Release Notes for Cppcheck 2.15
New checks:
GUI:
Changed interface:
--cpp-header-probe (and --no-cpp-header-probe) to probe headers and extension-less files for Emacs marker (see https://trac.cppcheck.net/ticket/10692 for more details)...
Fixes:
Release Notes for Cppcheck 2.14.0
Summary:
- Fixed 23 "crash" tickets
- Fixed 69 "false positive" tickets
- Fixed 36 "improve check" tickets
New checks:
- eraseIteratorOutOfBounds: warns when erase() is called on an iterator that is out of bounds
- returnByReference: warns when a large class member is returned by value from a getter function
GUI:
- Make it possible to suppress warnings in all files in a folder...
Release Notes for Cppcheck 2.13
New checks:
- passedByValueCallback for functions which take a parameter by value but are used as callbacks (subset of passedByValue)
- returnImplicitInt for C functions without return type (previously reported as a debug message)
- iterateByValue for iterating by value in a range-based for loop when a const reference could be used
Changed interface:
- Final report of active checkers is reported as a normal information message instead...
New checks:
- uselessOverride finds overriding functions that either duplicate code from or delegate back to the base class implementation
- knownPointerToBool finds pointer to bool conversions that are always true or false
Improved checking:
- truncLongCastAssignment and truncLongCastReturn check additional types, including float/double/long double
- duplInheritedMember also reports duplicated member functions
- constParameter/constVariable checks find more instances of pointers/references that can be const, e.g. when calling library functions...
New checks:
Improved checking:
Cppcheck has been added in the Gartner "Application Security Testing" Peer Insights listing.
Gartner Peer Insights lists various tools and shows reviews. The reviews are verified by Gartner. A user who uses the tool professionally can write a review.
Please help us get reviews. If you work at a company that uses Cppcheck then please review us. Both open source Cppcheck and Cppcheck Premium users are welcome to review. The link below takes you to the review form:
https://gtnr.io/J81zesfzL
Analysis:
- Many improvements and fixes in checkers.
- Windows binaries currently default to the "win32A" and "win64" platform respectively. Starting with Cppcheck 2.13 they will default to 'native' instead. Please specify '--platform=win32A' or '--platform=win64' explicitly if you rely on this.
- New check: use memset/memcpy instead of loop
CLI:
- if the file provided via "--file-list" cannot be opened it will now error out
- add command-line option "--disable=<id>" to individually disable checks...
match function to addon similar to Token::Match used internally by cppcheck:
- | for either-or tokens (ie struct|class to match either struct or class)
- !! to negate a token
- %any%, %assign%, %comp%, %name%, %op%, %or%, %oror%, and %var% keywords
- (*), {*}, [*], and <*> to match links
- @ can be added to bind the token to a name
- ** can be used to match until a token
this pointers
debug_valueflow and debug_valuetype to show more detail including source backtraces...
Today, Cppcheck-2.7 is released
Add support for container views. The view attribute has been added to the <container> library tag to specify the class is a view. The lifetime analysis has been updated to use this new attribute to find dangling lifetime containers.
Various checker improvements.
Fixed false positives.
Today a tool with the name Cppcheck Premium is launched.
It integrates the open source Cppcheck tool and a premium addon into a package.
You will get:
* Open source Cppcheck command line tool.
* Analysis; Extra checking for memory errors, diagnoses one of the bugs reported in CVE-2019-15048.
* Security: Binaries and installer are signed using an organization certificate. (This removes the "Unknown Publisher" warning).
* Currently, Cppcheck Premium only includes a Windows installer. Feel free to contact us if you want Linux binaries...
New checks in core cppcheck:
* missing return in function
* writing overlapping data, detect undefined behavior
* compared value is out of possible type range
* [perf] Copy elision optimization can't be applied for return std::move(local)
* file can not be opened for read and write access at the same time on different streams
Various improvements:
* Color output for diagnostics is added for unix-based platforms.
* Added symbolic analysis for ValueFlow. A simple delta is used to compute the difference between two unknown variables.
* Rules using the "define" tokenlist can also match #include.
* Library <function> tags can now use <container> tag, so free functions that accept containers such as std::size, std::empty, std::begin, std::end, etc. can specify the yields or action for the container.
* Library <smart-pointer> tag can specify a <unique> tag for smart pointers that have unique ownership. Cppcheck now warns about dangling references to smart pointers with unique ownership.
* Fixed problems when --cppcheck-build-dir is used; that should now work better. It is recommended to use --cppcheck-build-dir to speed up Cppcheck analysis.
* htmlreport can now output author information (using git blame)
* More warnings about variables that are not const but can be const...
A new Cppcheck release
Parser:
* various fixes
* checked that all features in c++11, c++14, c++17 are supported
* c++20 support is improved but not complete yet
Core:
* improved library files, better knowledge about APIs
* improved checks to detect more bugs
* fixed checks to avoid unwanted warnings
Changed output:
* try to use relative paths when using compile databases, if compile database is accessed with relative path
* updated XML; The file0 attribute is moved from <location> to <error>...
There have been questions before about how well Cppcheck handles the latest C++ standard language features. And unfortunately I feel I could not answer that very well.
Lately I have been investigating C++20 (and below) support. Cppcheck-2.4.1 has pretty good support overall for C++17 (and lower) and it also handles a few C++20 features. We have improved the parser and I now feel that the latest Cppcheck development build supports all C++17 language features and a couple of additional C++20 features. The improved parser will be available in Cppcheck-2.5...
We have made a fix release with this little fix:
The Windows installer was fixed; there was a missing file for the Misra addon.
Fixed false negatives and false positives
New check; Detect one definition rule violations
Various improvements:
* MISRA improvements
* ImportProject fixes
* Various bug hunting improvements
* Fixes when importing AST from clang
Improved C++ parser
- types
- wrong operands in ast
- better simplification of templates
Improved clang import, various fixes.
Improved value flow analysis
Fixed false positives
Improved configuration in library files
- boost.cfg
- googletest.cfg
- qt.cfg
- windows.cfg
- wxwidgets.cfg
Added several Misra rules:
- 6.1
- 6.2
- 7.2
- 7.4
- 9.2
- 10.2
- 15.4
Added platforms:
- elbrus e1c+
- pic
- pic8
- mips
New checks:
* incorrect usage of mutexes and lock guards
* Dereference end iterator
* Iterating a known empty container
* outOfBounds check for iterators to containers
Removed 'operator=' check that ensures reference to self is returned. That is not about safety.
Improved parser
* various ast fixes
Clang parser
* The Clang import feature in Cppcheck should be considered to be experimental for now. There are problems...
I have launched one more Kickstarter project. Its goal is to improve the Clang import feature in Cppcheck.
There are two tasks:
* Comparison of Clang/Cppcheck syntax tree. This will help us ensure that Cppcheck and Clang import work properly.
* The Cppcheck SymbolDatabase has a few fields for Variables that are not set properly by Clang import.
Link to project:
https://www.kickstarter.com/projects/3300446/cppcheck-clang-import
I launched a Kickstarter project today.
https://www.kickstarter.com/projects/3300446/cppcheck-variable-constraints
I will add configuration of variable constraints. With such configuration, Cppcheck will get both better precision and better soundness.
To start with I only plan to use the constraints in the bug hunting analysis. However in the long run, the constraints can be used in traditional analysis also.
This is a minor release.
We have tweaked build scripts.
* When you use USE_Z3=yes, we will handle new versions of z3 better. If you have an old z3 library and get compilation problems you will need to add a z3_version.h in externals.
* The cmake scripts were updated.
There were a couple of bug fixes.
New check:
* for "expression % 1" the result is always 0.
As of today:
* there have been 601,753 downloads on sourceforge; https://sourceforge.net/projects/cppcheck/files/cppcheck/stats/timeline?dates=2007-02-09+to+2020-05-25
* there have been 398,248 downloads from github; https://somsubhra.com/github-release-stats/?username=danmar&repository=cppcheck
The download count is now above 1 million!
Those statistics are not complete. But those are the known downloads. For instance we do not know how many have downloaded through apt-get or how many grabbed the source code directly from github and compiled that - the github download count is only for the windows installers.
The command line is not changed drastically. Your old cppcheck scripts should work as before.
Compiling: There is a new dependency Z3. When compiling with the Makefile it is highly recommended to use "USE_Z3=yes".
Improved clang-tidy integration
Several fixes to;
Clang is a C/C++ compiler that has a very robust and well made parser...
I launched a new Kickstarter project today.
https://www.kickstarter.com/projects/3300446/diagnose-buffer-overflow-cve
Thousands of software vulnerabilities are found in released software each year.
I will investigate the reported vulnerabilities and pick a buffer overflow that is not diagnosed by Cppcheck yet. Then I will fix Cppcheck so it detects such overflows.
This is a small step, but in the long run it should be possible to detect most buffer overflows by using Cppcheck.