This release includes the following enhancements:
Release date: May 31, 2024
|
Enhanced Security Compliance Pack
- The Security Pack has been extended with new CWE Top 25 2023 and CWE Top 25 + on the Cusp 2023 test configurations to help you achieve compliance with the security standards.
- The DISA ASD STIG rule set and the DISA-ASD-STIG test configuration have been updated to reflect the changes in the DISA-ASD-STIG 2022-09 standard.
Enhanced Static Analysis
- The flow analysis engine has been enhanced to better support modern C++ constructs, including if statements with initializers and structured bindings. These enhancements enable more precise code execution simulations and improve the accuracy of reported findings.
- The accuracy of selected MISRA C++ 2023 rules has been improved.
- Support for rule parametrization has been extended for selected rules.
- New code analysis rules have been added to extend coverage of compliance standards. See New Rules and Updated Rules for the lists of new and updated rules.
Enhanced Coverage Analysis
Support for reporting code coverage has been enhanced. You can now enable a reporting mode where branches/decisions with the outcome known at the compilation time are ignored. For details, see Ignoring Decision/Branching Points When the Decision Outcome is Known at Compile Time.
Support for Compilers
The following compilers are now supported:
| Compiler Name | Compiler Identifier |
|---|---|
| GCC for Tricore 4.9.x | tricoregcc_4_9 |
| HighTec Clang C/C++ Compiler 8.1 (aarch32/arm)* | hightec-clang_8_1-aarch32 |
| IAR Compiler for ARM v. 9.40x | iccarm_9_40 |
| IAR Compiler for ARM v. 9.50x | iccarm_9_50 |
| QNX GCC 8.x (ARM64) ** | qccarm_8-64 |
| QNX GCC 8.x (x86_64) ** | qcc_8-64 |
* - Static analysis only.
** - Support level has been updated from Standard to Extended.
See Compilers.
Support for IDEs
Support for Eclipse versions 4.21 (2021-09) - 4.31 (2024-03) has been added.
New and Updated Test Configurations
The Security Compliance Pack has been extended by adding support for the following test configurations:
- CWE Top 25 2023
- CWE Top 25 + On the Cusp 2023
- OWASP API Security Top 10-2023
The following test configuration has been updated with new rules:
- DISA-ASD-STIG
Additional Updates
- Bazel build system integration has been enhanced. Collecting code coverage for Bazel is now supported. For details, see Integrating with Bazel.
- Authentication can now be enabled for connecting to a standalone License Server if it is configured to require authentication; see Licensing and license.network.auth.enabled.
- You can now specify custom parameters to be added to the report.xml header using the report.xml.param{n}.key and report.xml.param{n}.value settings.
- Coverage instrumentation may be disabled or enabled for specific functions by using the
parasoft-instrumentation coveragecomments. See Disabling Coverage Instrumentation Selectively. - The shipped JRE has been upgraded to version 17.0.10+7.
Deprecated and Removed Support
Compilers to Be Deprecated
Support for the following compilers will be deprecated in future releases:
- ARM Compiler 5.0
- ARM Compiler 5.0 for uVision
- GNU GCC 4.9.x (mips64el)
- Green Hills Software Compiler for PPC v. 2013.1.x
- IAR Compiler for MSP430 v. 6.1x
- Microchip MPLAB C30 Compiler for dsPIC v3.2x
- National Instruments LabWindows/CVI 2015 Clang C/C++ Compiler v3.3 for Win32
- Renesas RX C/C++ Compiler 2.5x
Deprecated Compilers
Support for the following compilers is deprecated and will be removed in future releases:
- GNU GCC 5.x
- GNU GCC 5.x (x86_64)
- GNU GCC 6.x
- GNU GCC 6.x (x86_64)
- Green Hills Software Compiler for ARM64 v. 2014.1.x
- Green Hills Software Compiler for PPC v. 4.2.x
- Green Hills Software Compiler for PPC v. 5.0.x
- Green Hills Software Compiler for V850 v. 2014.1.x
- IAR Compiler for ARM v. 7.4x
- IAR Compiler for ARM v. 7.8x
- IAR Compiler for M16C & R8C v. 3.5x
- Microsoft Visual C++ 14.0
- Microsoft Visual C++ 14.0 (x64)
- SH Series C/C++ Compiler V.9.04.xx
- Vx-toolset for TriCore C/C++ Compiler 6.2
- Wind River GCC 4.8.x
Removed Support for Compilers
The following compilers are no longer supported:
- Clang C/C++ Compiler v 6.0
- FR Family Softune C/C++ Compiler V6
- TI MSP430 C/C++ Compiler GNU GCC 6.x
- TI TMS320C2000 C/C++ Compiler v16.9
Resolved Bugs and FRs
Bug/FR ID | Description |
|---|---|
CPP-36809 | [coverage] Ignore decision / branching points when the decision outcome is known at compile time |
CPP-50180 | [static] MISRA2004-10_1_a (MISRA2008-5_0_4_a) reports false positives for enumeration constants |
CPP-51512 | [coverage] Document "parasoft-instrumentation coverage off/on" comments |
CPP-52296 | [compiler] Support for IAR ARM 9.40 (windows, extended, full) |
CPP-52872 | [static] Improve mapping for AUTOSAR M5-8-1 |
CPP-52955 | [static] Extend mapping for MISRA2008 5-8-1 (AUTOSAR M5-8-1) rule |
CPP-54945 | [engine] instrumentation does not compile - error: invalid redeclaration of member function template |
CPP-55003 | [static] Improve mapping for MISRA2008-7_5_4 / AUTOSAR-A7_5_2-a |
CPP-55518 | [compiler] Support for HighTec C compiler for ARM (based on LLVM 13.x) - Static Analysis |
CPP-55598 | [static] Add mapping for CWE 390 Error Without Action |
CPP-55599 | [static] Add mapping for CWE 398 Poor Code Quality |
CPP-55734 | [static] Analysis hanging on CDD-DUPI on RapidJSON project |
CPP-55746 | [static] Improve mapping for the HIC++ 7.1.6 requirement |
CPP-55821 | [compiler] Support for HighTec TriCore 4.9 (windows, extended, full) |
CPP-56183 | [static] CODSTA-14 reports false positives on casts from non-pointer/non-reference types |
CPP-56220 | [static] CODSTA-CPP-92 (MISRA2008-10_2_1-a, AUTOSAR-M10_2_1) does not report violations for classes defined in different files or for classes with the same base name used in the inheritance hierarchy |
CPP-56270 | [static] CODSTA-CPP-62 (MISRA2008-4_10_1, AUTOSAR-A4_10_1-a, AUTOSAR-M4_10_1-a) does not report violation when 'NULL' macro expands to value different than literal '0' |
CPP-56272 | [engine] error: "final" is not a function or static data member |
CPP-56284 | [static] CODSTA-MCPP-11_a_cpp11 (AUTOSAR-A7_1_2-a) reports false positives on compiler generated variables |
CPP-56286 | [static] Improve mapping for MISRACPP2023 Rule 6.7.2 |
CPP-56434 | [static] Split CODSTA-63 rule to (optionally) exclude reporting positive const integer values used in bitwise operators |
CPP-56435 | [engine] Double definition with _attribute_((overloadable)) in Android NDK |
CPP-56463 | [static] Introduce additional exception in MISRA C++:2023 7.0.1 and 7.0.3 to allow discarding values returned from functions (CODSTA-CPP-211, CODSTA-316) |
CPP-56467 | [build] cpptesttrace error with space in file path |
CPP-56491 | [static] Improve mapping for MISRACPP2023 Rule 16.6.1 |
CPP-56502 | [static] CODSTA-60 (CERT_C-EXP20-a) does not report violations when a line with 'TRUE' contains the use of a macro |
CPP-56507 | [static] Update documentation for OPT-03 (AUTOSAR-A0_1_4-a) for parameters used in 'if constexpr' in templates |
CPP-56508 | [static] INTERNAL-GLOBAL-ONEUSEVAR_1 reports python error on templates |
CPP-56513 | [engine] Parse error: atomic constraint depends on itself |
CPP-56566 | [static] Improve mapping for MISRACPP2023 Rule 8.2.5 |
CPP-56572 | [engine] parse error: parameter pack "types_t" was referenced but not expanded |
CPP-56582 | [ide] Optimize static analysis in C/C++test Pro for large workspaces |
CPP-56583 | [engine] error: more than one instance of function "<unnamed>::TraceInternals::GetProcAddress" matches the argument list |
CPP-56584 | [engine] Command-line error: invalid macro definition when using /D with # |
CPP-56592 | [compiler] Extended support for QNX GCC 8 (x86-64, arm64) |
CPP-56601 | [engine] error: a ref-qualifier is not allowed here |
CPP-56656 | [static] MISRACPP2023-9_5_1-a (CODSTA-315) false positives on perceived loop counter vs. loop bound type mismatch |
CPP-56658 | [static] Improve mapping for CWE-190 Integer Overflow |
CPP-56660 | [static] Add mapping for CWE-366 Race Condition Within Thread |
CPP-56663 | [static] OPT-05 (AUTOSAR-M0_1_3-c) reports false positive when private members are used in a function of inner class |
CPP-56665 | [engine] error: no instance of overloaded function rapidjson::GenericValue |
CPP-56676 | [engine] Add support for new built-in types to edgtk mangler |
CPP-56717 | [static] CODSTA-CPP-82 (MISRACPP2023-6_7_2-a) reports false positive on global constexpr variables |
CPP-56722 | [static] MISRA2004-14_1_a (MISRACPP2023-0_0_1-a) reports false positive on the code after 'if constexpr' statement with 'else' |
CPP-56728 | [rulewizard] Empty statement incorrectly detected after 'if constrexpr-else' construct |
CPP-56735 | [engine] cpptestcc crash when instrumenting for coverage |
CPP-56745 | [static] Do not report header file without corresponding source file in total number of files to test |
CPP-56749 | [engine] hexagon_clang's target_gnu_version is wrong and breaks designated initializers |
CPP-56783 | [static] MISRACPP2023-9_5_1-a: improve violation message |
CPP-56784 | [static] INIT-19 (MISRACPP2023-15_1_4-a) reports false positive for defaulted copy and move constructors |
CPP-56785 | [static] MISRACPP2023-6_7_2-a reports false positive for global constexpr variable |
CPP-56786 | [static] FORMAT-48 (MISRACPP2023-6_0_1-b) reports false positive for parameters used in noexcept |
CPP-56788 | [static] MISRACPP2023-16_6_1-a reports false positive violation for operator << which is not symmetrical |
CPP-56789 | [static] MISRACPP2023-5_10_1-a false positive on nested "posix" namespace |
CPP-56801 | [static] Modify default value of "Report on variable declarations > including unused non-initialized primitives and pointers." param for built-in clones of BD-PB-VOVR |
CPP-56804 | [engine] Update edg.microsoft_version to 1939 for vc_14_3 compiler |
CPP-56911 | [engine] C/C++test doesn't recognize stubs in functions that use std::tuple |
CPP-56918 | [build] cpptest_bdf.bzl has two coding errors |
CPP-56924 | [engine] Flexible array member init parsing error with IAR Compiler 9.10 |
CPP-56925 | [engine] error: the template argument list of the partial specialization includes a nontype argument whose type depends on a template parameter |
CPP-57059 | [engine] class template is not compatible with template template parameter |
CPP-57360 | [engine] Support generalized template template parameters in Clang 10 and above |
CPP-57372 | [engine] Program received signal 11 at: Stack trace: 0# 0x00007FC1B9C81090 in /lib/x86_64-linux-gnu/libc.so.6 |
FA-9453 | Incorrectly modelled realloc function from the C standard library Juliet/CWE-401 |
FA-9689 | BD-PB-VOVR throws java.lang.OutOfMemoryError |
FA-9692 | BD-PB-ARRAY(MISRAC2012-DIR_4_1-a) - false positive |
FA-9713 | BD-PB-OVERFFMT False Positive for '*' string precision |
FA-9736 | Incorrect value stored for the union member |
FA-9787 | BD-PB-OVERFNZT false positives |
FA-9795 | BD-PB-NOTINIT false positive |
FA-9841 | BD-PB-ARRAY false positive |
FA-9842 | BD-PB-CC false positive |
FA-9847 | Incorrect results of incremental analysis possible when using compiler with sizeof byte != 8 |
FA-9852 | BD-PB-ARRAY inconsistent behavior |
FA-9856 | BD-PB-NOTINIT false positive on array initialized in called function via reference |
FA-9866 | Possible MISRA false positives (BD-API-STRSIZE, BD-PB-OVERFRD) |
FA-9883 | BD-PB-ARRAY triggers for nested structures |
Updates to Rules
New Rules
Rule ID | Header |
|---|---|
APSC_DV-000060-a | Use secure temporary file name functions |
APSC_DV-000060-b | Call 'umask' before calling 'mkstemp' |
APSC_DV-000510-a | Call 'umask' before calling 'mkstemp' |
APSC_DV-000510-b | Call 'chdir' if you call 'chroot' |
APSC_DV-001350-a | Do not use weak encryption functions |
APSC_DV-001360-a | Do not use weak encryption functions |
APSC_DV-001370-a | Standard random number generators should not be used to generate randomness for security reasons |
APSC_DV-001370-b | Do not use weak encryption functions |
APSC_DV-002020-a | Standard random number generators should not be used to generate randomness for security reasons |
APSC_DV-002020-b | Do not use weak encryption functions |
APSC_DV-002030-a | Standard random number generators should not be used to generate randomness for security reasons |
APSC_DV-002030-b | Do not use weak encryption functions |
APSC_DV-002040-a | Standard random number generators should not be used to generate randomness for security reasons |
APSC_DV-002040-b | Do not use weak encryption functions |
APSC_DV-002050-a | Standard random number generators should not be used to generate randomness for security reasons |
APSC_DV-002050-b | The random number generator functions 'rand()' and 'srand()' should not be used |
APSC_DV-002050-c | Properly seed pseudorandom number generators |
APSC_DV-002380-a | A pointer to a structure should not be passed to a function that can copy data to the user space |
APSC_DV-002485-a | Do not hard code string literals |
APSC_DV-002485-b | Usage of system properties (environment variables) should be restricted |
APSC_DV-002580-a | Avoid passing sensitive data to functions that write to log files |
APSC_DV-002580-b | Do not print potentially sensitive information, resulting from an application error into exception messages |
APSC_DV-003100-a | Do not use weak encryption functions |
APSC_DV-003120-a | Avoid passing sensitive data to functions that write to log files |
APSC_DV-003120-b | Do not print potentially sensitive information, resulting from an application error into exception messages |
APSC_DV-003120-c | A pointer to a structure should not be passed to a function that can copy data to the user space |
APSC_DV-003140-a | Do not use weak encryption functions |
APSC_DV-003235-c | If a function returns error information, then that error information shall be tested |
APSC_DV-003235-d | Where multiple handlers are provided in a single try-catch statement or function-try-block for a derived class and some or all of its bases, the handlers shall be ordered most-derived to base class |
APSC_DV-003280-a | Do not hard code string literals |
APSC_DV-003320-a | Avoid using the 'vfork()' function |
APSC_DV-003320-b | Avoid using thread-unsafe functions |
APSC_DV-003320-c | Validate potentially tainted data before it is used to determine the size of memory allocation |
APSC_DV-003320-d | Validate potentially tainted data before it is used in the controlling expression of a loop |
AUTOSAR-A12_8_5-b | User-provided move assignment operators shall handle self-assignment |
AUTOSAR-A15_5_2-d | The 'terminate' function should not be used |
AUTOSAR-A3_1_1-b | Functions and non-const objects with internal linkage should not be declared in header files |
AUTOSAR-M5_0_21-b | Bitwise operators shall not use positive integer literals as operands |
AUTOSAR-M5_8_1-b | The right-hand operand of a constant expression shift operator shall lie between zero and one less than the width in bits of the essential type of the left-hand operand |
BD-SECURITY-TDINTOVERF | Avoid potential integer overflow/underflow on tainted data |
CERT_C-INT13-b | Operands of shift operators shall have an unsigned type |
CERT_C-INT16-b | Bitwise operators shall not use positive integer literals as operands |
CODSTA-244 | The signal handling facilities of signal.h, except for a call to the 'signal()' function with a value of SIG_IGN, shall not be used |
CODSTA-63_a | Bitwise operators shall not use positive integer literals as operands |
CODSTA-CPP-20_b | Symmetrical operators should only be implemented as non-member functions |
CODSTA-CPP-213 | Pass only 'noexcept' functions to exception-unfriendly functions |
CODSTA-MCPP-62 | A variable initialized by a constant expression of a standard integer type should not be defined with the 'auto' specifier |
CWE-125-e | Avoid tainted data in array indexes |
CWE-190-j | Avoid data loss when converting between integer types |
CWE-190-k | Avoid potential integer overflow/underflow on tainted data |
CWE-366-a | There shall be no data races between threads |
CWE-390-a | Empty 'catch' blocks should not be used |
CWE-390-b | Avoid using 'if' statements with empty bodies |
CWE-787-h | Avoid tainted data in array indexes |
HICPP-5_6_1-b | Bitwise operators shall not use positive integer literals as operands |
JSF-039_b | Functions and non-const objects with internal linkage should not be declared in header files |
MISRA2008-3_1_1_b | It shall be possible to include any header file in multiple translation units without violating the One Definition Rule |
MISRA2008-5_0_21_b | Bitwise operators shall not use positive integer literals as operands |
MISRA2008-5_8_1_b | The right-hand operand of a constant expression shift operator shall lie between zero and one less than the width in bits of the underlying type of the left-hand operand |
MISRACPP2023-15_8_1-b | User-provided move assignment operators shall handle self-assignment |
MISRACPP2023-18_4_1-c | Pass only 'noexcept' functions to exception-unfriendly functions |
MISRACPP2023-18_5_2-d | The 'terminate' function should not be used |
MISRACPP2023-7_11_2-b | An object of array type should not be passed as a variadic argument to a function |
OOP-34_b | User-provided move assignment operators shall handle self-assignment |
OPT-49 | Null statements should not be used |
OPT-50 | Empty compound statements should not be used |
OPT-51 | Avoid using 'if' statements with empty bodies |
OWASP2023-API10-a | Avoid tainted data in array indexes |
OWASP2023-API10-b | Avoid potential integer overflow/underflow on tainted data |
OWASP2023-API10-c | Avoid passing unvalidated binary data to log methods |
OWASP2023-API10-d | Protect against command injection |
OWASP2023-API10-e | Avoid printing tainted data on the output console |
OWASP2023-API10-f | Protect against environment injection |
OWASP2023-API10-g | Exclude unsanitized user input from format strings |
OWASP2023-API10-h | Protect against SQL injection |
OWASP2023-API10-i | Protect against file name injection |
OWASP2023-API10-j | Untrusted data is used as a loop boundary |
OWASP2023-API2-a | Do not use weak encryption functions |
OWASP2023-API3-a | Sensitive data should be cleared before being deallocated |
OWASP2023-API3-b | Avoid passing sensitive data to functions that write to log files |
OWASP2023-API3-c | Do not print potentially sensitive information, resulting from an application error into exception messages |
OWASP2023-API4-a | Validate potentially tainted data before it is used to determine the size of memory allocation |
OWASP2023-API4-b | Validate potentially tainted data before it is used in the controlling expression of a loop |
OWASP2023-API4-c | Do not create variables on the stack above the defined limits |
OWASP2023-API4-d | Ensure resources are freed |
OWASP2023-API8-a | Where multiple handlers are provided in a single try-catch statement or function-try-block for a derived class and some or all of its bases, the handlers shall be ordered most-derived to base class |
OWASP2023-API8-b | Empty 'catch' blocks should not be used |
OWASP2023-API8-c | Properly use errno value |
OWASP2023-API9-a | All usage of assembler shall be documented |
OWASP2023-API9-b | Objects or functions with external linkage shall be declared in a header file |
OWASP2023-API9-c | All uses of the #pragma directive shall be documented and explained |
OWASP2023-API9-d | Document functions in comments that precede function definitions |
PB-41_c | An object of array type should not be passed as a variadic argument to a function |
PB-75_d | The 'terminate' function should not be used |
PFO-01_b | Functions and non-const objects with internal linkage should not be declared in header files |
PORT-01_b | The lowercase form of 'L' shall not be used as the first character in a literal suffix |
TEMPL-07_b | A template constructor shall not participate in overload resolution for a single argument of the enclosing class type |
Updated Rules
Category ID | Rule IDs |
|---|---|
AUTOSAR C++14 Coding Guidelines | AUTOSAR-A0_1_1-a, AUTOSAR-A0_4_4-a, AUTOSAR-A12_4_1-a, AUTOSAR-A12_8_5-a, AUTOSAR-A14_5_1-a, AUTOSAR-A15_0_2-a, AUTOSAR-A15_1_4-a, AUTOSAR-A15_3_3-a, AUTOSAR-A15_5_2-b, AUTOSAR-A15_5_2-c, AUTOSAR-A15_5_3-d, AUTOSAR-A15_5_3-e, AUTOSAR-A18_0_2-a, AUTOSAR-A27_0_1-g, AUTOSAR-A27_0_1-h, AUTOSAR-A27_0_2-a, AUTOSAR-A3_1_1-a, AUTOSAR-A3_1_4-a, AUTOSAR-A3_3_1-b, AUTOSAR-A4_10_1-a, AUTOSAR-A5_10_1-a, AUTOSAR-A5_2_4-a, AUTOSAR-A5_2_5-a, AUTOSAR-A6_6_1-a, AUTOSAR-A7_1_2-a, AUTOSAR-A7_1_2-b, AUTOSAR-A7_5_2-a, AUTOSAR-A8_5_0-a, AUTOSAR-M0_1_1-c, AUTOSAR-M0_1_2-ac, AUTOSAR-M0_1_3-c, AUTOSAR-M0_1_4-a, AUTOSAR-M0_3_1-d, AUTOSAR-M0_3_1-g, AUTOSAR-M0_3_1-h, AUTOSAR-M0_3_1-i, AUTOSAR-M10_2_1-a, AUTOSAR-M15_1_3-a, AUTOSAR-M16_0_7-a, AUTOSAR-M18_0_3-a, AUTOSAR-M18_0_3-b, AUTOSAR-M18_0_3-c, AUTOSAR-M18_7_1-a, AUTOSAR-M4_10_1-a, AUTOSAR-M5_0_16-a, AUTOSAR-M5_0_21-a, AUTOSAR-M5_18_1-a, AUTOSAR-M5_2_12-a, AUTOSAR-M5_8_1-a, AUTOSAR-M6_6_2-a, AUTOSAR-M7_3_1-a |
Coding Conventions for C++ | CODSTA-CPP-09, CODSTA-CPP-211, CODSTA-CPP-212, CODSTA-CPP-36, CODSTA-CPP-62, CODSTA-CPP-66, CODSTA-CPP-82, CODSTA-CPP-92, CODSTA-CPP-95_b |
Coding Conventions for Modern C++ | CODSTA-MCPP-11_a_cpp11, CODSTA-MCPP-11_b_cpp11, CODSTA-MCPP-26 |
Coding Conventions | CODSTA-110, CODSTA-125, CODSTA-14, CODSTA-301, CODSTA-302, CODSTA-305, CODSTA-313, CODSTA-315, CODSTA-316, CODSTA-60, CODSTA-63, CODSTA-77 |
Common Weakness Enumeration | CWE-119-a, CWE-119-c, CWE-119-d, CWE-125-a, CWE-125-c, CWE-20-b, CWE-20-d, CWE-20-e, CWE-20-f, CWE-20-g, CWE-20-h, CWE-20-i, CWE-22-a, CWE-401-a, CWE-668-a, CWE-704-c, CWE-77-a, CWE-770-a, CWE-772-a, CWE-78-a, CWE-787-a, CWE-787-c, CWE-89-a |
DISA ASD STIG | APSC_DV-000480-a, APSC_DV-001290-a, APSC_DV-001300-a, APSC_DV-002000-a, APSC_DV-002400-a, APSC_DV-002510-a, APSC_DV-002520-a, APSC_DV-002520-b, APSC_DV-002520-c, APSC_DV-002520-f, APSC_DV-002520-h, APSC_DV-002520-i, APSC_DV-002520-j, APSC_DV-002530-a, APSC_DV-002530-b, APSC_DV-002530-c, APSC_DV-002530-f, APSC_DV-002530-h, APSC_DV-002530-i, APSC_DV-002530-j, APSC_DV-002540-a, APSC_DV-002550-a, APSC_DV-002550-b, APSC_DV-002550-c, APSC_DV-002550-f, APSC_DV-002550-h, APSC_DV-002550-i, APSC_DV-002550-j, APSC_DV-002560-a, APSC_DV-002560-b, APSC_DV-002560-c, APSC_DV-002560-f, APSC_DV-002560-h, APSC_DV-002560-i, APSC_DV-002560-j, APSC_DV-002590-a, APSC_DV-002590-b, APSC_DV-002590-c, APSC_DV-002590-g, APSC_DV-003235-a, APSC_DV-003235-b |
Exceptions | EXCEPT-06, EXCEPT-07, EXCEPT-25 |
Flow Analysis | BD-API-BADPARAM, BD-API-VALPARAM, BD-CO-ITINVCOMP, BD-PB-ARRAY, BD-PB-BADSHIFT, BD-PB-CC, BD-PB-MCCSTR, BD-PB-NOTINIT, BD-PB-OVERFFMT, BD-PB-OVERFNZT, BD-PB-OVERFRD, BD-PB-UCMETH, BD-PB-VOVR, BD-RES-LEAKS, BD-SECURITY-TDALLOC, BD-SECURITY-TDCMD, BD-SECURITY-TDCONSOLE, BD-SECURITY-TDENV, BD-SECURITY-TDFNAMES, BD-SECURITY-TDINPUT, BD-SECURITY-TDLOOP, BD-SECURITY-TDSQL, BD-TRS-THRDR |
Formatting | FORMAT-48 |
Global Static Analysis | GLOBAL-ONEUSEVAR |
High Integrity C++ | HICPP-15_3_2-b, HICPP-1_2_1-a, HICPP-1_2_1-h, HICPP-1_2_1-i, HICPP-4_1_1-a, HICPP-4_2_2-f, HICPP-5_1_2-i, HICPP-5_2_1-a, HICPP-5_4_1-b, HICPP-5_6_1-a, HICPP-5_7_2-a, HICPP-6_3_1-b, HICPP-8_4_1-a |
Initialization | INIT-101, INIT-19 |
Joint Strike Fighter | JSF-021_b, JSF-023, JSF-024, JSF-024_b, JSF-024_d, JSF-039_a, JSF-081, JSF-097_d, JSF-098, JSF-164, JSF-168_b, JSF-183_b, JSF-185, JSF-186_a, JSF-189, JSF-207 |
MISRA C 2004 | MISRA2004-10_1_g, MISRA2004-12_10, MISRA2004-14_1_a, MISRA2004-14_4, MISRA2004-19_11_b, MISRA2004-20_10, MISRA2004-20_11, MISRA2004-20_11_b, MISRA2004-20_11_d, MISRA2004-20_8_b, MISRA2004-8_12 |
MISRA C 2012 (Legacy) | MISRA2012-DIR-4_11, MISRA2012-DIR-4_13_a, MISRA2012-DIR-4_14_b, MISRA2012-DIR-4_14_e, MISRA2012-DIR-4_14_f, MISRA2012-DIR-4_14_g, MISRA2012-DIR-4_14_j, MISRA2012-DIR-4_14_k, MISRA2012-DIR-4_14_l, MISRA2012-DIR-4_1_a, MISRA2012-DIR-4_1_d, MISRA2012-DIR-4_1_e, MISRA2012-DIR-4_1_g, MISRA2012-DIR-5_1_c, MISRA2012-RULE-11_2, MISRA2012-RULE-11_8, MISRA2012-RULE-12_2, MISRA2012-RULE-12_2_b, MISRA2012-RULE-12_3, MISRA2012-RULE-14_3_zc, MISRA2012-RULE-15_1, MISRA2012-RULE-15_2, MISRA2012-RULE-18_1_a, MISRA2012-RULE-1_3_b, MISRA2012-RULE-1_3_d, MISRA2012-RULE-20_9_b, MISRA2012-RULE-21_14, MISRA2012-RULE-21_17_a, MISRA2012-RULE-21_21, MISRA2012-RULE-21_5_b, MISRA2012-RULE-21_6, MISRA2012-RULE-21_7, MISRA2012-RULE-21_8, MISRA2012-RULE-21_8_b, MISRA2012-RULE-21_8_c, MISRA2012-RULE-22_1, MISRA2012-RULE-2_1_a, MISRA2012-RULE-2_1_h, MISRA2012-RULE-2_2_b, MISRA2012-RULE-8_11, MISRA2012-RULE-8_12, MISRA2012-RULE-9_1 |
MISRA C 2023 (MISRA C 2012) | MISRAC2012-DIR_4_1-a, MISRAC2012-DIR_4_1-d, MISRAC2012-DIR_4_1-e, MISRAC2012-DIR_4_1-g, MISRAC2012-DIR_4_11-a, MISRAC2012-DIR_4_13-a, MISRAC2012-DIR_4_14-b, MISRAC2012-DIR_4_14-e, MISRAC2012-DIR_4_14-f, MISRAC2012-DIR_4_14-g, MISRAC2012-DIR_4_14-j, MISRAC2012-DIR_4_14-k, MISRAC2012-DIR_4_14-l, MISRAC2012-DIR_5_1-c, MISRAC2012-RULE_11_2-a, MISRAC2012-RULE_11_8-a, MISRAC2012-RULE_12_2-a, MISRAC2012-RULE_12_2-b, MISRAC2012-RULE_12_3-a, MISRAC2012-RULE_14_3-ac, MISRAC2012-RULE_15_1-a, MISRAC2012-RULE_15_2-a, MISRAC2012-RULE_18_1-a, MISRAC2012-RULE_1_3-b, MISRAC2012-RULE_1_3-d, MISRAC2012-RULE_20_9-b, MISRAC2012-RULE_21_14-a, MISRAC2012-RULE_21_17-a, MISRAC2012-RULE_21_21-a, MISRAC2012-RULE_21_5-b, MISRAC2012-RULE_21_6-a, MISRAC2012-RULE_21_7-a, MISRAC2012-RULE_21_8-a, MISRAC2012-RULE_21_8-b, MISRAC2012-RULE_21_8-c, MISRAC2012-RULE_22_1-a, MISRAC2012-RULE_2_1-a, MISRAC2012-RULE_2_1-h, MISRAC2012-RULE_2_2-b, MISRAC2012-RULE_8_11-a, MISRAC2012-RULE_8_12-a, MISRAC2012-RULE_9_1-a |
MISRA C++ 2008 | MISRA2008-0_1_1_a, MISRA2008-0_1_2_aa, MISRA2008-0_1_3_c, MISRA2008-0_1_4, MISRA2008-0_1_6, MISRA2008-0_3_1_a, MISRA2008-0_3_1_d, MISRA2008-0_3_1_e, MISRA2008-0_3_1_g, MISRA2008-10_2_1, MISRA2008-15_1_3, MISRA2008-15_3_2, MISRA2008-15_5_3_d, MISRA2008-15_5_3_e, MISRA2008-16_0_7_b, MISRA2008-18_0_2, MISRA2008-18_0_3, MISRA2008-18_0_3_b, MISRA2008-18_0_3_d, MISRA2008-18_7_1_b, MISRA2008-3_1_1, MISRA2008-3_1_3, MISRA2008-4_10_1, MISRA2008-5_0_16_a, MISRA2008-5_0_21, MISRA2008-5_18_1, MISRA2008-5_2_12, MISRA2008-5_2_4, MISRA2008-5_8_1, MISRA2008-6_6_2, MISRA2008-7_3_1, MISRA2008-7_5_4 |
MISRA C++ 2023 | MISRACPP2023-0_0_1-a, MISRACPP2023-0_0_2-a, MISRACPP2023-0_1_1-a, MISRACPP2023-0_2_4-a, MISRACPP2023-0_3_2-a, MISRACPP2023-10_2_3-a, MISRACPP2023-11_6_1-a, MISRACPP2023-11_6_2-a, MISRACPP2023-11_6_3-a, MISRACPP2023-12_2_2-b, MISRACPP2023-13_3_4-a, MISRACPP2023-15_1_4-a, MISRACPP2023-15_8_1-a, MISRACPP2023-16_6_1-a, MISRACPP2023-18_1_2-a, MISRACPP2023-18_3_1-a, MISRACPP2023-18_5_2-a, MISRACPP2023-18_5_2-b, MISRACPP2023-18_5_2-c, MISRACPP2023-19_1_3-a, MISRACPP2023-21_10_3-a, MISRACPP2023-21_2_1-a, MISRACPP2023-21_2_3-a, MISRACPP2023-30_0_1-b, MISRACPP2023-4_1_3-a, MISRACPP2023-5_10_1-a, MISRACPP2023-5_13_5-a, MISRACPP2023-6_0_1-b, MISRACPP2023-6_0_2-a, MISRACPP2023-6_0_3-a, MISRACPP2023-6_2_4-a, MISRACPP2023-6_7_2-a, MISRACPP2023-7_0_1-a, MISRACPP2023-7_0_2-a, MISRACPP2023-7_0_3-a, MISRACPP2023-7_11_2-a, MISRACPP2023-8_19_1-a, MISRACPP2023-8_2_2-a, MISRACPP2023-8_2_3-a, MISRACPP2023-8_2_5-a, MISRACPP2023-8_7_1-a, MISRACPP2023-8_7_1-c, MISRACPP2023-8_7_1-e, MISRACPP2023-9_5_1-a, MISRACPP2023-9_6_1-a, MISRACPP2023-9_6_3-a |
Object Oriented | OOP-31, OOP-34 |
Optimization | OPT-05, OPT-22 |
OWASP API Security Top 10 (2019) | OWASP2019-API3-b, OWASP2019-API3-d, OWASP2019-API3-e, OWASP2019-API3-f, OWASP2019-API4-a, OWASP2019-API4-b, OWASP2019-API7-c, OWASP2019-API8-a, OWASP2019-API8-b, OWASP2019-API8-c, OWASP2019-API8-d, OWASP2019-API8-e, OWASP2019-API8-f |
OWASP Top 10 (2017) | OWASP2017-A1-b, OWASP2017-A1-c, OWASP2017-A1-d, OWASP2017-A1-e, OWASP2017-A1-f, OWASP2017-A5-a, OWASP2017-A6-b |
OWASP Top 10 (2021) | OWASP2021-A1-a, OWASP2021-A3-b, OWASP2021-A3-c, OWASP2021-A3-d, OWASP2021-A3-e, OWASP2021-A3-f, OWASP2021-A5-b |
Physical File Organization | PFO-01 |
Possible Bugs | PB-41, PB-41_b, PB-58, PB-75, PB-75_b, PB-75_c |
Security | SECURITY-48, SECURITY-48_b |
SEI CERT C++ | CERT_CPP-CTR53-b, CERT_CPP-CTR54-a, CERT_CPP-DCL53-a, CERT_CPP-ERR50-d, CERT_CPP-ERR50-e, CERT_CPP-ERR50-l, CERT_CPP-ERR50-n, CERT_CPP-ERR56-b, CERT_CPP-ERR57-a, CERT_CPP-ERR62-a, CERT_CPP-EXP53-a, CERT_CPP-EXP57-b, CERT_CPP-FIO51-a, CERT_CPP-OOP54-a, CERT_CPP-STR50-b |
SEI CERT C | CERT_C-ARR30-a, CERT_C-ARR38-a, CERT_C-ARR38-c, CERT_C-ARR38-d, CERT_C-ARR39-a, CERT_C-CON30-a, CERT_C-CON37-a, CERT_C-DCL16-a, CERT_C-DCL22-a, CERT_C-ENV33-a, CERT_C-ERR02-a, CERT_C-ERR04-a, CERT_C-ERR04-b, CERT_C-ERR04-c, CERT_C-ERR05-a, CERT_C-ERR05-b, CERT_C-ERR05-c, CERT_C-ERR07-a, CERT_C-ERR34-a, CERT_C-EXP08-b, CERT_C-EXP20-a, CERT_C-EXP33-a, CERT_C-FIO22-a, CERT_C-FIO32-a, CERT_C-FIO37-a, CERT_C-FIO42-a, CERT_C-FLP32-a, CERT_C-INT04-a, CERT_C-INT13-a, CERT_C-INT16-a, CERT_C-INT34-a, CERT_C-MEM00-e, CERT_C-MEM12-a, CERT_C-MEM31-a, CERT_C-MSC07-a, CERT_C-MSC07-i, CERT_C-MSC12-a, CERT_C-MSC12-i, CERT_C-MSC12-j, CERT_C-MSC19-a, CERT_C-MSC24-a, CERT_C-POS30-a, CERT_C-SIG00-a, CERT_C-SIG01-a, CERT_C-SIG02-a, CERT_C-STR02-a, CERT_C-STR02-b, CERT_C-STR02-c, CERT_C-STR03-a, CERT_C-STR31-a, CERT_C-STR32-a, CERT_C-WIN30-a |
Removed Rules
Rule ID | Notes |
|---|---|
AUTOSAR-A18_0_2-b | Removed from AUTOSAR C++ 14 configuration. For other configurations, MISRA2004-20_10 can be used as a replacement. |
AUTOSAR-A2_5_1-b | Removed from AUTOSAR C++ 14 configuration. For other configurations, MISRA2004-4_2 can be used as a replacement. |
AUTOSAR-A9_5_1-b | Removed from AUTOSAR C++ 14 configuration. For other configurations, MISRA2004-18_4 can be used as a replacement. |
AUTOSAR-M0_3_1-j | Removed from AUTOSAR C++ 14 configuration. For other configurations, BD-PB-CC or BD-PB-NP can be used as a replacement. |
BD-PB-DEREF | BD-PB-CC can be used as a replacement. |
BD-PB-INTOVERF | BD-PB-INTDL, BD-PB-INTUB, BD-PB-INTVC or BD-PB-INTWRAP can be used as a replacement. |
BD-PB-POVR | BD-PB-VOVR can be used as a replacement. |
CODSTA-63_b | CODSTA-307 and CODSTA-308 can be used as a replacement. |
CWE-476-b | Removed from CWE Top 25 configuration. For other configurations, BD-PB-CC or BD-PB-NP can be used as a replacement. |
HICPP-4_1_1-b | Removed from High Integrity C++ configuration. For other configurations, PB-41_b can be used as a replacement. |
MISRA2008-0_3_1_f | Removed from MISRA C++ 2008 configuration. For other configurations, BD-PB-CC or BD-PB-NP can be used as a replacement. |
MISRA2012-DIR-4_1_f | Removed from MISRA C 2012 (Legacy) configuration. For other configurations, BD-PB-CC or BD-PB-NP can be used as a replacement. |
MISRAC2012-DIR_4_1-f | Removed from MISRA C 2023 (MISRA C 2012) configuration. For other configurations, BD-PB-CC or BD-PB-NP can be used as a replacement. |
MISRACPP2023-7_0_3-b | Removed from MISRA C++ 2023 configuration. For other configurations, MISRA2004-6_2 can be used as a replacement. |