PVS-Studio 7.20: Unreal Engine, SAST, SCA

• Short version
• Detailed version
  • Enhanced analyzer
  • New diagnostics
  • Miscellaneous

This press release is also a test of a new format: the main information is summarized. If you want more information — you can read sections with detailed description. Choose what you like more.

Short version

Security. We've covered all categories from the OWASP Top 10 2021: PVS-Studio has at least one diagnostic rule for each category. Also, PVS-Studio for C# now can search for dependencies with vulnerabilities — we've implemented software composition analysis (SCA).

Unreal Engine. The bug related to Unreal Engine's inability to find PVS-Studio by the default path is finally fixed. Starting from Unreal Engine 5.0.3. you you can analyze projects without any workarounds. We've also enhanced the analysis of UE projects: you'll see more true warnings and fewer false ones.

Cross-platform analysis for C and C++ projects. The pvs-studio-analyzer and CompilerCommandsAnalyzer utilities have been improved: now you can use them more conveniently. These utilities are described in the documentation.

Activities:

• Can you spot errors in the C# code? Let's see!
• Who are you in the C++ world? Find the answer!

Get a trial version or download PVS-Studio 7.20 here. Subscribe to the newsletter so as not to miss our new releases and articles.

Detailed version

Enhanced analyzer

OWASP Top 10 2021: search for security weaknesses from all categories

In the 7.20 release we've covered the last category from the OWASP Top 10 2021 – A06. Now PVS-Studio can search for security defects from all categories listed in the OWASP Top 10.

There's a special page where you can see the diagnostic rules that search for issues from each category.

SCA: check dependencies of C# projects for vulnerabilities

The application may be vulnerable if it uses dependencies with vulnerabilities. To search for "malicious" dependencies, developers use software composition analysis (SCA) tools.

PVS-Studio for C# now can search for such dependencies too. If the analyzer finds a dependency with a vulnerability — it issues a warning.

Read more in the documentation for the V5625 diagnostic rule.

Unreal Engine: more true warnings, fewer false ones

Starting from Unreal Engine 5.0.3 you can analyze UE 5 projects without any workarounds. Before this update, some users reported that UE couldn't find PVS-Studio by the default path. Now the bug is fixed.

Besides, now PVS-Studio better understands code of Unreal Engine projects. The analyzer now issues less false positives and understands more about types native for the engine. For example, about analogues for containers from the C++ standard library.

Here's the documentation about analysis of Unreal Engine projects.

Cross-platform analysis of C and C++ projects: enhanced utilities, new documentation

We've enhanced our utilities for cross-platform analysis of C and C++ projects — pvs-studio-analyzer and CompilerCommandsAnalyzer. For example, they better determine the compiler used in a project. If these utilities failed to determine the compiler's type right, you can specify it manually (see the '‑‑compiler' flag).

You can find their use case scenarios, command-line flags, and exit codes in the new documentation section.

New diagnostics

C, C++:

• V1086. Call of the 'Foo' function will lead to buffer underflow.
• V1087. Upper bound of case range is less than its lower bound. This case may be unreachable.
• V1088. No objects are passed to the 'std::scoped_lock' constructor. No locking will be performed. This can cause concurrency issues.
• V1089. Waiting on condition variable without predicate. A thread can wait indefinitely or experience a spurious wake up.

C#:

• V3177. Logical literal belongs to second operator with a higher priority. It is possible literal was intended to belong to '??' operator instead.
• V5624. OWASP. Use of potentially tainted data in configuration may lead to security issues.
• V5625. OWASP. Referenced package contains vulnerability.

Miscellaneous

Newsletters of the new versions and article digests. Subscribe so as not to miss new articles and releases. Once a month we'll send you a digest of the most interesting articles and every two months — an email about our new release with the new analyzer features.

If you want to know how we created our newsletter, read this article.

Can you spot errors in the C# code? Prior to that, our challenge was for C++ developers only. Now we released the game version for C#!

Here's a quick tutorial:

• 10 code fragments. All these fragments are taken from real projects;
• every code fragment contains an error. You have to find it in under 60 seconds;
• each correct answer scores you one point. Try to get the best result!

Play: C# edition, C++ edition.

Share these links with your teammates — let them try to beat your score ;)

PVS-Studio quiz: Who you are in C++. A small entertaining quiz that will show you who you are in the C++ world. Want to distract from your tasks for a couple of minutes and relax? This quiz is a great option to do so.

Take the quiz here.

What to read. Some articles that we've published since the previous release:

• Intermodular analysis of C++ projects in detail: part 1, part 2.
• Why do you need to delete arrays via delete[] in C++? The answer's here.
• This article will tell you about related variables and how we process them in data flow analysis of the C# code.
• And this article is for those who want to use PVS-Studio in their projects but can't get approval from their managers. We'll figure out the reasons for it and how to handle potential objections.

Download PVS-Studio 7.20 here. Want to evaluate the analyzer? Get a trial key :).

A small question in the end: how do you find this press release format?