This release includes the following enhancements:

Release date: November 15, 2021

Integration with Azure DevOps and GitLab

We've added enhancements to help you streamline your workflows with CI systems. You can now conveniently review results reported by C/C++test directly in Azure Pipelines or GitLab.

Integration with Azure DevOps

We've added the C/C++test extension for Azure DevOps, which allows you to easily integrate C/C++test with your Azure DevOps pipeline. The extension provides a task for running analysis with C/C++test and generating the C/C++test report in the Azure DevOps-specific SARIF format. The analysis results are then displayed in build results for each execution of your pipeline. See https://marketplace.visualstudio.com/items?itemName=parasoft.cpptest-azure-devops for details.

Integration with GitLab

You can now integrate with GitLab by modifying your GitLab workflow to run analysis with C/C++test and generate the analysis report in the SAST format. This allows you to review results reported by C/C++test as code vulnerabilities in GitLab. See https://gitlab.com/parasoft/cpptest-gitlab for details.

Enhanced C/C++test Extension for Visual Studio Code

We've extended the capabilities of the C/C++test extension for Visual Studio Code. You can now import analysis results from your repository in Azure DevOps. See Visual Studio Code Marketplace for details about the C/C++test extension for Visual Studio Code.

Streamlined Code Coverage Workflow

We've added new options to help you troubleshoot problems that occur when you collect coverage information with C/C++test. Now you can:

  • Display diagnostic data for the coverage workspace, including error and warning information.
  • Collect diagnostic data for the coverage workspace to send it to Parasoft Support.
  • Map file paths to enable collecting coverage information for files whose location has changed between instrumentation and report generation.
  • Automatically recover from instrumentation or compilation problems.
  • Collect multiple variants for coverage data for files compiled more than once during the build.

See Troubleshooting Code Coverage for details.

Support for Compilers

We've added support for the following compilers:

| Compiler Name | Compiler Acronym |
| --- | --- |
| ARM Compiler 6.16 | armclang_6_16 |
| Clang C/C++ Compiler v 12.0 (x86_64) | clang_12_0 |
| GNU GCC 11.x (x86_64) | gcc_11-64 |
| IAR Compiler for ARM v. 9.10x | iccarm_9_10 |

We've changed the support level for the following compilers:

  • TI ARM C/C++ Compiler v20.2 is now fully supported.
  • FR Family Softune C/C++ Compiler V6 – The support level has changed from Extended to Standard.
  • RX C/C++ Compiler 2.5x – The support level has changed from Extended to Standard.

See Supported Compilers for details.

Support for IDEs

We've added support for Eclipse versions 2020-06 (4.16) - 2021-06 (4.20).

New and Updated Code Analysis Rules

We've added new static analysis rules to extend coverage of compliance standards. See New Rules and Updated Rules for the lists of new and updated rules.

New and Updated Test Configurations

We've added the following test configurations:

  • OWASP Top 10 2021¹

¹ This is a preview version of the test configuration.

Accepting the Parasoft End User License Agreement

You must accept the Parasoft End User License Agreement (EULA) to use C/C++test. The Parasoft EULA is available in the C/C++test installation directory and at https://www.parasoft.com/license.

To agree to the terms of the EULA, enable the following setting in your cpptestcli.properties configuration file: parasoft.eula.accepted=true.

If you install the Parasoft Plugin in your IDE, you will be prompted to accept the EULA by the installation wizard and the EULA acceptance setting will be automatically added to the cpptestcli.properties file.

If you install the Parasoft Plugin for Visual Studio in a silent (non-interactive) mode, you must run the installer with the following command to accept the EULA: /acceptEula=yes.

Deprecated and Removed Support for Environments

Deprecated support for Visual Studio 2012 and 2013 will be removed in the next release.

Removed Support for IDEs

Support for the following IDEs is now removed:

  • Eclipse 4.3

Resolved Bugs and FRs

| Bug/FR ID | Description |
| --- | --- |
| CPP-42644 | Improve mapping for AUTOSAR A13-5-5 |
| CPP-47158 | Property 'IsCompilerGenerated' returns true for explicit calls of constructors in constructor init list |
| CPP-47452 | Enum not reconstructed if attribute mode is used. |
| CPP-47816 | error: no instance of overloaded function "getEnumInfo" matches the argument list |
| CPP-47861 | Incorrect instrumentation of inline function with aligned static variable |
| CPP-47890 | AUTOSAR-A10_3_2-a: false positive for final specifier |
| CPP-48213 | The type of '*a' and 'a[b]' expressions is not detected as const/volatile |
| CPP-48214 | Crash when generating string from constant |
| CPP-48221 | METRICS-36: counts twice the same call when used in function declared and defined in the same TU |
| CPP-48252 | CODSTA-26 (AUTOSAR-A5_1_1-a): false positive violations reported on constant used in initializer of constexpr variable |
| CPP-48260 | Improve mapping for CERT-C INT15 |
| CPP-48263 | AUTOSAR-M0_1_4-a: false positive for static constexpr variable |
| CPP-48264 | MISRA2004-20_3: should report violations only for functions which have a restricted input domain |
| CPP-48265 | GLOBAL-UNUSEDFUNC: false positive when function used as a template parameter |
| CPP-48304 | Violations are not auto-suppressed in some cases for calls to function-like macros for Renesas rx2.5 compiler |
| CPP-48310 | Incorrect test case code generated by Test Case Wizard when 'min' or 'min positive' was selected for 'float' type value |
| CPP-48319 | JSF-143: false positive violation on reference initializations |
| CPP-48320 | data member initializer is not allowed |
| CPP-48342 | test case with data source, output shows: Test Problem: Data source not found |
| CPP-48386 | Malformed 'line' attribute of 'parasoft suppress' record may lead to more violations being suppressed |
| CPP-48390 | Add customizable exceptions for NAMING-44/JSF-051 |
| CPP-48395 | CODSTA-81 (AUTOSAR-M3_3_2-a): false positive for explicitly specialized template |
| CPP-48396 | Flag 'IsExplicitStatic' does not work correctly on template functions with explicit instance |
| CPP-48415 | error: array is too large (cannot allocate >=2^32 elements) |
| CPP-48434 | PB-50: false positive reported on calls to *scanf_s functions |
| CPP-48464 | CODSTA-48 (AUTOSAR-A2_5_2-a): incorrectly detecting <:: token sequences as digraphs |
| CPP-48491 | identifier "__builtin_arm_get_fpscr" is undefined |
| CPP-48500 | argument of type "volatile void *" is incompatible with parameter of type "void *" |
| CPP-48544 | STATUS_ACCESS_VIOLATION error when creating a operator_test stub |
| CPP-48555 | Add support for enum bases in C mode to parser (clang extension) |
| CPP-48582 | Parameter names automatically generated by parameterized test case creation in functions with enum arguments are inconsistent |
| CPP-48588 | cwc internal error on bcc32_6_9 code: "pm_class_type: not a pointer to member type" |
| CPP-48629 | PB-69: python errors when members of anonymous union are initialized by designated initializers |
| CPP-48639 | Incorrect coverage instrumentation of static_cast operator |
| CPP-48670 | Improve mapping for CERT-CPP DCL53 |
| CPP-48703 | Improve mapping for CERT-CPP ERR56 |
| CPP-48713 | Add support for -Hcppext= and -Hcext= options for ccac compiler |
| CPP-48714 | Incorrect reconstruction of braced initializer |
| CPP-48976 | Properties 'Type' and 'TypeTraverseReference' do not work for 'Friend' node |
| CPP-48977 | Parse error on function attributes in VXTC compilers |
| CPP-49003 | instrumentation error on empty structs for vxtc_6_3 |
| CPP-49029 | Coverage instrumentation reports compile error: inlining failed in call to always_inline |
| CPP-49037 | Fix support for -Hcppext= and -Hcext= options for ccac compiler |
| CPP-49042 | Property 'Fullname' for the 'using' node does not report scope prefixes |
| CPP-49048 | INIT-06: false positive when const data member is defined with initializer in template class |
| CPP-49145 | Improve configuration for http proxy |
| CPP-49162 | Add property allowing to check the actual namespace used in the Using Declaration |
| CPP-49199 | cpptestcc coverage instrumentation changes UTF-8 literal into regular string literal which changes behavior |
| CPP-49212 | CODSTA-MCPP-11_b_cpp11 (AUTOSAR-A7_1_2-b) and CODSTA-MCPP-09 (AUTOSAR-A15_4_4-a): false positives on 'main' function |
| CPP-49657 | array with __far IAR memory attribute crashes parser |
| FA-8388 | CERT_C-POS39-a (BD-PB-BYTEORD) reporting a violation when sending/receiving data. |
| FA-8430 | BD-PB-OVERFNZT false negative. |
| FA-8477 | BD-RES-FREE false negative when the usage element is also reassignment of the freed variable. |
| FA-8541 | BD-PB-OVERFNZT false positive. |
| FA-8548 | BD-PB-OVERFNZT false negatives on strdupa and strverscmp. |
| FA-8551 | BD-PB-NP false negative. |
| FA-8557 | False positive on BD-PB-VALPARAM. |
| FA-8573 | False positives for BD-PB-UCMETH. |
| FA-8597 | Incremental analysis stops reporting violations when the same rule is used in subsequent runs with different aliases (rule mapping). |
| FA-8634 | BD-SECURITY-LOG false positive |
| XT-39166 | Issues with checking locally modified lines on Git. |
| XT-39322 | Proxy settings are not applied when requesting for license in lightweight Parasoft Plugin |
| XT-39329 | Report in SAST format is not opened in Eclipse UI |



New Rules

| Rule ID | Header |
| --- | --- |
| AUTOSAR-A13_5_5-b | Comparison operators shall be non-member functions with identical parameter types and noexcept |
| CERT_CPP-DCL53-c | Avoid function declarations that are syntactically ambiguous |
| CERT_CPP-ERR56-b | Do not leave 'catch' blocks empty |
| CODSTA-CPP-107 | Comparison operators shall be non-member functions |
| CODSTA-CPP-107_b | Comparison operators shall be non-member functions with identical parameter types and noexcept |
| FORMAT-48 | Parameter names in function declarations should not be enclosed in parentheses |
| FORMAT-49 | Local variable names in variable declarations should not be enclosed in parentheses |
| OWASP2021-A1-a | Protect against file name injection |
| OWASP2021-A1-b | Observe correct revocation order while relinquishing privileges |
| OWASP2021-A1-c | Ensure that privilege relinquishment is successful |
| OWASP2021-A2-a | Properly seed pseudorandom number generators |
| OWASP2021-A3-a | Avoid passing unvalidated binary data to log methods |
| OWASP2021-A3-b | Protect against command injection |
| OWASP2021-A3-c | Avoid printing tainted data on the output console |
| OWASP2021-A3-d | Protect against environment injection |
| OWASP2021-A3-e | Exclude unsanitized user input from format strings |
| OWASP2021-A3-f | Protect against SQL injection |
| OWASP2021-A4-a | Avoid passing sensitive data to functions that write to log files |
| OWASP2021-A5-a | Where multiple handlers are provided in a single try-catch statement or function-try-block for a derived class and some or all of its bases, the handlers shall be ordered most-derived to base class |
| OWASP2021-A5-b | Do not leave 'catch' blocks empty |
| OWASP2021-A5-c | Properly use errno value |
| OWASP2021-A5-d | Disable resolving XML external entities (XXE) in libxerces-c |
| OWASP2021-A7-a | Do not use weak encryption functions |
| OWASP2021-A8-a | Use care to ensure that LoadLibrary() will load the correct library |
| OWASP2021-A9-a | All exceptions should be rethrown or logged with standard logger |
| PB-78 | Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types |
| PB-79 | Avoid function declarations that are syntactically ambiguous |

Updated Rules

| Category ID | Rule IDs |
| --- | --- |
| AUTOSAR C++14 Coding Guidelines | AUTOSAR-A0_1_1-a, AUTOSAR-A10_3_2-a, AUTOSAR-A12_1_1-b, AUTOSAR-A12_1_3-a, AUTOSAR-A13_5_5-a, AUTOSAR-A15_4_4-a, AUTOSAR-A20_8_2-a, AUTOSAR-A20_8_3-a, AUTOSAR-A20_8_4-a, AUTOSAR-A27_0_2-a, AUTOSAR-A2_5_2-a, AUTOSAR-A3_8_1-a, AUTOSAR-A5_1_1-a, AUTOSAR-A5_3_2-a, AUTOSAR-A7_1_2-b, AUTOSAR-M0_1_10-a, AUTOSAR-M0_1_4-a, AUTOSAR-M0_3_1-f, AUTOSAR-M0_3_1-g, AUTOSAR-M3_3_2-a |
| Flow Analysis | BD-PB-BYTEORD, BD-PB-NP, BD-PB-OVERFNZT, BD-PB-UCMETH, BD-PB-VALPARAM, BD-PB-VOVR, BD-RES-FREE, BD-SECURITY-LOG |
| SEI CERT C | CERT_C-ARR38-d, CERT_C-CON31-b, CERT_C-DCL10-a, CERT_C-DCL11-a, CERT_C-DCL11-b, CERT_C-DCL11-c, CERT_C-DCL11-d, CERT_C-DCL11-e, CERT_C-DCL11-f, CERT_C-DCL22-a, CERT_C-ERR33-c, CERT_C-EXP34-a, CERT_C-FIO46-a, CERT_C-FIO47-a, CERT_C-FIO47-b, CERT_C-FIO47-c, CERT_C-FIO47-d, CERT_C-FIO47-e, CERT_C-FIO47-f, CERT_C-INT15-a, CERT_C-MEM00-d, CERT_C-MEM01-a, CERT_C-MEM04-a, CERT_C-MEM07-a, CERT_C-MEM30-a, CERT_C-MSC19-b, CERT_C-POS30-a, CERT_C-POS39-a, CERT_C-POS54-c, CERT_C-STR03-a, CERT_C-STR32-a |
| SEI CERT C++ | CERT_CPP-DCL53-a, CERT_CPP-DCL53-b, CERT_CPP-ERR56-a, CERT_CPP-EXP54-a, CERT_CPP-MEM50-a, CERT_CPP-STR50-b, CERT_CPP-STR51-a |
| Coding Conventions | CODSTA-26, CODSTA-48, CODSTA-81 |
| Coding Conventions for Modern C++ | CODSTA-MCPP-05, CODSTA-MCPP-09, CODSTA-MCPP-11_b_cpp11, CODSTA-MCPP-29, CODSTA-MCPP-30 |
| Common Weakness Enumeration | CWE-20-c, CWE-415-a, CWE-416-a, CWE-476-a |
| Global Static Analysis | GLOBAL-ONEUSEVAR, GLOBAL-UNUSEDFUNC |
| High Integrity C++ | HICPP-10_2_1-a, HICPP-12_4_2-a, HICPP-1_2_1-h, HICPP-2_2_1-a, HICPP-5_1_1-a, HICPP-5_2_1-c, HICPP-8_4_1-b |
| Initialization | INIT-06, INIT-17 |
| Joint Strike Fighter | JSF-012, JSF-051, JSF-071_b, JSF-138_b, JSF-143, JSF-151 |
| Metrics | METRICS-36 |
| MISRA C 2004 | MISRA2004-20_3, MISRA2004-8_11 |
| MISRA C++ 2008 | MISRA2008-0_1_10_b, MISRA2008-0_1_4, MISRA2008-0_1_6, MISRA2008-0_3_1_b, MISRA2008-0_3_1_e, MISRA2008-2_5_1, MISRA2008-3_3_2 |
| MISRA C 2012 (Legacy) | MISRA2012-DIR-4_13_b, MISRA2012-DIR-4_1_b, MISRA2012-DIR-4_1_e, MISRA2012-RULE-1_3_c, MISRA2012-RULE-21_17_a, MISRA2012-RULE-22_2_a, MISRA2012-RULE-22_6, MISRA2012-RULE-2_2_b, MISRA2012-RULE-8_8, MISRA2012-RULE-9_4 |
| MISRA C 2012 | MISRAC2012-DIR_4_1-b, MISRAC2012-DIR_4_1-e, MISRAC2012-DIR_4_13-b, MISRAC2012-RULE_1_3-c, MISRAC2012-RULE_21_17-a, MISRAC2012-RULE_22_2-a, MISRAC2012-RULE_22_6-a, MISRAC2012-RULE_2_2-b, MISRAC2012-RULE_8_8-a, MISRAC2012-RULE_9_4-a |
| Naming Conventions | NAMING-44 |
| Optimization | OPT-26 |
| OWASP Top 10 Most Critical Web Application Security Risks (2017) | OWASP2017-A1-a, OWASP2019-API3-e |
| Possible Bugs | PB-45, PB-46, PB-47, PB-48, PB-49, PB-50, PB-62, PB-69 |
