PVS-Studio expands its support for the OWASP Top 10 list of the most common web application security risks. At the moment, 9 out of 10 categories are covered. We plan to extend the analyzer to the last remaining category, A6 Vulnerable and Outdated Components, in one of the upcoming releases by implementing SCA (Software Composition Analysis) capabilities in the PVS-Studio C# analyzer.
This release brings an improved and updated semantic analysis system to the PVS-Studio C and C++ analyzer, based on a new representation of the type system of the analyzed source code. The new type system representation significantly improves the analyzer's understanding of modern C++, with its complex expressions, templates, standard library, etc. Many analyzer rules will benefit from this: they can discover a greater variety and number of potentially dangerous code fragments, and they will make fewer mistakes. However, given the fundamental nature of this change, new false-positive messages may also appear. If you encounter such new false positives, please write to us. We always strive to fix any remaining analyzer mistakes as soon as possible.
The PVS-Studio compiler monitoring system for Windows introduces a new 'wrapping' trace mode based on IFEO (Image File Execution Options) settings. Compiler monitoring is an all-round way of 'seamless' integration into any build system, as long as that build system uses one of the compilers supported by PVS-Studio. The new mode requires additional configuration before it can be used, which makes it a bit harder to set up. However, it solves a significant flaw of the monitoring system: skipping of short-lived processes. This flaw is especially devastating when monitoring is used to trace the compilation of C code for embedded platforms. The new wrapping mode makes it possible to use compiler monitoring in such scenarios without skipping a single source file.
A new section of the documentation contains instructions on working with PVS-Studio analysis results in the Visual Studio Code editor. Because the analyzer report can be converted to the universal SARIF format, it can also be loaded into Visual Studio Code with the help of the SARIF Viewer extension.