PVS-Studio 7.26: running analysis in VS Code and Qt Creator, integration with DefectDojo, and more

PVS-Studio 7.26 has been released. Now you can run the analysis in plugins for VS Code and Qt Creator; upload the analysis results to DefectDojo, and more. In this note, we'll take a closer look at these and other enhancements.

Visual Studio Code and Qt Creator: running analysis and suppressing warnings

Now the PVS-Studio plugins for Visual Studio Code and Qt Creator support the analysis of C and C++ projects. Moreover, the plugins support mass suppression of analyzer warnings (with the help of suppress files). This mechanism enables you to hide warnings for legacy code and work only with new warnings. In this way, the integration of the analyzer into the project will be much easier. You can read more about it in the article: "How to introduce a static code analyzer in a legacy project and not to discourage the team".

Now you can analyze the projects that use the following build systems:

• Visual Studio Code: CMake
• Qt Creator: CMake, QMake, Qbs

You can find more detailed information in the documentation:

• PVS-Studio for Visual Studio Code
• PVS-Studio for Qt Creator

Integration with DefectDojo

Now PVS-Studio has integration with DefectDojo, the DevSecOps platform that helps teams manage the entire security workflow. Find out more details in the documentation.

Support for JDK 20 projects

The Java analyzer now supports projects that use JDK 20 and Java 20. It also maintains backward compatibility with all previous versions.

New features for C and C++ function annotations

Function annotations give PVS-Studio more data for analysis.

The C++ analyzer received an enhanced user annotation mechanism. Now you can write annotations for functions at any nesting level. Moreover, now it's possible to use the function name without specifying the class and namespace when annotating.

Here you can find the guidelines for user annotations.

New diagnostics

C++

• V838. Temporary object is constructed during lookup in ordered associative container. Consider using a container with heterogeneous lookup to avoid construction of temporary objects.
• V1100. Unreal Engine. Declaring a pointer to a type derived from 'UObject' in a class that is not derived from 'UObject' is dangerous. The pointer may start pointing to an invalid object after garbage collection.
• V1101. Changing the default value of a virtual function parameter in a derived class may result in unexpected behavior.

C#

• V3191. Iteration through collection makes no sense because it is always empty.
• V4002. Unity Engine. Avoid storing consecutive concatenations inside a single string in performance-sensitive context. Consider using StringBuilder to improve performance.
• V4003. Unity Engine. Avoid capturing variable in performance-sensitive context. This can lead to decreased performance.

Articles

For those who code in C#:

• Does C# always have boxing with string concatenation and interpolation?
• Ryujinx: re-checking the Nintendo Switch emulator using PVS-Studio
• Examining suspicious code fragments in AWS SDK for .NET
• Top 3 open-source games written in C#: searching for bugs

For those who code in C++:

• Heroes of Code and Magic: VCMI game engine analysis

For more articles, you can visit our blog.

**