CodeSonar Release 8.2 Release Notes

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

Release Notes

CodeSonar Release 8.2, patchlevel 0: Release Notes

Notes on Upgrading
What's New
Customer Tickets Fixed

Notes on Upgrading

The minimum CodeSonar version for direct upgrade to CodeSonar 7.0 or later is 4.1p0. If you have a hub that is running CodeSonar 4.0p2 or earlier, contact CodeSecure support for assistance in upgrading.

If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.

See Upgrading Configuration Files for instructions.
For some configuration files, the procedure includes steps that must be carried out before CodeSonar is upgraded.
If you are upgrading a CodeSonar installation that will be used by someone else:
- Determine the most appropriate person to upgrade the general template and compiler template configuration files.
  This will depend on local factors such as who usually makes changes to these files.

If you have previously installed the CodeSonar plug-in for Visual Studio or CodeSonar plug-in for Eclipse, upgrade those installations after upgrading CodeSonar.

What's New

New: codesonar es_scan.py	When invoked as part of the CodeSonar-facing build, analyzes the indicated JavaScript and TypeScript source files with ESLint and then imports the source files and SARIF results into the CodeSonar project. See Including JavaScript and TypeScript Components in a CodeSonar Project for details.
New: codesonar go_scan.py	When invoked as part of the CodeSonar-facing build, analyzes the indicated Go source files with Staticcheck and then imports the source files and Staticcheck SARIF results into the CodeSonar project. See Including Go Components in a CodeSonar Project for details.
New: codesonar kotlin_scan.py	When invoked as part of the CodeSonar-facing build, analyzes the indicated Kotlin source files with detekt and then imports the source files and detekt SARIF results into the CodeSonar project. See Including Kotlin Components in a CodeSonar Project for details.
New: codesonar rust_scan.py	When invoked as part of the CodeSonar-facing build, analyzes the indicated Rust source files with Clippy and then imports the source files and Clippy SARIF results into the CodeSonar project. See Including Rust Components in a CodeSonar Project for details.
New: codesonar generate_hubbearerfile.py	Create or delete a hub user session and bearer file. A bearer file created with this command can be supplied with the -hubbearerfile option to any codesonar subcommands that require hub authentication.
codesonar import_sarif.py	New options -path-base, -source-language, -source-max-bytes. Source files larger than 500KB, or whose language cannot be determined from their file extension, can now be imported as part of a codesonar import_sarif.py invocation instead of requiring a separate invocation of codesonar add_source_files.py.
codesonar python_scan.py	New options -X , -source-max-bytes , -sarif-output , -pylint-output, new positional argument file_or_dir
codesonar analysis_id.py	New option -strip.
codesonar hub-start	The behavior of the -permissive option has changed: it can now affect existing hubs if a database upgrade is involved.
Warning Category Filtering	The CodeSonar web GUI now supports warning category filtering: when you are viewing a page that contains warning category information, you can use this feature to display only those categories that you are interested in.
GUI Changes	There is one new GUI page type, and several existing page types have been extended, to support warning category filtering.
New Preset	There is one new configuration preset: cwe660_java, which enables all Java warning classes that are broadly mapped to CWE:660"Weaknesses in Software Written in Java".
API Changes	There are some changes to CodeSonar C/C++ ASTs.
C# (.NET) Analysis	There are several changes to the C# build/analysis.
Warning Classes	There are many new warning classes and several modified classes for C/C++. An upgrade to Roslyn 4.8 means that there are many new warning classes and three deleted classes for C#.
Compiler Models	Three new compiler models: c251, for the Keil C251 C compiler. mcc30, for the MPLAB C30 C compiler. qpp, for the QNX SDP C/C++ compiler (C++ interface) There are also ongoing enhancements to existing compiler models.
EDG Upgrade	CodeSonar now uses EDG version 6.6, released December 18, 2023. Improved C support: all C17/C18 features are now fully supported, as are many C23 features. Improved C++ support: additional support for C++20 features and C++23 features.
CWE	This version of CodeSonar uses CWE v4.14, released February 29, 2024. CWE mappings are now provided for the Python warning classes corresponding to Pylint rules.
Warning Processors	The warning processor execution environment now includes environment variables CSONAR and CSHUB_PROCESSORS_HOME. The display script execution scope now includes variable CSHUB_PROCESSORS_HOME.
UTC Timestamps	Timestamps in general hub information are now UTC-based. Timestamps in hub-generated messages in the hub log are now UTC-based; timestamps in stdout messages written to the log but originating from CodeSonar analysis, PostgreSQL, or other third-party components may be based on your system time zone.
Support Warning	CodeSonar 8.2 is the final CodeSonar release to support FreeBSD 10.0. FreeBSD 12 will still be supported.
No Longer Supported	Windows 8.0, Windows 8.1, and Windows Server 2012 are no longer supported as of this release.
Release Status	For full information about release status for all current and past CodeSonar versions, see the Supported Product Versions page on the CodeSecure support site.

Details

Warning Category Filtering

The CodeSonar web GUI now supports warning category filtering: when you are viewing a page that contains warning category information, you can use this feature to display only those categories that you are interested in. For example, if you are only interested in MISRA C rules, you can define and apply a category filter that displays only those categories, and hides categories related to CWE, CERT, JSF++, and so on.

Warning category filter settings correspond to saved searches in the new warning category search domain.
CodeSonar ships with several warning category filters.
- all : show all categories.
- taxonomy_name : show only categories from the specified taxonomy.
  There is a built-in taxonomy_name filter for each taxonomy listed in Warning Categories: Standard Category Kinds.
There are several GUI changes.
In particular, all GUI page types that display warning category information now display only the categories permitted by the current warning category filter setting.

For more information, see GUI: Warning Category Filtering.

Warning Category Search

This version of CodeSonar adds support for searching in a new domain: Warning Categories.

Search results in this domain correspond to warning categories.
Saved searches in this domain are used by the new warning category filtering feature.

The Warning Categories search domain is supported by existing search infrastructure:

The Saved Searches page now has an additional Categories tab.
The domain/scope menu includes a categories option where appropriate.
There is a warning category search language.
There is a warning category search results page type.
Visibility filter "Visible Categories" applies to the warning category search results page.

GUI Changes

There are a number of GUI changes in this version of CodeSonar.

New GUI Page Types

Warning Category Search Results	Presents the results of a search in the Warning Categories domain (new functionality).

Modified GUI Page Types

Account Editor	The Visibility Settings tab now includes a Visible Categories setting.
Saved Searches	Now includes a Categories tab, for saved searches in the new Warning Categories domain.
Analysis: Warnings Warning Search Results Warning Cluster	The contents of the Categories column in the table of warnings are now displayed according to the current warning category filter. Warning category filtering controls can be accessed through a button to the right of the Categories column header.
Warning Report	In the expanded Warning Properties and Details section, the contents of the Categories field are now displayed according to the current warning category filter. Warning category filtering controls can be accessed through a button under the Categories heading.

Warning Classes

There are changes to warning classes for C++ and C#.

C++: there are many new C/C++ warning classes, and several modified C/C++ warning classes.
C#: CodeSonar now uses Roslyn 4.8, including microsoft.codeanalysis.netanalyzers 8.0.0. In consequence, the set of Roslyn-detected C# warning classes has changed: there are many new C# warning classes and three deleted classes.

New C/C++ Warning Classes

Cast: Virtual Base to Derived	LANG.CAST.PC.VBASE
Float Multiplication Overflow	LANG.ARITH.FMULOFLOW
Implicit Constructor Shadowing	LANG.FUNCS.ICS
Inappropriate Comparison of Virtual Member Function	LANG.STRUCT.ICVMF
Inappropriate Volatile Declaration	LANG.TYPE.IVD
Macro Defines Constant	LANG.PREPROC.MDC
Override of Non-Virtual Method	LANG.TYPE.ONVM
Register Keyword	LANG.STRUCT.REGISTER
Risky Atomic Memory Order	CONCURRENCY.C_ATOMIC.MO
Specialization after Use	LANG.STRUCT.DECL.SAU
Use of #define	LANG.PREPROC.DEFINE
Use of #elif	LANG.PREPROC.ELIF
Use of #elifdef	LANG.PREPROC.ELIFDEF
Use of #elifndef	LANG.PREPROC.ELIFNDEF
Use of #else	LANG.PREPROC.ELSE
Use of #endif	LANG.PREPROC.ENDIF
Use of #error	LANG.PREPROC.ERROR
Use of #if	LANG.PREPROC.IF
Use of #ifdef	LANG.PREPROC.IFDEF
Use of #ifndef	LANG.PREPROC.IFNDEF
Use of #import	LANG.PREPROC.IMPORT
Use of #include	LANG.PREPROC.INCLUDE
Use of #include_next	LANG.PREPROC.INCLUDE_NEXT
Use of #line	LANG.PREPROC.LINE
Use of #pragma	LANG.PREPROC.PRAGMA
Use of #using	LANG.PREPROC.USING
Use of #warning	LANG.PREPROC.WARNING
Use of NULL	BADMACRO.NULL
Use of setlocale	BADFUNC.SETLOCALE
Use of std::locale::global	BADFUNC.LOCALE.GLOBAL

Modified C/C++ Warning Classes

Warning Class	Changes
Dangerous Include File Name Malformed #include Use of <setjmp.h> Use of <signal.h> Use of <tgmath.h>	Warnings of these classes are now also triggered when the preprocessing directive is #include_next (previously #include only).
Invalid Preprocessor Directive	Now also triggered by #warning directives with no body.
Missing Lock Acquisition	Condition-wait functions are now modeled as releasing and then reacquiring the specified lock. They can therefore trigger warnings of these classes: Missing Lock Acquisition if a function contains a condition-wait call specifying a lock that was not previously acquired in the same function. Missing Lock Release if a function contains a condition-wait call specifying a lock that is not released before the function returns.
Missing Lock Release
No matching #if	Now also triggered by occurrences of #elifdef or #elifndef when there is no preceding #if or #ifdef directive.

New Roslyn-detected C# warning classes

There are several new Roslyn-detected C# warning classes.

New Roslyn-detected C# Warning Class	Mnemonic
A constant is expected for the parameter (C#)	ROSLYN.PERFORMANCE.CA1857
Avoid constant arrays as arguments (C#)	ROSLYN.PERFORMANCE.CA1861
Avoid using 'Enumerable.Any()' extension method (C#)	ROSLYN.PERFORMANCE.CA1860
Cache and reuse 'JsonSerializerOptions' instances (C#)	ROSLYN.PERFORMANCE.CA1869
Do not call Enumerable.Cast or Enumerable.OfType with incompatible types (C#)	ROSLYN.RELIABILITY.CA2021
Do not use ConfigureAwaitOptions.SuppressThrowing with Task (C#)	ROSLYN.USAGE.CA2261
Incorrect usage of ConstantExpected attribute (C#)	ROSLYN.PERFORMANCE.CA1856
Prefer the 'IDictionary.TryAdd(TKey, TValue)' method (C#)	ROSLYN.PERFORMANCE.CA1864
Prevent behavioral change (C#) (previously named "Prevent from behavioral change (C#)")	ROSLYN.RELIABILITY.CA2020
Unnecessary call to 'Contains(item)' (C#)	ROSLYN.PERFORMANCE.CA1868
Use 'CompositeFormat' (C#)	ROSLYN.PERFORMANCE.CA1863
Use 'StartsWith' instead of 'IndexOf' (C#)	ROSLYN.PERFORMANCE.CA1858
Use a cached 'SearchValues' instance (C#)	ROSLYN.PERFORMANCE.CA1870
Use ArgumentException throw helper (C#)	ROSLYN.MAINTAINABILITY.CA1511
Use ArgumentNullException throw helper (C#)	ROSLYN.MAINTAINABILITY.CA1510
Use ArgumentOutOfRangeException throw helper (C#)	ROSLYN.MAINTAINABILITY.CA1512
Use char overload, CA1865 (C#)	ROSLYN.PERFORMANCE.CA1865
Use char overload, CA1866 (C#)	ROSLYN.PERFORMANCE.CA1866
Use char overload, CA1867 (C#)	ROSLYN.PERFORMANCE.CA1867
Use concrete types when possible for improved performance (C#)	ROSLYN.PERFORMANCE.CA1859
Use ObjectDisposedException throw helper (C#)	ROSLYN.MAINTAINABILITY.CA1513
Use the 'StringComparison' method overloads to perform case-insensitive string comparisons (C#)	ROSLYN.PERFORMANCE.CA1862

Deleted Roslyn-detected C# warning classes

The following Roslyn-detected warning classes are no longer available, because the corresponding rules are not present in microsoft.codeanalysis.netanalyzers 8.0.0.

ROSLYN.SECURITY.CA2109 Review visible event handlers (C#)
ROSLYN.USAGE.CA2229 Implement serialization constructors (C#)

In addition, ROSLYN.RELIABILITY.CA2020 Prevent from behavioral change (C#) has been deleted and replaced by ROSLYN.RELIABILITY.CA2020 Prevent behavioral change (C#).

C# (.NET) Analysis

There are several changes to the C# build/analysis.

.NET 8.0 is now supported: specify -framework net8.0.
CodeSonar now searches in more places for .NET and .NET Core assemblies when it is resolving references in your analyzed files during the build interval.
Previously, commands of the form codesonar cs-dotnet-scan -include-artifacts [...] always needed to explicitly specify paths to commonly used assemblies such as PresentationCore.dll, System.Diagnostics.EventLog.dll, System.Windows.Forms.dll, and System.Windows.Presentation.dll. After this change, such paths only need to be specified (with -include-libraries or -include-signatures) if the assemblies are also needed in the analyze interval. If a referenced assembly is needed for the analyze interval but is not included, CodeSonar will issue an alert.
CodeSonar now uses Roslyn 4.8, including microsoft.codeanalysis.netanalyzers 8.0.0. As a result, there are several changes to the set of available Roslyn-detected C# warning classes

API Changes

There are some changes to CodeSonar C/C++ ASTs.

There are two new unnormalized AST classes: cc:builtin-operation-class-template-and-type and cc:static-assertion.
Unnormalized AST class cc:constant-ptr-to-member has new attributes :field and :routine.
Helper enumeration flt_kind has new members stdbfloat16, stdfloat32x, stdfloat64x.
Helper enumeration builtin_operation_kind has new members bok-builtin-is-deducible, bok-is-bounded-array, bok-is-unbounded-array, bok-is-referencable, bok-is-nothrow-convertible, bok-constructs-from-temporary, bok-reference-converts-from-temporary, bok-is-convertible.

Customer Tickets Fixed

NAME	NUMBER	NOTES
Parse error: invalid type conversion - clang-15.0.1	ZD-28640, CSO-3138	fixed
Add information regarding C# messages related to invalid, native, and duplicate components	ZD-28835, CSO-3326	Alerts documentation updated.
Front end crash, cl compiler: type_pointed_to: not a pointer type	ZD-29102, CSO-3442	fixed
Fatal error in analysis	ZD-29908, CSO-3995	fixed
"Missing Final Else" reporting FPs	ZD-29953, CSO-3966	fixed
Parse error "expression must have a constant"	ZD-29994, CSO-4003	fixed
Different compilation unit statuses: obsoleted vs finished, when analyzing on 7.1 vs 8.0	ZD-30004, CSO-4002	fixed
The environment variable: JAVA_JFE_INCLUDESOURCE_LIMIT, needs to be documented in the manual.	ZD-30075, CSO-4251	See Build and Analysis for Java Projects: "Too many potential candidates" parse errors
Parse errors - compiler QNX 7.1	ZD-30131, CSO-4092	fixed
MPLab C30 compiler model	ZD-30139, CSO-4234	New mcc30 compiler model added.
Build wizard does not work with Modus Toolbox IDE	ZD-30149, CSO-4198	fixed
Update system requirements page to be more explicit about supported processors	ZD-30153, CSO-4067	System Requirements page updated
MISC.CPE warning class information needs to be updated to reflect language support	ZD-30233, CSO-4249	Copy-Paste Error (MISC.CPE) is available for all languages.
C# analysis alert: Invalid Component Cannot parse MP21Tools/MP21ToolsTop.class	ZD-30332, CSO-4277	fixed
SaaS hub: Exception Type:AssertionError - Exception Value:Project name cannot be the empty string	ZD-30426, CSO-4273	fixed
Hub exception when trying to download SARIF: Exception Type:ExpatError Exception Value:not well-formed	ZD-30427, CSO-4278	fixed
Unable to perform analyses after upgrade from 7.2 to 8.1: hub Exception Type:AssertionError	ZD-30449, ZD-30538, ZD-30875, CSO-4285	fixed
Different C# results for the same code in different projects	ZD-30486, CSO-4333	When you have cs-dotnet-scan -msbuild-solution ... commands, ensure that they: specify -msbuild-location, and use -msbuild-property to account for the property settings used to build the project.
CodeSonar analysis using -remote-archive has issue: The project is locked by another process.	ZD-30487, CSO-4320	fixed
Parse errors when using the compiler: C:\msys64\mingw64\bin\g++ (g++.exe (Rev3, Built by MSYS2 project) 13.2.0)	ZD-30492, CSO-4323	fixed
Parse errors for compiler: aarch64-poky-linux-g++, identifier "__fp16" is undefined	ZD-30501, CSO-4327	fixed
ModuleNotFoundError: No module named 'analysis_alert'	ZD-30523, CSO-4466	fixed
Preset misrac2023 has incorrect configuration, targeting 'language=c++' instead of 'language=c'	ZD-30576, CSO-4362	fixed
Updates to helm chart	ZD-30623, CSO-4415	fixed
Parse errors: g++ compiler "*** EDGCP-dist/src/decl_inits.c:7171: expected some parse errors, but none was issued."	ZD-30668 , CSO-4467	fixed
Useful lifetime is unbound assertion failure	ZD-30847, CSO-4506	fixed
Update manual page: TLS Certificates, to provide more information about CSR for trusted CAs	ZD-30909, CSO-4515	Information about obtaining a hub server certificate added to manual page.