Codechecker

Latest version: v6.23.1

Safety actively analyzes 638386 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 5 of 13

6.13.0

New feature highlights

New web UI
In this release the UI framework was completely replaced to increase usability, stability and performance.
The new framework allows a lot of improvements like:
* faster page load
* faster navigation
* improved front-end testing
* less load on the server

With the new UI the permalinks are backward compatible so the saved URLs should work as before.
Additionally to the UI improvements there is a new feature.
If `Unique reports` is enabled on the reports view there is a drop down list for each report showing the similar reports
with the same report hash (but maybe with a different execution path)

**Note!** When building the package nodejs newer than v10.14.2 is required!
Please check the install guide for further instructions on how to install the dependencies.

Apply checker fixits

Some checkers in [Clang-Tidy](https://clang.llvm.org/extra/clang-tidy/) can provide source code changes (fixits) to automatically modify the source code
and fix a report. This feature can also be used to modernize the source code.
To use this feature the `clang-tidy` analyzer and the `clang-apply-replacements` tools needs to be available in the PATH.
During the clang-tidy analyzer execution the fixits are automatically collected.

CodeChecker analyze -o report_dir -j4 -e modernize -e performance -e readability compile_command.json --analyzers clang-tidy

Use the `CodeChecker fixit report_dir` command to list all collected fixits.
Fixits can be applied for a source file automatically like this:

CodeChecker fixit report_dir --apply --file "*mylib.h"

or in interactive mode where every source code modification needs to be approved:

CodeChecker fixit report_dir --interactive --file "*mylib.h"


Fixits can be applied based on a checker name, so to cleanup all the `readability-redundant-declaration` results execute this command:

CodeChecker fixit report_dir --apply --checker-name readability-redundant-declaration


Coding guideline mapping to checkers (SEI-CERT)

There are coding guidelines like ([SEI-CERT](https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards), [C++ Core Guidelines](https://isocpp.github.io/CppCoreGuidelines/CppCoreGuidelines), etc.) which contain best practices on avoiding common programming mistakes. To easily identify which checker maps to which guideline the`--guideline` flag was introduced.

To list the available guidelines where the mapping was done, use this command:

CodeChecker checkers --guideline

The checkers which cover a selected guideline can be listed like this:

CodeChecker checkers --guideline sei-cert

If we want to get which checker checks the sei-cert rule `err55-cpp` by executing
the command below we can get that the `bugprone-exception-escape` checker should be enabled if the `err55-cpp` rule needs to be checked.

CodeChecker checkers --guideline err55-cpp
bugprone-exception-escape

More detailed information about the checkers and the guideline mapping can be found by executing
this command:

CodeChecker checkers --guideline sei-cert --details


Makefile output

CodeChecker can generate a Makefile without executing the analysis.
The Makefile will contain all the necessary analysis commands as build targets.
With this Makefile the analysis can be executed by `make` or by some distributed
build system which can use a Makefile to distribute the analysis commands.

Locally with a simple `make` it can be executed like this:

CodeChecker analyze --makefile -o makefile_reports compile_command.json
make -f makefile_reports/Makefile -j8


On demand CTU analysis support

With this new flag (`--ctu-ast-mode`) the user can choose choose the way ASTs are loaded during CTU analysis.
There are two options:
- `load-from-pch` (the default behavior now, works with older clang versions v9 or v10)
- `parse-on-demand` (needs clang master branch or clang 11)

The mode 'load-from-pch' can use significant disk-space for the serialized ASTs.
By using the 'parse-on-demand' mode some runtime CPU overhead can incur in the second phase of the analysis but uses much less disk space is used.

Execute this command to enable the `on-demand` mode:

CodeChecker analyze -j4 -o reports_ctu_demand --ctu --ctu-ast-mode parse-on-demand

See the [pull request](https://github.com/Ericsson/codechecker/pull/2240) for more information.

Disable all warnings like checker groups

Clang compiler warnings are reported (clang-tidy) by checker names staring with `clang-diagnostic-`.
Disabling them could be done previously only one-by-one.
In this release the warnings can be disabled now with the corresponding checker group.

CodeChecker analyze --analyzers clang-tidy -d clang-diagnostic


IPv6 support
The CodeChecker server can be configured to listen on IPv6 addresses.

Performance improvements
- diff command printing out source code lines got a performance improvement 2772
- report storage performance got improved 2804

Changes

- DEPRECATED flag!
`--ctu-reanalyze-on-failure` flag is marked as deprecated and it will be removed in one of the upcoming releases.
It will be removed because the [Cross Translation Unit (CTU)](https://clang.llvm.org/docs/analyzer/user-docs/CrossTranslationUnit.html) analysis functionality got more stable in the Clang Static analyzer so this feature can be removed.

Other improvements and changes
There are a lot of further improvements and bug fixes in this release.
The full list of changes can be found [here](https://github.com/Ericsson/codechecker/milestone/65).

Contributors
Big thanks to everyone who helped us creating this release: sylvestre thresheek

6.12.1

Feature change!

Incremental analysis extension introduced in v6.12.0 feature was changed in 2786!
Getting the c/cpp files that are dependencies of a changed header is **not done automatically** from now on, the user has to generate the c/cpp file list which should be analyzed.
To support this use case the `tu_collector` tool was extended to be able to generate the dependency source file list like this:
sh
tu_collector --dependents -l ./full_compilation_database.json -f "*/main.h"

Additional helper scripts and examples can be found in the `tu_collector` [documentation](https://github.com/Ericsson/codechecker/tree/release-v6.12.1/tools/tu_collector#create-skip-file-from-source-files-that-need-to-be-reanalyzed) how to analyze the source and header files which were modified in a git commit.

Bugfixes

- The parse command could not generate HTML output files 2771
- Fix analyzer --file option. The reports from the included header files should not be skipped 2788
- Fix update comments if the message did not change 2780
- Fix source component update error 2778
- Fix run history tag filter 2769
- Fix tidyargs file encoding error 2767
- Fix segmentation fault in the compile command logger 2768
- The wrong codechecker_api version was used in the developer virtual environments 2770
- The hash overwrite feature crashed if the plist report file was missing 2779

6.12.0

New feature Highlights

Show clang-tidy reports in headers

Clang-tidy reports are shown from headers (non system) now, this change can increase the number of new results!
Use the following analyzer configuration to turn back the old behavior by setting the HeaderFilterRegex value to an empty string:
`CodeChecker analyze compile_command.json --analyzer-config
clang-tidy:HeaderFilterRegex=\"\"`

Python 3 only

Because of Python 2 [sunset](https://www.python.org/doc/sunset-python-2/) at the beginning of 2020 CodeChecker was ported to Python 3 the minimal required version is 3.6. Because of the Python version change and a lot of 3pp dependencies were updated it is required to remove the old and create a new virtual environment to build the package!

Store results from multiple static and dynamic analyzer tools

Starting with this version CodeChecker can store the results of multiple static and dynamic analyzers for different programming languages:
* Facebook Infer (C/C++, Java)
* Clang Sanitizers (C/C++)
* Spotbugs (Java)
* Pylint (Python)
* Eslint (Javascript)
* ...

The complete list of the supported analyzers can be found [here](https://github.com/Ericsson/codechecker/blob/master/docs/supported_code_analyzers.md).
To be able to store the reports of an analyzer a [report converter tool](https://github.com/Ericsson/codechecker/tree/master/tools/report-converter) is available which can convert the reports of the supported analyzers to a format which can be stored by the CodeChecker store command.

New build and CI system features and improvements

GitLab integration

Inside a GitLab Runner CodeChecker can executed to provide a code quality report for each GitLab review request. The codeclimate json output format was added to the `Codechecker parse` and
`CodeChecker cmd diff` commands to generate a json file which can be parsed
by GitLab as a quality report. See the [GitLab integration guide](https://github.com/Ericsson/codechecker/blob/master/docs/gitlab_integration.md) for more details how to configure the GitLab runners and CodeChecker.

Gerrit

Integration was simplified, no extra output parsing and converter scripts are needed. The `CodeChecker cmd diff -o gerrit ...` command can generate an output format which can be sent to gerrit as a review result.

Bazel build system support

Compilation commands executed by the Bazel build system can now be logged with the Codechecker logger to run the static analyzers on the source files. Check out the Bazel build system [integration guide]( https://github.com/Ericsson/codechecker/blob/e506338a7e5f1b5e2d5d405e0e75584f0a645b7d/docs/analyzer/user_guide.md#bazel) for more details.

Compilation errors as reports

Compilation errors occurred during the analysis are now captured as reports by the `clang-diagnostic-error` checker. These types of reports can be disabled as a normal checker like this:
`CodeChecker analyze --disable clang-diagnostic-error ...`

Analyzer and checker configuration from the command line

The Clang and Clang-tidy static analyzers and the checkers can be configured from the command line with the newly introduced `--analyzer-config` and `--checker-config` options.

Analyzer configuration

Use these commands to list the available analyzer config options (use the `--details` flag for the default values and more description):
* `CodeChecker analyzers --analyzer-config clangsa`
* `CodeChecker analyzers --analyzer-config clang-tidy`

A Clang Static Analyzer configuration option can be enabled during analysis like this:
`CodeChecker analyze compile_command.json -o reports --analyzer-config clangsa:suppress-c++-stdlib=false -c`

Checker configuration

Use the `CodeChecker checkers --checker-config` command to list the checker options, or the `CodeChecker checkers --checker-config --details` command to get the checker options with the default values.

A checker option can be set like this:
`CodeChecker analyze compile_command.json -o reports -e cplusplus.Move --checker-config clangsa:cplusplus.Move:WarnOn="All"`

Select only a few files to be analyzed from the compile command database

There is no need for a complex skip file or to create smaller compile command database files to execute the analysis only on a few files. With the `--file` option the important files can be selected the analysis for the other files will be skipped.
`CodeChecker analyze compile_command.json --file "*main.cpp" "*lib.cpp"`

Incremenetal Analysis Extension: Analyze c/cpp files that are dependencies of a changed header

Header files can not be analyzed without a c/cpp file. If a skip file contains a header file (with a "+" tag) like this:

+*lib.h
-*

Which means the header file should be analyzed. CodeChecker tries to find all the c/cpp files including that header file and execute the analysis on those c/cpp files too so the header file will be analyzed.
The only limitation is that the full compilation database is required to collect this information.


CodeChecker CLI configuration files

The CodeChecker commands can be saved in a config file which can be put into a version control system or distributed between multiple developers much easier. In the previous release v6.11.0 the support for the analyzer configuration file was added. In this release it was extended to the web server related commands (store, server) so they can be stored into a configuration file too.
It is not required to type out the options in the command line all the time to store the analysis reports.
With an example `store_cfg.json` config file like this:
json
{
"store":
[
"--name=run_name",
"--tag=my_tag",
"--url=http://codechecker.my/MyProduct"
]
}

The CodeChecker store command can be this short: `CodeChecker store reports --config store_cfg.json`

Other new features worth mentioning

* The review comments in the source code are shown by the `CodeChecker parse` command
* A free text description can be store to every run which can contain any compilation or analysis related description.
`CodeChecker store --description "analysis related extra information" ...`


Removed command line options

These `CodeChecker check` and `CodeChecker analyze` options were already deprecated and were removed in this release:
* -f/--force
* --add-compiler-defaults

Other improvements and changes

There are a lot of improvements and bug fixes in this release.
The full list of changes can be found [here](https://github.com/Ericsson/codechecker/milestone/63?closed=1).

License change
This is the last release with the NCSA license the new license after the release will be: "Apache 2.0 with LLVM Exception", SPDX License Identifier: "Apache-2.0 WITH LLVM-exception"

Contributors

Big thanks to everyone who helped us creating this release: itzurabhi, tilya, themightyoarfish rpavlik sylvestre

6.11.1

Improvements

- Handle two kinds of implicit includes differently (gcc include-fixed and *intrin.h headers) 2562 2541
- Filter out include directories containing *intrin.h header files 2569
- Add -fno-keep-static-consts flag to gcc ignore list 2568

Bugfixes

- Translation unit collector did not detect CCache in the build commands 2524
- Fix row output type in command line 2547
- Number of reports was not calculated right for parse command 2539 2556 2550
- Path normalization fix for the file skip feature 2548
- Fix error when query limit is larger than max limit 2533
- CodeChecker check no longer works analyzer 2505 2506 2532
- fixes the problem where ClangSA is not available in the PATH

Changes

- Do not enable all modernize checkers in sensitive profile 2502 2558

6.11.0

New Feature highlights

- **Show system comments for bugs GUI** 746
Review status changes by the users are automatically stored and shown at the report comment section
for each report. With this feature the status changes of the reports can be easily tracked.

- **Introduce different compiler argument filtering if the original compiler was clang** 2382 2482
If the original compiler used to build a project was clang/clang++ only a minimal compilation
flag filtering or modification is done.
In the case where the original compiler was gcc/g++ many non compatible compiler flags were
filtered which is not required if the original compiler is clang.

- **Store the Cppcheck plist reports** 2474
Plist reports generated by Cppcheck can be stored by the `CodeChecker store` command.
For a more detailed example how to configure Cppcheck to generate the reports in the right format
see the [documentation](https://github.com/Ericsson/codechecker/blob/master/docs/cppcheck.md).

- **CodeChecker config file support for the analysis arguments** 427 2268
The arguments for a `CodeChecker analyze` command can be given in a config file.
A more detailed description about the usage and the config file format can be
found [here](https://github.com/Ericsson/codechecker/blob/master/docs/analyzer/user_guide.md#analyzer-configuration-file).

- **[Log compile commands with absolute paths](https://github.com/Ericsson/codechecker/tree/master/analyzer/tools/build-logger#cc_logger_abs_path)** 2447
With the introduction of a new environment variable (CC_LOGGER_ABS_PATH) the compiler include paths
will be converted to an absoute path.
This conversion can be necessary if the compiler command database created
by CodeChecker will be used by other static analyzers (E.g. Cppcheck).

- **Enforce taking the analyzers from PATH** 2378
With the newly introduced environment variable the usage of the static analyzers in the PATH
can be forced even if the configuration contains analyzers not from the PATH.

- **List ClangSA checker options** 2425
The Clang Static Analyzer options can be listed now (requires clang v9.0.0 or newer).
Use the command `CodeChecker analyzers --dump-config clangsa` to print the static analyzer configuration.

- **Support json output for parse command** 2424
The parse command can generate json output from the reports if required:
`CodeChecker parse -e json analyzer_reports`

- **Use `CodeChecker parse` with multiple directories** 2384
The `CodeChecker cmd parse` command now accepts multiple directories to parse the reports from.

- **[Update the name of a run](https://github.com/Ericsson/codechecker/blob/dbd3feaffd389703a4c59c8d24b5f14f6d54374d/docs/web/user_guide.md#cmd-update)** from the command line 1778

Improvements and bug fixes

Analyzer

* Detect -MG as a precompilation flag 2472
* CodeChecker analyze and parse fails for non ascii. 2454
* Document some new checkers 2445
* Incorrect full path reconstruction for `-include` 2440
* Resolve symlinks of compiler binaries 2430
* Add missing lxml dependency to the analyzer 2414
* Document two new checks 2405
* Replace analyzer option `api-metadata-path` with package option `APIMetadataPath` 2403
* Skip handler must be run before compiler options parsing not after 2396
* Incremental analysis failures on the same file results in stupid failure ZIP 2395
* Do not count a number of skipped actions in progress log 2394
* 'aggressive-binary-operation-simplification' should be clang version dependent 2390
* Do not load plugins when CC_ANALYZERS_FROM_PATH is used 2483
* Print a log message when overwriting a plist file 2375
* Ignore -mllvm option 2374
* Fix taint issue 2426
* Fix missing analyzer binary 2437
* Fix failure zip 2444
* Fix handling '--sysroot=' flag format 2453
* Handle enabled checker per profile for ClangSA 2337
* Do not disable all clang static analyzer checkers unconditionally 2386
* Less argument processing if skip file used without ctu and stats 2462
* Set io.open encoding to utf-8 2484
* Add 4 new checker severity levels 2485
* some specific Xclang arguments modify the output 2492
* do not disable all clang static analyzer checkers unconditionally 2386

Web

* args.config has been renamed to args.config_file 2478
* Can not delete run 2473
* Always generate a new token on login 2423
* Use saved credentials if auto login is enabled 2421
* Trim white spaces from the user name when adding new permissions to it 2420
* Fix personal access token generation 2413
* Add a heartbeat and readiness URL 2410
* Keep the selected sub tab on run tab switch 2401
* Run tab switch jumps back to previous tab 2400
* Disable run limitation 1949
* Fix hiding tooltip of the source component filter item 2489

Other

* Documentation for cppcheck report storage 2481
* Remove SimpleStream checker from sensitive profile 2480
* Extra comments for clang compiler change in travis 2469
* Bump up the minimal required clang version 2468
* OSX does not have include-fixed in its include path 2464
* The existence of a config file influences the test 2463
* Fix test case for has_analyzer_option 2460
* Sort report lines for files 2459
* Fix missing type imports for the tests 2456
* Update to xcode10 in travis 2455
* Upgrade tests to run with Clang 9.0.0 2451
* Remove fail zip first in case of write mode. 2450
* Fix pylint errors 2448
* Fix travis error code handling. 2446
* Adding compilation database to JSON in tu_collector 2441
* Revert "add label configuration for the github actions" 2438
* Update authentication.md for codechecker.readthedocs.io publishing 2436
* Fix thrift path on osx 2431
* Fix pylint warnings 2422
* Add more example how to use credentials 2416
* Simplify Gerrit integration documentation 2415
* Rename shared.thrift to codechecker_api_shared.thrift 2406
* Fix travis failure 2392
* Add default values to the package_layout.json 2385
* Refactoring package_layout.json file 2379
* Increment CodeChecker version to 6.11.0 2313
* It is not possible to order runs by run name 2235
* Support response files 2092
* Introduce code owners file 2075

API changes

* New filter options for CodeChecker cmd runs command 2343

Contributors

Big thanks to everyone who helped us creating this release: josod, LebedevRI, sylvestre, hpwxf, irishrover, scphantm

6.10.1

This is a bug fix release including many fixes and documentation updates. There are no new features or backward incompatible changes.


Bugfixes

Most important

- Fix exception handling for HTTP POST requests 2331
The improper handling of a possible exception caused the server to hang and not respond to the new requests.
- Autocompletion for the login form 2276
The login form will be autocompleted if the credentials are saved by the browser.
- fix backslash in user name 2332
LDAP user names containing a backslash caused exception at the server.
- Skip lists should not be applied to the CTU pre-analysis step 2299
To collect the required information for the CTU and statistics based analysis no source
files are skipped from the compilation database at the pre-analysis step.
- api modeling checkers should be enabled in all profiles 2305
- Increase the severity of some checker that indicate Undefined Behaviour 2370
- Removing `alpha.security.MallocOverflow` from the sensitive profile throws too many false positives 2366

compiler include path related fixes

- Keep GCC `include-fixed` dirs in include paths 2272
The `include-fixed` include paths by gcc might be required for the analysis, but that is
project dependent a new `--keep-gcc-include-fixed` flag is introduced so the projects can keep or remove
the include paths for the analysis.
- Additional `-nostdinc[++]` 2344, `-stdlib` 2303 compilation flags are considered at the implicit compiler include path detection, because they affect the list of the include paths.
- Clang searches for builtin includes relative to the binary 2302
Clang builtin include paths were added by an `--isystem` flag at a fixed place if the include files were in the package, standard clang installation should not be affected by this change.

compilation command logging related fixes

- Fix ld_logger crash 2309
A crash during logging prevented to collect the compilation commands.
- Give absolute path in the `CC_GCC_LOGGER_LIKE` environment variable 2315
If there are compiler wrapper scripts named the same way as the original compiler (gcc/g++) logging the original compiler was hard because the difference was only in the path of the executable. With this change the logging the original compiler execution can be done too.

Analyzer

- Fix Z3 refutation detection 2231
- return 0 in case no analysis is needed 2255
- Crash in splitting output of "clang - ..." 2300
- Plist files should contain absolute paths 2360
- import get_logger in clang_options.py 2296
- CodeChecker disables apiModeling by default 2289
- Introduce clang version dependent options 2287
- fix env forwarding for the subprocess in ctu autodetect 2284
- Fix a typo on setup_process_timeout call 2281
- -fstack-reuse is not supported by clang 2280
- Determine language based on compiler name 2277
- Remove skip list handler from common module 2274
- remove argument handling class from common module 2254
- move report parsing related code to the parse cmd 2252
- fix context free report hash generation doc 2251
- refactor suppress file handler 2250
- Fix LOG.debug 2248
- move proc timeout functions and tests to analyzer 2246
- move get_binary_in_path to analyzer module 2245
- Add tests for cmdline 2283

Web

- Store analyzer version instead of CodeChecker version 2373
- Upgrade JQuery to 3.4.1 2345
- Fix double scroll bar on the GUI 2334
- Extend the help message of "CodeChecker cmd del" command 2325
- indentation of the call graph is not always correct 2320
- Make placeholder help for source components more descriptive 2310
- "loading" label for unauthorized users 2307
- Fix local session creation 2301
- Fix comment update 2282
- Fix pg8000 test command 2275
- Revise how events are indented in a bug report 2269
- Web GUI doesn't honor new lines for comments 2259
- move profiler from common to server 2247
- Impossible to delete run in the web GUI 2234
- Fix reading worker_processes config value 2227
- Fix source code comment regex 2356

Other

- Description of incremental analysis using skipfile 2381
- Remove whitespace characters at cmd results 2362
- Buggy 'CodeChecker parse --print-steps' filename outputs when a report is ranging across TUs. 2358
- Format main README.md 2355
- Fix daily script 2316
- package_layout.json "ctu_func_map_cmd" is not considered 2330
- Update documentation 2323
- ld_logger improvement 2317
- gcc compiler flags against Spectre unknown by clang 2304
- match for multiple digit clang versions in tests 2298
- Update travis ci base image to bionic 2291
- replace StackAddressEscape checker in analyzer tests 2288
- Omit extra newlines while logging build commands 2286
- Add standalone package target 2273
- remove unused db version information 2270
- create reports and project for the update test 2266
- enable build matrix for travis 2261
- tu_collector tests can be run independently 2253
- update travis to clang8 2244
- Exception on regex characters in checker name 2241
- Fix Clang version regex in tests 2239
- bump up version to v6.10.1 2225

API

- Fix getDiffResultsHash API function 2265

Credits

Big thanks to everyone who helped us creating this release: gwangmu, irishrover, zingo

Page 5 of 13

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.