PVS-Studio 7.39 has been released. This version brings new features, and in this note we talk about them.
Covering OWASP Top Ten 2021 by Java analyzer
The new PVS-Studio 7.39 release brings an update to the Java analyzer, which includes diagnostic rules from the OWASP Top Ten 2021. Now, the Java analyzer covers 9 out of 10 of its categories. This is a significant step toward the growth of PVS-Studio Java as a SAST solution.
You can find out how the diagnostic rules of C/C++, C#, and Java analyzers align with the OWASP Top Ten 2021 categories here.
Running analysis in compilation monitoring mode in Visual Studio Code plugin
PVS-Studio plugin for Visual Studio Code now supports running analysis in compilation monitoring mode on Windows.
The compilation monitoring system (PVS-Studio Compiler Monitoring, CLMonitoring) seamlessly integrates PVS-Studio's static analysis into any build system on Windows. The build system should use one of the preprocessors supported by the PVS-Studio.exe command-line analyzer for file compilation (Visual C++, GCC, Clang, Keil MDK ARM Compiler 5/6, or IAR C/C++ Compiler for ARM).
More details on the compilation monitoring mode in the VS Code plugin can be found in the documentation.
We also plan to support build tracing on Linux in Visual Studio Code in upcoming releases.
Generating MISRA Compliance reports for new MISRA standard versions
MISRA Compliance is a standard that assesses whether a project is compliant with MISRA C and/or MISRA C++, considering all deviations and re-categorizations. The new PVS-Studio release introduces support for generating MISRA Compliance reports for the new MISRA guideline versions supported by the analyzer.
To generate a report, use the PlogConverter.exe utility (Windows) or plog-converter (Linux and macOS). The report is an HTML page that's convenient for printing. Here's an example of a report when a project complies with MISRA C 2012:
For more details, please refer to the documentation.
We're also continuing to expand the C/C++ analyzer coverage for the MISRA C 2023 standard. We plan to finish the work by the end of this year. You can find out how PVS-Studio diagnostic rules align with MISRA C and MISRA C++ standards here.
Supporting SLNF format for C++ and C# MSBuild projects
Starting with this version, PVS-Studio for C# projects can analyze not only solutions in the .sln format but also their lightweight versions in the .slnf format.
Solution Filter files (.slnf) enable working only with selected projects within a large solution, which boosts compilation and streamlines handling code fragments.
Overriding higher-priority settings in .pvsconfig
The .pvsconfig configuration file is used to display and filter analyzer messages, as well as specify additional analysis settings.
In this release, we've added a mechanism for overriding higher-priority settings in diagnostic rule configuration files (.pvsconfig).
More details can be found in the documentation.
Breaking changes
These changes aren't backward compatible with earlier analyzer versions. You may need to adjust how you use the analyzer due to these changes.
- In the Java analyzer, we've updated some diagnostic rules. Previously suppressed messages may reappear in the analyzer report.
New diagnostic rules
C and C++:
- V2652. MISRA. Argument of an integer constant macro should have an appropriate form.
- V2653. MISRA. The small integer variants of the minimum-width integer constant macros should not be used.
- V2654. MISRA. Initializer list should not contain persistent side effects.
- V2655. MISRA. The right operand of a logical '&&' or '||' operator should not contain persistent side effects.
- V2656. MISRA. The Standard Library function memcmp should not be used to compare null terminated strings.
- V2657. MISRA. Obsolescent language features should not be used.
- V2658. MISRA. Dead code should not be used in a project.
- V2659. MISRA. Switch statements should be well-formed.
- V2660. MISRA. A function declared with a _Noreturn specifier should not return to its caller.
- V2661. MISRA. A 'for' loop should be well-formed.
- V2662. MISRA. Any value passed to a function from <ctype.h> should be representable as an unsigned character or be the value EOF.
C#:
- V3226. Potential resource leak. The disposing method will not be called if an exception occurs in the 'try' block. Consider calling it in the 'finally' block.
- V3227. The precedence of the arithmetic operator is higher than that of the shift operator. Consider using parentheses in the expression.
- V5631. OWASP. Use of externally-controlled format string. Potentially tainted data is used as a format string.
Java:
- V5335. OWASP. Potential XXE vulnerability. Insecure XML parser is used to process potentially tainted data.
- V5336. OWASP. Potential XEE vulnerability. Insecure XML parser is used to process potentially tainted data.
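To show the pattern the new V5335 (XXE) and V5336 (XEE) rules are looking for, here is an added Java example; it is not code from the release note or from PVS-Studio, and the class name, method names, and the sample XML document are all constructed for illustration. The insecure method feeds untrusted bytes into a default DocumentBuilderFactory, which accepts a DOCTYPE and therefore both external entities and entity expansion. The hardened factory refuses any DOCTYPE and additionally switches off external entities, external DTD loading and XInclude, using only feature and attribute names the JDK's built-in parser supports.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XmlParserHardening {

    // Constructed sample input (not from the release note): a document that carries a
    // DOCTYPE with a harmless internal entity. A DOCTYPE is the shape XXE and XEE payloads
    // take, so the hardened parser refuses the whole document instead of inspecting it.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY greet \"hello\"> ]>\n"
      + "<note>&greet;</note>";

    // The pattern V5335/V5336 flag: a default factory with tainted input fed straight in.
    static Document parseInsecure(byte[] taintedXml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(taintedXml));
    }

    // Hardened factory: no DOCTYPE, no external entities, no external DTD or schema,
    // no XInclude. Disallowing DOCTYPE closes XXE and XEE at the same time; the other
    // settings are defence in depth in case a parser ignores the first feature.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    static Document parseHardened(byte[] taintedXml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(taintedXml));
    }

    public static void main(String[] args) throws Exception {
        byte[] input = UNTRUSTED_XML.getBytes(StandardCharsets.UTF_8);

        // The default parser accepts the DOCTYPE and expands the entity.
        Document doc = parseInsecure(input);
        System.out.println("insecure parser accepted it, text = "
            + doc.getDocumentElement().getTextContent());

        // The hardened parser rejects the same bytes with a SAXParseException.
        try {
            parseHardened(input);
            System.out.println("hardened parser accepted it (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected it: " + e.getMessage());
        }
    }
}
```

Compile and run it with a plain JDK (no extra dependencies); the first line of output shows the expanded entity text from the default parser, the second shows the hardened parser rejecting the DOCTYPE. The same feature names apply to SAXParserFactory and, for StAX, the equivalent XMLInputFactory properties.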
Articles
For C/C++ developers:
- CMake: hero who tripped over 12 bugs;
- What if your elephant thinks it is bug?;
- Combating headcrabs in the Source SDK codebase;
- Box of bugs (emulated).
For C# developers:
- Digging into open-source Unity VR Games. Part 1: RocketMan;
- Digging into open-source Unity VR Games. Part 1: NorthStar;
- No questions? The cost of a missing '?' in your project.
For Java developers:
- How we integrate best practices in Java;
- What's new in Java 25;
- Bugs wear data. Let's check Apache NiFi;
- OWASP Top Ten 2021 explained with simple Java examples and SAST insights;
- Gadget chains in Java: how unsafe deserialization leads to RCE?
Other articles:
- How to get and use a free PVS-Studio license. Part 1: Preparing and getting started;
- How to get and use a free PVS-Studio license. Part 2: initial run and configuration;
- How to get and use a free PVS-Studio license. Part 3: working with report and warnings;
- PVS-Studio team invites you to share examples of errors related to vibe coding;
- Use PVS-Studio to analyze open-source projects;
- How to manage static analysis results.
Do you want to check a project with PVS-Studio? Then start from this page.
If you would like to get news on latest releases, subscribe to the PVS-Studio newsletter here.