Codechecker

Latest version: v6.23.1

Safety actively analyzes 638379 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 3 of 13

6.20.0rc1

:bug: Analyzer improvements
- **Cppcheck support** (3680)
Cppcheck is a static analyzer tool which is now driven by CodeChecker. Similar to Clang analysis, [Cppcheck](https://cppcheck.sourceforge.io/) also can be configured and executed by CodeChecker. For configuration and execution see [Configure Clang Static Analyzer and checkers Guide](https://github.com/Ericsson/codechecker/blob/master/docs/analyzer/checker_and_analyzer_configuration.md#cppcheck)
Please note that you need to add cppcheck to your PATH (env var) before using it with CodeChecker.
**WARNING**: The analysis results depend on which cppcheck version you configured
- **Merge, and don't override when multiple --analyzer-configs are specified** (3655)
When multiple `--analyzer-config` options are given to CodeChecker then only the last one was taken into account. From this version both are handled: `--analyzer-config <option1> --analyzer-config <option2>`. The old format is also still available: `--analyzer-config <option1> <option2>`.

:computer: CLI/Server improvements
- **Refactored Review Status Handling**
- **Changed handling of in-code suppressions (e.g. //codechecker_suppress [ all ] This is a false warning)** (3580)
Review status is now connected to the individual reports instead of the (all reports) with the same report hash.
This makes it possible to mark a bug as a false positive on one branch (and store it in a run) and mark it as intentional on another branch.
**Warning:** The different handling of such rare cases can cause a change in the checker statistics.
- **Changed handing of suppressions in the GUI** (3646)
If you handle suppressions in the GUI instead of the source code, the suppressions remain effective for all reports identified by the same bug hash. These are called "suppression rules". You can list and manage such rules in the "Review Status Rules" window:
![image](https://user-images.githubusercontent.com/8030953/186143044-96ee1b76-651f-4cca-8fba-32e6b2d23126.png)

- **Changed visualization of false positive and intentional reports in the Oustanding Reports Statistics**
Outstanding report statistics excluded false positive reports from the graphs even for time periods, when these reports were active. After this change, the reports will be counted in the outstanding reports graphs until the time they were classified as false positive. So you will be able to see a decreasing trend in the outstanding reports graph, after you classify reports false positive.

![image](https://user-images.githubusercontent.com/8030953/186143148-a2cf254c-e684-4c44-8f8f-2e8173f58a73.png)

- **Find reports by file anywhere on bugpath** (3717)
In the GUI the set of reports can be filtered by filename or source
component. However, these filters are concerning the last bug point,
i.e. one can list the set of reports ending in a specific file.

A new filter option has been introduced which returns all reports where the file is involved at any part of the bug path.
![image](https://user-images.githubusercontent.com/8030953/186632120-738727c6-12aa-47dd-bd78-3ce9002c7460.png)

- **Fix storage of headers with same name in different paths** (3706)
When a header file occurred in multiple directories with the same name (for example multiple standard libraries at different locations are involved in the project) then only one of them was stored to the server. This has been fixed, so all instances are stored now.
- `--trim-path-prefix` flag may now contain joker characters (3674)
`--trim-path-prefix` flag helps to remove a given prefix of each file path during report storage. This prefix may now contain joker characters too. The longest matching prefix will be eliminated from each file path.
- **Don't ignore compiler warnings, even if `clangtidy:take-config-from-directory=true` is specified** (3698)
`clangtidy:take-config-from-directory` is an analyzer config that makes ClangTidy get its arguments from a `.clang-tidy` file, and only from that
file. What this implies, is that all other options on the command line for ClangTidy will be ignored. The problem was that this also ignores compiler warnings, so it has been fixed.
- **Garbage collection enhancement in "files" table** (3710)
When a run storage and removal occurs concurrently with both referring the same file may result a foreign key constraint error on server side and storage fails. This has been fixed.
- **Import the suppressions per report** (3693)
`CodeChecker cmd suppress run_name -i <import_file>` will only import suppressions for the run indicated by `run_name`, and not all reports in all runs.
- **Fix remote diff behavior** (369)
When two runs are compared then reports should be considered as closed even if their review status is false positive or intentional.
- **Speed up run deletion** (3700)
Sometimes run deletion is a slow operation due to cascades and such. So runs are deleted in separate transactions in order to avoid potential statement timeouts in a DBMS.
- **Get failed files with `CodeChecker cmd runs --details`** (3669)
This command now lists the files that are failed to analyze.
- **Fix storage of context-insensitive ClangSA reports** (3662)
In some cases ClangSA produced plists where an included file had a context-insensitive bug report at the exact same "file:row:col:checker", but different bug hash. Only one instance of these reports were stored before this release.
- **Fix exceptions during blame information storage* (3647)
When the HEAD file exists in the `.git` directory but the user who is running the CodeChecker store command doesn't have permission to this file then the storage failed.
- **Fix uniqueing compilation commands** (3635)

:repeat: Profile changes
- **The following checkers are added to the following profiles** (3714)
- `alpha.unix.Errno`: extreme
- `bugprone-assignment-in-if-condition`: default, sensitive, extreme
- `misc-const-correctness`: extreme
- `misc-confusable-identifiers`: default, sensitive, extreme
- `modernize-macro-to-enum`: extreme
- **All cppcheck checker from the error and warning category have been added to the default profile**

:book: Documentation updates
- **Refactoring the analyzer user guide** (3694)
- **Checker documentation URLs have changed in ClangTidy** (3715)
- **Fix some links in `README.md`** (3512)
- **Enhancement of the user guides related to the run comparison feature** (3696)
- **Fix some CLI usage examples in the docs** (3666)
- **Add documentation to the python thrift client example** (3652)

:hammer: Other improvements/fixes
- **Fix ctu extdef mapping file with space problem** (3653)
CodeChecker uses `clang-extdef-mapping` utility during CTU analysis. This collects for each function definition in which file they have been defined. The format of this mapping file changed, and this change needs to be adapted in CodeChecker.
- **Adding `dev_package` make target** (3682)
This make target results symlinks in the build directory to the source files. This way it is not necessary to rebuild CodeCompass for each source code change during the development. Known issue: `CC_LIB_DIR` needs to be set to `.../build/CodeChecker/lib/python3` directory.
- **Fix install of PPA clang-tidy in config coverage job** (3678)
Fixing a broken installment in GitHub Actions.
- **Add a job that checks coverage of checker labelling** (3367)
- **Minor improve some debug logs** (3659)
There was a debug log which could not be used for debugging, because the arguments containing whitespaces were not quoted properly.

6.19.1

:bug: Analyze fixes
- **Disappearing `--stats` flag** (3630, 3633)
`CodeChecker analyze` command has `--stats` flag if there is at least one checker contating `statisticsbased` in its name. We are using the checker listing function to determine the list of checkers but by default it excludes modeling checkers. This default behavior should be overridden when checking if underlying Clang supports statistics based checkers.
- **Add `-sdkroot` option to COMPILE_FLAGS structure** (3631)
A special downstream compiler duplicated the `--sysroot` option, and CodeChecker is not aware of the option chosen by this downstream
compiler. Adding these entries enables CodeChecker to not drop or strip the arguments to this option when interpreted and driven from a
`compile_commands.json` file.

:hammer: Other fixes
- Add `pyyaml` dependency to the web part to fix docker container (3626)
- Fix snap package build (3624)

For more information check the [milestone](https://github.com/Ericsson/codechecker/milestone/82).

6.19.0

:exclamation::exclamation::exclamation: Backward incompatible changes :exclamation::exclamation::exclamation:
- **Fix JSON format of CodeChecker version subcommand** (3558)
The output of the `CodeChecker version -o json` command wasn't a valid JSON format. From this release CodeChecker will provide a valid JSON output for this command.
For more information see the [documentation](https://github.com/Ericsson/codechecker/blob/master/docs/web/user_guide.md#json-format).
- **Not allowing disabling modeling checkers in ClangSA** (3323)
When a `Clang Static Analyzer` checker is disabled in CodeChecker, clang is invoked with the `analyzer-disable-checker` flag. This allows the user disabling core modeling checkers such as `unix.DynamicMemoryModeling`. This causes malfunctioning of depending checkers.
From this release `modeling` and `debug` checkers (listed with `clang -cc1 -analyzer-checker-help-developer`) will not be listed and cannot be disabled through CodeChecker with the `--enable` and `--disable` flags.
They can be enabled/disabled through the Clang Static Analyzer specific `--saargs` flag only.
- **Change minimum supported `node` version** (3581, 3586)
The minimum supported node version to build CodeChecker after this release is `>=14.17.0`.

:star: New features
- **Add `print-steps` option to `CodeChecker cmd diff` command** (3555)
Without bug steps it is hard to understood the problem by a programmer. With this commit we will introduce a new option for the `CodeChecker cmd diff` command which can be used to print bug steps similar what we are doing at the `CodeChecker parse` command. This patch also solve the problem to print bug steps in HTML files for reports which comes from a CodeChecker server.
- **Support yaml CodeChecker configuration files** (3602)
Multiple subcommands have a `--config` option which allow the configuration from an explicit configuration file. The parameters in the config file will be emplaced as command line arguments. Previously we supported only `JSON` format but the limitation of this format is that we can't add comments in this file for example why we enabled/disabled a checker, why an option is important etc.
From this release we will also support `YAML` format:
yaml
analyzer:
Enable/disable checkers.
- --enable=core.DivideZero

For more information see the [documentation](https://github.com/Ericsson/codechecker/blob/master/docs/config_file.md#yaml).

:computer: CLI / Server improvements / fixes
- **Allow `--file` and `skipfile` option to be given together and analyze header file** (3616)
The CodeChecker VSCodePlugin uses the `--file` parameter to analyze single files. Large projects load in their configuration using the `--config` parameter and if there is a `-i skipfile` given in the config, `CodeChecker analyze` call drops an error. From this release CodeChecker will allow `-i skipfile` and `--file` to be given together.
Also if a header file is given to the `--file` option CodeChecker under the hood will try to figure out which source files are depends on the given header file and we will analyze these source files.
- **Allow escaping `:` in run names with `\:`** (3536)
In certain scenarios, the run name might contain a `:` character that does NOT separate a tag from a name. Commands such as `server` and `cmd results` accept `:` as a literal in the name, but `cmd diff` previously cut it as the "run tag" separator.
- **Update allowed TLS versions** (3594)
`TLS1` and `TLS1.1` were deprecated in [RFC8996](https://datatracker.ietf.org/doc/html/rfc8996). From this release CodeChecker will enforce the newer `TLS1.2` or `TLS1.3`.
- **Fix HTML generation for CodeChecker cmd diff command** (3600)
If the diff command result contained reports from multiple source files (e.g.: `a.cpp` + `b.cpp`) the `CodeChecker cmd diff` command in HTML format generated HTML files for each source file but inserted the same list of reports in all of the HTML files. From this release CodeChecker will insert only those reports to a generated HTML file which are really related to that file.
- **Relative doc url to absolute file path** (3609)
Convert relative `doc_url` value's to absolute file paths in the `CodeChecker checkers` output. This way other tools can open and view these documentation files easily.
- **Fix html generation for report directory without plists** (3610)
Fix HTML generation for report directory which doesn't contain any analyzer result (plist) file.

:repeat: Profile changes
- **The following checkers are added to the following profiles** (3621)
- `bugprone-shared-ptr-array-mismatch`: `default`, `extreme`, `sensitive`
- `misc-misleading-bidirectional`: `default`, `extreme`, `sensitive`
- `readability-container-contains`: `default`, `extreme`, `sensitive`
- **The following checkers are removed from the following profiles** (3618)
- `cppcoreguidelines-narrowing-conversions`: `extreme`

:bug: Analyze improvements / fixes
- Proper handling of multi-target build (3598)
- Prefer ldlogger over intercept-build (3605)
- Quote command line segment using shlex (3578)
- Fix ldlogger escaping a bunch of characters (3589)
- Handle relative file paths in compilation database (3587)
- Avoid plist filenames being the same (3588)
- Proper exit code for `CodeChecker check` in case of exception (3603).
- Print info message about logger tool (3573)
- Add severity for `readability-duplicate-include` (3592)

:book: Documentation updates
- Update documentation with multiple source code comments in the same line (3597)
- Highlight that user must be logged in before token generation (3599)
- List possible severity levels for JSON report format (3604)
- Extend documentation with implicitly disabled checkers under `--enable-all` (3611)
- Added link to basic database setup (3541)
- Fix grammatical and spelling errors in documentations (3557)
- Mention CodeChecker vscode extension in the docs (3585)

:hammer: Other improvements / fixes.
- Thrift Python client example (3575)
- No rebuild on satisfied requirements (3547)
- Port LD-logger tests to python (3153)
- Fix compile warnings, missing return statements, etc. (3590)
- Fix the prepare debug scripts (3614)
- Upgrade `python-ldap` to `3.4.0` (3550)
- Upgrade `lxml` to `4.7.1` (3553)
- Upgrade `npm` packages (3581, 3586)
- Upgrade python version to `3.9.7` in docker image (3591)

For more information check the [milestone](https://github.com/Ericsson/codechecker/milestone/79).

---
:tada: CodeChecker VSCode plugin
We are proud to announce the official release of [CodeChecker VSCode plugin](http://github.com/Ericsson/codecheckervsCodePlugin/).

:star2: Main features
- Run CodeChecker analysis from the editor and see the results automatically.
- Re-analyze the current file when saved.
- Commands and build tasks for running CodeChecker as part of a build system.
- Browse through the found reports and show the reproduction steps directly in the code.
- Navigate between the reproduction steps.

:computer: Trying It Out
1. [Install CodeChecker] version `6.18.2` or later and optionally add it to the `PATH` environment variable.
2. Install CodeChecker extension from the [Visual Studio Marketplace], from [Open VSX] or download manually from [Downloads].
3. Check the path to CodeChecker and set your preferred command-line arguments - see [Configuring CodeChecker] for more information.
4. Open your project, and run an analysis, or browse through the found reports!

[Install CodeChecker]: https://github.com/Ericsson/CodeChecker#install-guide
[Visual Studio Marketplace]: https://marketplace.visualstudio.com/items?itemName=codechecker.vscode-codechecker
[Open VSX]: https://open-vsx.org/extension/codechecker/codechecker
[Downloads]: https://github.com/Ericsson/CodecheckerVSCodePlugin/releases
[Configuring CodeChecker]: https://github.com/Ericsson/CodecheckerVSCodePlugin/blob/main/README.md#configuring-codechecker

6.18.2

:bug: Analyze fixes
- **Fix skipping reports** (3559).
When a skip list was set, not only those reports were skipped that were included in the skipped files, but also those that had a bug path traversing a skipped file. This resulted in disappeared findings.
- **Fix static HTML report files** (3570).
It was not always possible to navigate in the static HTML files, when the bug path traversed multiple files.
- **Remove `bugprone-easily-swappable-parameters` from `sensitive` profile** (3579).
The checker warns for a bugprone coding style at function definitions. It is mostly useful for new code, where new functions are being defined. On the other hand, the checker required too many changes in legacy projects with non-matching coding style.

:computer: CLI / Server fixes
- **Fix suppressing bug on the server** (3563).
When the report was in multiple lines, the source code comments in the code were not taken into consideration.
- **Fix source line / file for remote reports** (3568).
An exception was thrown at `CodeChecker cmd diff` when path trimming was used in the stored results.
- **Fix storage of control points** (3576).
Not all of the control points were stored to the server, because the *plist* format what the report converter produced and the *plist* parser expected was invalid. This way when an analyzer result file was stored to the server, bug path arrows were missing from the GUI.
- **Escape values for v-html attributes** (3549).
We are using [`v-html`](https://vuejs.org/v2/api/#v-html) attribute on the UI side to dinamically rendering comments and analyzer commands. This can be very dangerous because it can easily lead to XSS vulnerabilities. To solve this problem the server will always return the escaped version of these values which can be safely rendered on the UI.
- **Fix link in gerrit output** (3572).
If `CC_REPORT_URL` is defined and `gerrit` format is used at `CodeChecker parse` or `CodeChecker cmd diff` commands, the output will contain the value of this environment variable wrapped inside quotes. When this output is sent to gerrit, it will convert URL links to HTML `a` tags. Unfortunately gerrit will think that the ending quote is part of the URL, so it will not remove it. This way the URL will be invalid.
- **Change permission of stored analysis failure files** (3574).
Change permission of the stored analysis failure zip files so only the current user/group will have access to this file.

For more information check the [milestone](https://github.com/Ericsson/codechecker/milestone/81).

6.18.1

Not secure
:bug: Analyze improvements / fixes
- Add label for file `markdownlint` (3505).
- Include `cppcoreguidelines-virtual-class-destructor` in profiles (3532).
- Add `bugprone-unhandled-exception-at-new` to default profile (3531).

:computer: CLI / Server improvements / fixes
- Add `--file` filter option for `CodeChecker parse` command (3454).
- Add checker documentation URLs to static HTML files (3539).
- Fix html output of CodeChecker parse (3524, 3538).
- Handle missing database file ids for file paths (3508).
- Simplify query for Other source component (3534).
- Improve cli store log (3533).
- More info logs at server for storage API request (3509).
- Use print_exc at store command (3511).
- Fix number of outstanding reports chart (3544).
- Fix whitespace in run name links (3529).
- Print broken pipe errors properly (3516).

:book: Documentation updates
- Update the Usage Guide with failed zips (3503).
- Add taint analysis documentation (3522).
- Add new features section for `6.18.0` release (3530).
- Mention more details in the build instructions (3517).
- Documentation for parse JSON output (3519).

:hammer: Other improvements / fixes.
- Fix building snap package (3496).
- Add static files to the pypi package (3502).
- Fix running docker container with existing volume (3540).
- New build argument (`CC_REPO`) for docker image (3543).
- Fix non-deterministic test in plist to html (3545).
- Upgrade `lxml` to `4.6.4` (3528).


For more information check the [milestone](https://github.com/Ericsson/codechecker/milestone/78).

---
:bulb: Hints
:dvd: 1. Installing CodeChecker
CodeChecker can be installed and used from multiple repositories:
- [PyPi](https://pypi.org/project/codechecker/)
- [Snap](https://snapcraft.io/codechecker)
- [Docker](https://hub.docker.com/r/codechecker/codechecker-web)

For more information see the [installation guide](https://github.com/Ericsson/codechecker#install-guide).

:file_cabinet: 2. Storage of multiple analyzer results
CodeChecker can be used as a generic tool for visualizing analyzer results of multiple static and dynamic analyzers:
- **C/C++**: [Clang Static Analyzer](https://clang-analyzer.llvm.org/), [Clang Tidy](https://clang.llvm.org/extra/clang-tidy/), [Clang Sanitizers](https://github.com/Ericsson/codechecker/blob/master/docs/tools/report-converter.md#sanitizers), [Cppcheck](http://cppcheck.sourceforge.net), [Facebook Infer](https://fbinfer.com), [cpplint](https://github.com/cpplint/cpplint) etc.
- **Java**: [SpotBugs](https://spotbugs.github.io), [Facebook Infer](https://fbinfer.com).
- **Python**: [Pylint](https://www.pylint.org), [Pyflakes](https://github.com/PyCQA/pyflakes).
- **JavaScript**: [ESLint](https://eslint.org/)
- **TypeScript**: [TSLint](https://palantir.github.io/tslint)
- **Go**: [Golint](https://github.com/golang/lint)
- **Markdown**: [Markdownlint](https://github.com/markdownlint/markdownlint)

For details see [supported code analyzers](https://github.com/Ericsson/codechecker/blob/master/docs/supported_code_analyzers.md) documentation and the [Report Converter Tool](https://github.com/Ericsson/codechecker/blob/master/docs/tools/report-converter.md).

6.18.0

Not secure
:exclamation::exclamation::exclamation: Backward incompatible CLI change :exclamation::exclamation::exclamation:
The `JSON` output of the CodeChecker parse command was not stable enough and the structure was very similar to the plist structure. Our plan is to support reading/parsing/storing of multiple analyzer output types not only plist but for example sarif format as well (http://docs.oasis-open.org/sarif/sarif/v2.0/csprd01/sarif-v2.0-csprd01.html). For this reason we changed the format of the `JSON` output of the `CodeChecker parse` and `CodeChecker cmd diff` command. The new format is described in #3519.

New features
Get access controls (3476)
Create a new global role (`PERMISSION_VIEW`) which will be used to allow the users to fetch access control information from a running
CodeChecker server by using the `CodeChecker cmd permissions` subcommand.

Analyze improvements / fixes
- Uplifting label file for clang 13 (3485).
- Add label files for sanitizers (3471).
- Add labels for compiler warnings (3483).
- Add labels for some supported report converters (3484).
- Fix check for response files (3474).
- Use -imacros flag instead of -macros (3428).
- Ignore `-mfp16-format`, `-fmacro-prefix-map`, `-fno-defer-pop`, `-fstack-usage` flags (3433, 3445).
- Add misra c guideline (3489).
- Removing cppcoreguidelines-virtual-class-destructor from the profiles (3494).

CLI / Server improvements / fixes
- Add confidentiality classification to the product config (3405)
- Jump to checker docs automatically (3455).
- Support newline in analysis info (3490).
- Fix run name link in report info (3477).
- Fix console error on reports page (3478).
- Fix weird file path filter (3479).
- Fix getting checker labels for 'unknown' analyzer (3491).
- Change required permission to view access for some API request (3440).
- Fix getting git commit url (3453).
- Update blame info (3488).

Other improvements / fixes.
- Refactoring code for sarif support (3462).
- Fix duplication warning when collecting blame info (3446).
- Upgrade mkdocs to 1.2.3 (3472).
- Use clang-13 in the CI, uplift tests accordingly (3475).
- Add github action to publish snap package (3492).
- Install common requirements on venv_dev target (3493).
- Mention venv_dev target in the main readme file (3480).
- Do not skip building the UI code when creating a pypi package (3461).
- Small typo fix (3434)


For more information check the [milestone](https://github.com/Ericsson/codechecker/milestone/76).

Page 3 of 13

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.