PVS-Studio in 2022

Polina Alekseeva

It's January 2023, which means it's time to look back at our achievements in 2022. In this article, we'll tell you what we accomplished and show you what features appeared in PVS-Studio in 2022. Let's go :).

Unreal Engine

Last year, we significantly enhanced the integration of PVS-Studio with Unreal Engine. Now the analyzer supports Unreal Engine 5. Besides, in version 5.0.3, the bug related to Unreal Engine's inability to find PVS-Studio by the default path was fixed.

The analyzer learned to work better with types specific to UE projects: for example, with types similar to containers from the C++ standard library. This helped reduce the number of false positives.

Now you can work with suppress files via PVS-Studio plugins for Visual Studio and JetBrains Rider (read more about it in the documentation). We also created a pull request that allows you to use more settings when working with UE projects.

Moreover, now you can check UE projects not only on Windows, but also on Linux. Updated documentation on using PVS-Studio with UE projects will help you deal with all this.

Best Warnings

The "Best Warnings" filter, which was significantly enhanced in 2022, will help you get started with the analyzer.

The PVS-Studio analyzer has a special filter that shows you the most interesting warnings issued on your project. The mechanism for selecting warnings is based on the analysis of various projects and the most common and dangerous warnings found in them.

This filter simplifies the first acquaintance with the analyzer report. Now you can view the most interesting warnings (which are most likely to point out errors) in just one click. There are no more than 10 warnings in the collection — you can quickly view them.

The "Best Warnings" filter is available in C and C++ Compiler Monitoring UI as well as in PVS-Studio plugins for:

  • Visual Studio;
  • Rider;
  • CLion;
  • IntelliJ IDEA.

Thus, "Best Warnings" allows you to instantly evaluate the tool's capabilities at the first analyzer run.

Plugins for Visual Studio Code and Qt Creator

In 2022, we added the PVS-Studio plugins for Visual Studio Code and Qt Creator. They significantly expand the possibilities of the cross-platform use of the analyzer.

As of now, you can only use these extensions to work with the PVS-Studio report: watch warnings, filter them, sort them in the grid, etc. You can't run the analysis yet, but we're planning to add this feature in upcoming releases.

Read more about the plugins in the documentation: Qt Creator and Visual Studio Code.

Cross-platform analysis of C and C++ projects

PVS-Studio has been supporting cross-platform analysis of projects (based on compile_commands.json or trace files) for quite a long time. However, some scenarios were not working well enough.

For example: you're developing a CMake-based cross-platform application on 3 platforms: Windows, Linux, and macOS. You want to analyze your project with PVS-Studio. You can do it thanks to the CMake module.

Feedback from our users helped us understand that the module worked incorrectly on Windows. That's why we fixed it at the beginning of 2022. Now you can integrate the analyzer more neatly into a CMake-based project on several platforms at once, and the documentation covers this use case.

Besides checking whole projects, users need to see the analyzer warnings issued on fresh code only. If you want that too, suppress the warnings on the existing code. Unfortunately, there were some pitfalls with the cross-platform use of this mechanism as well. We fixed these issues:

  • now suppress files of the JSON format work on all three supported platforms. You no longer need two sets of files — *.suppress for Windows and *.json for Linux/macOS;
  • we unified the algorithm that matches warnings in the analyzer report with the same warnings in JSON suppress files on different platforms. Previously, even if a warning was issued identically on all platforms, suppressing it on Windows did not stop it from being issued on Linux/macOS, and vice versa. Now it is enough to suppress the warning on any one of the supported platforms.

We also updated the cross-platform analysis utility. It has different names on different platforms: pvs-studio-analyzer (for Linux and macOS) and CompilerCommandsAnalyzer (for Windows). Now this utility better detects the compilers used in a project. Besides, you can now explicitly specify the name and type of the compiler. This is especially useful in embedded development, where compilers can have many different names. We described the use case scenarios for the utilities, their command-line flags and exit codes in the new documentation section.

Speaking of cross-platform support: as of now, the analyzer runs on Windows, Linux, and macOS on the x86_64 architecture. It is currently impossible to run the analyzer natively on the same operating systems under ARM (except for the C and C++ analyzer on ARM-based macOS: you can run it via Rosetta).

We're wondering if there are many people among our readers who want to natively use the analyzer on ARM. How critical is the build and analysis of projects on the ARM architecture for you?

Security

We keep developing PVS-Studio to identify potential vulnerabilities at the early stages of software development.

An application can be vulnerable if it uses dependencies with vulnerabilities. To search for such vulnerable application components, developers use software composition analysis (SCA) during development.

Now PVS-Studio can search for dependencies with known vulnerabilities in C# projects. To do this, it checks which components the application consists of. If it finds components with security weaknesses, it issues warnings.

In 2022, we covered the last category from the OWASP Top 10 2021 by implementing SCA. Now PVS-Studio can search for security weaknesses from all categories listed in the OWASP Top Ten 2021.

OWASP Top 10 is a regularly updated list of the most common and dangerous threats to the security of web applications. Here you can see the classification of PVS-Studio warnings according to OWASP.

Web

In 2022, we actively developed the C# analyzer for the needs of our users — and many of them are developing web applications. That's why we expanded the analyzer's functionality in web project analysis: now PVS-Studio performs deeper analysis of web applications.

The analyzer better understands the methods from ASP.NET Core. As a result, PVS-Studio can find more errors in code fragments and issues fewer false positives at the same time.

Besides, we taught PVS-Studio to analyze Blazor components. Now you can use the C# analyzer to check @code blocks in .razor files.

Embedded

In 2022, we fixed the issue with the analyzer skipping some short-lived processes while compiling C and C++ code. The compilation process could complete so quickly that the compiler monitoring utility could not intercept it and thus couldn't run the analysis on all compiled files. The embedded developers suffered from this issue the most.

We implemented a new compilation monitoring mode. Now it doesn't matter at all whether the code compiles quickly or not: the analyzer will trace all compilation processes anyway. By the way, we described in detail how we fixed this issue and covered the new mode in general in this article.

We also continue to add support for new compilers and enhance the work with already supported ones for C and C++ languages. In 2022, we added support for checking projects built with the C6000-CGT — a compiler for embedded systems by Texas Instruments. Besides, we enhanced the definition of the target platform for compilers of the QNX Momentics QCC family. We also supported the work of the C++ analyzer with the latest versions of QNX compilers.

Enhanced analysis

The most fundamental improvement of the C++ analyzer in 2022 was the update of the type system. By doing this, we laid the groundwork for further language support. Now PVS-Studio better understands modern C++: the standard library, complex language constructs, templates. The diagnostics became more accurate, and the analyzer can find even more issues.

If you want to know what our motives were for such a huge update for the C++ analyzer, as well as how we did it, you're welcome to read an article about that.

We keep enhancing and updating our C# analyzer. In 2022, we supported the analysis of projects on .NET 7 and C#.

Last year, we also added 44 new diagnostic rules for C++ and C# analyzers. The graph below illustrates how the number of diagnostic rules has been growing over the years.

For the C and C++ analyzer: V1077, V1078, V2017, V1079, V1080, V1081, V1082, V834, V835, V1083, V1084, V1085, V1086, V1087, V1088, V1089, V1090, V1091, V1092, V836, V2018, V2019.

For the C# analyzer: V3174, V5617, V5618, V5619, V5620, V5621, V3175, V3176, V5622, V5623, V3177, V5624, V5625, V3178, V3179, V3180, V3181, V3182, V3183, V5626, V5627, V5628.

The PVS-Studio reports are compatible with GitLab Code Quality

We continue making PVS-Studio reports more convenient. Last year, we added the ability to convert analysis results into a report compatible with GitLab Code Quality. Now you can control code quality within the GitLab ecosystem. The documentation describes how to do it.

Entertainment

In 2022, we wanted to cheer up our users with various kinds of interactivity: quizzes and games. We created a game where you can try to beat the analyzer at spotting code errors in C++ and C#.

We also made two quizzes to finally answer the most important questions: "Who are you in C++?" and "Who are you in C#?". By the way, you can get a prize after finding out the answer :). Moreover, on the eve of the Christmas holidays, we made a special quiz with one of the most riveting characters of this year: Bug!

If you want something more active, play our game and try to live a normal developer's working day — with deadlines, bugs and coffee breaks.

Conclusion

Well, we tried to tell you about all the new analyzer features that appeared in 2022. Some other enhancements, alas, remained "behind the scenes".

For example, we finally launched our newsletter with new releases and the latest articles on our blog. Subscribe to keep up with the latest news about our product.

You can find out more about all the changes included in the PVS-Studio releases in 2022 here.

What features would you like to see in PVS-Studio in 2023? Drop your ideas in the comments!