Vladislav Bogdanov

Feb 20 2025

Tags:

#Release

PVS-Studio 7.35: MISRA C 2023 support, Qt Creator 15 plugin, and more

PVS-Studio 7.35 has been released. Support for the MISRA C standard, the plugin for Qt Creator 15.x, modified file analysis in Visual Studio, and that's not all! See more details in this note.

MISRA C standard coverage

We've begun work to expand the PVS-Studio's coverage of the MISRA C standard. With the release of 7.35, the first eight diagnostic rules have already been implemented, and more are on the way. The full list of implemented rules is provided below.

We plan to cover at least 85% of MISRA C and support the latest version of MISRA C 2023.

For more details on how PVS-Studio classifies warnings according to MISRA, please check out this page.

Qt Creator 15.x plugin support & Discontinuation of 9.x support

The PVS-Studio plugin is now available for Qt Creator 15.x.

Qt Creator 15.0.0 has an issue when installing plugins for a specific user via the installation wizard—the installation path differs from the expected search path. This issue has been resolved in version 15.0.1.

We've also discontinued the plugin support for Qt Creator 9.x versions. We aim to maintain backward compatibility by supporting the latest plugin versions for all Qt Creator versions within two years of each release.

Modified file analysis mode in Visual Studio plugin

The modified file analysis mode has been added to the plugin for Visual Studio. This mode can help you analyze only files modified relative to the saved state of the project directory.

It serves as an alternative to incremental analysis and is particularly useful for checking Pull Requests.

In release 7.35, we've also introduced an additional option for this mode: you can analyze both files modified since the previous analysis run and files that still contain warnings from the previous run.

For more details, please consult the documentation.

C# analyzer optimization

The PVS-Studio team has optimized C# analyzer to handle code blocks with a large number of variable identifiers (500 or more). Previously, they could cause slowdowns during analysis.

Java and OWASP

Starting with the 7.34 release, the Java analyzer has focused on information security. By the 7.35 release, the tool covers 7 of the 10 OWASP Top Ten 2021 categories.

Currently, the analyzer can detect vulnerabilities in the following categories:

• A01:2021-Broken Access Control;
• A02:2021-Cryptographic Failures;
• A03:2021-Injection;
• A04:2021-Insecure Design;
• A05:2021-Security Misconfiguration;
• A07:2021-Identification and Authentication Failures;
• A09:2021-Security Logging and Monitoring Failures.

In future releases, we will continue to implement diagnostic rules to detect potential vulnerabilities from the OWASP Top Ten list.

Breaking Changes

These changes aren't backward compatible with earlier versions of the analyzer. You may need to adjust the way you use the analyzer due to these changes.

Changes: Java analyzer

• We've fixed the incorrect behavior of the arguments: ‑‑license-path in the Java analyzer core and licensePath in PVS-Studio plugins for Maven and Gradle. Now, license information is saved to the path specified in the parameter instead of the default license location. For more details, please consult the documentation.
• In version 7.34, the analyzer behaved incorrectly when there were no warnings in the report. The current version now generates an empty suppress file when there are no warnings to suppress in the report, using the ‑‑convert flag with the toSuppress value.

Changes: C and C++ analyzer

• The C and C++ analyzer core now displays the SAST identifier along with the MISRA standard version (2012 or 2023) in the warnings of the MISRA group diagnostic rules.

Change: MSBuild project analysis

Note. This change applies to analysis of C, C++, C# projects on Windows via PVS-Studio_Cmd and C# projects on Linux/macOS via pvs-studio-dotnet.

• The internal format of compilation dependency cache entries has been changed. We maintain backward compatibility with the old format.

New diagnostic rules

C, C++:

• V2626. MISRA C 2023 12.5. The sizeof operator should not have an operand which is a function parameter declared as 'array of type'.
• V2627. MISRA C 2023 17.13. Function type should not be type qualified.
• V2628. MISRA C 2023 21.15. Pointer arguments to the Standard Library function 'Foo' should be pointers to qualified or unqualified versions of compatible types.
• V2629. MISRA C 2023 21.16. Pointer arguments to the Standard Library function memcmp should point to either a pointer type, an essentially signed type, an essentially unsigned type, an essentially Boolean type or an essentially enum type.
• V2630. MISRA C 2023 6.3. Bit field should not be declared as a member of a union.
• V2631. MISRA C 2023 18.10. Pointers to variably-modified array types should not be used.
• V2632. MISRA C 2023 18.9. Object with temporary lifetime should not undergo array-to-pointer conversion.
• V2633. MISRA C 2023 5.5. Identifiers should be distinct from macro names.

C#:

• V3211. Unity Engine. The operators '?.', '??' and '??=' do not correctly handle destroyed objects derived from 'UnityEngine.Object'.
• V3212. Unity Engine. Pattern matching does not correctly handle destroyed objects derived from 'UnityEngine.Object'.
• V3213. Unity Engine. The 'GetComponent' method must be instantiated with a type that inherits from 'UnityEngine.Component'.
• V3214. Unity Engine. Using Unity API in the background thread may result in an error.
• V3215. Unity Engine. Passing a method name as a string literal into the 'StartCoroutine' is unreliable.
• V3216. Unity Engine. Checking a field for null may not work correctly due to implicit field initialization by the engine.
• V3217. Possible overflow as a result of an arithmetic operation.
• V4008. Unity Engine. Avoid using memory allocation Physics APIs in performance-sensitive context.

Java:

• V5310. OWASP. Possible command injection. Potentially tainted data is used to create OS command.
• V5311. OWASP. Possible argument injection. Potentially tainted data is used to create OS command.
• V5312. OWASP. Possible XPath injection. Potentially tainted data is used to create XPath expression.
• V5313. OWASP. Do not use the old versions of SSL/TLS protocols as it may cause security issues.
• V5314. OWASP. Use of an outdated hash algorithm is not recommended.
• V5315. OWASP. Use of an outdated cryptographic algorithm is not recommended.
• V5316. OWASP. Do not use the 'HttpServletRequest.getRequestedSessionId' method because it uses a session ID provided by a client.
• V5317. OWASP. Implementing a cryptographic algorithm is not advised because an attacker might break it.
• V5318. OWASP. Setting POSIX file permissions to 'all' or 'others' groups can lead to unintended access to files or directories.
• V5319. OWASP. Possible log injection. Potentially tainted data is written into logs.

Articles

For those, who code in C++:

• C++ programmer's guide to undefined behavior: part 11 of 11;
• How third-party libraries change code analysis rules
• Court is in session: Top 10 most notorious C and C++ errors in 2024
• C++ programmer's guide to undefined behavior: part 12 of 11;
• How frivolous use of polymorphic allocators can imbitter your life;
• PPSSPP or psp? Uncovering bugs from the past;
• Exploring Nau Engine codebase: pt.1.
• History of C and C++. Part two: standardization of C and C++, Qt, Clang, and Unreal Engine.

With this release, the long and fascinating series of articles on undefined behavior has reached its conclusion! Here's a link to the article aggregator—a convenient way to navigate through different parts of the series:

C++ programmer's guide to undefined behavior

For those, who code in C#:

• Top 10 errors found in C# projects in 2024;
• How to update library and get swamped with this task. Roslyn and PVS-Studio 7.34 update;
• .NET Digest #5;
• An ode to one diagnostic rule and to a couple more, or a Jellyfin check;
• Bugs and suspicious places in .NET 9 source code;
• Microsoft makes mistakes too. Let's check MSBuild.

For those, who code in Java:

• Top 10 most intriguing Java errors in 2024;
• Java, Taint, and SAST: What is it and why do we need it?;
• How to crash Minecraft with your mod.

Other articles:

• New diagnostic rules in PVS-Studio 7.34;
• How we added Apple Silicon support to analyzer (arm64);
• Grandma's recipe for mastering regular static analysis;
• Distributed build of Unreal Engine projects with Horde and UBA.

I'd like to highlight an article covering the changes over the past year: PVS-Studio in 2024. We highly recommend to read!

Video

How to use the PVS-Studio extension in Visual Studio Code

In this release, we've prepared a video tutorial demonstrating how to use our extension for Visual Studio Code, which includes:

• installing the extension
• running analysis for CMake, MSBuild, and Java projects
• handling analysis results.

Watch the tutorial here:

You can also read the text version of the tutorial in the documentation: Using PVS-Studio extension for Visual Studio Code.

"Terrible tips for a C++ developer" now available in PDF

Andrey Karpov's book "Terrible tips for a C++ developer" is now available in the PDF format! This humorous yet insightful collection dives into real situations from C++ programming practice that are better to avoid.

To get the book, simply subscribe to our article digest or Telegram bot—that's all! All the details are available at the link.

Subscribe to the PVS-Studio newsletter to receive the latest release news.

#Release

0

0

0

0

SHARE

Tags:

#Release

We can email you a selection of our best articles once a month