Codechecker

Latest version: v6.23.1

Safety actively analyzes 638388 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 2 of 13

6.22.1

:star2: Highlights
[fix][server] Fix webapp crash when using component filter

CodeChecker webapp was crashing when using the component filter, which has been fixed in this release. 3887

[doc] Make every second release highlight green 3882

6.22.0

:star2: Highlights

Further enhancements to speed up the store procedure
After another round of optimizations, `CodeChecker store` is ~2 times faster than in v6.21.0. Combined with the previous release, storing may be as much as 4 times faster than v6.20.0., with larger result directories seeing a greater degree of improvement.

This should allow those that use CodeChecker in CI loops to see fewer timeouts due to long storages, or lower timeout tresholds significantly.

Multiroot analysis
CodeChecker now supports an analysis mode where for each source file, it tries to find the closest compile_commands.json file up in the directory hierarchy starting from the source file.

If your project is structured such that multiple folders act as their own root folder (hence the name _multiroot_), CodeChecker should be able to support that out of the box. clangd and clang-tidy already works this way: https://clangd.llvm.org/installation.html#compile_commandsjson

This feature also affects the CodeChecker Visual Studio Code plugin, where analysis will be done on multiroot projects as well [Ericsson/CodecheckerVSCodePlugin113](https://github.com/Ericsson/CodecheckerVSCodePlugin/issues/113).

Previously the input of analysis must have been a compilation database JSON file. This PR supports the following new `CodeChecker analyze` invocations, as long as a corresponding compilation database file is found:

Analyze a single file.
CodeChecker analyze analyze.cpp -o reports

Analyze all source files under a directory.
CodeChecker analyze my_project -o reports

Support report annotations and add dynamic analyzer related annotations

CodeChecker is now able to parse additional fields from plist files especially relevant to dynamic analyses.
https://github.com/Ericsson/codechecker/blob/master/docs/analyzer/user_guide.md#dynamic-analysis-results


<dict>
<key>diagnostics</key>
<array>
<dict>
<key>category</key>
<string>unknown</string>
<key>check_name</key>
<string>UndefinedBehaviorSanitizer</string>
<key>report-annotation</key>
<dict>
<key>testcase</key>
<string>yhegalkoei</string>
<key>timestamp</key>
<string>1970-04-26T17:27:55</string>
</dict>
<key>path</key>
<array>
...
</array>
</dict>


![image](https://user-images.githubusercontent.com/23276031/227945494-e3583eaf-dc52-449f-b13e-ab48b0d94f57.png)

Unlike for static analyzers, the time of the detection can be a crucial piece of information, as a report may be a result of another preceding report. Users that record the timestamp of the detection and store it in CodeChecker under the new 'Timestamp' field will be able to sort reports by it. CodeChecker now also supports the 'Testsuite' field.

You can read more about this feature in its PR 3849, and the relevant docs PR 3871.

:exclamation: Backward incompatible changes
* [cmd] Remove some deprecated flags. [3823](https://github.com/Ericsson/codechecker/pull/3823)
* `CodeChecker checkers --only-enabled DEPRECATED.` Show only the enabled checkers. use CodeChecker checkers --details to list the checker status (enabled/disabled)
* `CodeChecker checkers --only-disabled.` use CodeChecker checkers --details to list the checker status.
* `CodeChecker cmd diff -s, --suppressed DEPRECATED.` Lists the suppressed reports.
Use the  `--review-status [REVIEW_STATUS [REVIEW_STATUS ...]]` flag to filter the results.
* `CodeChecker cmd diff --filter FILTER`       DEPRECATED. Filter diff results.
Use  the `--review-status [REVIEW_STATUS [REVIEW_STATUS ...]]` flag
                        to filter the results.
* `CodeChecker cmd sum  --disable-unique`  DEPRECATED. Use the '--uniqueing' option to get uniqueing results.
* [cmd] Remove the CodeChecker analyzer `--tidy-config flag` [3822](https://github.com/Ericsson/codechecker/pull/3822)
* `CodeChecker analyze [--tidy-config TIDY_CONFIG]` DEPRECATED and removed.
Use the `CodeChecker analyzers --analyzer-config clang-tidy` to list the analyzer options
Use e.g. `CodeChecker analyze --analyzer-config clang-tidy:WarningsAsErrors=true` to set a parameter.
Alternatively you can use .clang-tidy config files too
* [analyzer] Promote the missing checker warning to an error 3820
* If a checker name given to `--enable/--disable` is not recognized (usually because of a typo) by any of the analyzers, CodeChecker now emits an error. While we strongly advise you against it, you can demote this error to a warning, restoring the behaviour similar to previous releases, with the flag `--no-missing-checker-error` (3866).

:bug: Analyzer improvements
* ignore -fno-keep-inline-dllexport gcc option 3813
* Fix error using Clang option '-stdlib=libc++' 3808
* [fix] Fix a condition about checkers being compiler warnings 3838
* [analyzer] Promote the missing checker warning to an error 3820
* [fix] Pass arch flag correctly 3854
* [fix] Treat clang-diagnostic-* checkers as compiler flags 3874
* Forward --driver-mode compiler flag to the analyzer 3867

:repeat: Profile changes
* `bugprone-standalone-empty`: default, extreme, sensitive
* `bugprone-unsafe-functions`: extreme, security, sensitive
* `cert-msc24-c`: alias of `bugprone-unsafe-functions`
* `cert-msc33-c`: alias of `bugprone-unsafe-functions`
* `cppcoreguidelines-avoid-capture-default-when-capturing-this`: extreme, sensitive
* `cppcoreguidelines-avoid-capturing-lambda-coroutines`: default, extreme, sensitive
* `cppcoreguidelines-avoid-reference-coroutine-parameters`: default, extreme, sensitive
* `cppcoreguidelines-rvalue-reference-param-not-moved`: extreme, sensitive
* `llvmlibc-inline-function-decl`: style
* `misc-use-anonymous-namespace`: default, extreme, sensitive
* Document the new checker misc-use-anonymous-namespace 3803
* [cfg] Assign new check profiles for 6.22RC1 3861

:computer: CLI/Server improvements
* **Further enhancements to speed up the store procedure** 3796
* **Multiroot analysis** 3815
CodeChecker now supports an analysis mode where for each source file,
it tries to find the closest compile_commands.json file up in the directory hierarchy starting from the source file.
clangd and clang-tidy works this way: https://clangd.llvm.org/installation.html
This feature allows the analaysis of multi-root projects also in the vscode plugin [Ericsson/CodecheckerVSCodePlugin113](https://github.com/Ericsson/CodecheckerVSCodePlugin/issues/113)
Previously the input of analysis was a compilation database JSON file. The of this PR is to support the following analysis invocations:

Analyze one source file.
CodeChecker analyze main.c -o reports

analyze all source files under a directory.
CodeChecker analyze my_project -o reports

* **Support report annotations and add dynamic analyzer related annotations** 3849
* **Required format for --checker-config** 3817
"CodeChecker analyze" command has a --checker-config flag. The parameter this flag should be in the following format:
`<analyzer>:<checker>:<option>=<value>`. This format is checked and an error message is emitted if the format is not met.
* [cmd] Gracefully exit instead of crashing when cmd diff is missing a param 3801
* cppcheck: allow spaces in path 3812
* [cmd] Fix a crash with CodeChecker cmd diff --unique on 3816
* [bugfix] Don't convert cppcheck parameters to absolute path 3821
* [cmd] Deprecate --warnings flag 3802
* [gui] Fix for filter product in gui test 3469
* [web] Fix stale permission caching 3840

:deciduous_tree: Environment
* [req] Upgrade `lxml` to `4.9.1` 3799
* Fix three bugs and a couple of style issues 3804
* Updates to setup.py/PyPI configuration 3819
* [test] Upgrade to Python 3.8 in GitHub Actions 3859

:book: Documentation updates
* README.md: add `python3-setuptools` dependency 3729
* [docs] Reword what labels, guidelines, checkers mean, and their enabling 3845

:hammer: Other
* [version] Bump version to 6.22.0 3787
* [repo] Add vim sessions file to gitignore 3792
* [docs] Fix facebook-infer links 3834
* [tests] Change subprocess.call to subprocess.Popen 3837
* Change dev/test servers port from default 3833

6.22.0rc1

:star2: Highlights

Further enhancements to speed up the store procedure
After another round of optimizations, `CodeChecker store` is ~2 times faster than in v6.21.0. Combined with the previous release, storing may be as much as 4 times faster than v6.20.0., with larger result directories seeing a greater degree of improvement.

This should allow those that use CodeChecker in CI loops to see fewer timeouts due to long storages, or lower timeout tresholds significantly.

Multiroot analysis
CodeChecker now supports an analysis mode where for each source file, it tries to find the closest compile_commands.json file up in the directory hierarchy starting from the source file.

If your project is structured such that multiple folders act as their own root folder (hence the name _multiroot_), CodeChecker should be able to support that out of the box. clangd and clang-tidy already works this way: https://clangd.llvm.org/installation.html#compile_commandsjson

This feature also affects the CodeChecker Visual Studio Code plugin, where analysis will be done on multiroot projects as well [Ericsson/CodecheckerVSCodePlugin113](https://github.com/Ericsson/CodecheckerVSCodePlugin/issues/113).

Previously the input of analysis must have been a compilation database JSON file. This PR supports the following new `CodeChecker analyze` invocations, as long as a corresponding compilation database file is found:

Analyze a single file.
CodeChecker analyze analyze.cpp -o reports

Analyze all source files under a directory.
CodeChecker analyze my_project -o reports

Support report annotations and add dynamic analyzer related annotations

CodeChecker is now able to parse additional fields from plist files especially relevant to dynamic analyses.


<key>diagnostics</key>
<array>
<dict>
   <key>category</key>
   <string>Memory error</string>
   ...
   <dict>
     <key>timestamp</key>
     <string>2000-01-01 10:00</string>
     <key>testsuite</key>
     <string>TS-1</key>
     ...
   </dict>
</dict>
</array>


![image](https://user-images.githubusercontent.com/23276031/227945494-e3583eaf-dc52-449f-b13e-ab48b0d94f57.png)

Unlike for static analyzers, the time of the detection can be a crucial piece of information, as a report may be a result of another preceding report. Users that record the timestamp of the detection and store it in CodeChecker under the new 'Timestamp' field will be able to sort reports by it. CodeChecker now also supports the 'Testsuite' field.

You can read more about this feature in its PR: 3849.

:exclamation: Backward incompatible changes
* [cmd] Remove some deprecated flags. 3823
* [cmd] Remove --tidy-config flag 3822
* [cmd] Remove some deprecated flags. [3823](https://github.com/Ericsson/codechecker/pull/3823)
* `CodeChecker checkers --only-enabled DEPRECATED.` Show only the enabled checkers. use CodeChecker checkers --details to list the checker status (enabled/disabled)
* `CodeChecker checkers --only-disabled.` use CodeChecker checkers --details to list the checker status.
* `CodeChecker cmd diff -s, --suppressed DEPRECATED.` Lists the suppressed reports.
Use the  `--review-status [REVIEW_STATUS [REVIEW_STATUS ...]]` flag to filter the results.
* `CodeChecker cmd diff --filter FILTER`       DEPRECATED. Filter diff results.
Use  the `--review-status [REVIEW_STATUS [REVIEW_STATUS ...]]` flag
                        to filter the results.
* `CodeChecker cmd sum  --disable-unique`  DEPRECATED. Use the '--uniqueing' option to get uniqueing results.
* [cmd] Remove the CodeChecker analyzer `--tidy-config flag` [3822](https://github.com/Ericsson/codechecker/pull/3822)
* `CodeChecker analyze [--tidy-config TIDY_CONFIG]` DEPRECATED and removed.
Use the `CodeChecker analyzers --analyzer-config clang-tidy` to list the analyzer options
Use e.g. `CodeChecker analyze --analyzer-config clang-tidy:WarningsAsErrors=true` to set a parameter.
Alternatively you can use .clang-tidy config files too

:bug: Analyzer improvements
* ignore -fno-keep-inline-dllexport gcc option 3813
* Fix error using Clang option '-stdlib=libc++' 3808
* [fix] Fix a condition about checkers being compiler warnings 3838
* [analyzer] Promote the missing checker warning to an error 3820
* [fix] Pass arch flag correctly 3854

:repeat: Profile changes
* `bugprone-standalone-empty`: default, extreme, sensitive
* `bugprone-unsafe-functions`: extreme, security, sensitive
* `cert-msc24-c`: alias of `bugprone-unsafe-functions`
* `cert-msc33-c`: alias of `bugprone-unsafe-functions`
* `cppcoreguidelines-avoid-capture-default-when-capturing-this`: extreme, sensitive
* `cppcoreguidelines-avoid-capturing-lambda-coroutines`: default, extreme, sensitive
* `cppcoreguidelines-avoid-reference-coroutine-parameters`: default, extreme, sensitive
* `cppcoreguidelines-rvalue-reference-param-not-moved`: extreme, sensitive
* `llvmlibc-inline-function-decl`: style
* `misc-use-anonymous-namespace`: default, extreme, sensitive
* Document the new checker misc-use-anonymous-namespace 3803
* [cfg] Assign new check profiles for 6.22RC1 3861

:computer: CLI/Server improvements
* **Further enhancements to speed up the store procedure** 3796
* **Multiroot analysis** 3815
CodeChecker now supports an analysis mode where for each source file,
it tries to find the closest compile_commands.json file up in the directory hierarchy starting from the source file.
clangd and clang-tidy works this way: https://clangd.llvm.org/installation.html
This feature allows the analaysis of multi-root projects also in the vscode plugin [Ericsson/CodecheckerVSCodePlugin113](https://github.com/Ericsson/CodecheckerVSCodePlugin/issues/113)
Previously the input of analysis was a compilation database JSON file. The of this PR is to support the following analysis invocations:

Analyze one source file.
CodeChecker analyze main.c -o reports

analyze all source files under a directory.
CodeChecker analyze my_project -o reports

* **Support report annotations and add dynamic analyzer related annotations** 3849
* **Required format for --checker-config** 3817
"CodeChecker analyze" command has a --checker-config flag. The parameter this flag should be in the following format:
`<analyzer>:<checker>:<option>=<value>`. This format is checked and an error message is emitted if the format is not met.
* [cmd] Gracefully exit instead of crashing when cmd diff is missing a param 3801
* cppcheck: allow spaces in path 3812
* [cmd] Fix a crash with CodeChecker cmd diff --unique on 3816
* [bugfix] Don't convert cppcheck parameters to absolute path 3821
* [cmd] Deprecate --warnings flag 3802
* [gui] Fix for filter product in gui test 3469
* [web] Fix stale permission caching 3840

:deciduous_tree: Environment
* [req] Upgrade `lxml` to `4.9.1` 3799
* Fix three bugs and a couple of style issues 3804
* Updates to setup.py/PyPI configuration 3819
* [test] Upgrade to Python 3.8 in GitHub Actions 3859

:book: Documentation updates
* README.md: add `python3-setuptools` dependency 3729
* [docs] Reword what labels, guidelines, checkers mean, and their enabling 3845

:hammer: Other
* [version] Bump version to 6.22.0 3787
* [repo] Add vim sessions file to gitignore 3792
* [docs] Fix facebook-infer links 3834
* [tests] Change subprocess.call to subprocess.Popen 3837
* Change dev/test servers port from default 3833

6.21.0

:bug: Analyzer improvements
- **[report-converter] Support Roslynator** (3765)
The [Roslynator](https://github.com/JosefPihrt/Roslynator) project contains several analyzers for C# built on top of Microsoft Roslyn. CodeChecker now supports the visualization of these C anlaysis results. It also provides a [.NET tool](https://github.com/JosefPihrt/Roslynator#roslynator-command-line-tool-) for running Roslyn code analysis from the command line. It is not limited to Microsoft and Roslynator analyzers, it supports any Roslyn anaylzer. It can also report MSBuild compiler diagnostics.

:computer: CLI/Server improvements

- **Make `CodeChecker store` about twice as fast** (3777)
This small change from a regex to a string search is expected to shave off the time it takes to run a `CodeChecker store` command by as much as 50%!
- **[fix] Speed up resolved diffing** (3771)
This fixes the everlasting diff runtime, when the report count is large (~60000) and the ReviewStatusRule count is also substantial.

:repeat: Profile changes
- **[analyzer][clang][clang-tidy] Assign new check profiles** (3769)
- `bugprone-assignment-in-if-condition`: extreme (no longer in the `sensitive` and `default` profiles)
- `bugprone-signal-handler`: default (new), security (new), sensitive, extreme
- `bugprone-suspicious-realloc-usage` (new): default, sensitive, extreme
- `bugprone-stringview-nullptr` (new): default, sensitive, extreme
- `bugprone-unchecked-optional-access` (new): extreme
- `cert-sig30-c`: removed from all profiles (as it is an alias to [bugprone-signal-handler](https://clang.llvm.org/extra/clang-tidy/checks/bugprone/signal-handler.html))
- `cppcoreguidelines-avoid-const-or-ref-data-members`: sensitive (new), extreme
- `cppcoreguidelines-avoid-do-while` (new): extreme
- `misc-const-correctness`: removed from all profiles (it was too extreme even for extreme)
- `misc-misleading-bidirectional`: default, security (new), sensitive, extreme
- `misc-misleading-identifier"` (new): default, security, sensitive, extreme
- `alpha.unix.Errno`: sensitive (new), extreme
- `core.uninitialized.NewArraySize` (new): default, sensitive, extreme
- `alpha.unix.cstring.UninitializedRead` (new): extreme

:book: Documentation updates

- **[analyzer][doc] Mention that Z3 as the constraint solver is highly unstable** (3772)
While LLVM supports the usage of Z3, that doesn't mean the same for the Clang Static Analyzer. It is a highly experimental feature that may or may not be generally available in a stable way, which is now better explained in the [docs](https://github.com/Ericsson/codechecker/blob/master/docs/analyzer/checker_and_analyzer_configuration.md#z3-theorem-prover) and in `--help` messages.
- **[doc] Refurbish several parts of the `README`** (3763)
- Self-advertise the CodeChecker GitHub CI action!
- Added the PLDI'2020 talk about CodeChecker to the papers section
- Moved information about Python 2 lower as it is no longer really an important thing in today's world
- Figure out the new LLVM monorepo commit for the referenced SVN commit that introduced Bug hashes to Clang SA

:hammer: Other improvements/fixes
- **Quick fix for cppcheck environment** (3744)
The cppcheck needs the original environment when invoked. This quick fix restores it at analyzer invocation.
- **[bugfix] Old client has different behavior with new server** (3746, 3747)
So far, we have supported the communication in between a CodeChecker server and almost all older CodeChecker clients versions. For CodeChecker servers on version 6.20.0, clients issueing `CodeChecker cmd diff` to the server got an incorrect results, which this PR fixes.
- **[bugfix] Don't update review status date** (3749)
When a review status is set in the GUI then a new entry is inserted to review_statuses table. Every time the same report is stored, its review status date used to be updated, which was a bug, since the storage date is NOT the same as the review status date.
- **Document 'cppcoreguidelines-avoid-const-or-ref-data-members'** (3734)
- **Document 'bugprone-suspicious-realloc-usage'** (3755)
- **Escape &, <, > from the source C-files to HTML-output** (3748)
This fixed a bug where `CodeChecker parse --export html` produced an invalid HTMl file.
- **[feat] Comment lines in skipfile** (3768)
Hashmark () character can be used for commenting lines out in skipfiles, and can now be used for CodeCheckers skip files!
- **Issue a warning about this release being only an RC** (3780)
CodeChecker version now warns users about the current release being only a release candidate. Please create a bug report if you find anything wrong, so we can fix it for the proper release!
- **[fix] Ignore files that .gitignore ignores** (3785)
- **Set "anywhere on path" in URL** (3783)
In the previous release, on the gui, when the "anywhere on path" filter was set, it wasn't saved in the URL. It is now!
- **[bugfix] Don't crash with intercept-build based compilation database** (3685)
CodeChecker was only really compatible with compilation databases where "command" was used instead of "arguments" as the actual command to execute. This is now fixed.
- **[db] Garbage collection of analysis_info timeout** (3775)
The garbage collection of analysis_info table has been restructured because the original query exceeded a 2min timeout.

6.21.0rc1

:bug: Analyzer improvements
- **[report-converter] Support Roslynator** (3765)
The [Roslynator](https://github.com/JosefPihrt/Roslynator) project contains several analyzers for C# built on top of Microsoft Roslyn. CodeChecker now supports the visualization of these C anlaysis results. It also provides a [.NET tool](https://github.com/JosefPihrt/Roslynator#roslynator-command-line-tool-) for running Roslyn code analysis from the command line. It is not limited to Microsoft and Roslynator analyzers, it supports any Roslyn anaylzer. It can also report MSBuild compiler diagnostics.

:computer: CLI/Server improvements

- **Make `CodeChecker store` about twice as fast** (3777)
This small change from a regex to a string search is expected to shave off the time it takes to run a `CodeChecker store` command by as much as 50%!
- **[fix] Speed up resolved diffing** (3771)
This fixes the everlasting diff runtime, when the report count is large (~60000) and the ReviewStatusRule count is also substantial.

:repeat: Profile changes
- **[analyzer][clang][clang-tidy] Assign new check profiles** (3769)
- `bugprone-assignment-in-if-condition`: extreme (no longer in the `sensitive` and `default` profiles)
- `bugprone-signal-handler`: default (new), security (new), sensitive, extreme
- `bugprone-suspicious-realloc-usage` (new): default, sensitive, extreme
- `bugprone-stringview-nullptr` (new): default, sensitive, extreme
- `bugprone-unchecked-optional-access` (new): extreme
- `cert-sig30-c`: removed from all profiles (as it is an alias to [bugprone-signal-handler](https://clang.llvm.org/extra/clang-tidy/checks/bugprone/signal-handler.html))
- `cppcoreguidelines-avoid-const-or-ref-data-members`: sensitive (new), extreme
- `cppcoreguidelines-avoid-do-while` (new): extreme
- `misc-const-correctness`: removed from all profiles (it was too extreme even for extreme)
- `misc-misleading-bidirectional`: default, security (new), sensitive, extreme
- `misc-misleading-identifier"` (new): default, security, sensitive, extreme
- `alpha.unix.Errno`: sensitive (new), extreme
- `core.uninitialized.NewArraySize` (new): default, sensitive, extreme
- `alpha.unix.cstring.UninitializedRead` (new): extreme

:book: Documentation updates

- **[analyzer][doc] Mention that Z3 as the constraint solver is highly unstable** (3772)
While LLVM supports the usage of Z3, that doesn't mean the same for the Clang Static Analyzer. It is a highly experimental feature that may or may not be generally available in a stable way, which is now better explained in the [docs](https://github.com/Ericsson/codechecker/blob/master/docs/analyzer/checker_and_analyzer_configuration.md#z3-theorem-prover) and in `--help` messages.
- **[doc] Refurbish several parts of the `README`** (3763)
- Self-advertise the CodeChecker GitHub CI action!
- Added the PLDI'2020 talk about CodeChecker to the papers section
- Moved information about Python 2 lower as it is no longer really an important thing in today's world
- Figure out the new LLVM monorepo commit for the referenced SVN commit that introduced Bug hashes to Clang SA

:hammer: Other improvements/fixes
- **Quick fix for cppcheck environment** (3744)
The cppcheck needs the original environment when invoked. This quick fix restores it at analyzer invocation.
- **[bugfix] Old client has different behavior with new server** (3746, 3747)
So far, we have supported the communication in between a CodeChecker server and almost all older CodeChecker clients versions. For CodeChecker servers on version 6.20.0, clients issueing `CodeChecker cmd diff` to the server got an incorrect results, which this PR fixes.
- **[bugfix] Don't update review status date** (3749)
When a review status is set in the GUI then a new entry is inserted to review_statuses table. Every time the same report is stored, its review status date used to be updated, which was a bug, since the storage date is NOT the same as the review status date.
- **Document 'cppcoreguidelines-avoid-const-or-ref-data-members'** (3734)
- **Document 'bugprone-suspicious-realloc-usage'** (3755)
- **Escape &, <, > from the source C-files to HTML-output** (3748)
This fixed a bug where `CodeChecker parse --export html` produced an invalid HTMl file.
- **[feat] Comment lines in skipfile** (3768)
Hashmark () character can be used for commenting lines out in skipfiles, and can now be used for CodeCheckers skip files!
- **Issue a warning about this release being only an RC** (3780)
CodeChecker version now warns users about the current release being only a release candidate. Please create a bug report if you find anything wrong, so we can fix it for the proper release!

6.20.0

:bug: Analyzer improvements
- **Cppcheck support** (3680)
Cppcheck is a static analyzer tool which is now driven by CodeChecker. Similar to Clang analysis, [Cppcheck](https://cppcheck.sourceforge.io/) also can be configured and executed by CodeChecker. For configuration and execution see [Configure Clang Static Analyzer and checkers Guide](https://github.com/Ericsson/codechecker/blob/master/docs/analyzer/checker_and_analyzer_configuration.md#cppcheck)
Please note that you need to add cppcheck to your PATH (env var) before using it with CodeChecker.
**WARNING**: The analysis results depend on which cppcheck version you configured
- **Merge, and don't override when multiple --analyzer-configs are specified** (3655)
When multiple `--analyzer-config` options are given to CodeChecker then only the last one was taken into account. From this version both are handled: `--analyzer-config <option1> --analyzer-config <option2>`. The old format is also still available: `--analyzer-config <option1> <option2>`. This is especially useful when you specify the base analysis parameters in the [codechecker_config ](https://github.com/Ericsson/codechecker/blob/master/docs/config_file.md) file and you want to override certain parameters in the command line.

:computer: CLI/Server improvements
- **Refactored Review Status Handling**
- **Changed handling of in-code suppressions (e.g. //codechecker_suppress [ all ] This is a false warning)** (3580)
Review status is now connected to the individual reports instead of the (all reports) with the same report hash.
This makes it possible to mark a bug as a false positive on one branch (and store it in a run) and mark it as intentional on another branch.
**Warning:** The different handling of such rare cases can cause a change in the checker statistics.
- **Changed handing of suppressions in the GUI** (3646)
If you handle suppressions in the GUI instead of the source code, the suppressions remain effective for all reports identified by the same bug hash. These are called "suppression rules". You can list and manage such rules in the "Review Status Rules" window:
![image](https://user-images.githubusercontent.com/8030953/186143044-96ee1b76-651f-4cca-8fba-32e6b2d23126.png)

- **Changed visualization of false positive and intentional reports in the Oustanding Reports Statistics**
Outstanding report statistics excluded false positive reports from the graphs even for time periods, when these reports were active. After this change, the reports will be counted in the outstanding reports graphs until the time they were classified as false positive. So you will be able to see a decreasing trend in the outstanding reports graph, after you classify reports false positive.

![image](https://user-images.githubusercontent.com/8030953/186143148-a2cf254c-e684-4c44-8f8f-2e8173f58a73.png)

- **Find reports by file anywhere on bugpath** (3717)
In the GUI the set of reports can be filtered by filename or source
component. However, these filters are concerning the last bug point,
i.e. one can list the set of reports ending in a specific file.

A new filter option has been introduced which returns all reports where the file is involved at any part of the bug path.
![image](https://user-images.githubusercontent.com/8030953/186632120-738727c6-12aa-47dd-bd78-3ce9002c7460.png)

- **Fix storage of headers with same name in different paths** (3706)
When a header file occurred in multiple directories with the same name (for example multiple standard libraries at different locations are involved in the project) then only one of them was stored to the server. This has been fixed, so all instances are stored now.
- `--trim-path-prefix` flag may now contain joker characters (3674)
`--trim-path-prefix` flag helps to remove a given prefix of each file path during report storage. This prefix may now contain joker characters too. The longest matching prefix will be eliminated from each file path.
- **Don't ignore compiler warnings, even if `clangtidy:take-config-from-directory=true` is specified** (3698)
`clangtidy:take-config-from-directory` is an analyzer config that makes ClangTidy get its arguments from a `.clang-tidy` file, and only from that
file. What this implies, is that all other options on the command line for ClangTidy will be ignored. The problem was that this also ignores compiler warnings, so it has been fixed.
- **Garbage collection enhancement in "files" table** (3710)
When a run storage and removal occurs concurrently with both referring the same file may result a foreign key constraint error on server side and storage fails. This has been fixed.
- **Import the suppressions per report** (3693)
`CodeChecker cmd suppress run_name -i <import_file>` will only import suppressions for the run indicated by `run_name`, and not all reports in all runs.
- **Fix remote diff behavior** (369)
When two runs are compared then reports should be considered as closed even if their review status is false positive or intentional.
- **Speed up run deletion** (3700)
Sometimes run deletion is a slow operation due to cascades and such. So runs are deleted in separate transactions in order to avoid potential statement timeouts in a DBMS.
- **Get failed files with `CodeChecker cmd runs --details`** (3669)
This command now lists the files that are failed to analyze.
- **Fix storage of context-insensitive ClangSA reports** (3662)
In some cases ClangSA produced plists where an included file had a context-insensitive bug report at the exact same "file:row:col:checker", but different bug hash. Only one instance of these reports were stored before this release.
- **Fix exceptions during blame information storage* (3647)
When the HEAD file exists in the `.git` directory but the user who is running the CodeChecker store command doesn't have permission to this file then the storage failed.
- **Fix uniqueing compilation commands** (3635)

:repeat: Profile changes
- **The following checkers are added to the following profiles** (3714)
- `alpha.unix.Errno`: extreme
- `bugprone-assignment-in-if-condition`: default, sensitive, extreme
- `misc-const-correctness`: extreme
- `misc-confusable-identifiers`: default, sensitive, extreme
- `modernize-macro-to-enum`: extreme
- **All cppcheck checker from the error and warning category have been added to the default profile**

:book: Documentation updates
- **Refactoring the analyzer user guide** (3694)
- **Checker documentation URLs have changed in ClangTidy** (3715)
- **Fix some links in `README.md`** (3512)
- **Enhancement of the user guides related to the run comparison feature** (3696)
- **Fix some CLI usage examples in the docs** (3666)
- **Add documentation to the python thrift client example** (3652)

:hammer: Other improvements/fixes
- **Fix ctu extdef mapping file with space problem** (3653)
CodeChecker uses `clang-extdef-mapping` utility during CTU analysis. This collects for each function definition in which file they have been defined. The format of this mapping file changed, and this change needs to be adapted in CodeChecker.
- **Adding `dev_package` make target** (3682)
This make target results symlinks in the build directory to the source files. This way it is not necessary to rebuild CodeCompass for each source code change during the development. Known issue: `CC_LIB_DIR` needs to be set to `.../build/CodeChecker/lib/python3` directory.
- **Fix install of PPA clang-tidy in config coverage job** (3678)
Fixing a broken installment in GitHub Actions.
- **Add a job that checks coverage of checker labelling** (3367)
- **Minor improve some debug logs** (3659)
There was a debug log which could not be used for debugging, because the arguments containing whitespaces were not quoted properly.
- **Fix the incorrect run count on the product page** (3733)
Due to a bug in our caching strategy, the number of runs in a product displayed on the product page were sometimes higher than the actual count (which was corrently displayed in the bottom left of the run page). This occurred when multiple runs were deleted at once.

Page 2 of 13

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.