DEV Community

Unicorn Developer

Get started with PVS-Studio static analyzer

PVS-Studio is a static analyzer for detecting code errors throughout the entire project lifecycle. This article covers the key analyzer features, common usage scenarios, and analysis options, and everything you need to get started.

What is PVS-Studio?

PVS-Studio is a SAST tool that identifies potential errors and vulnerabilities in the source code of C, C++, C#, and Java projects. It's a B2B solution trusted by many development teams and companies around the world.

The analyzer runs on Windows, Linux, and macOS, offering several usage and integration scenarios with various tools.

Usage scenarios of static analysis

PVS-Studio offers multiple ways to integrate static analysis into your workflow. It can run as an IDE plugin or as an automated check on the build server. You can choose the approach that fits your workflow best, or combine all of them to cover your code at every development stage.

On-premise analysis

One of the practical ways to use the analyzer is to run it locally on developers' machines, either via the IDE plugin or the console version.

This is also the most versatile approach, covering a wide range of development environments.

This scenario lets developers catch errors early, right as the team is working on new functionality or refining existing code, so fixes are quick and cheap.

However, it's worth combining several options to get defense in depth. For example, to keep defects out of the version control system (VCS), add a second layer of protection: regular static analysis on the build server.

Regular static analysis

The best approach is a two-level source code verification system: on developer machines and on the build server. The earlier an issue is detected, the lower the cost and complexity of fixing it. We also recommend using incremental analysis, which automatically analyzes only the code modified since the last build; this keeps CI pipeline run times short.

Regular analysis for pull requests significantly streamlines the code review process. Even if errors get into VCS, they can be quickly spotted and fixed, potentially saving time, money, and the product's reputation.

Early detection is one of the key benefits of static analysis, and it depends on running the analyzer regularly. Running analysis only once, for example before a release, leads to several problems:

  • More time needed to review and triage warnings
  • Lower analysis quality (the more warnings reviewed at once, the easier it is to miss important issues)
  • Harder bug fixing (a long gap between introducing and detecting an issue forces developers to re-familiarize themselves with the context)

For more details about the regular use of PVS-Studio, CI integration, and configuration recommendations, please refer to this documentation.

In addition to on-premise infrastructure, you can always configure analysis in cloud-based CI services. PVS-Studio integrates with most of the prominent cloud-based CI systems. You can find the complete list and setup instructions on this page.

Note. PVS-Studio can analyze commits and branch merging (pull/merge requests). In this mode, only files modified relative to the current branch state are analyzed. This reduces analysis time and facilitates result review. More details are provided in the documentation.
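The note above describes narrowing a pull request run to what the change touched. The script below is an added example, not PVS-Studio's own code: it parses a unified diff to find the files and lines a PR added or modified, then keeps only the analyzer warnings that land there. The diff, the warning records and the diagnostic codes are constructed, and the flat `file`/`line`/`code`/`message` records are a simplified stand-in for a real report format.

```python
"""Restrict an analyzer report to what a pull request actually touched.

Added example, not PVS-Studio code. The unified diff and the warning
records below are constructed; the records are a simplified stand-in for
an analyzer report (PVS-Studio's real report formats differ), and the
diagnostic codes and messages are illustrative only.
"""
import re
from collections import defaultdict

# Hunk header "@@ -old[,n] +new[,m] @@": capture the first line on the new side.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed output of `git diff base...head` for a PR touching one file.
SAMPLE_DIFF = """\
diff --git a/src/parser.cpp b/src/parser.cpp
--- a/src/parser.cpp
+++ b/src/parser.cpp
@@ -10,4 +10,6 @@ int parse(const char *p)
 {
     int len = strlen(p);
+    char *buf = (char *)malloc(len);
+    strcpy(buf, p);
     return len;
 }
@@ -40,3 +42,4 @@ void cleanup()
 {
-    free(g);
+    free(g);
+    g = NULL;
 }
"""

# Constructed full-project report: one warning in the PR's new lines, one on
# an untouched line of the same file, one in a file the PR never touched.
SAMPLE_WARNINGS = [
    {"file": "src/parser.cpp", "line": 13, "code": "V512", "message": "strcpy may overflow 'buf'"},
    {"file": "src/parser.cpp", "line": 30, "code": "V547", "message": "expression is always true"},
    {"file": "src/legacy.cpp", "line": 5, "code": "V595", "message": "pointer used before null check"},
]


def changed_lines(diff_text):
    """Map each file in a unified diff to the set of new-side line numbers
    the diff adds or modifies ('+' lines). Files touched only by deletions
    still get an (empty) entry so file-level filtering keeps them."""
    changed = defaultdict(set)
    current = None   # file whose hunks we are inside
    in_hunk = False  # distinguishes '+++ ' file headers from '+++x' content
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            current, in_hunk = None, False
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[4:].strip()
            if path == "/dev/null":          # file deleted: nothing to analyze
                current = None
            else:
                current = path[2:] if path.startswith("b/") else path
                changed[current]             # register file even with no '+' lines
        elif current is None or (not in_hunk and raw.startswith("--- ")):
            pass
        elif (m := HUNK_RE.match(raw)):
            new_line, in_hunk = int(m.group(1)), True
        elif raw.startswith("+"):
            changed[current].add(new_line)   # added or modified line
            new_line += 1
        elif raw.startswith(("-", "\\")):
            pass                             # removed line or "\ No newline" marker
        else:
            new_line += 1                    # unchanged context line
    return dict(changed)


def filter_report(warnings, changed, lines_only=True):
    """Keep warnings in files the PR touched; with lines_only, only those on
    lines the PR added or modified, which is what a reviewer can act on."""
    kept = []
    for w in warnings:
        lines = changed.get(w["file"])
        if lines is None or (lines_only and w["line"] not in lines):
            continue
        kept.append(w)
    return kept


if __name__ == "__main__":
    for w in filter_report(SAMPLE_WARNINGS, changed_lines(SAMPLE_DIFF)):
        print(f"{w['file']}:{w['line']}: {w['code']} {w['message']}")
```

`lines_only=False` gives the file-level view the note describes (every warning in a modified file); the default line-level view is stricter and keeps a reviewer's attention on the diff. The caveat is that a one-line change can trigger a warning elsewhere, for instance a changed return value that a caller in another file no longer checks, so line-level filtering can hide consequences of the change. Use it for the fast PR check and rely on the full-context server run to catch the rest.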

Server-side analysis

Project analysis can be integrated into nightly builds to generate a detailed report on the codebase state each day. Regular analyzer feedback on detected issues can help quickly fix the problematic code.

The key characteristic of this scenario is that the analyzer works with the full project context. This makes intermodular analysis possible and lets the analyzer find issues that span different program components.

For example, a potential defect may be located in one file (e.g., a missing null check) while its consequences appear in another program segment (e.g., a NullReferenceException occurs when the object is accessed).

To further improve efficiency, analysis results can be integrated with code quality management tools (web dashboards). These tools enhance interaction with reports without requiring changes to the existing development pipeline and provide additional capabilities such as analysis result visualization, report aggregation, issue tracking and resolution management, etc.

The full list of supported tools and integration instructions is available in the documentation.

Supported standards

PVS-Studio is a SAST (Static Application Security Testing) solution that searches for security defects and helps refine overall code security.

Code reliability

Code reliability is critical in industries where software defects can have severe consequences, such as aerospace, medical, and engineering. Errors in applications with high-reliability requirements can lead to millions of dollars in losses or even endanger human lives.

To write reliable code, developers adhere to special coding standards, such as MISRA C, MISRA C++, and AUTOSAR Coding Guidelines.

PVS-Studio identifies the code that doesn't comply with these standards. To see the full list of diagnostic rules mapped for the standards, please refer to the following documentation:

Code security

Secure code is more resilient to attacks such as SQL injection, XML entity expansion (XEE), XML external entity (XXE) injection, and others. Code security is therefore especially critical in applications that handle sensitive user data (banking software, web applications, etc.).

To ensure applications are secure, development teams implement a secure software development lifecycle (SSDLC). One of its stages is to search for security issues using SAST (Static Application Security Testing).

Specialized standards are used to ensure secure code development. PVS-Studio maps its diagnostic rules to industry-recognized security standards and vulnerability lists (CWE), including:

Among all security flaws, the most dangerous and common ones are highlighted. Discover how PVS-Studio helps mitigate these risks:

Choosing a PVS-Studio license

Before getting started, we recommend reviewing the available PVS-Studio license options and choosing the one that best fits your team.

PVS-Studio is primarily a tool for development teams, so we do not provide single-user licenses. Licenses are packaged according to the number of users in the team, but our flexible licensing policy makes the tool easy to adopt and manage. Here are the main points:

  • The license is calculated based on the number of people in the team who work with the repositories that will be analyzed, rather than the number of machines involved.
  • One license can cover developers across several departments/projects.
  • There are no restrictions on code volume, diagnostic rules, and new versions.
  • Technical support comes directly from the analyzer developers.

Two main types of licenses

  • Team: suitable for small teams up to nine users. It includes basic analyzer features.
  • Enterprise: a good option for large teams. It has more features, more usage scenarios, and priority technical support.

Team license

The Team license is designed for small teams of up to nine developers (inclusive).

It includes basic support:

  • assistance with integrating into the development process;
  • prompt resolution of analyzer issues;
  • several analyzer developers simultaneously assisting in a single technical support request.

The license includes all core analyzer functionality but has some functional limitations related to development process quality management, such as:

  • automatic notifications
  • integration with cloud services
  • partial restrictions on incremental analysis
  • etc.

Note. For more details on what each PVS-Studio license includes, please refer to this page.

Enterprise license

The Enterprise license is designed for medium and large teams and has no restrictions on the use of the analyzer's functionalities. A single Enterprise license can be used by multiple teams within a company, including several small teams.

It includes all the basic analyzer functionality and additional features specific to this licensing option. These include:

  • adaptation of PVS-Studio functionality to the specifics of the customer's ecosystem;
  • several analyzer developers simultaneously assisting in multiple technical support requests;
  • analysis of files changed since the previous build;
  • on-premise and CI-driven usage of incremental analysis.

You can request a trial Enterprise license here.

Quick start

Relevant analyzer warnings

If you're new to static analysis tools and want to explore what they can do, use the Best Warnings mechanism, which is designed specifically for a first encounter with the PVS-Studio static analyzer.

It highlights the most important and reliable warnings in the project report. To display them, click the Best button:

The report displays ten warnings, giving a quick overview of the analyzer's potential without reviewing the entire list of results.

How to work with legacy code using static analysis

PVS-Studio has a mass suppression mechanism intended for use when integrating the analyzer into an existing codebase with a large number of pre-existing warnings.

The mass suppression mechanism helps the team focus on analyzing new code while keeping the option to return to warnings in legacy code later.

As a result, the report will include only warnings related to newly written or modified code. This mode doesn't require any changes to the project's source files.
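To make the idea of a suppression baseline concrete, here is an added example that is not PVS-Studio's code and does not reproduce its suppress-file format or hashing. It fingerprints each warning by file name, diagnostic code and the text of the flagged line rather than its line number, stores the fingerprints once at adoption time, and on later runs drops any warning whose fingerprint is known, so only findings in new or changed code surface. The source snapshots, report records and diagnostic codes are constructed.

```python
"""Baseline ("mass suppression") filter for analyzer warnings.

Added example, not PVS-Studio code: a simplified model of how a
suppression baseline lets a team adopt an analyzer on a legacy codebase
without touching the sources. Warnings are fingerprinted by file name,
diagnostic code and the text of the flagged line (not the line number),
so the baseline survives unrelated edits that shift lines. The snapshots,
report records and diagnostic codes below are constructed; PVS-Studio's
real suppress-file format and hashing are not reproduced here.
"""
import hashlib
import json
import os

# Constructed snapshot of a legacy file at adoption time (version 1).
LEGACY_V1 = [
    "#include <cstring>",
    "void f(char *p) {",
    "    char buf[8];",
    "    strcpy(buf, p);",
    "}",
]
REPORT_V1 = [  # what the analyzer found on version 1 (constructed)
    {"file": "src/legacy.cpp", "line": 4, "code": "V512"},
]

# Version 2: an include was added at the top (shifting every line by one)
# and a new function with a fresh defect was appended.
LEGACY_V2 = ["#include <cstdio>"] + LEGACY_V1 + [
    "int g(int *q) {",
    "    int v = *q;",
    "    if (q == nullptr) return 0;",
    "    return v;",
    "}",
]
REPORT_V2 = [
    {"file": "src/legacy.cpp", "line": 5, "code": "V512"},  # old finding, shifted
    {"file": "src/legacy.cpp", "line": 7, "code": "V595"},  # new finding
]


def fingerprint(warning, source_lines):
    """Stable identity of a warning. Whitespace in the flagged line is
    stripped so reformatting does not invalidate the baseline either."""
    text = source_lines[warning["line"] - 1]
    normalized = "".join(text.split())
    key = f"{os.path.basename(warning['file'])}|{warning['code']}|{normalized}"
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def build_baseline(report, sources):
    """Fingerprint every warning in a full report: the set to suppress."""
    return {fingerprint(w, sources[w["file"]]) for w in report}


def dump_baseline(baseline):
    """Serialize for storage beside the project (e.g. committed to VCS)."""
    return json.dumps(sorted(baseline), indent=1)


def load_baseline(text):
    return set(json.loads(text))


def new_warnings(report, sources, baseline):
    """Warnings whose fingerprint is not in the baseline: genuinely new code,
    or an edit to a previously flagged line, which deserves a fresh look."""
    return [w for w in report if fingerprint(w, sources[w["file"]]) not in baseline]


def demo():
    """Baseline on version 1, then report only what is new in version 2."""
    sources_v1 = {"src/legacy.cpp": LEGACY_V1}
    sources_v2 = {"src/legacy.cpp": LEGACY_V2}
    stored = dump_baseline(build_baseline(REPORT_V1, sources_v1))
    return new_warnings(REPORT_V2, sources_v2, load_baseline(stored))


if __name__ == "__main__":
    for w in demo():
        print(f"{w['file']}:{w['line']}: {w['code']}")
```

The shifted V512 finding is silently carried over, and only the V595 finding in the appended function is reported. Two practitioner caveats with this scheme: two identical flagged lines in one file with the same diagnostic share a fingerprint, so a copy-pasted defect can hide behind a suppressed one, and any edit to a suppressed line resurfaces its warning, which is desirable (the code was touched) but means the baseline file needs occasional regeneration. Commit the baseline alongside the project so every CI run and every developer machine filters against the same set.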

For more details, you can refer to the documentation.

What's next?

If you haven't tried the analyzer on your project yet, you can evaluate it with a trial license, available here.

To learn more, you can read a full version of the documentation.

If you have further questions about configuring the analyzer or understanding its behavior, you can leave a comment below the article or contact us via the feedback form.
