PVS-Studio 7.04

Summer is not only a holiday season, but also time of fruitful work. Sunny days are so inspiring that there's enough energy both for late walks and large code commits. The second summer PVS-Studio 7.04 release turned out to be quite large, so we suggest for your attention this press release, in which we'll tell you about everything.

PVS-Studio is a tool designed to detect errors and potential vulnerabilities in the source code of programs, written in C, C++, C#, Java. It works in Windows, Linux, and macOS environment.

An extensive collection of errors found in code during the checks of various open source projects clearly demonstrates the abilities of the analyser.

Here's an overview of new features coming with the PVS-Studio 7.04 release.

Search for Files with Copyleft Licenses

When working on a task developers take code from so many various places. A popular source of Copy-Paste code is the Stackoverflow website and similar ones. There are cases when a developer takes the code from an open source project and doesn't check license requirements. Thus, a closed source project may accidentally get a few files from an open source project with a Copyleft license, which obliges to make the entire project code open source. In companies with a large number of employees, it's difficult to keep track of this, whereas such actions might cause adverse risks and problems. So, PVS-Studio now has a diagnostic, which will help to find such files. It relates to all supported languages (C, C++, C#, Java).

Diagnostic numbers for different languages:

• C, C++: V1042
• C#: V3144
• Java: V6071

Let's take a closer look at these diagnostics and figure out what they are made for. An example of a comment that the analyser will issue a warning to:

/*  This program is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation, either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

For Closed Projects

If you add a file with such a license (in this case, GPL3) in a closed project, you'll have to open the rest code due to specifics of this license.

Such a type of licenses is called "viral" because of their ability to extend to the rest of the project files. The problem is that usage of at least one file with such a license in a closed project automatically makes the entire source code open and obliges to distribute it along with binary files.

The diagnostic is looking for the following «virus» licenses:

• AGPL-3.0
• GPL-2.0
• GPL-3.0
• LGPL-3.0

Here are the options of what you can do in case if you detect usage of files with a copyleft license in a closed project:

1. Refrain from using such code (library) in your project;
2. Substitute the used library;
3. Make the project open source.

For Open Projects

We understand that this diagnostic is inappropriate for open source projects. The PVS-Studio team contributes to developing of open source projects, helps to fix errors in them and provides free license options. However, our product is a B2B solution and therefore this diagnostic is enabled by default.

If your code is distributed under one of the copyleft licenses above, you can disable this diagnostic in the following ways (for C\C ++ it is V1042):

• If you're using the PVS-Studio plugin for Visual Studio, you can disable this diagnostic by going to Options > PVS-Studio > Detectable Errors > 1.General Analysis > V1042. After this, it won't be shown in the analyser report. The downside of this method is that the error will still be written in the analyser's log while saving it (or if the analysis was run from the command line). Therefore, when you open such a log on another machine or convert the analysis results to another format, the messages that were disabled in this way may reappear.
• If you're not using the plugin and want to block the rule for the entire team, or remove it from the analyser's report, you can add the comment "//-V::1042" to the configuration file (.pvsconfig) or to one of the global header files. For developers, who use Visual C++, a nice option would be to add this comment in the «stdafx.h». file. This comment tells the analyser to disable the V1042 diagnostic. Documentation gives more detailed information about disabling diagnostics using the comments.
• If you're using the Plog Converter utility to convert reports, you can disable the diagnostic using the "-d" key.

For C# V3144 is a corresponding number of a diagnostic, V6071 — for Java.

Extending the List of Dangerous Licenses

In case if you know other types of «virus» licenses that PVS-Studio doesn't detect at this point, you're welcome to let us know through our feedback form. We'll add them in the next release.

New diagnostics

C, C++ (General)

• V1040. Possible typo in the spelling of a pre-defined macro name.
• V1041. Class member is initialized with dangling reference.
• V1042. This file is marked with copyleft license, which requires you to open the derived source code.
• V1043. A global object variable is declared in the header. Multiple copies of it will be created in all translation units that include this header file.

I'd like to give special attention to the diagnostic with the number V1040. We managed to find an interesting error in the library of the well-known CMake project even at the beta stage:

V1040 Possible typo in the spelling of a pre-defined macro name. The '__MINGW32_' macro is similar to '__MINGW32__'. winapi.h 4112

/* from winternl.h */
#if !defined(__UNICODE_STRING_DEFINED) && defined(__MINGW32_)
#define __UNICODE_STRING_DEFINED
#endif

There's a typo made in the name __MINGW32_. At the end, one underline character is missing. If you search the code with this name, you can see that the version with two underline characters on both sides is used in the project:

You can check out all found errors in the CMake project in the article: "CMake: the Case when the Project's Quality is Unforgivable".

C, C++ (MISRA)

• V2551. MISRA. Variable should be declared in a scope that minimizes its visibility.
• V2552. MISRA. Expressions with enum underlying type should have values corresponding to the enumerators of the enumeration.
• V2553. MISRA. Unary minus operator should not be applied to an expression of the unsigned type.
• V2554. MISRA. Expression containing increment (++) or decrement (--) should not have other side effects.
• V2555. MISRA. Incorrect shifting expression.
• V2556. MISRA. Use of a pointer to FILE when the associated stream has already been closed.
• V2557. MISRA. Operand of sizeof() operator should not have other side effects.

C#

• V3140. Property accessors use different backing fields.
• V3141. Expression under 'throw' is a potential null, which can lead to NullReferenceException.
• V3142. Unreachable code detected. It is possible that an error is present.
• V3143. The 'value' parameter is rewritten inside a property setter, and is not used after that.
• V3144. This file is marked with copyleft license, which requires you to open the derived source code.
• V3145. Unsafe dereference of a WeakReference target. The object could have been garbage collected before the 'Target' property was accessed.

As for the C# analyser, we added evaluation of read\written values from property getters and setters, as well as from async methods.

We're currently working on improvement of monitoring fields' values and properties of objects as they are passed to methods, as well as monitoring the contents of turples. These improvements will be available in the next analyser release.

Java

• V6068. Suspicious use of BigDecimal class.
• V6069. Unsigned right shift assignment of negative 'byte' / 'short' value.
• V6070. Unsafe synchronization on an object.
• V6071. This file is marked with copyleft license, which requires you to open the derived source code.

SonarQube 7.9 LTS

Long-awaited Release

It has been almost 2 years since the last release of the LTS-version of SonarQube 6.7. The new version was eagerly awaited starting with the SQ 7.x and when LTS was released, users began to actively switch to it, which caused various problems. Soon SQ 7.9.1 LTS came out with minor fixes and third-party plugin developers also made patches.

Fortunately, the PVS-Studio plugin had only one problem, related to switching to Java 11, which was quickly fixed and our clients immediately switched to a workable version.

We're also kept compatibility with old SonarQube versions and the list of supported versions now looks as follows: SonarQube 6.7 LTS and later

More Supported Language Plugins

The PVS-Studio plugin only converts analysis results into the format of the SonarQube database. In other words, it just downloads results of PVS-Studuio analysis in SQ. To get the SonarScanner utility operate fully, you need to have plugins for programming languages installed. We didn't start to develop what already exists, so we just add support of already existing popular plugins. In this version, we've added compatibility with Sonar C Community and SonarCFamily language plugins.

The entire list of supported language plugins looks like this:

• Sonar C++ Community
• Sonar C Community
• SonarC#
• SonarJava
• SonarCFamily (SQ Developer Edition)

To upload the results of the PVS-Studio analysis it is enough to install at least one plugin from this list. Most users install only Sonar C++ Community, SonarC# or SonarJava. The rest plugins may be needed for more specific projects.

When choosing plugins, consider the fact that Community plugins aren't compatible with SonarCFamily. But if you use only SonarQube Community Edition, there will be no such problem.

New Settings Page

Previously, one could configure the analyser only through the configuration file sonar-project.properties. There are no complaints about this method. It's very convenient and is used 99% of time, but we've made an additional settings page in Administration > Configuration > PVS-Studio on SonarQube's server side, as it can be a preferably used for some scenarios.

The settings page looks like this:

When setting configurations in two ways, the ones specified in the file sonar-project.properties are of highest priority.

Plugin for IntelliJ IDEA

Releases of new IntelliJ IDEA and PVS-Studio versions differ in dates. Recently we've had a situation when IntelliJ IDEA 192.* was released but the PVS-Studio plugin couldn't be installed in it. In this release, we've added support for the latest IntelliJ IDEA versions, as well as refinements to avoid similar problems in the future.

Plugins for Jenkins

PVS-Studio Plugin

PVS-Studio Plugin is meant for publishing reports of the PVS-Studio analyser results in the Jenkins continuous integration system in the HTML format. Previously, this plugin was only available to Windows users because it called the report converter automatically and did it only for Windows. In PVS-Studio 7.04, the plugin supports only HTML-reports that have to be generated in a single step, but this measure made the plugin cross-platform.

Warnings NG Plugin

For Jenkins, there is a useful plugin Warnings Next Generation Plugin for viewing analysis results from various tools. We've recently added PVS-Studio support in it. The ability to load the PVS-Studio analysis results using this plugin became available in the 6.0.0, its release accidently coincided with the PVS-Studio 7.04 release:

Other Improvements

PVS-Studio_Cmd

PVS-Studio_Cmd.exe now has a special operational mode — credentials. This mode enables you to create a settings file and enter license information without using a GUI interface (for example, Visual Studio plugin or C and C++ Compiler Monitoring UI utility). This mode is especially relevant when used on a build server (where GUI utilities may be absent), in containers, when integrating with cloud solutions.

Analysis of Unreal Engine Projects

We added the option AutoloadUnrealEngineLog in the PVS-Studio plugin for Visual Studio which enables you to automatically upload the analyser report in the PVS-Studio output window after the analysis. Without this option, the log must be uploaded manually through the plugin menu.

Also the documentation section "Analysis of Unreal Engine projects" describes changes of standard build scripts that allow you to build and analyse in one action. Without scripts modifications (when adding the flag -StaticAnalyzer=PVSStudio to launch arguments) the project is only analysed, not built.

CLMonitor

For the CLMonitor utility, we've added the ability to monitor compiler runs for a specific process. This will let you monitor compiler runs, related only to a specific project, even during parallel builds of several projects. To work in this mode, the flags --parentProcessID %PID% (CLMonitor monitors processes child-related to the specified one) and --attach (CLMonitor monitors processes child-related to a current console) are used.

pvs-studio-analyzer

The --ignore-ccache flag is added in the pvs-studio-analyzer utility, which is meant for checking projects in Linux and macOS:

pvs-studio-analyzer analyze ... --ignore-ccache ...

If the ccache utility is used in a project build, PVS-Studio is operating in the incremental analysis mode. To check the entire project without resetting the cache of the ccache utility, choose this flag.

Additional links

Subscribe to be informed about our new publications:

1. Twitter: @Code_Analysis
2. Youtube: PVS-Studio
3. Facebook: @StaticCodeAnalyzer
4. Instagram: @pvsstudio
5. Telegram: PVS-Studio
6. RSS: viva64-blog-en

PVS-Studio:

1. PVS-Studio product page
2. Download
3. Documentation
4. Clients