Sergey Vasiliev

Apr 13 2022

Tags:

#Release

PVS-Studio 7.18: updates and enhancements

• You can find more security defects: PVS-Studio covers 9 out of 10 categories from the OWASP Top Ten 2021
• New compiler monitoring mode on Windows: it catches all compiler launches
• PVS-Studio and Visual Studio Code
• Deeper analysis of C++ code
• PVS-Studio integration with CMake and GitHub Actions
• New diagnostics
  • C, C++
  • C#
• To read, watch, and evaluate
  • To read
  • To watch
  • To evaluate

Meet the latest PVS-Studio release — 7.18. This article will tell you about how we improved the analysis of modern C++, the search of security defects from the OWASP Top 10 list, and a new feature for embedded developers.

You can find more security defects: PVS-Studio covers 9 out of 10 categories from the OWASP Top Ten 2021

We continue developing PVS-Studio as a SAST solution. This allows our clients find even more potential vulnerabilities.

One of our main directions is the development of security diagnostics to find defects from the OWASP Top 10 2021 list. Now PVS-Studio covers 9 out of 10 categories of this list. You can find the mapping of PVS-Studio diagnostics rules to OWASP Top 10 categories here.

One category remained uncovered – A06:2021. One of the ways to cover this category is to make the analyzer look for components with known vulnerabilities in projects. In other words, PVS-Studio should perform the software composition analysis (SCA).

We want to add SCA to the C# analyzer first. We plan to do this in one of our future releases.

New compiler monitoring mode on Windows: it catches all compiler launches

Compiler monitoring system allows users to perform build-system independent analysis of C and C++ projects on Windows. All that matters is that PVS-Studio should support the compiler used in the project.

However, the monitoring system had a drawback: if the compiler process was completed quickly, the system could not always catch it. Due to this, PVS-Studio did not analyze files whose compilation could not be intercepted.

Most often, developers who write code for embedded platforms have encountered that problem.

The new analysis mode solves the problem described. New mode allows PVS-Studio intercept all compiler launches. It doesn't matter whether the code is compiled quickly or not.

We described the new mode in more detail in the documentation.

PVS-Studio and Visual Studio Code

You can work with the PVS-Studio reports in Visual Studio Code. To do this, follow the steps:

• install the Sarif Viewer plugin;
• convert the log to SARIF format;
• open the analyzer report.

We described these steps in detail in the documentation.

You can't run the analysis directly from Visual Studio Code yet. If you would like such a feature to be added, please contact us. Based on the feedback, we will assess how much this functionality is in demand.

Deeper analysis of C++ code

We have updated the type system in the C++ analyzer. Now PVS-Studio understands modern C++ better: the standard library, complex constructions, templates. Diagnostics have become more accurate, which means they find more unsafe places and issue fewer false positive warnings.

More details — in the talk.

PVS-Studio integration with CMake and GitHub Actions

In the new documentation sections, we described how PVS-Studio can be integrated into GitHub Actions and CMake.

New diagnostics

C, C++

• V1079. Parameter of 'std::stop_token' type is not used inside function's body.
• V1080. Call of 'std::is_constant_evaluated' function always returns the same value.
• V1081. Argument of abs() function is minimal negative value. Such absolute value can't be represented in two's complement. This leads to undefined behavior.
• V1082. Function marked as 'noreturn' may return control. This will result in undefined behavior.

C#

• V5619. OWASP. Possible log injection. Potentially tainted data is written into logs.
• V5620. OWASP. Possible LDAP injection. Potentially tainted data is used in a search filter.
• V5621. OWASP. Error message contains potentially sensitive data that may be exposed.

To read, watch, and evaluate

To read

Since the last release, we have checked the code quality of several open-source projects:

• Barotrauma (C#);
• Eto.Forms (C#);
• Ogre3D (C++);
• MuditaOS (C++).

We found several proofs why static analysis is better to use regularly. How? You can find the details here, in short — the algorithm is something like this:

• developers write new code for open-source projects;
• we analyze it with PVS-Studio;
• we look at the analyzer reports and find errors that developers missed;
• we write about errors in our blog.

Some of the issues found are reviewed in the following articles:

• How PVS-Studio prevents rash code changes, example N3
• How PVS-Studio prevents rash code changes, example N4

In addition, we wrote articles about security. We described the defects associated with the processing of XML files, namely:

• what vulnerabilities look like in the code;
• how to perform an attack on the application with a vulnerability;
• what are the consequences.

We wrote about this in two articles:

• Why does my app send network requests when I open an SVG file?
• Vulnerabilities due to XML files processing: XXE in C# applications in theory and in practice

Check out more articles in our blog.

To watch

We not only write articles, but also make videos. These are new videos on our YouTube channel:

• Using PVS-Studio with JetBrains Rider
• Mistakes and suspicious code fragments — or how the static analyzer checked .NET 6
• How to make code reliable and secure [The MISRA standard and PVS-Studio]
• 10 C# tips for beginners

To evaluate

If you don't have a trial key

Do you want to evaluate PVS-Studio? Follow 3 simple steps:

• request a trial key;
• download a distribution;
• check a project.

This page will help you go through all the steps. Don't forget to leave your feedback. :)

If you have a trial key

You can download the latest version of PVS-Studio here.