What's new in Klocwork 2022.2

Here are the highlights for Klocwork 2022.2. If you're upgrading, also see kwlimitations.htm for items that affect how you use Klocwork.

Project streams

Klocwork’s project streams feature now handles multiple versions of the same codebase more efficiently, whether you are working with stream projects, storing results, or migrating projects. This release

  • enables support for desktop plugins to recognize streams, allowing developers to switch context between projects and their streams, and then load results to the selected stream
  • completes stream support across all Klocwork's toolchain and plugins
  • introduces parallelized stream build loading and provides improved performance when loading analysis results to Klocwork’s Validate platform
  • provides a path to migrate to streams from older legacy projects

Java

This release includes support for incremental/differential analysis:

  • Differential Analysis uses system context data from the server to analyze only the files that were changed, while providing a diff analysis as if the entire system were analyzed, resulting in the shortest analysis times.
  • When using these features, our internally benchmarked OSS projects showed up to a 63% reduction in analysis time.

C/C++ analysis engine

You can use the defect suppression feature to focus on issues that matter. Filter out noisy defects or issues in code you’re not responsible for, such as third-party code, libraries, and headers.

Microsoft Visual Studio 2022 IDE Plugin

Use the Visual Studio 2022 Extension to quickly and easily detect and then fix issues before check-in. The Extension supports C/C++, C#, as well as mixed projects and solutions.

Coding standards

This release includes new and expanded standards coverage for the following coding standards:

  • CERT
  • CWE for Java, JavaScript, and Python
  • DISA STIG Version 5 for Java
  • OWASP Top 10 2021 for C/C++, Java, JavaScript, and Python

Klocwork Portal rebranded to Validate

We’re excited to announce that Validate is the new name for the Klocwork Portal.

Our vision for the Validate platform is to be the single source of truth for Perforce Static Analysis products, Klocwork and Helix QAC. This journey begins with a new name, installer, and look and feel.

Stay tuned for more improvements going forward!

Klocwork checker improvements

From release to release, we improve issue detection to bring state-of-the-art capabilities to our customers. As a result, expect your analysis results to change as accuracy and coverage improve.

New Klocwork checkers

  • ABV.GENERAL.MULTIDIMENSION: This C/C++ checker flags array bounds violations for multi-dimensional arrays.
  • CERT.EXIT.HANDLER_TERMINATE: This C/C++ checker flags code that calls an exit function from an exit handler function.
  • CERT.FIO.NO_FLUSH: This C/C++ checker flags cases where a flush or positioning function call is missing.
  • CERT.FSETPOS.VALUE: This C/C++ checker flags cases where the 'fsetpos()' function is called with an argument of type fpos_t that was not created by the 'fgetpos()' function.
  • CERT.STDLIB.SIGNAL: This C/C++ checker flags returns from a computational exception signal handler for SIGFPE, SIGBUS, SIGSEGV, SIGILL, SIGEMT, and SIGTRAP.
  • CERT.VA_ARG.TYPE: This C/C++ checker flags cases where the type passed to va_arg() does not match the type passed to a variadic function after argument promotions.
  • CERT.VA_START.TYPE: This C/C++ checker flags cases where an unsupported object type is passed to va_start() as the second argument.
  • SV.SSRF.URI: This Java checker flags cases where a Java web server application receives a URL or similar request from an upstream component and retrieves the contents of that URL without sufficiently ensuring that the request is being sent to the expected destination.
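The following C program is an added illustration, not Klocwork's own code and not a reproduction of the checkers' detection logic. It shows the code shapes behind three of the new checkers listed above (ABV.GENERAL.MULTIDIMENSION, CERT.VA_ARG.TYPE, and CERT.FIO.NO_FLUSH) written in the form the checkers accept, with comments naming the variant each checker would flag. The function names, the grid size, and the sample inputs are this example's own assumptions.

```c
/* Added example (not Klocwork's code): the defect classes behind three of the
 * new C/C++ checkers, each shown in its accepted form. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ROWS 3   /* assumed grid dimensions for the example */
#define COLS 4

/* ABV.GENERAL.MULTIDIMENSION: index a 2-D array only after checking BOTH
 * indices. Writing grid[r][c] with r >= ROWS or c >= COLS is the violation
 * the checker reports. Returns 0 on success, -1 when rejected. */
int set_cell(int grid[ROWS][COLS], int r, int c, int value)
{
    if (r < 0 || r >= ROWS || c < 0 || c >= COLS)
        return -1;
    grid[r][c] = value;
    return 0;
}

/* Convenience wrapper over a private grid so callers only supply indices. */
int try_write(int r, int c)
{
    static int grid[ROWS][COLS];
    return set_cell(grid, r, c, 1);
}

/* CERT.VA_ARG.TYPE: read each variadic argument with the type it has AFTER
 * default argument promotions: char/short arrive as int, float as double.
 * va_arg(ap, char) or va_arg(ap, float) is the mismatch the checker flags. */
int sum_promoted_chars(int count, ...)
{
    va_list ap;
    int total = 0;
    va_start(ap, count);
    for (int i = 0; i < count; i++)
        total += va_arg(ap, int);      /* char arguments were promoted to int */
    va_end(ap);
    return total;
}

double sum_promoted_floats(int count, ...)
{
    va_list ap;
    double total = 0.0;
    va_start(ap, count);
    for (int i = 0; i < count; i++)
        total += va_arg(ap, double);   /* float arguments were promoted to double */
    va_end(ap);
    return total;
}

/* CERT.FIO.NO_FLUSH: on a stream opened for update, switching from output to
 * input (or input to output) needs an intervening fflush() or a positioning
 * call such as fseek(). Omitting that call is the defect the checker flags.
 * Returns 1 when the text written is read back intact, 0 on any failure. */
int roundtrip_update_stream(const char *text)
{
    char buf[64];
    size_t len = strlen(text);
    FILE *fp = tmpfile();              /* standard C: opened in "wb+" mode */
    if (fp == NULL || len >= sizeof buf)
        return 0;
    if (fputs(text, fp) == EOF) { fclose(fp); return 0; }
    /* The positioning call that makes the write-then-read sequence well defined. */
    if (fseek(fp, 0L, SEEK_SET) != 0) { fclose(fp); return 0; }
    size_t got = fread(buf, 1, len, fp);
    fclose(fp);
    buf[got] = '\0';
    return got == len && strcmp(buf, text) == 0;
}

int main(void)
{
    char a = 'a', b = 'b', c = 'c';    /* promoted to int at the call site */
    printf("in-bounds write: %d, out-of-bounds write: %d\n",
           try_write(2, 3), try_write(3, 0));
    printf("sum of promoted chars: %d\n", sum_promoted_chars(3, a, b, c));
    printf("sum of promoted floats: %g\n", sum_promoted_floats(2, 1.5f, 2.25f));
    printf("update-stream round trip ok: %d\n",
           roundtrip_update_stream("flush before read"));
    return 0;
}
```

The wrappers return status codes rather than printing so that the accepted shapes can be checked mechanically; the flagged variants are deliberately described in comments only, since executing them would be undefined behaviour.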

Modified Klocwork checkers

  • ABV.GENERAL: Reduced false positives
  • ABV.STACK: Reduced false positives
  • AUTOSAR.ADD.NULLPTR: Reduced false positives
  • AUTOSAR.ARRAY.CSTSLE: Reduced false positives
  • AUTOSAR.ASSIGN.REF_QUAL: Reduced false positives
  • MISRA.FUNC.UNMATCHED.PARAMS: Reduced false positives
  • MISRA.INCL.UNSAFE: New defects detected
  • MLK.MUST: New defects detected
  • NPD.GEN.MUST: Reduced false positives
  • NNTS.MUST: New defects detected
  • RI.IGNORED: New defects detected
  • SV.FMT_STR.SCAN_FORMAT_MISMATCH.BAD: Reduced false positives

Enabled or disabled checkers

The following checkers were added to the default enabled field of the checker configuration files for this release:

  • ABV.GENERAL.MULTIDIMENSION
  • SV.SSRF.URI

Taxonomy improvements

As part of our installation, we offer several custom taxonomy files that map our checkers to standards such as MISRA, CWE, OWASP, and DISA STIG.

autosar_cpp_18_10.tconf and autosar_cpp_18_10_ja.tconf
autosar_cpp_18_10_strict.tconf and autosar_cpp_18_10_strict_ja.tconf

Modified checker mapping for the following rule:

  • A5-2-5

cert_c.tconf and cert_c_ja.tconf renamed to cert_c_rules.tconf and cert_c_rules_ja.tconf

Added or modified checker mappings to the following rules:

  • CERT ARR30-C
  • CERT ARR38-C
  • CERT ENV32-C
  • CERT EXP47-C
  • CERT FIO39-C
  • CERT FIO44-C
  • CERT POS30-C
  • CERT SIG35-C
  • CERT STR32-C

Removed a mapping to the following rule:

  • CERT EXP00-C

cert_c_all.tconf and cert_c_all_ja.tconf

Added or modified checker mappings to the following rules:

  • CERT ARR00-C
  • CERT ARR30-C
  • CERT ARR38-C
  • CERT ENV01-C
  • CERT ENV32-C
  • CERT ERR30-C
  • CERT EXP08-C
  • CERT EXP47-C
  • CERT FIO39-C
  • CERT FIO44-C
  • CERT POS30-C
  • CERT SIG35-C

cert_cpp.tconf and cert_cpp_ja.tconf

Added or modified checker mappings to the following rules:

  • CERT CTR50-CPP
  • CERT ENV32-C
  • CERT EXP08-CPP
  • CERT EXP47-C
  • CERT EXP50-CPP
  • CERT EXP58-CPP
  • CERT FIO39-C
  • CERT FIO44-C
  • CERT INT04-CPP
  • CERT MSC51-CPP
  • CERT POS30-C
  • CERT SIG35-C

cwe_2019_top_25_cxx.tconf and cwe_2019_top_25_cxx_ja.tconf
cwe_2020_top_25_cxx.tconf and cwe_2020_top_25_cxx_ja.tconf
cwe_2021_top_25_cxx.tconf and cwe_2021_top_25_cxx_ja.tconf

Added or modified checker mappings to the following weaknesses:

  • CWE-119
  • CWE-125
  • CWE-787

cwe_2021_top_25_java.tconf and cwe_2021_top_25_java_ja.tconf

Added or modified checker mappings to the following weaknesses:

  • CWE-276
  • CWE-918
  • CWE-77

cwe_all_cxx.tconf and cwe_all_cxx_ja.tconf

Added or modified checker mappings to the following weaknesses:

  • CWE-119
  • CWE-120
  • CWE-122
  • CWE-125
  • CWE-193
  • CWE-251
  • CWE-787
  • CWE-788
  • CWE-805

cwe_all_java.tconf and cwe_all_java_ja.tconf

Added or modified checker mappings to the following weaknesses:

  • CWE-918

disa_stig_10_java.tconf and disa_stig_10_java_ja.tconf

Removed these taxonomies.

disa_stig_v5_cxx.tconf and disa_stig_v5_cxx_ja.tconf

Added or modified checker mappings to the following IDs:

  • V-222612 (APSC-DV-002590)

disa_stig_v5_java.tconf and disa_stig_v5_java_ja.tconf

New taxonomies that map Klocwork Java checkers to DISA STIG version 5 IDs.

Helix QAC taxonomies

The Helix QAC taxonomies have been updated to Helix QAC version 2022.2.

kw_quality_std_cxx.tconf and kw_quality_std_cxx_ja.tconf

Mapped a checker to the following category:

  • Buffer Overflow

misra_c_2012_c90_all_checkers.tconf and misra_c_2012_c90_all_checkers_ja.tconf
misra_c_2012_c90_all_checkers_certified.tconf and misra_c_2012_c90_all_checkers_certified_ja.tconf
misra_c_2012_c99_all_checkers.tconf and misra_c_2012_c99_all_checkers_ja.tconf
misra_c_2012_c99_all_checkers_certified.tconf and misra_c_2012_c99_all_checkers_certified_ja.tconf

Added or modified checker mappings to the following rules:

  • Dir. 4.1
  • Dir. 4.2
  • 18.1

misra_c_2012_with_amd1_c90_all_checkers.tconf and misra_c_2012_with_amd1_c90_all_checkers_ja.tconf
misra_c_2012_with_amd1_c90_certified and misra_c_2012_with_amd1_c90_certified_ja.tconf
misra_c_2012_with_amd1_c99_all_checkers.tconf and misra_c_2012_with_amd1_c99_all_checkers_ja.tconf
misra_c_2012_with_amd1_c99_certified.tconf and misra_c_2012_with_amd1_c99_certified_ja.tconf
misra_c_2012_with_amd2_c11_all_checkers.tconf and misra_c_2012_with_amd2_c11_all_checkers_ja.tconf
misra_c_2012_with_amd2_c11_certified.tconf and misra_c_2012_with_amd2_c11_certified_ja.tconf

Added or modified checker mappings to the following rules:

  • Dir. 4.1
  • Dir. 4.2
  • 18.1
  • 21.17
  • 21.18

owasp_2021_10_cxx.tconf and owasp_2021_10_cxx_ja.tconf
owasp_2021_10_java.tconf and owasp_2021_10_java_ja.tconf
owasp_2021_10_js.base.tconf and owasp_2021_10_js_ja.base.tconf
owasp_2021_10_py2.tconf and owasp_2021_10_py2_ja.tconf
owasp_2021_10_py3.tconf and owasp_2021_10_py3_ja.tconf

New taxonomies that map Klocwork checkers to the OWASP Top 10:2021.

pci_3_2_1_community_cs.tconf and pci_3_2_1_community_cs_ja.tconf
pci_3_2_1_community_cxx.tconf and pci_3_2_1_community_cxx_ja.tconf
pci_3_2_1_community_java.tconf and pci_3_2_1_community_java_ja.tconf

Removed "community" from the file names.

Improvements to supported compilers

We've added or improved support for the following compilers:

  • IAR Systems C
  • QNX
  • Tensilica Xtensa C/C++

For the full list of supported C/C++ compilers, see C/C++ compilers supported for build integration.

Licensing

Klocwork now supports Reprise License Manager (RLM). FLEXlm/FlexNet Publisher support is deprecated, but will continue to work until the release of Klocwork 2023.1. You can continue to use your existing FLEX license files for the remainder of the Klocwork 2022 releases. If you need new license files, please contact license@perforce.com.

2021 licenses are not compatible with Klocwork 2022.2. You need a new license to use the latest version of the product. Contact license@perforce.com to obtain a new license.

Log4j libraries upgraded to v2

The log4j libraries used by Klocwork have been upgraded to v2. Although Klocwork was previously using log4j v1, which was not affected by the Log4Shell vulnerability, we have updated the log4j libraries to the latest version to deliver enhanced security for Klocwork.

Changes to system requirements

In this release, we've added support for

  • Microsoft Visual Studio 2022, up to version 17.2.4

For the complete list of supported versions, see System Requirements.

Maintenance for Klocwork 2020 ended

Maintenance for all versions of Klocwork 2020 ended March 31, 2022. The end of maintenance (EOM) date and end of sale (EOS) date were also March 31, 2022. For information about the availability of support for any release of Klocwork, see the Klocwork Product Lifecycle.

Pre-announcements

Take note of the following changes we have planned for upcoming releases.

Path API version upgrade in Klocwork 2022.3

After Klocwork 2022.3 is released, we recommend you review your custom checkers for potential race conditions and recompile by using the 2022.3 Klocwork Path API headers and library. Old custom checkers that are not recompiled will continue to work, but will not be able to use the parallelization feature improvements.

End of Life notice for FLEXlm/FlexNet Publisher as of Klocwork 2023.1

This is a six-month notice of the end of life and end of support for FLEXlm/FlexNet Publisher license files.

Klocwork is changing its license management tool by moving from FLEXlm/FlexNet Publisher to Reprise License Manager (RLM) as of Klocwork 2023.1.

New product license files will be generated for Reprise, and if you require a FLEX license file for older Klocwork versions we will provide this for you.

End of Life notice for macOS as of Klocwork 2023.1

Beginning with Klocwork 2023.1, the following operating systems and installers will not be supported:

  • macOS