What’s new in PVS-Studio in 2021?

Website update

Speaking of websites: if you visit ours from time to time, you probably noticed that we completely redesigned it. We also finally moved to the pvs-studio.com domain. We improved the website’s usability: the articles now have likes/dislikes, the documentation now has a dropdown menu, and much more. You can read about it all here.

Safety and security

We continue to develop PVS-Studio as a SAST (Static Application Security Testing) solution, and in 2021 we dedicated a lot of time and effort to this.

Visual Studio 2022 support

At the beginning of 2021, Microsoft announced Visual Studio 2022. They promised a lot of features, but the main one was that the IDE would be 64-bit.

Display of the Analyzer Best Warnings

When users run a static analyzer for the first time, they may encounter a large number of warnings. This is especially true of projects with much legacy code.

  • look through a dozen warnings, run into mostly false positives, and get discouraged.

Notifications about warnings issued for new code

PVS-Studio has the blame-notifier utility, which notifies developers and managers about warnings issued by the analyzer. The use of blame-notifier in CI, combined with regular analysis, allows developers to quickly see warnings that they may have missed, and managers to monitor the overall situation.

Java

Unfortunately, the Java analyzer doesn’t have any major updates except SAST identifiers and diagnostics from OWASP ASVS. :(

C, C++

Intermodular analysis

Now the C++ analyzer supports intermodular analysis. In this mode, when parsing code, the analyzer takes into account information about functions defined in other translation units.

Plugin for CLion

PVS-Studio has plugins for various JetBrains IDEs: Rider, IntelliJ IDEA. Somehow we missed another popular IDE — CLion. Our clients expressed an increasing interest in this feature. Moreover, since CLion is a cross-platform IDE, a PVS-Studio plugin for it would make it possible to work comfortably with the C++ analyzer regardless of the environment in which the developer works: on Windows, Linux or macOS.

Enhanced Unreal Engine support

One of the technologies used in static analysis is annotating functions of popular libraries. A developer studies the documentation of such functions and records useful facts in the form of annotations. The analyzer uses these annotations to make the project analysis more accurate.

MISRA

We collected feedback from our clients and saw interest in checking projects for compliance with the MISRA C 2012 standard. After that we started developing this direction to a competitive level. Our goal was to increase the standard coverage to 80% with our diagnostics. As a result, we made 57 new MISRA diagnostics. As we planned, now PVS-Studio covers 80% of MISRA C 2012.

C#

Taint analysis, OWASP

In 2021, we implemented taint analysis in the C# analyzer. In short, this is an analysis technology that tracks how tainted data propagates through an application. Data is considered potentially tainted when it comes from an external source and could have been compromised by an attacker. If tainted data reaches certain places in an application (like a raw SQL query), it creates potential vulnerabilities. Find more information about taint analysis in this article.
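The source-to-sink flow described above, as an added C# example (not PVS-Studio's own code or output): externally supplied data passes through a helper and reaches a raw SQL query, shown beside the parameterized form in which the tainted value never becomes part of the query text. The class, method, table and column names are hypothetical.

```csharp
using System.Data.Common;

// Added illustration: class, method, table and column names are hypothetical.
public static class UserLookup
{
    // Propagation: the result is derived from tainted input, so it stays tainted.
    // Trimming and lower-casing do not neutralize SQL metacharacters.
    private static string Normalize(string raw) => raw.Trim().ToLowerInvariant();

    // Before: source (userName) -> Normalize -> concatenation -> CommandText (sink).
    public static DbCommand BuildVulnerable(DbConnection conn, string userName)
    {
        string name = Normalize(userName);              // still tainted
        DbCommand cmd = conn.CreateCommand();
        // Tainted data becomes part of the SQL text itself.
        cmd.CommandText =
            "SELECT Id, Email FROM Users WHERE Name = '" + name + "'";
        return cmd;
    }

    // After: the SQL text is a constant; the tainted value is passed
    // only as a parameter, so the database never parses it as SQL.
    public static DbCommand BuildParameterized(DbConnection conn, string userName)
    {
        string name = Normalize(userName);              // still tainted, but harmless here
        DbCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT Id, Email FROM Users WHERE Name = @name";

        DbParameter p = cmd.CreateParameter();
        p.ParameterName = "@name";
        p.Value = name;
        cmd.Parameters.Add(p);
        return cmd;
    }
}
```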

Performance

We spent a lot of time optimizing the C# analyzer and wrote a number of articles about that. The graph below shows how the analysis time for large projects decreased between PVS-Studio 7.11 and PVS-Studio 7.14 releases.

Support for projects on .NET 5 and .NET 6

A little late, but this year we taught the analyzer to work with projects on .NET 5. After that we taught it to work with .NET 6. This time we weren’t late. The analyzer can also parse C# 10 code now.

Conclusion

Of course, we didn’t mention all the features that appeared in our analyzer in 2021. We continued to develop general analysis diagnostics and fix false positives, and we introduced some other enhancements. For example, we supported new compilers, enhanced the ability to fine-tune the analysis with .pvsconfig files, etc. You can read more about features shipped with every PVS-Studio release here.

Unicorn Developer

The developer, the debugger, the unicorn. I know all about static analysis and how to find bugs and errors in C, C++, C#, and Java source code.