issued if a function has multiple declarations with different parameter names (including any names in the function return type, if that return type is a function pointer). In addition, warnings will now be issued if there are multiple inconsistent declarations in the same compilation unit (previously only issued if there were inconsistent declarations across different compilation units).
Inconsistent Object Declarations warnings can now be issued if there are multiple inconsistent declarations in the same compilation unit (previously only issued if there were inconsistent declarations across different compilation units). They are also now issued if any function pointer in the declaration is declared with different parameter names.

	New Warning Classes	Mnemonic
C/C++
	File Open for Both Read and Write	IO.BRAW
	High Cyclomatic Complexity	LANG.METRIC.VG_P
	Inappropriate C Atomic Initialization	CONCURRENCY.C_ATOMIC.INIT
Java
	Clone Call to Super is Missing (Java)	JAVA.CLASS.CLONE.CCSM
	Comparison to Class Names (Java)	JAVA.COMPARE.EQUALS.CN
	Cross Site Scripting In Error Message Web Page (Java)	JAVA.IO.INJ.XSS.EMWP
	Direct Thread Usage in Http Servlet (Java)	JAVA.INSEC.HTTP.DTU
	Execution After Redirect (Java)	JAVA.INSEC.EAR
	Explicit Finalize (Java)	JAVA.FUNCS.EF
	Format String Injection (Java)	JAVA.IO.INJ.FMT
	Hardcoded Cryptographic Key (Java)	JAVA.HARDCODED.KEY
	Missing Required Cryptographic Step (Java)	JAVA.CRYPTO.MRCS
	Mutable Public Static Final Array (Java)	JAVA.TYPE.MPSFA
	Open Redirect (Java)	JAVA.IO.TAINT.HTTP.OR
	Tainted Allocation Size (Java)	JAVA.IO.TAINT.SIZE
	Unsafe Session Expiration Time (Java)	JAVA.INSEC.USET
	Use of Same Seed (Java)	JAVA.INSEC.SS
C#
	Comparison to Class Names (C#)	CSHARP.COMPARE.EQUALS.CN
	Cross Site Scripting In Error Message Web Page (C#)	CSHARP.IO.INJ.XSS
	Execution After Redirect (C#)	CSHARP.INSEC.EAR
	Format String Injection (C#)	CSHARP.IO.INJ.FMT
	Hardcoded Cryptographic Key (C#)	CSHARP.HARDCODED.KEY
	Missing Required Cryptographic Step (C#)	CSHARP.CRYPTO.MRCS
	Mutable Public Static Final Array (C#)	CSHARP.TYPE.MPSFA
	Open Redirect (C#)	CSHARP.IO.TAINT.HTTP.OR
	Tainted Allocation Size (C#)	CSHARP.IO.TAINT.SIZE
	Unsafe Session Expiration Time (C#)	CSHARP.INSEC.USET
	Use of Same Seed (C#)	CSHARP.INSEC.SS

New Warning Category Kind: JSF++

CodeSonar now provides mappings for the Joint Strike Fighter Air Vehicle C++ Coding Standards.

Relevant JSF++ mappings for each warning class are displayed in the following locations.

Manual pages about JSF++ mappings: close mapping, broad mapping.
CSV files:
- close mapping: JSF++-mapping.csv
- broad mapping: JSF++-mapping-broad.csv
The manual pages for individual warning classes that are closely mapped to one or more JSF++ guidelines.
Warning reports for warnings whose warning class is closely mapped to one or more JSF++ guidelines.

There are two new related presets :

The new jsf++ preset enables all warning classes that are closely mapped to one or more JSF++ guidelines
The new jsf++_inc preset enables all warning classes that are closely mapped to one or more JSF++ guidelines and are supported in incremental analysis.

MISRA C:2012 Editions

CodeSonar now separately tracks the various editions of MISRA C:2012.

The tables describing the close and broad mappings for MISRA C:2012 now include a column describing the applicable editions for each rule.
The corresponding CSV files Misra2012-mapping.csv and Misra2012-mapping-broad.csv also contain this new column.
New presets misra2012-0, misra2012-1, misra2012-2, misra2012-3, misra2012-4 each enable the warning classes that are mapped to a rule in the indicated edition of MISRA C:2012.
Existing preset misra2012 now enables warning classes that are mapped to a rule in the latest edition of MISRA C:2012. For this version of CodeSonar, the latest edition is [4] MISRA C:2012 Amendment 4 Updates for ISO/IEC 9899:2011/2018 Phase 3 — Multi-threading and atomics.
Existing presets misra2012_inc, misra, misra_inc are similarly now defined with respect to the latest version of MISRA C:2012.

More-detailed version tracking for MISRA C:2012 will be added in a future version.
Edition tracking for other category kinds may be added in a future version.

SARIF Export

SARIF export functionality has been extended.

SARIF export is now available for arbitrary sets of warnings (previously, it was only available for warnings from a single analysis.
- Warning Search Results pages can now always be exported in SARIF format.
- codesonar dump_warnings.py no longer restricts use of the --sarif option to single-analysis contexts.
You can now specify a detail level for SARIF exported through codesonar dump_warnings.py or the HTTP API.

codesonar dump_warnings.py

There are several changes to the behavior of the codesonar dump_warnings.py subcommand.

New option --sarif-detail allows you to specify whether you want to omit the relatedLocations and codeFlows field for faster SARIF output.
The --sarif option can now be used for any set of warnings (previously, it could only be used for warnings from exactly one analysis).
- --sarif can now be used in combination with --search.
- --sarif can now be used in combination with --gained-since-previous-analysis and --lost-since-previous-analysis.

The following option combinations will now cause the command to fail with an error.

Combination Now Causes Failure	Previous Behavior
--format and --show-column	--format was ignored.
--format and any of the output type options {--csv, --json, --sarif}	--format was ignored.
more than one of {--csv, --json, --sarif}	Failure only if --sarif was specified in combination with another output type, otherwise --csv was used.
--sarif and --sort	--sort was ignored.
--sarif and --show-column	--show-column was ignored.
--src-root when --sarif not specified	--src-root was ignored.

HTTP API

HTTP endpoints that produce SARIF listings now have a new optional parameter: "detail".

detail=brief : produce SARIF output that omits the relatedLocations and codeFlows fields. This will generally be faster than the default setting.
detail=default : produce SARIF output that includes these fields.

The affected endpoints are:

/analysis/analysis_id.sarif
/search.sarif
/warninginstance/warninginstance_id.sarif
/analysis/analysis_id-allwarnings.sarif (deprecated in favor of /search.sarif)
/warning_detail_search.sarif (deprecated in favor of /analysis/analysis_id.sarif)

AST Changes

There is one modified normalized C/C++ AST class.

c:= : new attribute :atomic-kind.

There are five modified unnormalized AST classes.

cc:abstract-decl : new attribute :in-file-scope; field :declared-storage-class is now a child (previously an attribute).
cc:param-type : new attribute :name.
cc:routine-type : new attribute :storage-class.
cc:routine : attribute listing the declarations associated with a definition is now labeled :decls (previously :routine-decls).
cc:variable : attribute listing the declarations associated with a definition is now labeled :decls (previously :variable-decls).

There is also a new helper enumeration: atomic_kind.

Customer Tickets Fixed

NUMBER	NAME	NOTES
CSO-2273, ZD-27442	Document how to reassign hub service to another user	Documentation added.
CSO-2305	FP: Conversion: Pointer to Incomplete	fixed
CSO-2430, ZD-27449	Compiler model update for _Float16	fixed
CSO-2433, ZD-27545	CodeSonar, need to add more information to log output for message: Cannot open file for build output	fixed
CSO-2437	Mistake in the Qlik integration manual	Documentation updated.
CSO-2508, ZD-27585	Update SARIF to include "Significance" and "Warning ID" information	fixed
CSO-2510, ZD-27641	"Default Role for Saved Resources" dropdown doesnt offer a newly created, user attached role, as a choice	fixed
CSO-2550, ZD-27719	Keil armcc missing definition for __promise keyword	fixed
CSO-2568, ZD-27686	getting "Too Many Parse Errors" because of arm_neon.h version, compiler arm-elina-linux-gnueabi-g++	fixed
CSO-2603, ZD-27755	FN - Buffer Overrun related to std::vector::operator[]	fixed
CSO-2617, ZD-27702	Manual update: provide more information on how the -msbuild option operates	Documentation updated.
CSO-2637, ZD-27740	FE crash	fixed
CSO-2640, ZD-27819	Binary analysis not finding entry point	fixed
CSO-2649, ZD-27907	parse error related to iccarm use of short enums	fixed
CSO-2669, ZD-27961	issues when compiling with IAR 9.32.1, and using the vprintf function	fixed
CSO-2675, ZD-27986	IAR 9.32.1 and conditional detection of linkage	fixed
CSO-2705, ZD-28104	Update manual documentation for BackupRestoreDBTLS.htm	Documentation updated.
CSO-2828, ZD-28240	Hub Exception if Anonymous does not have G_SIGN_IN	fixed
CSO-2868, ZD-28277	Pylint errors in Python analysis	fixed
CSO-2882, ZD-28319	Error when using '-remote-archive' option when you did not use '-launchd-home' with your 'install-launchd' command	fixed
CSO-2892, ZD-28347	ccppc.exe - Parse error: static_assert(sizeof(size_t) == 8, "This code is for 64-bit size_t.");	fixed
CSO-2895, ZD-28174	Recover hub after a failed upgrade	fixed
CSO-2902, ZD-28317	Setting up remote-managed/remote-requested launchd groups when running concurrent analyses	There is a new manual page: Task: Set Up and Perform a Remote-Managed Analysis.
CSO-2956, ZD-28455	SaaS hub - customer able to escalate privileges because of SSO configuration	fixed
CSO-2961, ZD-28465	dump_warnings.py with option "--gained-since-previous-analysis" returns CS_INTERNAL_ERROR_CONNECTION_FAILED, 0	fixed
CSO-2962	The description of CodeSonar for Libraries is out of date	fixed; documentation updated.
CSO-2983, ZD-28499	Typo in Okta Setup Documentation	fixed

Note. This page contains references to HTTP API documentation, which is served directly by the hub and cannot be accessed via a file:// URL. For active HTTP API documentation links, start a hub (if one is not already running), then open the manual from the hub.