CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy
CodeChecker store about twice as fast (#3777)
This small change from a regex to a string search is expected to shave off the time it takes to run a CodeChecker store command by as much as 50%!

- bugprone-assignment-in-if-condition: extreme (no longer in the sensitive and default profiles)
- bugprone-signal-handler: default (new), security (new), sensitive, extreme
- bugprone-suspicious-realloc-usage (new): default, sensitive, extreme
- bugprone-stringview-nullptr (new): default, sensitive, extreme
- bugprone-unchecked-optional-access (new): extreme
- cert-sig30-c: removed from all profiles (as it is an alias to bugprone-signal-handler)
- cppcoreguidelines-avoid-const-or-ref-data-members: sensitive (new), extreme
- cppcoreguidelines-avoid-do-while (new): extreme
- misc-const-correctness: removed from all profiles (it was too extreme even for extreme)
- misc-misleading-bidirectional: default, security (new), sensitive, extreme
- misc-misleading-identifier (new): default, security, sensitive, extreme
- alpha.unix.Errno: sensitive (new), extreme
- core.uninitialized.NewArraySize (new): default, sensitive, extreme
- alpha.unix.cstring.UninitializedRead (new): extreme

--help messages.
README (#3763)
CodeChecker cmd diff to the server got incorrect results, which this PR fixes.
CodeChecker parse --export html produced an invalid HTML file.

--analyzer-config
options are given to CodeChecker then only the last one was taken into account. From this version both are handled: --analyzer-config <option1> --analyzer-config <option2>. The old format is also still available: --analyzer-config <option1> <option2>. This is especially useful when you specify the base analysis parameters in the codechecker_config file and you want to override certain parameters on the command line.

Changed handling of in-code suppressions (e.g. //codechecker_suppress [ all ] This is a false warning) (#3580)
Review status is now connected to the individual reports instead of all reports with the same report hash. This makes it possible to mark a bug as a false positive on one branch (and store it in a run) and mark it as intentional on another branch. Warning: The different handling of such rare cases can cause a change in the checker statistics.

Changed handling of suppressions in the GUI (#3646)
If you handle suppressions in the GUI instead of the source code, the suppressions remain effective for all reports identified by the same bug hash. These are called "suppression rules". You can list and manage such rules in the "Review Status Rules" window:

Changed visualization of false positive and intentional reports in the Outstanding Reports Statistics
Outstanding report statistics excluded false positive reports from the graphs even for time periods when these reports were active. After this change, the reports will be counted in the outstanding reports graphs until the time they were classified as false positive. So you will be able to see a decreasing trend in the outstanding reports graph after you classify reports as false positive.

A new filter option has been introduced which returns all reports where the file is involved at any part of the bug path.
--trim-path-prefix flag may now contain joker characters (#3674)
The --trim-path-prefix flag helps to remove a given prefix of each file path during report storage. This prefix may now contain joker characters too. The longest matching prefix will be eliminated from each file path.
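An added example (not CodeChecker's own implementation) of the longest-matching-prefix rule described above. It interprets joker characters as shell-style fnmatch wildcards matched per path component, and applies the trimming to every file on a report's bug path so the whole report ends up relative to the same root; the per-component matching and the report dictionary shape are assumptions of this example.

```python
import fnmatch
from typing import Iterable, List


def _matched_components(path_parts: List[str], pattern: str) -> int:
    """Return how many leading components of the path the glob pattern
    covers, or 0 if it does not match. The pattern is matched component by
    component, so '*' never crosses a '/' (assumption of this example)."""
    pattern_parts = pattern.rstrip("/").split("/")
    # The prefix must leave at least the file name behind.
    if len(pattern_parts) >= len(path_parts):
        return 0
    for pattern_part, path_part in zip(pattern_parts, path_parts):
        if not fnmatch.fnmatchcase(path_part, pattern_part):
            return 0
    return len(pattern_parts)


def trim_path_prefix(path: str, prefixes: Iterable[str]) -> str:
    """Strip the longest prefix matching any of the given patterns.
    Paths that match no pattern are returned unchanged."""
    path_parts = path.split("/")
    longest = max((_matched_components(path_parts, p) for p in prefixes),
                  default=0)
    if longest == 0:
        return path
    return "/".join(path_parts[longest:])


def trim_report_paths(report: dict, prefixes: Iterable[str]) -> dict:
    """Apply the same trimming to a report's main file and to every file on
    its bug path. Constructed report shape: {'file': str, 'path': [str]}."""
    return {
        "file": trim_path_prefix(report["file"], prefixes),
        "path": [trim_path_prefix(f, prefixes) for f in report["path"]],
    }


if __name__ == "__main__":
    # Constructed sample: two overlapping patterns; the longer match wins.
    PREFIXES = ["/home/*/proj", "/home/*", "/opt/build-*"]
    REPORT = {
        "file": "/home/alice/proj/src/main.cpp",
        "path": ["/home/alice/proj/include/util.h",
                 "/home/alice/proj/src/main.cpp"],
    }
    print(trim_report_paths(REPORT, PREFIXES))
```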
clangtidy:take-config-from-directory=true is specified (#3698)
clangtidy:take-config-from-directory is an analyzer config that makes ClangTidy get its arguments from a .clang-tidy file, and only from that file. What this implies is that all other options on the command line for ClangTidy will be ignored. The problem was that this also ignored compiler warnings, so it has been fixed.

CodeChecker cmd suppress run_name -i <import_file> will only import suppressions for the run indicated by run_name, and not all reports in all runs.

CodeChecker cmd runs --details (#3669)
This command now lists the files that failed to analyze.

.git directory but the user who is running the CodeChecker store command doesn't have permission to this file, then the storage failed.

- alpha.unix.Errno: extreme
- bugprone-assignment-in-if-condition: default, sensitive, extreme
- misc-const-correctness: extreme
- misc-confusable-identifiers: default, sensitive, extreme
- modernize-macro-to-enum: extreme

README.md (#3512)

clang-extdef-mapping utility during CTU analysis. This collects for each function definition in which file it has been defined. The format of this mapping file changed, and this change needs to be adapted in CodeChecker.

dev_package make target (#3682)
This make target creates symlinks in the build directory to the source files. This way it is not necessary to rebuild CodeCompass for each source code change during development. Known issue: CC_LIB_DIR needs to be set to the .../build/CodeChecker/lib/python3
directory.

--stats flag (#3630, #3633)
The CodeChecker analyze command has a --stats flag if there is at least one checker containing statisticsbased in its name. We are using the checker listing function to determine the list of checkers, but by default it excludes modeling checkers. This default behavior should be overridden when checking if the underlying Clang supports statistics based checkers.

-sdkroot option to COMPILE_FLAGS structure (#3631)
A special downstream compiler duplicated the --sysroot option, and CodeChecker is not aware of the option chosen by this downstream compiler. Adding these entries enables CodeChecker to not drop or strip the arguments to this option when interpreted and driven from a compile_commands.json file.

pyyaml dependency to the web part to fix docker container (#3626)
For more information check the milestone.
The output of the CodeChecker version -o json command wasn't valid JSON. From this release CodeChecker will provide valid JSON output for this command.
For more information see the documentation.

Clang Static Analyzer checker is disabled in CodeChecker, clang is invoked with the analyzer-disable-checker flag. This allows the user to disable core modeling checkers such as unix.DynamicMemoryModeling. This causes malfunctioning of dependent checkers.
From this release modeling and debug checkers (listed with clang -cc1 -analyzer-checker-help-developer) will not be listed and cannot be disabled through CodeChecker with the --enable and --disable flags.
They can be enabled/disabled through the Clang Static Analyzer specific --saargs flag only.

node version (#3581, #3586)
The minimum supported node version to build CodeChecker after this release is >=14.17.0.

print-steps option to CodeChecker cmd diff command (#3555)
Without bug steps it is hard for a programmer to understand the problem. With this commit we introduce a new option for the CodeChecker cmd diff command which can be used to print bug steps, similar to what we do in the CodeChecker parse command. This patch also solves the problem of printing bug steps in HTML files for reports which come from a CodeChecker server.

--config option which allows the configuration from an explicit configuration file. The parameters in the config file will be emplaced as command line arguments. Previously we supported only JSON format, but the limitation of this format is that we can't add comments in this file, for example why we enabled/disabled a checker, why an option is important etc.
From this release we will also support YAML format:

analyzer:
  # Enable/disable checkers.
  - --enable=core.DivideZero
For more information see the documentation.

--file and skipfile option to be given together and analyze header file (#3616)
The CodeChecker VSCodePlugin uses the --file parameter to analyze single files. Large projects load their configuration using the --config parameter, and if there is a -i skipfile given in the config, the CodeChecker analyze call drops an error. From this release CodeChecker will allow -i skipfile and --file to be given together.
Also, if a header file is given to the --file option, CodeChecker under the hood will try to figure out which source files depend on the given header file, and we will analyze these source files.

: in run names with \: (#3536)
In certain scenarios, the run name might contain a : character that does NOT separate a tag from a name. Commands such as server and cmd results accept : as a literal in the name, but cmd diff previously cut it as the "run tag" separator.
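An added example, not CodeChecker's own code, of parsing a run name with the escape described above: an unescaped : separates the run name from its tag, while \: stands for a literal colon, so a name containing colons is no longer cut at the wrong place. Splitting on the first unescaped colon, unescaping the tag as well, and the escape helper are assumptions of this example.

```python
from typing import Optional, Tuple

ESCAPED_COLON = "\\:"


def split_run_name_and_tag(run_spec: str) -> Tuple[str, Optional[str]]:
    """Split 'name:tag' on the first unescaped ':'.
    The sequence '\\:' is a literal colon and never acts as the separator.
    Any other backslash is kept verbatim (assumption of this example)."""
    name = []
    i = 0
    while i < len(run_spec):
        ch = run_spec[i]
        if ch == "\\" and i + 1 < len(run_spec) and run_spec[i + 1] == ":":
            name.append(":")  # escaped colon: part of the run name
            i += 2
            continue
        if ch == ":":
            # Unescaped colon: everything after it is the tag (unescaped too).
            tag = run_spec[i + 1:].replace(ESCAPED_COLON, ":")
            return "".join(name), tag
        name.append(ch)
        i += 1
    return "".join(name), None


def escape_run_name(name: str) -> str:
    """Escape every ':' in a run name so it survives the tag split."""
    return name.replace(":", ESCAPED_COLON)


if __name__ == "__main__":
    # Constructed sample run specifications.
    for spec in ("nightly:2022-08-01", "proj\\:mainline:v1", "norun",
                 escape_run_name("a:b:c") + ":tag"):
        print(spec, "->", split_run_name_and_tag(spec))
```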
TLS1 and TLS1.1 were deprecated in RFC8996. From this release CodeChecker will enforce the newer TLS1.2 or TLS1.3.

a.cpp + b.cpp) the CodeChecker cmd diff command in HTML format generated HTML files for each source file but inserted the same list of reports in all of the HTML files. From this release CodeChecker will insert only those reports into a generated HTML file which are really related to that file.

doc_url values to absolute file paths in the CodeChecker checkers output. This way other tools can open and view these documentation files easily.

- bugprone-shared-ptr-array-mismatch: default, extreme, sensitive
- misc-misleading-bidirectional: default, extreme, sensitive
- readability-container-contains: default, extreme, sensitive
- cppcoreguidelines-narrowing-conversions: extreme
CodeChecker check in case of exception (#3603).
readability-duplicate-include (#3592)
--enable-all (#3611)
python-ldap to 3.4.0 (#3550)
lxml to 4.7.1 (#3553)
npm packages (#3581, #3586)
3.9.7 in docker image (#3591)
For more information check the milestone.
We are proud to announce the official release of CodeChecker VSCode plugin.
6.18.2 or later and optionally add it to the PATH environment variable.

bugprone-easily-swappable-parameters from sensitive profile (#3579).
The checker warns for a bugprone coding style at function definitions. It is mostly useful for new code, where new functions are being defined. On the other hand, the checker required too many changes in legacy projects with non-matching coding style.

CodeChecker cmd diff when path trimming was used in the stored results.

v-html attribute on the UI side to dynamically render comments and analyzer commands. This can be very dangerous because it can easily lead to XSS vulnerabilities. To solve this problem the server will always return the escaped version of these values, which can be safely rendered on the UI.

CC_REPORT_URL is defined and gerrit format is used at CodeChecker parse or CodeChecker cmd diff commands, the output will contain the value of this environment variable wrapped inside quotes. When this output is sent to gerrit, it will convert URL links to HTML a tags. Unfortunately gerrit will think that the ending quote is part of the URL, so it will not remove it. This way the URL will be invalid.
For more information check the milestone.

markdownlint (#3505).
cppcoreguidelines-virtual-class-destructor in profiles (#3532).
bugprone-unhandled-exception-at-new to default profile (#3531).
--file filter option for CodeChecker parse command (#3454).
6.18.0 release (#3530).
CC_REPO) for docker image (#3543).
lxml to 4.6.4 (#3528).
For more information check the milestone.
CodeChecker can be installed and used from multiple repositories:
For more information see the installation guide.
CodeChecker can be used as a generic tool for visualizing analyzer results of multiple static and dynamic analyzers:
For details see supported code analyzers documentation and the Report Converter Tool.
The JSON output of the CodeChecker parse command was not stable enough and the structure was very similar to the plist structure. Our plan is to support reading/parsing/storing of multiple analyzer output types, not only plist but for example the sarif format as well (http://docs.oasis-open.org/sarif/sarif/v2.0/csprd01/sarif-v2.0-csprd01.html). For this reason we changed the format of the JSON output of the CodeChecker parse and CodeChecker cmd diff commands. The new format is described in #3519.
Create a new global role (PERMISSION_VIEW) which will be used to allow the users to fetch access control information from a running CodeChecker server by using the CodeChecker cmd permissions subcommand.
-mfp16-format, -fmacro-prefix-map, -fno-defer-pop, -fstack-usage flags (#3433, #3445).
For more information check the milestone.
With this feature it will be possible for a developer to check who modified the source line last where a CodeChecker error appears.
CodeChecker store command will store blame information for every source file which is not stored yet.

Cleanup plans can be used to track the progress of reports in your product. The concept is similar to GitHub Milestones.
You can do the following:
If you want to use CodeChecker in your project but you don't want to run a CodeChecker server and to fix every report found by CodeChecker for the first time (legacy findings), with this feature you can do the following:
./reports).
CodeChecker parse ./reports -e baseline -o reports.baseline. Note: it is recommended to store this baseline file (reports.baseline) in your repository.
CodeChecker diff command to get the new reports:
CodeChecker cmd diff -b ./reports.baseline -n ./reports --new
The report-converter tool is extended with LeakSanitizer, which is a run-time memory leak detector for C programs.
# Compile your program.
clang -fsanitize=address -g lsan.c
# Run your program and redirect the output to a file.
ASAN_OPTIONS=detect_leaks=1 ./a.out > lsan.output 2>&1
# Generate plist files from the output.
report-converter -t lsan -o ./lsan_results lsan.output
# Store reports.
CodeChecker store ./lsan_results -n lsan
For more information see.
Previously the properties of checkers (severity, profile, guideline) were read from several JSON files. The goal was to handle all these and future properties of checkers in a common manner. This new solution uses labels which can be added to checkers.
The collection of labels is found in the config/labels directory. The goal of these labels is that you can enable or disable checkers by these labels.
# List checkers in "sensitive" profile.
CodeChecker checkers --label profile:sensitive
# List checkers in "HIGH" severity.
CodeChecker checkers --label severity:HIGH
# List checkers covering str34-c SEI-CERT rule.
CodeChecker checkers --label sei-cert:str-34-c
# List checkers covering all SEI-CERT rules.
CodeChecker checkers --label guideline:sei-cert
# List available profiles, guidelines and severities.
CodeChecker checkers --profile
CodeChecker checkers --guideline
CodeChecker checkers --severity
# List labels and their available values.
CodeChecker checkers --label
CodeChecker checkers --label severity
# Enable HIGH checkers during analysis.
CodeChecker analyze \
./compile_commands.json \
-o ./reports \
-e severity:HIGH
Note: with this new feature we also added severity levels for pylint (#3414) and cppcheck (#3415) analyzers.
PyPI package support (#3251, #3301).
PyPI is the most commonly used central repository for Python packages. For this reason from this release we will provide an official PyPI package for CodeChecker. This PyPI package can be easily installed on both Unix and Windows based systems by using the pip command: pip install codechecker.
CodeChecker was extended with a tool that can capture the compilation database of a Bazel built product without actually performing compilation. For more information see.
CodeChecker cmd (#3116)
New command line options are introduced (CodeChecker cmd export and CodeChecker cmd import) which can be used to export comments and review status for a particular run in a JSON based format from a running CodeChecker server and import it to another server.
# Export data from one server.
CodeChecker cmd export -n myrun \
--url https://first-server.codechecker.com:443 2>/dev/null | python -m json.tool > myrun_export.json
# Import data to another server.
CodeChecker cmd import -i myrun_export.json --url https://second-server.codechecker.com:443
The report-converter tool was extended with two more analyzers:
- Sparse, which is a semantic checker for C programs; it can be used to find a number of potential problems with kernel code.
- CppLint, which is a lint-like tool that checks C++ code against the Google C++ Style Guide.
For more information see.
maximum CPU resources by default during analysis (#3249).
ccache compiler detection (#3204).
altera-unroll-loops to the list of checkers (#3266).
cyclic-import and consider-iterating-dictionary checks (#3314).