CodeSonar Release 9.2, patchlevel 0: Release Notes

Notes on Upgrading

The minimum CodeSonar version for direct upgrade to CodeSonar 7.0 or later is 4.1p0. If you have a hub that is running CodeSonar 4.0p2 or earlier, contact AdaCore support for assistance in upgrading.

If you have made changes to any of your CodeSonar configuration files, you will need to upgrade those files as part of the upgrade process.

  • See MANUAL: Upgrading Configuration Files for instructions.

  • For some configuration files, the procedure includes steps that must be carried out before CodeSonar is upgraded.

  • If you are upgrading a CodeSonar installation that will be used by someone else:

    • Determine the most appropriate person to upgrade the general template and compiler template configuration files. This will depend on local factors such as who usually makes changes to these files.

If you have previously installed the CodeSonar plug-in for Visual Studio or CodeSonar plug-in for Eclipse, upgrade those installations after upgrading CodeSonar.

What’s New

Distributed Parsing

C and C++ only

Offline Build/Analysis

The CodeSonar build and analyze intervals can now be performed without connecting to a hub. We refer to this as offline build/analysis.

codesonar submit-results

The new codesonar submit-results subcommand collects information accumulated during offline build and analysis and submits it to a CodeSonar hub. See Offline Build/Analysis, below, for more information.

codesonar mcp_server.py

The new codesonar mcp_server.py subcommand connects your AI coding agent to the CodeSonar Model Context Protocol (MCP) server.

codesonar_citool.py

New option: -comparison-project.

codesonar_gerrit_citool.py

New option: -comparison-project.

Build/Analysis Options

There is a new -offline option.

C# Build/Analysis

The C# build/analysis now supports C# 14 (specify -csharp-source-level 14.0) and .NET 10 (specify -framework net10.0).

CodeSonar now uses Roslyn 5.3.0, including microsoft.codeanalysis.netanalyzers10.0.202. In consequence, there are several new C# warning classes.

Important Note: Due to a bug in Roslyn 5.3 and .NET 10 SDK, the Roslyn MSBuild loader does not cleanly load .NET Framework projects. In consequence, CodeSonar 9.2p0 does not support analyzing .NET Framework (1.0-4.8) projects using the -msbuild-solution option to cs-dotnet-scan. For more information, see .NET Framework Analysis Limitations, below.

Warning Classes

There are new and modified warning classes for C/C++, Java, C#, and Kotlin.

New Warning Category Kind

Warning categories with IDs of the form OWASP-2025:Anum correspond to members of the OWASP® Top Ten Application Security Risks - 2025.

Java Analysis Improvements

The CodeSonar Java build/analysis can now be applied to Java 23, 24, and 25.

New GUI Alert Kinds
Two new alert kinds:

  • Missing Runtime Library (red alert)

  • Alternative Runtime Library (yellow alert)

Configuration Parameters

There are a number of new and modified configuration parameters. Four configuration parameters have been deleted.

Presets
There are two new configuration presets:

  • cwe2025. Enables all warning classes that are closely mapped to one or more of the 2025 CWE Top 25 Most Dangerous Software Weaknesses.

  • owasp2025. Enables all warning classes that are closely mapped to one or more of the OWASP Top 10 2025.

Compiler Models

The cc1 compiler model is provided for use with compilers such as Rowley CrossWorks, which use the GCC/LLVM cc1 compiler internally but do not have a compiler driver.

There are two new compiler models for Softune C compilers: fcc896s and fcc911s.

The cl6x compiler model now supports GNU C extensions.

Management Report Templates
There are two new predefined management report templates:

  • SANS/CWE Top 25 2025 Report. Analysis-scoped; contains charts and tables describing the analysis warnings whose classes are closely mapped to each of the 2025 CWE Top 25 Most Dangerous Software Weaknesses.

  • OWASP Top Ten 2025 Report. Analysis-scoped; contains charts and tables describing the analysis warnings whose classes are closely mapped to each of the OWASP Top 10 2025.

Gerrit Integration

See MANUAL: CodeSonar-Gerrit Pipeline Integration: Installation and Examples

No Longer Supported
The following are not supported as of this release.

  • 32-bit Windows

  • 32-bit Linux

  • FreeBSD

  • NetBSD

API Changes

There are some new API functions, and some changes to C/C++ ASTs.

Bazel Integration

The CodeSonar build interval can now work with distributed build systems. Some plumbing of configuration information is necessary to enable specific distributed build systems. We supply a Bazel plugin that performs the requisite plumbing for Bazel. See MANUAL: Using CodeSonar With Bazel.

Legacy Java/C#/AndroidAPI Runtimes

CodeSonar now ships with only the most recent versions of Java, C#, and AndroidAPI runtimes. For this release, the shipped runtimes are {java25, androidAPI35, net10.0, net48}. If you want to analyze older versions of Java/C#/Android, download the codesonar-analysis-runtimes archive package matching your CodeSonar version from the AdaCore Support website and extract the package files directly into your CodeSonar installation base directory.

CWE

This version of CodeSonar uses CWE v4.19.1, released January 21, 2026.

Details

Distributed Parsing (C and C++ only)

In previous CodeSonar versions, the bulk of CodeSonar’s work in parsing C and C++ code took place inside the process tree of the project’s native build system. The number of CodeSonar parsers that could run in parallel was limited by the number of concurrent compiler processes spawned by the project’s native build system. All CodeSonar parsing work had to take place on the same machine that ran the native compiler.

With this release, the work that takes place within the project’s build process tree has been reduced to identifying compilation details and saving source files to disk. This makes the CodeSonar build interval dramatically faster because it is doing less work.

CodeSonar now performs the “real” work of C/C++ parsing at the start of the analyze interval. We refer to this work as “deep parsing”. Deep parsing is highly parallelizable in that every translation unit can be processed simultaneously, if enough hardware is available. CodeSonar controls the level of parallelism during this phase and can distribute the work to multiple machines if configured to do so.

Languages other than C/C++ work as they did before.

We subdivide the analyze interval into parse mode and analysis mode.

parse mode

The first part of the analyze interval, in which deep parsing of the analyzed code takes place and the CodeSonar project is constructed. Two new analysis states have been introduced to cover parse mode: Removing Obsoleted Translation Units and Parsing Translation Units.

analysis mode

The remainder of the analyze interval. (This corresponds to the entire CodeSonar 9.1 analyze interval.)

Parallel/distributed behavior for parse mode and analysis mode are controlled separately.

  • Behavior in parse mode is controlled by a new set of PARSE_* parameters.

    • PARSE_SLAVES and MAX_PARSE_SLAVES to specify the presence and degree of parallelism.

    • REQUEST_REMOTE_PARSE_SLAVES specifies the mechanism for automatically starting new parse slaves.

    • MEMORY_PER_PARSE_PROCESS estimates the memory usage for a single parse slave. CodeSonar uses this value to determine behavior when PARSE_SLAVES=Auto and REQUEST_REMOTE_PARSE_SLAVES=No.

  • Behavior in analysis mode is controlled by the existing set of ANALYSIS_* parameters.

Moving deep C/C++ parsing into a distinct subphase of the analyze interval provides a number of improvements.

  • Generally improved performance via better parallelism: the number of CodeSonar front end processes that can run concurrently is no longer restricted to the number of parallel compilation processes spawned by the native build system.

  • The work of deep parsing can be performed on machines that are more powerful than the one on which the native build (and thus codesonar build) is performed.

  • codesonar build commands are now much faster, because most work is performed in the analyze interval.

  • Better determinism for C and C++ code involving inline functions.

  • Translation units that are recompiled but entirely identical are no longer needlessly re-analyzed during incremental analysis

  • The number of HTTP requests sent to the hub during parsing is substantially smaller than before. In particular, the number of HTTP connections to the hub during parsing is now constant: it no longer scales linearly with the degree of parallelism in the parse phase.

    • You may be able to reduce Max Processes in your hub settings if it was set high in order to accommodate highly parallel parsing.

Offline Build/Analysis

A CodeSonar analysis can be performed offline in the build interval, analyze interval, or both.

Offline build and analysis do not interact with a hub. The information that would be continually submitted if the analysis were online is instead stored in the analysis directory (or build directory, during the build interval).

Advantages:

  • If a hub is temporarily unavailable you can still build and analyze a CodeSonar project, and delay submitting results until the hub becomes available again.

  • If the hardware running the analysis cannot directly connect to the hub, its results can be transferred to a different location and then submitted to the hub.

  • You can perform build and analysis offline, then make copies of the analysis directory and submit the results to multiple hubs, or to multiple projects on the same hub.

Specifying Offline Build/Analysis

To perform a codesonar build or codesonar analyze command offline, specify the -offline flag in your command line or set OFFLINE=Yes in an appropriate configuration file.

Submitting Offline Information

The accumulated offline information must be submitted to the CodeSonar hub with the codesonar submit-results command in order to be used. Specifically, codesonar submit-results must be invoked:

  • After offline analysis.

    • Until codesonar submit-results is invoked, analysis results are not available on the hub and the analysis cannot transition to daemon mode.

    • The build directory and analysis directory cannot be used for a new analysis while they contain accumulated offline information from a previous analysis.

  • Between an offline build/analysis command and any subsequent online build/analysis command using the same build directory/analysis directory.

    • If you attempt to perform online build/analysis with a directory that contains unsubmitted offline information, the command will fail.

Full Details

See MANUAL: Offline Build/Analysis.

MCP Server: codesonar mcp_server.py

The new codesonar mcp_server.py subcommand connects your AI coding agent to the CodeSonar Model Context Protocol (MCP) server. This server communicates over stdio and bestows agents with the following capabilities.

  • Run CodeSonar analyses and poll their status.

  • Inspect warnings.

  • Search and read the CodeSonar manual.

See MANUAL: The CodeSonar MCP Server for details.

New Build/Analysis Options

Option

Purpose

-offline

Specify that the command will be performed offline. Note: When a build or analysis step is performed offline, command line options that involve hub interaction are not applicable. See the -offline documentation in the CodeSonar manual for a full list of incompatible options.

New OWASP-2025 Category Kind

Warning categories with IDs of the form OWASP-2025:Anum correspond to members of the OWASP® Top Ten Application Security Risks - 2025.

Associated Warning Classes

OWASP-2025, OWASP-2025 broad

Mapping CSV files

OWASP-2025-mapping.csv, OWASP-2025-mapping-broad.csv

Relevant Preset

owasp2025

Management Report Template

OWASP Top Ten 2025 Report

Configuration Parameters

There are many new parameters and modified parameters. There are also four deleted parameters.

New configuration parameters

Parameter

Purpose

BUILD_MASTER_LISTEN_INTERFACE

Specifies the address on which the build master process will listen during the build interval.

DP_REFINEMENT_MAX_MEMORY

Specifies the maximum amount of memory, in megabytes, for the decision procedure when performing refinement (any kind) on warnings.

FORBIDDEN_FUNCTION_NAMES_IN_NAMESPACE

Specifies the functions to be checked for the new Forbidden Function Name in Namespace warning class.

MAX_PARSE_SLAVES MEMORY_PER_PARSE_PROCESS PARSE_MASTER_KEEPALIVE_PERIOD PARSE_MASTER_LISTEN_INTERFACE PARSE_MASTER_USE_TLS PARSE_SLAVE_TIMEOUT PARSE_SLAVES REMOTE_PARSE_SLAVES_LAUNCHDS REQUEST_REMOTE_PARSE_SLAVES

Control various aspects of parallel/distributed parsing.

Note: the existing REMOTE_ANALYSIS_LAUNCHD parameter specifies a launch daemon for remote-managing the entire analyze interval: both parse mode and analysis mode.

OFFLINE

Specify whether build and analysis commands should be performed offline.

SLAVE_MANAGED_OBJECTS_IO_BUFFER_CAPACITY

Specifies the amount of memory (in Megabytes) to allocate for I/O buffering in slave processes.

SLAVE_MANAGED_OBJECTS_IO_CHECKSUMS

Specifies whether checksums should be should be computed/checked when performing I/O in slave processes.

SLAVE_MANAGED_OBJECTS_IO_KERNEL_BUFFERING

Specifies whether kernel page buffering should be enabled for files that are buffered in userland (according to SLAVE_MANAGED_OBJECTS_IO_BUFFER_CAPACITY), in slave processes.

SLAVE_MANAGED_OBJECTS_PROTECT_PAGES

Specify, for slave processes, whether in-memory pages of managed objects should be protected when not in immediate use.

SLAVE_MANAGED_OBJECTS_RESIDENT_LIMIT

Specifies the amount of memory (in Megabytes) to allocate for managed IR objects in slave processes.

Modified parameters

Parameter

Changes/Notes

ANALYSIS_MASTER_KEEPALIVE_PERIOD ANALYSIS_MASTER_LISTEN_INTERFACE ANALYSIS_MASTER_USE_TLS ANALYSIS_SLAVE_TIMEOUT ANALYSIS_SLAVES MAX_ANALYSIS_SLAVES MEMORY_PER_ANALYSIS_PROCESS REMOTE_ANALYSIS_SLAVES_LAUNCHDS REQUEST_REMOTE_ANALYSIS_SLAVES

These parameters control parallel/distributed behavior for the same set of analysis states as previously, so have not changed as such. However, it is worth noting that this set of states no longer covers the entire analyze interval, because the analyze interval has been extended to include two initial parse mode states (Removing Obsoleted Translation Units and Parsing Translation Units) whose parallel/distributed behavior is controlled by the corresponding PARSE_* parameters.

MANAGED_OBJECTS_IO_BUFFER_CAPACITY

Now controls the memory for I/O buffering in master processes only: the limit for slave processes is controlled by new parameter SLAVE_MANAGED_OBJECTS_IO_BUFFER_CAPACITY.

MANAGED_OBJECTS_IO_CHECKSUMS

Now controls I/O checksums for master processes only: checksums for slave processes are controlled by new parameter SLAVE_MANAGED_OBJECTS_IO_CHECKSUMS.

MANAGED_OBJECTS_IO_KERNEL_BUFFERING

Now controls kernel page buffering in master processes only: the limit for slave processes is controlled by new parameter SLAVE_MANAGED_OBJECTS_IO_KERNEL_BUFFERING. The factory setting is now No (previously Yes, which is now the factory setting of SLAVE_MANAGED_OBJECTS_IO_KERNEL_BUFFERING).

MANAGED_OBJECTS_PROTECT_PAGES

Now controls protection for in-memory pages of managed objects in master processes only: the limit for slave processes is controlled by new parameter SLAVE_MANAGED_OBJECTS_PROTECT_PAGES.

MANAGED_OBJECTS_RESIDENT_LIMIT

Now controls the memory limit for IR objects in master processes only: the limit for slave processes is controlled by new parameter SLAVE_MANAGED_OBJECTS_RESIDENT_LIMIT. The factory setting is now 1024 (previously 256, which is now the factory setting of SLAVE_MANAGED_OBJECTS_RESIDENT_LIMIT).

REMOTE_ANALYSIS_LAUNCHD

Controls requesting behavior for the entire analyze interval: both parse mode and analysis mode.

Deleted configuration parameters

  • ZFRAG_POOL_MINIMUM_CAPACITY

  • ZFRAG_POOL_SMALL_THRESHOLD

  • SEND_HOOK_LOG_TO_HUB (Native Compilation Details Log information is now always sent to the hub)

  • SEND_PARSE_LOG_TO_HUB (Parse Log and Parse Details Log information is now always sent to the hub)

Warning Class Changes

C/C++

Several new warning classes and a small number of modified warning classes.

Java

There are three new Java warning classes.

C#

There are several new C# warning classes: some due to new built-in C# checking, and some due to upgrading to Roslyn 5.3.0.

Kotlin

Several changes, including a new set of basic Kotlin warning classes corresponding to new built-in checks.

C/C++ Warning Classes

There are several new warning classes and a small number of modified warning classes.

New C/C++ Warning Classes

Braced Initializer with auto

LANG.STRUCT.INIT.BRAUTO

C String

LANG.TYPE.CSTR

Compilation Error in File

BUILD.ERROR

Confusing Initializer-list Constructor

LANG.FUNCS.CILC

Conversion to Type bool

LANG.CAST.BOOL

Default Initialization of Random Number Generator

BADFUNC.RANDOM.DINIT

Default Seed in PRNG

MISC.CRYPTO.SEED

Enumeration Has Implicit Underlying Type

LANG.TYPE.EHIUT

Forbidden Function Name in Namespace

LANG.STRUCT.DECL.FFNN

Implicit Encoding in String Concatenation

LANG.TYPE.IMPSC

Inappropriate Compare Object

LANG.FUNCS.ICO

Inappropriate Numeric Assignment

LANG.TYPE.INA

Inappropriate throw in noexcept Function

LANG.STRUCT.EXCP.ITHROW

Include File Without Guard

LANG.PREPROC.INCL.WG

Incorrect Privilege Assignment

MISC.PRIVILEGE

Missing noexcept

LANG.STRUCT.EXCP.NOX

Missing throw in operator new

LANG.STRUCT.EXCP.MTON

Misplaced Digit Separator

LANG.TYPE.MDS

Mixed Encodings in String Concatenation

LANG.TYPE.MIXSC

Nested Conditional Operator

LANG.STRUCT.NCO

Non-const Predicate Function Object

LANG.TYPE.NCPFO

Non-final Class has Non-Virtual Public Destructor

LANG.FUNCS.NFCNVPD

Non-Private Member in Non-POD

LANG.TYPE.ACCESS.NPOD

Non-zero Error Code Assignment

LANG.ERRCODE.ANZ

Not All Members are Private or Public

LANG.TYPE.ACCESS.PUBPRIV

override in final Class

LANG.FUNCS.OFC

Parameter is const Reference to Smart Pointer

LANG.FUNCS.PCRSMARTP

Risky Range-based for-loop Initializer

LANG.STRUCT.LOOP.RRBFLI

std::move Argument is const

LANG.TYPE.MOVECONST

std::move Argument is Not Lvalue

LANG.TYPE.MOVENL

typeid of Polymorphic Class Type

LANG.TYPE.TOPCT

Symmetrical Operator Member Function

LANG.FUNCS.SOMF

Unnecessary override Specifier

LANG.FUNCS.UOS

Unnecessary virtual Specifier

LANG.FUNCS.UVS

Unscoped Enumeration

LANG.TYPE.UENUM

Use of Array Type

LANG.STRUCT.DECL.ARRAY

Use of Built-in Unary + Operator

LANG.STRUCT.UPLUS

Use of <cctype> Function

BADFUNC.CCTYPE

Use of <cwctype> Function

BADFUNC.CWCTYPE

User-defined Literal Operator

LANG.FUNCS.UDLO

Virtual Function Missing virtual/override/final

LANG.FUNCS.VFMVOF

virtual in final Class

LANG.FUNCS.VFC
Modified C/C++ Warning Classes

Modified Class

Changes

Function Defined in Header File LANG.STRUCT.DEF.FDH

Minor changes to the exception cases for these checks when analyzing code as C++, providing closer correspondence with the MISRA C++ 2023 standard.

Object Defined in Header File LANG.STRUCT.DEF.ODH

Ignored Return Value LANG.FUNCS.IRV

Additional enforced checking, via additional factory settings for RETURN_CHECKER_BUILT_IN_CHECKED_FUNCS and RETURN_CHECKER_BUILT_IN_CHECKED_PURE_FUNCS.
Deleted C/C++ warning classes

Deleted Warning Class

Notes

Mixed String Concatenation PARSE.MIXEDSC

A Mixed Encodings in String Concatenation warning will be issued instead.

Java Warning Classes

There are three new Java warning classes:

Division by Zero (Java)

JAVA.ARITH.DIVZERO

Use of Hash without a Salt (Java)

JAVA.CRYPTO.HWS

Unsafe hash comparison (Java)

JAVA.CRYPTO.UHC

C# Warning Classes

There are several new C# warning classes: some due to new built-in C# checking, and some due to changes in Roslyn.

New C# warning classes for built-in checks

Use of Hash without a Salt (C#)

CSHARP.CRYPTO.HWS

Unsafe hash comparison (C#)

CSHARP.CRYPTO.UHC
New Roslyn-detected C# warning classes

CodeSonar now uses Roslyn 5.3.0, including microsoft.codeanalysis.netanalyzers 10.0.202. In consequence, there are several new Roslyn-detected C# warning classes.

Avoid potentially expensive logging (C#)

ROSLYN.PERFORMANCE.CA1873

Do not pass ‘IDisposable’ instances into unawaited tasks (C#)

ROSLYN.RELIABILITY.CA2025

Do not use ‘StreamReader.EndOfStream’ in async methods (C#)

ROSLYN.RELIABILITY.CA2024

Invalid braces in message template (C#)

ROSLYN.RELIABILITY.CA2023

Use ‘Regex.Count’ (C#)

ROSLYN.PERFORMANCE.CA1875

Use ‘Regex.IsMatch’ (C#)

ROSLYN.PERFORMANCE.CA1874

Use cross-platform intrinsics (C#)

ROSLYN.MAINTAINABILITY.CA1516

Kotlin Warning Classes

There are several changes to the set of warning classes that can be issued for Kotlin code.

  • New Kotlin warning classes: CodeSonar now performs checks for a new set of basic Kotlin warning classes.

  • New enhancement: existing warning class Division by Zero (Java) now has enhanced Kotlin support, improving detection when Kotlin code targeting the JVM is analyzed with cs-java-scan.

  • New Java analysis framework: new Java analysis framework kotlin.jvm (described below) causes the Java analysis to perform more constrained, Kotlin-focused analysis.

A new manual page, Kotlin Warning Classes, describes all CodeSonar warning classes that are supported for Kotlin and when their checks are performed.

New Kotlin Warning Classes

CodeSonar now performs checks for a new set of basic Kotlin warning classes. These checks are based on simple textual properties of the source code, and are performed (when enabled) when you include Kotlin source files in your CodeSonar project through any of the following mechanisms.

  • codesonar kotlin_scan.py

  • cs-java-scan

  • codesonar add_source_files.py

  • codesonar import_sarif.py

These warning classes are all disabled by default.

Deserialization of Untrusted Data (Kotlin)

KOTLIN.CLASS.SER.READ

Dynamic Thread Creation (Kotlin)

KOTLIN.CONCURRENCY.DTC

Exposure of PII via write (Kotlin)

KOTLIN.IO.PILEAK.PII

File Descriptor Exposed to Child Process (Kotlin)

KOTLIN.PROCESS.INHERIT_FD

Hardcoded Credentials (Kotlin)

KOTLIN.HARDCODED.CRED

Hardcoded Seed in PRNG (Kotlin)

KOTLIN.HARDCODED.SEED

Improper Certificate Chain Validation (Kotlin)

KOTLIN.CRYPTO.TRUSTMGR

Improper Export of Android Component (Kotlin)

KOTLIN.ANDROID.EXPORT

Improper Hostname Verification (Kotlin)

KOTLIN.CRYPTO.HOSTVERIFY

Inadequate Salt (Kotlin)

KOTLIN.CRYPTO.SALT

Inappropriate Array Index (Kotlin)

KOTLIN.MEM.IAI

Insecure Random Number Generator (Kotlin)

KOTLIN.LIB.RAND.FUNC

Integer Overflow or Wraparound (Kotlin)

KOTLIN.ARITH.OFLOW.MUL

Missing Parentheses (Kotlin)

KOTLIN.STRUCT.PARENS

Plaintext Storage of Password (Kotlin)

KOTLIN.PWD.PLAIN

Plaintext Storage of Password in Cookie (Kotlin)

KOTLIN.PWD.PLAIN.COOKIE

Plaintext Storage of Password in Preferences (Kotlin)

KOTLIN.PWD.PLAIN.PREF

Plaintext Transmission of Password (Kotlin)

KOTLIN.PWD.PLAINTRAN

Potential Deadlock via ReentrantLock (Kotlin)

KOTLIN.CONCURRENCY.LOCK.NESTED.RL

Potential Deadlock via Synchronized (Kotlin)

KOTLIN.CONCURRENCY.LOCK.NESTED.SYNC

Potentially Tainted URL (Kotlin)

KOTLIN.IO.PTAINT.URL

Potentially Unsynchronised Singleton (Kotlin)

KOTLIN.CONCURRENCY.SINGLETON

Predictable Seed in PRNG (Kotlin)

KOTLIN.CRYPTO.TIMESEED

Sensitive Credentials in Error Log (Kotlin)

KOTLIN.IO.CRED.ERRLOG

Sensitive Credentials in Log File (Kotlin)

KOTLIN.IO.CRED.LOG

Sensitive Credentials in Print (Kotlin)

KOTLIN.IO.CRED.PRINT

Sensitive Data in Implicit Intent (Kotlin)

KOTLIN.IO.PILEAK.INTENT

Sensitive Data in Unsecured External Storage (Kotlin)

KOTLIN.IO.PILEAK.EXTERNAL

Use of Hash without a Salt (Kotlin)

KOTLIN.CRYPTO.HWS

Java Analysis Improvements

Java Build/Analysis for Java 23, 24, 25

The CodeSonar Java build/analysis can now be applied to Java 23, 24, and 25.

java23, java24, and java25 are now valid settings for:

  • the JAVA_ANALYSIS_FRAMEWORK configuration parameter, and

  • the -framework option to cs-java-scan.

Features that are still in preview status as of a particular Java version are not parsed when that version (or earlier) is specified.

Support and handling for new permanent features in Java 25 are described in the following table. Java 23 and Java 24 have no new permanent features

Feature

State of support

Notes

Module Import Declarations JEP 511

Parsed and full internal representation (IR) generated

Minimum specified framework for parsing: Java 25.

Compact Source Files and Instance Main Methods JEP 512

Parsed and full internal representation (IR) generated

Minimum specified framework for parsing: Java 25.

Flexible Constructor Bodies JEP 513

Parsed and full internal representation (IR) generated

Minimum specified framework for parsing: Java 25.

Scoped Values JEP 506

Parsed only

Minimum specified framework for parsing: Java 25.

See MANUAL: CodeSonar support for specific Java versions for more information.

New framework option kotlin.jvm

New framework option kotlin.jvm causes the Java analysis to perform a more constrained, Kotlin-focused analysis.

  • When the kotlin.jvm framework is specified, the Java analysis can only issue a subset of the Java warning classes can be issued: those that are supported in both Java and Kotlin.

  • When no framework is specified, or a different framework such as java25 or androidAPI35 is specified, the Java analysis can issue all Java warning classes, even in Kotlin source code.

  • For more information, see MANUAL: Java+Kotlin Warning Classes.

Java analysis can issue warnings from basic Kotlin warning classes

Kotlin source files that are analyzed with the CodeSonar Java analysis are now also checked for the new basic Kotlin warning classes (listed above).

For more information, see MANUAL: Basic Kotlin Warning Classes.

API Changes

There are some new API functions, and some changes to C/C++ ASTs.

New API Functions

Description

C++

Python

C

Get the list of flags that enable all warnings for the compiler that compiled this compilation unit.

compunit::compiler_wall_enable_flags()

compunit.compiler_wall_enable_flags()

cs_file_compiler_wall_enable_flags()

Get the list of flags that cause the compiler that compiled this compilation unit to treat warnings as errors.

compunit::compiler_werror_enable_flags()

compunit.compiler_wall_enable_flags()

cs_file_compiler_werror_enable_flags()

Get the list of flags seen on the native command line that disable a subset of warnings for the compiler that compiled this compilation unit.

compunit::seen_wall_disable_flags()

compunit.seen_wall_disable_flags()

cs_file_seen_wall_disable_flags()

Get the list of flags seen on the native command line that disable a subset of errors or cause warnings to not be treated as errors for the compiler that compiled this compilation unit.

compunit::seen_werror_disable_flags()

compunit.seen_werror_enable_flags()

cs_file_seen_werror_disable_flags()

Get a specified ast-typed field of an AST.

(ast_field::as_ast() already existed)

(ast_field.as_ast() already existed)

cs_ast_get_field_as_ast()

Check: is a file instance an instance of a system include file?

(sfileinst::is_system_include() already existed)

(sfileinst.is_system_include() already existed)

New function cs_sfid_is_system_include(), in header cs_source_files.h.

You can continue to use csonar_file_is_system_include() (in csonar_plugin.h) if you prefer.

AST Class Changes

Modified unnormalized C/C++ AST classes:

  • cc:class-struct-union has new :is-pod-class attribute

  • cc:enum has new :explicit-underlying-type attribute

  • cc:source-correspondence has new :is-c-external attribute

  • cc:variable has new :has-direct-braced-initializer attribute

  • cc:exception-specification has new :is-noexcept, :throw-any, and :compiler-generated attributes

  • cc:routine has new :is-override and :is-declared-virtual attributes

.NET Framework Analysis Limitations

Due to a bug (dotnet/roslyn #82931) in Roslyn 5.3 and .NET 10 SDK, the Roslyn MSBuild loader does not cleanly load .NET Framework projects. A fix for this bug is anticipated in a future .NET release.

In consequence, CodeSonar 9.2p0 does not support analyzing .NET Framework (1.0-4.8) projects using the -msbuild-solution option to cs-dotnet-scan.

If your project includes .NET Framework components, you have several options.

  • As a work-around, you an try analyzing those components with the -include-artifacts option to cs-dotnet-scan (rather than the -msbuild-solution option). Note that -include-artifacts does not produce exactly the same analysis as -msbuild-solution.

  • Wait for a future version of CodeSonar. Once a fixed version of .NET 10 has been released, the ability to analyze .NET Framework projects using the cs-dotnet-scan -msbuild-solution will be restored.

Customer Tickets Fixed

NAME

NUMBER

NOTES

Conflict between projects with the same name, but under different project trees, when editing the name to be the same as a project in another project tree.

#4907, ZD-31602, CSO-5098

fixed

Parse errors for the cc21k.exe compiler builtins: __builtin_fminf, __builtin_fmaxf

#4981, ZD-31833, CSO-5193

fixed

typo in kill analysis output and hub breadcrumb text

#5677, ZD-32282, CSO-5908

fixed

Parse errors: no instance of constructor “boost::ext::sml::v1_1_4::aux::fixed_string” matches the argument list

#5703, ZD-32359, CSO-5935

fixed

Parse error: second operator in binary fold expression does not match first

#5704, ZD-32359, CSO-5936

fixed

armcc compiler model affects output in .d files

#5718, ZD-32440, CSO-5954

fixed

Hub exception when receiving a junk auth service ID

#5759, ZD-32468, CSO-5998

fixed

C#: SEVERE Exception while looking for source references in PDB file, Index was outside the bounds of the array.

#5864, ZD-32289, CSO-6104

fixed

Account for MISRA C:2012 Technical Corrigendum 2 Technical clarification of MISRA C:2012 (March 2022)

#5909, #6115, #7028, CS0042781, ZD-32664, ZD-33150, CSO-6152, CSO-6379

Updated: see MANUAL: Checks for MISRA C Standards

parse errors

#5982, ZD-32813, CSO-6237

fixed

Boost parse errors: variable in constexpr function is uninitialized

#5988, ZD-32796, CSO-6243

fixed

null pointer dereference in function: xQueueGenericCreateStatic

#6003, ZD-32867, CSO-6259

library model updated

parse errors with armcc compiler (Windows)

#6035, ZD32693, CSO-6292

fixed

penetration testing on 9.1p0 shows that some JavaScript libraries which seem to have security vulnerabilities

#6064, ZD-32992, CSO-6325

security improved

maximum object size that CodeSonar can handle, causing Buffer Underrun warnings

#6065, ZD-32975, CSO-6327

maximum size tracked increased by a factor of 8

FP - LANG.FUNCS.MODP : Modified Parameter

#6338, ZD-33003, CSO-6602

fixed

parse errors with aarch64-elina-linux-g++ compiler

#6351, ZD-33094, CSO-6617

fixed

FP - Invalid Number: warning message cuts off compiler option

#6352, ZD-33196, CSO-6618

fixed

FUSA test versions: 9.0.0/9.1p0, contain duplicate test cases in the fusatest-tcs.json

#6555, ZD-32185, CSO-6823

fixed

False positive warnings generated in the CodeSonar report for system call

#6741, ZD-33379

fixed

Inquiry Regarding Java Score

#6770, ZD-33419

Refined score computations for many warning classes, including Java warning classes.

Update manual page for LANG.TYPE.BASIC

#6883, CS0042528

Updated, see MANUAL: LANG.TYPE.BASIC