What's new in Klocwork 2026.1

Released March 2026

Here are the highlights for Klocwork 2026.1. If you're upgrading Klocwork, see the Limitations for items that might affect your upgrade and usage.

Klocwork and Validate enhancements

This release includes the following enhancements.

Accelerate remediation with the Perforce SA MCP server

The Perforce SA MCP server has been implemented with VS Code and the GitHub Copilot Chat extension. The server provides static analysis data (such as defect information, fix guidance, and checker documentation) to the AI assistant in a standardized format, allowing you quickly implement accurate and compliant code fixes.

To learn more, see Using AI remediation for Visual Studio Code and Setting up the Perforce SA MCP server.

Enforce custom quality gates on CI Builds

The CI Quality Gate feature allows you to automatically determine whether CI builds pass or fail, based on your defined criteria.

Validate applies a custom issue query to each CI build, marking a pass or fail based on the results. CI builds display a dedicated Quality Gate status, and tools such as Kwciagent and qacli return specific exit codes for success, failure, or processing errors.

To learn more, see CI Quality Gate.

Analyze Rust code with Klocwork

Klocwork now provides early access support for Rust projects, allowing you to analyze Rust code using both Klocwork's native Rust checkers and the integrated Clippy linter.

For more information, see Run Rust integration build analysis.

Enable reverse proxy base URL configuration

Use the base.url property to allow Validate to generate correct external URLs when deployed behind a reverse proxy. Administrators can configure the public‑facing hostname using Kwservice or validate service, ensuring that all links (such as CI build links, hosted installer downloads, and API references) point to the externally reachable address instead of the internal server location.

For more information, see Use Validate behind a reverse proxy.

Include justification in compliance reports

You can now edit and enable the Justification field for all issues and defect statuses, to ensure clarity and consistency across compliance reports.

Get Web API search results in SARIF format

You can now output Web API search results in SARIF format.

Add new HIS metrics for call structure, goto usage, and recursion

We added additional HIS metrics to improve coverage of code structure analysis. For more information, see Function- and method-level metrics.

Java enhancements

This release supports up to version 19 of the Java language specification.

Plug-ins and extensions

You can now fix code defects with AI assistance using the MCP server for VS Code and the Microsoft Copilot Chat extension.

Expanded coverage for coding standards

In this release, you'll find enhancements to the following taxonomy rules and recommendations:

  • HIS metrics (100% coverage)

  • MISRA C:2023 mandatory (100% coverage) and required rules

  • MISRA C:2025 mandatory (100% coverage) and required rules

  • OWASP Top 10:2025

Checker improvements

This release includes new and modified C/C++ and Rust checkers. Some checkers work only with the modern analysis engine. Modern-only checkers are clearly identified in the documentation.

New checkers

The following checkers were added in this release:

Checker Description
MISRA.GENERIC.ASSOCIATION_TYPE.2023 This MISRA checker detects non-selectable types in _Generic associations after lvalue conversions.
MISRA.GENERIC.ETYPE.2023 This MISRA checker checks whether the essential type of the controlling expression of a generic selection matches its standard type.
MISRA.GENERIC_DEFAULT_POSITION.2023 This MISRA checker checks whether a default association is listed first or last in the association list.
MISRA.GENERIC_SELECTION_HAS_SIDE_EFFECT.2023 This MISRA checker flags when a generic selection that is not expanded from a macro contains potential side effects in the controlling expression.
MISRA.INIT.ATOMIC.2023 This MISRA checker checks whether atomic objects are appropriately initialized before being accessed.
MISRA.LANG.OBSOLESCENT.UNGETC_STREAM_START.2023 This MISRA checker looks for the use of the C language features deemed obsolescent, specifically the use of ungetc on a binary stream where the file position indicator is zero prior to the call.
MISRA.NORET.VOID.2023 This MISRA checker checks whether a function declared _Noreturn has void return type.
MISRA.OBJ_ALIGNAS_INCONSISTENT This MISRA checker checks whether all declarations of an object specify the same explicit alignment.
RS.DBZ.CONST.CALL This Rust checker checks whether an explicit zero constant value is passed directly to a function call.
RS.DBZ.GENERAL This Rust checker checks whether a zero‑valued variable is later used as a divisor without a zero check.
RS.DBZ.GENERAL.FLOAT This Rust checker checks whether a zero‑valued floating‑point variable is later used as a divisor without a zero check.
RS.DBZ.ITERATOR This Rust checker checks whether a loop iterator that becomes zero is later used as a divisor without a zero check.
RS.DBZ.ITERATOR.FLOAT This Rust checker checks whether a floating‑point loop iterator that becomes zero is later used as a divisor without a zero check.
RS.DBZ.PANIC.UNCONDITIONAL This Rust checker checks whether the Rust compiler has inserted an unconditional call to its panic function for division by zero.
RS.NPD.CHECK.CALL.MIGHT This Rust checker checks whether a pointer checked for null might later be passed to a function that might dereference it without a null check.
RS.NPD.CHECK.CALL.MUST This Rust checker checks whether a pointer checked for null is later passed to a function that dereferences it without a null check.
RS.NPD.CHECK.MIGHT This Rust checker checks whether a pointer checked for null might later be dereferenced or passed to a function that might dereference it without a null check.
RS.NPD.CHECK.MUST This Rust checker checks whether a pointer checked for null is later dereferenced or passed to a function that dereferences it without a null check.
RS.NPD.CONST.CALL This Rust checker checks whether a null‑pointer constant might be passed to a function that dereferences it without a null check.
RS.NPD.CONST.DEREF This Rust checker checks whether a null‑pointer constant is dereferenced directly or through a function call.
RS.NPD.FUNC.CALL.MIGHT This Rust checker checks whether a pointer from a function call that might return null might be passed to a function that might dereference it without a null check.
RS.NPD.FUNC.CALL.MUST This Rust checker checks whether a pointer from a function call that might return null is passed to a function that might dereference it without a null check.
RS.NPD.FUNC.MIGHT This Rust checker checks whether a pointer from a function call that might return null might later be dereferenced or passed to a function that might dereference it without a null check.
RS.NPD.FUNC.MUST This Rust checker checks whether a pointer from a function call that might return null is later dereferenced or passed to a function that dereferences it without a null check.
RS.NPD.GEN.CALL.MIGHT This Rust checker checks whether a pointer possibly set to a null constant might be passed to a function that dereferences it without a null check.
RS.NPD.GEN.CALL.MUST This Rust checker checks whether a pointer set to a null constant is passed to a function that dereferences it without a null check.
RS.NPD.GEN.MIGHT This Rust checker checks whether a pointer set to a null constant might later be dereferenced or passed to a function that might dereference it without a null check.
RS.NPD.GEN.MUST This Rust checker checks whether a pointer set to a null constant is later dereferenced or passed to a function that dereferences it without a null check.
Rust Clippy (RS.DBZ.*) checkers

These Clippy-based Rust checkers are Clippy lints created by The Rust Project Contributors.

For a complete list, see the Rust checker reference.

Modified checkers

The following checkers were modified in this release:

Checker Description
ABV.STACK Finds fewer false positives
MISRA.CAST.INCOMPLETE_PTR_TO_ANY.2012 Finds fewer false positives
MISRA.FUNC.RECUR Finds fewer false positives
MISRA.LANG.OBSOLESCENT.REALLOC_ZERO_SIZE.2023 Mapped the checker to rule MEM04-C in the cert_c_all.tconf taxonomy
MISRA.PTR.ARITH Finds fewer false positives
MISRA.VAR.MIN.VIS Finds fewer false positives
RH.LEAK Finds fewer false positives
SV.FMT_STR.PRINT_FORMAT_MISMATCH.BAD Finds fewer false positives
UNINIT.CTOR.MUST Finds fewer false positives
UNINIT.STACK.MUST Finds fewer false positives

Enabled or disabled checkers

The following checkers were added to the default enabled field of the checker configuration files in this release:

  • Rust dataflow (RS.NPD.*) checkers
  • Rust Clippy (RS.DBZ.*) checkers

Taxonomy improvements

As part of the installation, you will find several custom taxonomy files that map Klocwork checkers to coding standards such as MISRA, CWE, OWASP, and DISA STIG.

Taxonomy Improvements

cert_c_all.tconf and cert_c_all_ja.tconf

Added or modified checker mappings to rule MEM04-C (L2).
his_metrics_community.tconf

Added taxonomy with metrics mappings to the following categories:

  • ap_pg_cycle

  • CALLING

  • CALLS

  • COMF

  • GOTO

  • LEVEL

  • PARAMS

  • PATH

  • RETURN

  • STMT

  • v(G)

  • VOCF

misra_c_2023_c11.tconf and misra_c_2023_c11_ja.tconf

misra_c_2025_c11.tconf and misra_c_2025_c11_ja.tconf

Added or modified checker mappings to the following rules:

  • 1.5

  • 8.15

  • 9.7

  • 17.10

  • 23.2

  • 23.4

  • 23.6

  • 23.8

misra_c_2023_c99.tconf and misra_c_2023_c99_ja.tconf

misra_c_2025_c99.tconf and misra_c_2025_c99_ja.tconf

Added or modified checker mappings to rule 1.5.

owasp_2017_10_cs.tconf and owasp_2017_10_cs_ja.tconf

owasp_2017_10_java.tconf and owasp_2017_10_java_ja.tconf

 Deprecated the taxonomies.

owasp_2021_10_js.tconf and owasp_2021_10_js_ja.tconf

Renamed the taxonomies to follow Klocwork taxonomy naming standards.

owasp_2025_10_cs.tconf and owasp_2025_10_cs_ja.tconf

owasp_2025_10_cxx.tconf and owasp_2025_10_cxx_ja.tconf

Added taxonomies with checker mappings to the following rules:

  • A1-2025

  • A2-2025

  • A4-2025

  • A5-2025

  • A6-2025

  • A7-2025

  • A8-2025

  • A10-2025

owasp_2025_10_java.tconf and owasp_2025_10_java_ja.tconf

 

Added taxonomies with checker mappings to the following rules:

  • A1-2025

  • A2-2025

  • A3-2025

  • A4-2025

  • A5-2025

  • A6-2025

  • A7-2025

  • A8-2025

  • A9-2025

  • A10-2025

owasp_2025_10_js.tconf and owasp_2025_10_js_ja.tconf

 

Added taxonomies with checker mappings to rule A5-2025.

owasp_2025_10_kt.tconf and owasp_2025_10_kt_ja.tconf

 

Added taxonomies with checker mappings to rule A10-2025.

owasp_2025_10_py3.tconf and owasp_2025_10_py3_ja.tconf

 

Added taxonomies with checker mappings to rule A4-2025.
rs.base.tconf and rs.base_ja.tconf

Added taxonomies with checker mappings to the following categories:

  • Null Pointer Dereference

  • Invalid Arithmetic Operations
rs_clippy.tconf and rs_clippy_ja.tconf

Added taxonomies with checker mappings to the following categories:

  • Cargo
  • Complexity
  • Correctness
  • Nursery
  • Pedantic
  • Perf
  • Restriction
  • Style
  • Suspicious

Improvements to supported compilers

You'll find additional or improved support for the following compilers:

  • CL (Visual Studio)

  • Clang

  • clang-cl

  • GCC

  • QNX

For the full list of supported C and C++ compilers, see C/C++ compilers supported for build integration.

Licensing

Klocwork supports Reprise License Manager (RLM).

Changes to system requirements

We added support for the following environments:

  • Amazon Linux 2 (2.0.20260216.0 Update)

  • CLion 2025.2 (up to 2025.2.6), 2025.3 (up to 2025.3.3)

  • Debian 12.13

  • Eclipse 4.38 (2025-12)

  • Fedora 42 to 43

  • Google Chrome 134.x to 145.x

  • Gradle 8.14.4

  • Java 18 and 19

  • Maven 3.9.12

  • Microsoft Edge 134.x to 145.x

  • Mozilla Firefox 136.x to 148.x

  • Oracle Linux 10 to 10.1

  • Red Hat Enterprise Linux 10 to 10.1

  • Rocky Linux 10 to 10.1

  • Ubuntu 24.04 to 24.04.4 LTS

  • Visual Studio 2022 (up to 17.14.27)

  • VS Code 1.100.3 to 1.110

  • Windows Server 2025

We ended support for the following environments:

  • Fedora 41

  • Google Chrome 131.x to 133.x

  • Microsoft Edge 131.x to 133.x

  • Mozilla Firefox 133.x to 135.x

For the complete list of supported versions, see the System Requirements.

2026.1 Removal of hybrid analysis engine

Starting in release 2026.1, the hybrid analysis engine has been removed from the Klocwork plug-in for Visual Studio.

2025.4 End of life notice for Visual Studio 2015 plug-in

Starting in release 2025.4, the Klocwork Desktop plug-in for Visual Studio is no longer provided or supported for Visual Studio 2015 in alignment with Microsoft's end of extended support for Visual Studio 2015.

2025.2 Removal of compliance licenses for compliance reports

Starting in release 2025.2, a compliance license is no longer required to generate full (non-summary) compliance reports. To learn more about compliance reports, see Creating a compliance report.

2025.2 Removal of the kwmatch utility

Starting in release 2025.2, the kwmatch utility has been removed. If you are upgrading from a previous version, we recommend using streams to manage project branches and kwxsync for cross-project issue synchronization.

If you previously used kwmatch for specific projects and created a database for it, and then you migrate those projects to 2025.2 or later, your database will no longer be used and you can remove it.

2025.2 Removal of the dbvalidate cleanup utility

Starting in release 2025.2, you can no longer run the dbvalidate cleanup utility directly. Some dbvalidate commands for removing duplicated issues and comments remain available for use if advised specifically by Klocwork Support.

2025.1 Removal of separate licenses for streams

Starting in release 2025.1, separate licenses for streams are no longer required.