PVS-Studio 7.36: expanded MISRA support, plugin for Qt Creator 16, enhanced user annotations for C#, and much more
PVS-Studio 7.36 has been released. This version brings exciting updates, including extended MISRA support, a plugin for Qt Creator 16, enhanced user annotations in C#, and more! See more details in this note. You can download the latest PVS-Studio version here. Specifying the MISRA C & MISRA C++ standard versions Now you can specify the version of MISRA C and MISRA C++ standards in PVS-Studio C and C++ analyzer. Just set it right in the PVS-Studio plugin for Visual Studio. The supported standard versions include MISRA C 2012, MISRA C 2023, and MISRA C++ 2008. Extended user annotation mechanism in C# The C# analyzer now features an extended user annotation mechanism. Previously, user annotations were only available for taint analysis. The analyzer provides a variety of annotations for taint analysis, allowing users to track taint sources and sinks. You can mark up methods or constructors that validate tainted data. Once the data is marked as validated, the analyzer will no longer issue warnings when the data reaches the sink. Now, you can also mark up code with annotations that go beyond taint analysis. For example, you can indicate that a method can return null, that its return value should be used, that an argument should not be -null, and much more. For more details, please consult the documentation. Qt Creator 16.x plugin support The PVS-Studio plugin is now available for Qt Creator 16.x. We've discontinued support for Qt Creator 10.x versions. We aim to maintain backward compatibility by supporting the latest plugin versions for all Qt Creator versions within two years of each release. Learn more on how to use PVS-Studio in Qt Creator here. Refinement: configuration file flags PVS-Studio has introduced a new --apply-pvs-configs flag for the cross-platform pvs-studio-analyzer utility for analyzing C and C++ projects. This flag activates a mode for searching and applying the .pvsconfig configuration files for analyzed source files. The configuration files are searched in the source file directory and its parent directories, up to the project root folder defined by the --project-root flag. For more details, please consult the documentation. The pvs-studio-analyzer command line utility now includes the isolate-settings mode for the --analysis-paths flag. This mode isolates settings for the .pvsconfig files within the specified directory. Only the settings in the specified directory are applied—any configurations in parent folders are skipped. For more details, please consult the documentation. This mode has also introduced settings for the .pvsconfig file: //V_ANALYSIS_PATHS isolate-settings and //V_ISOLATE_CURRENT_DIR. For more details, please consult the documentation section. Breaking Changes These changes aren't backward compatible with earlier versions of the analyzer. You may need to adjust the way you use the analyzer due to these changes. When analyzing C and C++ projects based on compile_commands.json in the pvs-studio-analyzer command line utility, all non-compiler calls are now ignored. To work with compilers that have non-standard names and aren't automatically recognized by PVS-Studio, you can use the --compiler flag. For more details, please consult the documentation. The minimum recommended macOS version for running PVS-Studio analyzer on x86-64 processors is now macOS Big Sur (11.1). You can find the full list of changes on the PVS-Studio release history page. New diagnostic rules C, C++: V2634. MISRA. Features from should not be used. V2635. MISRA. The function with the 'system' name should not be used. V2636. MISRA. The functions with the 'rand' and 'srand' name of should not be used. V2637. MISRA. A 'noreturn' function should have 'void' return type. V2638. MISRA. Generic association should list an appropriate type. V2639. MISRA. Default association should appear as either the first or the last association of a generic selection. V2640. MISRA. Thread objects, thread synchronization objects and thread-specific storage pointers should have appropriate storage duration. V2641. MISRA. Types should be explicitly specified. V2642. MISRA. The '_Atomic' specifier should not be applied to the incomplete type 'void'. V2643. MISRA. All memory synchronization operation should be executed in sequentially consistent order. C#: V3218. Cycle condition may be incorrect due to an off-by-one error. V3219. The variable was changed after it was captured in a LINQ method with deferred execution. The original value will not be used when the method is executed. V3220. The result of the LINQ method with deferred execution is never used. The method will not be executed. V3221. Modifying a collection during its enumeration will lead to an exception. V5629. OWASP. Code contains invisible characters that may alter its logic. Consider enabling the display of invisible characters in the code editor. Java: V5320. OWASP. Use of potentially tainted data
PVS-Studio 7.36 has been released. This version brings exciting updates, including extended MISRA support, a plugin for Qt Creator 16, enhanced user annotations in C#, and more! See more details in this note.
You can download the latest PVS-Studio version here.
Specifying the MISRA C & MISRA C++ standard versions
Now you can specify the version of MISRA C and MISRA C++ standards in PVS-Studio C and C++ analyzer. Just set it right in the PVS-Studio plugin for Visual Studio.
The supported standard versions include MISRA C 2012, MISRA C 2023, and MISRA C++ 2008.
Extended user annotation mechanism in C#
The C# analyzer now features an extended user annotation mechanism. Previously, user annotations were only available for taint analysis.
The analyzer provides a variety of annotations for taint analysis, allowing users to track taint sources and sinks. You can mark up methods or constructors that validate tainted data. Once the data is marked as validated, the analyzer will no longer issue warnings when the data reaches the sink.
Now, you can also mark up code with annotations that go beyond taint analysis. For example, you can indicate that a method can return null, that its return value should be used, that an argument should not be -null, and much more.
For more details, please consult the documentation.
Qt Creator 16.x plugin support
The PVS-Studio plugin is now available for Qt Creator 16.x. We've discontinued support for Qt Creator 10.x versions. We aim to maintain backward compatibility by supporting the latest plugin versions for all Qt Creator versions within two years of each release.
Learn more on how to use PVS-Studio in Qt Creator here.
Refinement: configuration file flags
- PVS-Studio has introduced a new
--apply-pvs-configsflag for the cross-platformpvs-studio-analyzerutility for analyzing C and C++ projects.
This flag activates a mode for searching and applying the .pvsconfig configuration files for analyzed source files. The configuration files are searched in the source file directory and its parent directories, up to the project root folder defined by the --project-root flag.
For more details, please consult the documentation.
- The
pvs-studio-analyzercommand line utility now includes theisolate-settingsmode for the--analysis-pathsflag.
This mode isolates settings for the .pvsconfig files within the specified directory. Only the settings in the specified directory are applied—any configurations in parent folders are skipped.
For more details, please consult the documentation.
This mode has also introduced settings for the .pvsconfig file: //V_ANALYSIS_PATHS isolate-settings and //V_ISOLATE_CURRENT_DIR.
For more details, please consult the documentation section.
Breaking Changes
These changes aren't backward compatible with earlier versions of the analyzer. You may need to adjust the way you use the analyzer due to these changes.
- When analyzing C and C++ projects based on
compile_commands.jsonin thepvs-studio-analyzercommand line utility, all non-compiler calls are now ignored. To work with compilers that have non-standard names and aren't automatically recognized by PVS-Studio, you can use the--compilerflag. For more details, please consult the documentation. - The minimum recommended macOS version for running PVS-Studio analyzer on x86-64 processors is now macOS Big Sur (11.1).
You can find the full list of changes on the PVS-Studio release history page.
New diagnostic rules
C, C++:
- V2634. MISRA. Features from should not be used.
- V2635. MISRA. The function with the 'system' name should not be used.
- V2636. MISRA. The functions with the 'rand' and 'srand' name of should not be used.
- V2637. MISRA. A 'noreturn' function should have 'void' return type.
- V2638. MISRA. Generic association should list an appropriate type.
- V2639. MISRA. Default association should appear as either the first or the last association of a generic selection.
- V2640. MISRA. Thread objects, thread synchronization objects and thread-specific storage pointers should have appropriate storage duration.
- V2641. MISRA. Types should be explicitly specified.
- V2642. MISRA. The '_Atomic' specifier should not be applied to the incomplete type 'void'.
- V2643. MISRA. All memory synchronization operation should be executed in sequentially consistent order.
C#:
- V3218. Cycle condition may be incorrect due to an off-by-one error.
- V3219. The variable was changed after it was captured in a LINQ method with deferred execution. The original value will not be used when the method is executed.
- V3220. The result of the LINQ method with deferred execution is never used. The method will not be executed.
- V3221. Modifying a collection during its enumeration will lead to an exception.
- V5629. OWASP. Code contains invisible characters that may alter its logic. Consider enabling the display of invisible characters in the code editor.
Java:
- V5320. OWASP. Use of potentially tainted data in configuration may lead to security issues.
- V5321. OWASP. Possible LDAP injection. Potentially tainted data is used in a search filter.
- V5322. OWASP. Possible reflection injection. Potentially tainted data is used to select class or method.
- V5323. OWASP. Potentially tainted data is used to define 'Access-Control-Allow-Origin' header.
- V5324. OWASP. Possible open redirect vulnerability. Potentially tainted data is used in the URL.
- V5325. OWASP. Setting the value of the 'Access-Control-Allow-Origin' header to '*' is potentially insecure.
- V5326. OWASP. OWASP. A password for a database connection should not be empty.
- V5327. OWASP. Possible regex injection. Potentially tainted data is used to create regular expression.
- V5328. OWASP. Using weak authorization checks could lead to security violations.
- V5329. OWASP. Using unsafe methods of file creation is not recommended because an attacker might access the files.
- V5330. OWASP. Possible XSS injection. Potentially tainted data might be used to execute a malicious script.
Articles
For those, who code in C++:
- Beta testing: updated parser for C and C++ code analysis
- std::array in C++ is faster than array in C. Sometimes
- Safe array handling? Never heard of it
- Exploring Nau Engine codebase: pt.2
- Exploring Nau Engine codebase: pt.3
- Breaking down bugs in TDengine to master refactoring, part 1: sausage code
- Breaking down bugs in TDengine to master refactoring, part 2: stack-consuming macro
- Breaking down bugs in TDengine to master refactoring, part 3: price of laziness
For those, who code in C#:
- PVS-Studio in development of Unity projects: new specialized diagnostic rules
- Copy-paste on big screen. Analyzing errors and oddities in Radarr code
- Graph mess: what does ScottPlot have in store?
- PowerShell: new features, same old bugs
- .NET Digest #6
For those, who code in Java:
- What's new in Java 24
- Notepad injection or the story of writing new diagnostic rules
- Looking for potential vulnerabilities in code, part 2: practice
Other articles:
- New exciting diagnostic rules in PVS-Studio 7.35
- Dirty code: trusted keeper of errors. Broken windows theory
- Does ChatGPT know everything? Let's check some facts about PVS-Studio
Do you want to check a project with PVS-Studio? Then start from this page.
If you would like to get news on latest releases, subscribe to the PVS-Studio newsletter here.
