What's new in Klocwork 2020.2
Here are the highlights for Klocwork 2020.2. If you're upgrading, also see the Limitations for items that affect how you use Klocwork.
New Jenkins plugin
Our new Jenkins plugin provides an easy way for you to automate industry-leading static code analysis as part of your Continuous Integration (CI) or Continuous Delivery (CD) pipeline.
To support the DevOps and CI/CD movement, which requires speed from a static analysis tool, our plugin provides Klocwork's Differential Analysis, which uses system context data from the server to analyze only the files that were changed, while providing a diff analysis as if the entire system were analyzed, resulting in the shortest analysis times. You can also use it to generate periodic full analysis runs.
For more information, see Klocwork Jenkins CI plugin.
CLion plugin
Use our new CLion desktop analysis plugin to quickly and easily detect and fix issues before check-in. For more information, see Getting started with Klocwork Desktop plugin for CLion.
PCI DSS version 3.2.1 taxonomy
We now provide taxonomies that map Payment Card Industry Data Security Standard (PCI DSS) Version 3.2.1 IDs to Klocwork checkers for C and C++, C#, and Java. The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. For more information, see Payment Card Industry Data Security Standard IDs mapped to Klocwork checkers.
Joint Strike Fighter Air Vehicle C++ taxonomy
Our new Joint Strike Fighter Air Vehicle C++ taxonomy maps the Joint Strike Fighter Air Vehicle C++ coding standard to Klocwork C++ checkers. The Joint Strike Fighter Air Vehicle C++ coding standard, developed by Lockheed Martin, helps programmers develop error-free code for safety-critical systems. For more information, see Joint Strike Fighter Air Vehicle C++ IDs mapped to Klocwork C++ checkers.
Dramatic improvements to C#
- We've significantly improved C# build integration using kwinject.
- We now support mixed C/C++ and C# projects.
- We've also added support for more C# VS project types like .Net.
On some Open Source projects that we benchmark against, we've seen up to a 30% increase in defects detected!
- out variables as function arguments and discard out variables
- pattern matching
- tuples, tuple deconstruction, and discards in tuple deconstruction
- local functions
- binary literals and digit separators
- ref locals and returns
- generalized async return types
- expression bodied members for members formally returning void
- throw expressions
Significant improvements to Java
- Java Platform Module System
- private methods in interfaces
- diamond operator for anonymous inner class
- @SafeVarargs on private instance methods
- Try-with-resources Java 9 enhancement
- Lambda return types are now properly analyzed and determined, which allows for better nesting and chaining of lambdas in objects such as java.util.Stream.
- We've improved the type inference of input values such that we understand both lower and upper bounds and perform parameter coercion correctly.
- Method references now properly identify static and non-static methods and match overloaded methods correctly.
Improved Knowledge bases
We've improved our KB related to virtual methods. For more information, see C/C++ knowledge base reference.
Analysis improvements
We now support cases of intraprocedural function pointer resolution in defect detection as well as cases of function pointers that are returned directly or indirectly by function calls (limited interprocedural support). We've also improved support for rvalue references and for override file mechanisms.
Simplified plugin installation
We've simplified the installation of our IntelliJ IDEA and Android Studio plugins by converting our installers into JetBrains-style plugins. For more information, see Installing the IntelliJ IDEA/Android Studio/CLion plugins.
Klocwork checker improvements
From release to release, we improve issue detection to bring state-of-the-art capabilities to our customers. As a result, expect your analysis results to change as accuracy and coverage improve.
New Klocwork checkers
Checker | Description |
---|---|
CS.SV.TAINTED.ALLOC_SIZE | C# checker that flags code that uses tainted data in determining the size of a memory allocation. |
CS.SV.TAINTED.BINOP | C# checker that flags code that uses tainted data in arithmetic binary operations, such as addition, subtraction, or multiplication. |
CS.SV.TAINTED.CALL.BINOP | C# checker that flags code that uses tainted data, via a function call, in arithmetic binary operations, such as addition, subtraction, or multiplication. |
CS.SV.TAINTED.CALL.INDEX_ACCESS | C# checker that flags code that passes tainted data to functions that will use it to access an array. |
CS.SV.TAINTED.CALL.LOOP_BOUND | C# checker that flags code when a loop variable is passed as an argument to another function and used as a loop boundary. |
CS.SV.TAINTED.INDEX_ACCESS | C# checker that flags code that uses tainted data to access an array. |
CS.SV.TAINTED.LOOP_BOUND | C# checker that flags code when an unvalidated argument is used as a loop boundary. |
JD.CAST.SUSP.MIGHT | Related to Java checker JD.CAST.SUSP.MUST. This checker flags code when an object is checked with an instance of operator for type A and then cast to type B, where types A and B may be unrelated. |
JD.CAST.SUSP.MUST | Renamed Java checker JD.CAST.SUSP. This checker flags code when an object is checked with an instance of operator for type A and then cast to type B, where types A and B are unrelated. |
MISRA.PTR.ARITH.NOT_SAME.2008 | Supports MISRA C++ Rule 5–0–16: A pointer operand and any pointer resulting from pointer arithmetic using that operand shall both address elements of the same array. |
MISRA.TYPE.NAMECLASH.C.2004 | Deprecated the checker MISRA.TYPE.NAMECLASH and split it into two checkers. This checker supports MISRA C Rule 5.6 (advisory): No identifier in one name space should have the same spelling as an identifier in another name space, with the exception of structure member and union member names. |
MISRA.TYPE.NAMECLASH.CPP.2008 | Deprecated the checker MISRA.TYPE.NAMECLASH and split it into two checkers. This checker supports MISRA C++ Rule 2-10-6 (required): If an identifier refers to a type, it shall not also refer to an object or a function in the same scope. |
SV.TAINTED.CALL.GLOBAL | This C/C++ checker flags code whenever tainted data is used to assign a global variable via a function call. |
SV.TAINTED.GLOBAL | This C/C++ checker flags code whenever tainted integer data is used to initialize the global variable. |
New community checkers
Checker | Description |
---|---|
CXX.BSTR.LITERAL | Do not pass string literal or casted CString to COM function expecting BSTR parameter. |
CXX.CWARN.DTOR.NONVIRT | Destructors should be declared as virtual. |
CXX.CWARN.HARDCODED_LOOP_BOUND | Hard-coded loop used for array index. |
CXX.CWINAPP.INIT | Incorrect or missing InitInstance override for class derived from CWinApp. |
CXX.FUNC.CSTRING.FORMAT | CString cannot call CString.Format() on itself. |
CXX.FUNC.MEMSET.BUILTIN | Calls to memset must not pass a reference to a structure containing non-builtin types. |
Modified Klocwork checkers
Checker | Description |
---|---|
DBZ.CONST | New defects detected |
CS.HIDDEN.MEMBER.LOCAL.CLASS | New defects detected |
JD.CAST.KEY | Fewer false positives are expected |
MISRA.CTOR.BASE | Fewer false positives are expected |
MISRA.FLOAT_EQUAL | New defects detected. |
MISRA.FUNC_CAST | New defects detected |
MISRA.FLOAT_EQUAL | New defects detected |
MISRA.LITERAL.NULL.PTR.CONST.2012 | Fewer false positives are expected |
MISRA.ONEDEFRULE.VAR | New defects detected |
MISRA.PTR.ARITH | Fewer false positives are expected |
MISRA.VAR.HIDDEN | New defects detected, and fewer false positives are expected. |
RH.LEAK | Fewer false positives are expected |
RTC.CALL | Fewer false positives are expected |
SV.TAINTED.BINOP | New defects detected |
UNINIT.STACK.MIGHT | Fewer false positives are expected |
Enabled or disabled checkers
Taxonomy improvements
As part of our installation, we offer several custom taxonomy files that map our checkers to standards such as MISRA, CWE, OWASP, and DISA STIG.
Taxonomy | New/Updated |
---|---|
autosar_cpp_17_10.tconf and autosar_cpp_17_10_ja.tconf | Updated rule 6.2 to reference MISRA.TYPE.NAMECLASH.CPP.2008 instead of MISRA.TYPE.NAMECLASH. |
autosar_cpp_18_03.tconf and autosar_cpp_18_03_ja.tconf | Updated rule 6.2 to reference MISRA.TYPE.NAMECLASH.CPP.2008 instead of MISRA.TYPE.NAMECLASH. |
| These are new taxonomies that map Klocwork checkers to CERT C and CERT C++ IDs, respectively. We split the previous cert_c_cpp.tconf and cert_c_cpp_ja.tconf taxonomies into separate C and C++ taxonomies. |
| These are new taxonomies that map both Klocwork and community checkers to CERT C and CERT C++ IDs, respectively. We split the previous cert_c_cpp_community.tconf and cert_c_cpp_community_ja.tconf into separate C and C++ taxonomies and added the Klocwork checkers. |
| Removed the reference to rule CWE-400 for CS.SQL.INJECT.LOCAL. We added references to the following checkers: CWE-20: Improper Input Validation
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-190: Integer Overflow or Wraparound
|
jsf_av_rev_c_community_cpp.tconf and jsf_av_rev_c_community_cpp_ja.tconf | New community taxonomy that maps the Joint Strike Fighter Air Vehicle C++ coding standard to Klocwork C++ checkers. |
kw_quality_std_java.tconf and kw_quality_std_java_ja.tconf | Removed the reference to JD.CAST.SUSP and added references to JD.CAST.SUSP.MIGHT and JD.CAST.SUSP.MUST. |
misra_c_2004.tconf and misra_c_2004_ja.tconf | Removed the reference to MISRA.TYPE.NAMECLASH and added a reference to MISRA.TYPE.NAMECLASH.C.2004. |
misra_cpp_2008.tconf and misra_cpp_2008_ja.tconf |
|
pci_3_2_1_community_cs.tconf and pci_3_2_1_community_cs_ja.tconf | New taxonomy that maps the Payment Card Industry Data Security Standard (PCI DSS) Version 3.2.1 IDs to Klocwork C# checkers. |
pci_3_2_1_community_cxx.tconf and pci_3_2_1_community_cxx_ja.tconf | New taxonomy that maps the Payment Card Industry Data Security Standard (PCI DSS) Version 3.2.1 IDs to Klocwork C and C++ checkers. |
pci_3_2_1_community_java.tconf and pci_3_2_1_community_java_ja.tconf | New taxonomy that maps the Payment Card Industry Data Security Standard (PCI DSS) Version 3.2.1 IDs to Klocwork Java checkers. |
quality_community_cxx.tconf and quality_community_cxx_ja.tconf | Added references to the following checkers:
|
Improvements to supported compilers
We've improved support for the following compilers:
- Clang
- GNU
- IAR compiler/linker for STM8 Microcontroller family
- Renesas SuperH and RX family
- Wind River Diab
For the full list of supported C/C++ compilers, see C/C++ compilers supported for build integration.
Solaris and AIX support
Downloads for Solaris and AIX are now by request. To obtain Solaris or AIX product downloads, please contact Klocwork Customer Support.
Solaris installation packages, build tools, and desktop tools are available for Klocwork release 2020.1. Downloads are not available for later releases.
Licensing
2019 licenses are not compatible with Klocwork 2020.4. You need a new license to use the latest version of the product. Contact license@perforce.com to obtain a new license.
We upgraded the version of FlexNet Publisher that we support for Windows and Linux to version 2018 R4 (11.16.2). If you are using your own FlexNet Publisher license server, ensure you upgrade to this or a newer version. You can also use the license server included with Klocwork 2020.1 and beyond.
Maintenance for Klocwork 2018 ended
Maintenance for all versions of Klocwork 2018 ended February 29, 2020. The end of maintenance (EOM) date and end of sale (EOS) date was also February 29, 2020. For information about the availability of support for any release of Klocwork, see the Klocwork Product Lifecycle.
Portal licensing changes
Klocwork has implemented additional licensing checks related to running the Klocwork Server, which, among other things, underpins the Klocwork portal. We recommend you validate your licensing needs to ensure you have a sufficient number of web service licenses.
Changes to system requirements
- Windows 10 versions beyond 1903 to 1909
- Debian 9.12 and 10.3
- Red Hat Enterprise Linux 8.1
- Oracle Linux versions beyond 7 to 7.7 and 8 to 8.1
- CentOS versions beyond 8.0 to 8.1
- Ubuntu 18.04.4 LTS
- SUSE Enterprise 12 SP5
- AIX 7.2 (TL4)
- Eclipse versions beyond 4.13 to 4.15
- Android Studio versions beyond 3.5.1 to 3.6
- Visual Studio 2017 versions beyond 15.9.17 to 15.9.20
- Visual Studio 2019 versions beyond 16.3.6 to 16.4.5
- IntelliJ IDEA 2019.2 versions beyond 2019.2.3 to 2019.2.4
- IntelliJ IDEA 2019.3 up to 2019.3.3
- Wind River Workbench 4 SR0630
- Microsoft Internet Explorer versions beyond 11.0.155 to 11.0.175
- Microsoft Edge 79.x, 80.x to 80.0.361
- Mozilla Firefox 73.x
- Chrome versions beyond 78.x to 80.x
- Safari versions beyond 12.1.2 to 13.0
- Jenkins versions 1.658 to 2.204.5
- Gradle versions beyond 5.6.3 to 6.2.1
- CLion versions 2019.2 (up to 2019.2.5), 2019.3 (up to 2019.3.6), and 2020.1 (up to 2020.1.1).
- Fedora 29
- IntelliJ IDEA versions earlier than 12.x
- Android Studio versions earlier than 2.3.2
- Eclipse versions earlier than 4.2
Changes to commands, tools, and options
We've improved support for kwinject so that it is the command of choice for C#.
For more information about Klocwork commands, see Command Reference.