CodeSonar Release 9.0p0 Release Notes

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

Release Notes

CodeSonar Release 9, patchlevel 0: Release Notes

Notes on Upgrading
What's New
Customer Tickets Fixed

Notes on Upgrading

The minimum CodeSonar version for direct upgrade to CodeSonar 9.0p0 or later is 5.4p0.
If you have a hub that is running CodeSonar 5.3p0 or earlier, contact CodeSecure support for assistance in upgrading.

If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.

See Upgrading Configuration Files for instructions.
For some configuration files, the procedure includes steps that must be carried out before CodeSonar is upgraded.
If you are upgrading a CodeSonar installation that will be used by someone else:
- Determine the most appropriate person to upgrade the general template and compiler template configuration files.
  This will depend on local factors such as who usually makes changes to these files.

If you have previously installed the CodeSonar plug-in for Visual Studio or CodeSonar plug-in for Eclipse, upgrade those installations after upgrading CodeSonar.

What's New

codesonar import_sarif.py	New option: -staticcheck
New codesonar_citool.py	The codesonar_citool.py wrapper supports running the CodeSonar build/analysis in a continuous integration (CI) context and performing specified checks on the analysis results. For details, see codesonar_citool.py: A Wrapper for CI Contexts.
New Warning Category Kind	Warning categories with IDs of the form DISA-6r1:id.num correspond to findings in the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG), Version 6, release 1 (STIG release date June 5, 2024). Associated Warning Classes: DISA-6r1, DISA-6r1 Broad Mapping Mapping CSV files: DISA-6r1-mapping.csv, DISA-6r1-mapping-broad.csv Relevant Presets: disa, disa_latest, disa6r1 Management Report Templates: DISA v6 r1 Report, DISA v6 r1 Severity Report
Warning Classes	One new C/C++ warning class: Dynamic Thread Creation. One modified C/C++ warning class: Leak: checkers now also detect threads that are created but never joined or detached.
Android Support	CodeSonar Java analysis can now be performed on Android 15 (or projects utilizing Android 15).
C# Build/Analysis	There is a new -msbuild-project option, which can be used when the cs-dotnet-scan command specifies a solution file with -msbuild-solution. This is particularly useful for analyses performed with the CodeSonar Plug-in for Visual Studio: it supports setting up a post-build step to analyze the project that has just been built.
New Analysis Traversal	New parallel depth-first traversal. New corresponding analysis state "Analyzing Translation Units" Traversal previously referred to as "depth-first" is now referred to as serial depth-first to emphasize the distinction. Corresponding analysis state now called "Analyzing Translation Units Serially" (previously "Collecting Constants"). New API visitors available for the new traversal.
New GUI Alert Kind	One new red alert: num Failed Analysis Tasks
Dockerfile	The Dockerfile shipped with CodeSonar has undergone substantial changes and improvements. In particular: The Dockerfile is now invoked from the root directory of an existing installation (previously the CodeSonar package was provided as an argument to docker build). The C_ANALYSIS argument now controls the availability of components required for C and C++ analysis only. New argument C_BUILD controls the availability of components required to accumulate (build) C and C++ components into a CodeSonar project. Similarly, the JAVA_ANALYSIS argument now controls the availability of components required for Java and C# analysis only, and new argument JAVA_BUILD controls the availability of components required to accumulate Java and C# components into a CodeSonar project. The PYTHON_ANALYSIS argument has been removed. Set SHALLOW_ANALYSIS=0 to delete the components required for analyzing all languages except C, C++, Java, and C#. There are several other new --buildarg arguments. For full details, see the Dockerfile comments.
Management Reports	There are several new predefined management report templates.
Configuration Presets	There are two new presets, and several modified presets. This includes modifications to several taxonomy presets based on changes to the characterizations for all taxonomy presets.
New Configuration Parameters	Three new parameters: HUB_UPLOAD_STREAMS, THREAD_CREATION_FUNCTIONS, THREAD_INIT_FUNCTIONS
API Changes	There are several changes to the CodeSonar Plug-In API in this release. Visitor Changes: many new visitors, and one important change to an existing visitor. One new compilation unit function/method. Changes to functions/methods with arguments that represent bounds.
Performance improvements	The new parallel depth-first traversal supports further parallelization of the CodeSonar analysis. When parallel analysis is enabled and multiple analysis slaves are available, analysis times will generally be better than previously for analyses that enable resource-intensive warning classes (such as many of the classes that support the various MISRA C and MISRA C++ standards). In particular, the analysis will spend less total time in "Analyzing Translation Units Serially" and "Analyzing Translation Units" states than it previously spent in the "Collecting Constants" state. CodeSonar now also supports multiple concurrent upload streams to the hub. This will generally improve performance for analyses that spend a lot of time flushing transactions to the hub. The number of permitted streams is controlled by the new HUB_UPLOAD_STREAMS configuration parameter. The default setting of this parameter is 4: you will not need to change it to see substantial benefit, since previous behavior was equivalent to a setting of 1.
Release Status	For full information about release status for all current and past CodeSonar versions, see the Supported Product Versions page on the CodeSecure support site.

Details

Configuration Presets

There are several changes to the set of available configuration presets.

Two new presets.
Several modified presets. This includes modifications to several taxonomy presets based on changes to the characterizations for all taxonomy presets.

New Presets

There are two new presets.

cwe2024. Enables all warning classes that are closely mapped to one or more of the 2024 CWE Top 25 Most Dangerous Software Weaknesses.
disa6r1. Enables all warning classes that are closely mapped to one or more 'findings' in the DISA Application Security and Development STIG version 6, release 1.

Modified Presets

There are several modifications to existing presets.

The disa-lastest preset is now equivalent to the disa6r1 preset.
The disa preset now includes warning classes that are closely mapped to one or more 'findings' in the DISA Application Security and Development STIG version 6, release 1.
The characterizations of all taxonomy presets have changed.
For a given warning class C, a taxonomy preset will enable C if all of the following are true.
- C is closely mapped to one or more categories in the specified taxonomies.
- The preset does not also enable warning classes that are closer matches for the same categories.
- C satisfies any additional conditions specified for the preset.
  When a warning class is omitted from a taxonomy preset for this reason, the preset file contains an explanatory comment.
The second of these requirements was not previously applied.

The behavior of several existing presets is affected by this change in characterization.

All MISRA C presets and MISRA C++ presets	No longer enables Inappropriate Include File Specification (Malformed #include is a closer match to the same rules).
cert, certc	No longer enables Assignment Result in Expression and Condition Contains Side Effects (Assignment in Conditional is a closer match to the same CERT-C rule in both cases.)
ts17961	No longer enables Malformed switch Statement (Missing default is a closer match to the same ISO/IEC TS 17961 rule).

Management Reports

There are several new predefined management report templates.

SANS/CWE Top 25 2024 Report. Analysis-scoped; contains charts and tables describing the analysis warnings whose classes are closely mapped to each of the 2024 CWE Top 25 Most Dangerous Software Weaknesses.
DISA v6 r1 Report. Analysis-scoped; contains charts and tables describing the analysis warnings whose classes are closely mapped to 'findings' in the DISA Application Security and Development STIG version 6, release 1.
There are four new templates for warning class category severity reports:
- DISA v6 r1 Severity Report
- DISA v5 r3 Severity Report
- DISA v4 r3 Severity Report
- DISA v3 r10 Severity Report
A warning class category severity report is divided into sections by severity category (as specified by the corresponding standard or rule set), then into subsections for each category that has one or more closely mapped CodeSonar warning classes. Each subsection contains information about the category and its related warning classes, along with a (possibly-empty) table containing warnings of those classes that were issued by the analysis.
A summary at the top of the report lists the number of warnings reported in each severity category.
Additional warning class category severity report templates will be added in a future release.

API Changes

There are several changes to the CodeSonar Plug-In API in this release.

Visitor Changes: many new visitors, and one important change to an existing visitor.
One new compilation unit function/method.
Changes to functions/methods with arguments that represent bounds of various kinds.

Visitor changes

There are many new visitors, and one important change to an existing visitor.

Important change. The semantics of program finish visitors have changed. They now run earlier—at the end of the serial depth-first phase—instead of after all traversals. To execute code after all traversals have finished, use a program bottom-up finish visitor.
If you have existing plug-ins that include a program finish visitor, update them to use a program bottom-up finish visitor instead.

New and modified visitors are show in the following table. The majority of new visitors belong to the new parallel depth-first analysis traversal.

	Description	API Implementation
	Description	C++	Python	C
Serial depth-first phase: one new visitor and one and modified visitor
NEW	source file instance finish visitor; serial-depth first phase	analysis::add_sfileinst_finish_visitor()	@sfileinst_finish_visitor	csonar_add_sfi_finish_visitor()
MODIFIED	program-level finish visitor: now applied at the end of the serial depth-first phase instead of after all traversals	analysis::add_project_finish_visitor()	@project_finish_visitor	csonar_add_program_bottom_up_finish_visitor()
Parallel depth-first phase: new phase, with full set of new visitors
NEW	program-level visitor, applied at the beginning of the parallel depth-first phase	analysis::add_project_parallel_visitor()	@project_parallel_visitor	csonar_add_program_parallel_visitor()
NEW	compilation unit visitor; parallel depth-first phase	analysis::add_compunit_parallel_visitor()	@compunit_parallel_visitor	csonar_add_uid_parallel_visitor()
NEW	procedure visitor; parallel depth-first phase	analysis::add_procedure_parallel_visitor()	@procedure_parallel_visitor	csonar_add_pdg_parallel_visitor()
NEW	symbol visitor; parallel depth-first phase	analysis::add_symbol_parallel_visitor()	@symbol_parallel_visitor	csonar_add_abs_loc_parallel_visitor()
NEW	point visitor; parallel depth-first phase	analysis::add_point_parallel_visitor()	@point_parallel_visitor	csonar_add_pdg_vertex_parallel_visitor()
NEW	procedure visitor; parallel depth-first phase	analysis::add_procedure_parallel_finish_visitor()	@procedure_parallel_finish_visitor	csonar_add_pdg_parallel_finish_visitor()
NEW	source file visitor; parallel depth-first phase	analysis::add_sfile_parallel_visitor()	@sfile_parallel_visitor	csonar_add_sf_parallel_visitor()
NEW	source file instance visitor; parallel depth-first phase	analysis::add_sfileinst_parallel_visitor()	@sfileinst_parallel_visitor	csonar_add_sfi_parallel_visitor()
NEW	source file instance finish visitor; parallel depth-first phase	analysis::add_sfileinst_parallel_finish_visitor()	@sfileinst_parallel_finish_visitor	csonar_add_sfi_parallel_finish_visitor()
NEW	source file finish visitor; parallel depth-first phase	analysis::add_sfile_parallel_finish_visitor()	@sfile_parallel_finish_visitor	csonar_add_sf_parallel_finish_visitor()
NEW	compilation unit finish visitor; parallel depth-first phase	analysis::add_compunit_parallel_finish_visitor()	@compunit_parallel_finish_visitor	csonar_add_uid_parallel_finish_visitor()
NEW	program-level finish visitor, applied at the end of parallel depth-first phase	analysis::add_project_parallel_finish_visitor()	@project_parallel_finish_visitor	csonar_add_program_parallel_finish_visitor
Bottom-up phase: one new visitor
NEW	program-level visitor, applied at the end of the bottom-up phase (and thus after all traversals are finished)	analysis::add_project_bottom_up_finish_visitor()	@project_bottom_up_finish_visitor	csonar_add_program_bottom_up_finish_visitor()

New compilation unit function/method

There is one new compilation unit function/method.

Description	API Implementation
Description	C++	Python	C
Check: did the front end reach any limits (for example, INITIALIZER_LIMIT, CONSTEXPR_CALL_DEPTH_LIMIT, AST_DEPTH_LIMIT) while parsing the specified compilation unit? If so, this may have resulted in missing IR.	compunit::limit_reached()	compunit.limit_reached()	cs_uid_limit_reached()

Changes to functions/methods with arguments that represent bounds

Various functions/methods in the C++ and Python API implementations have numerical arguments that represent bounds on the information to be retrieved. These functions now generally use the maximum value of the argument type to represent "no bound", where previously they used -1. See the following table for details.

Behavior for the corresponding functions in the C implementation has not changed.

Change	API Implementation
Change	C++	Python	C
Set limit argument to SIZE_MAX (previously -1) to indicate no bound.	ast::pretty_print()	ast.pretty_print()	n/a
Set limit argument to SIZE_MAX (previously -1) to indicate no bound.	point::characters()	point.characters()	n/a
Set end argument to UINT32_MAX (previously -1) to indicate the end of the file.	sfileinst::count_lines()	sfileinst.count_lines()	n/a
Set col_end argument to UINT32_MAX (previously -1) to read to the end of line_end. Set limit argument to SIZE_MAX (previously -1) to return the entire substring, regardless of length.	sfileinst::read()	sfileinst.read()	n/a
Set limit argument to SIZE_MAX (previously -1) to return the entire substring, regardless of length.	sfileinst::read_line()	sfileinst.read_line()	n/a
Set line_end argument to UINT32_MAX (previously -1) to read to the end of the file. Set limit argument to SIZE_MAX (previously -1) to return the entire substring, regardless of length.	sfileinst::read_lines()	sfileinst.read_lines()	n/a

Customer Tickets Fixed

NAME	NUMBER	NOTES
False Positive: "Conversion: Pointer to Incomplete"	ZD-29189, ZD-31816, CSO-3488	fixed
ecomppc compiler model - allow use of copy-list-initialization with explicit constructor	ZD-30158, CSO-4840	ecomppc compiler model updated.
Authentication issues when username ends with a space	ZD-30512, ZD-30779, ZD-31385, CSO-4390	CodeSonar no longer permits usernames and passwords to begin or end with whitespace.
False Positive: "Cross Site Scripting (Java)"	ZD-31060, CSO-4579	fixed
IAR parse issue	ZD-31233, ZD-31319, CSO-4797	fixed
False Positive: "Uninitialized Variable"	ZD-31247, ZD-31615, CSO-4766	fixed
Configuration tool does not display hubs if user selects to use SaaS cloud instead of their own resources	ZD-31456, CSO-4908	fixed
Delist "Disabled Input Validation (Java)" warning class	ZD-31491, CSO-4929	Class no longer listed as available.
False Positive: "Missing Parentheses"	ZD-31581, CSO-5041	fixed
Error running CodeSonar image for Docker - Harbor	ZD-31725, CSO-5141	fixed
Don't report "Implicit Address of Function" on std::endl	ZD-31777, CSO-5165	fixed
Improve Dockerfile.	CSO-5067	Improvements include smaller layer sizes and expanded comments.
Management Reports: creating a warnings table with 'Show warning comments' does not show the warning comments in the report	CSO-5100, BZ-75258	fixed
Extend documentation for -launchd-key option.	CSO-5107	Extended -launchd-key documentation.