What's new in Klocwork 2020.3
Here are the highlights for Klocwork 2020.3. If you're upgrading, also see the Limitations for items that affect how you use Klocwork.
Building on our improvements to have full support for Java 9 in Klocwork 2020.2, we have added partial support up to Java 11.
- lambda functions
- CWE-611: SV.XXE.DBF, SV.XXE.SF, SV.XXE.SPF, SV.XXE.TF, SV.XXE.XIF, SV.XXE.XRF
- CWE-426: SV.EXEC.PATH
- CWE-400: JD.INF.ALLOC
- CWE-20: SV.LOADLIB.INJ
We improved the 2019 top-25 CWE taxonomy for Java by simplifying the mapping structure, mapping existing checkers SV.PASSWD.PLAIN and SV.WEAK.CRYPT to CWE-287, and correcting a small number of incorrect mappings.
- split JD.CAST.COL into JD.CAST.COL.MIGHT and JD.CAST.COL.MUST
- reduced false positives for SV.EXPOSE.MUTABLEFIELD
CWE Top 25
The checkers we've developed for Java and C# add coverage for several additional 2019 CWE Top 25 Most Dangerous Software Errors. For more information, see 2019 CWE Top 25 Most Dangerous Software Errors mapped to Klocwork checkers.
- developing six new security-focused checkers that map to the 2019 CWE Top 25 Most Dangerous Software Errors
- improving analysis accuracy
- adding support for custom Path checkers in C# analysis. For help developing custom Path checkers, contact Static Code Analysis Professional Services to discuss assistance via a services engagement.
C/C++ analysis improvements
We have updated our C/C++ Logical Error Finder to 64-bit on Windows, which enables Klocwork analysis to run to completion on very large and complex compilation units. We also now support 64-bit custom checkers.
We have seen minor performance improvements on some of our OSS test projects.
We've also improved how we handle new and delete keywords and initializer lists.
MISRA C 2012 Amendment 2 (C11)
We've added a new taxonomy that maps Klocwork checkers to MISRA C 2012 Amendment 2 (C11). For more information, see MISRA-C 2012 with Amendment 2 (C11) checker reference.
Option to rebuild Lucene index
We've added an option to the dbvalidate tool that rebuilds the Lucene index for the specified project, which often reduces the size of the index. For more information, see Validate your database (mandatory).
Klocwork checker improvements
From release to release, we improve issue detection to bring state-of-the-art capabilities to our customers. As a result, expect your analysis results to change as accuracy and coverage improve.
New Klocwork checkers
|CS.INFORMATION_EXPOSURE.ALL||This C# checker flags potentially unintended logging or printing to the console of any program data.|
|CS.INFORMATION_EXPOSURE.ATTR||This C# checker flags potentially unintended logging or printing to the console of data fields specifically marked with the attribute [SecurityCritical] or [SecuritySafeCritical].|
|CS.RESOURCE.LOOP||This C# checker reports a defect whenever any object is created inside the body of a loop that has no explicit exit condition.|
|CS.SV.TAINTED.CALL.GLOBAL||This C# checker flags whenever tainted data is used to assign a globally visible data field via a function call.|
|CS.SV.TAINTED.GLOBAL||This C# checker flags whenever tainted data is used to assign a globally visible data field.|
|CS.SV.TAINTED.LOOP_BOUND.RESOURCE||This C# checker flags code where an unvalidated argument is used as a loop boundary while any resource, managed or unmanaged, is allocated within the loop.|
|JD.CAST.COL.MIGHT||This Java checker flags when more than one type is stored in the same collection (Map or List) and at least one of the stored types is related to the type used for a type cast.|
|JD.CAST.COL.MUST||This Java checker flags when none of the types used to store values in collections is related to the type used in an immediate cast.|
|JD.INF.ALLOC||This Java checker flags when large sections of memory are consumed within an infinite loop and there is no verification of available memory.|
|SV.EXEC.PATH||This Java checker flags when an application searches for critical resources by using a short or relative path that can point to resources that are not under the application's direct control.|
|SV.LOADLIB.INJ||This Java checker flags the use of ‘System.loadLibrary’ or ‘Runtime.loadLibrary’, both of which are vulnerable to environment injection.|
|This C/C++ checker flags potential cross-site scripting issues for CGI scripts (web servers that use a Common Gateway Interface).|
|SV.XXE.DBF||This Java checker flags when XML input is processed by a weakly-configured XML parser, DocumentBuilderFactory.|
|SV.XXE.SF||This Java checker flags when XML input is processed by a weakly-configured XML parser, SchemaFactory.|
|SV.XXE.SPF||This Java checker flags when XML input is processed by a weakly-configured XML parser, SAXParserFactory.|
|SV.XXE.TF||This Java checker flags when XML input is processed by a weakly-configured XML parser, TransformerFactory.|
|SV.XXE.XIF||This Java checker flags when XML input is processed by a weakly-configured XML parser, XMLInputFactory.|
|SV.XXE.XRF||This Java checker flags when XML input is processed by a weakly-configured XML parser, XMLReaderFactory.|
Modified Klocwork checkers
|CWARN.BITOP.SIZE||Fewer false positives are expected|
|LV_UNUSED.GEN||Fewer false positives are expected|
|MISRA.COMP.WRAPAROUND||Fewer false positives are expected|
|MISRA.CVALUE.IMPL.CAST||New defects detected and fewer false positives are expected|
|MISRA.ETYPE.ASSIGN.2012||New defects detected|
|MISRA.FUNC.NOPROT.CALL||Fewer false positives are expected|
|NPD.FUNC.MUST||New defects detected and fewer false positives are expected|
|STRONG.TYPE.ASSIGN.INIT||Fewer false positives are expected|
|STRONG.TYPE.ASSIGN.RETURN||Fewer false positives are expected|
|SV.EXPOSE.MUTABLEFIELD||Fewer false positives are expected|
|UNINIT.STACK.MUST||Fewer false positives are expected|
Enabled or disabled checkers
The checker JD.CAST.COL is deprecated; use JD.CAST.COL.MIGHT and JD.CAST.COL.MUST instead.
The checkers CS.WRONG.CAST and CS.WRONG.CAST.MIGHT are no longer enabled by default.
As part of our installation, we offer several custom taxonomy files that map our checkers to standards such as MISRA, CWE, OWASP, and DISA STIG.
We added references to the following checkers:
We added references to the following checkers:
Updated the reference for SV.CSRF.GET to map to CWE-352.
We updated the reference for RLK.FIELD to map to CWE-772.
For cwe_all_java.tconf and cwe_all_java_ja.tconf we also mapped the checker SV.LOADLIB.INJ to CWE-114.
|misra_c_2012_with_amd2_c11.tconf and misra_c_2012_with_amd2_c11_ja.tconf||These are new taxonomies that map Klocwork checkers to MISRA C:2012 Amendment 2.|
Improvements to supported compilers
We've improved support for the following compilers:
For the full list of supported C/C++ compilers, see C/C++ compilers supported for build integration.
Changes to the Path API
In Klocwork 2016, we made a number of changes to the C++ version of our Path API. Chapter 2 of the Klocwork C/C++ Path Analysis API Reference contains a list of deprecated functions and provides a proposed replacement for each. As of Klocwork 2020.3, these functions are fully deprecated and checkers will fail to load if one of the deprecated methods is used. For more information, see Important changes to the Path API in version 11.2.
Solaris and AIX support
Downloads for Solaris and AIX are now by request. To obtain Solaris or AIX product downloads, please contact Klocwork Customer Support.
Solaris installation packages, build tools, and desktop tools are available for Klocwork release 2020.1. Downloads are not available for later releases.
2019 licenses are not compatible with Klocwork 2020.4. You need a new license to use the latest version of the product. Contact firstname.lastname@example.org to obtain a new license.
We upgraded the version of FlexNet Publisher that we support for Windows and Linux to version 2018 R4 (11.16.2). If you are using your own FlexNet Publisher license server, ensure you upgrade to this or a newer version. You can also use the license server included with Klocwork 2020.1 and beyond.
Maintenance for Klocwork 2018 ended
Maintenance for all versions of Klocwork 2018 ended February 29, 2020. The end of maintenance (EOM) date and end of sale (EOS) date was also February 29, 2020. For information about the availability of support for any release of Klocwork, see the Klocwork Product Lifecycle.
Portal licensing changes
Klocwork has implemented additional licensing checks related to running the Klocwork Server, which, among other things, underpins the Klocwork portal. We recommend you validate your licensing needs to ensure you have a sufficient number of web service licenses.
Changes to system requirements
- Windows 10 versions above 1909 to 2004
- Debian 10.4
- Red Hat Enterprise Linux versions 7.8 and 8.2
- Oracle Linux versions 7.8 and 8.2
- CentOS versions 7.8 and 8.2
- Ubuntu 20.04 LTS
- Fedora 32
- OpenSUSE Leap 15.2
- Eclipse version 4.16
- Android Studio versions above 3.6 to 4.0
- Visual Studio 2017 versions up to 15.9.24
- Visual Studio 2019 versions up to 16.6.3
- IntelliJ IDEA 2019 versions above 19.3.3 to 19.3.5
- IntelliJ IDEA 2020.1 versions up to 2020.1.2
- Wind River Workbench 4 SR0640
- CLion 2020.1 version 2020.1.2
- Internet Explorer versions above 11.0.175 to 11.0.195
- Edge versions 81.x and 83.x
- Firefox versions 78.x
- Chrome versions above 80.x to 83.x
- Jenkins versions above 2.204.5 to 2.243
- Gradle versions above 6.2.1 to 6.5.1
- Windows 10, version 1803
- Ubuntu version 19.10
- Fedora 30
- SUSE Enterprise 12 SP1
- Eclipse versions 3.4 to 3.7