CodeSonar Release 8.3p0 Release Notes

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

Release Notes

CodeSonar Release 8.3, patchlevel 0: Release Notes

Notes on Upgrading
What's New
Customer Tickets Fixed

Notes on Upgrading

The minimum CodeSonar version for direct upgrade to CodeSonar 7.0 or later is 4.1p0. If you have a hub that is running CodeSonar 4.0p2 or earlier, contact CodeSecure support for assistance in upgrading.

If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.

See Upgrading Configuration Files for instructions.
For some configuration files, the procedure includes steps that must be carried out before CodeSonar is upgraded.
If you are upgrading a CodeSonar installation that will be used by someone else:
- Determine the most appropriate person to upgrade the general template and compiler template configuration files.
  This will depend on local factors such as who usually makes changes to these files.

If you have previously installed the CodeSonar plug-in for Visual Studio or CodeSonar plug-in for Eclipse, upgrade those installations after upgrading CodeSonar.

What's New

C# Analysis Improvements	There are several improvements to the C# build/analysis.
Build/Analysis For Java 20, 21, 22	The CodeSonar Java build/analysis can now be applied to Java 20, 21, and 22.
Warning Classes	There are many new warning classes and one modified class for C/C++.
GUI	The Management Report Template Editor now includes functionality for inserting and customizing a Warning Categories table.
Management Reports	Management reports have added support for warning categories. You can now include Warning Categories tables in your custom management reports. When a Warnings table includes a Categories column, you can now apply a warning category filter to that column.
Configuration Changes	There is one new configuration preset and one preset has been modified. There are also six new configuration parameters.
CWE	This version of CodeSonar uses CWE v4.15, released July 16, 2024. CWE mappings are now provided for the Kotlin warning classes corresponding to detekt rules.
LDAP Authentication Plug-In Changes	The LDAP (Active Directory) authentication plug-in has several improvements. You can now map a single LDAP role to multiple CodeSonar roles. There is a new Role Mapping Base DN setting Note that automatic role mapping is available for Microsoft Active Directory only.
API Changes	There are some changes to CodeSonar C/C++ ASTs.
Support Warning	CodeSonar 8.3 is the final CodeSonar release to support the CodeSonar plug-in for Visual Studio 2015. The CodeSonar plug-in for Visual Studio 2017 and Visual Studio 2019 and the CodeSonar plug-in for Visual Studio 2022 will still be supported.
Release Status	For full information about release status for all current and past CodeSonar versions, see the Supported Product Versions page on the CodeSecure support site.

Details

C# Analysis Improvements

There are several improvements to the C# build/analysis.

The analysis no longer tries to find source files for libraries (included with -include-libraries) and signatures (included with -include-signatures) that have associated PDB files. Analyses that include libraries or signatures will generally experience improved performance and fewer "Missing Source Files" alerts.
Specifying maximum verbosity (10) no longer causes a command syntax error.
Source file detection has been improved.
Support for .properties, sarl, and .xml artifacts has been improved.
Fixed issue where trailing backslash on -msbuild-location value was not accepted.
Fixed issue where Windows paths sent to hub had Unix-style slashes for some artifact analyses.

Java Build/Analysis for Java 20, 21, 22

The CodeSonar Java build/analysis can now be applied to Java 20, 21, and 22. You can specify these frameworks with, respectively:

Features that are still in preview status as of a particular Java version are not parsed when that version (or earlier) is specified.

Support and handling for new permanent features in Java 21 and 22 are described in the following table. Java 20 has no new permanent features.

Feature	State of support	Notes
Unnamed Variables and Patterns JEP 456	parsed, IR generated	Minimum specified framework for parsing: Java 22. Unnamed variables and patterns are parsed but currently analyzed as classical named local variables. Using them will cause CodeSonar to issue a false positive Unused Value: Variable (Java) warning for each use.
Record Patterns JEP 440	parsed, partial IR generated	Minimum specified framework for parsing: Java 21. Using these will cause CodeSonar to issue false positive warnings of the following classes. Generic Exception Handler (Java) : one warning for each method where record patterns are used. Instanceof Always True (Java) : at least one warning for each record class in a complex pattern.
Pattern Matching for switch JEP 441	Parsed only	Minimum specified framework for parsing: Java 21. CodeSonar will parse code using this feature, but not generate IR or apply any additional handling. Pattern expressions and references do not contribute to code metrics. Using the feature may cause some non-blocking exceptions to be recorded in the analysis log. Some switch cases may be incorrectly identified as unreachable, causing CodeSonar to issue false positive warnings of various classes.

Feature

State of support

Notes

Unnamed Variables and Patterns
JEP 456

parsed, IR generated

Minimum specified framework for parsing: Java 22.

Unnamed variables and patterns are parsed but currently analyzed as classical named local variables. Using them will cause CodeSonar to issue a false positive Unused Value: Variable (Java) warning for each use.

Record Patterns
JEP 440

parsed, partial IR generated

Minimum specified framework for parsing: Java 21.

Using these will cause CodeSonar to issue false positive warnings of the following classes.

Generic Exception Handler (Java) : one warning for each method where record patterns are used.
Instanceof Always True (Java) : at least one warning for each record class in a complex pattern.

Pattern Matching for switch
JEP 441

Parsed only

Minimum specified framework for parsing: Java 21.

CodeSonar will parse code using this feature, but not generate IR or apply any additional handling.

Pattern expressions and references do not contribute to code metrics.
Using the feature may cause some non-blocking exceptions to be recorded in the analysis log.
Some switch cases may be incorrectly identified as unreachable, causing CodeSonar to issue false positive warnings of various classes.

A new manual page summarises CodeSonar support for specific Java versions.

Warning Classes

There are many new C/C++ warning classes, and one modified C/C++ warning class.

New C/C++ Warning Classes

Array Parameter	LANG.FUNCS.AP
Implicit Inheritance from Stateful Virtual Base	LANG.TYPE.IISVB
Inappropriate Assignment Operator Return	LANG.STRUCT.ASSIGNRET
Inappropriate Include File Specification	LANG.PREPROC.INCL.IIFS
Macro Argument is both Mixed and Expanded	LANG.PREPROC.MARGME
Missing User-defined Operations	LANG.TYPE.MUDO
Multiple Inheritance with Private Interface Class	LANG.TYPE.MI.PRIVI
Multiple Inheritance with Protected Interface Class	LANG/LANG.TYPE.MI.PROTI
Multiple Inheritance with Public Base Class	LANG.TYPE.MI.PBC
Multiple Inheritance with Too Many Protected Base Classes	LANG.TYPE.MI.TMPBC
switch With Non-enum Expression	LANG.STRUCT.SW.SWNEE
Unnamed Field	LANG.TYPE.UNF
Too Many Side Effects in Assignment	ANG.STRUCT.SE.ASSIGN
Too Many Side Effects in Condition	LANG.STRUCT.SE.ECOND
Too Many Side Effects in Function Call	LANG.STRUCT.SE.CALL
Too Many Side Effects in Statement	LANG.STRUCT.SE.STMT
Too Many Side Effects in Switch	LANG.STRUCT.SE.SWITCH
Unnamed Field	LANG.TYPE.UNF
Unneeded Implicitly Generated Operations	LANG.TYPE.UIGO

Modified C/C++ Warning Class

Warning Class	Changes
Commented-out Code	Checks can now be configured with new configuration parameters COMMENTED_OUT_CODE_SIZE_THRESHOLD, COMMENTED_OUT_CODE_MIN_RATIO, COMMENTED_OUT_CODE_MAX_RATIO.

Configuration Changes

There is one new configuration preset and one preset has been modified. There are also six new configuration parameters.

New Preset

Preset	Description
csharp_no_roslyn	Disables all Roslyn-detected C# warning classes (those with mnemonic ROSLYN.*).

Modified Preset

Preset	Changes
csharp_complete	Now also enables all warning classes detected in C# code, including Roslyn-detected C# warning classes. (Previously enabled only CodeSonar-detected C# warning classes).

New configuration parameters

There are six new configuration parameters:

COMMENTED_OUT_CODE_SIZE_THRESHOLD	Specifies a comment size threshold for reporting Commented-out Code warnings.
COMMENTED_OUT_CODE_MAX_RATIO COMMENTED_OUT_CODE_MIN_RATIO	Specify upper and lower bounds on the "operator"/"non-operator" character ratio that will be treated as indicating the presence of code for Commented-out Code checks.
LOG_COMPILER_ARGUMENT_FILES	Specifies whether or not to log the contents of argument files processed by compiler models to the Native Compilation Details Log.
SWITCH_LABEL_CARDINALITY_THRESHOLD	The threshold below which a switch statement has too few cases to trigger a switch With Non-enum Expression warning.
SWITCH_LABEL_DENSITY_THRESHOLD	The threshold below which the cases in a switch statement are too sparse to trigger a switch With Non-enum Expression warning.

API Changes

There are some changes to CodeSonar C/C++ ASTs.

There are two new unnormalized AST classes: cc:const-eval-deferred-expr and cc:template-name.
There is one new normalized AST class: c:language-features.
There is one modified normalized AST class: c:file-info has new attribute :language-features.
Helper enumeration attribute_kind has new members attribute_pass_object_size and attribute_diagnose_if.

Customer Tickets Fixed

NAME	NUMBER	NOTES
Error message 'The metric "None" does not exist' when previewing edits to a copy of the standard "Analysis Report" template	ZD-28659, ZD-30448, ZD-31281, CSO-3143	fixed
Roslyn parse errors in C# analysis	ZD-28835, ZD-29981, ZD-31028, CSO-3931	fixed
C++ parse errors in a mixed C++/C# project	ZD-30581, CSO-4449	fixed
Parse errors when using musllib stdio	ZD-30861, ZD-31075, CSO-4516, BZ:72096	Additional modeling added.
LDAP role mapping not working when there are multiples of the same DN being mapped to different hub roles	ZD-30895, CSO-4569	fixed
C# analysis message "The number of constants 65536 is over the size of the constant pool: 65535"	ZD-31028, ZD-31150, CSO-4631	fixed
parse error for ecomppc: cannot open source file "string.h" #include_next <string.h>	ZD-31134, CSO-4725	fixed
cl compiler model needs to handle /EXTERNAL argument	ZD-31155, CSO-4705	fixed
Error: "Bad Request: This hub only speaks HTTPS, but that was an HTTP request. Use https:// in the URL"	ZD-31181, CSO-4720	fixed
Relative dates broken; Exception Type:TypeError Exception Value:list indices must be integers or slices, not float	ZD-31197, CSO-4723	fixed
Improved mapping for OWASP top ten 2017/2021 and related CWE categories	ZD-31226, CSO-4729	Improvements to warning category broad mappings, in particular for OWASP-2017, OWASP-2021, and CWE.
config tool option 1, permission denied when trying to create a new hub user	ZD-31337, CSO-4806	fixed
C# build problems when using -msbuild-solution with VS 2022 17.11 and later	ZD-31349, CSO-4880	fixed
Extend documentation for two warning classes	ZD-31354, CSO-4811	Documentation for Macro Does Not End With } or ) and Macro Does Not Start With { or ( extended.
FP: Unused Parameter	ZD-31336, CSO-4807	fixed