What's new in Klocwork 2023.1

Here are the highlights for Klocwork 2023.1. If you're upgrading, see the Limitations for items that affect how you use Klocwork.

Manage your Differential Analysis for CI/CD pipelines

Manage your differential analysis continuous integration builds by using the new CI Builds tab in Validate. By running CI builds, you can identify issues much faster and manage them in the same ways as you manage server issues, without having to run a full build. For more information, see Managing your Differential Analysis for CI/CD pipelines. We've also added API actions to create, update, or delete CI builds, and to retrieve CI issue details. For more information, see Issue and metric API examples.

C/C++

In this release we

  • improved the speed of the analysis phase for projects by enhancing the parallelization of the analysis

  • added support for several MISRA rules and increased coverage for MISRA C 2012 (up to AMD2) from 97.5% to 99%

  • increased coverage for DISA STIG high severity rules

C#

We improved support for version 8.0 of the C# language specification by adding support for

  • const member declarations in interfaces

  • readonly instance members

  • static local functions

  • default interface methods

  • nullable reference types

  • async streams

  • using declarations

  • disposable ref structs

Java

We've added many new Java checkers that substantially improve our coverage of DISA STIG standards. See the Checkers section below for a complete list.

We enhanced support for Java 14 and have added partial support for Java 15:

  • Improved support for Java 14 in PATH analysis, including switch expressions.
  • Klocwork now supports Java 15 for build integration commands such as kwant, kwgradle, and kwmaven, and the Java 15 API for the Java knowledge base.

The kwandroid command now supports the --lang option, which you can use to generate separate build specifications for C++ or Java.

JavaScript, Kotlin, Python

We upgraded and improved JavaScript, Kotlin, and Python analysis engines and checkers, including adding syntax highlighting for code samples in the documentation to enhance usability.

The Python checkers taxonomy was modified so that you can provide checker arguments that customize Python checkers.

JavaScript analysis was also improved by adding support for the .eslintignore file. This file lists ignored paths that should be skipped during JavaScript analysis.

Visual Studio extension

You can now configure the Visual Studio extension to run with an external analysis engine such as the kwcheck command. If you have a large project, using the kwcheck command may reduce your analysis time. For more information, see Analysis and Appearance tabs.

Coding standards

This release includes new and expanded standards coverage for the following coding standards:

  • CWE
  • DISA STIG
  • Joint Strike Fighter Air Vehicle C++
  • OWASP
  • MISRA

Checker improvements

From release to release, we improve issue detection to bring state-of-the-art capabilities to our customers. As a result, expect your analysis results to change as accuracy and coverage improve.

New checkers

Checker | Description
CXX.SV.INSECURE_COOKIE | This C/C++ checker detects when an application uses cookies over a potentially unsecured network communication.
CXX.SV.PERSISTENT_COOKIE | This C/C++ checker detects when an application uses persistent cookies for tracking changes while on a website instead of using session cookies.
CXX.SV.XXE | This C/C++ checker detects when applications are vulnerable to XML-oriented attacks.
MISRA.INCL.LANG.FEATURES.2012 | This MISRA checker provides support for MISRA C 2012 AMD2 Rule 1.4: Emergent language features shall not be used.
MISRA.INCL.LANG.FEATURES.MT.2012 | This MISRA checker provides support for MISRA C 2012 AMD2 Rule 1.4: Emergent language features shall not be used.
MISRA.LANG.FEATURES.2012 | This MISRA checker provides support for MISRA C 2012 AMD2 Rule 1.4: Emergent language features shall not be used.
MISRA.LANG.FEATURES.MT.2012 | This MISRA checker provides support for MISRA C 2012 AMD2 Rule 1.4: Emergent language features shall not be used.
MISRA.RESOURCES.FILE.OPEN_READ_WRITE.2012 | This MISRA checker provides support for MISRA C 2012 Rule 22.3: The same file shall not be open for read and write access at the same time on different streams.
MISRA.STDLIB.SYSTEM.2012_AMD2 | This MISRA checker provides support for MISRA C 2012 Rule 21.21: The Standard Library function system of <stdlib.h> shall not be used.
SV.CERT.INVALID | This Java checker detects when an X509 certificate is not validated and then generated by using Trust Anchors.
SV.ECV.TRUSTMANAGER | This Java checker detects when an implementation of the X509TrustManager does not control the validity of the certificate, that is, no exception is raised.
SV.IL.SESSION | This Java checker detects when the session ID of the server or client is logged into application logs.
SV.PASSWD.HC.MINLEN | This Java checker detects when a hardcoded string is used by a method that accepts passwords or by a method that performs encryption.
SV.SESSION.FIXATION.COOKIE | This Java checker detects when a tainted value is used to set the JSESSIONID cookie.
SV.SPRING.FIXATION | This Java checker detects whenever session fixation protection is disabled.
SV.WEAK.KEYS.AES | This Java checker detects when the AES cryptographic algorithm is used with a key that is of insufficient size.
SV.WEAK.KEYS.DH | This Java checker detects when the DH cryptographic algorithm is used with a key that is of insufficient size.
SV.WEAK.KEYS.DSA | This Java checker detects when the DSA cryptographic algorithm is used with a key that is of insufficient size.
SV.WEAK.KEYS.EC | This Java checker detects when the EC cryptographic algorithm is used with a key that is of insufficient size.
SV.WEAK.KEYS.RSA | This Java checker detects when the RSA cryptographic algorithm is used with a key that is of insufficient size.
SV.WEAK.TLS | This Java checker detects if a weak TLS protocol such as 1.0 or 1.1 is used.
SV.XSS.COOKIE.SECURE | This Java checker detects when a cookie that is used to store a session ID for a client's interaction with a website is not sent on a secure protocol such as HTTPS and SSL.
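As an added illustration of the code patterns the SV.ECV.TRUSTMANAGER and SV.WEAK.TLS rows describe (example written for these notes, not Klocwork's own code or checker implementation), the first class below shows a trust manager that never raises an exception, and the rest shows the corrected form that delegates to the JVM's default PKIX trust manager and builds a TLS 1.3 context. The class and method names are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerExample {

    // The shape SV.ECV.TRUSTMANAGER reports: no method ever throws, so every
    // certificate chain is accepted and server identity is never checked.
    static final class AcceptAllTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Corrected form: reuse the platform's default trust manager, which throws
    // CertificateException on an untrusted, expired, or otherwise invalid chain.
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store (cacerts)
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Context restricted to TLS 1.3, the setting SV.WEAK.TLS expects instead of
    // "TLSv1" or "TLSv1.1"; hand ctx.getSocketFactory() to your HTTPS client.
    static SSLContext validatingContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, new TrustManager[] { platformTrustManager() }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = platformTrustManager();
        try {
            // A constructed empty chain: the default implementation rejects it.
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            System.out.println("unexpected: empty chain accepted");
        } catch (IllegalArgumentException | CertificateException e) {
            System.out.println("empty chain rejected: " + e.getClass().getSimpleName());
        }
    }
}
```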

Modified checkers

Checker | Description
ABV.GENERAL | New defects detected and reduced false positives
ABV.STACK | New defects detected
CL.SHALLOW.ASSIGN | New defects detected
CONC.DL | Overall improvements to the checker
DBZ family of checkers | New defects detected
FUNCRET.GEN | Reduced false positives
JD_LOCK | Overall improvements to the checker

Enabled or disabled checkers

The following checkers were added to the default enabled field of the checker configuration files for this release.

  • SV.CERT.INVALID
  • SV.IL.SESSION
  • SV.IL.SESSION.CLIENT
  • SV.PASSWD.HC.MINLEN
  • SV.PERMS.WIDE
  • SV.SESSION.FIXATION.COOKIE
  • SV.SPRING.FIXATION
  • SV.WEAK.KEYS.AES
  • SV.WEAK.KEYS.DH
  • SV.WEAK.KEYS.DSA
  • SV.WEAK.KEYS.EC
  • SV.WEAK.KEYS.RSA
  • SV.WEAK.TLS
  • SV.XSS.COOKIE.SECURE

Taxonomy improvements

As part of our installation, we offer several custom taxonomy files that map our checkers to standards such as MISRA, CWE, OWASP, and DISA STIG.

Taxonomy | New/updated

cert_c_all.tconf and cert_c_all_ja.tconf

cert_c_rules.tconf and cert_c_rules_ja.tconf

Added or modified checker mappings to the following rules:

  • CERT EXP33-C

cwe_2019_top_25_cxx.tconf and cwe_2019_top_25_cxx_ja.tconf

cwe_2020_top_25_cxx.tconf and cwe_2020_top_25_cxx_ja.tconf

cwe_2021_top_25_cxx.tconf and cwe_2021_top_25_cxx_ja.tconf

Added or modified checker mappings to the following weaknesses:

  • CWE-611

cwe_all_cxx.tconf and cwe_all_cxx_ja.tconf

Added or modified checker mappings to the following weaknesses:

  • CWE-539

  • CWE-611

  • CWE-614

cwe_all_java.tconf and cwe_all_java_ja.tconf

Added or modified checker mappings to the following weaknesses:

  • CWE-295

  • CWE-311

  • CWE-315

  • CWE-326

  • CWE-327

  • CWE-384

  • CWE-614

  • CWE-807

disa_stig_v4_cxx.tconf and disa_stig_v4_cxx_ja.tconf

disa_stig_v5_cxx.tconf and disa_stig_v5_cxx_ja.tconf

Added or modified checker mappings to the following rules:

  • V-222577 (APSC-DV-002230)

  • V-222578 (APSC-DV-002240)

  • V-222596 (APSC-DV-002440)

  • V-222608 (APSC-DV-002550)

disa_stig_v4_java.tconf and disa_stig_v4_java_ja.tconf

Added or modified checker mappings to the following rules:

  • V-222396 (APSC-DV-000160)

  • V-222397 (APSC-DV-000170)

  • V-222536 (APSC-DV-001680)

  • V-222542 (APSC-DV-001740)

  • V-222543 (APSC-DV-001750)

  • V-222550 (APSC-DV-001810)

  • V-222555 (APSC-DV-001860)

  • V-222569 (APSC-DV-002010)

  • V-222571 (APSC-DV-002030)

  • V-222572 (APSC-DV-002040)

  • V-222585 (APSC-DV-002310)

  • V-222589 (APSC-DV-002350)

  • V-222596 (APSC-DV-002500)

  • V-222612 (APSC-DV-002590)

  • V-222641 (APSC-DV-003100)

Helix QAC taxonomies

The Helix QAC taxonomies have been updated to Helix QAC version 2023.1.

jsf_av_rev_c_cpp.tconf and jsf_av_rev_c_cpp_ja.tconf

Added or modified checker mappings to the following rules:

  • Rule 001

  • Rule 003

  • Rule 110

misra_c_2012_c90_all_checkers.tconf and misra_c_2012_c90_all_checkers_ja.tconf

misra_c_2012_c90_certified.tconf and misra_c_2012_c90_certified_ja.tconf

misra_c_2012_c99_all_checkers.tconf and misra_c_2012_c99_all_checkers_ja.tconf

misra_c_2012_c99_certified.tconf and misra_c_2012_c99_certified_ja.tconf

Added or modified checker mappings to the following rules:

  • Rule 22.3

misra_c_2012_with_amd1_c90_all_checkers.tconf and misra_c_2012_with_amd1_c90_all_checkers_ja.tconf

misra_c_2012_with_amd1_c90_certified.tconf and misra_c_2012_with_amd1_c90_certified_ja.tconf

misra_c_2012_with_amd1_c99_all_checkers.tconf and misra_c_2012_with_amd1_c99_all_checkers_ja.tconf

misra_c_2012_with_amd1_c99_certified.tconf and misra_c_2012_with_amd1_c99_certified_ja.tconf

Added or modified checker mappings to the following rules:

  • Rule 22.3

misra_c_2012_with_amd2_c11_all_checkers.tconf and misra_c_2012_with_amd2_c11_all_checkers_ja.tconf

misra_c_2012_with_amd2_c11_certified.tconf and misra_c_2012_with_amd2_c11_certified_ja.tconf

Added or modified checker mappings to the following rules:

  • Rule 1.4

  • Rule 21.21

  • Rule 22.3

misra_c_2012_with_amd2_c90_all_checkers.tconf and misra_c_2012_with_amd2_c90_all_checkers_ja.tconf

misra_c_2012_with_amd2_c90_certified.tconf and misra_c_2012_with_amd2_c90_certified_ja.tconf

misra_c_2012_with_amd2_c99_all_checkers.tconf and misra_c_2012_with_amd2_c99_all_checkers_ja.tconf

misra_c_2012_with_amd2_c99_certified.tconf and misra_c_2012_with_amd2_c99_certified_ja.tconf

Added or modified checker mappings to the following rules:

  • Rule 21.21

  • Rule 22.3

owasp_2021_10_cxx.tconf and owasp_2021_10_cxx_ja.tconf

Added or modified checker mappings to the following weaknesses:

  • A5

owasp_2017_10_java.tconf and owasp_2017_10_java_ja.tconf

Added or modified checker mappings to the following weaknesses:

  • A2

  • A3

  • A6

owasp_2021_10_java.tconf and owasp_2021_10_java_ja.tconf

Added or modified checker mappings to the following weaknesses:

  • A2

  • A4

  • A7

py.base.tconf and py.base_ja.tconf

Renamed from python.py3.tconf and python.py3_ja.tconf.

Improvements to supported compilers

We've added or improved support for the following compilers:

  • ARM Optimizing C/C++
  • Clang
  • IAR Systems C compiler/linker
  • Lapis Technology CCU8

For the full list of supported C/C++ compilers, see C/C++ compilers supported for build integration.

Licensing

Klocwork supports Reprise License Manager (RLM).

2022 licenses are not compatible with Klocwork 2023.2. You need a new license to use the latest version of the product. Contact license@perforce.com to obtain a new license.

End of Life notice for FLEXlm/FlexNet Publisher as of Klocwork 2023.1

Klocwork has changed its license management tool by moving from FLEXlm/FlexNet Publisher to Reprise License Manager (RLM) as of Klocwork 2023.1. FLEXlm/FlexNet Publisher is no longer supported.

New product license files will be generated for Reprise; if you require a FLEXlm license file for older Klocwork versions, we can provide this for you.

For more information on transitioning, see Transition license from FlexLM to Reprise.

Changes to system requirements

In this release, we've added support for

  • Debian 11.6
  • Oracle Linux 8.7
  • Amazon Linux 2 (2.0.20230119.1 Update)
  • Eclipse 2022-12 (4.26)
  • Android Studio Electric Eel (2022.1.1 Patch 1)
  • Visual Studio 2019 version 16.11.23
  • Visual Studio 2022 version 17.4.4
  • Visual Studio Code 1.65.2 (up to 1.75.1)
  • IntelliJ IDEA 2022.3 (up to 2022.3.2)
  • CLion 2022.3 (up to 2022.3.2)
  • Microsoft Edge 99.x to 110.x
  • Firefox 98.x to 110.x
  • Chrome 99.x to 110.x
  • Jenkins 2.391

In this release, we've ended support for

  • FLEXlm/FlexNet Publisher
  • macOS
  • SUSE Enterprise 15
  • Visual Studio Code 1.63.2 to 1.65.1
  • IntelliJ IDEA 2016.x to 2018.x (up to 2018.3.6)
  • Microsoft Edge 96.x to 98.x
  • Firefox 96.x to 97.x
  • Chrome 97.x to 98.x

For the complete list of supported versions, see System Requirements.

Maintenance for Klocwork 2021 ending

Maintenance for all versions of Klocwork 2021 ends March 31, 2023. The end of maintenance (EOM) date and the end of sale (EOS) date are also March 31, 2023. For information about the availability of support for any release of Klocwork, see the Klocwork Product Lifecycle.

Path API version upgrade in Klocwork 2023.1

We have upgraded the Path API version to accommodate multi-threaded execution within path analysis instances. The upgraded API is not backward compatible with previous versions. All custom checkers using the Path API need to be updated and recompiled by using the 2023.1 Klocwork Path API headers and library. For more information, see the Path API documentation.

End of Life notice for macOS as of Klocwork 2023.1

Beginning with Klocwork 2023.1, the following operating systems and installers are not supported:

  • macOS