>
>
>
PVS-Studio for Visual Studio 2022

Valery Komarov
Articles: 12

PVS-Studio for Visual Studio 2022

The PVS-Studio team writes articles on various topics. But we rarely make articles on how to interact with the analyzer. Let's fix it with an article about the PVS-Studio plugin for the Visual Studio 2022 environment.

What is static code analysis and why do we need it?

Static code analysis is a process of detecting errors and flaws in the program's source code. In general, static analysis is an automated code review process. A joint code review is a wonderful methodology. But it also has a drawback — it costs too much. Developers have to regularly gather to inspect new code or re-inspect the changed one.

On the one hand, regular code reviews are necessary. On the other hand, they're too expensive. A compromise solution is static code analysis tools. They process the program's source code non-stop and recommend the developer to pay special attention to certain code fragments. Of course, the tool won't replace a real code review with a team of developers. However, the price/benefit ratio makes static analyzers a very effective practice used by many companies. If you are interested in numbers, you can read the "PVS-Studio ROI" article.

There are lots of paid and free static code analyzers. Their list is available on Wikipedia: List of tools for static code analysis. The list of languages available for static code analysis is also long — C, C++, C#, Java, Ada, Fortran, Perl, Ruby, etc. Of course, this article is only about the PVS-Studio analyzer.

The main advantage of static analysis — it reduces the cost of fixing program defects. The earlier the error is detected, the lower the cost of fixing it. Steve McConnell in "Code Complete" introduces the following data: correcting an error at the system test stage will cost ten times more than at the construction stage:

Static analysis tools identify a large number of errors at the construction stage. This significantly reduces the cost of the development process. For example, the PVS-Studio static code analyzer runs in the background right after compilation. If the analyzer finds an error, it notifies the developer. Below, this mode is described in detail.

The PVS-Studio static code analyzer

PVS-Studio is a static analyzer that detects code errors and potential vulnerabilities. It works with C, C++ (including C++/CLI and C++/CX extensions), C#, and Java languages. The analyzer is available for Windows, Linux, and macOS. The analyzer can be integrated into Visual Studio 2010 – 2022 , IntelliJ IDEA and Android Studio, JetBrains Rider, and CLion environments. In this article we take a look at the PVS-Studio analyzer for Visual Studio 2022. You can also read about using PVS-Studio in other IDEs:

After installing PVS-Studio and integrating into Visual Studio, users get the additional "PVS-Studio" item in the Extensions menu and a window to work with analyzer warnings.

Initial settings

The analyzer is ready to work right after the installation. In most cases, you don't need to configure anything to make the first launch. The only thing you may need to setup is to exclude third-party libraries. You are not going to fix the source files (for example, jpeg libraries) anyway, so there's no need to analyze it. Besides, if you exclude unnecessary folders, the analysis time will be reduced. You can exclude the directories here: Extensions > PVS-Studio > Options... > Don't Check Files > PathMasks.

If the full path to the file has one of the specified names, the file won't be analyzed. By default, the list already has names of some directories. However, your project may have the "zlib" library named as "zip_lib". That's why you need to edit the list. To start editing, click the button with three dots.

Examples of valid masks for the PathMasks list:

  • c:\Libs\ — excludes all the project files located in this folder and its subfolders.
  • \Libs\ or *\Libs\*— excludes all files located in those directories whose path contains the "Libs" subfolder. If the "*" characters are not specified, they will still be automatically added, so both options are valid.
  • Libs or *Libs* — excludes all files whose path contains 'Libs' as a name or name fragment, for example, c:\project\mylibs.cpp. To avoid confusion, always use backslashes.

Besides excluding entire folders, you can exclude individual files. The FileNameMasks setting can help with this. To find more information on how to work with exception lists, read the "Settings: Don't Check Files" documentation.

Project check

After configuring the analyzer, you can start checking the project. PVS-Studio for Visual Studio can check C++ (.vcxproj) and C# (.csproj) projects. You can also check the whole solution that contains projects of these types. To do this, go Extensions > PVS-Studio > Check > Solution.

It's also possible to run analysis only on certain projects and/or files selected in Solution Explorer. To do so, after choosing elements in Solution Explorer, right-click and select Analyze with PVS-Studio:

If you have difficulties with the check, you can read the "Can't check?" section on our website. These are not useless recommendations like "check that the plug is in the outlet". This section describes typical situations that our clients have contacted us with, and ways to fix it. If you haven't found a solution to your problem, contact our support.

Working with the analyzer's warnings list

After the check all the analyzer warnings will be displayed in a special window. This window has many control elements. All of them serve to display only those analyzer warnings interesting to the user. At first, the window may seem complicated. So, let's look at the control elements.

  • The PVS-Studio window.
  • Additional menu. Allows you to access options, such as marking the warning as false alarm, hiding messages, adding files to exceptions. We'll describe the latter below.
  • This button enables the "something went wrong" messages. For example, when one of the files cannot be preprocessed.
  • Go to the previous/next warning. This button opens the corresponding file, and the cursor is placed on a warning about the potential error. You can also double-click to select a diagnostic from the list. You can assign keyboard shortcuts to go to the previous/next warning. It's Alt+'[' and Alt+']' by default.
  • Buttons that enable warnings on different levels. The picture shows that all the diagnostic levels are enabled. The window shows 312 warnings on the first level, 1354 warnings on the second level, and 1405 warnings on the third level. The warning's level is shown in the left part of the window in a form of string with the corresponding color.
  • Active sets of diagnostic rules. General — general diagnostics. Optimization — micro-optimization. 64-bit — 64-bit diagnostics, OWASP — warnings of the OWASP ASVS standard or related to the OWASP Top 10. Now, not all diagnostic sets are displayed in the window.
  • This button shows the number of false positives. You can enable/disable display of marked warnings in settings: Extensions > PVS-Studio > Options... > Specific Analyzer Settings > Display False Alarms.
  • Quick filters. You can, for example, leave only the V501 diagnostics in the XYZ project.
  • Some diagnostics suggest considering not one but several lines that can be in different files. In this case, three dots appear next to the file name. If you click on it, you can see the list of lines in files and choose one. When you double-click on the list element, you'll go to this line in a file.

The table with the analyzer warnings has the following columns:

  • Level. This is a level of certainty that an error was found. 1st level (red) — the most suspicious places. 3d level (yellow) — most likely an insignificant inaccuracy in code;
  • Star. It has no specific purpose. Users can interpret it as they want. For example, they can mark the most interesting warnings for further analysis. This is similar to marking letters with stars in mail programs like Thunderbird or Outlook.
  • ID. A warning's unique number. It can be useful when you work with a long list. For example, you can go to the warning with a specific name (see the "Navigate to ID..." item in the dropdown menu). You can disable this column with the context menu.
  • Code. Warning's code. If you click on it, it will open a page with the warning description.
  • CWE. Allows to identify a warning by CWE ID (Common Weakness Enumeration). If you click on the link, you can view this CWE description on the Web. You can disable this column with the context menu.
  • SAST. The same functionality as above, but for the MISRA, AUTOSAR, SEI CERT, or OWASP standards. You can disable this column with the context menu.
  • Message. Text of the analyzer's warning.
  • Project. Project's name. You can disable this column with the context menu.
  • File. The file name. Note! Some file names have dots after them. For example: "FileName.cpp(...)". Click on the table cell with the file name, and you will get a list of all the code lines (these lines may be in different files) that relate to this warning. At the same time, it is possible to go to each of the lines in the list.
  • Line. The number of a line to which the warning was issued.
  • FA. It indicates that the analyzer warning is marked as false positive.

A long list. However, I assure you, once you try the tool, you'll quickly get used to it. You will rarely press any button to configure the analyzer.

Displaying Analyzer's Best Warnings

When you run the analyzer for the first time, the result may scare and/or confuse the developer — the analyzer's report may contain a huge number of warnings about potential errors and vulnerabilities. We took into account this scenario and added the Best Warnings mechanism to the plugin for Visual Studio. The button for enabling/disabling this mechanism is in the Additional Actions menu:

This mechanism calculates the best analyzer warnings using a number of criteria assigned to each diagnostic. You can find more information about this mechanism in the corresponding section of our documentation.

The analyzer's best warnings filter is designed for a more pleasant first acquaintance with PVS-Studio, so we do not recommend using it on a regular basis.

Dropdown menu

If you double-click on a warning, you go to the desired code fragment. If you right-click on a warning, you'll open the dropdown menu.

The menu is quite simple, so we won't overwhelm the article with its description. If something is unclear, you can look it up in the documentation.

Some items in the context menu have keyboard shortcuts, which allows you to process the analysis results more quickly and conveniently.

However, we should mention a very useful feature. Remember that in the settings you can add folders/files for exclusion. Adding something is much easier than it seems!

Note the item "Don't check files and hide all messages from...". If you click on it, it displays a list of paths that can be added to exceptions.

You can select one file or the whole directory. The picture shows that we chose the "Sources\Sandbox.Game\Game\Entities" folder. This means that all files in this folder and its subfolders are excluded from the analysis. Moreover, all the messages related to these files will immediately disappear from the list. You don't need to restart the analysis to remove all the messages related to test files.

Incremental analysis mode

This article wouldn't be complete if we didn't tell you about incremental analysis.

The earlier we find an error, the lower the cost of fixing it. It's great to search for an error in the edited program code. However, it's technically difficult and resource-intensive. That's why PVS-Studio starts running in the background when the edited code is compiled. Thus, the analyzer searches for errors in the changed files. The icon in the system notifications area implies that the analysis is running in the background.

When it finds an error, a notification appears and warns the developer.

If you click on the notification or an icon, the IDE with the analysis result opens, and you can inspect suspicious code fragments.

Actually, rather than reading about this mode, you should try it. You write code as usual. The analyzer will disturb you only when it's necessary. Try it!

The PVS-Studio developers constantly use this mode. Yes, we make mistakes when coding, too. The ability to fix them immediately reduces the time spent on detecting an error and trying to understand why the program does not behave as intended. It's a shame to spend 15-20 minutes on debugging and then find a typo in an index. Here's one of the cases when the PVS-Studio analyzer found an error in itself right after it appeared in code:

if (in[0] == '\\' && in[1] == '.' && in[1] == '\\')
{
  in += 2;
  continue;
}

Of course, the most interesting is yet to come. The PVS-Studio analyzer can be much more useful. Here's a review about our analyzer: "A user's experience of working with the analyzer". Read it, it's worth your time.

Let me summarize. Incremental analysis is something you should definitely try. You'll love it as soon as it finds a couple of errors in fresh code.

Intermodular analysis

The PVS-Studio analyzer for C# is built on Roslyn API, which performs intermodular project analysis. It's a bit more complicated with intermodular analysis of C++ projects. That's why we only recently implemented this feature in PVS-Studio. Intermodular analysis allows the analyzer to collect information about the whole project instead of each separate file. This allows to increase the analysis quality and accuracy. More detailed information about the features of the intermodular analysis of C++ projects in PVS-Studio can be found in the article "Intermodular analysis of C++ projects in PVS-Studio.".

PVS-Studio diagnostic rules

Let's be honest. It's impossible to briefly describe all the diagnostics in our analyzer. You can find the full list of diagnostics and their description by following the link: PVS-Studio Messages. In this article we'll show you a table where diagnostics are grouped by type. Some diagnostics belong to more than one group. The grouping is very conventional. For example, a typo can cause the use of uninitialized memory. Some errors were excluded from this list — they are too specific. Nevertheless, this table demonstrates PVS-Studio's functionality. Note: the table is too long, so here's a small screenshot. If you want to see the whole table, follow the link above or just click on the picture.

As you can see, the analyzer shows its full power when searching for typos and copy-paste. It's good at finding the problems related to code security.

If you want to see how it works on real projects, visit the error database page. This database has errors that we found when checking open-source projects.

SAST

PVS-Studio is a Static Application Security Testing (SAST) tool. The analyzer detects potential vulnerabilities in the project's code and shows the corresponding error identifier in a certain classification.

PVS-Studio supports the following error classifications:

You can enable the display of CWE/SAST codes by using the context menu and following this path: Show Columns > CWE / SAST.

Alternatively, you can enable it in the menu (Extensions > PVS-Studio > Display CWE Codes in Output Window / Display SAST Codes in Output Window)

MISRA/AUTOSAR/OWASP diagnostics are enabled separately in the settings:

You can read more about it here.

Checking projects from the command line

You can also run the PVS-Studio analyzer from the command line. To do so, use the PVS-Studio-Cmd.exe utility. Detailed information on the utility and its parameters can be found in the documentation.

This is how this utility looks like:

After execution, you receive a plog file with the report, the path to which we specified in the startup parameters. This report can be converted to other formats with PlogConverter.exe. To view the report in the IDE, just double-click on the plog file in explorer.

You can also open the report file in the extensions menu by following the path Extensions > PVS-Studio > Open/Save > Open Analysis Report...

Suppressing false positives

Some warnings issued by analyzer will inevitably be false positives. There's nothing we can do about it. A static analyzer is just a program that does not have artificial intelligence and cannot accurately determine whether it has found a real error or not.

To fight false positives, the analyzer provides a set of different mechanisms. They are described in the following sections of the documentation:

Conclusion

Of course, this is not even the half about our analyzer. If we start describing everything, then the article will turn into documentation. The goal was to show how easy it is to work with the tool within the Visual Studio environment. You can read about other environments and modes of operation in the documentation and other articles on our website. By the way, there are a lot of interesting things for developers there. Come visit.

Note that PVS-Studio doesn't work in the Microsoft environment exclusively. The analyzer also supports the Java language, works on Linux and macOS, can be integrated into CMake, and much more. Read more about it in documentation.

I wish clean code to you and hope you'd enjoy PVS-Studio. If you have any questions, we'll happily help you. Contact us.

Additional links