What's new in Klocwork 2024.2

Released July 2024

Here are the highlights for Klocwork 2024.2. If you're upgrading Klocwork, see the Limitations for items that might affect your upgrade and usage.

Enhanced security and user experience with SAML and OIDC authentication

You can now integrate your identity provider (IdP) with Validate using Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) authentication to enjoy benefits such as:

  • Enhanced security through centralized authentication

  • Simplified user management and experience through single sign-on (SSO)

Validate has been tested with the following identity providers:

  • SAML: Keycloak, Okta, AWS, Cisco, and GitHub

  • OIDC: Keycloak, Google, Microsoft Entra (formerly Azure AD), and AWS

To learn how to set up and configure SAML and OIDC, see Setting up SAML access control and Setting up OIDC access control.

Authenticate using application tokens

In release 2024.2, ltokens have been replaced by application tokens. If you relied on ltokens for scripting before release 2024.2, see Transitioning from ltokens to application tokens.

To authenticate with a Validate server that is supported by SAML or OpenID Connect, install version 24.2 or newer of kwauth from one of the following packages: kwauthtools, kwbuildtools, or the kw-cmd-installer found in kw-desktop-tools. See Installing the Auth Tools package.

You can now create application tokens in Validate to securely authenticate with SAML or OIDC supported servers for the following tasks:

Note that SAML or OIDC device authorization (including for the desktop plug-ins) happens through the Validate login page, and uses an access code generated by kwauth or validate auth. To learn more, see Accessing Validate by Perforce.

Manage user sessions and tokens in Validate

Administrators can now manage individual user sessions through Validate. When this permission is enabled, you can log users out of their Validate sessions and revoke user tokens. To learn more, see Managing user sessions and tokens.

Enhanced password security in Validate

If you use basic authentication, you can now implement a secure password policy for Validate accounts. This requires your password to meet the following criteria:

  • A minimum of 8 characters

  • At least one uppercase letter

  • At least one lowercase letter

  • At least one number

  • At least one special character (such as !, @, # or $)

Existing passwords are not affected by this new policy. To learn more, see Enabling secure passwords.
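
The following pre-check is an added example, not Klocwork or Validate code: it tests candidate passwords against the five criteria listed above and reports which ones fail, for use in account provisioning scripts. The function and constant names are hypothetical, and it assumes ASCII letters and digits and treats any ASCII punctuation as a special character, because the page does not define the exact sets.

```python
import string

# Criteria as listed on this page for the Validate secure password policy.
MIN_LENGTH = 8
# Assumption: "special character" means any ASCII punctuation. The page only
# gives !, @, # and $ as examples and does not define the full set.
SPECIAL_CHARS = set(string.punctuation)
# Assumption: only ASCII letters and digits count, which is the conservative
# reading (a password that passes here does not rely on Unicode handling).
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)


def policy_violations(password: str) -> list:
    """Return the criteria the candidate fails; an empty list means it passes."""
    chars = set(password)
    checks = [
        (len(password) >= MIN_LENGTH, f"fewer than {MIN_LENGTH} characters"),
        (bool(chars & UPPER), "no uppercase letter"),
        (bool(chars & LOWER), "no lowercase letter"),
        (bool(chars & DIGITS), "no number"),
        (bool(chars & SPECIAL_CHARS), "no special character"),
    ]
    return [reason for ok, reason in checks if not ok]


def audit(candidates):
    """Map each candidate to its list of violations."""
    return {pw: policy_violations(pw) for pw in candidates}


# Constructed sample candidates (not real credentials).
SAMPLES = ["Tr1cky#Pass", "alllowercase", "Short1!", "NoSpecial123", "NO_LOWER_9"]

if __name__ == "__main__":
    for pw, problems in audit(SAMPLES).items():
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```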

Klocwork utility enhancements

You can now specify which Java Virtual Machine (JVM) the Klocwork Java tools use, by setting the KW_JAVA environment variable.

When this variable is set, the Klocwork Java tools will run using the JVM defined by KW_JAVA instead of the default JVM. This allows for greater flexibility and compatibility with different Java environments.

C and C++ enhancements

The Klocwork analysis engine for C/C++ can be run using classic, standard, or modern mode. If you do not specify an option, standard mode (recommended) is used by default. To learn more, see Specifying the C/C++ analysis engine mode.

Java enhancements

Instead of having to modify the build specification to focus on a select set of Java files for analysis, you can now use the --ignore-files option in kwandroid.

Plug-in and tool enhancements

The following enhancements were made to the Klocwork plug-ins and tools:

  • Depending on the version of your Validate server, plug-in, and tools, you can now connect to a project or stream in any plug-in using either classic authentication, or SAML or OIDC authentication. Simply refer to the instructions in the documentation for your desktop analysis tool, and follow the prompts on your screen.
  • To streamline the deployment of your Klocwork analysis tools in automated environments, the continuous integration tools are now included in the Build Tools package.

Expanded coverage for coding standards

This release includes new and expanded coverage for the following coding standards:

  • CWE for Kotlin

Plug-ins and extensions

Depending on the version of your Validate server, plug-in, and tools, you can now connect to a project or stream in any plug-in using either classic authentication, or SAML or OIDC authentication. Refer to the instructions in the documentation for your desktop analysis tool, and follow the prompts on your screen.

Checker improvements

New checkers

The following checkers were added in this release:

Checker Description
MISRA.TOKEN.WRONGESC.C.2004 and MISRA.TOKEN.WRONGESC.CPP.2008 These MISRA checkers provide support for MISRA-C Rule 4.1 (required): Incorrect escape sequence in a literal and MISRA-C++ Rule 2-13-1 (required): Only those escape sequences that are defined in ISO/IEC 14882:2003 shall be used.

Modified checkers

Checker Description
A_UNUSED.GEN Finds fewer false positives
AUTOSAR.ADD.ENUM.OP Finds fewer false positives
FUNCRET.GEN Finds fewer false positives
LOCRET.RET Finds fewer false positives
MISRA.ETYPE.INAPPR.CAST.2012 Finds fewer false positives
MISRA.TOKEN.WRONGESC Finds fewer false positives
MISRA.VAR.UNIQUE.STATIC Finds additional defects
MLK.MUST Finds fewer false positives
NNTS.MUST Finds fewer false positives
NPD.CHECK.MIGHT Finds fewer false positives
NPD.FUNC.MIGHT Finds fewer false positives
NPD.FUNC.MUST Finds fewer false positives
SV.BRM.HKEY_LOCAL_MACHINE Overall improvements to the checker
UNINIT.CTOR.MUST Finds fewer false positives
UNINIT.HEAP.MUST Finds fewer false positives
UNINIT.STACK.MIGHT Finds fewer false positives
UNINIT.STACK.MUST Finds fewer false positives

Enabled or disabled checkers

No checkers were added to or removed from the default enabled field of the checker configuration files in this release.

Taxonomy improvements

As part of the installation, you will find several custom taxonomy files that map Klocwork checkers to coding standards such as MISRA, CWE, OWASP, and DISA STIG.

Taxonomy: Improvements

  • cert_c_all.tconf and cert_c_all_ja.tconf: Added or modified checker mappings to the following rules: CERT POS02-C

  • cert_cpp.tconf and cert_cpp_ja.tconf: Substantial reorganization of the cert_cpp.tconf and cert_cpp_ja.tconf taxonomies.

  • cwe_all_kt.tconf and cwe_all_kt_ja.tconf: Added new taxonomies that map Klocwork Kotlin checkers to the CWE IDs.

  • Helix QAC taxonomies: Updated the Helix QAC taxonomies to Helix QAC version 2024.2.

  • misra_c_2023_c99.tconf and misra_c_2023_c99_ja.tconf, misra_c_2023_c90.tconf and misra_c_2023_c90_ja.tconf, misra_c_2023_c11.tconf and misra_c_2023_c11_ja.tconf, misra_c_2012_with_amd2_c99.tconf and misra_c_2012_with_amd2_c99_ja.tconf, misra_c_2012_with_amd2_c90.tconf and misra_c_2012_with_amd2_c90_ja.tconf, misra_c_2012_with_amd2_c11.tconf and misra_c_2012_with_amd2_c11_ja.tconf, misra_c_2004.tconf and misra_c_2004_ja.tconf, misra_cpp_2023.tconf and misra_cpp_2023_ja.tconf, misra_cpp_2008.tconf and misra_cpp_2008_ja.tconf: Substantial reorganization of the MISRA C and C++ taxonomies. Each taxonomy is now defined by using a rule-first approach, where the checkers are subcategories of rules in the taxonomies.

Improvements to supported compilers

You'll find additional or improved support for the following compilers:

  • Clang
  • Clang-cl
  • GCC
  • IAR
  • Renesas

For the full list of supported C and C++ compilers, see C/C++ compilers supported for build integration.

Licensing

Klocwork supports Reprise License Manager (RLM).

2023 licenses are not compatible with Klocwork 2024.1 or newer. To use the latest version of the product, obtain a new license by contacting Perforce at license@perforce.com.

For more information, see Supported versions of RLM and Operating systems that support RLM dongles.

Changes to system requirements

In this release, we added support for:

  • AlmaLinux 9.4

  • Amazon Linux 2 (2.0.20240529.0 Update)

  • Android Studio Iguana (2023.2.1 Patch 2)

  • Chrome 115.x to 126.x

  • CLion 2023.1.7, 2023.2.4

  • Eclipse 4.32 (2024-06)

  • Fedora 40

  • Firefox 115.x to 127.x, 115.x ESR

  • Glibc 2.39

  • Gradle 8.8

  • IntelliJ IDEA 2023.1, 2023.2.7

  • Microsoft Edge 115.x to 126.x

  • openSUSE Leap 15.6

  • Oracle Linux 9.4

  • Red Hat Enterprise Linux 9.4

  • Rocky Linux 9.4

  • Ubuntu 22.04 to 22.04.4 LTS

  • Visual Studio 2017 version 15.9.63

  • Visual Studio 2019 version 16.11.37

  • Visual Studio 2022 version 17.10.3

  • VS Code 1.80.2 to 1.90.2

In this release, we ended support for:

  • Chrome 111.x to 114.x

  • Fedora 38

  • Firefox 111.x to 114.x

  • Jenkins plug-in

  • Microsoft Edge 111.x to 114.x

  • VS Code 1.76.2 to 1.80.1

For the complete list of supported versions, see System Requirements.

Removal of the Jenkins plug-in starting in 2024.2

Starting in Klocwork 2024.2, the Jenkins plug-in has been removed from Klocwork and the installation package is no longer provided.

Removal of Validate Code Review starting in 2024.2

Starting in Klocwork 2024.2, the Code Review function and its associated command line tools have been removed from Validate.

Discontinuation of NIS access control starting in Klocwork 2024.3

Starting in Klocwork 2024.3, NIS access control will no longer be supported. Some functionalities may be affected in Klocwork 2024.2.

When migrating from an earlier version to Klocwork 2024.2, you will need to switch to a different authentication method. It is recommended that you switch authentication methods before migrating, to ensure that you can continue to sign in after the upgrade. For migration information, see Setting up NIS access control.

End of life notice for CentOS Linux 7 starting in Klocwork 2024.3

Starting in Klocwork 2024.3, the following operating systems and installers are not supported:

  • CentOS Linux 7

Maintenance ending for Klocwork 2022

Maintenance (including end of maintenance and end of sale) for all 2022 versions of Klocwork ended on March 31, 2024. To learn about the support available for all Klocwork releases, see the Klocwork Product Lifecycle.

Discontinuation of docs.roguewave.com in 2024

The docs.roguewave.com site was discontinued in early 2024. For Klocwork versions 2021 and earlier, see the offline documentation that is included with the product.

Discontinuation of Klocwork Server installations in release 2023.4

Starting from release 2023.4, Klocwork Server installations have been discontinued. You can transition to a Validate installation, which is designed to provide a more streamlined and integrated experience.

When transitioning from Klocwork to Validate:

  • Stop your Klocwork instance and back up the projects_root directory.

  • During Validate install, set the projects_root directory location to your current projects_root directory.

  • If you are currently using non-default values for ports or license server, be sure to set the same values when you install Validate.

Discontinuation of issue grouping

Starting from Klocwork 2023.3, issue grouping is turned off by default for new projects.

To help avoid issues, turn off issue grouping before you upgrade Klocwork.