PVS-Studio 7.12 New Features for Finding Safety and Security Threats

Mar 11 2021

Security. What does this word mean to you? Nowadays, companies spare no effort to ensure that their product is secured from hacking and all sorts of information leaks. PVS-Studio decided to help its users and expand the functionality in this area. Therefore, one of the main innovations of the upcoming release will be the introduction of new analyzer features that help ensure code safety and security. This article aims to present these features.


A few words about us in terms of safety and security

At the moment, PVS-Studio is developing not only as a static analyzer searching for code quality defects (a quality control solution) but also as a solution for searching for security and safety defects. In the security context, the PVS-Studio analyzer is a SAST tool. SAST (Static Application Security Testing) is a type of static code analysis aimed at finding potential security vulnerabilities. Such an analysis can reveal a large number of flaws, including those that haven't manifested themselves yet. Safety is another area, focused on ensuring the reliability and fault tolerance of programs.

As the title of the article suggests, we are expanding the PVS-Studio functionality in these areas. Previously, there were various tables on our site mapping our diagnostics to safety and security standards. However, this was inconvenient because the information did not get directly into the analyzer report. Now we are making these analyzer features more user-friendly (for example, by integrating this information into the interfaces of our IDE plugins). What is more, we are expanding the existing database by supporting new standards. PVS-Studio was mentioned in the report Static Application Security Testing, Q3 2020 by Forrester Research, one of the leading researchers of the impact of new and innovative technologies on business processes and the market. That fact gave us an additional impetus to improve the analyzer features. You can read more about this and how we have developed as a SAST and safety solution here.

New features

Well, to waste no time, let's point out the additions right away. So, here is what's new, safe, and cool in PVS-Studio:

  • New diagnostic groups OWASP ASVS and The AUTOSAR C++14 Coding Guidelines have been added to the analyzer. Previously, the compliance of PVS-Studio diagnostic rules with these standards was available only on our website. Now we have more than 50 new diagnostic rules!
  • Now the analyzer shows information about the compliance of the warnings with the SEI CERT Coding Standard. This information formerly was available only on the PVS-Studio website.
  • The interface of our plugins for Visual Studio, JetBrains Rider, and IntelliJ IDEA has been improved to ease the work with analyzer messages that have safety and security standards identifiers.
  • PlogConverter now supports the new diagnostic groups (OWASP, AUTOSAR).
  • New diagnostics (OWASP, AUTOSAR) are supported in SonarQube at the tag level. We classified our diagnostic rules by OWASP Top 10.

Note. Previous versions already supported security standards such as MISRA C:2012 and MISRA C++:2008. At the time of writing, 74 diagnostic rules have been implemented for them.

We also support the compliance of our diagnostics with the most common classification of potential vulnerabilities – CWE (Common Weakness Enumeration). We already have 514 diagnostics that fit this classification.

New diagnostic groups

Let's talk a little bit about the new diagnostic groups (OWASP and AUTOSAR), which we previously had only on our site in the form of mapping tables. The new release of PVS-Studio 7.12 includes diagnostics from these standards in separate groups of rules with their own numbers, documentation, and all the other things inherent in our diagnostic rules. That is, when checking a project, the analyzer issues warnings for the new groups just as it does for other warnings. Previously, among all the security and safety rules, only the PVS-Studio diagnostics corresponding to the MISRA C and C++ standards had separate groups.

Actually, what's the meaning of these unusual words: OWASP, AUTOSAR? Let's clarify the situation a bit.

The AUTOSAR C++14 Coding Guidelines is a set of guidelines for writing code in C++14. The set is intended for systems where security and fault tolerance are important. This document is mainly used in the automotive industry. However, it can also be used in other industries dealing with the development of embedded systems.

For this standard, we created a separate group with numbers from 3500 to 3999. You can view the comparison of these diagnostics with the AUTOSAR standard here.

The OWASP Application Security Verification Standard is a list of application security requirements and tests that can be used by software architects, developers, testers, application security specialists, vendors, and users of tools for developing, building, testing, and verifying secure applications.

As you understand, unlike the AUTOSAR standard, OWASP ASVS is not tied to any particular language. That is why we've implemented diagnostics of this type in all the languages we analyze (C, C++, C#, Java). These diagnostic rules received their own group and numbers from 5000 to 5999.

Now let's move on to CERT. The SEI CERT Coding Standard is a set of software writing standards for improving the reliability and security of software in C, C++, Java, and Perl. These standards are developed by the CERT Coordination Center (CERT/CC). You can find their comparison with the rules of PVS-Studio here.

However, in the case of CERT, we did not create a new group of diagnostics, because a significant part of our General Analysis rules falls under this standard. But don't worry. You will still see that a diagnostic corresponds to a specific CERT rule: this information is added to the analyzer report in the same way as for OWASP ASVS or the AUTOSAR C++14 Coding Guidelines.

At the same time, we continue to support standards such as MISRA C:2012 and MISRA C++:2008. These are software development standards whose main purpose is to improve the security, portability, and reliability of programs for embedded systems (see the mapping).

By the way, we don't want to stop there. Our team will make more and more new diagnostics aimed at finding safety and security errors. PVS-Studio Roadmap 2021 also includes our plans for 2021.

Just open plugins

Well, we've added new diagnostics. Are you curious to see the result? You'll definitely find it in our plugins! To date, we display information about security standards in plugins for three IDEs. These are Visual Studio (for versions from 2010 to 2019), JetBrains Rider, and IntelliJ IDEA. In order for the plugins to display these new warnings, the following improvements were made:

  • A new SAST column was added. It displays all the information about MISRA C:2012, MISRA C++:2008, The AUTOSAR C++14 Coding Guidelines, OWASP ASVS, and the SEI CERT Coding Standard carried by the warnings.
  • The MISRA column was removed. Now all this information is shown in the SAST column. The same column will be used in the future as we add support for new standards.
  • Buttons for the new standards were added. They allow you to hide the corresponding warnings from the display. In the settings, an option to disable/enable the diagnostic rules of these categories completely or partially was added.

Here are a couple of pictures to give you an idea of what it looks like. In the plugin for Visual Studio 2019, it looks as follows:

[Screenshot: the SAST column in the Visual Studio 2019 plugin]

We added the same functionality in Rider and in IntelliJ IDEA. This is what it looks like in Rider:

[Screenshot: the SAST column in the JetBrains Rider plugin]

PlogConverter

We haven't forgotten our utility that converts reports to various formats. Now all the formats to which reports can be converted support OWASP and AUTOSAR. Let's take FullHtml, perhaps the most commonly used conversion type, as an example. This type allows you to view the report in a browser. It's nice and convenient if you can't work directly with the plugin in your development environment. Plus, it's easy to send such a report, or a link to it, by mail.

We quickly got the desired file, so let's take a look at it. As you can see, there's a new Total Warnings (OWASP) field in the header. It indicates the number of potential errors from this category:

[Screenshot: FullHtml report header with the Total Warnings (OWASP) field]

This is how the SAST column itself is displayed:

[Screenshot: the SAST column in the FullHtml report]

SonarQube

Now, I'd like to say a few words about our integration with SonarQube. We provide the plugin that allows you to add messages found by the PVS-Studio analyzer to the SonarQube server message database. Further, you can filter messages, navigate through the code for error analysis, analyze the dynamics of the number of errors, evaluate the quality level of the project code, and so on.

Now we are expanding the capabilities of our plugin by adding tags for diagnostics belonging to the OWASP and AUTOSAR groups. This is what the OWASP messages look like:

[Screenshot: OWASP-tagged messages in SonarQube]

Also, we classified our diagnostic rules by the OWASP Top 10. The OWASP Top 10 is a ranking of the most dangerous attack vectors against web applications. Each item in this ranking has a description and examples of attack scenarios, as well as links to the rules from the OWASP ASVS standard and the CWE entries that apply to it. You may check one of the items in the ranking.

The OWASP Top 10 includes vulnerabilities such as:

  • injections;
  • broken authentication;
  • sensitive data exposure;
  • XML external entities;
  • broken access control;
  • security misconfiguration;
  • cross-site scripting;
  • insecure deserialization;
  • using components with known vulnerabilities;
  • insufficient logging and monitoring.

In SonarQube, it is displayed here:

[Screenshot: OWASP Top 10 categories in SonarQube]

It is displayed similarly to CWE, which you can also see in the screenshot. We use a special Security Category tab for this. Here is an example of what a filled CWE category looks like:

[Screenshot: a filled CWE category in the SonarQube Security Category tab]

Conclusion

Obviously, this release was quite intense. The analyzer has received new diagnostic groups for the OWASP ASVS and the AUTOSAR C++14 Coding Guidelines. In addition, analysis results now contain information about the warnings' compliance with the SEI CERT Coding Standard. The interface of our plugins for Visual Studio, JetBrains Rider, and IntelliJ IDEA has been improved to make it easier to work with analyzer messages that now carry safety and security standard identifiers. Moreover, PlogConverter and SonarQube learned how to work with the new diagnostic groups (OWASP, AUTOSAR). All this is about the safety and security direction!

It is very important. After all, eliminating all kinds of vulnerabilities at the software development stage reduces the chance of security threats in the future. Thanks to this, the company won't suffer financial losses and reputational damage. Therefore, we try to help our users avoid problems related to safety and security.

Be happy and keep an eye on your code. Thank you for your attention!
