PVS-Studio release history
- Watch, don't read (YouTube)
- PVS-Studio 7.28 (December 5, 2023)
- PVS-Studio 7.27 (October 11, 2023)
- PVS-Studio 7.26 (August 9, 2023)
- PVS-Studio 7.25 (June 7, 2023)
- PVS-Studio 7.24 (April 5, 2023)
- PVS-Studio 7.23 (February 8, 2023)
- PVS-Studio 7.22 (December 7, 2022)
- PVS-Studio 7.21 (October 11, 2022)
- PVS-Studio 7.20 (August 10, 2022)
- PVS-Studio 7.19 (June 8, 2022)
- PVS-Studio 7.18 (April 6, 2022)
- PVS-Studio 7.17 (February 9, 2022)
- PVS-Studio 7.16 (December 8, 2021)
- PVS-Studio 7.15 (October 7, 2021)
- PVS-Studio 7.14 (August 9, 2021)
- PVS-Studio 7.13 (May 31, 2021)
- PVS-Studio 7.12 (March 11, 2021)
- PVS-Studio 7.11 (December 17, 2020)
- PVS-Studio 7.10 (November 5, 2020)
- PVS-Studio 7.09 (August 27, 2020)
- PVS-Studio 7.08 (June 18, 2020)
- PVS-Studio 7.07 (April 16, 2020)
- PVS-Studio 7.06 (February 27, 2020)
- PVS-Studio 7.05 (December 10, 2019)
- PVS-Studio 7.04 (September 4, 2019)
- PVS-Studio 7.03 (June 25, 2019)
- PVS-Studio 7.02 (April 25, 2019)
- PVS-Studio 7.01 (March 13, 2019)
- PVS-Studio 7.00 (January 16, 2019)
- Release history for old versions
PVS-Studio is an actively developing analyzer. For example, our team is constantly improving its integration with such systems as PlatformIO, Azure DevOps, Travis CI, CircleCI, GitLab CI/CD, Jenkins, SonarQube, etc. However, the best way to demonstrate the development of analyzer capabilities is to show the graph of the number of diagnostics.
Figure 1. Graph of increasing the number of diagnostics in PVS-Studio
As you can see, we are actively improving the capabilities of the analyzer to detect new error patterns and at the same time are pushing the development of other tools :). More detailed information on innovations in various versions of the analyzer is presented below.
Watch, don't read (YouTube)
PVS-Studio 7.28 (December 5, 2023)
- Now the PVS-Studio analyzers can be used on the ARM architecture on Windows. PVS-Studio works in x64 compatibility mode. Next year, we plan to implement the native ARM analyzer version for macOS.
- PVS-Studio for C# now supports the analysis of .NET 8 projects. The C# analyzer on Linux and macOS will be working under .NET 8.
- We added the support for relative paths in the SARIF reports.
- When analyzing Unreal Engine projects with PVS-Studio, we often encounter issues with high memory usage and analysis slowdown. They are usually encountered when individual translation units are combined into a single file (the Unity Build system). Although the merging of translation units may have a positive impact on the compilation time, the large file size may increase the resource requirements for analysis. We have added a new section to the documentation on analyzing Unreal Engine projects, which describes how to configure the analysis without Unity Build, while keeping the opportunity to use this mode for building the project.
- Added support for PVS-Studio plugin for Qt Creator v. 12.0.x.
- Now the analyzer supports wildcard-patterns in the compile commands for the compiler monitoring utility on Windows (CLMonitor).
- In the C# analyzer, we enhanced and standardized the enabling and disabling of separate diagnostic rules via the analyzer configuration files (.pvsconfig). You can read more about .pvsconfig in the documentation.
- In the C# analyzer, we enhanced the handling of parameters that have null as the default value. It enables the V3080 diagnostic rule to detect more errors related to null dereferencing.
- We fixed the compatibility issues between PVS-Studio and Visual Assist plugins for Visual Studio IDE.
- V1103. The values of padding bytes are unspecified. Comparing objects with padding using 'memcmp' may lead to unexpected result.
- V2624. MISRA. The initializer for an aggregate or union should be enclosed in braces.
- V3193. Data processing results are potentially used before asynchronous output reading is complete. Consider calling 'WaitForExit' overload with no arguments before using the data.
- V4005. Unity Engine. The expensive operation is performed inside method or property. Using such member in performance-sensitive context can lead to decreased performance.
- V6107. The constant NN is being utilized. The resulting value could be inaccurate. Consider using the KK constant.
PVS-Studio 7.27 (October 11, 2023)
- Now the PVS-Studio plugin for Visual Studio Code supports the analysis of .NET projects. In the plugin, you can run the analysis, view the analysis report, suppress warnings, etc. You can find more details in the documentation.
- We enhanced the mechanism of parsing C++ standard library for macOS.
- The automatic algorithm for selecting the number of simultaneously analyzed files was improved for C++ analyzer under Linux and macOS. Now not only the available logical cores are considered but also the amount of RAM available in the system. This enables the analyzer to set more optimal values for the default settings.
- In the PVS-Studio plugin for Rider, you can analyze Unreal Engine projects that are opened directly in Rider. Also, the plugin is now available for Rider 2023.2. You can find the documentation at this link.
- In the pvsconfig configuration file, you can now specify the paths in the analyzer report to be set relative to the solution directory. The new option is supported both when launching the analysis and when viewing the analyzer results in IDE plugins. The feature will make it easier to handle the analysis report when spreading it between the machines with different directory structures. You can find the documentation for pvsconfig here.
- Support for v80 and v90 platform toolsets was returned to CLMonitor utility.
- We completely revised the Java analyzer documentation. Now each usage scenario has a separate section: Maven integration, Gradle integration, using PVS-Studio in IntelliJ IDEA and Android Studio, and using the Java analyzer directly from the command line.
- V1102. Unreal Engine. Violation of naming conventions may cause Unreal Header Tools to work incorrectly.
- V2623. MISRA. Macro identifiers should be distinct.
- V3192. Type member is used in the 'GetHashCode' method but is missing from the 'Equals' method.
- V4004. Unity Engine. New array object is returned from method and property. Using such member in performance-sensitive context can lead to decreased performance
PVS-Studio 7.26 (August 9, 2023)
- Now the PVS-Studio plugin for Visual Studio Code supports analysis of C and C++ projects that use the CMake build system. You can also set the baseline level for warnings. It enables you to "clean" the old project code from PVS-Studio warnings and start analyzing only the code written after the analyzer has been introduced.
- The PVS-Studio plugin for Qt Creator now supports checking projects that use QMake, CMake, or Qbs. Moreover, warning suppression via suppress files is now available directly in the plugin. You can find the documentation for the plugin here.
- The Spoon library used by the Java analyzer for code analysis has been updated to version 10.3.0. This enables you to check projects that use JDK 20 and Java 20 language constructs while maintaining backward compatibility with all previous versions.
- The PVS-Studio analysis results can now be integrated with DefectDojo, the system for managing the application security workflow. The documentation is available here.
- Now the C# analyzer recognizes the 'NotNullWhen' and 'NotNullIfNotNull' attributes in projects that use nullable context.
- In the C++ analyzer, we have enhanced the user annotation mechanism. Now it is possible to write annotations for functions at any nesting level. You can also use the function name without specifying the class and namespace when annotating. Guidelines for user annotations can be found here.
- The PVS-Studio warning classification page according to the CWE Top 25 Most Dangerous Software Weaknesses has been updated to the 2023 edition. PVS-Studio detects 64% of the listed types of vulnerabilities.
- V838. Temporary object is constructed during lookup in ordered associative container. Consider using a container with heterogeneous lookup to avoid construction of temporary objects.
- V1100. Unreal Engine. Declaring a pointer to a type derived from 'UObject' in a class that is not derived from 'UObject' is dangerous. The pointer may start pointing to an invalid object after garbage collection.
- V1101. Changing the default value of a virtual function parameter in a derived class may result in unexpected behavior.
- V3191. Iteration through collection makes no sense because it is always empty.
- V4002. Unity Engine. Avoid storing consecutive concatenations inside a single string in performance-sensitive context. Consider using StringBuilder to improve performance.
- V4003. Unity Engine. Avoid capturing variable in performance-sensitive context. This can lead to decreased performance.
PVS-Studio 7.25 (June 7, 2023)
- We updated the documentation on analysis in commit and branch merge mode (pull/merge requests). The documentation now also has separate pages on using the analyzer in AppVeyor and Buddy.
- We also added instructions for integrating the C# analysis results into SonarQube under Linux. You can find it here.
- The PVS-Studio plugin for Qt Creator is now available for versions 10.0.x. The plugin for Rider now supports versions 2022.2.3 and higher.
- We updated versions of the MSBuild and Roslyn libraries used by the analyzer. This helped solve issues related to the analysis of C# projects where code is generated via attributes.
- The decreased analysis performance on Intel 12th gen processors is now fixed. This enhancement is relevant for analysis of C++ projects for MSBuild.
- New features for the analysis and diagnostic configuration files (pvsconfig): specifying the loading priority of these files, enabling individual diagnostics (C++ only), as well as the ability to ignore global settings from Settings.xml (only when working via Visual Studio or PVS-Studio_Cmd.exe). You can find the details in the documentation.
- V837. The 'emplace' / 'insert' function does not guarantee that arguments will not be copied or moved if there is no insertion. Consider using the 'try_emplace' function.
- V1098. The 'emplace' / 'insert' function call contains potentially dangerous move operation. Moved object can be destroyed even if there is no insertion.
- V1099. Using the function of uninitialized derived class while initializing the base class will lead to undefined behavior.
- V2020. The loop body contains the 'break;' / 'continue;' statement. This may complicate the control flow.
- V3190. Concurrent modification of a variable may lead to errors.
- V4001. Unity Engine. Boxing inside a frequently called method may decrease performance.
PVS-Studio 7.24 (April 5, 2023)
- Now the analyzer has a better understanding of 'null' comparisons in Unity-based projects. PVS-Studio now issues fewer false positives for Unity projects, allowing you to focus only on the relevant warnings.
- Improved support for C# 9: PVS-Studio now takes into account that expressions with the postfix '!' (null-forgiving operator) do not return 'null'. Yet, whether or not the postfix is present, the analyzer nonetheless issues warnings on dereferences of expressions whose values are definitely equal to 'null'.
- The interface for handling suppress files (*.suppress) in the plugin for Visual Studio has been considerably expanded. Now you can have multiple suppress files for each project, view warnings from selected suppress files, transfer warnings between suppress files, etc. You can find the details in the documentation.
- A new Suppression mode is available in the PVS-Studio_Cmd.exe and pvs-studio-dotnet utilities. Now you can suppress warnings by diagnostics codes, groups, or file paths, as well as to add new suppress files into the project and so on. You can find more information on the new mode in the documentation.
- The PVS-Studio C++ analyzer now better chooses specializations for class templates.
- V1095. Usage of potentially invalid handle. The value should be non-negative.
- V1096. Variable with static storage duration is declared inside the inline function with external linkage. This may lead to ODR violation.
- V1097. Line splice results in a character sequence that matches the syntax of a universal-character-name. Using this sequence lead to undefined behavior.
- V3187. Parts of an SQL query are not delimited by any separators or whitespaces. Executing this query may lead to an error.
- V3188. The value of an expression is a potentially destroyed Unity object or null. Member invocation on this value may lead to an exception.
- V3189. The assignment to a member of the readonly field will have no effect when the field is of a value type. Consider restricting the type parameter to reference types.
PVS-Studio 7.23 (February 8, 2023)
- The PVS-Studio plugin is now available for Qt Creator 9.0.x versions. It can also now be used not only on Windows and Linux but also on macOS on the x86-64 architecture.
- We added a description of the analysis configuration file (Settings.xml) into the documentation. You can use this file to set up the analysis in PVS-Studio plugins for IDEs.
- We fixed an issue with the Java analyzer starting, appeared due to undetected dependency libraries on some Linux distributions.
- Now the CMake module works correctly on projects that use the NMake generator and contain a large number of files.
- V1093. The result of the right shift operation will always be 0. The right operand is greater than or equal to the number of bits in the left operand.
- V1094. Conditional escape sequence in literal. Its representation is implementation-defined.
- V3184. The argument's value is greater than the size of the collection. Passing the value into the 'Foo' method will result in an exception.
- V3185. An argument containing a file path could be mixed up with another argument. The other function parameter expects a file path instead.
- V3186. The arguments violate the bounds of collection. Passing these values into the method will result in an exception.
PVS-Studio 7.22 (December 7, 2022)
- We released the PVS-Studio plugin for Visual Studio Code. The plugin allows you to handle analyzer reports: view warnings, filter them, etc. You can't run code analysis yet — we plan to add this feature in future releases. The documentation is available here.
- We released the PVS-Studio plugin for Qt Creator. The functionality is the same as that of the plugin for Visual Studio Code: you can handle reports, but you can't run analysis yet. The documentation is available here.
- The Best Warnings mechanism is improved: we enhanced algorithms and adjusted the "weights" of diagnostics — the selection of the most interesting warnings became better. Also, we changed the interface: the filter button is now located on the main panel of the PVS-Studio window. If needed, you can hide the button in the settings (the "Show Best Warnings Button" option). The updated documentation on Best Warnings is available here.
- Best Warnings is now available not only in the plugin for Visual Studio but also in the C and C++ Compiler Monitoring UI utility, as well as in plugins for IntelliJ IDEA, Rider, CLion.
- PVS-Studio C# now supports the analysis of .NET 7 projects and projects using C#11. The C# analyzer on Linux and macOS now works on .NET 7.
- The C# analyzer now checks @code blocks in .razor files. This will help to run deeper analysis of web projects.
- PlogConverter and plog-converter utilities now provide new filtering capabilities of the analyzer reports. You can filter warnings and leave only those that are issued for certain files (the --includePaths flag). Also, you can do the opposite: exclude warnings issued for the specified files from the report (--excludePaths). You can find the details in the documentation.
- V836. Decreased performance. Unnecessary copying is detected when declaring a variable. Consider declaring the variable as a reference.
- V2018. Cast should not remove 'const' qualifier from the type that is pointed to by a pointer or a reference.
- V2019. Cast should not remove 'volatile' qualifier from the type that is pointed to by a pointer or a reference.
- V3183. Code formatting implies that the statement should not be a part of the 'then' branch that belongs to the preceding 'if' statement.
- V5626. OWASP. Possible ReDoS vulnerability. Potentially tainted data is processed by regular expression that contains an unsafe pattern.
- V5627. OWASP. Possible NoSQL injection. Potentially tainted data is used to create query.
- V5628. OWASP. Possible Zip Slip vulnerability. Potentially tainted data is used in the path to extract the file.
PVS-Studio 7.21 (October 11, 2022)
- The PVS-Studio analyzer's results now can be converted into reports compatible with GitLab Code Quality. The documentation describes how to do it.
- We continue to enhance PVS-Studio's integration with Unreal Engine. We made a pull request that allows to use more of the analyzer's settings in UE projects analysis. For example, you can specify a timeout for file analysis. The changes have already been committed to the engine's code. The new features will be available in the next version of Unreal Engine.
- Unreal Engine projects can be checked not only on Windows, but also on Linux. You can learn more about it in the documentation.
- The PVS-Studio analyzer now works better with a larger number of types specific to Unreal Engine.
- All the necessary information about diagnostic configuration files (.pvsconfig files) is gathered on a separate documentation page.
- Now you can automatically filter analyzer warnings whose messages contain the specified text. The feature allows you to suppress specific diagnostics' warnings that match a template — without disabling the diagnostics completely. You can create a filter of this kind in .pvsconfig files (C++, C#) or directly in code (C++ only).
- The PVS-Studio plugin for Visual Studio now supports JSON suppress files. This format was previously supported only in utilities on Linux and macOS. This simplifies the use of suppress files in cross-platform scenarios. It is also now easier to integrate PVS-Studio in the development process of cross-platform projects that contain legacy code.
- V1090. The 'std::uncaught_exception' function is deprecated since C++17 and is removed in C++20. Consider replacing this function with 'std::uncaught_exceptions'.
- V1091. The pointer is cast to an integer type of a larger size. Casting pointer to a type of a larger size is an implementation-defined behavior.
- V1092. Recursive function call during the static/thread_local variable initialization might occur. This may lead to undefined behavior.
- V3178. Calling method or accessing property of potentially disposed object may result in exception.
- V3179. Calling element access method for potentially empty collection may result in exception.
- V3180. The 'HasFlag' method always returns 'true' because the value '0' is passed as its argument.
- V3181. The result of '&' operator is '0' because one of the operands is '0'.
- V3182. The result of '&' operator is always '0'.
PVS-Studio 7.20 (August 10, 2022)
- The Unreal Engine developers fixed the engine's inability to find PVS-Studio by the default path. Starting from Unreal Engine 5.0.3 you can analyze your projects without any workarounds.
- We've enhanced the analysis of projects on Unreal Engine. PVS-Studio now issues fewer false positives and understands more about types native for this engine. For example, about analogues for containers from the C++ standard library.
- PVS-Studio learned to search for dependencies with known vulnerabilities in C# projects. To find them, the tool performs software composition analysis (SCA). You can read more about this in the documentation for the V5625 diagnostic rule.
- PVS-Studio covers all categories from the OWASP Top 10 2021. We covered the last, A06, by implementing SCA. You can see which diagnostic rules search for security weaknesses from OWASP Top 10 2021 on a special page.
- pvs-studio-analyzer and CompilerCommandsAnalyzer perform cross-platform analysis of C and C++ projects. Now these utilities better determine compilers used in projects. If they failed to determine the compiler type, you can specify it explicitly. This feature is especially useful in embedded development, where compilers have many different names. Read more here: the '--compiler' flag.
- We also enhanced these utilities (pvs-studio-analyzer and CompilerCommandsAnalyzer) to make cross-platform analysis of C and C++ projects even more user-friendly. The new documentation section contains description of their use case scenarios, command-line flags, exit codes.
- We supported analysis of projects based on the compilation database (compile_commands.json) created in Qt Creator. You can read about the compilation database generation here.
- We supported the latest versions (2022.2) of the JetBrains IDEs: Rider, CLion, IntelliJ IDEA.
- V1086. Call of the 'Foo' function will lead to buffer underflow.
- V1087. Upper bound of case range is less than its lower bound. This case may be unreachable.
- V1088. No objects are passed to the 'std::scoped_lock' constructor. No locking will be performed. This can cause concurrency issues.
- V1089. Waiting on condition variable without predicate. A thread can wait indefinitely or experience a spurious wake up.
- V3177. Logical literal belongs to second operator with a higher priority. It is possible literal was intended to belong to '??' operator instead.
- V5624. OWASP. Use of potentially tainted data in configuration may lead to security issues.
- V5625. OWASP. Referenced package contains vulnerability.
PVS-Studio 7.19 (June 8, 2022)
- We've updated the documentation on using PVS-Studio with Unreal Engine based projects. The updates touch upon the differences in configuring analysis for distinct engine versions, and also describe excluding files from analysis and baselining analyzer results on your legacy codebase. Important notice: despite PVS-Studio being fully compatible with the latest Unreal Engine 5.0 and later versions, there is currently an unresolved bug in the integration between the analyzer and the engine build system, at the build engine side. We are working together with engine developers to resolve this issue. There are available workarounds, described in our documents, until the issue is resolved at the engine side.
- PVS-Studio C++ analyzer improved its recognition of target platform for QNX Momentics QCC compiler family. Incorrect recognition of platform had caused potential false positives in previous analyzer versions.
- PVS-Studio extension for SonarQube continuous code quality assurance system can now read JSON cross platform analyzer reports. This allows you to utilize a single analyzer report format independent of the platform used to run the analysis.
- Continuing the subject of improving the handling of analyzer reports - a new section of our documentation summarizes all the facilities available in PVS-Studio for generating, handling and converting analysis results on all of supported platforms.
- Automatic developer notification tool blame-notifier now supports sending configurable email notifications: you can attach various files (including a full analyzer report) to the message, as well as set the subject of the message.
- It is now possible to analyze Unreal Engine based projects under PVS-Studio free license. As a reminder, PVS-Studio free license is available for students and is activated by appending special comments to the analyzed source code. Previous PVS-Studio versions limited Unreal Engine analysis to Enterprise-level licenses only.
- V834. Incorrect type of a loop variable. This leads to the variable binding to a temporary object instead of a range element.
- V835. Passing cheap-to-copy argument by reference may lead to decreased performance.
- V1083. Signed integer overflow in arithmetic expression. This leads to undefined behavior.
- V1084. The expression is always true/false. The value is out of range of enum values.
- V1085. Negative value is implicitly converted to unsigned integer type in arithmetic expression.
- V3175. Locking operations must be performed on the same thread. Using 'await' in a critical section may lead to a lock being released on a different thread.
- V3176. The '&'= or '|=' operator is redundant because the right operand is always true/false.
- V5622. OWASP. Possible XPath injection. Potentially tainted data is used in the XPath expression.
- V5623. OWASP. Possible open redirect vulnerability. Potentially tainted data is used in the URL.
PVS-Studio 7.18 (April 6, 2022)
- PVS-Studio expands its support of OWASP Top 10 list of the most common Web-application security risks. At the moment, 9 out of 10 categories are covered. We plan to expand the analyzer to the last remaining category, A6 Vulnerable and Outdated Components, in one of the upcoming future releases, by implementing SCA (Software Composition Analysis) capabilities in PVS-Studio C# analyzer.
- This release brings an improved and updated semantic analysis system to PVS-Studio C and C++ analyzer, which is based on a new representation of type system of the analyzed source code. Adopting new type system representation allows the analyzer to significantly improve its understanding of modern C++ language, with its complex expressions, templates, standard library, etc. Many analyzer rules will benefit from this by expanding the variety and number of potentially dangerous code fragments they can discover, and also by reducing the number of mistakes that the rules can potentially make. However, considering the fundamental nature of the change in the analyzer, it is possible that new false-positive messages can also appear. If you experience such new false-positives, please write us - we always strive to fix any remaining analyzer mistakes as soon as possible.
- The PVS-Studio compiler monitoring system for Windows introduces a new 'wrapping' trace mode based on IFEO (Image File Execution Options) settings. Compiler monitoring is an all-round way of 'seamless' integration into any build system, as long as such build system utilizes one of the compilers supported by PVS-Studio. The new mode requires additional configuration before it can be used, making it a bit harder to set up. However, it solves a significant flaw of the monitoring system - skipping of short-lived processes. This flaw is especially devastating while using monitoring on tracing the compilation of C code for embedded platforms. The new wrapping mode allows to use compiler monitoring for such scenarios without skipping a single source file.
- A new section of documentation contains instructions on working with PVS-Studio analysis results from Visual Studio Code editor. The ability to convert analyzer report to the universal SARIF format also allows this report to be loaded into Visual Studio Code with the help of SARIF Viewer extension.
- A new dedicated section in analyzer documentation explores direct integration with CMake build automation system through native Cmake module for PVS-Studio. CMake module can now also be used under Microsoft Windows, and supports baselining analyzer results though suppress files.
- Yet another new documentation section talks about setting-up PVS-Studio analysis inside GitHub Action cloud CI system.
- PVS-Studio C++ analyzer for Visual Studio now supports analyzing Microsoft GDK (Game Development Kit) projects.
- New multiline navigation variants of errorfile, tasklist and SARIF log output formats were added to plog-converter log conversion tools.
- V1079. Parameter of 'std::stop_token' type is not used inside function's body.
- V1080. Call of 'std::is_constant_evaluated' function always returns the same value.
- V1081. Argument of abs() function is minimal negative value. Such absolute value can't be represented in two's complement. This leads to undefined behavior.
- V1082. Function marked as 'noreturn' may return control. This will result in undefined behavior.
- V5619. OWASP. Possible log injection. Potentially tainted data is written into logs.
- V5620. OWASP. Possible LDAP injection. Potentially tainted data is used in a search filter.
- V5621. OWASP. Error message contains potentially sensitive data that may be exposed.
PVS-Studio 7.17 (February 9, 2022)
- PVS-Studio analyzer for C and C++ languages now supports analyzing projects for C6000-CGT - a compiler for embedded systems developed by Texas Instruments. You can check the full list of platforms and compilers supported by PVS-Studio on our site.
- You can now suppress and unsuppress analyzer messages in Unreal Engine projects directly from PVS-Studio IDE extensions for Microsoft Visual Studio and JetBrains Rider. You can read more about baselining analyzer results in Unreal Engine projects from command line and IDE extensions in our documentation (see sections ' Suppression of analyzer warnings in Unreal Engine projects' and ' Suppression of analyzer warnings in the PVS-Studio plugins for CLion and Rider').
- We added a range of new annotations to PVS-Studio C# analyzer for the most common classes in ASP.NET Core libraries. This will allow the analyzer to better understand the code from projects that utilize ASP.NET.
- There is a partial change in the hash algorithm used by both the cross-platform LLVM Compilation Database analysis and tracing tool (pvs-studio-analyzer), and analysis log conversion tool (plog-converter). The hash algorithm is used by these tools to generate json message suppression files intended for baselining analysis results. The support for old-format suppress files still remains as a backward compatibility. However, if you wish to append your suppress files, we do advise to re-generate the suppress files in the new format. This change is necessary to make json suppress files fully cross-platform for all use-case scenarios of PVS-Studio in the upcoming future releases.
- V1077. Constructor contains potentially uninitialized members.
- V1078. An empty container is iterated. The loop will not be executed.
- V2017. String literal is identical to variable name. It is possible that the variable should be used instead of the string literal.
- V3174. Suspicious subexpression in a sequence of similar comparisons.
- V5617. OWASP. Assigning potentially negative or large value as timeout of HTTP session can lead to excessive session expiration time.
- V5618. OWASP. Possible server-side request forgery. Potentially tainted data is used in the URL.
PVS-Studio 7.16 (December 8, 2021)
- PVS-Studio now supports Microsoft Visual Studio 2022. Analyzer can be used with Visual C++ and C# projects targeting new compiler versions and standard C++ and C# libraries available in this new IDE version.
- PVS-Studio C# analyzer now supports Microsoft .NET 6 platform and a new version of C# language: C# 10.0.
- Support for MISRA C safety and reliability coding standard has reached 80% in this release, with full coverage of Mandatory and most of the Required categories. In future releases we plan to give more focus to other security standards, as well as to the general-purpose diagnostic rules.
- The baselining of analyzer messages through message suppression is extended to support Unreal Engine projects. Though in the current version of PVS-Studio the baselining for UE projects will only be available for the command line analyzer, the next release will feature baselining integration with Microsoft Visual Studio and JetBrains Rider PVS-Studio extensions.
- Also, we have a new documentation section explaining how to use PVS-Studio to check projects whose build model is represented in the JSON Compilation Database format. This method is available for projects based on CMake, QBS, Ninja, etc.
- PVS-Studio plug-ins for JetBrains IDEA and Android Studio, Rider and CLion now support re-assigning shortcuts for the most common commands: handling analyzer report, running the analysis, etc.
- V833. Using 'std::move' function with const object disables move semantics.
- V1076. Code contains invisible characters that may alter its logic. Consider enabling the display of invisible characters in the code editor.
- V2615. MISRA. A compatible declaration should be visible when an object or function with external linkage is defined.
- V2616. MISRA. All conditional inclusion preprocessor directives should reside in the same file as the conditional inclusion directive to which they are related.
- V2617. MISRA. Object should not be assigned or copied to an overlapping object.
- V2618. MISRA. Identifiers declared in the same scope and name space should be distinct.
- V2619. MISRA. Typedef names should be unique across all name spaces.
- V2620. MISRA. Value of a composite expression should not be cast to a different essential type category or a wider essential type.
- V2621. MISRA. Tag names should be unique across all name spaces.
- V2622. MISRA. External object or function should be declared once in one and only one file.
- V5616. OWASP. Possible command injection. Potentially tainted data is used to create OS command.
PVS-Studio 7.15 (October 7, 2021)
- This release introduces, for the users of PVS-Studio plug-in for Visual Studio, a new way of checking analysis log for the most interesting warnings among all others found in an analyzed project. The name of this new mode is Analyzer Best Warnings. PVS-Studio have always grouped its warnings into 3 certainty levels, and these levels were usually used for prioritizing the most interesting ones when reviewing the analysis results - the best ones were expected to be on the 1st level. In this new version of the analyzer, we developed a more sophisticated and precise algorithm of evaluating the reliability of warning messages. Besides warning message levels, it takes into account a number of other criteria, which can be subdivided into the static (an average 'value' of an analyzer rule) and dynamic ones, based on the warnings generated on a particular source code base (such as, for example, the total number of warnings for a particular rule). In future releases we plan on expanding this new mode, as well as adding it to our other supported IDEs and analyzer integrations. You can find more details on the Analyzer Best Warnings mode in our blog and documentation.
- We now provide a mapping for PVS-Studio rules with CWE Top 25 Most Dangerous Software Weaknesses list. PVS-Studio analyzers for C, C++, C# and Java already provide coverage for more than a half of CWE Top 25 categories, and we plan on expanding this coverage in future releases.
- In order to increase the quality of analysis for Unreal Engine projects, annotations for several hundred functions from the game engine were added to PVS-Studio C++ analyzer.
- The coverage for the list of the most common and dangerous threats to application security, OWASP Top 10 2017, was increased up to 9 categories our of 10. This makes only a single category remaining that is not covered by PVS-Studio - using components with known vulnerabilities. This category is usually covered by a distinct class of specialized tools - SCA (Software Composition Analysis). In future releases of PVS-Studio, to cover the last remaining OWASP Top 10 category, we plan on implementing SCA for PVS-Studio C# analyzer.
- Support for MISRA C safety and reliability coding standard is increased up to 70% in this release. We plan on further increasing the coverage for this standard up to 80% percent or more until the end of this year.
- Visual Studio plug-in now allows you to set-up and reassign shortcuts for false positive and message suppression, as well as for marking analyzer messages.
- Analysis log conversion tools now support generating a compliance report based on the MISRA Compliance standard. You can find more information about MISRA compliance report and how to generate in in our blog.
- We further increased the performance of PVS-Studio C# analyzer by optimizing the time it takes to evaluate (parse) the projects before the analysis. You can read about it in our blog.
- PVS-Studio C++ analyzer now supports a standardized way of printing the ranges of variables for very high values. This may lead to some analyzer messages changing their text representation, which, it turn, could cause some of the analyzer warnings that were suppressed by baselining to reappear. If you encounter this, please re-suppress these analyzer messages.
- V1075. The function expects the file to be opened in one mode, but it was opened in different mode.
- V2604. MISRA. Features from <stdarg.h> should not be used.
- V2605. MISRA. Features from <tgmath.h> should not be used.
- V2606. MISRA. There should be no attempt to write to a stream that has been opened for reading.
- V2607. MISRA. Inline functions should be declared with the static storage class.
- V2608. MISRA. The 'static' storage class specifier should be used in all declarations of object and functions that have internal linkage.
- V2609. MISRA. There should be no occurrence of undefined or critical unspecified behaviour.
- V2610. MISRA. The ', " or \ characters and the /* or // character sequences should not occur in a header file name.
- V2611. MISRA. Casts between a pointer to an incomplete type and any other type shouldn't be performed.
- V2612. MISRA. Array element should not be initialized more than once.
- V2613. MISRA. Operand that is a composite expression has more narrow essential type than the other operand.
- V2614. MISRA. External identifiers should be distinct.
- V3173. Possible incorrect initialization of variable. Consider verifying the initializer.
- V3555. AUTOSAR. The 'static' storage class specifier should be used in all declarations of functions that have internal linkage.
- V5612. OWASP. Do not use old versions of SSL/TLS protocols as it may cause security issues.
- V5613. OWASP. Use of outdated cryptographic algorithm is not recommended.
- V5614. OWASP. Potential XXE vulnerability. Insecure XML parser is used to process potentially tainted data.
- V5615. OWASP. Potential XEE vulnerability. Insecure XML parser is used to process potentially tainted data.
PVS-Studio 7.14 (August 9, 2021)
- PVS-Studio now provides a plugin for JetBrains CLion which allows to comfortably use the analyzer with this IDE. You can read about our experience with developing the plugin in our blog. And here you can find all other JetBrains IDEs which already support native PVS-Studio integration.
- PVS-Studio C++ analyzer now supports intermodular analysis. This new mode allows the analyzer to recognize invocations of methods declared in different translation units. Intermodular analysis is also already supported in C# (at project level) and Java (at package level) PVS-Studio analyzers. This mode is disabled by default in PVS-Studio C++ analyzer because currently it can decrease the overall analysis speed. You can read about specific details of this new mode's operation and implementation in our blog.
- PVS-Studio now covers 6 out of 10 categories in the OWASP Top 10 - a list of most common and dangerous threats to security of Web-applications. Current release adds diagnostic rules to the A5 Broken Access Control, A7 Cross-Site Scripting (XSS) and A8 Insecure Deserialization categories. PVS-Studio plans to increase the OWASP Top 10 cover to 9 categories in the upcoming releases this year.
- Support for MISRA C code safety standard is increased up to 60%. In the upcoming releases we plan to continue increasing the MISRA C support up to 80% in this year. Also, PVS-Studio is currently implementing support for MISRA C Compliance standard to be available in future releases this year.
- PVS-Studio SonarQube plugin now supports SonarQube 8.9 LTS.
- PVS-Studio C# analyzer analysis speed was increased up to 2 times when analyzing large-scale (in the range of 10 000 source files) projects. C# analyzer can now utilize multi-core processors much more efficiently. We shared some of the insights we've discovered while optimizing our C# analyzer in our blog - some of these can be used to boost the performance for other classes of .NET applications as well.
- Individual C++ analyzer rules can now be switched off for a range of source code lines.
- V2015. An identifier declared in an inner scope should not hide an identifier in an outer scope.
- V2016. Consider inspecting the function call. The function was annotated as dangerous.
- V2584. MISRA. Expression used in condition should have essential Boolean type.
- V2585. MISRA. Casts between a void pointer and an arithmetic type should not be performed.
- V2586. MISRA. Flexible array members should not be declared.
- V2587. MISRA. The '//' and '/*' character sequences should not appear within comments.
- V2588. MISRA. All memory or resources allocated dynamically should be explicitly released.
- V2589. MISRA. Casts between a pointer and a non-integer arithmetic type should not be performed.
- V2590. MISRA. Conversions should not be performed between pointer to function and any other type.
- V2591. MISRA. Bit fields should only be declared with explicitly signed or unsigned integer type.
- V2592. MISRA. An identifier declared in an inner scope should not hide an identifier in an outer scope.
- V2593. MISRA. Single-bit bit fields should not be declared as signed type.
- V2594. MISRA. Controlling expressions should not be invariant.
- V2595. MISRA. Array size should be specified explicitly when array declaration uses designated initialization.
- V2596. MISRA. The value of a composite expression should not be assigned to an object with wider essential type.
- V2597. MISRA. Cast should not convert pointer to function to any other pointer type.
- V2598. MISRA. Variable length array types are not allowed.
- V2599. MISRA. The standard signal handling functions should not be used.
- V2600. MISRA. The standard input/output functions should not be used.
- V2601. MISRA. Functions should be declared in prototype form with named parameters.
- V2602. MISRA. Octal and hexadecimal escape sequences should be terminated.
- V2603. MISRA. The 'static' keyword shall not be used between [] in the declaration of an array parameter.
- V3172. The 'if/if-else/for/while/foreach' statement and code block after it are not related. Inspect the program's logic.
- V3552. AUTOSAR. Cast should not convert a pointer to a function to any other pointer type, including a pointer to function type.
- V3553. AUTOSAR. The standard signal handling functions should not be used.
- V3554. AUTOSAR. The standard input/output functions should not be used.
- V5609. OWASP. Possible path traversal vulnerability. Potentially tainted data is used as a path.
- V5610. OWASP. Possible XSS vulnerability. Potentially tainted data might be used to execute a malicious script.
- V5611. OWASP. Potential insecure deserialization vulnerability. Potentially tainted data is used to create an object using deserialization.
PVS-Studio 7.13 (May 31, 2021)
- PVS-Studio C# analyzer can now analyze projects for .NET 5 platform. You can read about this in more detail in our blog.
- A new diagnostic rule for OWASP ASVS standard, that was added in this release to PVS-Studio C# analyzer, can find SQL Injection tainted data patterns (the rule V5608). The tainted data category of potential security vulnerabilities holds an important position in OWASP Top 10 rating. In future releases we plan to expand PVS-Studio capabilities to include the detection of more tainted data patterns.
- The Blame Notifier automatic analysis report generation and notification tool now supports sorting analyzer messages by commit numbers and dates based on blame information retrieved from version control system. This allows you to identify analyzer warnings that appeared on a particular day. You can read about this new mode in more detail in our blog.
- Continuing on the topic of automatic publication of analyzer reports - it is now possible to accomplish this without using our Blame Notifier tool. One of our users created a lightweight alternative (which does not depend upon .NET) which you can find on GitHub.
- Support for analyzing Ninja projects under Windows though JSON Compilation Database (compile_commands.json) was improved for PVS-Studio C++ analyzer.
- By using clang to build PVS-Studio C++ analyzer we've achieved an overall improvement in analyzer's performance up to 10% when analyzing source files on Windows operating system.
- PVS-Studio JetBrains Rider plugin now supports Rider 2021.1.
- File with suppressed analyzer messages can now be specified directly through command line for PVS-Studio_Cmd.exe, a tool for analyzing C++ and C# Visual Studio projects. Previous analyzer versions could only read suppression files through project or solution.
- V832. It's better to use '= default;' syntax instead of empty body.
- V1070. Signed value is converted to an unsigned one with subsequent expansion to a larger type in ternary operator.
- V1071. Consider inspecting the 'foo' function. The return value is not always used.
- V1072. The buffer is securely cleared not on all execution paths.
- V1073. Consider checking for misprints. Check the following code block after the 'if' statement.
- V1074. Boundary between numeric escape sequence and string is unclear. The escape sequence ends with a letter and the next character is also a letter. Check for typos.
- V2577. MISRA. The function argument corresponding to a parameter declared to have an array type should have an appropriate number of elements.
- V2578. MISRA. An identifier with array type passed as a function argument should not decay to a pointer.
- V2579. MISRA. Macro should not be defined with the same name as a keyword.
- V2580. MISRA. The 'restrict' specifier should not be used.
- V2581. MISRA. Single-line comments should not end with a continuation token.
- V2582. MISRA. Block of memory should only be freed if it was allocated by a Standard Library function.
- V2583. MISRA. Line whose first token is '#' should be a valid preprocessing directive.
- V3170. Both operands of the '??' operator are identical.
- V3171. Potentially negative value is used as the size of an array.
- V3551. AUTOSAR. An identifier with array type passed as a function argument should not decay to a pointer.
- V5013. OWASP. Storing credentials inside source code can lead to security issues.
- V5608. OWASP. Possible SQL injection. Potentially tainted data is used to create SQL command.
PVS-Studio 7.12 (March 11, 2021)
- PVS-Studio now provides mapping for its diagnostic rules to the list of most common security threats OWASP Top 10 Web Application Security Risks. This list is based on the consensus of security experts from around the world and is intended to give developers and security specialists the necessary information for prompt identification and removal of security risks from their applications.
- We extended the analyzer's capabilities for handling security (SEI CERT, OWASP ASVS) and safety (MISRA C, MISRA C++, AUTOSAR C++ 14 Coding Guidelines) standards. Now PVS-Studio not only provides the mapping of its diagnostic rules on web resources, but also renders the relevant information into all of its report formats (XML, Json, HTML, etc.), IDE integrations (Visual Studio, IntelliJ IDEA, Jetbrains Rider) and SonarQube integration (Security Category section and tags). You can read about all of the new PVS-Studio security-related capabilities in our blog.
- PVS-Studio C++ analyzer on Linux now supports IAR ARM and QNX compilers.
- CLMonitor.exe, a tool for monitoring and tracing C++ compiler invocations, now supports specification of individual source files for analysis, including the ability to specify individual header files (with support from compilation dependency system). This mode can be used to automate the analysis of merge and pull requests.
- Additional mode for disabling individual analyzer rules or groups of rules according to warning certainty levels was implemented for .pvsconfig rules configuration files and rule control comments in the source code (C++ analyzer only). You can find examples and details of this new mode in our documentation (Complete warning disabling subsection).
- Analyzing projects for MPLAB XC8 is now supported.
- V1068. Do not define an unnamed namespace in a header file.
- V1069. Do not concatenate string literals with different prefixes.
- V2575. MISRA. The global namespace should only contain 'main', namespace declarations and 'extern "C"' declarations.
- V2576. MISRA. The identifier 'main' should not be used for a function other than the global function 'main'.
- V3167. Parameter of 'CancellationToken' type is not used inside function's body.
- V3168. Awaiting on expression with potential null value can lead to throwing of 'NullReferenceException'.
- V3169. Suspicious return of a local reference variable which always equals null.
- V3501. AUTOSAR. Octal constants should not be used.
- V3502. AUTOSAR. Size of an array is not specified.
- V3503. AUTOSAR. The 'goto' statement shouldn't jump to a label declared earlier.
- V3504. AUTOSAR. The body of a loop\conditional statement should be enclosed in braces.
- V3505. AUTOSAR. The function with the 'atof/atoi/atoll/atoll' name should not be used.
- V3506. AUTOSAR. The function with the 'abort/exit/getenv/system' name should not be used.
- V3507. AUTOSAR. The macro with the 'setjmp' name and the function with the 'longjmp' name should not be used.
- V3508. AUTOSAR. Unbounded functions performing string operations should not be used.
- V3509. AUTOSAR. Unions should not be used.
- V3510. AUTOSAR. Declaration should contain no more than two levels of pointer nesting.
- V3511. AUTOSAR. The 'if' ... 'else if' construct should be terminated with an 'else' statement.
- V3512. AUTOSAR. Literal suffixes should not contain lowercase characters.
- V3513. AUTOSAR. Every switch-clause should be terminated by an unconditional 'break' or 'throw' statement.
- V3514. AUTOSAR. The 'switch' statement should have 'default' as the last label.
- V3515. AUTOSAR. All integer constants of unsigned type should have 'u' or 'U' suffix.
- V3516. AUTOSAR. A switch-label should only appear at the top level of the compound statement forming the body of a 'switch' statement.
- V3517. AUTOSAR. The functions from time.h/ctime should not be used.
- V3518. AUTOSAR. A switch-expression should not have Boolean type. Consider using of 'if-else' construct.
- V3519. AUTOSAR. The comma operator should not be used.
- V3520. AUTOSAR. Any label should be declared in the same block as 'goto' statement or in any block enclosing it.
- V3521. AUTOSAR. The loop counter should not have floating-point type.
- V3522. AUTOSAR. Unreachable code should not be present in the project.
- V3523. AUTOSAR. Functions should not have unused parameters.
- V3524. AUTOSAR. The value of uninitialized variable should not be used.
- V3525. AUTOSAR. Function with a non-void return type should return a value from all exit paths.
- V3526. AUTOSAR. Expression resulting from the macro expansion should be surrounded by parentheses.
- V3527. AUTOSAR. The return value of non-void function should be used.
- V3528. AUTOSAR. The address of an object with local scope should not be passed out of its scope.
- V3529. AUTOSAR. Floating-point values should not be tested for equality or inequality.
- V3530. AUTOSAR. Variable should be declared in a scope that minimizes its visibility.
- V3531. AUTOSAR. Expressions with enum underlying type should have values corresponding to the enumerators of the enumeration.
- V3532. AUTOSAR. Unary minus operator should not be applied to an expression of the unsigned type.
- V3533. AUTOSAR. Expression containing increment (++) or decrement (--) should not have other side effects.
- V3534. AUTOSAR. Incorrect shifting expression.
- V3535. AUTOSAR. Operand of sizeof() operator should not have other side effects.
- V3536. AUTOSAR. A pointer/reference parameter in a function should be declared as pointer/reference to const if the corresponding object was not modified.
- V3537. AUTOSAR. Subtraction, >, >=, <, <= should be applied only to pointers that address elements of the same array.
- V3538. AUTOSAR. The result of an assignment expression should not be used.
- V3539. AUTOSAR. Array indexing should be the only form of pointer arithmetic and it should be applied only to objects defined as an array type.
- V3540. AUTOSAR. There should be no implicit integral-floating conversion.
- V3541. AUTOSAR. A function should not call itself either directly or indirectly.
- V3542. AUTOSAR. Constant expression evaluation should not result in an unsigned integer wrap-around.
- V3543. AUTOSAR. Cast should not remove 'const' / 'volatile' qualification from the type that is pointed to by a pointer or a reference.
- V3544. AUTOSAR. The 'operator &&', 'operator ||', 'operator ,' and the unary 'operator &' should not be overloaded.
- V3545. AUTOSAR. Operands of the logical '&&' or the '||' operators, the '!' operator should have 'bool' type.
- V3546. AUTOSAR. Conversions between pointers to objects and integer types should not be performed.
- V3547. AUTOSAR. Identifiers that start with '__' or '_[A-Z]' are reserved.
- V3548. AUTOSAR. Functions should not be declared at block scope.
- V3549. AUTOSAR. The global namespace should only contain 'main', namespace declarations and 'extern "C"' declarations.
- V3550. AUTOSAR. The identifier 'main' should not be used for a function other than the global function 'main'.
- V5001. OWASP. It is highly probable that the semicolon ';' is missing after 'return' keyword.
- V5002. OWASP. An empty exception handler. Silent suppression of exceptions can hide the presence of bugs in source code during testing.
- V5003. OWASP. The object was created but it is not being used. The 'throw' keyword could be missing.
- V5004. OWASP. Consider inspecting the expression. Bit shifting of the 32-bit value with a subsequent expansion to the 64-bit type.
- V5005. OWASP. A value is being subtracted from the unsigned variable. This can result in an overflow. In such a case, the comparison operation can potentially behave unexpectedly.
- V5006. OWASP. More than N bits are required to store the value, but the expression evaluates to the T type which can only hold K bits.
- V5007. OWASP. Consider inspecting the loop expression. It is possible that the 'i' variable should be incremented instead of the 'n' variable.
- V5008. OWASP. Classes should always be derived from std::exception (and alike) as 'public'.
- V5009. OWASP. Unchecked tainted data is used in expression.
- V5010. OWASP. The variable is incremented in the loop. Undefined behavior will occur in case of signed integer overflow.
- V5011. OWASP. Possible overflow. Consider casting operands, not the result.
- V5012. OWASP. Potentially unsafe double-checked locking.
- V5301. OWASP. An exception handling block does not contain any code.
- V5302. OWASP. Exception classes should be publicly accessible.
- V5303. OWASP. The object was created but it is not being used. The 'throw' keyword could be missing.
- V5304. OWASP. Unsafe double-checked locking.
- V5305. OWASP. Storing credentials inside source code can lead to security issues.
- V5601. OWASP. Storing credentials inside source code can lead to security issues.
- V5602. OWASP. The object was created but it is not being used. The 'throw' keyword could be missing.
- V5603. OWASP. The original exception object was swallowed. Stack of original exception could be lost.
- V5604. OWASP. Potentially unsafe double-checked locking. Use volatile variable(s) or synchronization primitives to avoid this.
- V5605. OWASP. Unsafe invocation of event, NullReferenceException is possible. Consider assigning event to a local variable before invoking it.
- V5606. OWASP. An exception handling block does not contain any code.
- V5607. OWASP. Exception classes should be publicly accessible.
- V6102. Inconsistent synchronization of a field. Consider synchronizing the field on all usages.
- V6103. Ignored InterruptedException could lead to delayed thread shutdown.
- V6104. A pattern was detected: A || (A && ...). The expression is excessive or contains a logical error.
- V6105. Consider inspecting the loop expression. It is possible that different variables are used inside initializer and iterator.
- V6106. Casting expression to 'X' type before implicitly casting it to other type may be excessive or incorrect.
PVS-Studio 7.11 (December 17, 2020)
- A change was made to the activation procedure of pvs-studio-analyzer tool for free PVS-Studio version, that requires appending special comments to the header of each analyzed source file. Before first run of the analyzer, a special license key should be entered with the following command: pvs-studio-analyzer credentials PVS-Studio Free FREE-FREE-FREE-FREE.
- To increase reliability of mass analyzer message suppression, hash algorithm was modified for messages that are generated on lines of code containing non-latin symbols. For example, when the messages are generated on a line of code with comments. If such messages were already suppressed in suppress files, these messages can reappear in the analyzer's output - they can be re-suppressed after the update.
- pvs-studio-analyzer tool now supports IAR Arm compilers.
- pvs-studio-analyzer tool can now trace compilers invoked through ld-linux.
- V2574. MISRA. Functions shall not be declared at block scope.
- V3165. The expression of the 'char' type is passed as an argument of the 'A' type whereas similar overload with the string parameter exists.
- V3166. Calling the 'SingleOrDefault' method may lead to 'InvalidOperationException'.
- V6100. An object is used as an argument to its own method. Consider checking the first actual argument of the 'Foo' method.
- V6101. compareTo()-like methods can return not only the values -1, 0 and 1, but any values.
PVS-Studio 7.10 (November 5, 2020)
- PVS-Studio capabilities as a SAST (Static Application Security Testing) solution are increasing as we are launching the effort to support OWASP ASVS and AUTOSAR C++14 Coding Guidelines standards. Mapping tables between existing PVS-Studio rules and those two standards are now available. In future versions, PVS-Studio will increase its coverage for MISRA and AUTOSAR coding standards, as well as implement new rules based on OWASP Top 10 list for the most common and critical vulnerabilities.
- PVS-Studio plugin for JetBrains Rider IDE can now be used for checking Unreal Engine projects (JetBrains Rider for Unreal Engine is currently available in early access)
- PVS-Studio SonarQube plugin now supports classification of analyzer warnings that have a CWE (Common Weakness Enumeration) identifier as security defects in the Security Category tab.
- PVS-Studio analysis log conversion tools (PlogConverter.exe for Windows and plog-converter for Linux\macOS) now support converting analysis results to SARIF (Static Analysis Results Interchange Format). SARIF is a universal and open format for presenting result output from tools that are dedicated to finding software errors, security and safety flaws and vulnerabilities. This format is supported by a large number of static analyzer tools, and facilitates collaborative use of different code quality assurance tools in common infrastructures.
- V830. Decreased performance. Consider replacing the use of 'std::optional::value()' with either the '*' or '->' operator.
- V831. Decreased performance. Consider replacing the call to the 'at()' method with the 'operator[]'.
- V1064. The left operand of integer division is less than the right one. The result will always be zero.
- V1065. Expression can be simplified: check similar operands.
- V1066. The 'SysFreeString' function should be called only for objects of the 'BSTR' type.
- V1067. Throwing from exception constructor may lead to unexpected behavior.
- V3156. The argument of the method is not expected to be null.
- V3157. Suspicious division. Absolute value of the left operand is less than the right operand.
- V3158. Suspicious division. Absolute values of both operands are equal.
- V3159. Modified value of the operand is not used after the increment/decrement operation.
- V3160. Argument of incorrect type is passed to the 'Enum.HasFlag' method.
- V3161. Comparing value type variables with 'ReferenceEquals' is incorrect because compared values will be boxed.
- V3162. Suspicious return of an always empty collection.
- V3163. An exception handling block does not contain any code.
- V3164. Exception classes should be publicly accessible.
- V6093. Automatic unboxing of a variable may cause NullPointerException.
- V6094. The expression was implicitly cast from integer type to real type. Consider utilizing an explicit type cast to avoid the loss of a fractional part.
- V6095. Thread.sleep() inside synchronized block/method may cause decreased performance.
- V6096. An odd precise comparison. Consider using a comparison with defined precision: Math.abs(A - B) < Epsilon or Math.abs(A - B) > Epsilon.
- V6097. Lowercase 'L' at the end of a long literal can be mistaken for '1'.
- V6098. A method does not override another method from the base class.
- V6099. The initial value of the index in the nested loop equals 'i'. Consider using 'i + 1' instead.
PVS-Studio 7.09 (August 27, 2020)
- PVS-Studio is included in the Forrester Research report "Now Tech: Static Application Security Testing, Q3 2020" as a SAST specialist. Adopting Static Application Security Testing (SAST) methodology improves application security and helps to reduce the impact of security flaws in application lifecycle. Forrester Research is a leading emerging-technology research firm providing data and analysis that defines the impact of technology change on business. The report is available by purchase or with a subscription with Forrester Research.
- Navigation for interprocedural analyzer messages was improved in PVS-Studio C# analyzer, for Visual Studio and Rider PVS-Studio extensions. It is now possible to navigate to potentially dangerous code fragments inside a method when the analyzer produces a warning at this method's invocation.
- It is now possible to redefine default severity levels for PVS-Studio C# analyzer rules in rule configuration files (.pvsconfig).
- V012. Some warnings could have been disabled. PVS-Studio C++ analyzer's report can now include the exclusion rules that are defined in the rule configuration files (.pvsconfig).
- V826. Consider replacing standard container with a different one.
- V827. Maximum size of a vector is known at compile time. Consider pre-allocating it by calling reserve(N).
- V828. Decreased performance. Moving an object in a return statement prevents copy elision.
- V829. Lifetime of the heap-allocated variable is limited to the current function's scope. Consider allocating it on the stack instead.
- V1059. Macro name overrides a keyword/reserved name. This may lead to undefined behavior.
- V1060. Passing 'BSTR ' to the 'SysAllocString' function may lead to incorrect object creation.
- V1061. Extending 'std' or 'posix' namespace may result in undefined behavior.
- V1062. Class defines a custom new or delete operator. The opposite operator must also be defined.
- V1063. The modulo by 1 operation is meaningless. The result will always be zero.
- V3154. The 'a % b' expression always evaluates to 0.
- V3155. The expression is incorrect or it can be simplified.
- V6082. Unsafe double-checked locking.
- V6083. Serialization order of fields should be preserved during deserialization.
- V6084. Suspicious return of an always empty collection.
- V6085. An abnormality within similar comparisons. It is possible that a typo is present inside the expression.
- V6086. Suspicious code formatting. 'else' keyword is probably missing.
- V6087. InvalidClassException may occur during deserialization.
- V6088. Result of this expression will be implicitly cast to 'Type'. Check if program logic handles it correctly.
- V6089. It's possible that the line was commented out improperly, thus altering the program's operation logics.
- V6090. Field 'A' is being used before it was initialized.
- V6091. Suspicious getter/setter implementation. The 'A' field should probably be returned/assigned instead.
- V6092. A resource is returned from try-with-resources statement. It will be closed before the method exits.
PVS-Studio 7.08 (June 18, 2020)
- PVS-Studio C# analyzer for .NET Framework and .NET Core projects is now available under Linux and macOS systems.
- PVS-Studio C# analyzer can now be used from JetBrains Rider IDE.
- It is now very easy to try PVS-Studio analyzer on C and C++ code examples, without downloading and installing the analyzer's distribution, with the help of Compiler Explorer service. Please note - the Compiler Explorer service allows to try the analyzer on a small, isolated code fragment or synthetic example. For a comprehensive evaluation of analyzer's capabilities, please download and install full version of PVS-Studio.
- The new file list analysis mode in PVS-Studio_Cmd.exe command line tool under Windows now supports analysis of C, C++ and C# files and can track compile dependencies (source files dependency from header files). This mode can be used to configure merge and pull request analysis with PVS-Studio analyzer.
- PVS-Studio C# analyzer's analysis of Unity projects was improved - additional annotations for the most common types from Unity libraries were added.
- The 'plog-converter' log conversion utility (Linux, macOS) now supports TeamCity log output format.
- Blame Notifier developer automatic notification tool now supports Perforce version control system.
- V824. It is recommended to use the 'make_unique/make_shared' function to create smart pointers.
- V825. Expression is equivalent to moving one unique pointer to another. Consider using 'std::move' instead.
- V1056. The predefined identifier '__func__' always contains the string 'operator()' inside function body of the overloaded 'operator()'.
- V1057. Pseudo random sequence is the same at every program run. Consider assigning the seed to a value not known at compile-time.
- V1058. Nonsensical comparison of two different functions' addresses.
- V6078. Potential Java SE API compatibility issue.
- V6079. Value of variable is checked after use. Potential logical error is present. Check lines: N1, N2.
- V6080. Consider checking for misprints. It's possible that an assigned variable should be checked in the next condition.
- V6081. Annotation that does not have 'RUNTIME' retention policy will not be accessible through Reflection API.
PVS-Studio 7.07 (April 16, 2020)
- PVS-Studio C++ analyzer can now parse concepts. Concepts are an extension of C++ templates, which were introduced in C++20 language standard. The V003 analyzer error, that was caused by using concepts in analyzed code, was fixed.
- PVS-Studio SonarQube plugin now supports macOS.
- XML log conversion tool (PlogConverter) now supports output format for TeamCity continuous integration server.
- It is now possible to include and exclude specific projects from analysis in command line analyzer for Visual Studio \ MSBuild projects (PVS-Studio_Cmd.exe) through --selectProjects / --excludeProjects flags.
- Occasional hanging of PVS-Studio Visual Studio plugin while opening solutions, caused by double initialization, was fixed.
- V1053. Calling the 'foo' virtual function in the constructor/destructor may lead to unexpected result at runtime.
- V1054. Object slicing. Derived class object was copied to the base class object.
- V1055. The 'sizeof' expression returns the size of the container type, not the number of elements. Consider using the 'size()' function.
- V2573. MISRA. Identifiers that start with '__' or '_[A-Z]' are reserved.
PVS-Studio 7.06 (February 27, 2020)
- PVS-Studio can now be used with PlatformIO cross-platform IDE for embedded development. Additional details on configuring PVS-Studio in PlatformIO are available here.
- Memory allocation was optimized for PVS-Studio C# analyzer. This can speed-up the analysis of large-scale projects.
- New command line arguments were added to PVS-Studio C# analyzer: --excludeDefines / --appendDefines. These arguments can be used to undefine / define preprocessor symbols, which will be used during the analysis.
- PVS-Studio C# analyzer can now correctly understand Unity-specific null-checks of variables, when such variables are implicitly cast to bool type.
- V823. Decreased performance. Object may be created in-place in a container. Consider replacing methods: 'insert' -> 'emplace', 'push_*' -> 'emplace_*'.
- V1050. The uninitialized class member is used when initializing the base class.
- V1051. Consider checking for misprints. It's possible that an assigned variable should be checked in the next condition.
- V1052. Declaring virtual methods in a class marked as 'final' is pointless.
- V2562. MISRA. Expressions with pointer type should not be used in the '+', '-', '+=' and '-=' operations.
- V2563. MISRA. Array indexing should be the only form of pointer arithmetic and it should be applied only to objects defined as an array type.
- V2564. MISRA. There should be no implicit integral-floating conversion.
- V2565. MISRA. A function should not call itself either directly or indirectly.
- V2566. MISRA. Constant expression evaluation should not result in an unsigned integer wrap-around.
- V2567. MISRA. Cast should not remove 'const' / 'volatile' qualification from the type that is pointed to by a pointer or a reference.
- V2568. MISRA. Both operands of an operator should be of the same type category.
- V2569. MISRA. The 'operator &&', 'operator ||', 'operator ,' and the unary 'operator &' should not be overloaded.
- V2570. MISRA. Operands of the logical '&&' or the '||' operators, the '!' operator should have 'bool' type.
- V2571. MISRA. Conversions between pointers to objects and integer types should not be performed.
- V2572. MISRA. Value of the expression should not be converted to the different essential type or the narrower essential type.
- V3150. Loop break conditions do not depend on the number of iterations.
- V3151. Potential division by zero. Variable was used as a divisor before it was compared to zero. Check lines: N1, N2.
- V3152. Potential division by zero. Variable was compared to zero before it was used as a divisor. Check lines: N1, N2.
- V3153. Dereferencing the result of null-conditional access operator can lead to NullReferenceException. Consider removing parentheses around null-conditional access expression.
- V6077. Label is present inside a switch(). It is possible that these are misprints and 'default:' operator should be used instead.
PVS-Studio 7.05 (December 10, 2019)
- Blame Notifier tool, which provides notification of developers about analyzer results, is now available on all of the platforms supported by the analyzer (Windows, Linux, macOS). Blame Notifier uses information from version control system (SVN, Git, Mercurial) to identify a person responsible for writing the code that triggered an analyzer message.
- PVS-Studio can now be installed from Chocolatey package manager.
- Analysis of .NET Core 3 and 3.1 projects is now supported in C# analyzer.
- It is now possible, in Windows version of the analyzer, to specify the directories excluded from the analysis under specific Visual Studio projects and solutions inside .pvsconfig files.
- Memory footprint of PVS-Studio C# analyzer was optimized when it is used to analyze large-scale projects.
- V822. Decreased performance. A new object is created, while a reference to an object is expected.
- V1044. Loop break conditions do not depend on the number of iterations.
- V1045. The DllMain function throws an exception. Consider wrapping the throw operator in a try..catch block.
- V1046. Unsafe usage of the 'bool' and integer types together in the operation '&='.
- V1047. Lifetime of the lambda is greater than lifetime of the local variable captured by reference.
- V1048. Variable 'foo' was assigned the same value.
- V1049. The 'foo' include guard is already defined in the 'bar1.h' header. The 'bar2.h' header will be excluded from compilation.
- V2558. MISRA. A pointer/reference parameter in a function should be declared as pointer/reference to const if the corresponding object was not modified.
- V2559. MISRA. Subtraction, >, >=, <, <= should be applied only to pointers that address elements of the same array.
- V2560. MISRA. There should be no user-defined variadic functions.
- V2561. MISRA. The result of an assignment expression should not be used.
- V3146. Possible null dereference. A method can return default null value.
- V3147. Non-atomic modification of volatile variable.
- V3148. Casting potential 'null' value to a value type can lead to NullReferenceException.
- V3149. Dereferencing the result of 'as' operator can lead to NullReferenceException.
- V6072. Two similar code fragments were found. Perhaps, this is a typo and 'X' variable should be used instead of 'Y'.
- V6073. It is not recommended to return null or throw exceptions from 'toString' / 'clone' methods.
- V6074. Non-atomic modification of volatile variable.
- V6075. The signature of method 'X' does not conform to serialization requirements.
- V6076. Recurrent serialization will use cached object state from first serialization.
PVS-Studio 7.04 (September 4, 2019)
- PVS-Studio plugin for IntelliJ IDEA now supports IDEA version 192.
- PVS-Studio plugins for Visual Studio can now automatically load analysis report when analyzing Unreal Engine projects.
- PVS-Studio C# analyzer can now analyze projects for .NET Core 3 Preview.
- PVS-Studio C# analyzer now supports getting return values from async methods and get\set property accessors.
- Compiler monitoring tool under Windows now supports tracing only the child processes from a specified parent process.
- Added a new mode to ignore cache for compiler monitoring under for Linux.
- PVS-Studio plugin for displaying analysis results in Jenkins can now be used under Linux and macOS hosts (previously it was available only under Windows).
- PVS-Studio plugin for SonarQube now supports SonarQube 7.9 LTS.
- V1040. Possible typo in the spelling of a pre-defined macro name.
- V1041. Class member is initialized with dangling reference.
- V1042. This file is marked with copyleft license, which requires you to open the derived source code.
- V1043. A global object variable is declared in the header. Multiple copies of it will be created in all translation units that include this header file.
- V2551. MISRA. Variable should be declared in a scope that minimizes its visibility.
- V2552. MISRA. Expressions with enum underlying type should have values corresponding to the enumerators of the enumeration.
- V2553. MISRA. Unary minus operator should not be applied to an expression of the unsigned type.
- V2554. MISRA. Expression containing increment (++) or decrement (--) should not have other side effects.
- V2555. MISRA. Incorrect shifting expression.
- V2556. MISRA. Use of a pointer to FILE when the associated stream has already been closed.
- V2557. MISRA. Operand of sizeof() operator should not have other side effects.
- V3140. Property accessors use different backing fields.
- V3141. Expression under 'throw' is a potential null, which can lead to NullReferenceException.
- V3142. Unreachable code detected. It is possible that an error is present.
- V3143. The 'value' parameter is rewritten inside a property setter, and is not used after that.
- V3144. This file is marked with copyleft license, which requires you to open the derived source code.
- V3145. Unsafe dereference of a WeakReference target. The object could have been garbage collected before the 'Target' property was accessed.
- V6068. Suspicious use of BigDecimal class.
- V6069. Unsigned right shift assignment of negative 'byte' / 'short' value.
- V6070. Unsafe synchronization on an object.
- V6071. This file is marked with copyleft license, which requires you to open the derived source code.
PVS-Studio 7.03 (June 25, 2019)
- PVS-Studio analyzer documentation now contains a section describing the use of analyzer inside containers under Docker.
- Support for analyzing QNX Momentics projects, QCC compiler.
- V1038. It's odd that a char or string literal is added to a pointer.
- V1039. Character escape is used in multicharacter literal. This causes implementation-defined behavior.
- V2543. MISRA. Value of the essential character type should be used appropriately in the addition/subtraction operations.
- V2544. MISRA. Values of the essential appropriate types should be used at expressions.
- V2545. MISRA. Conversion between pointers of different object types should not be performed.
- V2546. MISRA. Expression resulting from the macro expansion should be surrounded by parentheses.
- V2547. MISRA. The return value of non-void function should be used.
- V2548. MISRA. The address of an object with local scope should not be passed out of its scope.
- V2549. MISRA. Pointer to FILE should not be dereferenced.
- V2550. MISRA. Floating-point values should not be tested for equality or inequality.
- V3138. String literal contains potential interpolated expression.
- V3139. Two or more case-branches perform the same actions.
- V6067. Two or more case-branches perform the same actions.
PVS-Studio 7.02 (April 25, 2019)
- PVS-Studio now supports Visual Studio 2019. Visual C++,.NET Framework and .NET Core projects from Visual Studio 2019 can be analyzed from IDE itself, or from command line through PVS-Studio_Cmd.exe tool.
- PVS-Studio C# analyzer now supports new syntax from C# 8.0.
- PVS-Studio C# now can detect potential null dereferences (V3080 rule) inside methods when potential null value is passed to a method as an argument.
- Plugin for PVS-Studio Java analyzer is now available in the official JetBrains plugin repository. You can now also install integration with IDEA through our Windows Installer.
- PVS-Studio plugins for IDEA, Maven and Gradle now provide mass suppression of analyzer messages, which can be used to hide analyzer warnings on a legacy code during analyzer integration into development process.
- Compiler monitoring for Windows now can correctly work when monitoring a build under Keil uVision in case a Windows user name contains non-Latin characters.
- V1037. Two or more case-branches perform the same actions.
- V2530. MISRA. The loop should be terminated with no more than one 'break' or 'goto' statement.
- V2531. MISRA. Expression of the essential 'foo' type should not be cast to the essential 'bar' type.
- V2532. MISRA. String literal should not be assigned to object unless it has type of pointer to const-qualified char.
- V2533. MISRA. C-style and functional notation casts should not be performed.
- V2534. MISRA. The loop counter should not have floating-point type.
- V2535. MISRA. Unreachable code should not be present in the project.
- V2536. MISRA. Function should not contain labels not used by any 'goto' statements.
- V2537. MISRA. Functions should not have unused parameters.
- V2538. MISRA. The value of uninitialized variable should not be used.
- V2539. MISRA. Class destructor should not exit with an exception.
- V2540. MISRA. Arrays should not be partially initialized.
- V2541. MISRA. Function should not be declared implicitly.
- V2542. MISRA. Function with a non-void return type should return a value from all exit paths.
PVS-Studio 7.01 (March 13, 2019)
- The limit that existed in the trial version of the analyzer for Visual Studio plugin, restricting a number of analyzer's messages that can be viewed in the source code, is no more! Now, PVS-Studio for Windows uses the same trial mode as PVS-Studio on other platforms - you can get a fully functional trial license by filling out a form on the analyzer's download page.
- PVS-Studio C# rule V3080 (null dereference) is now able to detect potential dereferences when a reference can receive null in one of the execution branches. Inter-procedural analysis was improved.
- PVS-Studio Visual Studio plugin can now perform automatic checkouts on suppress files that are stored in TFVC (Team Foundation Version Control). This mode can be enabled on 'Options... > Specific Analyzer Settings' page.
- V1036. Potentially unsafe double-checked locking.
- V2529. MISRA. Any label should be declared in the same block as 'goto' statement or in any block enclosing it.
PVS-Studio 7.00 (January 16, 2019)
- PVS-Studio 7.00 now provides static analyzer for Java. You can read about all new features of PVS-Studio 7.00 in our blog.
- PVS-Studio plugin for SonarQube is updated to support latest SonarQube version 7.4. The minimal SonarQube version supported by PVS-Studio plugin is now raised to LTS SonarQube version 6.7.
- V2526. MISRA. The function with the 'clock/time/difftime/ctime/ asctime/gmtime/localtime/mktime' name should not be used.
- V2527. MISRA. A switch-expression should not have Boolean type. Consider using of 'if-else' construct.
- V2528. MISRA. The comma operator should not be used.
- V6001. There are identical sub-expressions to the left and to the right of the 'foo' operator.
- V6002. The switch statement does not cover all values of the enum.
- V6003. The use of 'if (A) {...} else if (A) {...}' pattern was detected. There is a probability of logical error presence.
- V6004. The 'then' statement is equivalent to the 'else' statement.
- V6005. The 'x' variable is assigned to itself.
- V6006. The object was created but it is not being used. The 'throw' keyword could be missing.
- V6007. Expression is always true/false.
- V6008. Potential null dereference.
- V6009. Function receives an odd argument.
- V6010. The return value of function 'Foo' is required to be utilized.
- V6011. The expression contains a suspicious mix of integer and real types
- V6012. The '?:' operator, regardless of its conditional expression, always returns one and the same value.
- V6013. Comparison of arrays, strings, collections by reference. Possibly an equality comparison was intended.
- V6014. It's odd that this method always returns one and the same value of NN.
- V6015. Consider inspecting the expression. Probably the '!='/'-='/'+=' should be used here.
- V6016. Suspicious access to element by a constant index inside a loop.
- V6017. The 'X' counter is not used inside a nested loop. Consider inspecting usage of 'Y' counter.
- V6018. Constant expression in switch statement.
- V6019. Unreachable code detected. It is possible that an error is present.
- V6020. Division or mod division by zero.
- V6021. The value is assigned to the 'x' variable but is not used.
- V6022. Parameter is not used inside method's body.
- V6023. Parameter 'A' is always rewritten in method body before being used.
- V6024. The 'continue' operator will terminate 'do { ... } while (false)' loop because the condition is always false.
- V6025. Possibly index is out of bound.
- V6026. This value is already assigned to the 'b' variable.
- V6027. Variables are initialized through the call to the same function. It's probably an error or un-optimized code.
- V6028. Identical expressions to the left and to the right of compound assignment.
- V6029. Possible incorrect order of arguments passed to method.
- V6030. The function located to the right of the '|' and '&' operators will be called regardless of the value of the left operand. Consider using '||' and '&&' instead.
- V6031. The variable 'X' is being used for this loop and for the outer loop.
- V6032. It is odd that the body of 'Foo_1' function is fully equivalent to the body of 'Foo_2' function.
- V6033. An item with the same key has already been added.
- V6034. Shift by N bits is inconsistent with the size of type.
- V6035. Double negation is present in the expression: !!x.
- V6036. The value from the uninitialized optional is used.
- V6037. An unconditional 'break/continue/return/goto' within a loop.
- V6038. Comparison with 'double.NaN' is meaningless. Use 'double.isNaN()' method instead.
- V6039. There are two 'if' statements with identical conditional expressions. The first 'if' statement contains method return. This means that the second 'if' statement is senseless.
- V6040. The code's operational logic does not correspond with its formatting.
- V6041. Suspicious assignment inside the conditional expression of 'if/while/do...while' statement.
- V6042. The expression is checked for compatibility with type 'A', but is cast to type 'B'.
- V6043. Consider inspecting the 'for' operator. Initial and final values of the iterator are the same.
- V6044. Postfix increment/decrement is senseless because this variable is overwritten.
- V6045. Suspicious subexpression in a sequence of similar comparisons.
- V6046. Incorrect format. Consider checking the N format items of the 'Foo' function.
- V6047. It is possible that this 'else' branch must apply to the previous 'if' statement.
- V6048. This expression can be simplified. One of the operands in the operation equals NN. Probably it is a mistake.
- V6049. Classes that define 'equals' method must also define 'hashCode' method.
- V6050. Class initialization cycle is present.
- V6051. Use of jump statements in 'finally' block can lead to the loss of unhandled exceptions.
- V6052. Calling an overridden method in parent-class constructor may lead to use of uninitialized data.
- V6053. Collection is modified while iteration is in progress. ConcurrentModificationException may occur.
- V6054. Classes should not be compared by their name.
- V6055. Expression inside assert statement can change object's state.
- V6056. Implementation of 'compareTo' overloads the method from a base class. Possibly, an override was intended.
- V6057. Consider inspecting this expression. The expression is excessive or contains a misprint.
- V6058. The 'X' function receives objects of incompatible types.
- V6059. Odd use of special character in regular expression. Possibly, it was intended to be escaped.
- V6060. The reference was used before it was verified against null.
- V6061. The used constant value is represented by an octal form.
- V6062. Possible infinite recursion.
- V6063. Odd semicolon ';' after 'if/foreach' operator.
- V6064. Suspicious invocation of Thread.run().
- V6065. A non-serializable class should not be serialized.
- V6066. Passing objects of incompatible types to the method of collection.
Release history for old versions
Please read release history for old versions here.