PVS-Studio 7.18: updates and enhancements

13 Apr 2022

Meet the latest PVS-Studio release, 7.18. This article describes how we improved the analysis of modern C++, the search for security defects from the OWASP Top 10 list, and a new feature for embedded developers.


You can find more security defects: PVS-Studio covers 9 out of 10 categories from the OWASP Top Ten 2021

We continue developing PVS-Studio as a SAST solution. This allows our clients to find even more potential vulnerabilities.

One of our main directions is the development of security diagnostics to find defects from the OWASP Top 10 2021 list. Now PVS-Studio covers 9 out of 10 categories of this list. You can find the mapping of PVS-Studio diagnostics rules to OWASP Top 10 categories here.

One category remains uncovered: A06:2021. One way to cover it is to make the analyzer look for components with known vulnerabilities in projects. In other words, PVS-Studio should perform software composition analysis (SCA).

We want to add SCA to the C# analyzer first. We plan to do this in one of our future releases.

New compiler monitoring mode on Windows: it catches all compiler launches

The compiler monitoring system allows users to perform build-system-independent analysis of C and C++ projects on Windows. The only requirement is that PVS-Studio supports the compiler used in the project.

However, the monitoring system had a drawback: if a compiler process finished quickly, the system could not always catch it. As a result, PVS-Studio did not analyze files whose compilation it failed to intercept.

Developers who write code for embedded platforms encountered this problem most often.

The new analysis mode solves this problem: it allows PVS-Studio to intercept all compiler launches, regardless of how quickly the code compiles.

We described the new mode in more detail in the documentation.

PVS-Studio and Visual Studio Code

You can work with the PVS-Studio reports in Visual Studio Code. To do this, follow the steps:

  • install the Sarif Viewer plugin;
  • convert the log to SARIF format;
  • open the analyzer report.

We described these steps in detail in the documentation.

You can't run the analysis directly from Visual Studio Code yet. If you would like such a feature to be added, please contact us. Based on the feedback, we will assess how much this functionality is in demand.

Deeper analysis of C++ code

We have updated the type system in the C++ analyzer. Now PVS-Studio understands modern C++ better: the standard library, complex constructions, templates. Diagnostics have become more accurate, which means they find more unsafe places and issue fewer false positive warnings.

More details are in the talk.

PVS-Studio integration with CMake and GitHub Actions

In the new documentation sections, we described how PVS-Studio can be integrated into GitHub Actions and CMake.

New diagnostics

C, C++

  • V1079. Parameter of 'std::stop_token' type is not used inside function's body.
  • V1080. Call of 'std::is_constant_evaluated' function always returns the same value.
  • V1081. Argument of abs() function is minimal negative value. Such absolute value can't be represented in two's complement. This leads to undefined behavior.
  • V1082. Function marked as 'noreturn' may return control. This will result in undefined behavior.
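As an added illustration of the V1081 case (example code written for this article's edit, not taken from the PVS-Studio article or the diagnostic's own documentation): on a two's complement int, abs(INT_MIN) has no representable result, so the call is undefined behavior; the checked and widened variants below avoid it. Function names such as `checked_abs` and `widened_abs` are assumed for this example.

```cpp
#include <climits>
#include <cstdlib>
#include <optional>

// The pattern V1081 warns about: INT_MIN is -2147483648 but INT_MAX is
// 2147483647, so std::abs(INT_MIN) cannot produce a valid int and the call
// is undefined behavior. Kept here only to document the defect; the checks
// below never reach it with INT_MIN.
int unchecked_abs(int v) {
    return std::abs(v);
}

// Hardened form 1: refuse the single value whose magnitude does not fit.
// Returns std::nullopt for INT_MIN instead of invoking UB.
std::optional<int> checked_abs(int v) {
    if (v == INT_MIN) {
        return std::nullopt;
    }
    return v < 0 ? -v : v;   // -v is well defined for every other int
}

// Hardened form 2: widen to a type that can hold +2147483648.
long long widened_abs(int v) {
    return std::llabs(static_cast<long long>(v));
}

// Caller that reports whether the absolute value of v is representable as
// int; this is the edge case a reviewer must check before calling abs().
bool abs_fits_in_int(int v) {
    return checked_abs(v).has_value();
}
```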

C#

  • V5619. OWASP. Possible log injection. Potentially tainted data is written into logs.
  • V5620. OWASP. Possible LDAP injection. Potentially tainted data is used in a search filter.
  • V5621. OWASP. Error message contains potentially sensitive data that may be exposed.

To read, watch, and evaluate

To read

Since the last release, we have checked the code quality of several open-source projects:

We found more evidence that static analysis is best used regularly. How? You can find the details here; in short, the process looks like this:

  • developers write new code for open-source projects;
  • we analyze it with PVS-Studio;
  • we look at the analyzer reports and find errors that developers missed;
  • we write about errors in our blog.

Some of the issues found are reviewed in the following articles:

In addition, we wrote articles about security. We described the defects associated with the processing of XML files, namely:

  • what vulnerabilities look like in the code;
  • how to perform an attack on the application with a vulnerability;
  • what are the consequences.

We wrote about this in two articles:

Check out more articles in our blog.

To watch

We not only write articles, but also make videos. These are new videos on our YouTube channel:

To evaluate

If you don't have a trial key

Do you want to evaluate PVS-Studio? Follow 3 simple steps:

  • request a trial key;
  • download a distribution;
  • check a project.

This page will help you go through all the steps. Don't forget to leave your feedback. :)

If you have a trial key

You can download the latest version of PVS-Studio here.
