CodeSonar Release 9.2, patchlevel 0: Release Notes
--------------------------------------------------

- `Notes on Upgrading `_
- `What's New `_

.. _upgrading:

Notes on Upgrading
++++++++++++++++++

**The minimum CodeSonar version for direct upgrade to CodeSonar 7.0 or later is 4.1p0. If you have a hub that is running CodeSonar 4.0p2 or earlier, contact** `AdaCore support `__ **for assistance in upgrading.**

If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.

- See **MANUAL: Upgrading Configuration Files** for instructions.
- For some configuration files, the procedure includes steps that must be carried out before CodeSonar is upgraded.
- If you are upgrading a CodeSonar installation that will be used by someone else:

  - Determine the most appropriate person to upgrade the general template and compiler template configuration files. This will depend on local factors such as who usually makes changes to these files.

If you have previously installed the CodeSonar plug-in for Visual Studio or the CodeSonar plug-in for Eclipse, upgrade those installations after upgrading CodeSonar.

.. _major_new:

What's New
++++++++++

.. list-table::
   :header-rows: 0

   * - `Distributed Parsing `__
     - C and C++ only
   * - `Offline Build/Analysis `__
     - The CodeSonar build and analyze intervals can now be performed without connecting to a hub. We refer to this as *offline* build/analysis.
   * - ``codesonar submit-results``
     - The new ``codesonar submit-results`` subcommand collects information accumulated during offline build and analysis and submits it to a CodeSonar hub. See `Offline Build/Analysis `__, below, for more information.
   * - `codesonar mcp_server.py `__
     - The new ``codesonar mcp_server.py`` subcommand connects your AI coding agent to the CodeSonar Model Context Protocol (MCP) server.
   * - ``codesonar_citool.py``
     - New option: ``-comparison-project``.
   * - ``codesonar_gerrit_citool.py``
     - New option: ``-comparison-project``.
   * - `Build/Analysis Options `__
     - There is a new ``-offline`` option.
   * - C# Build/Analysis
     - The C# build/analysis now supports C# 14 (specify ``-csharp-source-level 14.0``) and .NET 10 (specify ``-framework net10.0``).

       CodeSonar now uses Roslyn 5.3.0, including microsoft.codeanalysis.netanalyzers 10.0.202. In consequence, there are several `new C# warning classes `__.

       Important Note: Due to a bug in Roslyn 5.3 and the .NET 10 SDK, the Roslyn MSBuild loader does not cleanly load .NET Framework projects. In consequence, CodeSonar 9.2p0 does not support analyzing .NET Framework (1.0-4.8) projects using the ``-msbuild-solution`` option to ``cs-dotnet-scan``. For more information, see `.NET Framework Analysis Limitations `__, below.
   * - `Warning Classes `__
     - There are new and modified warning classes for C/C++, Java, C#, and Kotlin.
   * - `New Warning Category Kind `__
     - Warning categories with IDs of the form OWASP-2025:A\ *num* correspond to members of the *OWASP® Top Ten Application Security Risks - 2025*.
   * - `Java Analysis Improvements `__
     - The CodeSonar Java build/analysis can now be applied to Java 23, 24, and 25.
   * - New GUI Alert Kinds
     - Two new alert kinds:

       - Missing Runtime Library (red alert)
       - Alternative Runtime Library (yellow alert)
   * - `Configuration Parameters `__
     - There are a number of new and modified configuration parameters. Four configuration parameters have been deleted.
   * - Presets
     - There are two new configuration presets:

       - ``cwe2025``. Enables all warning classes that are closely mapped to one or more of the 2025 CWE Top 25 Most Dangerous Software Weaknesses.
       - ``owasp2025``. Enables all warning classes that are closely mapped to one or more of the OWASP Top 10 2025.
   * - Compiler Models
     - The ``cc1`` compiler model is provided for use with compilers such as Rowley CrossWorks, which use the GCC/LLVM cc1 compiler internally but do not have a compiler driver.

       There are two new compiler models for Softune C compilers: ``fcc896s`` and ``fcc911s``.

       The ``cl6x`` compiler model now supports GNU C extensions.
   * - Management Report Templates
     - There are two new predefined management report templates:

       - **SANS/CWE Top 25 2025 Report.** Analysis-scoped; contains charts and tables describing the analysis warnings whose classes are closely mapped to each of the 2025 CWE Top 25 Most Dangerous Software Weaknesses.
       - **OWASP Top Ten 2025 Report.** Analysis-scoped; contains charts and tables describing the analysis warnings whose classes are closely mapped to each of the OWASP Top 10 2025.
   * - Gerrit Integration
     - See **MANUAL: CodeSonar-Gerrit Pipeline Integration: Installation and Examples**.
   * - No Longer Supported
     - The following are not supported as of this release.

       - 32-bit Windows
       - 32-bit Linux
       - FreeBSD
       - NetBSD
   * - `API Changes `__
     - There are some new API functions, and some changes to C/C++ ASTs.
   * - Bazel Integration
     - The CodeSonar build interval can now work with distributed build systems. Some plumbing of configuration information is necessary to enable specific distributed build systems. We supply a Bazel plugin that performs the requisite plumbing for Bazel. See **MANUAL: Using CodeSonar With Bazel**.
   * - Legacy Java/C#/AndroidAPI Runtimes
     - CodeSonar now ships with only the most recent versions of the Java, C#, and AndroidAPI runtimes. For this release, the shipped runtimes are {``java25``, ``androidAPI35``, ``net10.0``, ``net48``}. If you want to analyze older versions of Java/C#/Android, download the ``codesonar-analysis-runtimes`` archive package matching your CodeSonar version from the `AdaCore Support `__ website and extract the package files directly into your CodeSonar installation base directory.
   * - CWE
     - This version of CodeSonar uses CWE v4.19.1, released January 21, 2026.

Details
+++++++

.. _distributed_parsing:

Distributed Parsing (C and C++ only)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In previous CodeSonar versions, the bulk of CodeSonar's work in parsing C and C++ code took place inside the process tree of the project's native build system. The number of CodeSonar parsers that could run in parallel was limited by the number of concurrent compiler processes spawned by the project's native build system. All CodeSonar parsing work had to take place on the same machine that ran the native compiler.

With this release, the work that takes place within the project's build process tree has been reduced to identifying compilation details and saving source files to disk. This makes the CodeSonar build interval dramatically faster because it is doing less work. CodeSonar now performs the "real" work of C/C++ parsing at the start of the analyze interval. We refer to this work as "deep parsing". Deep parsing is highly parallelizable in that every translation unit can be processed simultaneously, if enough hardware is available. CodeSonar controls the level of parallelism during this phase and can distribute the work to multiple machines if configured to do so.

Languages other than C/C++ work as they did before.

We subdivide the analyze interval into *parse mode* and *analysis mode*.

.. list-table::
   :widths: 25 75
   :header-rows: 0

   * - *parse mode*
     - The first part of the analyze interval, in which *deep parsing* of the analyzed code takes place and the CodeSonar project is constructed. Two new analysis states have been introduced to cover parse mode: **Removing Obsoleted Translation Units** and **Parsing Translation Units**.
   * - *analysis mode*
     - The remainder of the analyze interval. (This corresponds to the entire CodeSonar 9.1 analyze interval.)

Parallel/distributed behavior for parse mode and analysis mode is controlled separately.

- Behavior in parse mode is controlled by a new set of ``PARSE_*`` parameters.

  - ``PARSE_SLAVES`` and ``MAX_PARSE_SLAVES`` specify the presence and degree of parallelism.
  - ``REQUEST_REMOTE_PARSE_SLAVES`` specifies the mechanism for automatically starting new parse slaves.
  - ``MEMORY_PER_PARSE_PROCESS`` estimates the memory usage of a single parse slave. CodeSonar uses this value to determine behavior when ``PARSE_SLAVES=Auto`` and ``REQUEST_REMOTE_PARSE_SLAVES=No``.

- Behavior in analysis mode is controlled by the existing set of ``ANALYSIS_*`` parameters.

Moving deep C/C++ parsing into a distinct subphase of the analyze interval provides a number of improvements.

- Generally improved performance via better parallelism: the number of CodeSonar front end processes that can run concurrently is no longer restricted to the number of parallel compilation processes spawned by the native build system.
- The work of deep parsing can be performed on machines that are more powerful than the one on which the native build (and thus ``codesonar build``) is performed.
- ``codesonar build`` commands are now much faster, because most work is performed in the analyze interval.
- Better determinism for C and C++ code involving inline functions.
- Translation units that are recompiled but entirely identical are no longer needlessly re-analyzed during incremental analysis.
- The number of HTTP requests sent to the hub during parsing is substantially smaller than before. In particular, the number of HTTP connections to the hub during parsing is now constant: it no longer scales linearly with the degree of parallelism in the parse phase.
- You may be able to reduce Max Processes in your hub settings if it was set high in order to accommodate highly parallel parsing.

.. _offline:

Offline Build/Analysis
~~~~~~~~~~~~~~~~~~~~~~

A CodeSonar analysis can be performed offline in the build interval, the analyze interval, or both. Offline build and analysis do not interact with a hub. The information that would be continually submitted if the analysis were online is instead stored in the analysis directory (or the build directory, during the build interval).

Advantages:

- If a hub is temporarily unavailable, you can still build and analyze a CodeSonar project, and delay submitting results until the hub becomes available again.
- If the hardware running the analysis cannot directly connect to the hub, its results can be transferred to a different location and then submitted to the hub.
- You can perform build and analysis offline, then make copies of the analysis directory and submit the results to multiple hubs, or to multiple projects on the same hub.

Specifying Offline Build/Analysis
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To perform a ``codesonar build`` or ``codesonar analyze`` command offline, specify the ``-offline`` flag on your command line or set ``OFFLINE=Yes`` in an appropriate configuration file.

Submitting Offline Information
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The accumulated *offline information* must be submitted to the CodeSonar hub with the ``codesonar submit-results`` command in order to be used. Specifically, ``codesonar submit-results`` must be invoked:

- *After offline analysis*.

  - Until ``codesonar submit-results`` is invoked, analysis results are not available on the hub and the analysis cannot transition to daemon mode.
  - The build directory and analysis directory cannot be used for a new analysis while they contain accumulated offline information from a previous analysis.

- *Between an offline build/analysis command and any subsequent online build/analysis command using the same build directory/analysis directory*.

  - If you attempt to perform online build/analysis with a directory that contains unsubmitted offline information, the command will fail.

Full Details
^^^^^^^^^^^^

See **MANUAL: Offline Build/Analysis**.

.. _mcp_server:

MCP Server: ``codesonar mcp_server.py``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The new ``codesonar mcp_server.py`` subcommand connects your AI coding agent to the CodeSonar `Model Context Protocol (MCP) `__ server. This server communicates over stdio and gives agents the following capabilities.

- Run CodeSonar analyses and poll their status.
- Inspect warnings.
- Search and read the CodeSonar manual.

See **MANUAL: The CodeSonar MCP Server** for details.

.. _build_analysis_opts:

New Build/Analysis Options
~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1

   * - Option
     - Purpose
   * - ``-offline``
     - Specify that the command will be `performed offline `__.

       Note: When a build or analysis step is performed offline, command line options that involve hub interaction are not applicable. See the ``-offline`` documentation in the CodeSonar manual for a full list of incompatible options.

.. _new_owasp2025:

New OWASP-2025 Category Kind
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Warning categories with IDs of the form OWASP-2025:A\ *num* correspond to members of the *OWASP® Top Ten Application Security Risks - 2025*.

.. list-table::
   :header-rows: 0

   * - Associated Warning Classes
     - OWASP-2025, OWASP-2025 broad
   * - Mapping CSV files
     - ``OWASP-2025-mapping.csv``, ``OWASP-2025-mapping-broad.csv``
   * - Relevant Preset
     - ``owasp2025``
   * - Management Report Template
     - OWASP Top Ten 2025 Report

.. _conf_params:

Configuration Parameters
~~~~~~~~~~~~~~~~~~~~~~~~

There are many `new parameters `__ and `modified parameters `__. There are also four `deleted parameters `__.

.. _new_conf_param:

New configuration parameters
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table::
   :header-rows: 1

   * - Parameter
     - Purpose
   * - ``BUILD_MASTER_LISTEN_INTERFACE``
     - Specifies the address on which the build master process will listen during the build interval.
   * - ``DP_REFINEMENT_MAX_MEMORY``
     - Specifies the maximum amount of memory, in megabytes, for the decision procedure when performing refinement (of any kind) on warnings.
   * - ``FORBIDDEN_FUNCTION_NAMES_IN_NAMESPACE``
     - Specifies the functions to be checked for the new Forbidden Function Name in Namespace warning class.
   * - ``MAX_PARSE_SLAVES``

       ``MEMORY_PER_PARSE_PROCESS``

       ``PARSE_MASTER_KEEPALIVE_PERIOD``

       ``PARSE_MASTER_LISTEN_INTERFACE``

       ``PARSE_MASTER_USE_TLS``

       ``PARSE_SLAVE_TIMEOUT``

       ``PARSE_SLAVES``

       ``REMOTE_PARSE_SLAVES_LAUNCHDS``

       ``REQUEST_REMOTE_PARSE_SLAVES``
     - Control various aspects of parallel/distributed parsing.

       Note: the existing ``REMOTE_ANALYSIS_LAUNCHD`` parameter specifies a launch daemon for remote-managing the entire analyze interval: both parse mode and analysis mode.
   * - ``OFFLINE``
     - Specifies whether build and analysis commands should be `performed offline `__.
   * - ``SLAVE_MANAGED_OBJECTS_IO_BUFFER_CAPACITY``
     - Specifies the amount of memory (in megabytes) to allocate for I/O buffering in slave processes.
   * - ``SLAVE_MANAGED_OBJECTS_IO_CHECKSUMS``
     - Specifies whether checksums should be computed/checked when performing I/O in slave processes.
   * - ``SLAVE_MANAGED_OBJECTS_IO_KERNEL_BUFFERING``
     - Specifies whether kernel page buffering should be enabled, in slave processes, for files that are buffered in userland (according to ``SLAVE_MANAGED_OBJECTS_IO_BUFFER_CAPACITY``).
   * - ``SLAVE_MANAGED_OBJECTS_PROTECT_PAGES``
     - Specifies, for slave processes, whether in-memory pages of managed objects should be protected when not in immediate use.
   * - ``SLAVE_MANAGED_OBJECTS_RESIDENT_LIMIT``
     - Specifies the amount of memory (in megabytes) to allocate for managed IR objects in slave processes.

.. _modified_conf_param:

Modified parameters
^^^^^^^^^^^^^^^^^^^

.. list-table::
   :header-rows: 1

   * - Parameter
     - Changes/Notes
   * - ``ANALYSIS_MASTER_KEEPALIVE_PERIOD``

       ``ANALYSIS_MASTER_LISTEN_INTERFACE``

       ``ANALYSIS_MASTER_USE_TLS``

       ``ANALYSIS_SLAVE_TIMEOUT``

       ``ANALYSIS_SLAVES``

       ``MAX_ANALYSIS_SLAVES``

       ``MEMORY_PER_ANALYSIS_PROCESS``

       ``REMOTE_ANALYSIS_SLAVES_LAUNCHDS``

       ``REQUEST_REMOTE_ANALYSIS_SLAVES``
     - These parameters control parallel/distributed behavior for the same set of analysis states as previously, so they have not changed as such. However, note that this set of states no longer covers the entire analyze interval, because the analyze interval has been extended to include two initial parse mode states (**Removing Obsoleted Translation Units** and **Parsing Translation Units**) whose parallel/distributed behavior is controlled by the corresponding ``PARSE_*`` parameters.
   * - ``MANAGED_OBJECTS_IO_BUFFER_CAPACITY``
     - Now controls the memory for I/O buffering in master processes only: the limit for slave processes is controlled by the new parameter ``SLAVE_MANAGED_OBJECTS_IO_BUFFER_CAPACITY``.
   * - ``MANAGED_OBJECTS_IO_CHECKSUMS``
     - Now controls I/O checksums for master processes only: checksums for slave processes are controlled by the new parameter ``SLAVE_MANAGED_OBJECTS_IO_CHECKSUMS``.
   * - ``MANAGED_OBJECTS_IO_KERNEL_BUFFERING``
     - Now controls kernel page buffering in master processes only: the setting for slave processes is controlled by the new parameter ``SLAVE_MANAGED_OBJECTS_IO_KERNEL_BUFFERING``. The factory setting is now ``No`` (previously ``Yes``, which is now the factory setting of ``SLAVE_MANAGED_OBJECTS_IO_KERNEL_BUFFERING``).
   * - ``MANAGED_OBJECTS_PROTECT_PAGES``
     - Now controls protection for in-memory pages of managed objects in master processes only: the setting for slave processes is controlled by the new parameter ``SLAVE_MANAGED_OBJECTS_PROTECT_PAGES``.
   * - ``MANAGED_OBJECTS_RESIDENT_LIMIT``
     - Now controls the memory limit for IR objects in master processes only: the limit for slave processes is controlled by the new parameter ``SLAVE_MANAGED_OBJECTS_RESIDENT_LIMIT``. The factory setting is now ``1024`` (previously ``256``, which is now the factory setting of ``SLAVE_MANAGED_OBJECTS_RESIDENT_LIMIT``).
   * - ``REMOTE_ANALYSIS_LAUNCHD``
     - Controls requesting behavior for the entire analyze interval: both parse mode and analysis mode.

.. _deleted_conf_param:

Deleted configuration parameters
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- ``ZFRAG_POOL_MINIMUM_CAPACITY``
- ``ZFRAG_POOL_SMALL_THRESHOLD``
- ``SEND_HOOK_LOG_TO_HUB`` (Native Compilation Details Log information is now always sent to the hub)
- ``SEND_PARSE_LOG_TO_HUB`` (Parse Log and Parse Details Log information is now always sent to the hub)

.. _wcs:

Warning Class Changes
~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 0

   * - `C/C++ `__
     - Several new warning classes and a small number of modified warning classes.
   * - `Java `__
     - There are three new Java warning classes.
   * - `C# `__
     - There are several new C# warning classes: some due to new built-in C# checking, and some due to upgrading to Roslyn 5.3.0.
   * - `Kotlin `__
     - Several changes, including a new set of *basic Kotlin warning classes* corresponding to new built-in checks.

.. _ccpp_wcs:

C/C++ Warning Classes
^^^^^^^^^^^^^^^^^^^^^

There are several `new warning classes `__ and a small number of `modified warning classes `__.

.. _new_ccpp_wcs:

New C/C++ Warning Classes
'''''''''''''''''''''''''

.. list-table::
   :header-rows: 0

   * - Braced Initializer with auto
     - LANG.STRUCT.INIT.BRAUTO
   * - C String
     - LANG.TYPE.CSTR
   * - Compilation Error in File
     - BUILD.ERROR
   * - Confusing Initializer-list Constructor
     - LANG.FUNCS.CILC
   * - Conversion to Type bool
     - LANG.CAST.BOOL
   * - Default Initialization of Random Number Generator
     - BADFUNC.RANDOM.DINIT
   * - Default Seed in PRNG
     - MISC.CRYPTO.SEED
   * - Enumeration Has Implicit Underlying Type
     - LANG.TYPE.EHIUT
   * - Forbidden Function Name in Namespace
     - LANG.STRUCT.DECL.FFNN
   * - Implicit Encoding in String Concatenation
     - LANG.TYPE.IMPSC
   * - Inappropriate Compare Object
     - LANG.FUNCS.ICO
   * - Inappropriate Numeric Assignment
     - LANG.TYPE.INA
   * - Inappropriate throw in noexcept Function
     - LANG.STRUCT.EXCP.ITHROW
   * - Include File Without Guard
     - LANG.PREPROC.INCL.WG
   * - Incorrect Privilege Assignment
     - MISC.PRIVILEGE
   * - Missing noexcept
     - LANG.STRUCT.EXCP.NOX
   * - Missing throw in operator new
     - LANG.STRUCT.EXCP.MTON
   * - Misplaced Digit Separator
     - LANG.TYPE.MDS
   * - Mixed Encodings in String Concatenation
     - LANG.TYPE.MIXSC
   * - Nested Conditional Operator
     - LANG.STRUCT.NCO
   * - Non-const Predicate Function Object
     - LANG.TYPE.NCPFO
   * - Non-final Class has Non-Virtual Public Destructor
     - LANG.FUNCS.NFCNVPD
   * - Non-Private Member in Non-POD
     - LANG.TYPE.ACCESS.NPOD
   * - Non-zero Error Code Assignment
     - LANG.ERRCODE.ANZ
   * - Not All Members are Private or Public
     - LANG.TYPE.ACCESS.PUBPRIV
   * - override in final Class
     - LANG.FUNCS.OFC
   * - Parameter is const Reference to Smart Pointer
     - LANG.FUNCS.PCRSMARTP
   * - Risky Range-based for-loop Initializer
     - LANG.STRUCT.LOOP.RRBFLI
   * - std::move Argument is const
     - LANG.TYPE.MOVECONST
   * - std::move Argument is Not Lvalue
     - LANG.TYPE.MOVENL
   * - typeid of Polymorphic Class Type
     - LANG.TYPE.TOPCT
   * - Symmetrical Operator Member Function
     - LANG.FUNCS.SOMF
   * - Unnecessary override Specifier
     - LANG.FUNCS.UOS
   * - Unnecessary virtual Specifier
     - LANG.FUNCS.UVS
   * - Unscoped Enumeration
     - LANG.TYPE.UENUM
   * - Use of Array Type
     - LANG.STRUCT.DECL.ARRAY
   * - Use of Built-in Unary + Operator
     - LANG.STRUCT.UPLUS
   * - Use of Function
     - BADFUNC.CCTYPE
   * - Use of Function
     - BADFUNC.CWCTYPE
   * - User-defined Literal Operator
     - LANG.FUNCS.UDLO
   * - Virtual Function Missing virtual/override/final
     - LANG.FUNCS.VFMVOF
   * - virtual in final Class
     - LANG.FUNCS.VFC

.. _mod_ccpp_wcs:

Modified C/C++ Warning Classes
''''''''''''''''''''''''''''''

.. list-table::
   :header-rows: 1

   * - Modified Class
     - Changes
   * - Function Defined in Header File (LANG.STRUCT.DEF.FDH)

       Object Defined in Header File (LANG.STRUCT.DEF.ODH)
     - Minor changes to the exception cases for these checks when analyzing code as C++, providing closer correspondence with the MISRA C++ 2023 standard.
   * - Ignored Return Value (LANG.FUNCS.IRV)
     - Additional enforced checking, via additional factory settings for ``RETURN_CHECKER_BUILT_IN_CHECKED_FUNCS`` and ``RETURN_CHECKER_BUILT_IN_CHECKED_PURE_FUNCS``.

Deleted C/C++ warning classes
'''''''''''''''''''''''''''''

.. list-table::
   :header-rows: 1

   * - Deleted Warning Class
     - Notes
   * - Mixed String Concatenation (PARSE.MIXEDSC)
     - A Mixed Encodings in String Concatenation warning will be issued instead.

.. _java_wcs:

Java Warning Classes
^^^^^^^^^^^^^^^^^^^^

There are three new Java warning classes:

.. list-table::
   :header-rows: 0

   * - Division by Zero (Java)
     - JAVA.ARITH.DIVZERO
   * - Use of Hash without a Salt (Java)
     - JAVA.CRYPTO.HWS
   * - Unsafe hash comparison (Java)
     - JAVA.CRYPTO.UHC

.. _csharp_wcs:

C# Warning Classes
^^^^^^^^^^^^^^^^^^

There are several new C# warning classes: some due to new built-in C# checking, and some due to changes in Roslyn.

New C# warning classes for built-in checks
''''''''''''''''''''''''''''''''''''''''''

.. list-table::
   :header-rows: 0

   * - Use of Hash without a Salt (C#)
     - CSHARP.CRYPTO.HWS
   * - Unsafe hash comparison (C#)
     - CSHARP.CRYPTO.UHC

.. _new_roslyn:

New Roslyn-detected C# warning classes
''''''''''''''''''''''''''''''''''''''

CodeSonar now uses Roslyn 5.3.0, including microsoft.codeanalysis.netanalyzers 10.0.202. In consequence, there are several new Roslyn-detected C# warning classes.

.. list-table::
   :header-rows: 0

   * - Avoid potentially expensive logging (C#)
     - ROSLYN.PERFORMANCE.CA1873
   * - Do not pass 'IDisposable' instances into unawaited tasks (C#)
     - ROSLYN.RELIABILITY.CA2025
   * - Do not use 'StreamReader.EndOfStream' in async methods (C#)
     - ROSLYN.RELIABILITY.CA2024
   * - Invalid braces in message template (C#)
     - ROSLYN.RELIABILITY.CA2023
   * - Use 'Regex.Count' (C#)
     - ROSLYN.PERFORMANCE.CA1875
   * - Use 'Regex.IsMatch' (C#)
     - ROSLYN.PERFORMANCE.CA1874
   * - Use cross-platform intrinsics (C#)
     - ROSLYN.MAINTAINABILITY.CA1516

.. _kotlin_wcs:

Kotlin Warning Classes
^^^^^^^^^^^^^^^^^^^^^^

There are several changes to the set of warning classes that can be issued for Kotlin code.

- `New Kotlin warning classes `__: CodeSonar now performs checks for a new set of *basic Kotlin warning classes*.
- **New enhancement**: the existing warning class Division by Zero (Java) now has enhanced Kotlin support, improving detection when Kotlin code targeting the JVM is analyzed with ``cs-java-scan``.
- **New Java analysis framework**: the new Java analysis framework kotlin.jvm (described `below `__) causes the Java analysis to perform a more constrained, Kotlin-focused analysis.

A new manual page, **Kotlin Warning Classes**, describes all CodeSonar warning classes that are supported for Kotlin and when their checks are performed.

.. _new_kotlin_wcs:

New Kotlin Warning Classes
''''''''''''''''''''''''''

.. _kotlin_basic:

CodeSonar now performs checks for a new set of *basic Kotlin warning classes*. These checks are based on simple textual properties of the source code, and are performed (when enabled) when you include Kotlin source files in your CodeSonar project through any of the following mechanisms.

- ``codesonar kotlin_scan.py``
- ``cs-java-scan``
- ``codesonar add_source_files.py``
- ``codesonar import_sarif.py``

These warning classes are all disabled by default.

.. list-table::
   :header-rows: 0

   * - Deserialization of Untrusted Data (Kotlin)
     - KOTLIN.CLASS.SER.READ
   * - Dynamic Thread Creation (Kotlin)
     - KOTLIN.CONCURRENCY.DTC
   * - Exposure of PII via write (Kotlin)
     - KOTLIN.IO.PILEAK.PII
   * - File Descriptor Exposed to Child Process (Kotlin)
     - KOTLIN.PROCESS.INHERIT_FD
   * - Hardcoded Credentials (Kotlin)
     - KOTLIN.HARDCODED.CRED
   * - Hardcoded Seed in PRNG (Kotlin)
     - KOTLIN.HARDCODED.SEED
   * - Improper Certificate Chain Validation (Kotlin)
     - KOTLIN.CRYPTO.TRUSTMGR
   * - Improper Export of Android Component (Kotlin)
     - KOTLIN.ANDROID.EXPORT
   * - Improper Hostname Verification (Kotlin)
     - KOTLIN.CRYPTO.HOSTVERIFY
   * - Inadequate Salt (Kotlin)
     - KOTLIN.CRYPTO.SALT
   * - Inappropriate Array Index (Kotlin)
     - KOTLIN.MEM.IAI
   * - Insecure Random Number Generator (Kotlin)
     - KOTLIN.LIB.RAND.FUNC
   * - Integer Overflow or Wraparound (Kotlin)
     - KOTLIN.ARITH.OFLOW.MUL
   * - Missing Parentheses (Kotlin)
     - KOTLIN.STRUCT.PARENS
   * - Plaintext Storage of Password (Kotlin)
     - KOTLIN.PWD.PLAIN
   * - Plaintext Storage of Password in Cookie (Kotlin)
     - KOTLIN.PWD.PLAIN.COOKIE
   * - Plaintext Storage of Password in Preferences (Kotlin)
     - KOTLIN.PWD.PLAIN.PREF
   * - Plaintext Transmission of Password (Kotlin)
     - KOTLIN.PWD.PLAINTRAN
   * - Potential Deadlock via ReentrantLock (Kotlin)
     - KOTLIN.CONCURRENCY.LOCK.NESTED.RL
   * - Potential Deadlock via Synchronized (Kotlin)
     - KOTLIN.CONCURRENCY.LOCK.NESTED.SYNC
   * - Potentially Tainted URL (Kotlin)
     - KOTLIN.IO.PTAINT.URL
   * - Potentially Unsynchronised Singleton (Kotlin)
     - KOTLIN.CONCURRENCY.SINGLETON
   * - Predictable Seed in PRNG (Kotlin)
     - KOTLIN.CRYPTO.TIMESEED
   * - Sensitive Credentials in Error Log (Kotlin)
     - KOTLIN.IO.CRED.ERRLOG
   * - Sensitive Credentials in Log File (Kotlin)
     - KOTLIN.IO.CRED.LOG
   * - Sensitive Credentials in Print (Kotlin)
     - KOTLIN.IO.CRED.PRINT
   * - Sensitive Data in Implicit Intent (Kotlin)
     - KOTLIN.IO.PILEAK.INTENT
   * - Sensitive Data in Unsecured External Storage (Kotlin)
     - KOTLIN.IO.PILEAK.EXTERNAL
   * - Use of Hash without a Salt (Kotlin)
     - KOTLIN.CRYPTO.HWS

.. _java_update:

Java Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~

- The CodeSonar Java build/analysis can now be applied to `Java 23, 24, and 25 `__.
- `New framework option kotlin.jvm `__.
- Kotlin source files included in Java build/analysis are now also `analyzed for basic Kotlin warning classes `__.

.. _java_23_24_25:

Java Build/Analysis for Java 23, 24, 25
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The CodeSonar Java build/analysis can now be applied to Java 23, 24, and 25. ``java23``, ``java24``, and ``java25`` are now valid settings for:

- the ``JAVA_ANALYSIS_FRAMEWORK`` configuration parameter, and
- the ``-framework`` option to ``cs-java-scan``.

Features that are still in preview status as of a particular Java version are *not* parsed when that version (or earlier) is specified. Support and handling for new permanent features in Java 25 are described in the following table. Java 23 and Java 24 have no new permanent features.

.. list-table::
   :header-rows: 1

   * - Feature
     - State of support
     - Notes
   * - Module Import Declarations

       *JEP 511*
     - Parsed and full internal representation (IR) generated
     - Minimum specified framework for parsing: Java 25.
   * - Compact Source Files and Instance Main Methods

       *JEP 512*
     - Parsed and full internal representation (IR) generated
     - Minimum specified framework for parsing: Java 25.
   * - Flexible Constructor Bodies

       *JEP 513*
     - Parsed and full internal representation (IR) generated
     - Minimum specified framework for parsing: Java 25.
   * - Scoped Values

       *JEP 506*
     - Parsed only
     - Minimum specified framework for parsing: Java 25.

See **MANUAL: CodeSonar support for specific Java versions** for more information.

.. _kotlin_jvm:

New framework option ``kotlin.jvm``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The new framework option ``kotlin.jvm`` causes the Java analysis to perform a more constrained, Kotlin-focused analysis.

- When the ``kotlin.jvm`` framework is specified, the Java analysis can only issue a subset of the Java warning classes: those that are supported in both Java and Kotlin.
- When no framework is specified, or a different framework such as ``java25`` or ``androidAPI35`` is specified, the Java analysis can issue all Java warning classes, even in Kotlin source code.
- For more information, see **MANUAL: Java+Kotlin Warning Classes**.

Java analysis can issue warnings from basic Kotlin warning classes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Kotlin source files that are analyzed with the CodeSonar Java analysis are now also checked for the new basic Kotlin warning classes (listed `above `__). For more information, see **MANUAL: Basic Kotlin Warning Classes**.

.. _api:

API Changes
~~~~~~~~~~~

There are some new API functions, and some changes to C/C++ ASTs.

New API Functions
^^^^^^^^^^^^^^^^^

..
list-table:: :header-rows: 1 * - Description - C++ - Python - C * - Get the list of flags that enable all warnings for the compiler that compiled this compilation unit. - ``compunit::compiler_wall_enable_flags()`` - ``compunit.compiler_wall_enable_flags()`` - ``cs_file_compiler_wall_enable_flags()`` * - Get the list of flags that cause the compiler that compiled this compilation unit to treat warnings as errors. - ``compunit::compiler_werror_enable_flags()`` - ``compunit.compiler_wall_enable_flags()`` - ``cs_file_compiler_werror_enable_flags()`` * - Get the list of flags seen on the native command line that disable a subset of warnings for the compiler that compiled this compilation unit. - ``compunit::seen_wall_disable_flags()`` - ``compunit.seen_wall_disable_flags()`` - ``cs_file_seen_wall_disable_flags()`` * - Get the list of flags seen on the native command line that disable a subset of errors or cause warnings to not be treated as errors for the compiler that compiled this compilation unit. - ``compunit::seen_werror_disable_flags()`` - ``compunit.seen_werror_enable_flags()`` - ``cs_file_seen_werror_disable_flags()`` * - Get a specified ast-typed field of an AST. - *(ast_field::as_ast() already existed)* - *(ast_field.as_ast() already existed)* - ``cs_ast_get_field_as_ast()`` * - Check: is a file instance an instance of a system include file? - *(sfileinst::is_system_include() already existed)* - *(sfileinst.is_system_include() already existed)* - New function ``cs_sfid_is_system_include()``, in header ``cs_source_files.h``. You can continue to use ``csonar_file_is_system_include()`` (in ``csonar_plugin.h``) if you prefer. 
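As an added example (not CodeSonar's own plugin code), the following Python shows how the four new compunit flag-list accessors named in the table above could drive a build-hygiene check that reports compilation units built without an all-warnings flag or warnings-as-errors, or with those settings partly undone on the command line. The real plugin entry point and warning-emission API are not shown on this page, so ``FakeCompUnit`` is a constructed stand-in that models the four accessors over a GCC-style command line; its ``native_command_line()`` method is an assumption, not an accessor documented here.

```python
# Added example, not part of CodeSonar. FakeCompUnit is a constructed stand-in
# for a compunit: the four flag-list accessors are the ones named in the
# release notes; native_command_line() is an ASSUMED method (not on this page).
from dataclasses import dataclass


@dataclass
class FakeCompUnit:
    """Stand-in compunit over a GCC-style command line (constructed input)."""
    cmdline: list

    def native_command_line(self):            # assumed accessor
        return list(self.cmdline)

    def compiler_wall_enable_flags(self):     # flags that enable all warnings
        return ["-Wall", "-Wextra"]

    def compiler_werror_enable_flags(self):   # flags that make warnings errors
        return ["-Werror"]

    def seen_wall_disable_flags(self):        # -Wno-<warning>, not -Wno-error...
        return [f for f in self.cmdline
                if f.startswith("-Wno-") and not f.startswith("-Wno-error")]

    def seen_werror_disable_flags(self):      # -Wno-error or -Wno-error=<warning>
        return [f for f in self.cmdline if f.startswith("-Wno-error")]


def warning_policy_findings(unit):
    """Return (severity, message) pairs describing weakened diagnostics."""
    seen = set(unit.native_command_line())
    findings = []
    if not seen.intersection(unit.compiler_wall_enable_flags()):
        findings.append(("high", "no all-warnings flag on command line"))
    if not seen.intersection(unit.compiler_werror_enable_flags()):
        findings.append(("medium", "warnings are not treated as errors"))
    for flag in unit.seen_wall_disable_flags():
        findings.append(("low", f"warning subset silenced by {flag}"))
    for flag in unit.seen_werror_disable_flags():
        # A bare -Wno-error undoes -Werror for every warning class at once.
        sev = "high" if flag == "-Wno-error" else "medium"
        findings.append((sev, f"warnings-as-errors weakened by {flag}"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to its highest severity ("none" if empty)."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[0] for f in findings), key=order.get, default="none")
```

In a real plugin the stand-in would be replaced by the compunit object CodeSonar hands the plugin, and each finding would be reported through the plugin's warning API rather than returned.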
AST Class Changes
^^^^^^^^^^^^^^^^^

Modified unnormalized C/C++ AST classes:

- ``cc:class-struct-union`` has new ``:is-pod-class`` attribute
- ``cc:enum`` has new ``:explicit-underlying-type`` attribute
- ``cc:source-correspondence`` has new ``:is-c-external`` attribute
- ``cc:variable`` has new ``:has-direct-braced-initializer`` attribute
- ``cc:exception-specification`` has new ``:is-noexcept``, ``:throw-any``, and ``:compiler-generated`` attributes
- ``cc:routine`` has new ``:is-override`` and ``:is-declared-virtual`` attributes

.. _dotnet_limitations:

.NET Framework Analysis Limitations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Due to a bug (dotnet/roslyn #82931) in Roslyn 5.3 and the .NET 10 SDK, the Roslyn MSBuild loader does not cleanly load .NET Framework projects. A fix for this bug is anticipated in a future .NET release. In consequence, CodeSonar 9.2p0 does not support analyzing .NET Framework (1.0-4.8) projects using the ``-msbuild-solution`` option to ``cs-dotnet-scan``.

If your project includes .NET Framework components, you have several options.

- As a work-around, you can try analyzing those components with the ``-include-artifacts`` option to ``cs-dotnet-scan`` (rather than the ``-msbuild-solution`` option). Note that ``-include-artifacts`` does not produce exactly the same analysis as ``-msbuild-solution``.
- Wait for a future version of CodeSonar. Once a fixed version of .NET 10 has been released, the ability to analyze .NET Framework projects using ``cs-dotnet-scan -msbuild-solution`` will be restored.

Customer Tickets Fixed
~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1

   * - NAME
     - NUMBER
     - NOTES
   * - Conflict between projects with the same name, but under different project trees, when editing the name to be the same as a project in another project tree.
     - #4907, ZD-31602, CSO-5098
     - *fixed*
   * - Parse errors for the cc21k.exe compiler builtins: \__builtin_fminf, \__builtin_fmaxf
     - #4981, ZD-31833, CSO-5193
     - *fixed*
   * - typo in kill analysis output and hub breadcrumb text
     - #5677, ZD-32282, CSO-5908
     - *fixed*
   * - Parse errors: no instance of constructor "boost::ext::sml::v1_1_4::aux::fixed_string" matches the argument list
     - #5703, ZD-32359, CSO-5935
     - *fixed*
   * - Parse error: second operator in binary fold expression does not match first
     - #5704, ZD-32359, CSO-5936
     - *fixed*
   * - armcc compiler model affects output in .d files
     - #5718, ZD-32440, CSO-5954
     - *fixed*
   * - Hub exception when receiving a junk auth service ID
     - #5759, ZD-32468, CSO-5998
     - *fixed*
   * - C#: SEVERE Exception while looking for source references in PDB file, Index was outside the bounds of the array.
     - #5864, ZD-32289, CSO-6104
     - *fixed*
   * - Account for MISRA C:2012 Technical Corrigendum 2 Technical clarification of MISRA C:2012 (March 2022)
     - #5909, #6115, #7028, CS0042781, ZD-32664, ZD-33150, CSO-6152, CSO-6379
     - Updated: see **MANUAL: Checks for MISRA C Standards**
   * - parse errors
     - #5982, ZD-32813, CSO-6237
     - *fixed*
   * - Boost parse errors: variable in constexpr function is uninitialized
     - #5988, ZD-32796, CSO-6243
     - *fixed*
   * - null pointer dereference in function: xQueueGenericCreateStatic
     - #6003, ZD-32867, CSO-6259
     - library model updated
   * - parse errors with armcc compiler (Windows)
     - #6035, ZD32693, CSO-6292
     - *fixed*
   * - penetration testing on 9.1p0 shows that some JavaScript libraries which seem to have security vulnerabilities
     - #6064, ZD-32992, CSO-6325
     - security improved
   * - maximum object size that CodeSonar can handle, causing Buffer Underrun warnings
     - #6065, ZD-32975, CSO-6327
     - maximum size tracked increased by a factor of 8
   * - FP - LANG.FUNCS.MODP : Modified Parameter
     - #6338, ZD-33003, CSO-6602
     - *fixed*
   * - parse errors with aarch64-elina-linux-g++ compiler
     - #6351, ZD-33094, CSO-6617
     - *fixed*
   * - FP - Invalid Number: warning message cuts off compiler option
     - #6352, ZD-33196, CSO-6618
     - *fixed*
   * - FUSA test versions: 9.0.0/9.1p0, contain duplicate test cases in the fusatest-tcs.json
     - #6555, ZD-32185, CSO-6823
     - *fixed*
   * - False positive warnings generated in the CodeSonar report for system call
     - #6741, ZD-33379
     - *fixed*
   * - Inquiry Regarding Java Score
     - #6770, ZD-33419
     - Refined score computations for many warning classes, including Java warning classes.
   * - Update manual page for LANG.TYPE.BASIC
     - #6883, CS0042528
     - Updated, see **MANUAL: LANG.TYPE.BASIC**