This release includes the following enhancements:
Release date: June 22, 2022
Enhanced Automotive Compliance Pack
We've extended the Automotive Pack to help you achieve compliance with the automotive standards.
Updates for MISRA C:2012 Technical Corrigendum 2
We've updated the MISRA C 2012 rule set, test configuration and compliance reporting to reflect changes brought in by MISRA’s Technical Corrigendum 2.
Enhanced Security Compliance Pack
We've extended the Security Pack to help you achieve compliance with the security standards.
New Rule Set for DISA ASD STIG Compliance
We've added a new DISA ASD STIG rule set for compliance with the DISA STIG security standard. The existing DISA-ASD-STIG test configuration has been updated to use the new rule set.
Enhanced Static Analysis
We’ve enhanced the flow analysis engine to better support modern C++ constructs, including smart pointers such as unique_ptr, shared_ptr, auto_ptr, and weak_ptr. This improved understanding of smart pointer semantics enables precise tracking of resource use and improves the quality and accuracy of reported findings.
Support for Platforms
Windows 11 is now supported by C/C++test.
Support for Compilers
We've added support for the following compilers:
Compiler Name | Compiler Identifier |
---|---|
GNU GCC 10.x (x86_64) | gcc_10-64 |
GNU GCC 11.x (x86_64) | gcc_11-64 |
Microsoft Visual C++ 14.3 | vc_14_3 |
Microsoft Visual C++ 14.3 (x64) | vc_14_3-64 |
Qualcomm Hexagon Clang 8.4 | hexagon-clang_8_4 |
Synopsys Metaware ARC 2020.06 | ccac_2020_06 |
Tasking TriCore 4.2 | vxtc_4_2 |
Tasking TriCore 6.3 | vxtc_6_3 |
New and Updated Code Analysis Rules
We've added new static analysis rules to extend coverage of coding standards. See New Rules and Updated Rules for the lists of new and updated rules.
New and Updated Test Configurations
We’ve updated the following test configurations:
- AUTOSAR C++14 Coding Guidelines
- CWE Top 25 + On the Cusp 2019
- CWE Top 25 2019
- DISA-ASD-STIG
- Flow Analysis Aggressive
- Flow Analysis Fast
- Flow Analysis Standard
- High Integrity C++
- MISRA C 2004
- MISRA C 2012
- MISRA C++ 2008
- SEI CERT C Guidelines
- SEI CERT C Rules
- SEI CERT C++ Rules
Changes to the Command Line Interface
- We've added a new command line flag "-property", which allows you to specify additional configuration settings directly in the command line. See cli Options.
- The "-localsettings" command line flag has been renamed to "-settings". See cli Options.
Licensing
This release requires updating license keys.
Upgrading to 2022.1 might cause the machine ID to change on Windows. Verify your machine ID before requesting a new license from Parasoft. For information about verifying your machine ID, see Setting the Local License in the GUI.
For details, please contact your Parasoft representative.
Other Changes
- OIDC authentication with Azure AD is now supported for IDE-based workflows. See Configuring OpenID Connect in the GUI.
- OIDC authentication with device code is now supported for the command line-based workflows. See Configuring OpenID Connect in the Command Line.
- IPv6 is now supported.
- The TCP connection type for license servers is no longer supported. Legacy license servers using a TCP connection type should switch to HTTP/S. For details about the settings to use for HTTP/S connection (instead of TCP), see Setting a Network License in the GUI or Licensing Settings (command line options).
Deprecated and Removed Support
Removed Support for IDEs
Support for the following IDEs is now removed:
- Visual Studio 2012
- Visual Studio 2013
Removed Support for Compilers
Support for the following compilers is now removed:
- Microsoft Visual C++ 9.0
- Microsoft Visual C++ 9.0 (x64)
- Microsoft Visual C++ 10.0
- Microsoft Visual C++ 10.0 (x64)
Removed Features
- The deprecated Suppressions view has been removed. If you upgrade C/C++test when the Suppressions view is open in your IDE, you may need to manually close the view after the upgrade.
- Publishing reports to and importing reports from the Team Server is no longer supported.
Deprecated Features
- The following functions of the Team Server are now deprecated:
  - Storing test configurations, rules, and rule maps on Team Server
  - Editing Team Server test configurations in graphical editor in IDE
  - Global goals management
  - Author reassignment on Team Server
Resolved Bugs and FRs
Bug/FR ID | Description |
---|---|
CPP-36108 | [coverage] Add code coverage for classes and lambdas defined inside template functions |
CPP-48321 | [engine][EDG] error: pack expansion does not make use of any argument packs |
CPP-48585 | [engine][EDG] Instrumentation error "std::enable_if<false, void>" has no member "type" for ASIO library |
CPP-49194 | [static] FORMAT-11 reports false positive on reference declaration |
CPP-49198 | [static] GLOBAL-ONEUSEVAR (AUTOSAR-M0_1_4-a) reports violations on const variables in header files |
CPP-49658 | [ide] No validation message when importing an incorrect path in "C/C++ advanced settings" |
CPP-49695 | [static] CODSTA-119 (MISRA2012-RULE-16_4_b) reports false positive on break after block with comment |
CPP-49701 | [static] AUTOSAR-A11_3_1-a false positive |
CPP-49704 | [engine][EDG] Incorrect initializer_range for in-class field initializers (when initializing with constant values?) |
CPP-49715 | [engine][EDG] error: class "std::__2::enable_if<false, bool>" has no member "type" |
CPP-49766 | [static] AUTOSAR-A7_1_7-a: false positive |
CPP-49767 | [static] MISRA2004-16_7 reports false positive when an element of array that is a pointer is passed as non-const pointer |
CPP-49768 | [engine][EDG] error: a reference of type "std::pair<DataAccess::Common::Geometry::TCoordScaleNDS::TBaseType, DataAccess::Common::Geometry::TCoordScaleNDS::TBaseType> &" (not const-qualified) cannot be initialized with a value |
CPP-49773 | [rulewizard] The 'Body' property for 'Class' node does not work correctly for static members defined outside template classes |
CPP-49777 | [compiler] Improve handling of --relaxed_ansi option for tiarm compilers |
CPP-49779 | [compiler] Add support for __builtin_addressof for tiarm_18_2 |
CPP-49808 | [engine] cpptestcc compile error: label ‘anonymous__CPTR_0’ used but not defined |
CPP-49847 | [rulewizard] static_cast is detected as normal cast in copy elision of a bit-wise copy initialization |
CPP-49854 | [static] MISRA2004-12_8 should not report when the number of bits is ensured by bitwise & operator |
CPP-49857 | [static] MISRA2004-16_10 (AUTOSAR-M0_3_2-a) reports false positive on overloaded assignment operators |
CPP-49867 | [static] OPT-41 should check filenames as case insensitive in Windows systems |
CPP-49868 | [engine][EDG] internal error: assertion failed at: "scope_stk.c", line 10905 in get_enclosing_template_params_and_args |
CPP-49889 | [engine] Error on test case data generation when routine has VLA parameter |
CPP-49908 | [docs] Fix documentation for OIDC settings |
CPP-49909 | [rulewizard] Functional casts are detected as C-style casts on initializations of non-aggregates inside aggregates |
CPP-49949 | [static] IndexError: list index out of range in SECURITY-14 |
CPP-49950 | [static] C++Test output doesn't show error on second run |
CPP-49966 | [static] COMMENT-14 fails on error in own internal procedure |
CPP-49984 | [rulewizard] Incorrectly detected class in template specialization function instantiated by const class type |
CPP-49991 | [static] MISRA2004-12_4_a (MISRAC2012-RULE_13_5-a) does not report violation on access to a volatile object |
CPP-49993 | [ide] Some assertion macros missing from Test Case Editor |
CPP-49994 | [static] AUTOSAR-M0_1_3-a(OPT-02) does not correctly parse structured binding in C++17 |
CPP-50002 | [EDG] error: operand types are incompatible |
CPP-50061 | [compiler] renrx and gcc: improve config for compiler options changing plain 'char' type signedness |
CPP-50062 | [static] False positive for AUTOSAR-M5_0_4-a |
CPP-50087 | [ide] Creating new test configuration enables some unselected metrics |
CPP-50089 | [compiler] LSI fails for TIC compilers if project path contains spaces |
CPP-50100 | [static] AUTOSAR-A12_1_1-a false positive |
CPP-50103 | [static] AUTOSAR-M3_4_1-a: false positive |
CPP-50106 | [rulewizard] Template function's unnamed parameter not connected with correct line in code |
CPP-50107 | [static] MISRA2004-14_1_b reports false positive when the return statement is used after extern array declaration in function |
CPP-50108 | [static] Improve mapping for AUTOSAR-A2-13-1 |
CPP-50110 | [static] FORMAT-25 reports false positives because it does not support sizeof... operator |
CPP-50111 | [ide] C/C++test Professional cannot find IAppFile when pointing to symlink file |
CPP-50113 | [static] HICPP-5_8_1-a (AUTOSAR-A5_16_1-a) reports false positive on conditional operator used as separate expression |
CPP-50123 | [static] CODSTA-CPP-101 (AUTOSAR-A13_2_3-a) reports false positive on template conversion operators |
CPP-50125 | [static] EXCEPT-22 reports false positive when template function with @throw specification is called |
CPP-50128 | [static] EXCEPT-14 (AUTOSAR-A15_5_3-h) reports false positive when an exception is caught inside function in try-catch block |
CPP-50134 | [static] AUTOSAR-A15_4_5-a false positive |
CPP-50139 | [static] MISRA2004-14_1_f (AUTOSAR-M0_1_1-e) reports false positive when 'return' statement is used inside 'catch' block |
CPP-50148 | [static] Improve mapping for AUTOSAR-M12-1-1 |
CPP-50149 | [static] CODSTA-CPP-78 (AUTOSAR-M9_3_3-a) reports false positive when captured 'this' is modified in lambda expression in non-const function |
CPP-50168 | [engine][EDG] cpptestcc instrumentation compilation error: incomplete type is not allowed |
CPP-50171 | [static] Improve mapping for CERT_C-PRE31 |
CPP-50181 | [coverage] For longer method names "Coverage Summary" columns are heavily unaligned making report unreadable |
CPP-50209 | [compiler] VC++ 2017 (and newer): add support for /external option |
CPP-50220 | [vscode] Improve showing suppressions (quick-fixes) for multiple violations in the same line |
CPP-50234 | [static] FORMAT-06 (AUTOSAR-A7_1_7-a) reports false positive when multiline C-style comment is used inside statement |
CPP-50235 | [static] EXCEPT-08 (AUTOSAR-M15_3_1-a/AUTOSAR-A15_5_3-f) reports false positives on calls to constexpr functions |
CPP-50236 | [static] MISRA2004-9_2_c (AUTOSAR-M8_5_2-c) reports false positive when the struct with static const variables is initialized |
CPP-50246 | [static] CODSTA-MCPP-04 (AUTOSAR-A4_10_1-b) reports false positive when a 'new' with the '0' constant is assigned to a pointer |
CPP-50255 | [engine][EDG] cpptestcc internal error: assertion failed: gen_paren_or_brace_dynamic_init: bad kind (cp_gen_be.c, line 22147 in gen_paren_or_brace_dynamic_init) |
CPP-50260 | [static] TEMPL-12 (AUTOSAR-M14_6_1-a) reports false positives on implicit calls of function from non-dependent base class |
CPP-50263 | [static] MISRA2004-8_4 internal error (zh_CN only) |
CPP-50272 | [coverage] Improve coverage integration for CMake with incremental builds (GNU/clang compilers; Ninja/Make generator) |
CPP-50281 | [static] Inconsistent behaviour of MISRAC2012-RULE_17_7-a |
CPP-50296 | [static] HICPP-18_2_4-a reports false positive on pattern that is not Double-Checked Locking |
CPP-50312 | [engine] GNU make is leaking file descriptors if cpptesttrace is used |
CPP-50360 | [static] COMMENT-14_b (AUTOSAR-A2_7_3-b) should ignore [in], [out] and [in,out] in comment for @param tags |
CPP-50361 | [static] MISRA2004-14_1_a (HICPP-1_2_1-a) reports false positive on 'if' with condition containing enum constant dependent from template type |
CPP-50387 | [static] OPT-32 (AUTOSAR-M0_1_8-a) reports false positive violations on functions containing implicit calls of constructors with side effects |
CPP-50397 | [static][change output message] CODSTA-178 (MISRAC2012-RULE_5_1-a) - remove line number from output message |
CPP-50398 | [rulewizard] RuleWizard a(b) block doesn't match the builtin function __builtin_choose_expr() |
CPP-50419 | [static] MISRA2004-5_2_b (MISRA2008-2_10_2_b) reports false positive for unrelated enum class identifiers |
CPP-50467 | [static] CODSTA-122_a (CERT_C-ERR33-a) reports false positive when function call is used in condition of ternary operator |
CPP-50565 | STL-23 (HICPP-17_5_1-a) reports false positive when the result of the 'remove_if' function is used as argument in the call to the 'erase' |
CPP-50586 | [EDG] assertion failed at: "overload.c" during class template arguments deduction |
CPP-50695 | Cannot run static analysis successfully with "-f" compiler option |
FA-7833 | BD-RES-LEAKS reports false positives on resources managed by smart pointers |
FA-8047 | BD-PB-NP false negative |
FA-8531 | Improve documentation of BD-PB-VOVR rule |
FA-8562 | BD-PB-NOTINIT false positive on nested anonymous structures |
FA-8625 | BD-PB-OVERFNZT reports bogus violation cause memcpy makes first arg non-zero terminated again |
FA-8696 | Improve documentation of BD-TRS-DIFCS rule |
FA-8697 | BD-RES-LEAKS false negative |
FA-8701 | Flow Analysis uses incorrect assumption on the size of the unknown buffer pointed to by void* |
FA-8736 | BD-PB-CC false positive caused by read |
FA-8739 | BD.PB.ARRAY false positive |
FA-8774 | BD-API-VALPARAM false positive as squared value of variable cannot be < 0 |
FA-8792 | BD-PB-VALRANGE false positive |
FA-8824 | BD.SECURITY.TDALLOC potential false negative |
FA-8839 | BD-PB-NP false negative because FA does not understand shared_ptr semantics. |
FA-8853 | BD-PB-CC false positive as Flow Analysis does not fully take into account that fgets changes contents of the buffer |
FA-8884 | BD-TRS-MLOCK violations are missing in the incremental run |
FA-8901 | MISRAC2012-DIR_4_11-a (BD-API-VALPARAM) false positive |
FA-8910 | BD-PB-VOVR false positive when variable is used only to calculate a constant value |
New Rules
Rule ID | Header |
---|---|
APSC_DV-000160-a | Do not use weak encryption functions |
APSC_DV-000170-a | Do not use weak encryption functions |
APSC_DV-000480-a | Protect against SQL injection |
APSC_DV-000500-a | Observe correct revocation order while relinquishing privileges |
APSC_DV-000650-a | Do not print potentially sensitive information, resulting from an application error into exception messages |
APSC_DV-001290-a | Protect against SQL injection |
APSC_DV-001290-b | Untrusted data is used as a loop boundary |
APSC_DV-001290-c | Avoid passing user input into methods as parameters |
APSC_DV-001290-d | Avoid using unsecured shell functions that may be affected by shell metacharacters |
APSC_DV-001300-a | Protect against SQL injection |
APSC_DV-001740-a | Avoid passing sensitive data to functions that write to log files |
APSC_DV-001750-a | Avoid passing sensitive data to functions that write to log files |
APSC_DV-001850-a | Avoid passing sensitive data to functions that write to log files |
APSC_DV-001860-a | Do not use weak encryption functions |
APSC_DV-001995-a | Avoid race conditions when using fork and file descriptors |
APSC_DV-001995-b | Avoid race conditions while checking for the existence of a symbolic link |
APSC_DV-001995-c | Avoid race conditions while accessing files |
APSC_DV-001995-d | Use locks to prevent race conditions when modifying bit fields |
APSC_DV-001995-e | Do not use global variable with different locks set |
APSC_DV-001995-f | Avoid using thread-unsafe functions |
APSC_DV-001995-g | Usage of functions prone to race is not allowed |
APSC_DV-001995-h | Avoid using the 'vfork()' function |
APSC_DV-001995-i | Properly define signal handlers |
APSC_DV-002000-a | Ensure resources are freed |
APSC_DV-002010-a | Do not use weak encryption functions |
APSC_DV-002290-a | Do not use the rand() function for generating pseudorandom numbers |
APSC_DV-002290-b | Properly seed pseudorandom number generators |
APSC_DV-002290-c | The 'random_shuffle' identifier should not be used |
APSC_DV-002290-d | Avoid functions which use random numbers from standard C library |
APSC_DV-002350-a | Do not use weak encryption functions |
APSC_DV-002390-a | Disable resolving XML external entities (XXE) in libxerces-c |
APSC_DV-002390-b | Do not process structured text data natively |
APSC_DV-002390-c | Do not use scanf and fscanf functions without specifying variable size in format string |
APSC_DV-002390-d | Do not use mbstowcs() function |
APSC_DV-002400-a | Exclude unsanitized user input from format strings |
APSC_DV-002400-b | The execution of a function registered with 'std::atexit()' or 'std::at_quick_exit()' should not exit via an exception |
APSC_DV-002400-c | Avoid using the 'vfork()' function |
APSC_DV-002400-d | Avoid using thread-unsafe functions |
APSC_DV-002440-a | Avoid passing sensitive data to functions that write to log files |
APSC_DV-002460-a | Avoid passing sensitive data to functions that write to log files |
APSC_DV-002470-a | Avoid passing sensitive data to functions that write to log files |
APSC_DV-002480-a | Do not print potentially sensitive information, resulting from an application error into exception messages |
APSC_DV-002510-a | Protect against command injection |
APSC_DV-002520-a | Protect against environment injection |
APSC_DV-002520-b | Protect against file name injection |
APSC_DV-002520-c | Protect against SQL injection |
APSC_DV-002520-d | Never use unfiltered data from an untrusted user as the format parameter |
APSC_DV-002520-e | Avoid tainted data in array indexes |
APSC_DV-002520-f | Protect against integer overflow/underflow from tainted data |
APSC_DV-002520-g | Avoid passing unvalidated binary data to log methods |
APSC_DV-002520-h | Protect against command injection |
APSC_DV-002520-i | Avoid printing tainted data on the output console |
APSC_DV-002520-j | Exclude unsanitized user input from format strings |
APSC_DV-002520-k | Untrusted data is used as a loop boundary |
APSC_DV-002530-a | Protect against environment injection |
APSC_DV-002530-b | Protect against file name injection |
APSC_DV-002530-c | Protect against SQL injection |
APSC_DV-002530-d | Never use unfiltered data from an untrusted user as the format parameter |
APSC_DV-002530-e | Avoid tainted data in array indexes |
APSC_DV-002530-f | Protect against integer overflow/underflow from tainted data |
APSC_DV-002530-g | Avoid passing unvalidated binary data to log methods |
APSC_DV-002530-h | Protect against command injection |
APSC_DV-002530-i | Avoid printing tainted data on the output console |
APSC_DV-002530-j | Exclude unsanitized user input from format strings |
APSC_DV-002530-k | Untrusted data is used as a loop boundary |
APSC_DV-002540-a | Protect against SQL injection |
APSC_DV-002550-a | Protect against environment injection |
APSC_DV-002550-b | Protect against file name injection |
APSC_DV-002550-c | Protect against SQL injection |
APSC_DV-002550-d | Never use unfiltered data from an untrusted user as the format parameter |
APSC_DV-002550-e | Avoid tainted data in array indexes |
APSC_DV-002550-f | Protect against integer overflow/underflow from tainted data |
APSC_DV-002550-g | Avoid passing unvalidated binary data to log methods |
APSC_DV-002550-h | Protect against command injection |
APSC_DV-002550-i | Avoid printing tainted data on the output console |
APSC_DV-002550-j | Exclude unsanitized user input from format strings |
APSC_DV-002550-k | Untrusted data is used as a loop boundary |
APSC_DV-002560-a | Protect against environment injection |
APSC_DV-002560-b | Protect against file name injection |
APSC_DV-002560-c | Protect against SQL injection |
APSC_DV-002560-d | Never use unfiltered data from an untrusted user as the format parameter |
APSC_DV-002560-e | Avoid tainted data in array indexes |
APSC_DV-002560-f | Protect against integer overflow/underflow from tainted data |
APSC_DV-002560-g | Avoid passing unvalidated binary data to log methods |
APSC_DV-002560-h | Protect against command injection |
APSC_DV-002560-i | Avoid printing tainted data on the output console |
APSC_DV-002560-j | Exclude unsanitized user input from format strings |
APSC_DV-002560-k | Untrusted data is used as a loop boundary |
APSC_DV-002570-a | Avoid passing sensitive data to functions that write to log files |
APSC_DV-002570-b | Do not print potentially sensitive information, resulting from an application error into exception messages |
APSC_DV-002590-a | Avoid buffer overflow due to defining incorrect format limits |
APSC_DV-002590-b | Avoid overflow due to reading a not zero terminated string |
APSC_DV-002590-c | Avoid overflow when reading from a buffer |
APSC_DV-002590-d | Avoid overflow when writing to a buffer |
APSC_DV-002590-e | Avoid integer overflows |
APSC_DV-002590-f | Prevent buffer overflows from tainted data |
APSC_DV-002590-g | Protect against integer overflow/underflow from tainted data |
APSC_DV-002590-h | Avoid buffer overflow from tainted data due to defining incorrect format limits |
APSC_DV-002590-i | Avoid buffer read overflow from tainted data |
APSC_DV-002590-j | Avoid buffer write overflow from tainted data |
APSC_DV-002590-k | Ensure the output buffer is large enough when using path manipulation functions |
APSC_DV-003110-a | Do not hard code string literals |
APSC_DV-003235-a | Avoid passing unvalidated binary data to log methods |
APSC_DV-003235-b | Avoid passing sensitive data to functions that write to log files |
AUTOSAR-M12_1_1-b | Do not use dynamic type of an object under destruction |
BD-PB-MEMOPT | Avoid calls to memory-setting functions that can be optimized out by the compiler |
BD-PB-PATHBUF | Ensure the output buffer is large enough when using path manipulation functions |
BD-SECURITY-SENSFREE | Sensitive data should be cleared before being deallocated |
BD-SECURITY-TDLOOP | Validate potentially tainted data before it is used in the controlling expression of a loop |
CERT_C-MEM03-a | Sensitive data should be cleared before being deallocated |
CERT_C-MSC06-a | Avoid calls to memory-setting functions that can be optimized out by the compiler |
CODSTA-108_b | The facilities that are specified as being provided by tgmath.h should not be used |
CODSTA-224 | The conditional operator should not be used as a sub-expression |
CODSTA-CPP-60_b | Only those escape sequences that are defined in ISO/IEC 14882:2014 shall be used |
CODSTA-MCPP-55 | Use std::call_once rather than the Double-Checked Locking pattern |
CWE-119-k | Ensure the output buffer is large enough when using path manipulation functions |
CWE-787-g | Ensure the output buffer is large enough when using path manipulation functions |
MISRA2004-16_8_b | All exit paths from a function, except main(), with non-void return type shall have an explicit return statement with an expression |
MISRA2008-12_1_1_b | Do not use dynamic type of an object under destruction |
MISRA2012-RULE-17_4_b | All exit paths from a function, except main(), with non-void return type shall have an explicit return statement with an expression |
MISRA2012-RULE-21_11_b | The facilities that are specified as being provided by tgmath.h should not be used |
MISRAC2012-RULE_17_4-b | All exit paths from a function, except main(), with non-void return type shall have an explicit return statement with an expression |
MISRAC2012-RULE_21_11-b | The facilities that are specified as being provided by tgmath.h should not be used |
OOP-11_b | Friend declarations shall not be used except declarations of comparison operators |
Updated Rules
Category ID | Rule IDs |
---|---|
AUTOSAR C++14 Coding Guidelines | AUTOSAR-A0_1_1-a, AUTOSAR-A0_4_4-a, AUTOSAR-A11_3_1-a, AUTOSAR-A12_1_1-a, AUTOSAR-A12_8_3-a, AUTOSAR-A13_2_3-a, AUTOSAR-A15_0_2-a, AUTOSAR-A15_1_4-a, AUTOSAR-A15_4_5-a, AUTOSAR-A15_5_3-f, AUTOSAR-A15_5_3-h, AUTOSAR-A16_2_2-a, AUTOSAR-A18_1_1-a, AUTOSAR-A18_9_4-a, AUTOSAR-A23_0_2-a, AUTOSAR-A26_5_2-a, AUTOSAR-A27_0_1-g, AUTOSAR-A27_0_1-h, AUTOSAR-A27_0_2-a, AUTOSAR-A27_0_2-b, AUTOSAR-A2_10_1-b, AUTOSAR-A2_13_1-a, AUTOSAR-A2_7_3-a, AUTOSAR-A3_3_1-a, AUTOSAR-A4_10_1-b, AUTOSAR-A5_16_1-a, AUTOSAR-A5_2_5-a, AUTOSAR-A5_2_5-c, AUTOSAR-A5_3_2-a, AUTOSAR-A5_6_1-a, AUTOSAR-A7_1_7-a, AUTOSAR-A7_6_1-a, AUTOSAR-A8_4_2-a, AUTOSAR-A8_5_0-a, AUTOSAR-M0_1_1-b, AUTOSAR-M0_1_1-e, AUTOSAR-M0_1_2-ac, AUTOSAR-M0_1_3-a, AUTOSAR-M0_1_4-a, AUTOSAR-M0_1_8-a, AUTOSAR-M0_3_1-b, AUTOSAR-M0_3_1-d, AUTOSAR-M0_3_1-e, AUTOSAR-M0_3_1-f, AUTOSAR-M0_3_1-g, AUTOSAR-M0_3_2-a, AUTOSAR-M12_1_1-a, AUTOSAR-M14_6_1-a, AUTOSAR-M15_3_1-a, AUTOSAR-M3_4_1-a, AUTOSAR-M5_0_16-a, AUTOSAR-M5_0_16-b, AUTOSAR-M5_14_1-a, AUTOSAR-M5_8_1-a, AUTOSAR-M7_1_2-b, AUTOSAR-M7_3_1-a, AUTOSAR-M8_5_2-c, AUTOSAR-M9_3_3-a |
Flow Analysis | BD-API-VALPARAM, BD-CO-ITMOD, BD-CO-ITOUT, BD-MISC-DC, BD-PB-ARRAY, BD-PB-CC, BD-PB-INVRET, BD-PB-NORETURN, BD-PB-NOTINIT, BD-PB-NP, BD-PB-OVERFNZT, BD-PB-OVERFWR, BD-PB-OVERFZT, BD-PB-OVERLAP, BD-PB-PTRARR, BD-PB-SUBSEQ, BD-PB-SUBSEQFRWD, BD-PB-SUBSEQMOVE, BD-PB-VALRANGE, BD-PB-VCTOR, BD-PB-VDTOR, BD-PB-VOVR, BD-PB-ZERO, BD-RES-LEAKS, BD-SECURITY-RAND, BD-SECURITY-TDALLOC, BD-SECURITY-TDCMD, BD-SECURITY-TDCONSOLE, BD-SECURITY-TDENV, BD-SECURITY-TDFNAMES, BD-SECURITY-TDINPUT, BD-SECURITY-TDSQL, BD-TRS-BITLOCK, BD-TRS-DIFCS, BD-TRS-MLOCK |
SEI CERT C | CERT_C-API01-a, CERT_C-ARR30-a, CERT_C-ARR38-b, CERT_C-ARR38-d, CERT_C-ARR39-a, CERT_C-CON30-a, CERT_C-CON32-a, CERT_C-CON43-a, CERT_C-DCL01-b, CERT_C-DCL13-a, CERT_C-DCL15-a, CERT_C-DCL19-a, CERT_C-DCL22-a, CERT_C-ENV01-c, CERT_C-ENV34-a, CERT_C-ERR33-a, CERT_C-ERR33-c, CERT_C-EXP02-a, CERT_C-EXP08-b, CERT_C-EXP12-a, CERT_C-EXP33-a, CERT_C-EXP34-a, CERT_C-FIO22-a, CERT_C-FIO32-a, CERT_C-FIO37-a, CERT_C-FIO42-a, CERT_C-FLP03-a, CERT_C-FLP32-a, CERT_C-INT10-a, CERT_C-INT31-a, CERT_C-INT31-b, CERT_C-INT31-i, CERT_C-INT31-j, CERT_C-INT31-k, CERT_C-INT33-a, CERT_C-INT36-b, CERT_C-MEM00-e, CERT_C-MEM12-a, CERT_C-MEM31-a, CERT_C-MSC07-b, CERT_C-MSC07-f, CERT_C-MSC12-b, CERT_C-MSC12-f, CERT_C-MSC19-a, CERT_C-MSC19-b, CERT_C-MSC32-d, CERT_C-MSC37-a, CERT_C-POS30-a, CERT_C-POS49-a, CERT_C-POS54-a, CERT_C-POS54-c, CERT_C-STR02-a, CERT_C-STR02-b, CERT_C-STR02-c, CERT_C-STR03-a, CERT_C-STR31-a, CERT_C-STR31-b, CERT_C-STR32-a, CERT_C-WIN00-a, CERT_C-WIN30-a |
SEI CERT C++ | CERT_CPP-CON52-a, CERT_CPP-CTR50-a, CERT_CPP-CTR51-a, CERT_CPP-ERR50-f, CERT_CPP-ERR50-h, CERT_CPP-ERR55-a, CERT_CPP-ERR57-a, CERT_CPP-ERR58-a, CERT_CPP-EXP53-a, CERT_CPP-EXP63-a, CERT_CPP-FIO51-a, CERT_CPP-MSC51-a, CERT_CPP-MSC52-a, CERT_CPP-MSC53-a, CERT_CPP-OOP50-c, CERT_CPP-OOP50-d, CERT_CPP-STR50-b, CERT_CPP-STR50-c, CERT_CPP-STR51-a, CERT_CPP-STR53-a |
Coding Conventions | CODSTA-04, CODSTA-119, CODSTA-122_a, CODSTA-127_b, CODSTA-161_a, CODSTA-161_b, CODSTA-162, CODSTA-163_b, CODSTA-164_a, CODSTA-164_b, CODSTA-221 |
Coding Conventions for C++ | CODSTA-CPP-101, CODSTA-CPP-36, CODSTA-CPP-60, CODSTA-CPP-78, CODSTA-CPP-82 |
Coding Conventions for Modern C++ | CODSTA-MCPP-04 |
Comments | COMMENT-14 |
Common Weakness Enumeration | CWE-119-a, CWE-119-e, CWE-125-a, CWE-20-d, CWE-20-e, CWE-20-f, CWE-20-g, CWE-20-h, CWE-20-i, CWE-22-a, CWE-362-c, CWE-362-e, CWE-426-a, CWE-476-a, CWE-704-e, CWE-770-a, CWE-772-a, CWE-78-a, CWE-787-a, CWE-787-d, CWE-89-a |
Exceptions | EXCEPT-08, EXCEPT-14, EXCEPT-22 |
Formatting | FORMAT-06, FORMAT-11, FORMAT-23, FORMAT-24, FORMAT-25 |
Global Static Analysis | GLOBAL-ONEUSEVAR |
High Integrity C++ | HICPP-12_4_1-b, HICPP-12_4_1-c, HICPP-13_2_2-a, HICPP-17_3_3-a, HICPP-17_5_1-a, HICPP-18_2_2-a, HICPP-1_2_1-b, HICPP-1_2_1-f, HICPP-1_2_1-i, HICPP-2_5_3-a, HICPP-3_1_1-b, HICPP-4_2_2-a, HICPP-5_1_6-d, HICPP-5_2_1-a, HICPP-5_2_1-c, HICPP-5_5_1-a, HICPP-6_3_2-a, HICPP-6_4_1-a, HICPP-8_4_1-a, HICPP-9_1_1-a |
Joint Strike Fighter | JSF-037, JSF-042, JSF-098, JSF-105, JSF-115, JSF-118, JSF-135_b, JSF-136_b, JSF-137, JSF-143_a, JSF-157, JSF-186_b, JSF-186_f, JSF-207 |
MISRA C 1998 | MISRA-022, MISRA-023, MISRA-038, MISRA-071_a |
MISRA C 2004 | MISRA2004-12_4_a, MISRA2004-12_8, MISRA2004-13_2, MISRA2004-14_1_b, MISRA2004-14_1_f, MISRA2004-16_10, MISRA2004-16_7, MISRA2004-5_2_b, MISRA2004-8_10, MISRA2004-8_1_a, MISRA2004-9_2_c |
MISRA C++ 2008 | MISRA2008-0_1_1_b, MISRA2008-0_1_1_f, MISRA2008-0_1_2_aa, MISRA2008-0_1_3_a, MISRA2008-0_1_4, MISRA2008-0_1_6, MISRA2008-0_1_8, MISRA2008-0_3_1_a, MISRA2008-0_3_1_b, MISRA2008-0_3_1_c, MISRA2008-0_3_1_e, MISRA2008-0_3_1_h, MISRA2008-0_3_2, MISRA2008-12_1_1, MISRA2008-12_1_2, MISRA2008-14_6_1, MISRA2008-15_3_1, MISRA2008-15_5_2, MISRA2008-15_5_3_f, MISRA2008-15_5_3_h, MISRA2008-2_10_2_b, MISRA2008-2_13_1, MISRA2008-3_3_1, MISRA2008-3_4_1_a, MISRA2008-5_0_16_a, MISRA2008-5_0_16_b, MISRA2008-5_14_1, MISRA2008-5_8_1, MISRA2008-7_1_2_a, MISRA2008-7_3_1, MISRA2008-8_5_2_c, MISRA2008-9_3_3 |
MISRA C 2012 (Legacy) | MISRA2012-DIR-4_11, MISRA2012-DIR-4_13_a, MISRA2012-DIR-4_14_e, MISRA2012-DIR-4_14_f, MISRA2012-DIR-4_14_g, MISRA2012-DIR-4_14_j, MISRA2012-DIR-4_14_k, MISRA2012-DIR-4_14_l, MISRA2012-DIR-4_1_a, MISRA2012-DIR-4_1_b, MISRA2012-DIR-4_1_c, MISRA2012-DIR-4_1_e, MISRA2012-DIR-4_1_h, MISRA2012-RULE-10_1_a, MISRA2012-RULE-10_1_b, MISRA2012-RULE-10_2, MISRA2012-RULE-10_3_b, MISRA2012-RULE-10_4_a, MISRA2012-RULE-10_4_b, MISRA2012-RULE-12_1_c, MISRA2012-RULE-12_2, MISRA2012-RULE-13_5, MISRA2012-RULE-14_3_zc, MISRA2012-RULE-14_4, MISRA2012-RULE-16_1_f, MISRA2012-RULE-16_4_b, MISRA2012-RULE-17_7_a, MISRA2012-RULE-18_1_a, MISRA2012-RULE-18_1_c, MISRA2012-RULE-19_1_c, MISRA2012-RULE-1_3_a, MISRA2012-RULE-1_3_b, MISRA2012-RULE-1_3_e, MISRA2012-RULE-21_17_a, MISRA2012-RULE-21_17_b, MISRA2012-RULE-21_20, MISRA2012-RULE-22_1, MISRA2012-RULE-2_1_b, MISRA2012-RULE-2_1_f, MISRA2012-RULE-2_2_b, MISRA2012-RULE-5_3_b, MISRA2012-RULE-8_13_a, MISRA2012-RULE-9_1 |
MISRA C 2012 | MISRAC2012-DIR_4_1-a, MISRAC2012-DIR_4_1-b, MISRAC2012-DIR_4_1-c, MISRAC2012-DIR_4_1-e, MISRAC2012-DIR_4_1-h, MISRAC2012-DIR_4_11-a, MISRAC2012-DIR_4_13-a, MISRAC2012-DIR_4_14-e, MISRAC2012-DIR_4_14-f, MISRAC2012-DIR_4_14-g, MISRAC2012-DIR_4_14-j, MISRAC2012-DIR_4_14-k, MISRAC2012-DIR_4_14-l, MISRAC2012-RULE_10_1-a, MISRAC2012-RULE_10_1-b, MISRAC2012-RULE_10_2-a, MISRAC2012-RULE_10_3-b, MISRAC2012-RULE_10_4-a, MISRAC2012-RULE_10_4-b, MISRAC2012-RULE_12_1-c, MISRAC2012-RULE_12_2-a, MISRAC2012-RULE_13_5-a, MISRAC2012-RULE_14_3-ac, MISRAC2012-RULE_14_4-a, MISRAC2012-RULE_16_1-f, MISRAC2012-RULE_16_4-b, MISRAC2012-RULE_17_7-a, MISRAC2012-RULE_18_1-a, MISRAC2012-RULE_18_1-c, MISRAC2012-RULE_19_1-c, MISRAC2012-RULE_1_3-a, MISRAC2012-RULE_1_3-b, MISRAC2012-RULE_1_3-e, MISRAC2012-RULE_21_17-a, MISRAC2012-RULE_21_17-b, MISRAC2012-RULE_21_20-a, MISRAC2012-RULE_22_1-a, MISRAC2012-RULE_2_1-b, MISRAC2012-RULE_2_1-f, MISRAC2012-RULE_2_2-b, MISRAC2012-RULE_5_3-b, MISRAC2012-RULE_8_13-a, MISRAC2012-RULE_9_1-a |
Naming Conventions | NAMING-06, NAMING-18 |
Optimization | OPT-01, OPT-02, OPT-32, OPT-41 |
OWASP Top 10 2017 | OWASP2017-A1-b, OWASP2017-A1-c, OWASP2017-A1-d, OWASP2017-A1-e, OWASP2017-A1-f, OWASP2017-A3-a, OWASP2017-A5-a |
OWASP Top 10 2019 | OWASP2019-API3-b, OWASP2019-API3-e, OWASP2019-API3-g, OWASP2019-API3-k, OWASP2019-API4-a, OWASP2019-API4-b, OWASP2019-API8-a, OWASP2019-API8-b, OWASP2019-API8-c, OWASP2019-API8-d, OWASP2019-API8-e, OWASP2019-API8-f, OWASP2019-API8-h, OWASP2019-API9-e |
OWASP Top 10 2021 | OWASP2021-A1-a, OWASP2021-A2-a, OWASP2021-A3-b, OWASP2021-A3-c, OWASP2021-A3-d, OWASP2021-A3-e, OWASP2021-A3-f, OWASP2021-A8-a |
Possible Bugs | PB-43 |
Security | SECURITY-04, SECURITY-14 |
STL Best Practices | STL-23, STL-37 |
Templates | TEMPL-12 |
Removed Rules
Rule ID | Notes |
---|---|
PB-36 | Consider using BD-PB-VCTOR, BD-PB-VDTOR instead |
We've improved the violation message in the following rules:
- BD-SECURITY-TDALLOC
- BD-SECURITY-TDCMD
- BD-SECURITY-TDCONSOLE
- BD-SECURITY-TDENV
- BD-SECURITY-TDFNAMES
- BD-SECURITY-TDINPUT
- BD-SECURITY-TDLOOP
- BD-SECURITY-TDSQL
As a result, existing DTP-based suppressions and in-file suppressions may no longer apply.