PVS-Studio 7.38: new C++ analyzer core, user annotations in Java, enhanced taint analysis, and more

Aug 14 2025

PVS-Studio 7.38 has been released. This version brings the new core for the C and C++ analyzer, the user annotation mechanism in the Java analyzer, enhanced taint analysis, and that's not all! See more details in this note.

You can download the latest PVS-Studio version here.

New core for C and C++ analyzer

The C and C++ analyzer got a new core with completely redesigned components like a parser, a semantic analyzer, and a type system. The new core provides more accurate handling of template constructs and better parsing of the standard library and code based on modern C++ standards. During the extended testing period (EAP), the new core demonstrated stable performance across a wide range of real-world projects.

To maintain backward compatibility, we've kept a temporary option to switch back to the previous core version. You can do this in several ways:

If you encounter any issues during analysis, we recommend contacting our technical support. Your feedback helps us accelerate the finalization of the new C and C++ analyzer core.

User annotations in Java analyzer

The PVS-Studio Java analyzer has been enhanced with user annotations, a mechanism for marking types and functions in JSON format to provide additional information to the analyzer. This feature was previously available only in the C and C++ analyzer.

Now you can annotate methods and constructors as sources, sinks, or validators of tainted data. This feature allows the analyzer to detect more vulnerabilities, each of which matches a separate diagnostic rule.

More details on user annotations can be found in the documentation.

Classification of diagnostic rules according to the MISRA standard

The PVS-Studio warning classification page for MISRA C and MISRA C++ now includes a version-based listing.

We continue to expand the coverage of the MISRA C 2023 standard and plan to finish it by the end of 2025.

More details on warning classification can be found in the documentation.

Enhanced taint analysis mechanism

We've improved taint analysis in the C and C++ analyzer. Now, taint tracking works correctly with the % operator, warnings are no longer skipped in the ReadFile function, and taint status handling in branches has been enhanced. These updates improve the detection of potential vulnerabilities related to unverified data.
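Why taint has to survive the % operator, as an added example (not PVS-Studio code or analyzer output): in C the remainder keeps the sign of the dividend, so an untrusted value reduced with % can still index before an array, and an untrusted divisor can be zero. The names read_untrusted, naive_index, lookup_checked and bucket_checked, the table and the inputs are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define SLOTS 8
static const int table[SLOTS] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Stand-in taint source: parses externally supplied text (constructed). */
static long read_untrusted(const char *text) {
    return strtol(text, NULL, 10);
}

/* The index a naive lookup would use. The remainder keeps the sign of the
   dividend, so a negative input gives a value in (-SLOTS, 0], and
   table[naive_index(v)] would read before the array. */
static long naive_index(long v) {
    return v % SLOTS;
}

/* Hardened lookup: normalise the remainder into [0, SLOTS) before indexing. */
static int lookup_checked(long v) {
    long idx = v % SLOTS;
    if (idx < 0)
        idx += SLOTS;
    return table[idx];
}

/* Hardened bucket selection when the divisor is untrusted too: reject zero
   and negative divisors instead of evaluating v % n. Returns -1 on reject,
   otherwise a bucket in [0, n). */
static long bucket_checked(long v, long n) {
    if (n <= 0)
        return -1;
    long r = v % n;
    return r < 0 ? r + n : r;
}

int main(void) {
    long v = read_untrusted("-3");            /* constructed sample input */
    long n = read_untrusted("0");             /* constructed sample input */
    printf("naive index:    %ld\n", naive_index(v));
    printf("checked lookup: %d\n", lookup_checked(v));
    printf("bucket (n=0):   %ld\n", bucket_checked(v, n));
    return 0;
}
```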

Breaking changes

These changes are not backward compatible with earlier versions of the analyzer. You may need to adjust how you use the analyzer due to these changes.

  • The message for the V1062 diagnostic rule has been changed when it is issued for = delete. As a result, previously suppressed warnings may reappear in the analyzer report.
  • Taint analysis has been extended to support additional diagnostic rules: V557, V609, V610, V1083, and V575. Previously suppressed warnings of the V5009 diagnostic rule may be reissued.
  • The syntax for describing method and constructor parameters in JSON annotations for the PVS-Studio C# analyzer has been changed. More details on the updated syntax can be found in the documentation.

New diagnostic rules

C and C++:

  • V2644. MISRA. Controlling expression of generic selection must not have side effects.
  • V2645. MISRA. The language features specified in Annex K should not be used.
  • V2646. MISRA. All arguments of any multi-argument type-generic macros from <tgmath.h> should have the same type.
  • V2647. MISRA. Structure and union members of atomic objects should not be directly accessed.
  • V2648. MISRA. Null pointer constant must be derived by expansion of the NULL macro provided by the implementation.
  • V2649. MISRA. All arguments of any type-generic macros from <tgmath.h> should have an appropriate essential type.
  • V2650. MISRA. Controlling expression of generic selection must have essential type that matches its standard type.
  • V2651. MISRA. Initializer using chained designators should not contain initializers without designators.

C#:

  • V3224. Consider using an overload with 'IEqualityComparer', as it is present in similar cases for the same collection element type.
  • V3225. A data reading method returns the number of bytes that were read and cannot return the value of -1.

Java:

  • V5333. OWASP. Possible insecure deserialization vulnerability. Potentially tainted data is used to create an object during deserialization.
  • V5334. OWASP. Possible server-side request forgery. Potentially tainted data is used in the URL.
  • V6132. It is possible that 'else' block was forgotten or commented out, thus altering the program's operation logics.

Useful videos for working with PVS-Studio

What is PVS-Studio?

In this video, we'll talk about the key concepts and aspects of the PVS-Studio static analyzer. You'll find out not just how PVS-Studio can help you, but also what mechanisms and approaches it uses.

You can watch it at this link.

How to integrate PVS-Studio analysis results into SonarQube

The PVS-Studio plugin allows you to add analyzer messages to the SonarQube message database. In the video, we'll show you how to integrate the PVS-Studio analysis results into SonarQube using a C++ project check as an example.

You can watch it at this link.

How to use PVS-Studio extension in Visual Studio Code

In this video, we'll take a closer look at an extension that enables you to use the PVS-Studio analyzer in Visual Studio Code.

You can watch it at this link.

How to work with PVS-Studio in the Visual Studio IDE

The PVS-Studio plugin for the Microsoft Visual Studio IDE provides a wide range of features. In this video, we'll show you how to install the analyzer, run the analysis on a project, and what settings may help you make the analysis more accurate.

You can watch it at this link.

Do you want to check a project with PVS-Studio? Then start from this page.

If you would like to get news on the latest releases, subscribe to the PVS-Studio newsletter here.
