cppcheck

I launched a Kickstarter project today. https://www.kickstarter.com/projects/3300446/cppcheck-variable-constraints I will add configuration of variable constraints. With such configuration, Cppcheck will get both better precision and better ... [More] soundness. To start with I only plan to use the constraints in the bug hunting analysis. However in the long run, the constraints can be used in traditional analysis also. [Less]

This is a minor release. We have tweaked build scripts. * When you use USE_Z3=yes, we will handle new versions of z3 better. If you have an old z3 library and get compilation problems you will need to add a z3_version.h in externals. * The cmake ... [More] scripts was updated. There was a couple of bug fixes. New check: * for "expression % 1" the result is always 0. [Less]

As of today: * there has been 601,753 downloads on sourceforge; https://sourceforge.net/projects/cppcheck/files/cppcheck/stats/timeline?dates=2007-02-09+to+2020-05-25 * there has been 398,248 downloads from github; ... [More] https://somsubhra.com/github-release-stats/?username=danmar&repository=cppcheck The download count is now above 1 million! Those statistics are not complete. But those are the known downloads. For instance we do not know how many have downloaded through apt-get or how many grabbed the source code directly from github and compiled that - the github download count is only for the windows installers. [Less]

Overview The command line is not changed drastically. Your old cppcheck scripts should work as before. Compiling: There is a new dependency Z3. When compiling with the Makefile it is highly recommended to use "USE_Z3=yes". Improved clang-tidy ... [More] integration Several fixes to; improve parsing detect more bugs with existing checks fix false alarms Clang import Clang is a C/C++ compiler that has a very robust and well made parser. Cppcheck will always use its internal parser by default. However there is now an option to use the Clang parser instead. It is recommended that you use the default internal Cppcheck parser unless you notice that it fails to parse your code properly (syntax errors, strange false alarms). Bug hunting There is a new "soundy" analysis in Cppcheck that should detect most bugs. You should expect false alarms, however the false alarms will not be overwhelming. This new "soundy" analysis is not intended to replace normal Cppcheck analysis. There are use cases where false alarms can not be tolerated. We have added 1 checker and that checks for division by zero: It detects all "integer division by zero" bugs in the Juliet test suite. It detects all "division by zero" bugs in the ITC test suite. There was 28 division by zero CVEs published in 2019 for C/C++ open source projects, and we could quickly see that 21 of the bugs are found by Cppcheck. There is no CVE bug that we know Cppcheck fails to diagnose. But there are 7 CVEs that would require additional investigation to establish if it is really detected or not. You can read more about this analysis in the "Bug hunting" chapter in the manual. [Less]

I launched a new Kickstarter project today. https://www.kickstarter.com/projects/3300446/diagnose-buffer-overflow-cve Thousands of software vulnerabilities are found in released software each year. I will investigate the reported vulnerabilities and ... [More] pick a buffer overflow that is not diagnosed by Cppcheck yet. Then I will fix Cppcheck so it detects such overflows. This is a small step, but in the long run it should be possible to detect most buffer overflows by using Cppcheck. [Less]

I launched a new Kickstarter project today. https://www.kickstarter.com/projects/3300446/add-all-missing-10x-misra-rules If this is funded 4 MISRA rules will be added in the misra addon.

Cppcheck-1.90 has been released. New check: * alias to vector element invalid after vector is changed Improved checking: * improved value flow analysis for struct members * improved value flow analysis for pointer alias CERT: * Added ENV33-C: Do ... [More] not call system() MISRA: * Added rule 2.7 * Added rule 3.2 * Added rule 4.2 * Added rule 14.2 * Added rule 21.1 * Added rule 21.12 Addons: * Add --recursive option. You can check dump files recursively. [Less]

I have launched one more Kickstarter project. This project is about "Software verification". A new analysis mode that will be added in Cppcheck later. It will make it possible to detect much more bugs. Here is the link: https://www.kickstarter.com/projects/3300446/software-verification-1

Together with Georgy Komarov, I started a new Kickstarter project. We want to implement two additional MISRA C 2012 rules: Do not define or undefine reserved identifiers or macro names Do not use exception handling features of The MISRA addon is ... [More] still very much incomplete. To make the rule coverage acceptable we need to get funding. The project is available here: https://www.kickstarter.com/projects/3300446/improve-misra-checking-2 [Less]

Cppcheck-1.89 has been released Command line: * The default warning message format was changed. The new format is similar to GCC. If you want to get warnings in the old format, add --template=cppcheck1 to the command line. Compiling: * From now ... [More] on, use FILESDIR instead of CFGDIR to specify the path for Cppcheck data files. The readme.txt describes the available flags. Improved checking: * improved value flow analysis for pointer aliases * improved checking for uninitialized variables/structs * better checking of smart pointers * better checking of global variables * Added Cppcheck annotations cppcheck_low(VALUE) and cppcheck_high(VALUE) * shadow variables; warn when argument is shadowed * warn if local reference variable can be const CERT: * Added API01-C: Avoid laying out strings in memory directly before sensitive data * Added MSC24-C: Do not use deprecated or obsolescent functions * Added STR11-C: Do not specify the bound of a character array initialized with a string literal MISRA: * Added rule 17.2 * Added rule 18.4 * Added rule 18.7 GUI: * Minor tweaks [Less]