CodeSonar Release 8.1, patchlevel 0: Release Notes



Notes on Upgrading

The minimum CodeSonar version for direct upgrade to CodeSonar 7.0 or later is 4.1p0. If you have a hub that is running CodeSonar 4.0p2 or earlier, contact CodeSecure support for assistance in upgrading.

If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.

If you have previously installed the CodeSonar plug-in for Visual Studio or CodeSonar plug-in for Eclipse, upgrade those installations after upgrading CodeSonar.

What's New

Web GUI: There are a number of GUI appearance and layout enhancements, with a focus on clarity.
Warning Classes: There are several new C/C++ warning classes. There are also many new warning classes for Go, Kotlin, JavaScript, Python, Rust, and TypeScript; these warning classes are used when importing third-party analysis results.
New Warning Category Kinds: There are new warning category kinds: MisraC2023, MisraC++2023, DISA-5r3, and several new category kinds for third-party analyzers.
Including Third-Party Analysis Results: There is substantially improved support for integrating third-party analysis results with a CodeSonar project. Analyzer-specific handling and built-in warning classes are provided for the following third-party analyzers: Clippy (Rust), detekt (Kotlin), ESLint (JavaScript, TypeScript), Pylint (Python), Staticcheck (Go). A detekt analyzer binary is shipped with CodeSonar on most platforms.
New Terminology: We introduce the notions of language tier and CodeSonar-facing build.
Importing SARIF Files and Source Files: The command names have changed, and their functionality has been extended.
Metric Description Changes: The description values for several metric classes have changed.
Configuration Changes: There are several new configuration presets and several presets have been modified. There are also two new configuration parameters.
Management Reports: There are three new predefined management report templates: DISA v5r3 Report, MISRA C 2023 Report, and MISRA C++ 2023 Report.
Authentication Plug-Ins: There is a new OpenID Connect (OIDC) authentication plug-in shipped with CodeSonar (it provides OAuth2 SSO authentication).
New GUI Alerts: There are three new GUI alert kinds.
Dockerfiles: We provide Dockerfiles for Linux and Windows. For more information, see Running CodeSonar in Docker.
Warning Processors: Warning processor display scripts now have access to the variable CSHUB_PROCESSORS_HOME, which contains the path to the hub's warning processor installation directory.
API Changes: There are several changes to the CodeSonar Plug-In API.
Release Status: For full information about release status for all current and past CodeSonar versions, see the Supported Product Versions page on the CodeSecure support site.
Durable External Links: External links in the CodeSonar GUI, and in this manual, are now all to URLs of the form https://links.codesonar.com/[...]. Each such link is redirected to the appropriate page.

Details

Warning Classes

There are several new C/C++ warning classes.

There are also a large number of new warning classes corresponding to third party analyzer results.

New C/C++ Warning Classes

New Warning Class                                   Mnemonic
Array to Pointer Conversion on Temporary Object     MISC.MEM.TEMPARR
Explicit Zero Alignment                             LANG.STRUCT.ALIGNAS.EZA
Inappropriate Storage Duration                      CONCURRENCY.C_THREAD.ISD
Inconsistent Alignment Specifications               LANG.STRUCT.ALIGNAS.IAS
Inconsistent Chained Designator Initialization      LANG.STRUCT.INIT.ICDI
Non-void noreturn                                   LANG.STRUCT.NVNR
Too Many Alignment Specifiers                       LANG.STRUCT.ALIGNAS.TMAS
Type Qualifier on Function Type                     LANG.TYPE.TQFT

New warning classes for Go, Kotlin, JavaScript, Python, Rust, and TypeScript

Since its introduction in CodeSonar 5.0, the SARIF importer for CodeSonar has created new warning classes on an as-needed basis when importing SARIF files into a CodeSonar project.

CodeSonar 8.1 extends this by adding a large number of built-in warning classes corresponding to the results available from several third party analyzers.

Language      Third-party analyzer             Mnemonic hierarchy branch   More information (including list of built-in classes)
Go            Staticcheck                      GO.*                        Go Warning Classes Corresponding to Staticcheck Checks
JavaScript    ESLint                           JS.*                        JavaScript Warning Classes Corresponding to ESLint Rules
Kotlin        detekt                           KOTLIN.*                    Kotlin Warning Classes Corresponding to detekt Rules
Python        Pylint                           PYTHON.*                    Python Warning Classes Corresponding to Pylint Messages
Rust          Clippy                           RUST.*                      Rust Warning Classes Corresponding to Clippy Lints
TypeScript    ESLint with typescript-eslint    TS.*                        TypeScript Warning Classes Corresponding to typescript-eslint Rules

New Warning Category Kinds

There are several new warning category kinds:

New MisraC2023 Category Kind: MISRA C:2023 Guidelines

Warning categories with IDs of the form MisraC2023:topic.num or MisraC2023:C.topic.num correspond to rules and directives, respectively, in the MISRA C:2023 Guidelines.

Associated Warning Classes: MisraC2023, MisraC2023 broad
Mapping CSV files: MisraC2023-mapping.csv, MisraC2023-mapping-broad.csv
Relevant Presets: misra, misra_inc, misrac2023, misrac2023_inc
Management Report Template: MISRA C 2023 Report

New MisraC++2023 Category Kind: MISRA C++:2023 Guidelines

Warning categories with IDs of the form MisraC++2023:topic.num.num correspond to rules in the MISRA C++:2023 Guidelines.

Associated Warning Classes: MisraC++2023, MisraC++2023 broad
Mapping CSV files: MisraC++2023-mapping.csv, MisraC++2023-mapping-broad.csv
Relevant Presets: misrac++, misrac++_inc, misrac++2023, misrac++2023_inc
Management Report Template: MISRA C++ 2023 Report

New DISA-5r3 Category Kind: DISA Application Security and Development STIG

Warning categories with IDs of the form DISA-5r3:id.num correspond to findings in the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG), Version 5, release 3 (STIG release date July 26, 2023).

Associated Warning Classes: DISA-5r3, DISA-5r3 broad
Mapping CSV files: DISA-5r3-mapping.csv, DISA-5r3-mapping-broad.csv
Relevant Presets: disa, disa_latest, disa5r3
Management Report Template: DISA v5r3 Report

New category kinds for third-party analyzers

There are several new category kinds corresponding to third-party analyzers. Each new warning class corresponding to third-party analyzer results is assigned one category of one of these kinds. These categories are designed to facilitate mapping from CodeSonar warning classes back to the original analyzer documentation.

Analyzer rule set     Category form                Applicability
Clippy                Clippy:id                    Rust warning classes only
detekt                detekt:setname.rulename      Kotlin warning classes only
ESLint                ESLint:id                    JavaScript warning classes only
Pylint                Pylint:id                    Python warning classes only
Staticcheck           Staticcheck:checkid          Go warning classes only
typescript-eslint     typescript-eslint:id         TypeScript warning classes only

For more information, see Warning Categories: Third party analyzers.

Including Third-Party Analysis Results

There is substantially improved support for integrating third-party analysis results with a CodeSonar project. This includes extended functionality for importing SARIF files, and detailed instructions for working with third-party analyzers.

New Terminology

We introduce the notions of language tier and CodeSonar-facing build.

language tier: In the context of building and analyzing a CodeSonar project, programming languages can be divided into three tiers.
  Tier 1 (C, C++): CodeSonar has a language-specific front end, and produces highly detailed internal representation (IR).
  Tier 2 (Java, C#): CodeSonar has a language-specific front end, and produces less-detailed IR.
  Tier 3 (all other languages): CodeSonar has no language-specific front end, and produces file-level IR only.

For more information, see Building and Analyzing a CodeSonar Project: Language Tiers.

CodeSonar-facing build: This is the variant of your regular build command that you direct CodeSonar to observe in order to build the CodeSonar project. For C and C++ projects, the CodeSonar-facing build is generally the regular project build. For other languages, the CodeSonar-facing build is an extended variant of the regular build that performs any additional steps required to inform CodeSonar of components to be included in the CodeSonar project.
  For more information, see Building and Analyzing a CodeSonar Project: The CodeSonar-Facing Build.

Importing SARIF Files and Source Files

There are a number of changes to the functionality for importing SARIF files and for importing files that cannot be included in the CodeSonar project by other means.

New command names

Functionality: Import SARIF files (and associated tier 3 source files) into the CodeSonar project
  CodeSonar build/analysis observes invocation of: codesonar import_sarif.py
  Previously: cspython $CSONAR/codesonar/py/sarif/sarif_import.pyc

Functionality: Import files that cannot be included in the CodeSonar project by other means
  CodeSonar build/analysis observes invocation of: codesonar add_source_files.py
  Previously: cs-metascan, or cspython $CSONAR/csurf/src/front_ends/cs-import.py

Functionality: Analyze Python code with Pylint, then import the analysis results and source files into the project
  CodeSonar build/analysis observes invocation of: codesonar python_scan.py
  Previously: cspython pylint2cso.py

Command option changes

codesonar import_sarif.py

  New:
    [-analyzer an3p_name]
        Informs CodeSonar that the SARIF was produced by third-party analyzer <an3p_name>.
    [-include-sources file_pat]
    [-exclude-sources file_pat]
        Specify a set of source files to be imported into the CodeSonar project.
    [-path-baseid id dir]
        [Go Staticcheck SARIF only] Informs CodeSonar of the path to the common UriBaseId used in the Staticcheck SARIF. This allows CodeSonar to correctly resolve paths in the SARIF.
    [-staticcheck-list path/to/list]
        [Go Staticcheck SARIF only] Provides a list of the rules used by the staticcheck executable that produced the SARIF file.

codesonar add_source_files.py

  New:
    [-include file_pat]
    [-exclude file_pat]
        Specify an additional set of source files to be imported.
    [-max-bytes num]
        Specifies a maximum size of num bytes for imported files: files larger than this maximum are ignored by the importer.
    [-language lang]
        Specifies that the imported files should be recorded as having source language lang.

codesonar python_scan.py

  New:
    [-include-sources file_pat]
    [-exclude-sources file_pat]
        Specify a set of Python source files (.py) to be analyzed with Pylint and included in the CodeSonar project.
    [@infile]
        Specify a text file containing a list of -include-sources file_pat and -exclude-sources file_pat entries to be added to the codesonar python_scan.py command line.

  Deleted:
    [--inputsfile infile]
        Use @infile instead.
    [--sarif_output outfile]
        CodeSonar now always stores the intermediate SARIF files in a temporary location.
    unflagged input files
        Use -include-sources and -exclude-sources to specify a set of Python source files (.py) directly in the command.

Metric Description Changes

The description values for several metric classes have changed. The tags for these classes have not changed.

Metric Class Tag    New Description                          Previous Description
CALLING             Calling Functions                        Number of Called Functions
CALLS               Function Calls                           Number of Function Calls
GOTO                goto Statements                          Number of goto Statements
NCOMM               Comment Blocks                           Number of Comment Blocks
NPATH               Static Paths                             Static Path Count
PARAM               Formal Parameters                        Number of Formal Parameters
RETURN              return Statements                        Number of Returns
STPTH               Statement Paths                          Statement Path Count
STST1               Statements in Function (Variant 1)       Number of Statements in Function (Variant 1)
STST2               Statements in Function (Variant 2)       Number of Statements in Function (Variant 2)
STST3               Statements in Function (Variant 3)       Number of Statements in Function (Variant 3)

Configuration Changes

There are several new configuration presets and several presets have been modified. There are also two new configuration parameters.

New Presets

Preset              Description
misrac++            For C++ compilation units, enable all non-DIAG.* warning classes associated with MISRA C++:2023 or MISRA C++:2008 rules.
misrac++_inc        For C++ compilation units, enable all non-DIAG.* warning classes that are supported in incremental analysis and associated with MISRA C++:2023 or MISRA C++:2008 rules.
misrac++2023        For C++ compilation units, enable all non-DIAG.* warning classes associated with MISRA C++:2023 rules.
misrac++2023_inc    For C++ compilation units, enable all non-DIAG.* warning classes that are supported in incremental analysis and associated with MISRA C++:2023 rules.
misrac2023          For C compilation units, enable all non-DIAG.* warning classes associated with MISRA C:2023 rules.
misrac2023_inc      For C compilation units, enable all non-DIAG.* warning classes that are supported in incremental analysis and associated with MISRA C:2023 rules.

Modified Presets

Preset              Changes
disa                Now also enables any non-DIAG.* warning class that is associated with a finding in Version 5, Release 3 of the DISA Application Security and Development STIG.
disa_latest         The most recent version of the DISA Application Security and Development STIG for which CodeSonar has mappings is now Version 5, Release 3.
misra               Now also enables any non-DIAG.* warning class that is associated with a MISRA C:2023 rule.
misra_inc           Now also enables any non-DIAG.* warning class that is supported in incremental analysis and associated with a MISRA C:2023 rule.

New configuration parameters

There are two new configuration parameters:

MAX_SOCKET_LISTEN_BACKLOG: Specifies the size limit for a socket's listen queue.
VIRTUAL_COMPILER_PROXY: Specifies whether or not CodeSonar on Windows should virtually proxy compiler executables in order to detect compiler executions.

New GUI Alerts

There are three new GUI alert kinds.

API Changes

There are several changes to the CodeSonar Plug-in API.

API: Projects

There are several new operators and methods that operate on projects.

C++ (class project)     Python (class project)
operator==              project.__eq__()
operator!=              project.__ne__()
operator<=              project.__le__()
operator<               project.__lt__()
operator>=              project.__ge__()
operator>               project.__gt__()
project::cmp()          project.__cmp__()
project::hash()         project.__hash__()

API: Language changes

The internal representation now has many more available values for describing source and machine languages. In addition, some of the previously-existing values have changed: if you have plug-in code that uses these values, you will need to update it.

Updating your plug-ins: for each API implementation, replace the language value in the left column with the value(s) in the right column.

API implementation: C++ language attributes
  Replace                  With
  language::ARM            language::SWYX_ARM
  language::ARM64          language::SWYX_ARM64
  language::C              language::EDGCP_C, language::META_C [*]
  language::CPP            language::EDGCP_CPP, language::META_CPP [*]
  language::CSHARP         language::DOTNETFE_CSHARP, language::META_CSHARP [*]
  language::JAVA           language::JFE_JAVA, language::META_JAVA [*]
  language::MIPS           language::SWYX_MIPS
  language::PPC            language::SWYX_PPC
  language::TEXT           language::META_TEXT [*]
  language::X64            language::SWYX_X64
  language::X86            language::SWYX_X86

API implementation: Python language attributes
  Replace                  With
  language.ARM             language.SWYX_ARM
  language.ARM64           language.SWYX_ARM64
  language.C               language.EDGCP_C, language.META_C [*]
  language.CPP             language.EDGCP_CPP, language.META_CPP [*]
  language.CSHARP          language.DOTNETFE_CSHARP, language.META_CSHARP [*]
  language.JAVA            language.JFE_JAVA, language.META_JAVA [*]
  language.MIPS            language.SWYX_MIPS
  language.PPC             language.SWYX_PPC
  language.TEXT            language.META_TEXT [*]
  language.X64             language.SWYX_X64
  language.X86             language.SWYX_X86

API implementation: C enum symbols for cs_language_enum
  Replace                  With
  csl_arm                  csl_swyx_arm
  csl_arm64                csl_swyx_arm64
  csl_c                    csl_edgcp_c, csl_meta_c [*]
  csl_cpp                  csl_edgcp_cpp, csl_meta_cpp [*]
  csl_csharp               csl_dotnetfe_csharp, csl_meta_csharp [*]
  csl_java                 csl_jfe_java, csl_meta_java [*]
  csl_mips                 csl_swyx_mips
  csl_ppc                  csl_swyx_ppc
  csl_text                 csl_meta_text [*]
  csl_x64                  csl_swyx_x64
  csl_x86                  csl_swyx_x86

[*] The META_ prefix indicates a file that was directly imported into the CodeSonar project.

For example, suppose you have a C file myfile.c.
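Updating a Python plug-in for this change, as an added example that is not CodeSonar's own code: a small compatibility shim that resolves an old name such as C to its 8.1 replacements on either API version, and uses the META_ distinction to decide whether a unit came through a front end with detailed IR. It assumes a constructed stand-in for the plug-in API's `language` module (the member names are those listed above; the numeric values are made up).

```python
from types import SimpleNamespace

# Constructed stand-in for the plug-in API's `language` module so this runs
# offline; a real plug-in imports CodeSonar's module instead. The member names
# are the 8.1 names from the table above; the integer values are made up.
language = SimpleNamespace(
    EDGCP_C=10, META_C=11, EDGCP_CPP=20, META_CPP=21,
    DOTNETFE_CSHARP=30, META_CSHARP=31, JFE_JAVA=40, META_JAVA=41,
    META_TEXT=51, SWYX_ARM=60, SWYX_ARM64=61, SWYX_MIPS=62,
    SWYX_PPC=63, SWYX_X64=64, SWYX_X86=65,
)

# Pre-8.1 attribute name -> the 8.1 names that replace it (from the table above).
_REPLACEMENTS = {
    "C": ("EDGCP_C", "META_C"), "CPP": ("EDGCP_CPP", "META_CPP"),
    "CSHARP": ("DOTNETFE_CSHARP", "META_CSHARP"), "JAVA": ("JFE_JAVA", "META_JAVA"),
    "TEXT": ("META_TEXT",), "ARM": ("SWYX_ARM",), "ARM64": ("SWYX_ARM64",),
    "MIPS": ("SWYX_MIPS",), "PPC": ("SWYX_PPC",), "X64": ("SWYX_X64",),
    "X86": ("SWYX_X86",),
}


def language_values(old_name):
    """Set of language values that an old `== language.<old_name>` test should
    now accept. On a pre-8.1 hub the old attribute still exists and is used
    as-is; on 8.1 the replacements are resolved from the table."""
    legacy = getattr(language, old_name, None)
    if legacy is not None:
        return frozenset([legacy])
    try:
        return frozenset(getattr(language, n) for n in _REPLACEMENTS[old_name])
    except (KeyError, AttributeError):
        raise ValueError("no 8.1 replacement known for language.%s" % old_name)


def is_language(lang, old_name):
    """Drop-in replacement for the old `lang == language.<old_name>` comparison."""
    return lang in language_values(old_name)


def is_imported(lang):
    """True for META_* values, i.e. a file that was directly imported into the
    project (file-level IR only) rather than produced by a front end."""
    return any(name.startswith("META_") and value == lang
               for name, value in vars(language).items())


def can_walk_detailed_ir(lang):
    """A plug-in that walks detailed C/C++ IR should restrict itself to units
    that came through the C/C++ front end, not directly imported META_ files."""
    return (is_language(lang, "C") or is_language(lang, "CPP")) and not is_imported(lang)
```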

Customer Tickets Fixed

NUMBER                          NAME                                                                    NOTES
CSO-2868                        Pylint errors in Python analysis                                        fixed
ZD-28369, CSO-2911              Tasking compiler model parse errors                                     fixed
ZD-28369, CSO-2953              Enumeration value is out of "int" range                                 fixed
ZD-28608, CSO-3137              Parse error: expression must have a constant, cl2000.exe                fixed
ZD-28636, CSO-3181              cs-java-scan -exclude-sourceless-artifacts option not present           fixed
ZD-28835, CSO-3359              C# error: Unsupported PDB deleted bitset is not empty                   fixed
ZD-28943, CSO-3375              TI armcl parse errors                                                   fixed
ZD-29124, CSO-3503              Parse errors iccarm                                                     fixed
ZD-29329, ZD-29787, CSO-3563    Japanese character encoding is incorrect after migration                fixed
CSO-3589                        SSO does not redirect correctly and user appears not to be logged in    fixed
ZD-29485, CSO-3630              Unreachable Call warning for log() function                             fixed
ZD-29566, ZD-29686, CSO-3733    Identify bottleneck in transfer of large prj_files dir                  fixed
ZD-29653, CSO-3777              IAR parse errors with the iccrl78.exe compiler                          fixed
ZD-29718, CSO-3837              Remote Managed launch daemons added to the root launch daemon group never get created with their specified HOME directory    fixed
ZD-29719, CSO-3839              IAR compiler model issue                                                fixed
ZD-29735, CSO-3840              Request about HIS Metric (CALLING)                                      fixed
ZD-29758, CSO-3858              Starting hub service as local system not working                        Documentation updated to clarify procedure.
ZD-29771, CSO-3878              Failure to invoke clang to get preprocessor macros                      fixed
ZD-29749, CSO-3920              Hub upgrade not working with sym link                                   fixed
ZD-29844, CSO-3934              HTTP API curl command to get bearer token not working with expires date-time format shown in Swagger    fixed