Skip to content

Releases: Ericsson/codechecker

v6.25.1

13 Mar 10:52
Compare
Choose a tag to compare
  • Add OWASP Top 10 guideline #4482
  • [fix] Bug report bubble display bugfix #4480

Full Changelog: v6.25.0...v6.25.1

6.25.0

10 Mar 12:45
d1ca304
Compare
Choose a tag to compare

🌟 Highlights

Guideline Statistics page under the statistics tab to generate SEI Cert and CWE Top 25 Compliance reports

A new Guideline Statistics page is added under the statistics tab to generate SEI Cert Compliance reports.
image

This page shows the compliance of an analyzed program to a coding guideline (such as SEI Cert C/C++) . It shows all checkers corresponding to a guideline rule, their configuration status (on/off) and all outstanding and closed reports per guideline rule.

It is possible to generate the table into HTML and CSV format.

The first supported guidelines are SEI Cert C and C++ and CWE Top 25

Facebook Infer as a new C/C++ analyzer plugin

Besides clang-tidy, clang static analyzer, cppcheck and gcc, Facebook Infer is a well known open-source static code analyzer tool https://github.com/facebook/infer

CodeChecker will support executing this analyzer. It will not be enabled by default, but is available for testing.

image

PVS Studio report conversion

From now on, it will be possible to convert the reports of the https://pvs-studio.com/en/pvs-studio/ analyzer and handle them with CodeChecker.
PVS-Studio Static Code Analyzer support by @feeelin in #4356

❗ Backward incompatible changes

  • Resolve checker enable/disable ambiguity by @noraz31 in #4377 and by @cservakt in #4392
    CodeChecker analyze emits an error (instead of a warning) when the enabled checkers/profiles/checker prefix groups are given ambiguously. In these cases the ambiguity must be resolved. For example CodeChecker analyze -e security command is ambiguous as security is a checker group (all checkers starting with security. and a profile at the same time. Please define explicitly CodeChecker -e prefix:security if you mean the prefix group, or profile:security if you mean the security profile.

CodeChecker -e clang-diagnostic-format will give an error, because it is ambiguous if the user means the clang-diagnostic-format single checker, or all checkers starting with clang-diagnostic-format. To refer the former, the user must user checker:clang-diagnostic-format or to the latter prefix:clang-diagnostic-format.

If you have such clashing cases, you must resolve them. The following namespaces can be used
prefix: - to mach checkers starting with a prefix
profile: - to match a checker profile
checker: - to match a single checker
guideline: - to match checkers belonging to a guideline
severity: - to match checkers belonging to a given severity.

  • The skip file handling changed! Adding a --drop-reports-from-skipped-files parameter to analyze by @dkrupp in #4332
    After this patch, the skip files will only skip the analysis of the listed files, but will not filter out any reports. This may result in more reports than before.
    By default CodeChecker used to filter out all reports from files which were on the skip list. This can hide true positive reports starting from unskipped code and ending in skipped files (typical with CTU and header related findings).
    This patch removes the default report filtering post processing step from CodeChecker analyze --skip SKIPFILE operation.
    The legacy functionality is still available with the --drop-reports-from-skipped-files parameter.

  • guideline:sei-cert cannot be used anymore. The sei-cert guideline profile was split to guideline:sei-cert-c for the C guideline and guideline:sei-cert-cpp for the C++ guideline. #4400

  • CodeChecker -e W* syntax is not supported anymore. Clang warnings only appear as clang-diagnostic-* checkers and they can be enabled using the standard checker checker on/off mechanism e.g. CodeChecker analyze -e clang-diagnostic-unused-function

  • The --saargs, --tidyargs and --cppcheckargs flags are now deprecated. The corresponding analyzer configuration option should be used instead, e.g. --analyzer-config clangsa:cc-verbatim-args-file=<filename>. The old flags are still working, but will be converted to the new form under the hood.

🐛 Analyzer improvements

  • [fix] Resolve checker enable/disable ambiguity #4392
  • [fix] Don't capture cc1 by the logger. by @bruntib in #4300
  • Add -mmitigate-rop to ignored options by @noraz31 in #4295
  • Removing alpha checkers from the security profile so it can be used in production by @dkrupp in #4284
  • [analyzer] Adds -fno-freestanding to ignored GCC compiler flags by @ArchieAtkinson in #4281
  • [analyzer] Disable clang-diagnostic-error checker by @cservakt in #4325
  • [analyzer] Ignore -fno-printf-return-value by @pdgendt in #4329
  • [anayzer] Fb infer by @stt08 in #4257
  • [feat] Introduce cc-verbatim-args-file @bruntib #4456

💻 CLI/Server improvements

🌳 Environment

📖 Documentation updates

  • Modified documentation to match current procedures for changing schema by @feyruzb in #4366
  • chore: Remove ancient, unused docs/checker_docs.md by @whisperity in #4283
  • additional library was required for venv_dev by @stt08 in #4273

🔨 Other

Read more

v6.24.7

18 Feb 10:31
Compare
Choose a tag to compare
  • The CodeChecker server in the codechecker-web docker image could not connect to LDAP servers for authentication using SSL and the authentication was not working. This was fixed.

Full Changelog: v6.24.6...v6.24.7

v6.24.6

17 Feb 15:04
Compare
Choose a tag to compare
  • Update the Python version in the codechecker-web Docker image
  • Fix an URL parsing error in the web server
    Full Changelog: v6.24.5...v6.24.6

v6.24.5

21 Jan 15:04
5914f3a
Compare
Choose a tag to compare

This is a security patch release

Move from cookie-based to token-based authentication
Session-based authentication is deprecated, but left in for the benefit of old CLI clients.
When performing upgrade, all users will need to re-authenticate.

v6.25.0-rc1

11 Dec 09:07
Compare
Choose a tag to compare
v6.25.0-rc1 Pre-release
Pre-release

🌟 Highlights

Guideline Statistics page under the statistics tab to generate SEI Cert Compliance reports

A new Guideline Statistics page is added under the statistics tab to generate SEI Cert Compliance reports.
image

This page shows the compliance of an analyzed program to a coding guideline (such as SEI Cert C/C++) . It shows all checkers corresponding to a guideline rule, their configuration status (on/off) and all outstanding and closed reports per guideline rule.

It is possible to generate the table into HTML and CSV format.

The first supported guidelines are SEI Cert C and C++.

Facebook Infer as a new C/C++ analyzer plugin

Besides clang-tidy, clang static analyzer, cppcheck and gcc, Facebook Infer is a well known open-source static code analyzer tool https://github.com/facebook/infer

CodeChecker will support executing this analyzer. It will not be enabled by default, but is available for testing.

image

PVS Studio report conversion

From now on, it will be possible to convert the reports of the https://pvs-studio.com/en/pvs-studio/ analyzer and handle them with CodeChecker.
PVS-Studio Static Code Analyzer support by @feeelin in #4356

❗ Backward incompatible changes

  • Resolve checker enable/disable ambiguity by @noraz31 in #4377 and by @cservakt in #4392
    CodeChecker analyze emits an error (instead of a warning) when the enabled checkers/profiles/checker prefix groups are given ambigously. In these cases the ambiguity must be resolved. For example CodeChecker analyze -e security command is ambigous as security is a checker group (all checkers starting with security. and a profile at the same time. Please define explicitly CodeChecker -e prefix:security if you mean the prefix group, or profile:security if you mean the security profile.

CodeChecker -e clang-diagnostic-format will give an error, because it is ambigous if the user means the clang-diagnostic-format single checker, or all chekcers starting with clang-diagnostic-format. To refer the former, the user must user checker:clang-diagnostic-format or to the latter prefix:clang-diagnostic-format.

If you have such clashing cases, you must resolve them. The following namespaces can be used
prefix: - to mach checkera starting with a prefix
profile: - to match a checker profile
checker: - to match a single checker
guideline: - to match checkers belonging to a guideline
severity: - to match checkers belonging to a given severity.

  • The skip file handling changed! Adding a --drop-reports-from-skipped-files parameter to analyze by @dkrupp in #4332
    After this patch, the skip files will only skip the analysis of the listed files, but will not filter out any reports. This may result in more reports than before.
    By default CodeChecker used to filter out all reports from files which were on the skip list. This can hide true positive reports strating from unskipped code and ending in skipped files (typical with CTU and header related findings).
    This patch removes the default report filtering post processing step from CodeChecker analyze --skip SKIPFILE operation.
    The legacy functionality is still available with the --drop-reports-from-skipped-files paramer.

  • guideline:sei-cert cannot be used anymore. The sei-cert guideline profile was split to guideline:sei-cert-c for the C guideline and guideline:sei-cert-cpp for the C++ guideline. #4400

  • CodeChecker -e W* syntax is not supported anymore. Clang warnings only appear as clang-diagnostic-* checkers and the

🐛 Analyzer improvements

  • [fix] Resolve checker enable/disable ambiguity #4392
  • [fix] Don't capture cc1 by the logger. by @bruntib in #4300
  • Add -mmitigate-rop to ignored options by @noraz31 in #4295
  • Removing alpha checkers from the security profile so it can be used in production by @dkrupp in #4284
  • [analyzer] Adds -fno-freestanding to ignored GCC compiler flags by @ArchieAtkinson in #4281
  • [analyzer] Disable clang-diagnostic-error checker by @cservakt in #4325
  • [analyzer] Ignore -fno-printf-return-value by @pdgendt in #4329
  • [anayzer] Fb infer by @stt08 in #4257

💻 CLI/Server improvements

🌳 Environment

📖 Documentation updates

  • Modified documentation to match current procedures for changing schema by @feyruzb in #4366
  • chore: Remove ancient, unused docs/checker_docs.md by @whisperity in #4283
  • additional library was required for venv_dev by @stt08 in #4273

🔨 Other

Read more

v6.24.4

27 Oct 22:23
Compare
Choose a tag to compare

This release fixes a bug about permission settings:

  • [fix] Get product configuration with view permission #4375
    Users with admin rights couldn't get product configuration page for changing product configuration or setting user permissions.

v6.24.3

18 Oct 13:36
Compare
Choose a tag to compare

This release fixes an authentication issue:

  • CodeChecker authentication fixed #4369
    Version 6.24.2 introduced the super_user field in the server_config.json.
    If this field was missing from the config file, the authentication did not work for any user.

v6.24.2

18 Oct 10:23
Compare
Choose a tag to compare

This release contains security vulerability fixes.
It is highly recommended to upgrade to this as soon as possible.

  1. [fix] Removing the root user creation 3bb2cbf
    Backward incompatible change: The built-in root user generated at CodeChecker server start with
    CodeChecker --reset-root ... has been disabled.
    Instead, the user can give SUPER_USER permission to an existing user in the server_config.json
    For further details, see https://github.com/Ericsson/codechecker/blob/master/docs/web/user_guide.md#initial-super-user

  2. Fix the endpoint parsing issue 8953b30
    CodeChecker web server has accepted some invalid URLs. The URL parsing has been hardened.

v6.24.1

13 Sep 11:25
Compare
Choose a tag to compare

🌟 Highlights

Standard library handling change

GCC has implicit include paths that are forwarded to Clang. Until now these paths were added with -isystem flag, but sometimes the priority of this is too high: https://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html The implicit include paths should be searched the last, so -isystem has been changed to -idirafter.
In case of potential backward compatibility break --add-gcc-include-dirs-with-isystem has been introduced for "CodeChecker analyze" command which reverts this change.

ld_logger environment change

CodeChecker log command uses the LD_PRELOAD environment variable for collecting the build commands. This environment variable relies on LD_LIBRARY_PATH which tells where to find the .so file set in LD_PRELOAD. Some build systems overwrite the value of LD_LIBRARY_PATH and for this reason CodeChecker fails to collect build commands. A solution to this problem was to fill LD_PRELOAD with an absolute path. However, this solution doesn't work when the analyzed project is built for multiple target architectures (e.g 32 and 64 bits), since CodeChecker sets a single absolute path based on the host architecture.
If the project's build system is resetting LD_LIBRARY_PATH, then the workaround solution is to extend LD_LIBRARY_PATH with the proper ldlogger.so file: For further details consult this documentation.

Enable checkers by group prefix

Checkers can be enabled by providing a group prefix. For example, cplusplus.NewDeleteLeaks can be enabled by --enable cplusplus. The problem was that checkers are enabled by any name prefix, so this former checker is also enabled by cplusplus.NewDelete which is not an intended behavior. This release fixes this issue.
Also, it was possible to enable checkers by suffix (e.g. --enable NewDeleteLeaks). As of this release, the suffix matching is not checked either.

💻 CLI/Server improvements

  • [fix] Don't reset PATH in Cppcheck plugin #4320
  • [feat] Implicit include paths added with -idirafter #4315
  • Revert "[analyzer] Use absolute path to logger.so in LD_PRELOAD" #4314
  • [cmd] Checker name prefixes are meant along separator characters #4311
  • Analyzer binary dependent environment #4305
  • [fix] Support joker characters at annotation filter #4306
  • [Fix] Report sorting in unique mode #4294
  • [fix] Don't enable checkers by suffix #4307
  • [fix] Minor fixing for statistics tabs #4304
  • [fix] Error when debug logging skipped actions #4301
  • [fix] Don't capture cc1 by the logger. #4300
  • Add -mmitigate-rop to ignored options #4295
  • [analyzer] Ignore -fno-printf-return-value #4329
  • [fix] Disable clang-diagnostic-error checker #4325
  • [fix] Missing analyzer error #4330
  • [fix] Forwarding --ctu-ast-mode to analyze command #4341
  • Environment initialization for binaries #4337

🌳 Environment

  • [cfg] Add setuptools as a dependency #4285
  • Deprecate distutils #4286
  • Bump urllib3 from 2.2.1 to 2.2.2 in /scripts/labels/label_tool #4290
  • [cfg] Upgrade to pylint 3.2.4 #4279
  • [analyzer] Adds -fno-freestanding to ignored GCC compiler flags #4281
  • [cfg] Upgrade pycodestyle to 2.12.0 #4264
  • [cfg] Upgrade lxml version #4262

🔨 Other

  • [test] The assertDictContainsSubset() is depreceted and removed #4322
  • [fix] fix compare_results.py sciprt #4319
  • [script] Script for querying all reports #4245
  • [cmd] Display warning instead of debug log for missing diagtool #4342