CodeSonar Release 8.0, patchlevel 0: Release Notes



Notes on Upgrading

The minimum CodeSonar version for direct upgrade to CodeSonar 7.0 or later is 4.1p0. If you have a hub that is running CodeSonar 4.0p2 or earlier, contact CodeSecure support for assistance in upgrading.

CodeSonar is now a product of CodeSecure, Inc. There are several consequences for upgrading from CodeSonar 7.4 or earlier.

If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.

If you have previously installed the CodeSonar plug-in for Visual Studio or CodeSonar plug-in for Eclipse, upgrade those installations after upgrading CodeSonar.

What's New

CodeSecure: CodeSonar is now a product of CodeSecure, Inc.
In some cases this may mean that you need to take additional steps when upgrading: see the notes on upgrading above for details.

Warning Classes:

There are several new C/C++ warning classes.
The mnemonic for existing warning class Use of C Generic is now LANG.STRUCT.CGEN (previously LANG.STRUCT.C_GENERIC).
The warning class previously named "Inappropriate Argument Type" is now named Inappropriate Argument to memcmp and its mnemonic is now LANG.TYPE.IARGT.MEMCMP (previously LANG.TYPE.IARGT).

GUI: There is a new User Sessions page type, and there are several changes to the Settings and Account Editor page types.
Sessions: A single hub user account can now have multiple simultaneous associated sessions. For more information, see User Sessions and Anonymous Sessions.
Bearer Token Authentication: Authenticated codesonar subcommands and HTTP API operations can now be authenticated with respect to a session by presenting that session's bearer token. The expected use case is for automated operations that are noninteractive or unattended, such as continuous integration or nightly scripts. For more information, see User Sessions and Anonymous Sessions: Bearer Authentication.
Kubernetes deployment: We now provide Helm charts and templates for deploying CodeSonar on a Kubernetes cluster.
codesonar generate_hubpwfile.py: This is a new codesonar subcommand for interactively generating a password file. The password file can then be supplied with the -hubpwfile option to any codesonar subcommands that require hub authentication. For full details see codesonar generate_hubpwfile.py: Interactively Generate a Hub Password File.
Configuration Parameters: A configuration parameter has been renamed: MAX_CONCURRENT_BUILD_PROCESSES (previously MAX_CONCURRENT_PARSE_PROCESSES).
Plug-in for Eclipse: The plug-in ID is now com.codesonar.eclipse (previously com.grammatech.codesonar).
If you are upgrading CodeSonar:
  • Uninstall and reinstall the CodeSonar plug-in for Eclipse after upgrading CodeSonar.
  • If you are monitoring changes to your Eclipse .project files (for example, because they are kept in source control), you will observe the "builders" and "natures" settings changing to use the new plug-in ID.
CodeSonar 8.0p0 supports Eclipse versions 4.19 (2021-03) through 4.29 (2023-09), official/supported releases only.
Plug-in for Visual Studio: The behavior of the installer has changed slightly. You will now see up to three installer dialogs, depending on the versions of Visual Studio you have installed: a separate dialog for each of the following.
  • Visual Studio 2015
  • Visual Studio 2017 and Visual Studio 2019
  • Visual Studio 2022
If you are upgrading CodeSonar:
New Compiler Model: There is one new compiler model: mwccarm, for the Freescale CodeWarrior for Embedded ARM compiler.
Terminology Change: The three intervals involved in a CodeSonar build and analysis are now referred to as build (B), analyze (A), and daemon mode (D). (Previously parse (P), analyze (A), and daemon mode (D).)
  • Text in the CodeSonar product and documentation has been updated to reflect this change.
  • The Parse Log and Parse Details Log have not been renamed.
CWE: This version of CodeSonar uses CWE v4.12, released June 29, 2023.
Jira Server Integration: Support for the CodeSonar integration for Jira Server has been restored.
API Changes: There are several changes to the CodeSonar Plug-in API.
HTML5 Visualization Tool: The HTML5 Visualization Tool visualization feature has been removed. The 'graphical (lite)' visualization provided by the Explore Callers GUI page type is still available.
Release Status: For full information about release status for all current and past CodeSonar versions, see the Supported Product Versions page on the CodeSecure support site.

Details

Warning Classes

There are several new C/C++ warning classes and several modified C/C++ warning classes.

New C/C++ Warning Classes

New Warning Class | Mnemonic
Bit-field in Union | LANG.TYPE.BFUNION
Direct Access to Field of C Atomic Object | CONCURRENCY.C_ATOMIC.DAF
Excessive Macro Parameter Evaluation in C Generic | LANG.STRUCT.CGEN.EMPE
Implicit Pointer Type Conversion in Selection of C Generic | LANG.TYPE.CGEN.IMPTC
Inappropriate Argument to <tgmath.h> Macro | LANG.TYPE.IARGT.TGMATH
Inappropriate Argument to Integer Constant Macro | LANG.PREPROC.ICONST
Inappropriate Association Type in C Generic | LANG.TYPE.CGEN.IAT
Inappropriate Selection Type in C Generic | LANG.TYPE.CGEN.IST
Inconsistent Macro Parameter Evaluation in C Generic | LANG.STRUCT.CGEN.IMPE
Inconsistent Types of Arguments to <tgmath.h> Macro | MATH.TYPE.TGMATH.ITA
Misplaced Default Association in C Generic | LANG.STRUCT.CGEN.MPD
Missing Non-default Association in C Generic | LANG.STRUCT.CGEN.MND
Pointer to Variably-modified Array Type | LANG.TYPE.VMAT
Selection in C Generic not Expanded from Macro Parameters | LANG.STRUCT.CGEN.NOTMACRO
Side Effects in C Generic Selection | LANG.STRUCT.SE.CGEN
Use of <stdint.h> Small Integer Constant Macro | BADMACRO.STDINT_H_ICONST
Void C Atomic | CONCURRENCY.C_ATOMIC.VOID

Modified C/C++ Warning Classes

Modified Warning Class | Changes
Inappropriate Argument to memcmp | New name (previously "Inappropriate Argument Type") and new mnemonic LANG.TYPE.IARGT.MEMCMP (previously LANG.TYPE.IARGT).
Use of C Generic | New mnemonic LANG.STRUCT.CGEN (previously LANG.STRUCT.C_GENERIC).
Essential Type Diagnostic; Inappropriate Assignment Type; Inappropriate Cast Type; Inappropriate Cast Type: Expression; Inappropriate Operand Type; Mismatched Operand Types | Checkers for C/C++ warning classes that make use of the MISRA C:2012 concept of essential type category now account for the essential type model extensions and corresponding rule refinements in MISRA C:2012 – Addendum 3.
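
The identifiers renamed in this release (two warning class mnemonics and the MAX_CONCURRENT_BUILD_PROCESSES parameter) do not survive a plain search-and-replace, because the old mnemonic LANG.TYPE.IARGT is a prefix of the new LANG.TYPE.IARGT.MEMCMP and LANG.TYPE.IARGT.TGMATH. The following is an added example, not CodeSonar or CodeSecure code: a whole-token audit and rewrite for your own scripts and files. The function names and the sample file syntax are assumptions made for illustration.

```python
import re

# Renames listed in these release notes: old identifier -> new identifier.
RENAMES = {
    "LANG.STRUCT.C_GENERIC": "LANG.STRUCT.CGEN",
    "LANG.TYPE.IARGT": "LANG.TYPE.IARGT.MEMCMP",
    "MAX_CONCURRENT_PARSE_PROCESSES": "MAX_CONCURRENT_BUILD_PROCESSES",
}


def _whole_token(name):
    # Match `name` only as a complete dotted identifier. A substring search
    # for LANG.TYPE.IARGT would also hit the new LANG.TYPE.IARGT.MEMCMP and
    # LANG.TYPE.IARGT.TGMATH mnemonics; a trailing sentence period is allowed.
    return r"(?<![\w.])" + re.escape(name) + r"(?!\w|\.\w)"


_PATTERN = re.compile("|".join(_whole_token(n) for n in RENAMES))


def find_stale(text):
    """Return (line_number, old_name, new_name) for each stale reference."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _PATTERN.finditer(line):
            hits.append((lineno, m.group(0), RENAMES[m.group(0)]))
    return hits


def migrate(text):
    """Rewrite stale names; running it again changes nothing further."""
    return _PATTERN.sub(lambda m: RENAMES[m.group(0)], text)


# Constructed sample. The line syntax is illustrative only, not CodeSonar's.
SAMPLE = """\
# limit parallelism on the build host
MAX_CONCURRENT_PARSE_PROCESSES = 4
suppress LANG.STRUCT.C_GENERIC
report LANG.TYPE.IARGT, LANG.TYPE.IARGT.TGMATH
see LANG.TYPE.IARGT.
"""

if __name__ == "__main__":
    for lineno, old, new in find_stale(SAMPLE):
        print(f"line {lineno}: {old} -> {new}")
    print(migrate(SAMPLE), end="")
```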

GUI

There are several changes to the CodeSonar web GUI to reflect the extended session functionality introduced in this release:

New page type: User Sessions

The new User Sessions page type shows the current sessions for a hub user, and provides functionality for creating and deleting sessions.

Modified page types: Settings, Account Editor

These page types have new session-related functionality, as follows.

Settings: Two changes on the Account tab:
  • The Change Password section now includes a "Sign out sessions?" field. Select Yes to delete your user sessions when you click Update to change your password; No to keep your existing user sessions. The GUI session you are using to perform the password change is treated as a special case and is not deleted even if you select Yes.
  • The tab now includes a link to the User Sessions page for the currently-authorized user.
Account Editor: Two changes on the Account Settings tab:
  • The Change Password section now includes a "Sign out sessions?" field. Select Yes to delete all sessions for the user when you click Update to change their password; No to keep their existing sessions. If you are changing your own password, the GUI session you are using to perform the change is treated as a special case and is not deleted even if you select Yes.
  • The tab now includes a link to the user's User Sessions page.

Customer Tickets Fixed

NUMBER | NAME | NOTES
BZ-64057 | Launchd protocol version not always set, resulting in bad rpc requests | fixed
CSO-2117 | Add manual task for setting up and performing a remote analysis | see Task: Set Up and Perform a Remote-Managed Analysis
CSO-2266 | [vscode] Code markers (Funky flags) not working | fixed
ZD-27603, ZD-28014, ZD-28043, ZD-18407, ZD-28701, CSO-2547 | Analysis performance issue | fixed
ZD-28226, CSO-2819 | Parse errors mostly related to va_list | fixed
ZD-28369, CSO-2953 | Enumeration value is out of "int" range | fixed
ZD-28381, CSO-2918 | Create 16-bit conf file for cl6x compiler model | fixed
ZD-28391, CSO-2917 | MISRA analysis takes too long | fixed
ZD-28505, CSO-2981 | CodeSonar performance slowdown from close() on exec | fixed
ZD-28844, CSO-3366 | cl2000 compiler model weaknesses | fixed
ZD-28943, CSO-3375 | TI armcl parse errors | fixed
ZD-29120, CSO-3459 | Update k8s/cso-components/Dockerfile-hub ubuntu version | fixed
ZD-29124, CSO-3470 | Too many parse errors - iccarm compiler | fixed
ZD-29168, CSO-3485 | Unexpected results for project search | Search language documentation extended.
ZD-29189, CSO-3488 | 'Conversion: Pointer to Incomplete' warning when comparing with NULL | fixed
ZD-29231, CSO-3520 | Jenkins plugin sees no warnings | fixed
ZD-29265, CSO-3547 | Problem uploading results to GitLab Ultimate | fixed

Note. This page contains references to HTTP API documentation, which is served directly by the hub and cannot be accessed via a file:// URL. For active HTTP API documentation links, start a hub (if one is not already running), then open the manual from the hub.