What's new in Klocwork 2023.3

Here are the highlights for Klocwork 2023.3. If you're upgrading, see the Limitations for items that affect how you use Klocwork.

Identify builds with build tags

We have introduced build tags for both system (regular) builds and CI builds. Build tags are brief elements of information that allow you to

  • better identify specific builds, by using useful tags such as branch names, commit IDs, platforms, or architecture

  • add arbitrary metadata to a build that can be used in your scripts

  • associate a commit or branch with a build, which can then be queried and used to help generate the file matching overrides file in an automated fashion

There are many ways to add, edit, and view build tags. They are accessible through the web Portal, the web API, kwadmin or validate admin's load & list-builds commands, and kwciagent's run and sync commands. To learn more, see Using build tags.

Manually specify file matches using an overrides file

We have added a file matching overrides file option to manually specify file matches.

The overrides file is a simple text file that allows you to mark files as added, deleted, or renamed. Using an overrides file gives you better control over complex scenarios and reduces file mismatches.

To apply the overrides file, use the file-overrides option with kwadmin load or validate admin load. See Use file matching overrides file for more information and examples.

Recommendations for loading builds

Klocwork uses an auto-matching algorithm when loading builds to determine which files have changed or moved when compared to previous builds. This is the foundation for matching issues between builds, and has a big impact on the accuracy of results build over build.

In order to get the best matching results when loading Klocwork builds, we encourage you to:

  • always use replace path

  • enable exact file matching

  • use a file matching overrides file

  • use build tags

  • create logical stream structures

For more information, see Recommended mechanisms for loading builds.

Plugins and extensions

From Klocwork 2023.3, analysis done in Visual Studio will default to the kwcheck external analysis engine. Having kwcheck.exe as your default engine allows you to bypass indexing to start your analysis sooner, and lets you use the same underlying analysis framework both on the desktop and on the server, resulting in improved consistency and efficiency in resolving your defects.

In order to use the external engine, ensure that you have installed kwcheck. To configure kwcheck, navigate to Extensions > Klocwork > Options.

Streams

We've further enhanced the speed and performance when working with, editing, and deleting streams in a project.

C/C++

In this release we

  • added tracking of array values when using constant indices

  • improved the C/C++ analysis engine for stability and accuracy

  • enhanced support for C++14 and C++17 analysis

  • added a new taxonomy for CWE 2023 Top 25 for C/C++

  • added a new taxonomy for MISRA C:2023

Java

In this release we

  • added full support for Java 14 analysis

Coding standards

This release includes new and expanded standards coverage for the following coding standards:

  • CWE
  • CWE 2023 Top 25 for C/C++
  • DISA-STIG for C/C++
  • HKMC Secure Coding Standard
  • MISRA C:2023

Checker improvements

From release to release, we improve issue detection to bring state-of-the-art capabilities to our customers. As a result, expect your analysis results to change as accuracy and coverage improve.

New checkers

Checker Description
PRECISION.LOSS.INIT This C/C++ checker detects when an implicit cast to a smaller data type during initialization may cause a loss of precision (data).
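
The kind of initialization the PRECISION.LOSS.INIT description refers to, shown next to a range-checked form. This is an added example, not code from the Klocwork documentation; the function names and the 16-bit header scenario are assumptions, and this page does not state exactly which lines the checker reports.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed scenario: the caller tracks a payload length as size_t, but the
   on-wire header field is only 16 bits wide. */

/* Before: implicit narrowing in the initializer. For payload_len > UINT16_MAX
   the high bits are dropped, so the header advertises a shorter payload than
   the caller really has. */
uint16_t header_len_unchecked(size_t payload_len)
{
    uint16_t wire_len = payload_len;  /* implicit size_t -> uint16_t */
    return wire_len;
}

/* After: range-check, then convert explicitly. Returns 0 on success, -1 if
   the value does not fit in the 16-bit field. */
int header_len_checked(size_t payload_len, uint16_t *wire_len)
{
    if (wire_len == NULL || payload_len > UINT16_MAX)
        return -1;
    *wire_len = (uint16_t)payload_len;
    return 0;
}

/* Same pattern with floating point: initializing a float from a double drops
   mantissa bits, so two distinct doubles can become equal. Returns 1 if so. */
int float_init_collapses(double a, double b)
{
    float fa = a;  /* implicit double -> float */
    float fb = b;
    return a != b && fa == fb;
}

int main(void)
{
    uint16_t w = 0;
    size_t big = 65546;  /* constructed value: UINT16_MAX + 11 */
    printf("unchecked: %u\n", (unsigned)header_len_unchecked(big));
    printf("checked:   %d\n", header_len_checked(big, &w));
    printf("float:     %d\n", float_init_collapses(16777216.0, 16777217.0));
    return 0;
}
```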

Modified checkers

Checker Description
INFINITE_LOOP.GLOBAL New defects detected
INFINITE_LOOP.LOCAL New defects detected
LOCRET.ARG Reduced false positives
MISRA.EXPANSION.UNSAFE New defects detected
MLK.MUST New defects detected
NPD.FUNC.MIGHT Reduced false positives
RH.LEAK Reduced false positives
RLK.OUT New defects detected
SV.SSRF.URI New defects detected
SV.USAGERULES.PROCESS_VARIANTS Updated the documentation with sample code
UNINIT.STACK.MUST Reduced false positives
UNREACH.GEN Reduced false positives
VA_UNUSED.INIT Reduced false positives

Enabled or disabled checkers

The following checkers were removed from the default enabled field of the checker configuration files for this release.

  • PY3.E0001

  • PY3.E0013

  • PY3.E0014

  • PY3.E0015

  • PY3.F0001

  • PY3.F0002

  • PY3.F0010

  • PY3.F0011

Taxonomy improvements

As part of our installation, we offer several custom taxonomy files that map our checkers to standards such as MISRA, CWE, OWASP, and DISA STIG.

Taxonomy New/updated
cwe_2023_top_25_cxx.tconf and cwe_2023_top_25_cxx_ja.tconf

Added new taxonomies that map Klocwork checkers to the 2023 CWE Top 25 Most Dangerous Software Weaknesses.

cwe_all_cxx.tconf and cwe_all_cxx_ja.tconf

Substantial reorganization of the cwe_all_cxx.tconf and cwe_all_cxx_ja.tconf taxonomies.

disa_stig_v4_cxx.tconf and disa_stig_v4_cxx_ja.tconf

Added or modified checker mappings to the following rules:

  • APSC-DV-002590

  • APSC-DV-003170

disa_stig_v5_cxx.tconf and disa_stig_v5_cxx_ja.tconf

Added or modified checker mappings to the following rules:

  • APSC-DV-002590

  • APSC-DV-003170

  • APSC-DV-002010

hkmc_c.tconf and hkmc_c_ja.tconf

Added or modified checker mappings to the following rules:

  • C-INT-001

  • C-INT-003

misra_c_2023_c11_all_checkers.tconf and misra_c_2023_c11_all_checkers_ja.tconf

misra_c_2023_c11_certified.tconf and misra_c_2023_c11_certified_ja.tconf

misra_c_2023_c90_all_checkers.tconf and misra_c_2023_c90_all_checkers_ja.tconf

misra_c_2023_c90_certified.tconf and misra_c_2023_c90_certified_ja.tconf

misra_c_2023_c99_all_checkers.tconf and misra_c_2023_c99_all_checkers_ja.tconf

misra_c_2023_c99_certified.tconf and misra_c_2023_c99_certified_ja.tconf

Added new taxonomies that map Klocwork checkers to the MISRA C:2023 standards.

Improvements to supported compilers

We've added or improved support for the following compilers:

  • Clang

  • GNU

  • TI Arm Clang

  • TI tms320c28x

  • TI msp430 C/C++

  • TI tms320c6x, TI tms320c55x, and TI C7000 Optimizing C/C++

For the full list of supported C/C++ compilers, see C/C++ compilers supported for build integration.

Licensing

Klocwork supports Reprise License Manager (RLM).

2022 licenses are not compatible with Klocwork 2023.3. You need a new license to use the latest version of the product. Contact license@perforce.com to obtain a new license.

In this release, we have added information about using RLM dongles with Klocwork. For more information, see Supported versions of RLM and Operating systems that support RLM dongles.

End of Life notice for FLEXlm/FlexNet Publisher as of Klocwork 2023.1

Klocwork has changed its license management tool by moving from FLEXlm/FlexNet Publisher to Reprise License Manager (RLM) as of Klocwork 2023.1. FLEXlm/FlexNet Publisher is no longer supported.

New product license files will be generated for Reprise; if you require a FLEXlm license file for older Klocwork versions, we can provide this for you.

To learn more about transitioning, see Transition license from FlexLM to Reprise.

Changes to system requirements

In this release, we've added support for

  • Windows 11 (version 22H2)

  • AlmaLinux versions 9.0 to 9.2

  • Amazon Linux 2 (2.0.20230808.0 Update)

  • Oracle Linux 8.8

  • Rocky Linux versions 9.0 to 9.2

  • Eclipse 4.28 (2023-06)

  • Android Studio Giraffe 2022.3.1

  • CLion 2023.1 (up to 2023.1.5)

  • Visual Studio 2017 version 15.9.56

  • Visual Studio 2019 version 16.11.29

  • Visual Studio 2022 version 17.7.1

  • Visual Studio Code 1.81.1 (minimum supported version is 1.72.2)

  • Microsoft Edge 115.x

  • Firefox 116.x

  • Chrome 116.x

  • Jenkins 2.419

In this release, we've ended support for

  • Visual Studio Code 1.69.1 to 1.72.1

  • Microsoft Edge 103.x to 105.x

  • Firefox 103.x to 105.x

  • Chrome 103.x to 105.x

For the complete list of supported versions, see System Requirements.

Deprecation of issue grouping

Issue grouping is deprecated as of Klocwork 2023.3. If you are upgrading from a previous version, we recommend turning off issue grouping before performing a migration.

Maintenance for Klocwork 2021 ended

Maintenance for all versions of Klocwork 2021 ended March 31, 2023. The end of maintenance (EOM) and end of sale (EOS) dates were also March 31, 2023. For information about the availability of support for any release of Klocwork, see the Klocwork Product Lifecycle.

Path API version upgrade in Klocwork 2023.1

We upgraded the Path API version to accommodate multi-threaded execution within path analysis instances. The upgraded API is not backward compatible with previous versions. All custom checkers using the Path API need to be updated and recompiled by using the 2023 Klocwork Path API headers and library. To learn more, see the Path API documentation.

End of Life notice for macOS as of Klocwork 2023.1

Beginning with Klocwork 2023.1, the following operating systems and installers are not supported:

  • macOS