PVS-Studio 7.25: support for latest versions of Qt Creator, Rider, and more
PVS-Studio 7.25 has been released. In this version, we added support for Qt Creator 10 and Rider 2022.2.3 (and higher), updated the libraries used by the analyzer, enhanced the documentation — and that's not all! See the details in the article.
Support for Qt Creator 10 and Rider 2022.2.3+
We released the previous PVS-Studio version almost simultaneously with the release of Qt Creator 10. Right after that, we received a lot of questions about whether we would make a plugin for the new version of this IDE. So, we are happy to announce that the PVS-Studio plugin for Qt Creator 10 is now officially available :). You can read more about it here.
The PVS-Studio plugin for Rider also got an update: now you can use the analyzer in Rider 2022.2.3 and higher.
Beta testing of new plugins for Qt Creator and Visual Studio Code with the ability to run the analysis
In mid-June, we also plan to start beta testing of new plugins for Qt Creator and Visual Studio Code. We improved their UI / UX and, most importantly, made it possible to analyze projects directly from the plugin. Moreover, we plan to add a feature that allows users to suppress analyzer warnings with the help of suppress files.
Here you can apply for participation in our Early Access Program. When the testing starts, we will send you links to plugins, installation instructions and, of course, a temporary license.
Updating dependencies: MSBuild and Roslyn
Usually, we update the analyzer dependencies after a new .NET version is released. First of all, this approach makes it possible to analyze C# projects that use the new SDK and the new language syntax. Another positive thing is the overall improvement of the Roslyn and MSBuild libraries used by the analyzer.
This time we decided to ignore the tradition and updated the dependencies in advance. Thanks to that, we fixed the error occurring in projects that use attributes for code generation. When it occurred, the analyzer issued the following message:
Can't get compilation for project: NameOfProject. You may have experienced an error due to the use of attributes for automatic code generation. Please contact our support team (https://pvs-studio.com/en/about-feedback).
If you have encountered this error, I strongly recommend downloading the new version of the analyzer.
Speeding up analysis on the 12th gen Intel processors
When checking C++ projects that use MSBuild, PVS-Studio did not use the full power of Intel's 12th generation processors (for example, i7-12700, i9-12900). Apparently, the analysis processes were running only on energy-saving cores, while the rest remained idle.
In the new version of PVS-Studio, the error has been fixed. Now the analyzer fully loads the processors and works much faster.
In this release, we have completely rewritten the documentation on analysis in commit and branch merge modes (pull/merge requests). We have also added separate documentation pages on running the analyzer in AppVeyor (here) and Buddy (here).
We have enhanced the documentation for integrating analysis results into SonarQube. The documentation now explains how to make the PVS-Studio C# analyzer "friends" with SonarQube on Linux and macOS. The page is available here.
Enabling individual diagnostics via pvsconfig
Sometimes users need to enable only one or a few rules from a whole group of diagnostics. Now you can manage them via pvsconfig files. Just disable the group and enable a specific diagnostic with the commands of the following kind:
For now, this feature is available only in the C++ analyzer, but in the next release we plan to implement it for the C# analyzer as well.
Explicit prioritization of pvsconfig files
Another new feature is the ability to explicitly prioritize pvsconfig files. It is useful when the settings of different configuration files conflict with each other. For example, one of the files disables a diagnostic, and the other turns it on.
If the pvsconfig files have different levels, when a conflict occurs, preference is given to the settings from a file of a lower level. So, the settings from pvsconfig of the solution level may overwrite the settings from pvsconfig of the global level. And the project level settings may overwrite the solution level settings.
Things are not so obvious if a conflict is detected between pvsconfig files of the same level (for example, there is a conflict between settings from two project-level pvsconfig files). In the latest release, it is possible to specify pvsconfig priorities. To do that, add the following line to the configuration file:
The smaller the number, the higher the priority of the file. So, in case of a conflict, settings from a file with priority 1 will overwrite settings from a file with priority 2.
If there is no directive, then priorities are set in lexicographic order depending on the file names.
Ignoring global settings for analysis and display of results (Settings.xml)
Sometimes our clients encounter conflicts between settings from two types of configuration files — Settings.xml and *.pvsconfig.
Settings.xml stores various global settings and display parameters in plugins. It also allows you to disable diagnostic groups, etc. These are the settings that a user can see and change in the Visual Studio plugin. You can learn more about Settings.xml here.
pvsconfig is more focused on configuring analysis and diagnostic rules. It allows you to change levels of warnings and messages, enable / disable groups and specific diagnostics, etc. pvsconfig can be unique for each project or solution — this allows you to configure the analysis of different components in various ways. You can find the documentation on pvsconfig files here.
The issue occurs in the following case. If a diagnostic is enabled in pvsconfig, but its messages are hidden in the plugin settings (Settings.xml), then the user will not see the warnings (regardless of whether the analyzer issues them). So, the programmer may not notice some warnings relevant to the project.
In PVS-Studio 7.25, it is now possible to specify a directive in the pvsconfig file of the solution level:
With this directive, a plugin for Visual Studio and PVS-Studio_Cmd.exe will completely ignore the settings (from Settings.xml) related to the analysis and selection of displayed warnings. Therefore, the analysis and display of warnings will be configured exclusively using pvsconfig files.
Note. For now, only the plugin for Visual Studio supports the 'V_IGNORE_GLOBAL_SETTINGS' directive. PVS-Studio plugins for other IDEs (for example, Rider or CLion) do not support the described behavior yet. Contact us if you would like to get similar features in the plugin for the IDE you are using.
Optimization group in the C# analyzer
In this release, we have added a new diagnostic group for C#. The first rule in this group is V4001. The group as a whole is dedicated to optimizing the source code. V4001 focuses on projects made with the Unity game engine. This diagnostic finds frequently executed code in which boxing occurs. You can read more about the V4001 rule in the documentation.
We plan to add even more diagnostics for improving and optimizing Unity-based projects. If you have any ideas on rules that would be useful for developers who use this game engine, feel free to contact us.
- V837. The 'emplace' / 'insert' function does not guarantee that arguments will not be copied or moved if there is no insertion. Consider using the 'try_emplace' function.
- V1098. The 'emplace' / 'insert' function call contains potentially dangerous move operation. Moved object can be destroyed even if there is no insertion.
- V1099. Using the function of uninitialized derived class while initializing the base class will lead to undefined behavior.
- V2020. The loop body contains the 'break;' / 'continue;' statement. This may complicate the control flow.
- V3190. Concurrent modification of a variable may lead to errors.
- V4001. Unity Engine. Boxing inside a frequently called method may decrease performance.
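The situation that V837 and V1098 describe, shown as an added example (not code from PVS-Studio or its documentation): a failed `emplace` may still consume a moved argument, whereas C++17 `try_emplace` guarantees it is left intact. The `SessionTable` type and the function names are hypothetical.

```cpp
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <utility>

// Hypothetical table used only for this illustration.
using SessionTable = std::map<int, std::unique_ptr<std::string>>;

// Pattern flagged by V837 / V1098: key 1 already exists, so nothing is
// inserted, yet the standard does not promise that `token` is untouched.
// Returns true if the caller's pointer survived the failed insertion.
bool survives_failed_emplace() {
    SessionTable table;
    table.emplace(1, std::make_unique<std::string>("first"));

    auto token = std::make_unique<std::string>("second");
    auto result = table.emplace(1, std::move(token));
    // result.second is false here; whether token is now null depends on
    // the standard library implementation (it may build the node first).
    return !result.second && token != nullptr;
}

// Corrected form: try_emplace does not move from its rvalue arguments
// when the key is already present, so ownership stays with the caller.
bool survives_failed_try_emplace() {
    SessionTable table;
    table.try_emplace(1, std::make_unique<std::string>("first"));

    auto token = std::make_unique<std::string>("second");
    auto result = table.try_emplace(1, std::move(token));
    return !result.second                      // no insertion happened
        && token != nullptr                    // caller still owns the object
        && *token == "second"
        && *result.first->second == "first";   // stored value unchanged
}

int main() {
    std::cout << std::boolalpha
              << "emplace:     token survived = "
              << survives_failed_emplace() << '\n'
              << "try_emplace: token survived = "
              << survives_failed_try_emplace() << '\n';
    return 0;
}
```

The first line of output varies between standard library implementations, which is exactly why code that relies on the object surviving a failed `emplace` is fragile.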
Spot an error in the Java code
In this release, the PVS-Studio team has prepared for you a new challenge on finding errors in the code. This time it is dedicated to Java. You can find the challenge here. I'm sure you will flawlessly complete it :).
For C++ programmers:
For C# programmers:
- XSS vulnerability in the ASP.NET application: examining CVE-2023-24322 in mojoPortal CMS
- RavenDB and PVS-Studio: win-win collaboration
- BTCPay Server: top 10 bugs in Bitcoin payment processor code
- Top 10 C# conference talks 2019–2022
- NullReferenceException in C#. What is it and how to fix it?
- How static analysis works
- Do developers dream of secure apps?
- 5 reasons why static analysis is important for business
- Can code review be automated?
- SAST vs DAST
You can download the latest version of PVS-Studio here.
If you'd like to receive press releases by email, subscribe to PVS-Studio newsletter.