This release includes the following enhancements:
Release date: November 15, 2021
Integration with Azure DevOps and GitLab
We've added enhancements to help you streamline your workflows with CI systems. You can now conveniently review results reported by C/C++test directly in Azure Pipelines or GitLab.
Integration with Azure DevOps
We've added the C/C++test extension for Azure DevOps, which allows you to easily integrate C/C++test with your Azure DevOps pipeline. The extension provides a task for running analysis with C/C++test and generating the C/C++test report in the Azure DevOps-specific SARIF format. The analysis results are then displayed in build results for each execution of your pipeline. See https://marketplace.visualstudio.com/items?itemName=parasoft.cpptest-azure-devops for details.
Integration with GitLab
You can now integrate with GitLab by modifying your GitLab workflow to run analysis with C/C++test and generate the analysis report in the SAST format. This allows you to review results reported by C/C++test as code vulnerabilities in GitLab. See https://gitlab.com/parasoft/cpptest-gitlab for details.
Streamlined Code Coverage Workflow
We've added new options to help you troubleshoot problems that occur when you collect coverage information with C/C++test. Now you can:
- Display diagnostic data for the coverage workspace, including error and warning information.
- Collect diagnostic data for the coverage workspace to send it to Parasoft Support.
- Map file paths to enable collecting coverage information for files whose location has changed between instrumentation and report generation.
- Automatically recover from instrumentation or compilation problems.
- Collect multiple variants for coverage data for files compiled more than once during the build.
See Troubleshooting Code Coverage for details.
Support for Compilers
We've added support for the following compilers:
| Compiler Name | Compiler Acronym |
|---|---|
| ARM Compiler 6.16 | armclang_6_16 |
| Clang C/C++ Compiler v 12.0 (x86_64) | clang_12_0 |
| GNU GCC 11.x (x86_64) | gcc_11-64 |
| IAR Compiler for ARM v. 9.10x | iccarm_9_10 |
We've changed the support level for the following compilers:
- TI ARM C/C++ Compiler v20.2 is now fully supported.
- FR Family Softune C/C++ Compiler V6 – The support level has changed from Extended to Standard.
- RX C/C++ Compiler 2.5x – The support level has changed from Extended to Standard.
See Compilers for details.
Support for IDEs
We've added support for Eclipse versions 2020-06 (4.16) - 2021-06 (4.20).
New and Updated Code Analysis Rules
We've added new static analysis rules to extend coverage of compliance standards. See New Rules and Updated Rules for the lists of new and updated rules.
New and Updated Test Configurations
We've added the following test configurations:
- OWASP Top 10 20211
1This is a preview version of the test configuration.
Accepting the Parasoft End User License Agreement
You must accept the Parasoft End User License Agreement (EULA) to use C/C++test. The Parasoft EULA is available in the C/C++test installation directory and at https://www.parasoft.com/license. You will be prompted to agree to the terms of EULA during C/C++test installation or on the first startup.
If you are using C/C++test's command line interface, you can accept the EULA by adding the following setting to your localsettings file: parasoft.eula.accepted=true.
Other Changes
- The Requirements View now supports Jama Connect (requires DTP 2021.2 or later). See Working with the Requirements View.
- The .parasoft C/C++test project configuration file has been optimized to only include recently customized C/C++test settings.
Deprecated and Removed Support for Environments
Removed Support for IDEs
Support for the following IDEs is now removed:
- Eclipse 4.3
Resolved Bugs and FRs
Bug/FR ID | Description |
|---|---|
CPP-42644 | Improve mapping for AUTOSAR A13-5-5 |
CPP-47158 | Property 'IsCompilerGenerated' returns true for explicit calls of constructors in constructor init list |
CPP-47452 | Enum not reconstructed if attribute mode is used. |
CPP-47816 | error: no instance of overloaded function "getEnumInfo" matches the argument list |
CPP-47861 | Incorrect instrumentation of inline function with aligned static variable |
CPP-47890 | AUTOSAR-A10_3_2-a: false positive for final specifier |
CPP-48213 | The type of '*a' and 'a[b]' expressions is not detected as const/volatile |
CPP-48214 | Crash when generating string from constant |
CPP-48221 | METRICS-36: counts twice the same call when used in function declared and defined in the same TU |
CPP-48252 | CODSTA-26 (AUTOSAR-A5_1_1-a): false positive violations reported on constant used in initializer of constexpr variable |
CPP-48260 | Improve mapping for CERT-C INT15 |
CPP-48263 | AUTOSAR-M0_1_4-a: false positive for static constexpr variable |
CPP-48264 | MISRA2004-20_3: should report violations only for functions which have a restricted input domain |
CPP-48265 | GLOBAL-UNUSEDFUNC: false positive when function used as a template parameter |
CPP-48304 | Violations are not auto-suppressed in some cases for calls to function-like macros for Renesas rx2.5 compiler |
CPP-48310 | Incorrect test case code generated by Test Case Wizard when 'min' or 'min positive' was selected for 'float' type value |
CPP-48319 | JSF-143: false positive violation on reference initializations |
CPP-48320 | data member initializer is not allowed |
CPP-48342 | test case with data source, output shows: Test Problem: Data source not found |
CPP-48386 | Malformed 'line' attribute of 'parasoft suppress' record may lead to more violations being suppressed |
CPP-48390 | Add customizable exceptions for NAMING-44/JSF-051 |
CPP-48395 | CODSTA-81 (AUTOSAR-M3_3_2-a): false positive for explicitly specialized template |
CPP-48396 | Flag 'IsExplicitStatic' does not work correctly on template functions with explicit instance |
CPP-48415 | error: array is too large (cannot allocate >=2^32 elements) |
CPP-48434 | PB-50: false positive reported on calls to *scanf_s functions |
CPP-48464 | CODSTA-48 (AUTOSAR-A2_5_2-a): incorrectly detecting <:: token sequences as digraphs |
CPP-48491 | identifier "__builtin_arm_get_fpscr" is undefined |
CPP-48500 | argument of type "volatile void *" is incompatible with parameter of type "void *" |
CPP-48544 | STATUS_ACCESS_VIOLATION error when creating a operator_test stub |
CPP-48555 | Add support for enum bases in C mode to parser (clang extension) |
CPP-48582 | Parameter names automatically generated by parameterized test case creation in functions with enum arguments are inconsistent |
CPP-48588 | cwc internal error on bcc32_6_9 code: "pm_class_type: not a pointer to member type" |
CPP-48629 | PB-69: python errors when members of anonymous union are initialized by designated initializers |
CPP-48639 | Incorrect coverage instrumentation of static_cast operator |
CPP-48670 | Improve mapping for CERT-CPP DCL53 |
CPP-48703 | Improve mapping for CERT-CPP ERR56 |
CPP-48713 | Add support for -Hcppext= and -Hcext= options for ccac compiler |
CPP-48714 | Incorrect reconstruction of braced initializer |
CPP-48976 | Properties 'Type' and 'TypeTraverseReference' do not work for 'Friend' node |
CPP-48977 | Parse error on function attributes in VXTC compilers |
CPP-49003 | instrumentation error on empty structs for vxtc_6_3 |
CPP-49029 | Coverage instrumentation reports compile error: inlining failed in call to always_inline |
CPP-49037 | Fix support for -Hcppext= and -Hcext= options for ccac compiler |
CPP-49042 | Property 'Fullname' for the 'using' node does not report scope prefixes |
CPP-49048 | INIT-06: false positive when const data member is defined with initializer in template class |
CPP-49145 | Improve configuration for http proxy |
CPP-49162 | Add property allowing to check the actual namespace used in the Using Declaration |
CPP-49199 | cpptestcc coverage instrumentation changes UTF-8 literal into regular string literal which changes behavior |
CPP-49212 | CODSTA-MCPP-11_b_cpp11 (AUTOSAR-A7_1_2-b) and CODSTA-MCPP-09 (AUTOSAR-A15_4_4-a): false positives on 'main' function |
CPP-49657 | array with __far IAR memory attribute crashes parser |
FA-8388 | CERT_C-POS39-a (BD-PB-BYTEORD) reporting a violation when sending/receiving data. |
FA-8430 | BD-PB-OVERFNZT false negative. |
FA-8477 | BD-RES-FREE false negative when the usage element is also reassignment of the freed variable. |
FA-8541 | BD-PB-OVERFNZT false positive. |
FA-8548 | BD-PB-OVERFNZT false negatives on strdupa and strverscmp. |
FA-8551 | BD-PB-NP false negative. |
FA-8557 | False positive on BD-PB-VALPARAM. |
FA-8573 | False positives for BD-PB-UCMETH. |
FA-8597 | Incremental analysis stops reporting violations when the same rule is used in subsequent runs with different aliases (rule mapping). |
FA-8634 | BD-SECURITY-LOG false positive |
FA-8650 | Incorrect CFG after trying to simplify chained casts |
| PT-914 | C/C++test Pro VS plugin cannot obtain license from DTP - HTTPS handshake_failure |
| PT-927 | Proxy settings are not applied when requesting for license. |
| PT-992 | Plain text credentials in Technical Support Archive |
New Rules
Rule ID | Header |
|---|---|
AUTOSAR-A13_5_5-b | Comparison operators shall be non-member functions with identical parameter types and noexcept |
CERT_CPP-DCL53-c | Avoid function declarations that are syntactically ambiguous |
CERT_CPP-ERR56-b | Do not leave 'catch' blocks empty |
CODSTA-CPP-107 | Comparison operators shall be non-member functions |
CODSTA-CPP-107_b | Comparison operators shall be non-member functions with identical parameter types and noexcept |
FORMAT-48 | Parameter names in function declarations should not be enclosed in parentheses |
FORMAT-49 | Local variable names in variable declarations should not be enclosed in parentheses |
OWASP2021-A1-a | Protect against file name injection |
OWASP2021-A1-b | Observe correct revocation order while relinquishing privileges |
OWASP2021-A1-c | Ensure that privilege relinquishment is successful |
OWASP2021-A2-a | Properly seed pseudorandom number generators |
OWASP2021-A3-a | Avoid passing unvalidated binary data to log methods |
OWASP2021-A3-b | Protect against command injection |
OWASP2021-A3-c | Avoid printing tainted data on the output console |
OWASP2021-A3-d | Protect against environment injection |
OWASP2021-A3-e | Exclude unsanitized user input from format strings |
OWASP2021-A3-f | Protect against SQL injection |
OWASP2021-A4-a | Avoid passing sensitive data to functions that write to log files |
OWASP2021-A5-a | Where multiple handlers are provided in a single try-catch statement or function-try-block for a derived class and some or all of its bases, the handlers shall be ordered most-derived to base class |
OWASP2021-A5-b | Do not leave 'catch' blocks empty |
OWASP2021-A5-c | Properly use errno value |
OWASP2021-A5-d | Disable resolving XML external entities (XXE) in libxerces-c |
OWASP2021-A7-a | Do not use weak encryption functions |
OWASP2021-A8-a | Use care to ensure that LoadLibrary() will load the correct library |
OWASP2021-A9-a | All exceptions should be rethrown or logged with standard logger |
PB-78 | Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types |
PB-79 | Avoid function declarations that are syntactically ambiguous |
Updated Rules
Category ID | Rule IDs |
|---|---|
AUTOSAR C++14 Coding Guidelines | AUTOSAR-A0_1_1-a, AUTOSAR-A10_3_2-a, AUTOSAR-A12_1_1-b, AUTOSAR-A12_1_3-a, AUTOSAR-A13_5_5-a, AUTOSAR-A15_4_4-a, AUTOSAR-A20_8_2-a, AUTOSAR-A20_8_3-a, AUTOSAR-A20_8_4-a, AUTOSAR-A27_0_2-a, AUTOSAR-A2_5_2-a, AUTOSAR-A3_8_1-a, AUTOSAR-A5_1_1-a, AUTOSAR-A5_3_2-a, AUTOSAR-A7_1_2-b, AUTOSAR-M0_1_10-a, AUTOSAR-M0_1_4-a, AUTOSAR-M0_3_1-f, AUTOSAR-M0_3_1-g, AUTOSAR-M3_3_2-a |
Flow Analysis | BD-PB-BYTEORD, BD-PB-NP, BD-PB-OVERFNZT, BD-PB-UCMETH, BD-PB-VALPARAM, BD-PB-VOVR, BD-RES-FREE, BD-SECURITY-LOG |
SEI CERT C | CERT_C-ARR38-d, CERT_C-CON31-b, CERT_C-DCL10-a, CERT_C-DCL11-a, CERT_C-DCL11-b, CERT_C-DCL11-c, CERT_C-DCL11-d, CERT_C-DCL11-e, CERT_C-DCL11-f, CERT_C-DCL22-a, CERT_C-ERR33-c, CERT_C-EXP34-a, CERT_C-FIO46-a, CERT_C-FIO47-a, CERT_C-FIO47-b, CERT_C-FIO47-c, CERT_C-FIO47-d, CERT_C-FIO47-e, CERT_C-FIO47-f, CERT_C-INT15-a, CERT_C-MEM00-d, CERT_C-MEM01-a, CERT_C-MEM04-a, CERT_C-MEM07-a, CERT_C-MEM30-a, CERT_C-MSC19-b, CERT_C-POS30-a, CERT_C-POS39-a, CERT_C-POS54-c, CERT_C-STR03-a, CERT_C-STR32-a |
SEI CERT C++ | CERT_CPP-DCL53-a, CERT_CPP-DCL53-b, CERT_CPP-ERR56-a, CERT_CPP-EXP54-a, CERT_CPP-MEM50-a, CERT_CPP-STR50-b, CERT_CPP-STR51-a |
Coding Conventions | CODSTA-26, CODSTA-48, CODSTA-81 |
Coding Conventions for Modern C++ | CODSTA-MCPP-05, CODSTA-MCPP-09, CODSTA-MCPP-11_b_cpp11, CODSTA-MCPP-29, CODSTA-MCPP-30 |
Common Weakness Enumeration | CWE-20-c, CWE-415-a, CWE-416-a, CWE-476-a |
Global Static Analysis | GLOBAL-ONEUSEVAR, GLOBAL-UNUSEDFUNC |
High Integrity C++ | HICPP-10_2_1-a, HICPP-12_4_2-a, HICPP-1_2_1-h, HICPP-2_2_1-a, HICPP-5_1_1-a, HICPP-5_2_1-c, HICPP-8_4_1-b |
Initialization | INIT-06, INIT-17 |
Joint Strike Fighter | JSF-012, JSF-051, JSF-071_b, JSF-138_b, JSF-143, JSF-151 |
Metrics | METRICS-36 |
MISRA C 2004 | MISRA2004-20_3, MISRA2004-8_11 |
MISRA C++ 2008 | MISRA2008-0_1_10_b, MISRA2008-0_1_4, MISRA2008-0_1_6, MISRA2008-0_3_1_b, MISRA2008-0_3_1_e, MISRA2008-2_5_1, MISRA2008-3_3_2 |
MISRA C 2012 (Legacy) | MISRA2012-DIR-4_13_b, MISRA2012-DIR-4_1_b, MISRA2012-DIR-4_1_e, MISRA2012-RULE-1_3_c, MISRA2012-RULE-21_17_a, MISRA2012-RULE-22_2_a, MISRA2012-RULE-22_6, MISRA2012-RULE-2_2_b, MISRA2012-RULE-8_8, MISRA2012-RULE-9_4 |
MISRA C 2012 | MISRAC2012-DIR_4_1-b, MISRAC2012-DIR_4_1-e, MISRAC2012-DIR_4_13-b, MISRAC2012-RULE_1_3-c, MISRAC2012-RULE_21_17-a, MISRAC2012-RULE_22_2-a, MISRAC2012-RULE_22_6-a, MISRAC2012-RULE_2_2-b, MISRAC2012-RULE_8_8-a , MISRAC2012-RULE_9_4-a |
Naming Conventions | NAMING-44 |
Optimization | OPT-26 |
OWASP Top 10 Most Critical Web Application Security Risks (2017) | OWASP2017-A1-a, OWASP2019-API3-e |
Possible Bugs | PB-45, PB-46, PB-47, PB-48, PB-49, PB-50, PB-62, PB-69 |