PVS-Studio 7.37: enhanced taint analysis, MISRA version control, SLNX project support, and more

PVS-Studio 7.37 has been released! Discover the expanded taint analysis mechanism, MISRA version selection, analysis of MSBuild projects in the SLNX format, and many other updates. Check out the details in this release note.

You can download the latest PVS-Studio version here.

Expanded taint analysis

PVS-Studio brings enhancements to taint analysis!

In PVS-Studio C++ analyzer, this mechanism is now expanded to diagnostic rules of searching for other types of errors, including divisions by zero, buffer overflows, bitwise shifts, signed integer overflows, and passing tainted values as arguments.

Plus, PVS-Studio C# and Java analyzers factor in tainted data when detecting array overruns, overflows, and potential divisions by zero.

These changes help detect bugs and potential vulnerabilities in a wider range of scenarios.

MISRA version selection

Our team has introduced a new setting that lets users choose the version of the MISRA C Coding Guidelines in PVS-Studio plugins for Visual Studio Code, Qt Creator, CLion, and Rider—as well as in the command-line utilities, PVS-Studio_Cmd.exe and pvs-studio-analyzer.

In the previous PVS-Studio release, a similar setting has been added to the Visual Studio plugin.

Analysis of SLNX-format projects

The analyzer for MSBuild projects now supports the SLNX format—a new, more streamlined solution format introduced in .NET SDK 9.0.200.

C23 & Standard library: C and C++ analyzer updates

We're excited to introduce support for the C23 language standard in PVS-Studio C and C++ analyzer. Now it includes the constexpr and alignas keywords.

Moreover, PVS-Studio for C and C++ now handles the standard library more efficiently. We've enhanced parsing of brace-initializer-list for built-in containers and added new annotations for std::min, std::max, std::unique_ptr<T[]>::reset, and std::unique_ptr<T[]>::release.

Settings for security-related issues in .pvsconfig

Previously, PVS-Studio plugins for IDEs and command-line utilities provided the option to enable SAST identifiers only for analyzer messages related to potential security threats.

Now it is also available for .pvsconfig files.

Note. To learn more about .pvsconfig files, see the documentation.

Breaking Changes

These changes are not backward compatible with earlier versions of the analyzer. You may need to adjust how you use the analyzer due to these changes.

• V1077: This diagnostic rule has been modified. You may need to re-suppress warnings for this rule that were previously suppressed.
• Taint analysis updates: Due to the expanded taint analysis mechanism to cover diagnostic rules V557, V609, V610, V1083, and V575, previously suppressed V1010 warnings may reappear.

New diagnostic rules

C, C++:

• V1118. Excessive file permissions can lead to vulnerabilities. Consider restricting file permissions.

C#:

• V5630. Possible cookie injection. Potentially tainted data is used to create a cookie.
• V3222. Potential resource leak. An inner IDisposable object might remain non-disposed if the constructor of the outer object throws an exception.
• V3223. Inconsistent use of a potentially shared variable with and without a lock can lead to a data race.

Java:

• V6126. Native synchronization used on high-level concurrency class.
• V6127. Closeable object is not closed. This may lead to a resource leak.
• V6128. Using a Closable object after it was closed can lead to an exception.
• V6129. Possible deadlock due to incorrect synchronization order between locks.
• V6130. Integer overflow in arithmetic expression.
• V6131. Casting to a type with a smaller range will result in an overflow.
• V5331. OWASP. Hardcoded IP addresses are not secure.
• V5332. OWASP. Possible path traversal vulnerability. Potentially tainted data might be used to access files or folders outside a target directory.

Articles

For C++ developers:

• Curling CPython around PVS-Studio
• Why SSDLC needs static analysis: a case study of 190 bugs in TDengine
• Creating Sega Genesis emulator in C++

For C# developers:

• .NET Digest #7
• History of C#: versions, .NET, Unity, Blazor, and MAUI

For Java developers:

• Searching in a search: let's check Elasticsearch
• How NASA got the planet's source code wrong

Do you want to check a project with PVS-Studio? Then start from this page.

If you would like to get news on the latest releases, subscribe to the PVS-Studio newsletter here.