What's new in Klocwork 2023.2

Here are the highlights for Klocwork 2023.2. If you're upgrading, see the Limitations for items that affect how you use Klocwork.

Validate

We've made it easier for you to investigate issues in Validate. You can now view, modify, and navigate the issue search list without leaving the Issue Details page. Use the new File Navigation pane to search individual files and explore issues. These new UI panes are configurable, and configurations persist between sessions when you use the same browser.

You can now import and export QAC metrics in Validate. For a list of QAC metrics, see QAC metrics reference. We've improved the Metrics report designer: You can edit threshold and total-metric-value report definitions in Validate. We've also enhanced the report selection page.

We've updated the names of a few of the commands you can use with Validate. To learn more, see Validate command reference.

Visual Studio extension

We've improved the performance of build specification generation for the Visual Studio extension when you use the kwcheck command as your external analysis engine. This means you'll be able to start analysis much sooner.

Streams

We've dramatically reduced the time it takes to display the project list for streams and make it ready for use.

C/C++

In this release, we

  • added support for several MISRA rules and increased coverage for MISRA C 2012 (up to AMD2)*
  • increased coverage for DISA STIG high severity rules
  • improved coverage for CERT, OWASP, and CWE, including adding a taxonomy for the 2022 CWE Top 25 Most Dangerous Software Weaknesses
  • enhanced support for C++14 and C++17 analysis

* Maximum coverage for MISRA C 2012 requires an additional package from Customer Support.

C#

We improved support for version 8.0 of the C# language specification by

  • adding support for static constructors

  • adding support for nested types and operator declarations in interfaces

  • improving support for verbatim interpolated strings

  • improving support for ranges and indices by supporting the .. and ^ operators

Java

We added

  • support for Jakarta EE
  • checkers that improve coverage of DISA STIG and CWE
  • improved support for Java 14 switch expressions

JavaScript

We added a --project-dir option to the kwjsspec command so that you can specify the JavaScript project root directory. This option helps capture the .eslintignore file (if present at the project root directory) for analysis.

Coding standards

This release includes new and expanded standards coverage for the following coding standards:

  • CERT
  • CWE
  • DISA STIG
  • MISRA
  • OWASP

Checker improvements

From release to release, we improve issue detection to bring state-of-the-art capabilities to our customers. As a result, expect your analysis results to change as accuracy and coverage improve.

New checkers

Checker Description
CXX.SV.PRIVATE_KEY.EMPTY_PASSWD This C/C++ checker detects when an empty password is used to store a private key in a public key infrastructure (PKI) based authentication.
CXX.SV.PRIVATE_KEY.UNENCRYPTED This C/C++ checker detects when an unencrypted cipher is used to store a private key in a public key infrastructure (PKI) based authentication, which can lead to unauthorized access.
CXX.SV.PWD_INPUT.REVIEW This C/C++ checker detects when password authentication is used in applications. Designers can review the defects to ensure that their company authentication policy is enforced.
CXX.SV.PWD.PLAIN This C/C++ checker detects when an application attempts to set a password or PIN by using a string written in plain text.
CXX.SV.PWD.PLAIN.LENGTH This C/C++ checker detects when an application attempts to set a plain text password that is fewer than 15 characters.
CXX.SV.PWD.PLAIN.LENGTH.ZERO This C/C++ checker detects when an application attempts to set a plain text password that is zero characters long.
CXX.SIZEOF.CSTRING This Community C/C++ checker detects the use of sizeof on a char*.
JAVA.SV.EMAIL.HOST This Java checker detects cases where mail server hostname verification functions haven't been configured properly to ensure that a server presents the correct certificate.
JAVA.SV.XML.INVALID This Java checker detects potential XML injection vulnerabilities by checking that XML data is XSD-validated before being processed.
MISRA.MEMCMP.NTS.2012_AMD1 This MISRA checker provides support for MISRA 2012 AMD1: Rule 21.14 (Required): The Standard Library function memcmp shall not be used to compare null terminated strings.
MISRA.MEMCMP.NTS.GLOBAL.2012_AMD1 This MISRA checker provides support for MISRA 2012 AMD1: Rule 21.14 (Required): The Standard Library function memcmp shall not be used to compare null terminated strings.
MISRA.STDLIB.ABORT.2012_AMD2 This MISRA checker provides support for MISRA C 2012 AMD2 Rule 21.8: The library termination functions of <stdlib.h> shall not be used.
MISRA.STDLIB.EOF.BAD_CMP.2012_AMD1 This MISRA checker provides support for MISRA 2012 AMD1: Rule 22.7 (Required): The macro EOF shall only be compared with the unmodified return value from any Standard Library function capable of returning EOF.
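As an added illustration that is not code from the Klocwork documentation, the following constructed C program shows the defect patterns behind three of the new C/C++ checkers (CXX.SIZEOF.CSTRING, MISRA.MEMCMP.NTS.2012_AMD1 for Rule 21.14, and MISRA.STDLIB.EOF.BAD_CMP.2012_AMD1 for Rule 22.7), each next to the form that does not trigger them. The function names and the sample bytes are assumptions; POSIX fmemopen is used only to feed the constructed input to the counting functions.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen (POSIX), used by run_counter */
#include <stdio.h>
#include <string.h>

/* CXX.SIZEOF.CSTRING: sizeof on a char* is the size of the pointer, not the
   length of the string it points to. */
size_t bad_length(const char *s)  { return sizeof(s); }   /* flagged */
size_t good_length(const char *s) { return strlen(s); }

/* MISRA C 2012 Rule 21.14: memcmp ignores the terminator, so a fixed byte
   count compares stale bytes after it (or reads past the shorter buffer). */
int bad_equal(const char *a, const char *b)  { return memcmp(a, b, 8) == 0; } /* flagged */
int good_equal(const char *a, const char *b) { return strcmp(a, b) == 0; }

/* Constructed case: both buffers hold the string "abc", but one has leftover
   bytes after the terminator. Returns 1 when the two comparisons disagree. */
int memcmp_vs_strcmp_disagree(void) {
    char a[8] = "abc";
    char b[8] = "abcXYZ";
    b[3] = '\0';                    /* b is now "abc" followed by stale "YZ" */
    return bad_equal(a, b) != good_equal(a, b);
}

/* MISRA C 2012 Rule 22.7: EOF compared with a value that was narrowed to
   char. fgetc returns int so that EOF (-1) stays distinct from the byte 0xFF;
   storing it in a char either stops the loop early on a 0xFF byte (signed
   char) or never sees EOF at all (unsigned char), hence the bound below. */
int bad_count(FILE *f) {
    int n = 0;
    char c;
    while (n < 16 && (c = (char)fgetc(f)) != EOF) n++;   /* flagged */
    return n;
}
int good_count(FILE *f) {
    int n = 0, c;
    while ((c = fgetc(f)) != EOF) n++;
    return n;
}

/* Constructed 5-byte input with a 0xFF byte in the middle; the literal is
   split so that "cd" is not read as part of the hex escape. */
int run_counter(int (*counter)(FILE *)) {
    static const char sample[] = "ab\xFF" "cd";
    FILE *f = fmemopen((void *)sample, sizeof sample - 1, "r");
    if (f == NULL) return -1;
    int n = counter(f);
    fclose(f);
    return n;
}
```

Only good_count reports the true length of 5; bad_count returns 2 where char is signed and hits the bound where it is unsigned, which is exactly the portability hazard Rule 22.7 addresses.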

Modified checkers

Checker Description
ABV.GENERAL New defects detected
ABV.STACK Overall improvements to the checker
ANDROID.RLK.SQLOBJ Reduced false positives
CS.HIDDEN.MEMBER.LOCAL.CLASS Reduced false positives
CS.HIDDEN.MEMBER.PARAM.CLASS Reduced false positives
CS.NRE.FUNC.MIGHT Reduced false positives
DBZ.GENERAL New defects detected
FUNCRET.GEN Reduced false positives
INVARIANT_CONDITION.UNREACH Reduced false positives
LOCRET.ARG Reduced false positives
LV_UNUSED.GEN Reduced false positives
MISRA.ASSIGN.OVERLAP New defects detected
MISRA.CAST.PTR.UNRELATED Reduced false positives
MISRA.INIT.BRACES Reduced false positives
MISRA.TYPEDEF.NOT_UNIQUE Reduced false positives
RNPD.DEREF New defects detected
UNREACH.GEN Reduced false positives

Enabled or disabled checkers

The following checkers were added to the default enabled field of the checker configuration files for this release.

  • JAVA.SV.EMAIL.HOST
  • JAVA.SV.XML.INVALID
  • PY3.E0001
  • PY3.E0011
  • PY3.E0013
  • PY3.E0014
  • PY3.E0015
  • PY3.F0001
  • PY3.F0002
  • PY3.F0010
  • PY3.F0011
  • PY3.R0022
  • PY3.W0012

Taxonomy improvements

As part of our installation, we offer several custom taxonomy files that map our checkers to standards such as MISRA, CWE, OWASP, and DISA STIG.

Taxonomy New/updated

cert_c_all.tconf and cert_c_all_ja.tconf
cert_c_rules.tconf and cert_c_rules_ja.tconf
cert_cpp.tconf and cert_cpp_ja.tconf
Added or modified checker mappings to the following rules:
  • CERT MSC41-C

cwe_2019_top_25_cxx.tconf and cwe_2019_top_25_cxx_ja.tconf
cwe_2020_top_25_cxx.tconf and cwe_2020_top_25_cxx_ja.tconf
Added or modified checker mappings to the following weaknesses:
  • CWE-287

cwe_2021_top_25_cxx.tconf and cwe_2021_top_25_cxx_ja.tconf
Added or modified checker mappings to the following weaknesses:
  • CWE-276
  • CWE-287

cwe_2021_top_25_java.tconf and cwe_2021_top_25_java_ja.tconf
Added or modified checker mappings to the following weaknesses:
  • CWE-20

cwe_2022_top_25_cxx.tconf and cwe_2022_top_25_cxx_ja.tconf
Added new taxonomies that map Klocwork checkers to the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

cwe_all_cs.tconf and cwe_all_cs_ja.tconf
Added or modified checker mappings to the following weaknesses:
  • CWE-562
  • CWE-672
  • CWE-896

cwe_all_cxx.tconf and cwe_all_cxx_ja.tconf
Added or modified checker mappings to the following weaknesses:
  • CWE-80
  • CWE-99
  • CWE-121
  • CWE-122
  • CWE-127
  • CWE-131
  • CWE-195
  • CWE-196
  • CWE-256
  • CWE-259
  • CWE-276
  • CWE-287
  • CWE-307
  • CWE-311
  • CWE-312
  • CWE-321
  • CWE-412
  • CWE-467
  • CWE-522
  • CWE-672
  • CWE-682
  • CWE-690
  • CWE-704
  • CWE-786
  • CWE-798
  • CWE-805
  • CWE-843
  • CWE-896
  • CWE-910
  • CWE-1335

cwe_all_java.tconf and cwe_all_java_ja.tconf
Added or modified checker mappings to the following weaknesses:
  • CWE-74
  • CWE-295

disa_stig_v4_cxx.tconf and disa_stig_v4_cxx_ja.tconf
disa_stig_v5_cxx.tconf and disa_stig_v5_cxx_ja.tconf
Added or modified checker mappings to the following rules:
  • V-222432 (APSC-DV-000530)
  • V-222536 (APSC-DV-001680)
  • V-222551 (APSC-DV-001820)
  • V-222554 (APSC-DV-001850)

disa_stig_v5_java.tconf and disa_stig_v5_java_ja.tconf
Added or modified checker mappings to the following rules:
  • V-222555 (APSC-DV-001860)

Helix QAC taxonomies
The Helix QAC taxonomies have been updated to Helix QAC version 2023.2.

jsf_av_rev_c_cpp.tconf and jsf_av_rev_c_cpp_ja.tconf
Added or modified checker mappings to the following rules:
  • Rule 001
  • Rule 003
  • Rule 110

misra_c_2012_c90_all_checkers.tconf and misra_c_2012_c90_all_checkers_ja.tconf
misra_c_2012_c90_certified.tconf and misra_c_2012_c90_certified_ja.tconf
misra_c_2012_c99_all_checkers.tconf and misra_c_2012_c99_all_checkers_ja.tconf
misra_c_2012_c99_certified.tconf and misra_c_2012_c99_certified_ja.tconf
Added or modified checker mappings to the following rules:
  • Rule 5.6

misra_c_2012_with_amd1_c90_all_checkers.tconf and misra_c_2012_with_amd1_c90_all_checkers_ja.tconf
misra_c_2012_with_amd1_c90_certified and misra_c_2012_with_amd1_c90_certified_ja.tconf
misra_c_2012_with_amd1_c99_all_checkers.tconf and misra_c_2012_with_amd1_c99_all_checkers_ja.tconf
misra_c_2012_with_amd1_c99_certified.tconf and misra_c_2012_with_amd1_c99_certified_ja.tconf
Added or modified checker mappings to the following rules:
  • Rule 5.6
  • Rule 21.4
  • Rule 22.7

misra_c_2012_with_amd2_c11_all_checkers.tconf and misra_c_2012_with_amd2_c11_all_checkers_ja.tconf
misra_c_2012_with_amd2_c11_certified.tconf and misra_c_2012_with_amd2_c11_certified_ja.tconf
misra_c_2012_with_amd2_c90_all_checkers.tconf and misra_c_2012_with_amd2_c90_all_checkers_ja.tconf
misra_c_2012_with_amd2_c90_certified and misra_c_2012_with_amd2_c90_certified_ja.tconf
misra_c_2012_with_amd2_c99_all_checkers.tconf and misra_c_2012_with_amd2_c99_all_checkers_ja.tconf
misra_c_2012_with_amd2_c99_certified.tconf and misra_c_2012_with_amd2_c99_certified_ja.tconf
Added or modified checker mappings to the following rules:
  • Rule 5.6
  • Rule 21.4
  • Rule 21.8
  • Rule 22.7

py.base.tconf and py.base_ja.tconf
Added or modified checker mappings to the following categories:
  • Basic
  • Classes
  • Exceptions
  • Imports
  • Standard Library Issues
  • Typecheck

Improvements to supported compilers

We've added or improved support for the following compilers:

  • Clang

For the full list of supported C/C++ compilers, see C/C++ compilers supported for build integration.

Licensing

Klocwork supports Reprise License Manager (RLM).

2022 licenses are not compatible with Klocwork 2023.2. You need a new license to use the latest version of the product. Contact license@perforce.com to obtain a new license.

End of Life notice for FLEXlm/FlexNet Publisher as of Klocwork 2023.1

Klocwork has changed its license management tool by moving from FLEXlm/FlexNet Publisher to Reprise License Manager (RLM) as of Klocwork 2023.1. FLEXlm/FlexNet Publisher is no longer supported.

New product license files will be generated for Reprise; if you require a FLEXlm license file for older Klocwork versions, we can provide this for you.

To learn more about transitioning, see Transition license from FlexLM to Reprise.

Changes to system requirements

In this release, we've added support for

  • Debian 11.7
  • Red Hat Enterprise Linux 8.8
  • Oracle Linux 8.7
  • Amazon Linux 2 (2.0.20230515.0 Update)
  • Ubuntu 22.04 to 22.04.2 LTS
  • Fedora 38
  • Eclipse 4.27 (2023-03)
  • Android Studio Flamingo 2022.2.1 Patch 2
  • Visual Studio 2017 version 15.9.54
  • Visual Studio 2019 version 16.11.26
  • Visual Studio 2022 version 17.6.1
  • Visual Studio Code 1.78.2
  • IntelliJ IDEA 2022.2.5, 2022.3.3
  • CLion 2022.2.5, 2022.3.3, 2023.1 (up to 2023.1.3)
  • Microsoft Edge 113.x
  • Firefox 113.x
  • Chrome 112.x
  • Jenkins 2.406

In this release, we've ended support for

  • Fedora 36
  • Visual Studio Code 1.65.2 to 1.69.1
  • Microsoft Edge 99.x to 102.x
  • Firefox 98.x to 102.x
  • Chrome 99.x to 102.x
  • Safari 13.x

For the complete list of supported versions, see System Requirements.

Maintenance for Klocwork 2021 ended

Maintenance for all versions of Klocwork 2021 ended March 31, 2023. The end of maintenance (EOM) date and end of sale (EOS) date were also March 31, 2023. For information about the availability of support for any release of Klocwork, see the Klocwork Product Lifecycle.

Path API version upgrade in Klocwork 2023.1

We upgraded the Path API version to accommodate multi-threaded execution within path analysis instances. The upgraded API is not backward compatible with previous versions. All custom checkers using the Path API need to be updated and recompiled by using the 2023 Klocwork Path API headers and library. To learn more, see the Path API documentation.

End of Life notice for macOS as of Klocwork 2023.1

Beginning with Klocwork 2023.1, the following operating systems and installers are not supported:

  • macOS