Meet the latest PVS-Studio release — 7.18. This article will tell you about how we improved the analysis of modern C++, the search of security defects from the OWASP Top 10 list, and a new feature for embedded developers.
We continue developing PVS-Studio as a SAST solution. This allows our clients find even more potential vulnerabilities.
One of our main directions is the development of security diagnostics to find defects from the OWASP Top 10 2021 list. Now PVS-Studio covers 9 out of 10 categories of this list. You can find the mapping of PVS-Studio diagnostics rules to OWASP Top 10 categories here.
One category remained uncovered – A06:2021. One of the ways to cover this category is to make the analyzer look for components with known vulnerabilities in projects. In other words, PVS-Studio should perform the software composition analysis (SCA).
We want to add SCA to the C# analyzer first. We plan to do this in one of our future releases.
Compiler monitoring system allows users to perform build-system independent analysis of C and C++ projects on Windows. All that matters is that PVS-Studio should support the compiler used in the project.
However, the monitoring system had a drawback: if the compiler process was completed quickly, the system could not always catch it. Due to this, PVS-Studio did not analyze files whose compilation could not be intercepted.
Most often, developers who write code for embedded platforms have encountered that problem.
The new analysis mode solves the problem described. New mode allows PVS-Studio intercept all compiler launches. It doesn't matter whether the code is compiled quickly or not.
We described the new mode in more detail in the documentation.
You can work with the PVS-Studio reports in Visual Studio Code. To do this, follow the steps:
We described these steps in detail in the documentation.
You can't run the analysis directly from Visual Studio Code yet. If you would like such a feature to be added, please contact us. Based on the feedback, we will assess how much this functionality is in demand.
We have updated the type system in the C++ analyzer. Now PVS-Studio understands modern C++ better: the standard library, complex constructions, templates. Diagnostics have become more accurate, which means they find more unsafe places and issue fewer false positive warnings.
More details — in the talk.
In the new documentation sections, we described how PVS-Studio can be integrated into GitHub Actions and CMake.
Since the last release, we have checked the code quality of several open-source projects:
We found several proofs why static analysis is better to use regularly. How? You can find the details here, in short — the algorithm is something like this:
Some of the issues found are reviewed in the following articles:
In addition, we wrote articles about security. We described the defects associated with the processing of XML files, namely:
We wrote about this in two articles:
Check out more articles in our blog.
We not only write articles, but also make videos. These are new videos on our YouTube channel:
If you don't have a trial key
Do you want to evaluate PVS-Studio? Follow 3 simple steps:
This page will help you go through all the steps. Don't forget to leave your feedback. :)
If you have a trial key
You can download the latest version of PVS-Studio here.