For Coverity Analysis, Coverity Platform, and Coverity Desktop.
Copyright © 2020 Synopsys, Inc. All rights reserved worldwide.
Support for this version of Coverity will be discontinued 18 months after the base version of this release.
All Coverity products, including the installers, support only ASCII characters for file and directory names. Non-ASCII characters, such as Japanese characters, are not supported for these names.
This section provides release notes for Coverity Platform components.
Coverity Compliance Solution helps quality managers and architects manage coding-standards projects (those using the MISRA, CERT, or AUTOSAR standards), which typically surface large numbers of findings. Using Compliance Solution, developers can focus on the most important issues and even prioritize these.
If you use coding standards and find you have a larger number of defects than you can comfortably handle, the Compliance Solution will let you do the following:
Visualize large numbers of findings and make decisions about how to handle them
Use those decisions to filter findings, excluding all that are not of interest now
Upload only the interesting findings to Coverity Connect
Compliance Solution is now in a beta phase. For documentation, tutorials, and information about the beta program, please see the solution's Community page: https://community.synopsys.com/s/coverity-compliance-solution
The threshold control on the Filter Policies/Threshold page does not work on some versions of Microsoft Edge browser. Workaround: Use a different browser.
The installer that the bootstrap script runs quits if you press Enter too many times during the display of the End User License Agreement. You can work around this by pressing 'q' once while the EULA is displayed.
When you run cov-upload-findings, please ignore the warning message that says no EndPointIdentificationAlgorithm has been configured for SslContextFactory.
The installer executed by the bootstrap script fails to read the EULA agreement and quits if you select y to read the EULA. You can work around this by selecting n to read the EULA.
Line number and triage comments information are now displayed for an exported CSV file. (IM-21055)
Preview issues are now included in Coverity Connect URL construction query output. (IM-24420)
Made the following additions to the Defect service of the Coverity Web Services API:
Added these complex objects: standardAttributeIdDataObj, standardAttributeValueFilterMapDataObj, standardAttributeValueIdDataObj.
Added a standardAttributeValueFilterMapList field to the filterSpec parameter of the getMergedDefectsForProjectScope, getMergedDefectsForSnapshotScope, and getMergedDefectsForStreams operations. (IM-25015)
Made the following additions to the Configuration service of the Coverity Web Services API:
Added these operations: getStandardAttribute, getStandardAttributes.
Added these complex objects: standardAttributeDataObj, standardAttributeIdDataObj, standardAttributeValueDataObj, standardAttributeValueIdDataObj. (IM-25127)
Coverity Connect and Coverity Policy Manager support for Linux was inadvertently omitted from the Coverity Installation and Deployment Guide in releases 2019.06 and 2019.09. Support information for Linux was reinstated in the documentation in release 2019.12. Support for Linux Kernel v2.6.32 or higher, glibc 2.12 or higher, and GTK2+ or higher has in fact been continuous through this period and continues in the current release.
CIM Web Services example code has been fixed.
Documentation has been updated to clarify the column names in Status Reports view.
A description for the getOutputFileForSnapshot operation has been added to the "Coverity Platform Web Services API Reference".
A bug was fixed for the Checker View on the Dashboard: all the checker names in the Bar type chart appeared to be truncated.
The getDeveloperStreamsProjects operation was added to the Configuration service in the Coverity Platform Web Services API v8 as part of Coverity release 7.0.1.1 but was inadvertently omitted from the documentation. The Coverity Platform Web Services API Reference has been updated with documentation for this method.
A solution was provided for a situation in which Connect was unable to establish the certificate chain of trust to the mail server.
Improved the performance of the following methods of the Defect Service Web Service: getMergedDefectsForProjectScope, getMergedDefectsForStreams, getMergedDefectsForSnapshotScope.
This resulted in improving the performance of the cov-manage-im command. In some internal tests the latencies were reduced from about 120 seconds to about 8 seconds and from about 13 hours to about 15 minutes.
Increased the maximum allowed value of the pageSize field of the pageSpec parameter of the aforementioned methods. As a result, the maximum allowed value of the --page parameter of the cov-manage-im command also increased. While this change contributes to the aforementioned performance improvements, it is not the major one, but simply the one visible to a user.
An issue was fixed with the Coverity Server not responding to cov-commit-defects. The server can now handle a heavier load of incoming commit-related connections.
Fixed an issue where filtering or grouping by standard attribute returned an error if the column was not visible.
An issue has been fixed which now shows Standard Attribute information that was missing from Issues by Snapshot Views as well as from Policy Manager Reports.
An issue was fixed that prevented users from changing their password from the Preferences dialog.
Updated documentation to show that the component views do not include data from outdated streams.
Port redirection is not supported with the default self-signed certificate server/base/conf/server.xml.
Fixed an issue that required the user to type the password twice for the cov-commit-defects command.
Downloading the binaries to update Java and/or PSQL for security fixes might fail on slow internet connections. Please make sure you have a fast internet connection and retry.
In order to use Coverity Connect with a mail server (https option) or Bugzilla (https option), and in some other cases, the user has to import certificates into cim/jre/lib/security/cacerts. After running the updater, all of these certificates are gone.
Changing the summary metric name on a coordinator causes the summary metric to disappear from all reports on subscribers. To work around this issue, add the new summary metric back into the reports on the subscriber.
User and password information in coverity_config.xml does not override options specified on the command line.
Collisions might occur if triage data is deleted from a cluster (used for testing, for example), and then up-to-date triage data is imported from a production instance. This is because deleting triage stores does not delete related CIDs. It is recommended you rebuild the cluster from scratch using the production data.
In a cluster environment, deletion of triage data on the coordinator is not recommended unless it can be verified that there are no subscriber dependencies. Synchronization problems between subscribers and the coordinator might result.
The selected value is not displayed for a Coverity Connect field when using Chrome browser version 47.0.2526.80 on Windows 7.
Using a custom defect export handler script might on occasion create an error when attempting to export data to a bug tracking system.
To prevent database constraint violations on subscribers in a cluster, when a user is deleted, it is marked for deletion instead of being completely (hard) deleted. This status subsequently synchronizes across the cluster.
When configuring Coverity Connect to connect to an LDAP server, you must specify (in the Host Name field) the hostname of the machine hosting the LDAP server. Using the IP address of the LDAP server is not supported. For more information, refer to the section "Configuring LDAP server settings" in the Coverity Platform 2020.03 User and Administrator Guide.
The Coverity Platform Web Services API Reference has been clarified to point out that the snapshotScope parameter to the Defect Service's getMergedDefectsForStreams operation is optional.
Internet Explorer 11 breaks on functionalities using file upload.
Translations for standard attribute descriptions that are displayed when an issue is selected are not provided in this release.
When upgrading from a database in 2020.03 or 2020.06, two columns are shown for PCI DSS info: 1) Standard: Payment Card Industry Data Security Standard (PCI DSS) 2018 and 2) PCI DSS 2018. Use the information in the PCI DSS 2018 column for correct results.
Although the Upgrade Guide states that 32-bit to 64-bit in-place database format upgrades are not permitted, some will succeed, yielding valid results. Because in-place upgrade is preferable to backup-and-restore upgrade, we recommend that you try your upgrade in-place and, if it fails, fallback to backup-and-restore upgrade.
If Java 1.7.0_xx or older is used, Out of Memory errors might occur even when the system has a large amount of available RAM. The workaround is to use the Java version shipped with Coverity Platform, or to specify a maximum heap setting for cov-im-daemon.
Due to a Red Hat Enterprise Linux issue (Bug 1484079), the Coverity Platform installer on CentOS 7 or RHEL v7.4 might fail due to an ArrayIndexOutOfBoundsException error and a stack trace indicating an error with fonts. This can be resolved by installing the dejavu-serif-fonts package.
For customers upgrading their Coverity Platform server from unsupported Coverity versions (such as version 5.x), we recommend that you upgrade to a supported intermediate version (such as 2018.03) before upgrading to 2018.06. We also recommend that you perform a backup of your data beforehand with the Upgrade Preparation feature.
All Coverity installers for Linux have a known issue related to missing fonts. If you are installing a Coverity product on Linux from the command line, the installer might fail before asking for user input if the target system does not have access to the fonts required by the installer. Stack traces vary, but usually reference "fonts". You can work around this issue by installing the fontconfig package.
For example, this command uses the apt-get package manager to install fontconfig:
apt-get install fontconfig
This command uses the yum package manager to install fontconfig:
yum install fontconfig
The Scan Date / Time has been added in all PDF reports - Security, Software Integrity, Cert C/C++, OWASP, PCI DSS, and CVSS Report. (RG-1421)
A reference to Coverity as a "Synopsys company" has been fixed in Coverity Security Reports.
It is now possible to view the Coverity Severity and Severity level from Security report together.
Documentation was updated to note that value passed on the command line for project name will override the config file setting.
An issue was fixed wherein the project description field was cropped in Integrity Report.
For APT-based systems, you might receive an error message during report generation. If you do receive an error message, you are likely missing these libraries: libgl1, libgl1-mesa-dri, and libgl1-mesa-glx. You can install the missing libraries by using the following command syntax:
apt-get install libgl1, apt-get install libgl1-mesa-dri, and apt-get install libgl1-mesa-glx.
During report generation, you might receive the following error: "Loading library prism_es2 from resource failed: java.lang.UnsatisfiedLinkError:"
If you encounter this error message, please install these missing libraries: apt-get install libgl1, apt-get install libgl1-mesa-dri, and apt-get install libgl1-mesa-glx.
In the Security Report, "Issues Without CWE Numbers" has been renamed "Non-security Issues" to address a complaint about a mismatch between the reported count of issues without CWE numbers and Coverity Connect output sorted by outstanding defects.
The Security Report now points to BDBA instead of Protecode SC.
This section provides release notes for Coverity Analysis components.
Support for all operating systems is deprecated as of 2020.06 and will be removed in a future release.
For a summary of checkers that have been added or changed in this release, refer to the "Coverity Checker Change History" table in the Coverity Checker Reference.
The HEADER_INJECTION checker now supports VB.NET. (SAT-26272)
The new C/C++ Y2K38_SAFETY checker points out two potential issues with the rollover of the 32-bit signed integer counter of seconds since epoch in the UNIX time_t type. (SAT-27539)
Enhanced the NO_EFFECT checker to detect useless continue statements, that is, any continue statements that are the last statement executed in a loop. (SAT-31515)
The new CUDA.SHARE_FUNCTION checker searches for violations of specific function calls to the device-only function in a host execution space, and vice-versa. (SAT-31595)
The new CUDA.SPECIFIERS_INCONSISTENCY checker looks for inconsistencies in CUDA execution space and kernel function specifiers across function declarations. (SAT-31603)
The --field-offset-escape option no longer affects checkers such as UNINIT_CTOR that care about writes but not frees. (SAT-32483)
Improved DEADCODE reporting when the dead code is due to a condition on a variable, and that variable is always assigned a constant when reaching that condition. (SAT-32861)
Added support for MISRA-C: 2012 Amendment 2. (SAT-33918)
The SCRIPT_CODE_INJECTION checker now supports Android taints for Java. (SAT-34011)
The UNSAFE_JNI checker now supports Android taints for Java. (SAT-34060)
The ANDROID_CAPABILITY_LEAK checker now supports configurable Android API levels. (SAT-34663)
The TAINTED_SCALAR checker can now treat assembly swap instructions as a source of tainted data. (SAT-34820)
For the FORWARD_NULL checker, updated the description of the boolean option aggressive_null_sources. (SAT-34889)
Added support for these CERT C POSIX rules: POS30-C (v.79), POS33-C (v.101), POS34-C (v.126), POS35-C (v.86), POS36-C (v.67), POS37-C (v.79), POS38-C (v.35), POS39-C (v.51), POS44-C (v.23), POS47-C (v.58), POS49-C (v.24), POS50-C (v.17), POS52-C (v.23), POS54-C (v.32). (SAT-34936)
Added Go language support to all options for the OPEN_REDIRECT checker. (SAT-34977)
Updated the INSECURE_COMMUNICATION checker for Java to support Spring Roo configuration files. (SAT-34987)
The HEADER_INJECTION checker now supports Visual Basic. (SAT-34996)
Added modeling for the Boost property_map API. (SAT-35017)
The new Java CONFIG.SPRING_SECURITY_WEAK_PASSWORD_HASH checker finds cases that create an instance of a class implementing the PasswordEncoder interface using weak hashing algorithms or no hashing algorithm at all. (SAT-35033)
Added a new option to the cov-analyze command. The --resolve-calls-to-all-delegates option might allow reporting more defects involving calls to delegates, notably LOCK_INVERSION defects. It might cause a higher false positive rate. (SAT-35036)
The new Java CONFIG.SPRING_SECURITY_DEPRECATED_XSS_HEADER checker finds cases where the soon-to-be-deprecated X-XSS-Protection header is explicitly enabled. (SAT-35062)
The XML_INJECTION checker now supports VB.NET. (SAT-35132)
The new Java VERBOSE_ERROR_REPORTING checker finds cases where an application has been configured to allow exception information or stack traces to be displayed in an error page. (SAT-35134)
The new C/C++ Y2K38_SAFETY checker points out two potential issues with the rollover of the 32-bit signed integer counter of seconds since epoch in the UNIX time_t type. (SAT-35167)
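The two patterns the Y2K38_SAFETY checker targets (SAT-27539, SAT-35167), as an added example that is not Coverity's code: narrowing a time_t into a 32-bit signed field, and adding to a 32-bit seconds counter, each beside a version that checks the range before narrowing. The helper names are hypothetical.

```c
/* Added example, not Coverity's code: the two Y2K38 hazards that the
 * Y2K38_SAFETY checker reports, next to range-checked versions.
 * Helper names are hypothetical. Y2K38_LIMIT is INT32_MAX, the last
 * second (2038-01-19 03:14:07 UTC) a signed 32-bit counter can hold. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define Y2K38_LIMIT ((int64_t)INT32_MAX)

/* Hazard 1: storing a (64-bit) time_t in a legacy 32-bit signed field.
 * Values past Y2K38_LIMIT do not fit; on two's-complement targets the
 * narrowing conversion wraps to a negative value, i.e. a date in 1901. */
static int32_t store_timestamp_unsafe(int64_t now)
{
    int32_t legacy_field = (int32_t)now;   /* narrowing, no range check */
    return legacy_field;
}

/* Checked version: refuse values the field cannot represent. */
static bool store_timestamp_checked(int64_t now, int32_t *out)
{
    if (now < 0 || now > Y2K38_LIMIT)
        return false;                       /* caller must handle this */
    *out = (int32_t)now;
    return true;
}

/* Hazard 2: 32-bit arithmetic on a seconds counter. Adding a retention
 * period to a date close to the limit is signed overflow (undefined
 * behaviour in C), so the unsafe form is deliberately not written here.
 * The checked version computes in 64 bits and reuses the range check,
 * so the result is either representable or refused. */
static bool expiry_checked(int32_t issued, int32_t ttl_seconds, int32_t *out)
{
    int64_t sum = (int64_t)issued + (int64_t)ttl_seconds;
    return store_timestamp_checked(sum, out);
}

/* Formats the rollover instant in UTC; returns 0 on success, -1 on error. */
static int y2k38_rollover_utc(char *buf, size_t n)
{
    time_t t = (time_t)Y2K38_LIMIT;         /* fits even a 32-bit time_t */
    struct tm *tm = gmtime(&t);
    if (tm == NULL)
        return -1;
    return strftime(buf, n, "%Y-%m-%d %H:%M:%S", tm) == 0 ? -1 : 0;
}

int main(void)
{
    char when[32];
    int32_t field = 0;
    /* Constructed sample: one second after the rollover instant. */
    int64_t after_rollover = Y2K38_LIMIT + 1;

    if (y2k38_rollover_utc(when, sizeof when) == 0)
        printf("32-bit signed time_t rolls over after %s UTC\n", when);
    printf("unsafe store of %lld yields %d\n", (long long)after_rollover,
           (int)store_timestamp_unsafe(after_rollover));
    printf("checked store of %lld accepted: %s\n", (long long)after_rollover,
           store_timestamp_checked(after_rollover, &field) ? "yes" : "no");
    printf("expiry INT32_MAX-10 + 11 accepted: %s\n",
           expiry_checked(INT32_MAX - 10, 11, &field) ? "yes" : "no");
    return 0;
}
```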
Added two options to the ANDROID_CAPABILITY_LEAK checker: ANDROID_CAPABILITY_LEAK:default_targetSdk:<integer> (sets which Android API level the application targets), and ANDROID_CAPABILITY_LEAK:detect_targetSdk:<boolean> (sets whether the analysis will auto-detect the Android API level that the application targets). (SAT-35196)
Added support for the SEI CERT C coding standard for Clang-based compilers. (SAT-35313)
The new CUDA.SHARE_OBJECT_STREAM_ASSOCIATED checker finds instances when managed global variables associated with a stream are accessed from a different stream. (SAT-35390)
Added security models for the libpq library. (SAT-35399)
Added support for 3 more rules in the AUTOSAR C++14 standard on both EDG-based and Clang-based compilers: A1-1-1, A14-5-2, A15-0-7. (SAT-35468)
Updated the Java CONFIG.SPRING_SECURITY_SESSION_FIXATION checker to support cases where the session fixation protection is explicitly disabled in the source code. (SAT-35498)
The new Java CONFIG.SPRING_BOOT_SSL_DISABLED checker finds cases when SSL is disabled in configuration files of Spring Boot applications. (SAT-35505)
The INSECURE_COOKIE checker now supports C# applications. (SAT-35528)
Added a new option to the NO_EFFECT checker. The NO_EFFECT:report_useless_continue:false option is supported for C, C++, Objective-C, and Objective-C++; it reports the continue statements that can be removed without affecting code execution. (SAT-35541)
The new Java CONFIG.SPRING_SECURITY_CSRF_PROTECTION_DISABLED checker finds cases where the Spring Security cross-site request forgery (CSRF) protection is explicitly disabled. (SAT-35542)
The new CUDA.INVALID_MEMORY_ACCESS checker finds cases where pointers into host or device memory are used incorrectly. (SAT-35560)
The new Java CONFIG.JAVAEE_MISSING_SERVLET_MAPPING checker finds cases where a deployment descriptor XML configuration file contains a servlet entry without a corresponding servlet mapping, enabling dangerous implicit mapping. (SAT-35562)
The INSECURE_COMMUNICATION checker now supports configuration files for Java projects. (SAT-35605)
Added support for 2 new CERT-JAVA rules: CERT IDS16-J and CERT IDS17-J. (SAT-35687)
Brakeman version has been upgraded to 4.8.2. (SAT-35697)
The reference to the renamed checker __CONFIG.SPRING_SECURITY_DEBUG_MODE_JAVA has been removed.
Fixed the TAINTED_SCALAR checker to report different defects on different fields of the same variable on a given path.
The CSRF checker now detects Spring CSRF protection enablement using the Spring version and handles the <csrf disabled="true"> tag correctly.
A false negative for the FLOATING_POINT_EQUALITY checker (vector types containing floats) has been fixed.
Added resource leak primitives for URLConnection::getInputStream and URLConnection::getOutputStream.
A false positive was fixed for the NO_EFFECT checker.
Added a model for g_slice_free_chain_with_offset to fix a false positive for the ALLOC_FREE_MISMATCH checker.
A false positive was fixed for the UNINIT_CTOR checker.
Fixed a false positive in BAD_OVERRIDE when the overriding function differed only in const/volatile qualifiers on the outermost level of the parameter type specification.
The option suppress_under_related_conditional to the NULL_RETURNS checker was not actually effective for C, C++, Objective-C, and Objective-C++. The behavior has now been implemented, and is enabled by default.
An issue was fixed for a NO_EFFECT false positive when comparing an unsigned integer with 0 within an impossible condition.
An issue was fixed: the UNCAUGHT_EXCEPT checker now flags situations in which a bad_alloc exception is thrown when the string function fails to allocate storage.
Added string equality models to fix false positives for the TAINTED_SCALAR checker on Visual Studio.
An issue was fixed that produced a false negative for the SQLI checker for PHP source.
Fixed an issue in the OVERLAPPING_COPY checker that could cause a recoverable failure if a negative number was supplied for the size argument.
Fixed a source of UNINIT false positives when multiple members of a struct are initialized together using a function such as memset given the address of the first of those members.
Fixed a performance regression in C/C++ security checkers by removing unnecessary taint tracking.
CSRF false positives have been fixed in those cases where users have implemented a homemade ActionFilter.
Fixed a false positive for the CUDA.INACTIVE_THREAD_AT_COLLECTIVE_WARP checker.
Fixed a source of OVERRUN false positives when a pointer argument is cast after having an offset added in a callee.
Fixed a recoverable analysis crash with message "While generating WUP for per-TU reports (...) assertion failed: Invalid index" when analyzing an intermediate directory with no define functions using HIS metrics.
Fixed a recoverable analysis crash with message "Disjoining != NULL".
A false positive for the CONFIG.ATS_INSECURE checker has been fixed.
A false positive for the UNINIT_CTOR checker has been fixed.
An issue has been fixed with Brakeman Pro when HOME is a relative path.
A false negative was fixed for JavaScript DOM XSS.
CodeXM documentation has been updated with information about regular expressions, as well as descriptions of the allFunctionCode and allFunctionsAndGlobalVariableCode patterns.
In the Learning CodeXM document, the use of patterns to match loops has been clarified.
Fixed some inconsistent analysis results from Kotlin security analysis with mutually recursive functions. Analysis results will be more consistent across analysis runs. However, Kotlin analysis results might gain or lose a small number of defects compared to the previous release.
The event message for CERT SIG30-C is now correctly translated in Japanese.
Fixed a false positive of MISRA C++-2008 Rule 6-6-5 regarding statementExpression.
Fixed a false positive of AUTOSAR C++14 M3-2-3 about template function declarations.
Fixed a false positive of CERT EXP37-C where __set_psw(unsigned char) is called.
Fixed a false positive of MISRA C-2012 Rule 13.2 about two function calls with unrelated side effects.
Fixed false positives of AUTOSAR C++14 A4-7-1 related to casting already checked variables and constexpr variables.
Fixed a false positive of AUTOSAR C++14 A12-1-5 when there were no other constructors to delegate to.
Fixed a false positive of AUTOSAR C++14 A5-2-2 where a function was cast to be used as a template parameter.
Fixed a false positive of CERT INT31-C about the sizeof operator.
Fixed a false positive of AUTOSAR C++14 A3-9-1 where the type was dependent on template arguments.
Fixed a false positive of AUTOSAR C++14 M6-4-2 where a throw operator was wrapped in an else statement.
Fixed a false negative of CERT CON39-C for C++ source files.
When using Buildless Capture with JavaScript projects, in some cases analysis might yield a large number of false positives for the EXPLICIT_THIS_EXPECTED checker. In such cases, we recommend disabling this checker using the --disable EXPLICIT_THIS_EXPECTED option for the cov-analyze command.
Churn for the preview INTEGER_OVERFLOW checker might be higher in this release compared to churn for other checkers.
The latest version of the integrated SpotBugs software has a documented bug: FE_FLOATING_POINT_EQUALITY defects won't be reported.
The XSS checker can report multiple occurrences of the same local defect under certain circumstances.
Added a new option to the cov-manage-emit command. The --tu-sort option specifies the sort order for TU output. (CMPG-3355)
Added a new option to the cov-configure command. The --coverity-response-file=<response_file> option specifies a response file that contains a list of additional command line arguments, such as a list of input files. (CMPG-3357)
Added cov-archive support for importing to a coordinator. See the description of the --cluster-config option in the cov-archive documentation. (IM-25048)
Added the new --brakeman-aggressiveness-level option to cov-analyze. This option allows users to tune the aggressiveness of Brakeman Pro to only report defects above a certain confidence level. (SAT-34008)
For the cov-manage-emit command, under the "Translation unit pattern matching" section, added all to the regular expression values. (SAT-34919)
The cov-run-fortran command now uses response files to communicate with the underlying analysis. This removes an earlier limitation due to the maximum command-line size (approx. 2^15 bytes on Windows; 2^17 bytes on other platforms). (SAT-35004)
For the cov-manage-emit command, the following language patterns were added to the "Translation unit pattern matching" section: .NET bytecode, Fortran, Go, HTML, JSX, JVM bytecode, Kotlin, Python 2, Python 3, TypeScript, Vue.js SFC. (SAT-35187)
Coverity client tools will now accept all SSL/TLS cipher suites, allowing more flexibility in server configuration, in particular with reverse proxies. (SAT-35801)
Errors related to in-class initializers and incomplete type errors have been fixed.
Fixed an issue for cov-emit: error #135 has no member "type".
An issue that resulted in an assertion error when using cov-build has been fixed.
Fix made for 2020.09 release: cov-internal-emit-clang now generates xrefs for variable templates used within namespaces.
An issue with the cov-build command in Visual Studio has been fixed.
Logging was improved for cov-admin-db by incorporating verbose mode.
Fixed the cov-manage-im checker filter option.
An issue was fixed for a situation in which cov-run-desktop would not take the -use-jshintrc option.
Fixed an issue causing a server certificate to be rejected by cov-commit-defects with the message "ASN CA path length larger than signer error" if the issuing root CA has a path length limit of 0.
An issue was fixed where cov-run-fortran crashed for large projects. An internal command-line buffer was limited to 1500 characters. This limitation has been removed.
Fixed a cov-commit-defects crash with message "Expected a value to be present for optional integer" when using an HTTP redirect to an HTTPS address with no port specified.
In the results from cov-run-fortran, certain syntax errors (defects) were not being associated with any function. To track defects through line number changes, Coverity Platform requires a function name as part of the defect identifier. Such syntax errors are now attributed to <module>%.MAIN if within a module, and to .MAIN otherwise.
The cov-run-fortran command now provides friendlier messages for abnormal exits.
An issue with cov-format-errors has been fixed.
Fixed an issue for cov-commit-defects failure due to long file names.
Fixed an issue that could cause results to change depending on compilation order, when multiple compilations of the same file were not within a single cov-build command.
If you receive the following error message when using cov-build, you can work around this issue by using the --instrument option.
[WARNING] Compilations that use 32-bit Java tools running on 64-bit Windows were detected during this build. Such compilations are not supported at the moment; analysis might be incomplete or invalid because of that.
Workaround:
> cov-build --dir t1 --instrument ant
If you have KB2919355 (http://support.microsoft.com/kb/2919355) installed on a Windows 2012 system, you might encounter the build hanging under cov-build if MSBuild is used. When this happens, the process tree will show MSBuild still running under cov-build, even though there will be no output or progress from MSBuild. To work around this issue, you can do one of the following: uninstall KB2919355, or add the --instrument flag to your cov-build invocation; for example:
> cov-build --dir dir --instrument msbuild ..
On Windows, when preprocessing a file with cov-emit to the Windows console, cov-emit might fail with a catastrophic error if the character encoding of the preprocessed output is not compatible with the console encoding. This error can be avoided by redirecting the preprocessed output to a file.
When in the Test Prioritization workflow, on the View Results page, clicking the Open in System Editor button might not work for some older Linux distributions.
Running cov-emit-java to emit a web application (with --war --findears or similar) might fail if the number of JAR files in its classpath (including those found with --findjars) exceeds the operating system's per-process file limit. To work around this case, either increase the per-process open file limit or remove unnecessary JARs from the classpath.
Support for OpenJDK 13 is dropped as of 2020.09. Support for Oracle JDK 13 is dropped as of 2020.09.
Coverity support for Go 1.11 and 1.12 has reached end of life and is dropped in Coverity 2020.09 release.
Support for Apple Clang 6.0 and 6.2 has been dropped as of 2020.09.
Coverity Analysis support for Ruby 2.3 and 2.4 is dropped as of 2020.09.
Support for IBM XLC versions 8–12 on AIX is dropped as of 2020.09.
Support for Linux versions of Intel C++ older than version 17 is dropped as of 2020.09.
Support for Keil Arm compiler RVCT 3.1, 4.0 for uVision is dropped as of 2020.09.
Support for .NET Core 3.0 has been dropped as of 2020.09.
We no longer support Extend SDK on FreeBSD.
Support for Swift 5.2 is deprecated as of 2020.09.
Added support for clang-cl 9.0 on Windows. (CMPCPP-10059)
Added support for ARM Clang 6.13.1. (CMPCPP-10064)
Added support for GNU GCC and G++ 10.1.0 compiler. (CMPCPP-10088)
Added support for the Texas Instruments ARM version 18.12.5 compiler on Windows. (CMPCPP-10157)
Added support for Microchip XC8 version 2.20 compiler on Windows and Linux. (CMPCPP-10261)
Added support for the Qualcomm Kalimba C version 2.06 compiler on Windows. (CMPCPP-10289)
Added support for the QNX 7 C++ compiler as a host compiler for the CUDA nvcc compiler. Use the cov-configure --cuda command to configure support for this compiler combination. (CMPCPP-10344)
We now support -arch arm64, -mcpu=cortex-a7 for the clang compiler. (CMPCPP-4449)
Added support for the .NET Core C# compiler on linux64. (CMPG-3388)
Added support for Java 14 language features. (CMPJ-1215)
Added a capability to the JavaScript front end to suppress secondary capture (capture of files imported by previously captured source files) of files that reside under a node_modules directory. Contact Coverity support to enable this functionality. (CMPJS-733)
Added support for Open JDK 14. (COVP-2271)
Added support for Oracle JDK 14. (COVP-2272)
Docs have been updated to correct a discrepancy in the way that Maven versions were specified.
Any use of a variadic macro (a macro whose parameter list contains ... to represent multiple arguments) is now flagged as a violation of MISRA C 2004 Rule 1.1, because variadic macros were introduced in the C99 standard while Rule 1.1 requires adherence to C89. Variadic macros defined in system header files are exempt, since users typically cannot change those headers.
The Keil ARM (armcc) compiler accepts the --C99 option (uppercase C), which cov-emit does not.
The CIT nvcc:msvc configuration for the CUDA nvcc compiler with Microsoft Visual C++ as the host compiler was corrected to ensure that CUDA-predefined macros are detected and emulated.
Fixed an error when parsing non-zero non-type template arguments for Microsoft compilers.
Fixed an issue where Coverity failed with an undefined __float128 for gcc.
An issue was fixed in which template function declarations resulted in two declaration locations.
Fix made for the 2020.09 release: cov-internal-emit-clang now generates cross-references (xrefs) for variable templates used within namespaces.
Fixed a crash affecting clang compilers when a C++11 static_assert declaration was used as the body of a selection or loop statement.
Resolved an issue that resulted from an exception signature mismatch in system headers.
An issue was fixed in which a DLL seen in two locations in the same build could cause problems when merging other intermediate directories (idirs) that use the same DLL.
An issue was fixed in which a local function was used in a lambda expression in a generic method.
An issue with the cov-build command in Visual Studio has been fixed.
A cov-analyze issue with custom ValueTypes that have a user-defined conversion has been resolved.
Fixed an issue where cov-emit-java crashed on long command-line switches.
The Kotlin front end now properly handles compiler plugins in Maven.
Fixed a crash in the Kotlin front end related to coroutines and objects.
Removed references to the HPUX environment in documentation because this environment is no longer supported.
Upgraded webapp archive compilation to support JSP files that reference precompiled class files with class format versions up to 58.0, which corresponds to Java 14.
A cov-emit-java hang that could occur when emitting the exoplayer project has been fixed.
An assertion failure for a Coverity Swift compiler has been fixed.
Fixed a recoverable error when analyzing static Spring MVC request handlers.
Fixed an issue that could cause results to change depending on compilation order when multiple compilations of the same file were not within a single cov-build command.
cov-build --instrument has a known issue when running the xdcmake.exe tool of Visual Studio 2010 launched from a 32-bit process on Windows 10; it currently fails with a System.BadImageFormatException exception. To work around this issue, either modify the build so that xdcmake.exe is run from a 64-bit process, or ignore the xdcmake.exe process by adding --capture-ignore xdcmake.exe to your cov-build invocation.
When using JDK 14 on macOS 10.14 or 10.15, cov-build might miss capturing Java source. In this situation, use buildless capture (cov-capture) to capture your Java source.
Casts of ISO/IEC TR 18037 fixed point types are incorrectly rejected in code compiled in C++ mode for Clang based compilers. This issue is known to affect the Synopsys MetaWare ccac compiler.
The new build system introduced in Xcode 10 is not supported with Clang compilers. See the section "Building projects that use Xcode 10's new build system" in the "Coverity Analysis User and Administrator Guide" for details on how to work around this issue.
The Coverity Swift front end does not support Mac Catalyst apps in the 2020.06 release.
The default charset for the Java 1.8 VM on macOS appears to be UTF-8 when no charset has been explicitly set. The Coverity Java compiler does not emulate this behavior. Set the character encoding explicitly by setting a locale through the LANG or LC_CTYPE environment variable.
The JavaScript front end no longer supports nameless function statements. (Nameless function expressions are supported as before.) A function statement without a declared name is a syntax error according to the ECMAScript standard, but may be used in JavaScript source files with some frameworks.
The Coverity front end for TypeScript does not presently respect module=esnext. As a result, Coverity tools cannot currently emit top-level awaits, which are built using module=esnext.
The Scala Macro Paradise compiler plugin can be incompatible between different Scala 2.12.x patch versions and might cause emit failures.
If you build Ant projects from NetBeans, launching the NetBeans build inside cov-build fails to capture the emitted files. To fix this, set the fork attribute of the Ant javac task to yes/true (fork="true"), which tells Ant to run the compiler as a separate OS-level process. By default fork is no, so javac runs inside the Ant JVM and cov-build never sees a javac invocation at the OS level.
Support for all operating systems is deprecated as of 2020.06 and will be removed in a future release.
An issue has been fixed so that the cov-run-desktop command now uses the same process as the cov-analyze command to choose the latest emit among multiple compilations.
If Dynamic Analysis reports defects in classes that were compiled without debugging information, or classes that contain mangled information due to a misbehaving code coverage or AOP tool, the defect report might contain nonsensical line numbers or file names.
Specifying certain combinations of the instrument-arrays, instrument-collections, detect-races, and detect-deadlocks options to the Dynamic Analysis agent causes unexpected behavior. In particular, Dynamic Analysis still reports races on arrays and collections according to the instrument-arrays and instrument-collections options when detect-races is false and detect-deadlocks is true. However, if both detect-races and detect-deadlocks are false, Dynamic Analysis reports races on neither collections nor arrays.
If you do not specify a class in the classpath option of cov-start-da-broker, the corresponding source file is not committed, even if the source file is present on the source path.
Using --cs-coverage opencover with Test Advisor may fail to capture any tests or coverage data on some versions of Windows if the user's account has Administrator permissions, .NET Framework 4.8 is installed, and User Account Control (UAC) is disabled. To work around this, manually register the OpenCover profiler DLLs and pass --cs-no-register-profiler to your cov-build --test-capture invocation. The manual registration must be system-wide: run regsvr32 without the /i:user argument. For more details, see the documentation of the cov-build --cs-no-register-profiler switch in the Command Reference.
When using --java-coverage jacoco, Test Advisor might consider lines that never run to completion, but instead always generate exceptions, to be uncovered.
cov-wizard might not emit Java successfully with the default Java version installed in Ubuntu 18.04 (see https://bugs.launchpad.net/ubuntu/+source/openjdk-lts/+bug/1796027). To fix this issue, install a different version of Java and set it as the default.
In the Coverity Wizard Policy Editor, the Link to Editor icon in the Outline View might be toggled as enabled, even though the editor is not actually linked with the Outline View. To enable outline linking, toggle the Link to Editor button to disabled, and back to enabled again.
Not all the Preference dialog text is translated into Japanese on the syntax coloring dialog.
In Coverity Wizard, after automatically configuring the compilers in the Configure Compilers screen, the status indicator for the Configure Compilers screen might not update from the exclamation mark icon to the check mark icon, which will appear as though the auto-configuration was unsuccessful. However, clicking anywhere in the Coverity Wizard window or changing pages will cause the indicator to update to the check mark icon.
The Guided Test Advisor Policy Creation Wizard uses Java regex validation instead of the Perl regex validation that Coverity Analysis Test Advisor uses. This should not cause any issues for most users, but if there is a difference, go to the more advanced Test Prioritization Policy Editor and Debugger to enter the proper regex.
The guided policy creation wizard Documentation link fails to open properly on Linux. Open the Coverity Wizard 2019.12 User Guide separately to view this documentation.
After an upgrade, Coverity Wizard can sometimes give a ReferenceMap NullPointerException application error on startup. To work around this issue, delete the .orphan file in the <install_dir_sa>/jars/cwiz/configurations/org.eclipse.core.runtime folder.
When using a self-signed certificate, a user who chooses not to trust the certificate might be prompted multiple times to trust it. A user who does not want to trust a self-signed certificate should change their Coverity Connect server settings to avoid the prompts; otherwise, keep answering no (do not trust the certificate) to get through the multiple prompts.
Coverity Wizard now warns the user every time they select the Test Prioritization workflow, even if they did not first work with the regular analysis workflow. This warning can be safely ignored.
Using the Duplicate button for configuring compilers in Coverity Wizard does not work.
This section provides release notes for Coverity Desktop components.
Even though support for Android Studio 3.6 has been added, the Coverity Desktop plug-in fails to scan Android projects. It works for Java and Gradle projects that are not Android based.
Android Studio does not show the proper scope in the Issues view for local analysis; it currently always says "External output file" when in local analysis mode.
Currently, any source generated by Gradle Android projects is not captured by the build process and is reported as "Uncaptured" by the IntelliJ and Android Studio IDEs. These files can be ignored through the "Uncaptured Source Files Dialog" or the "File Exclusions" settings page. Auto-generated Gradle source files are captured when using Android Studio 3+.
Coverity markers in the editor gutter can sometimes be shown in duplicate with the IntelliJ/Android Studio Coverity Desktop plug-in.
For macOS 10.14 users with JDK-8136913 installed, using hostname_regex in the coverity.conf file caused a 5 to 30 second delay. A workaround for this issue is provided in our documentation.
Eclipse customers using Plastic SCM might see a failure during Analyze Modified Files because Eclipse is unable to locate their cm executable. This occurs when the cm executable (cm.exe) is located in /usr/local/bin/ rather than /usr/bin/ and can be resolved by adding a link to the executable in /usr/bin/.
When using whole program checkers in IntelliJ, a warning about missing class files might be displayed in the console, listing missing class files with incorrect paths. Even if the paths do not seem correct, this should not affect analysis results.
For Coverity Connect users using the Japanese locale, the Apply button in the triage panel was disabled unless the Owner was changed. To work around this, the IDE locale should be the same as the user account locale on the Coverity Connect server. Since IntelliJ currently supports only English, the user account locale on Coverity Connect must be set to English as well.
Coverity Connect attributes and usernames in the Coverity Desktop plug-in are cached on start up and are not refreshed until IntelliJ is restarted. If you are missing a new username or some other triage attribute, try restarting IntelliJ.
The Coverity Desktop plug-in does not currently work for the Alloy IDEA theme.
The triage view will not resize while the History section is expanded. Collapsing the history section will cause the view contents to resize.
This section provides release notes for Coverity Documentation components.
The Coverity CodeXM C/C++ Library Reference documents added support for the CUDA platform. (SAT-34702)
Incorrect examples have been fixed in the "Learning CodeXM" document.
Corrected misuse of "analyses" throughout doc set.
The "Coverity Platform Web Services API Reference" has been updated to reflect the fact that the updateSignInConfiguration operation no longer accepts an enableSessionTimeout parameter and that the signInSettingsDataObj complex type no longer contains an enableSessionTimeout component.
This section provides release notes for Coverity Analysis components.
For a summary of checkers that have been added or changed in this release, refer to the "Coverity Checker Change History" table in the Coverity Checker Reference.
This section provides release notes for Coverity Analysis components.
Corrected configuration of the nvcc compiler when used with Microsoft Visual C++ as the host compiler, to ensure that the implicitly included cuda_runtime.h header file is correctly found.
Corrected implicit instantiation of function templates when compiling CUDA code to match the behavior of the nvcc compiler more closely. This avoids parse errors due to unexpected instantiations that don't occur with the nvcc compiler.
The Kotlin front end now properly handles compiler plugins in Maven.
This section provides release notes for Coverity Platform components.
Coverity Compliance Solution helps quality managers and architects manage coding standards projects (those using the MISRA, CERT, or AUTOSAR standards), which typically surface large numbers of findings. Using Compliance Solution, developers can focus on the most important issues and prioritize them.
If you use coding standards and find you have a larger number of defects than you can comfortably handle, the Compliance Solution will let you do the following:
Visualize large numbers of findings and make decisions about how to handle them
Use those decisions to filter findings, excluding all that are not of interest now
Upload only the interesting findings to Coverity Connect
Compliance Solution is now in a beta phase. For documentation, tutorials, and information about the beta program, please see the solution's Community page: https://community.synopsys.com/s/coverity-compliance-solution
A bug was fixed where, if the hostname command on the Findings Manager host returns a name that is not known to DNS, Findings Manager did not know what streams are available from Coverity Connect, even though Coverity Connect is connected to the message bus.
A bug was fixed where files or directories were displayed under an incorrect parent node when you drilled down by path in certain cases.
A bug was fixed for cases in which findings did not match upon drilling down.
The threshold control on the Filter Policies/Threshold page does not work on some versions of Microsoft Edge browser. Workaround: Use a different browser.
The installer that the bootstrap script runs quits if you press Enter too many times during the display of the End User License Agreement. You can work around this by pressing 'q' once while the EULA is displayed.
When you run cov-upload-findings, ignore the warning message that says no EndPointIdentificationAlgorithm has been configured for SslContextFactory.
The installer executed by the bootstrap script fails to read the EULA and quits if you select y to read the EULA. You can work around this by selecting n.
If a user chooses to undo changes on the Scoring Policies page and clicks on Cancel, the Included/Excluded label doesn't get updated. Clicking on Save after that updates the score that was cancelled. You can work around this by not clicking Save after Cancel and refreshing the page.
Dropped support for Web Services API version 6, 7, and 8.
The Coverity Platform Updater has reached end of life, and has been removed from the Coverity Connect installer.
It is now possible to automatically disable Coverity users and their access tokens when such users are disabled in LDAP. (IM-24188)
Coverity Connect now shows you which issues are associated with particular standards. The following standards are covered: AUTOSAR C++14, CERT C and CERT C++, DISA-STIG V4R3, DISA-STIG V4R3 Severity, DISA-STIG V4R10, DISA-STIG V4R10 Severity, ISO TS17961 2016, OWASP Mobile Top Ten 2016, OWASP Web Top Ten 2017, Payment Card Industry Data Security Standard (PCI DSS) 2018 (IM-24846)
Added filtering and segmentation by coding standards and vulnerability reports into the policy manager reports. (IM-24858)
Component views now exclude data from streams marked as "outdated". (IM-24905)
Fixed an issue with duplicating projects.
Fixed an issue in which the remoteHost field of the WebAccessEvent in usageLog.log was not being populated.
A bug was fixed so that the Last snapshot column is blank for preview defects.
An optional caching feature was added to speed up the rendering of component views.
A bug was fixed that resulted in incorrect log messages being shown in usageLog.log.
A bug was fixed: When using Chrome, users were unable to add a filter to 'Outstanding issue count' Summary Metric.
A bug was fixed that prevented an authentication key file from being downloaded for IE and Edge.
getComponentMetricsForProject now works as expected.
A bug was fixed for slow commit performance with a large function_instance table.
The documentation was updated to indicate that the cov-admin-db check-integrity command supports only the embedded database, not an external database.
A bug was fixed for problems arising when configuring Jira Cloud BTS and an API key was used for authentication.
Fixed absent column names for the security standards in email notifications.
Added the --autostart={true|false} argument to enable or disable automatically starting Coverity Connect after a fresh install. The default is --autostart=true.
Downloading the binaries to update Java and/or PSQL for security fixes might fail on slow internet connections. Please make sure you have a fast internet connection and retry.
To use Coverity Connect with a mail server over HTTPS, with Bugzilla over HTTPS, and in some other cases, the user has to import certificates into cim/jre/lib/security/cacerts. After running the updater, all of these certificates are gone and have to be imported again.
Changing the summary metric name on a coordinator causes the summary metric to disappear from all reports on subscribers. To work around this issue, add the new summary metric back into the reports on the subscriber.
User and password information in coverity_config.xml does not override options specified on the command line.
Collisions might occur if triage data is deleted from a cluster (used for testing, for example), and then up-to-date triage data is imported from a production instance. This is because deleting triage stores does not delete related CIDs. It is recommended you rebuild the cluster from scratch using the production data.
In a cluster environment, deletion of triage data on the coordinator is not recommended unless it can be verified that there are no subscriber dependencies. Synchronization problems between subscribers and the coordinator might result.
The selected value is not displayed for a Coverity Connect field when using Chrome browser version 47.0.2526.80 on Windows 7.
Using a custom defect export handler script might on occasion create an error when attempting to export data to a bug tracking system.
To prevent database constraint violations on subscribers in a cluster, when a user is deleted, it is marked for deletion instead of being completely (hard) deleted. This status subsequently synchronizes across the cluster.
When configuring Coverity Connect to connect to an LDAP server, you must specify (in the Host Name field) the hostname of the machine hosting the LDAP server. Using the IP address of the LDAP server is not supported. For more information, refer to the section "Configuring LDAP server settings" in the Coverity Platform 2020.03 User and Administrator Guide.
File upload functionality does not work in Internet Explorer 11.
Although the Upgrade Guide states that 32-bit to 64-bit in-place database format upgrades are not permitted, some will succeed, yielding valid results. Because in-place upgrade is preferable to backup-and-restore upgrade, we recommend that you try your upgrade in-place and, if it fails, fallback to backup-and-restore upgrade.
If Java 1.7.0_xx or older is used, Out of Memory errors might occur even when the system has a large amount of available RAM. The workaround is to use the Java version shipped with Coverity Platform, or to specify a maximum heap setting for cov-im-daemon.
Due to a Red Hat Enterprise Linux issue (Bug 1484079), the Coverity Platform installer on CentOS 7 or RHEL 7.4 might fail with an ArrayIndexOutOfBoundsException error and a stack trace indicating an error with fonts. This can be resolved by installing the dejavu-serif-fonts package.
For customers upgrading their Coverity Platform server from unsupported Coverity versions (such as version 5.x), we recommend upgrading to a supported intermediate version (such as 2018.03) before upgrading to 2018.06. We also recommend backing up your data beforehand with the Upgrade Preparation feature.
All Coverity installers for Linux have a known issue related to missing fonts. If you are installing a Coverity product on Linux from the command line, the installer might fail before asking for user input if the target system does not have access to the fonts required by the installer. Stack traces vary, but usually reference "fonts". You can work around this issue by installing the fontconfig package. For example, with the apt-get package manager:
apt-get install fontconfig
With the yum package manager:
yum install fontconfig
The CIR Report can now use low impacts for calculating defect density based on user input. (RG-1371)
Increased "issue-cutoff-count" value from 5000 to 10000 for security report. (RG-1392)
A bug was fixed: When exporting Outstanding Issues to CSV from Coverity server, the values of the OWASP Top 10 and PCI DSS columns always remain 0, even when Coverity Connect displays data.
Cov reports now have documentation.
A bug was fixed to remove the limit of 500 streams.
A bug was fixed whereby the Snapshot-ID-Date Report was generated for the whole project.
A bug was fixed where project-contact-email was not a valid email.
On APT-based systems, you might receive an error message during report generation, typically: "Loading library prism_es2 from resource failed: java.lang.UnsatisfiedLinkError". This usually means the libgl1, libgl1-mesa-dri, and libgl1-mesa-glx libraries are missing. Install them with:
apt-get install libgl1 libgl1-mesa-dri libgl1-mesa-glx
In the Security Report, "Issues Without CWE Numbers" has been renamed "Non-security Issues" to address a complaint about a mismatch between the reported count of issues without CWE numbers and Coverity Connect output sorted by outstanding defects.
The Security Report now points to BDBA (Black Duck Binary Analysis) instead of Protecode SC.
This section provides release notes for Coverity Analysis components.
For a summary of checkers that have been added or changed in this release, refer to the "Coverity Checker Change History" table in the Coverity Checker Reference.
Improved support for multidimensional arrays in the UNINIT checker. (SAT-1483)
Improved the UNINIT checker to handle some cases where an uninitialized variable's address is taken but no initialization happens. (SAT-15899)
Improved the UNINIT checker to handle further cases where an uninitialized variable's address is taken but no initialization happens. (SAT-19020)
The INSECURE_RANDOM checker now supports Visual Basic. (SAT-26269)
The SCRIPT_CODE_INJECTION checker now supports Visual Basic. (SAT-26270)
Added support for tracking unions to the UNINIT checker. (SAT-2631)
The RISKY_CRYPTO checker now considers TLS1.2 insecure by default. (SAT-30256)
Added include-files and exclude-files options for the cov-commit-defects and cov-blame commands. (SAT-31428)
The new CUDA.DIVERGENCE_AT_COLLECTIVE_OPERATION checker looks for calls to a collective thread synchronization operation or a collective warp operation (for pre-Compute Capability 7.0 versions) and checks whether they are divergent on thread index. (SAT-31586)
The new CUDA.INACTIVE_THREAD_AT_COLLECTIVE_WARP checker looks for defects caused when a warp synchronization function is called and the mask does not match the set of participating threads in the warp. It also looks for defects when a warp shuffle function is called and the non-mask arguments are inconsistent with the set of participating threads in the warp. (SAT-31589)
The new CUDA.COLLECTIVE_WARP_SHUFFLE_WIDTH checker looks for calls to collective shuffle operations and checks whether they are passed an incorrect width parameter. (SAT-31594)
Enabled intraprocedural integer tracking in RISKY_CRYPTO to resolve key size values stored in variables. (SAT-31606)
The SQLI checker now supports Kotlin. (SAT-31723)
The UNSAFE_DESERIALIZATION checker now supports Kotlin. (SAT-31738)
The UNRESTRICTED_ACCESS_TO_FILE checker now supports Kotlin. (SAT-31759)
The URL_MANIPULATION checker now supports Kotlin. (SAT-31763)
The WEAK_PASSWORD_HASH checker now supports Kotlin. (SAT-31764)
The XML_EXTERNAL_ENTITY checker now supports Kotlin. (SAT-31765)
The MOBILE_ID_MISUSE checker now supports Kotlin. (SAT-31767)
The OS_CMD_INJECTION checker now supports Kotlin. (SAT-31768)
The PATH_MANIPULATION checker now supports Kotlin. (SAT-31769)
The RISKY_CRYPTO checker now supports Kotlin. (SAT-31771)
The ANDROID_CAPABILITY_LEAK checker now supports Kotlin. (SAT-31802)
The EXPOSED_PREFERENCES checker now supports Kotlin. (SAT-31804)
The IMPLICIT_INTENT checker now supports Kotlin. (SAT-31805)
The INSECURE_COMMUNICATION checker now supports Kotlin. (SAT-31806)
The MISSING_PERMISSION_FOR_BROADCAST checker now supports Kotlin. (SAT-31807)
The PREDICTABLE_RANDOM_SEED checker now supports Kotlin. (SAT-31808)
Added support for OpenSSL's ssl API to the RISKY_CRYPTO checker. (SAT-32083)
The INSECURE_RANDOM checker now supports Kotlin.
INSECURE_RANDOM defects of the subcategory insecure_random_value have had their impact changed from Medium to Low. (SAT-32461)
Added a new boolean option, report_on_default_constructor_without_private_member, to the UNINIT_CTOR checker. It is false by default and is enabled at high aggressiveness. When set, the checker reports defects when a compiler-generated default constructor fails to initialize some members, even if no member of the class or struct is private. (SAT-32484)
Added a new option to the RISKY_CRYPTO checker, usage_report, that gathers information about all cryptographic algorithms used in a codebase into a CSV file. (SAT-32506)
The RISKY_CRYPTO checker now reports 3DES (DES-EDE) as insecure by default. (SAT-32589)
The UNENCRYPTED_SENSITIVE_DATA checker now supports Kotlin. (SAT-32677)
The PW.PRINTF_ARG_MISMATCH checker has been disabled by default; use PW.PRINTF_ARGS instead. (SAT-32901)
The new ANDROID_WEBVIEW_FILEACCESS checker finds cases where an Android application allows JavaScript code in files loaded through the file:/// protocol to load other local files, breaking the WebView's sandbox. (SAT-33427)
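As an added illustration, not code from these release notes or from Coverity, the WebView settings that produce the behaviour described above, beside a hardened alternative. The class and method names are assumed for the example; the hardened version relies on WebViewAssetLoader from the androidx.webkit library, which serves bundled assets from an https origin so that the file: scheme is never needed.

```java
import android.content.Context;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.webkit.WebViewAssetLoader;

// Added example (hypothetical class): insecure vs. hardened WebView setup for local content.
public final class LocalContentWebView {

    private LocalContentWebView() {}

    // Weak: with these two settings on, script in a file:/// page can XMLHttpRequest any local
    // file the app itself can read (private databases, cached tokens) and post it to the network.
    public static WebView insecure(Context ctx) {
        WebView view = new WebView(ctx);
        WebSettings s = view.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);
        s.setAllowFileAccessFromFileURLs(true);       // file:// script may read other local files
        s.setAllowUniversalAccessFromFileURLs(true);  // and may reach any origin from a file:// page
        view.loadUrl("file:///android_asset/index.html");
        return view;
    }

    // Hardened: keep file: pages sandboxed and avoid the file: scheme entirely by serving
    // bundled assets from https://appassets.androidplatform.net through WebViewAssetLoader.
    public static WebView hardened(Context ctx) {
        WebView view = new WebView(ctx);
        WebSettings s = view.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);

        final WebViewAssetLoader loader = new WebViewAssetLoader.Builder()
                .addPathHandler("/assets/", new WebViewAssetLoader.AssetsPathHandler(ctx))
                .build();
        view.setWebViewClient(new WebViewClient() {
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView v, WebResourceRequest req) {
                // Only the registered /assets/ path is served from the APK; for any other URL the
                // loader returns null and the request proceeds as a normal network load.
                return loader.shouldInterceptRequest(req.getUrl());
            }
        });
        view.loadUrl("https://appassets.androidplatform.net/assets/index.html");
        return view;
    }
}
```

The hardened variant also turns off setAllowFileAccess and setAllowContentAccess, since the asset loader makes both unnecessary for bundled content; pages served this way get a real https origin, so the same-origin policy applies to them like any other web content.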
Upgraded SpotBugs to version 4.0.0. (SAT-33432)
Added a new event for Go in the LOCK checker when a defer statement is executed. (SAT-33435)
The new UNSAFE_BUFFER_METHOD checker finds cases where a segment of allocated memory is left uninitialized (not zeroed out), because its content could leak sensitive data from system memory. (SAT-33474)
The new MISSING_HEADER_VALIDATION checker finds cases where Netty HTTP header validation is disabled, which makes the code vulnerable to HTTP response splitting attacks. (SAT-33475)
Added an option, disabled by default, follow_virtual_destructor_classes
that allows the ALLOC_FREE_MISMATCH
checker to track instances of classes that have virtual destructors. Use of this option might cause some false positive defect reports when derived classes overload new
or delete
. (SAT-33544)
The new DISABLED_ENCRYPTION
checker finds cases where the noOpText()
method is used, which creates an encryptor object that does not perform any encryption and thus might leak sensitive data. (SAT-33550)
The new INSECURE_ACL
checker finds cases where access control lists (ACLs) are set too permissively in cloud provider configuration. (SAT-33663)
The table in Chapter 3 of the Checker Reference has been updated to show the cases in which the --webapp-security option would enable the checker. (SAT-33693)
Brakeman version upgraded to 4.8.0. (SAT-33728)
The new CONFIG.HARDCODED_CREDENTIALS_AUDIT checker finds hardcoded credentials in configuration files in Java, JavaScript, and TypeScript applications. (SAT-33835)
The HEADER_INJECTION checker now supports Kotlin. (SAT-33897)
The INSECURE_COMMUNICATION checker now supports Java. (SAT-33903)
The new checker LDAP_NOT_CONSTANT was added for Java, C#, and Visual Basic. (SAT-33937)
The new UNLIMITED_CONCURRENT_SESSIONS checker finds cases where the maximum number of concurrent sessions is unlimited. (SAT-33978)
Added support for the Go web frameworks Echo and Gin. (SAT-34000)
The new INSECURE_REMEMBER_ME_COOKIE checker finds cases of insecure configuration of the RememberMe cookie, which can then be accessed over an HTTP channel. (SAT-34009)
The new CONFIG.SPRING_SECURITY_UNSAFE_AUTHENTICATION_FILTER checker finds cases where the Spring Security framework allows credentials to be accepted in a GET request. (SAT-34012)
The HEADER_INJECTION checker now supports Android taints for Java. (SAT-34059)
Improved reporting in the RISKY_CRYPTO checker when using the forbid:*/*/*/* option. The checker now includes all the crypto parameters it knows about in the event message. (SAT-34083)
The new CONFIG.SPRING_SECURITY_EXPOSED_SESSIONID checker finds cases where session IDs are configured to be sent in URLs. (SAT-34160)
The updated CONFIG.SPRING_SECURITY_DEBUG_MODE checker now flags additional ways in which debug mode has been enabled. (SAT-34161)
Support has been added for a few high impact CERT-JAVA rules. (SAT-34176)
Support has been added for a few high impact CERT-C Recommendation rules on EDG-based compilers. (SAT-34178)
Improved the quality of the results of the UNINIT checker. (SAT-34191)
Increased the default value of UNRESTRICTED_ACCESS_TO_FILE:api_level from 15 to 19. (SAT-34218)
The new CONFIG.SPRING_BOOT_SENSITIVE_LOGGING checker finds cases where a Spring Boot application has been configured to log request cookies or HTTP request details. (SAT-34243)
The new CONFIG.SPRING_SECURITY_LOGIN_OVER_HTTP checker finds cases where the login form of a Spring application is not forced to be accessed over HTTPS. (SAT-34244)
Added models for the Boost Log library. (SAT-34288)
Added models for the Boost Icl library. (SAT-34295)
Extended modeling for the glib library. (SAT-34304)
Extended modeling for the appweb library. (SAT-34307)
The new CUDA.CUDEVICE_HANDLES checker reports cases where an integer value is used in place of a CUdevice object. (SAT-34336)
The new CUDA.ERROR_INTERFACE checker looks for missing checks of return values from CUDA API functions that might return an error code. (SAT-34338)
The new CUDA.DEVICE_DEPENDENT_CALLBACKS checker reports cases where a device-dependent operation is executed, a kernel is launched, or a managed storage object is ODR-used inside a CUDA callback function. (SAT-34339)
The new CUDA.DEVICE_DEPENDENT checker reports cases where a device-dependent operation is executed, a kernel is launched, or a managed storage object is ODR-used before program initiation has completed, or after program termination has started. (SAT-34340)
The new CUDA.FORK checker reports cases where a CUDA library interface is called, or an object residing in storage allocated by CUDA library interfaces or a managed storage duration object is accessed, between a call to fork and a subsequent call to exec. (SAT-34344)
The new INSECURE_HTTP_FIREWALL checker finds cases where the HTTP firewall is configured insecurely within the Spring Security framework. (SAT-34434)
The new WEAK_URL_SANITIZATION checker finds cases where weak sanitization of URLs occurs. (SAT-34551)
C/C++ security checkers such as TAINTED_STRING now distinguish between taint on pointers and taint on their contents, and have improved handling of write and assign operations. (SAT-4838)
Improved the UNINIT checker to handle some cases where an uninitialized variable's address is taken but no initialization happens. (SAT-5286)
Fixed a false positive of MISRA C-2012 Directive 4.9 on clang-based compilers where inline functions couldn't be used to initialize constants.
Fixed a false positive of MISRA C-2012 Rule 8.3 about identical redefinition using typedef on clang-based compilers.
Fixed a false positive of MISRA C-2012 Directive 4.9 for macros containing only text string substitution.
Fixed a false positive of MISRA C-2012 Rule 20.7 when macro expansion was not a complete expression.
Fixed a localization issue for some checker and event messages; more translated strings now appear in all three languages.
Fixed a source of UNINIT false positives involving nested field accesses.
Fixed some false positives with the UNINIT checker with the enable_write_context option and with MISRA C-2012 Rule 9.1 when initializing arrays in a loop in a callee.
Fixed a source of UNINIT false positives when computing field offsets.
Fixed a false positive on the OVERRUN checker on msgsnd and msgrcv.
Fixed a false positive on the UNINIT checker.
Fixed a source of UNINIT false positives when a value is initialized using a cast of an address.
Fixed a USE_AFTER_FREE false positive when code was compiled for the C++17 standard.
Fixed the OVERRUN checker to update bounds for disequalities against a constant.
Fixed a false negative in the OVERRUN checker involving memory buffers of size 1 byte allocated with malloc().
Fixed an OVERRUN false negative where the length of a string was not adequately propagated through strcpy calls.
Eliminated a false positive report from FORWARD_NULL when certain constructs involving multiple identical dynamic casts appeared.
Fixed a false positive for the RESOURCE_LEAK checker.
Updated memory allocation/free functions in the glib API models to use the system malloc/free.
Fixed an inconsistency in the way the OVERRUN checker option allow_arrays_of_uniform_structs treats direct accesses vs. pointer accesses.
Fixed a source of MISSING_COPY_OR_ASSIGN false positives when the assignment operator or copy constructor is explicitly deleted in a base class.
Fixed a false negative for the SLEEP checker.
Fixed a false positive for the CTOR_DTOR_LEAK checker.
Improved the UNINIT checker to avoid incorrectly detecting some assembly code as initializing variables that it does not actually reference.
Added support for the javax.net.ssl.SSLContext API to the RISKY_CRYPTO checker.
A false positive for the CONFIG.ATS_INSECURE checker has been fixed.
Fixed an issue that was causing the analysis to fail in certain cases when the XML_EXTERNAL_ENTITY checker was enabled.
Fixed a source of FORWARD_NULL false positives when accessing an outer class member in an inner class with a delegating constructor.
Fixed a recoverable analysis crash mentioning "CHECKED_ARGUMENT_FOR_MISRA" when running MISRA checkers on some code involving floating point operations.
Fixed a case where FORWARD_NULL would report a false positive when a null reference was reassigned within a lambda function that captured the reference.
Fixed a source of STRAY_SEMICOLON false positives when using the C++ if constexpr construct and a clang-based compiler.
Fixed a false negative of MISRA C-2012 Directive 4.14 regarding standard document cases.
Fixed a false positive of CERT INT30-C about a multiply operation after casting into a bigger-size integer.
Fixed false positives of CERT INT30-C and CERT INT32-C about an addition operation after casting into a bigger-size integer.
Fixed a false negative of CERT INT31-C about invalid conversion related to types with qualifiers.
Fixed a false positive of AUTOSAR C++14 A8-4-5 where std::exchange was used on scalar types.
Fixed a false positive of MISRA C-2012 Rule 10.3 about defects in a standard header file. Also fixed a false positive of MISRA C-2012 Rule 17.7 about compound expressions.
Fixed a false positive of MISRA C-2012 Rule 9.1 about __gettimeofday.
Fixed a false positive for MISRA C-2012 Rule 9.1.
Fixed a false positive of MISRA C-2012 Rule 10.6 about variables declared as const.
Fixed a false positive in MISRA C-2012 Rule 9.1/UNINIT with "enable_write_context" when a write was predicated on 2 pointers being non-null.
Fixed a false positive of AUTOSAR C++14 A12-1-3 where not all data members were initialized with const values.
Fixed a false positive of CERT INT31-C about bit fields.
Fixed a false positive of CERT INT31-C about casts in parameters and the return value when calling compiler-generated functions.
Suppressed AUTOSAR C++14 A8-4-7 reporting on a template class member function.
Fixed a false positive of MISRA C++-2008 Rule 5-0-15 about using array indexing on an array parameter.
Fixed a false positive of CERT EXP37-C when the called function was prototyped.
Suppressed AUTOSAR C++14 A8-4-11 and A8-4-13 reporting on template classes and functions.
Fixed an AUTOSAR C++14 A8-4-9 false positive where the "in-out" parameter was used to initialize a class non-const reference member.
Fixed a false positive of CERT INT30-C about adding an integer literal after a right-shift operation.
Fixed a false positive of CERT DCL37-C about using a reserved identifier in a standard header file.
Fixed a false positive of CERT MEM55-CPP where an overloaded function has no throw specifier and does not throw exceptions.
Fixed a false positive of MISRA C-2012 Directive 4.7 where a function call was tested by the equality operator.
Fixed the presentation issue of MISRA C-2004 Rule 2.2 for Chinese characters.
Fixed a false positive of AUTOSAR C++14 A9-6-1 where a type was redefined.
Fixed a false positive of CERT INT30-C about a subtract operation after left-shifting constant bits.
Fixed a false positive of CERT INT31-C about a type cast after a sufficient right-shift operation.
Fixed a false positive of MISRA C-2012 Rule 11.1 caused by the wrapped type.
Fixed a false positive of MISRA C++-2008 Rule 0-1-2 where the equality operator was used in an if statement.
Fixed a false positive of MISRA C++-2008 Rule 0-1-10 about overloading the new operator.
Fixed a false positive of CERT MEM52-CPP about compiler generated variables.
When using Buildless Capture with JavaScript projects, in some cases analysis might yield a large number of false positives for the EXPLICIT_THIS_EXPECTED checker. In such cases, we recommend disabling this checker using the --disable EXPLICIT_THIS_EXPECTED option of the cov-analyze command.
Churn for the preview INTEGER_OVERFLOW checker might be higher in this release compared to churn for other checkers.
The latest version of the integrated SpotBugs software has a documented bug: FE_FLOATING_POINT_EQUALITY defects won't be reported.
The XSS checker can report multiple occurrences of the same local defect under certain circumstances.
Added limited support for cov-archive in a cluster Coverity Connect installation. The limitation is that importing to a subscriber node is forbidden. (IM-24896)
Due to a mismatch between creation timestamps and version numbers in some Incremental Release packages, it was possible for cov-commit-defects to report that an update was available when in fact no applicable update existed. This check now uses the actual installed version for improved accuracy.
Fixed a cov-wizard result view link error.
Fixed a crash in cov-format-errors that happened when the --json-output-v7 option was used in combination with a missing source location in a SpotBugs report.
cov-make-library calls specifying a compiler and additional --compiler-opt options could fail with an incorrect command line error. This has been fixed.
The --ticker mode option of the cov-run-desktop command has been removed to fix a bug.
If you receive the following error message when using cov-build, you can work around this issue by using the --instrument option.
[WARNING] Compilations that use 32-bit Java tools running on 64-bit Windows were detected during this build. Such compilations are not supported at the moment; analysis might be incomplete or invalid because of that.
Workaround:
> cov-build --dir t1 --instrument ant
If you have KB2919355 (http://support.microsoft.com/kb/2919355) installed on a Windows 2012 system, you might encounter the build hanging under cov-build if MSBuild is used. When this happens, the process tree will show MSBuild still running under cov-build, even though there will be no output or progress from MSBuild. To work around this issue, do one of the following: uninstall KB2919355, or add the --instrument flag to your cov-build invocation; for example:
> cov-build --dir dir --instrument msbuild ..
On Windows, when preprocessing a file with cov-emit to the Windows console, cov-emit might fail with a catastrophic error if the character encoding of the preprocessed output is not compatible with the console encoding. This error can be avoided by redirecting the preprocessed output to a file.
When in the Test Prioritization workflow, on the View Results page, clicking the Open in System Editor button might not work for some older Linux distributions.
Running cov-emit-java to emit a web application (with --war, --findears, or similar) might fail if the number of JAR files in its classpath (including those found with --findjars) exceeds the operating system's per-process open file limit. To work around this, either increase the per-process open file limit or remove unnecessary JARs from the classpath.
Support for LLVM Clang 3.0–3.6.x is deprecated as of 2020.06 and will be removed in a future release.
Deprecated support for Go 1.12.x.
Deprecated support for Apple Clang 6.0 (Xcode 6.0–6.2) and Apple Clang 6.1 (Xcode 6.3–6.4).
Deprecated support for Ruby 2.3 and 2.4.
Support for IBM XLC versions 8–12 is deprecated as of 2020.06 and will be removed in a future release.
Support for Linux versions of Intel C++ older than version 17 is deprecated as of 2020.06 and will be removed in a future release.
Support for Keil Arm compiler RVCT 3.1 and 4.0 for uVision is deprecated as of 2020.06 and will be removed in a future release.
Support for macOS 10.13 has been deprecated as of 2020.06 and will be removed in a future release.
Support for Oracle JDK 13 has been deprecated as of 2020.06 and will be removed in a future release.
Support for OpenJDK 13 has been deprecated as of 2020.06 and will be removed in a future release.
Added support for clang-cl 7.0 on Windows. (CMPCPP-3662)
Added support for the MetaWare ccac Q-2019.12 compiler. (CMPCPP-9048)
Added support for the TASKING TriCore version 6.0r1 compiler. (CMPCPP-9497)
Added support for the Renesas C/C++ RX version 3.01 compiler. (CMPCPP-9622)
Added support for the GNU GCC and G++ version 9.2.0 compiler. (CMPCPP-9821)
Added support for Kotlin 1.3.71. (CMPFG-394)
The JavaScript front end now supports all ES10 (ECMAScript 2019) syntax. (CMPG-3220)
Added support for Go 1.13 and 1.14. (CMPG-3221)
Added support for TypeScript 3.8. (CMPG-3228)
Added support for IBM JDK 7 through 8. (CMPG-3231)
Clarification added to documentation that Coverity only supports Kotlin projects that are targeted to JVM or Android, not other platforms. For multiplatform projects, Coverity only captures Kotlin source files that are targeted to the supported platforms. (CMPG-3239)
Added support for Apple Clang 11 (Xcode 11.4). (CMPG-3247)
Added support for LLVM Clang version 10.0. (CMPG-3272)
Support has been added for the CUDA programming language and the NVIDIA nvcc compiler when used with GNU gcc or Microsoft Visual C++ as the host compiler. (CMPG-3291)
Added support for Go 1.13-1.14.x. (CMPGO-151)
cov-emit-go now properly handles Go modules. (CMPGO-90)
Optional chaining syntax is now supported by the TypeScript front end. (CMPJS-775)
Xcode 11 is now supported. (CMPSWIFT-301)
Added support for macOS 10.15. (COVP-2146)
SCM support for Accurev 7.3 has been added. (COVP-2192)
Support for IBM JDK 7, 7.1 and 8 has been added. (COVP-2225)
To improve performance, third-party license files will now be contained in a zip file at doc/licenses/coverity-thirdparty-licenses.zip. (INS-2851)
Fixed a bug where cov-build did not work with gcc-10.
Fixed an issue where cov-emit could not recognize va_list for the IAR ARM compiler.
The assertion "Trying to access type std::array<unsigned char, 1ul> as a array type" has been eliminated.
Fixed an issue where Coverity failed with an invalid redeclaration of type name __istate_t for the IAR STM8 compiler.
An issue was fixed in the compilation of code that uses Qt and protocol buffers using 2020.03.
Special support for the WARN_ON, BUG_ON, and BUG macros present in Linux kernel development is no longer in effect when not compiling Linux kernel code.
Fixed a bug in the MISRA C 2012 Directive 4.9 checker where a macro with properties that qualify it as not function-like was being flagged as a violation when used as an argument to another macro.
Fixed a bug that produced errors when the underlying type of an enum is not scalar.
Fixed an issue where cov-emit didn't set the macro __ARM_FEATURE_CMSE correctly with the --cmse option for the IAR ARM compiler.
Fixed a bug where MISRA C++ 2008 Rule 0-1-5 reported a false positive defect due to an unused lambda closure class type.
Fixed an issue where cov-emit could not support static_assert in C mode for the IAR ARM compiler.
An issue was fixed for the capture of a C# project.
Addressed an issue in the emit where large logical chains of C# dynamic types could negatively impact performance.
A bug has been fixed that caused stalled C# builds.
An issue has been addressed that resulted in increased build times for C# code.
Kotlin front end now properly supports Kotlin serialization compiler plugin.
A bug was fixed for numerous parse warnings that were due to Coverity preprocessing removing whitespace incorrectly.
We can now handle some error cases encountered during Java file-system capture more gracefully so that these cases do not result in a failure to emit entire sets of source files.
We can now handle an error case encountered during Java build capture more gracefully so that this case does not result in a failure to emit entire sets of source files.
Fixed a problem in which Java builds with a --release value below 9 were compiled with modular type-resolution semantics.
A bug was fixed that caused TypeScript recursive function type declarations to cause stack overflow.
The Coverity front end for TypeScript does not have support for the esnext module type, and has historically fallen back to emitting such TUs with the default module type. It will now fall back to emitting those TUs with the commonjs module type instead.
The logging output produced by the JavaScript/TypeScript front end has been improved to provide a consistent presentation and more context.
A bug was fixed that led to no files getting emitted and no files getting analyzed for the Scala compiler.
Fixed an issue (on a 64-bit platform compiling using -m32) that caused Coverity to think that msgrcv() is overrunning the stated buffer size by four bytes.
cov-build --instrument has a known issue when running the xdcmake.exe tool of Visual Studio 2010 when launched from a 32-bit process on Windows 10. This will currently fail with a System.BadImageFormatException exception. To work around this issue, do one of the following: modify the build such that xdcmake.exe is run from a 64-bit process, or ignore the xdcmake.exe process by adding --capture-ignore xdcmake.exe to your cov-build invocation.
Casts of ISO/IEC TR 18037 fixed point types are incorrectly rejected in code compiled in C++ mode for Clang based compilers. This issue is known to affect the Synopsys MetaWare ccac compiler.
The new build system introduced in Xcode 10 is not supported with Clang compilers. See the section "Building projects that use Xcode 10's new build system" in the "Coverity Analysis User and Administrator Guide" for details on how to work around this issue.
The Coverity Swift front end does not support Mac Catalyst apps in the 2020.06 release.
The default charset for the Java 1.8 VM on Mac appears to be UTF-8 if a charset has not been explicitly set. The Coverity Java compiler does not emulate this behavior. Make sure to explicitly set the character encoding by setting a locale using the LANG or LC_CTYPE environment variables.
The JavaScript front end no longer supports nameless function statements. (Nameless function expressions are supported as before.) A function statement without a declared name is a syntax error according to the ECMAScript standard, but may be used in JavaScript source files with some frameworks.
The Coverity front end for TypeScript does not presently respect module=esnext. As a result, Coverity tools cannot currently emit top-level awaits which are built using module=esnext.
Scala Macro Paradise compiler plugin can be incompatible between different Scala 2.12.x patch versions and might cause emit failures.
If Dynamic Analysis reports defects in classes that were compiled without debugging information, or classes that contain mangled information due to misbehaving code coverage or AOP tool, the defect report might contain nonsensical line numbers or file names.
Specifying certain combinations of the instrument-arrays, instrument-collections, detect-races, and detect-deadlocks options to the Dynamic Analysis agent causes unexpected behavior. In particular, Dynamic Analysis still reports races on arrays and collections according to the instrument-arrays and instrument-collections options when detect-races is false and detect-deadlocks is true. However, if both detect-races and detect-deadlocks are false, Dynamic Analysis reports races on neither collections nor arrays.
If you do not specify a class in the cov-start-da-brokerclasspath option, the corresponding source file isn't committed, even if the source file is present on the source path.
Support for Mercurial 3.1 and 3.2 has been dropped.
Support for Perforce 2016.1 has been dropped.
Support for Perforce 2016.2 is deprecated as of 2020.06 and will be removed in a future release.
The use of "--cs-coverage opencover" with Test Advisor may fail to capture any tests or coverage data on some versions of Windows if the user's account has Administrator permissions, .NET Framework 4.8 is installed, and user account control (UAC) is disabled. This can be worked around by manually registering the OpenCover profiler DLLs and passing "--cs-no-register-profiler" to your "cov-build --test-capture" invocation. This manual registration must be performed systemwide; your regsvr32 invocations must be run without the "/i:user" argument. For more details on this, see the documentation of cov-build's "--cs-no-register-profiler" switch in the Command Reference.
When using --java-coverage jacoco, Test Advisor might consider lines that never run to completion, but instead always generate exceptions, to be uncovered.
cov-wizard might not emit Java successfully with the default version that is installed in Ubuntu 18.04. (See https://bugs.launchpad.net/ubuntu/+source/openjdk-lts/+bug/1796027) To fix this issue, install a different version of Java and set it as the default Java version.
In the Coverity Wizard Policy Editor, the Link to Editor icon in the Outline View might be toggled as enabled, even though the editor is not actually linked with the Outline View. To enable outline linking, toggle the Link to Editor button to disabled, and back to enabled again.
Not all the Preference dialog text is translated into Japanese on the syntax coloring dialog.
In Coverity Wizard, after automatically configuring the compilers in the Configure Compilers screen, the status indicator for the Configure Compilers screen might not update from the exclamation mark icon to the check mark icon, which will appear as though the auto-configuration was unsuccessful. However, clicking anywhere in the Coverity Wizard window or changing pages will cause the indicator to update to the check mark icon.
The Guided Test Advisor Policy Creation Wizard uses Java regex validation instead of the Perl regex validation that Coverity Analysis Test Advisor uses. This should not cause any issues for most users, but if there is a difference, go to the more advanced Test Prioritization Policy Editor and Debugger to enter the proper regex.
The guided policy creation wizard Documentation link fails to open properly on Linux. Open the Coverity Wizard 2019.12 User Guide separately to view this documentation.
After upgrade, Coverity Wizard can sometimes give a ReferenceMap NullPointerException application error on startup. To work around this issue, delete the .orphan file in the <install_dir_sa>/jars/cwiz/configurations/org.eclipse.core.runtime folder.
When using a self-signed certificate, if the user chooses not to trust a certificate, they might be prompted multiple times (asking to trust the certificate). If a user does not want to trust a self-signed certificate, they should change their Coverity Connect server settings to avoid the prompts. But just keep pressing no (to not trust the certificate), to get through the multiple prompts.
Coverity Wizard now warns the user every time they select the Test Prioritization workflow, even if they did not first work with the regular analysis workflow. This warning can be safely ignored.
Using the Duplicate button for configuring compilers in Coverity Wizard does not work.
This section provides release notes for Coverity Desktop components.
Even though support for Android Studio 3.6 has been added, the Coverity Desktop plugin will fail to scan Android projects. It will work for Java and Gradle projects that are not Android based.
Android Studio does not show the proper scope in the Issues view for local analysis. It currently always says "External output file" when in local analysis mode.
Currently any source generated by Gradle Android projects will not be captured by the build process, and will be reported as "Uncaptured" by the IntelliJ and Android Studio IDEs. These files can be ignored by the "Uncaptured Source Files Dialog" or through the "File Exclusions" settings page. Auto-generated Gradle source files are captured when using Android Studio 3+.
Coverity markers in the editor gutter can sometimes be shown in duplicate with the IntelliJ/AndroidStudio Coverity Desktop plug-in.
For macOS 10.14 users with JDK-8136913 installed, using the hostname_regex in the coverity.conf file caused a 5 to 30 second delay. We've provided a workaround to fix this issue in our documentation.
Eclipse customers using Plastic SCM might see a failure during Analyze Modified Files, as Eclipse is unable to locate their cm executable file. This occurs when the cm.exe file is located in /usr/local/bin/ rather than /usr/bin/ and can be resolved by adding a link to the executable in /usr/bin/.
Added support for IntelliJ 2020.1 (PRD-12102)
Added support for Pycharm 2020.1 (PRD-12103)
Added support for WebStorm 2020.1 (PRD-12104)
Added support for Rubymine 2020.1 (PRD-12105)
Added support for PhpStorm 2020.1 (PRD-12106)
When using whole program checkers in IntelliJ, a warning about missing class files might be displayed in the console, which indicates missing class files with incorrect paths. Even if the paths do not seem correct, this should not affect analysis results.
For Coverity Connect users using the Japanese locale, the Apply button in the triage panel was disabled unless the Owner was changed. To work around this, the IDE locale should be the same as the user account locale on the Coverity Connect server. Since IntelliJ currently only supports English, the user account locale on Coverity Connect must be set to English as well.
Coverity Connect attributes and usernames in the Coverity Desktop plug-in are cached on start up, and not refreshed until IntelliJ is restarted. If you are missing a new username, or some other triage attribute, try restarting IntelliJ.
The Coverity Desktop plug-in does not currently work for the Alloy IDEA theme.
Android Studio does not show the proper scope in the Issues view for local analysis. It currently always says "External output file" when in local analysis mode.
The triage view will not resize while the History section is expanded. Collapsing the history section will cause the view contents to resize.
Currently any source generated by Gradle Android projects will not be captured by the build process, and will be reported as "Uncaptured" by the IntelliJ and Android Studio IDEs. These files can be ignored by the "Uncaptured Source Files Dialog" or through the "File Exclusions" settings page. Auto-generated Gradle source files are captured when using Android Studio 3+.
Coverity markers in the editor gutter can sometimes be shown in duplicate with the IntelliJ/AndroidStudio Coverity Desktop plug-in.
This section provides release notes for Coverity Documentation components.
The list of supported compilers for Dynamic Analysis has been moved to "Appendix A. Coverity Dynamic Analysis for Java". (SAT-33715)
Information about the projects view type has been added to section 5.2.1 of the Coverity Platform Web Services API Reference.
Updated the fonts used in PDF output for Chinese Simplified documentation. This fixed an issue by which some characters did not render properly.
The broken hyperlinks in section "2.3.4. Troubleshooting for FLEXnet licensing" of the Coverity 2020.06 Deployment and Installation Guide have been replaced with a single working hyperlink.
Table 8.10. "Frameworks supported by Coverity" in the Coverity 2020.03 Deployment and Installation Guide incorrectly listed "Sprint boot". That listing has been corrected to "Spring boot".
A missing image was restored to the Coverity Desktop Analysis Guide.
This section provides release notes for Coverity Platform components.
Improved the performance of the following methods of the Defect Service Web Service: getMergedDefectsForProjectScope, getMergedDefectsForStreams, and getMergedDefectsForSnapshotScope. This also improved the performance of the cov-manage-im command. In some internal tests the latencies were reduced from about 120 seconds to about 8 seconds.
This section provides release notes for Coverity Analysis components.
Fixed an issue where cov-emit-java crashed on long command line switches.
An error case encountered during Java build capture is now handled more gracefully, so that it no longer results in a failure to emit entire sets of source files.
Fixed a bug in which recursive TypeScript function type declarations caused a stack overflow.
This section provides release notes for Coverity Analysis components.
For a summary of checkers that have been added or changed in this release, refer to the "Coverity Checker Change History" table in the Coverity Checker Reference.
This section provides release notes for Coverity Platform components.
Coverity Compliance Solution helps quality managers and architects manage coding-standards projects (those using the MISRA, CERT, or AUTOSAR standards), which typically surface large numbers of findings. Using Compliance Solution, developers can focus on the most important issues and prioritize among them.
If you use coding standards and find you have a larger number of defects than you can comfortably handle, the Compliance Solution will let you do the following:
Visualize large numbers of findings and make decisions about how to handle them
Use those decisions to filter findings, excluding all that are not of interest now
Upload only the interesting findings to Coverity Connect
Compliance Solution is now in a beta phase. For documentation, tutorials, and information about the beta program, please see the solution's Community page: https://community.synopsys.com/s/coverity-compliance-solution
This section provides release notes for Coverity Platform components.
The Help page does not contain documentation or tutorial links. Workaround: You can get the documentation and tutorials from the Solution's Synopsys Community page.
The cov-upload-findings command is slow for large intermediate directories, that is, those with more than about 100,000 findings.
Improved page load performance on the Visualize page when adding a filter policy.
The threshold control on the Filter Policies/Threshold page does not work on some versions of Microsoft Edge browser. Workaround: Use a different browser.
The installer that the bootstrap script runs quits if you press Enter too many times during the display of the End User License Agreement. You can work around this by pressing 'q' once while the EULA is displayed.
If the Findings Manager host's hostname command returns a name that is not known to DNS, Findings Manager does not know what streams are available from Coverity Connect, even though Coverity Connect is connected to the message bus.
Workaround: Edit the file compliance-solution-2020.03-CSPBETA-####/config/environment. On the line that starts KAFKA_HOST=, replace the hostname with the host's IP address. Then restart the compliance solution with the following command:
cd ../bin; message-bus up && findings-manager up
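As an added example (not code from the Compliance Solution or from these release notes), the following POSIX shell functions carry out the workaround above and guard against two easy mistakes: they check whether the configured host name actually resolves before touching anything, and they refuse to write anything but a dotted-quad IPv4 address into the KAFKA_HOST= line. The environment file is assumed to be a plain KEY=VALUE file, getent(1) is assumed to be available for the resolver check (glibc systems), and the #### build number in the directory name is left as the placeholder the release note uses.

```shell
# Added example: apply the KAFKA_HOST workaround from the release note.
# Not part of the Compliance Solution; the environment file is assumed to
# be a plain KEY=VALUE file and getent(1) is assumed to be present.

# Return 0 if NAME resolves through the system resolver (DNS or hosts file).
hostname_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Accept only a dotted-quad IPv4 address, so a typo or an unresolved
# hostname never ends up in the message-bus configuration.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the value currently configured on the KAFKA_HOST= line of FILE.
get_kafka_host() {
    sed -n 's/^KAFKA_HOST=//p' "$1"
}

# Rewrite the KAFKA_HOST= line of FILE to IP. The result is written to a
# temporary file and renamed into place, so a failure never leaves a
# truncated environment file behind.
set_kafka_host() {
    file=$1
    ip=$2
    is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    grep -q '^KAFKA_HOST=' "$file" || { echo "no KAFKA_HOST= line in $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    sed "s/^KAFKA_HOST=.*/KAFKA_HOST=$ip/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Usage (the #### build number is the placeholder from the release note;
# `hostname -I` is Linux-specific and may list several addresses):
#   conf=compliance-solution-2020.03-CSPBETA-####/config/environment
#   if ! hostname_resolves "$(get_kafka_host "$conf")"; then
#       set_kafka_host "$conf" "$(hostname -I | awk '{print $1}')"
#       (cd compliance-solution-2020.03-CSPBETA-####/bin && message-bus up && findings-manager up)
#   fi
```

The temp-file-and-rename step matters on a host where the message bus may be restarting while you edit: a half-written environment file would otherwise be read as an empty KAFKA_HOST.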
When you run cov-upload-findings, you can ignore the warning message (emitted by the Jetty SslContextFactory) that says no EndPointIdentificationAlgorithm has been configured.
A new filter and column named Score is available on views of type "Issues: By Snapshot". This filter/column represents the score assigned to findings by Compliance Solution scoring policies. These scores are retained when Coverity Connect converts the findings to issues. For more information, refer to the Coverity Compliance Solution Guide. (COVDOCS-36)
Coverity Compliance Solution is currently part of the Compliance Solution Beta program and is available only to program participants. For more information about the Compliance Solution Beta program, see the section "Compliance Solution". (COVDOCS-36)
The cov-archive command can now delete exported streams (for example, cov-archive export-streams --remove --stream s1 --project p1 --archive ../s1_p1.covarch), thus supporting archiving semantics rather than only exporting as in the previous release. See the Coverity Command Reference for more details. (IM-23992)
Added build success information to the WS API getSnapshotInformation method. (IM-24103)
Added an ability to configure Trend ETL process scheduling separately from Status ETL process scheduling. (IM-24368)
Added triage-store information to the triage event notifications (IM-24569)
Exporting via cov-archive no longer requires putting Coverity Connect into maintenance mode. (IM-24590)
Documented the ability to provide event-driven triage notification. The administrator can use event-driven triage notifications to send notifications to issue owners about all triage event changes as they happen. These notifications are filterable and configurable. (IM-24592)
The Coverity Connect silent installer option --admin.password has been deprecated in favour of two new options, --admin.password.env and --admin.password.file, which don't require the password to be entered directly on the command line, where it would be visible in the process list and in shell history. (INS-2860)
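Why the change matters, as an added example that is not part of the release notes or of the installer: anything passed as a command-line argument is visible to every local user through ps(1) or /proc/<pid>/cmdline and usually ends up in the shell history, whereas an environment variable is readable only by the process owner and root, and a file can be created with restrictive permissions before a single byte is written to it. The functions below audit an argument vector for the deprecated inline form and create a password file suitable for passing to --admin.password.file. The release note does not state the exact argument syntax of the new options, so the audit treats both "--admin.password VALUE" and "--admin.password=VALUE" as leaks; the installer name and path in the usage comment are placeholders.

```shell
# Added example: audit an argument vector for the deprecated inline admin
# password and create a password file safely. Not installer code; the new
# options' exact syntax is not stated in the release note, so both the
# "--admin.password VALUE" and "--admin.password=VALUE" forms are flagged.

# Return 0 if the arguments carry the password inline. --admin.password.env
# and --admin.password.file only name a variable or a file, so they pass.
cmdline_leaks_password() {
    for arg in "$@"; do
        case $arg in
            --admin.password|--admin.password=*) return 0 ;;
        esac
    done
    return 1
}

# Write the password read from stdin to FILE with mode 0600 from the very
# first write: the umask is lowered inside a subshell before the file is
# created, so there is no window in which it is group- or world-readable.
# An existing path (including a dangling symlink planted by another local
# user) is never overwritten.
write_password_file() {
    file=$1
    if [ -e "$file" ] || [ -L "$file" ]; then
        echo "refusing to overwrite $file" >&2
        return 1
    fi
    (umask 077 && cat > "$file")
}

# Permission string of FILE in ls(1) form, e.g. "-rw-------" (portable
# across GNU and BSD, unlike the differing stat(1) flags).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage (placeholder installer name and path):
#   printf '%s\n' "$ADMIN_PW" | write_password_file /root/.cov-admin-pw
#   ./cov-platform-installer --admin.password.file /root/.cov-admin-pw
#   ps -o args= -p "$pid"     # shows the file name, never the password
```

The symlink check is the detail most scripts skip: a shell redirection follows a pre-planted symlink, so a writable temp directory plus "cat > file" would let another user pick where the password lands.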
Documentation has been updated to describe the defect status Absent Dismissed.
Documentation has been updated to warn against setting up more than one LDAP configuration.
Fixed a bug that prevented component map import.
Docs have been updated to reflect the fact that a project manager can preview commits to a stream.
The View API views method now reports shared views.
The Japanese documentation was amended to warn that an external database should be used only by an experienced database administrator.
Coverity Connect again supports keystores in PKCS#12 format.
Fixed a bug in which repeatedly soft-deleting users produced user names long enough to raise database errors.
Fixed a bug in the functionality of linking a dynamic stream to a project. As a result, importing dynamic streams via the cov-archive command is now supported.
A bug has been fixed whereby a user who lacked appropriate permissions was able to access data.
Fixed a time stamp inconsistency issue when the Triage Store was exported and imported between different time zones.
The getMergedDefectsForProjectScope API can now retrieve Impact and other information on Preview Defects.
Fixed a bug in which the autocompleted-users query was using too much working memory.
Documentation has been updated to note the need to set java.io.tmpdir and/or jna.tmpdir when file systems are mounted noexec.
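As an added example, not from the Coverity documentation: the check below decides whether a directory sits on a noexec mount and, if so, produces the two JVM properties named in the release note. It parses a mount table in /proc/mounts format (device, mount point, type, options) from standard input, picks the longest mount point that is a prefix of the directory on a path-component boundary (so /tmp/cov maps to /tmp, but /tmpdata does not), and matches noexec as a whole comma-separated token rather than a substring. The sample mount table is constructed for illustration; the alternative directory /opt/coverity/tmp and the way the resulting options are passed to the Coverity Connect JVM are assumptions.

```shell
# Added example: detect a noexec temp directory and emit the JVM properties
# from the release note. Not Coverity code. The mount table is read from
# stdin in /proc/mounts format: "device mountpoint fstype options dump pass".

# Print "MOUNTPOINT OPTIONS" for the mount that contains DIR: the longest
# mount point that is a prefix of DIR on a path-component boundary, so
# /tmp/cov maps to /tmp while /tmpdata/x does not.
mount_for() {
    awk -v d="$1" '
        {
            mp = $2
            if (mp == "/" || d == mp || index(d, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END { if (best != "") print best, opts }'
}

# Return 0 if DIR lives on a filesystem mounted noexec. The options field
# is comma-separated, so match the whole token rather than a substring.
dir_is_noexec() {
    set -- $(mount_for "$1")
    [ -n "$2" ] && printf ',%s,' "$2" | grep -q ',noexec,'
}

# Print the -D options to add to the Coverity Connect JVM when TMPDIR is
# noexec, pointing both properties at ALT; print nothing otherwise.
java_tmpdir_opts() {
    if dir_is_noexec "$1"; then
        printf -- '-Djava.io.tmpdir=%s -Djna.tmpdir=%s\n' "$2" "$2"
    fi
}

# Constructed sample mount table (not captured from a real host): /tmp is
# noexec, the Coverity install volume is not, and /tmpdata exercises the
# path-boundary rule.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /opt/coverity ext4 rw,relatime 0 0
/dev/sdc1 /tmpdata xfs rw,relatime 0 0'

# Usage against the sample; on a live host read the real table instead:
#   printf '%s\n' "$SAMPLE_MOUNTS" | java_tmpdir_opts /tmp /opt/coverity/tmp
#   java_tmpdir_opts /tmp /opt/coverity/tmp < /proc/mounts
```

Whatever directory you point the properties at must itself be exec-capable and writable only by the service account; JNA extracts a shared library there and dlopen()s it, so a world-writable replacement directory trades a startup failure for a library-planting risk.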
A bug was fixed where the Coordinator was running out of memory after a 2019.12 upgrade.
Drastically improved performance of the cov-archive import-streams command. In our tests, import times went from days to about an hour. Performance of the cov-archive export-streams command was slightly improved.
The macOS analysis installer now checks for a space character in the path.
Downloading the binaries to update Java and/or PSQL for security fixes might fail on slow internet connections. Please make sure you have a fast internet connection and retry.
In order to use Coverity Connect with a mail server (https option) or Bugzilla (https option), and some other cases, the user has to import certificates into cim/jre/lib/security/cacerts. After running the updater, all of these certificates are gone.
Changing the summary metric name on a coordinator causes the summary metric to disappear from all reports on subscribers. To work around this issue, add the new summary metric back into the reports on each subscriber.
User and password information in coverity_config.xml does not override options specified on the command line.
Collisions might occur if triage data is deleted from a cluster (used for testing, for example), and then up-to-date triage data is imported from a production instance. This is because deleting triage stores does not delete related CIDs. It is recommended you rebuild the cluster from scratch using the production data.
In a cluster environment, deletion of triage data on the coordinator is not recommended unless it can be verified that there are no subscriber dependencies. Synchronization problems between subscribers and the coordinator might result.
The selected value is not displayed for a Coverity Connect field when using Chrome browser version 47.0.2526.80 on Windows 7.
Using a custom defect export handler script might on occasion create an error when attempting to export data to a bug tracking system.
To prevent database constraint violations on subscribers in a cluster, when a user is deleted, it is marked for deletion instead of being completely (hard) deleted. This status subsequently synchronizes across the cluster.
When configuring Coverity Connect to connect to an LDAP server, you must specify (in the Host Name field) the hostname of the machine hosting the LDAP server. Using the IP address of the LDAP server is not supported. For more information, refer to the section "Configuring LDAP server settings" in the Coverity Platform 2020.03 User and Administrator Guide.
File upload functionality does not work in Internet Explorer 11.
Although the Upgrade Guide states that 32-bit to 64-bit in-place database format upgrades are not permitted, some will succeed, yielding valid results. Because in-place upgrade is preferable to backup-and-restore upgrade, we recommend that you try your upgrade in-place and, if it fails, fallback to backup-and-restore upgrade.
With Java 1.7.0_xx and older, Out of Memory errors might occur even when the system has a large amount of available RAM. The workaround is to use the Java version shipped with Coverity Platform, or to specify a maximum heap setting for cov-im-daemon.
Due to a Red Hat Enterprise Linux issue (Bug 1484079), the Coverity Platform installer on CentOS 7 or RHEL 7.4 might fail with an ArrayIndexOutOfBoundsException error and a stack trace indicating an error with fonts. This can be resolved by installing the dejavu-serif-fonts package.
For customers upgrading their Coverity Platform server from unsupported Coverity versions (such as version 5.x), we recommend that you upgrade to a supported intermediate version (such as 2018.03) before upgrading to 2018.06. We also recommend that you back up your data beforehand with the Upgrade Preparation feature.
All Coverity installers for Linux have a known issue related to missing fonts. If you are installing a Coverity product on Linux from the command line, the installer might fail before asking for user input if the target system does not have access to the fonts required by the installer. Stack traces vary, but usually reference "fonts". You can work around this issue by installing the fontconfig package.
For example, this command uses the apt-get package manager to install fontconfig:
apt-get install fontconfig
This command uses the yum package manager to install fontconfig:
yum install fontconfig
The Report Generator now refers to the 2019 version of the CWE/SANS Top 25 list. (RG-1368)
Fixed a bug in which cov-generate-cvss-report did not count WEAK_GUARD (CWE-291) as a CWE/SANS Top 25 vulnerability.
Fixed an error about an invalid configuration file that complained about missing properties when those properties were not actually relevant to the given report.
On APT-based systems, you might receive an error message during report generation. If you do, you are likely missing these libraries: libgl1, libgl1-mesa-dri, and libgl1-mesa-glx. You can install the missing libraries with the following command:
apt-get install libgl1 libgl1-mesa-dri libgl1-mesa-glx
During report generation, you might receive the following error: "Loading library prism_es2 from resource failed: java.lang.UnsatisfiedLinkError:". If you encounter this error message, install the same missing libraries:
apt-get install libgl1 libgl1-mesa-dri libgl1-mesa-glx
In the Security Report, "Issues Without CWE Numbers" has been renamed "Non-security Issues" to address a complaint about a mismatch between the reported count of issues without CWE numbers and Coverity Connect output sorted by outstanding defects.
The Security Report now points to Black Duck Binary Analysis (BDBA) instead of Protecode SC.
This section provides release notes for Coverity Analysis components.
For a summary of checkers that have been added or changed in this release, refer to the "Coverity Checker Change History" table in the Coverity Checker Reference.
Added issue view columns for standards (AUTOSAR C++14, CERT C, CERT C++, DISA-STIG V4R3, ISO TS17961 2016, OWASP Mobile Top Ten 2016, OWASP Web Top Ten 2017, PCI DSS 2018). (IM-24530)
The SENSITIVE_DATA_LEAK checker now supports C and C++. (SAT-26090)
A checker option, allow_array_of_uniform_structs, has been added to the OVERRUN checker. This option suppresses defect reports when filling an entire array of structures from a pointer to one structure. (SAT-27510)
The REVERSE_INULL checker will no longer report on pointers that have been asserted as non-NULL. (SAT-29174)
For languages that implicitly initialize member references to null in a constructor, we now explicitly treat those references as initialized to null, rather than unknown/uninitialized. (SAT-31288)
Defects that were previously reported as BUFFER_SIZE_WARNING are now reported as BUFFER_SIZE, with a distinguishing subcategory. (SAT-31373)
The ATOMICITY checker now supports Go. (SAT-31554)
The LOCK checker now supports Go. (SAT-31555)
The GUARDED_BY_VIOLATION checker now supports Go. (SAT-31556)
The LOCK_INVERSION checker now supports Go. (SAT-31557)
The SLEEP checker now supports Go. (SAT-31558)
The HEADER_INJECTION checker now supports C, C++, Objective C, and Objective C++. (SAT-31576)
The HARDCODED_CREDENTIALS checker now supports Kotlin. (SAT-31766)
The SENSITIVE_DATA_LEAK checker now supports Kotlin. (SAT-31772)
The MISSING_PERMISSION_ON_EXPORTED_COMPONENT checker now supports Kotlin. (SAT-31795)
The ANDROID_DEBUG_MODE checker now supports Kotlin. (SAT-31796)
The CONFIG.ANDROID_BACKUPS_ALLOWED checker now supports Kotlin. (SAT-31797)
The CONFIG.ANDROID_OUTDATED_TARGETSDKVERSION checker now supports Kotlin. (SAT-31798)
The CONFIG.ANDROID_UNSAFE_MINSDKVERSION checker now supports Kotlin. (SAT-31799)
The BAD_CERT_VERIFICATION checker now supports Kotlin. (SAT-31803)
The INSECURE_REFERRER_POLICY checker for JavaScript and TypeScript finds cases where the Referrer-Policy HTTP header is set to certain values that might leak the Referer header across origins. (SAT-32198)
The new MULTER_MISCONFIGURATION JavaScript and TypeScript checker finds different cases of insecure configuration of the multer module. (SAT-32248)
You can now use code annotations in C/C++ to completely suppress a defect instead of only triaging it. (SAT-32272)
Coverity now supports Detekt analysis. (SAT-32309)
The CONFIG.MISSING_GLOBAL_EXCEPTION_HANDLER checker now supports JavaScript and TypeScript. (SAT-32398)
The new DNS_PREFETCHING checker for JavaScript and TypeScript finds situations where DNS prefetching is enabled by setting the allow property explicitly to true in the dnsPrefetchControl() function of the helmet middleware or in the configuration of the dns-prefetch-control middleware. (SAT-32402)
The new HPKP_MISCONFIGURATION checker for JavaScript and TypeScript finds cases of insecure HTTP Public Key Pinning (HPKP) configuration using the helmet and hpkp modules. (SAT-32432)
The new FILE_UPLOAD_MISCONFIGURATION checker for JavaScript and TypeScript finds cases where the express-fileupload plugin for an Express application is misconfigured and might allow a denial of service attack. (SAT-32512)
The CONFIG.ENABLED_DEBUG_MODE checker now supports JavaScript and TypeScript. (SAT-32515)
The new ANGULAR_SCE_DISABLED JavaScript and TypeScript checker finds cases where Strict Contextual Escaping (SCE) is explicitly disabled. (SAT-32659)
The INSECURE_COMMUNICATION checker now supports JavaScript and TypeScript. (SAT-32779)
The BAD_CERT_VERIFICATION checker now supports JavaScript and TypeScript. (SAT-33061)
The new AWS_VALIDATION_DISABLED checker for JavaScript and TypeScript finds cases where the aws-sdk middleware disables parameter or credential validation globally. (SAT-33068)
The CONFIG.UNSAFE_SESSION_TIMEOUT checker now supports JavaScript and TypeScript. (SAT-33071)
Added support for the A rules (Ax-x-x, where x is literal number, for example A0-1-1) in AUTOSAR C++14 compliance standard for Clang-based compilers. (SAT-33078)
For languages that implicitly initialize member references to null in a constructor, we now explicitly treat those references as initialized to null, rather than unknown/uninitialized. (SAT-33117)
The RISKY_CRYPTO checker now finds insecure SSL ciphers in JavaScript and TypeScript. (SAT-33124)
The AWS_INSUFFICIENT_PRESIGNED_URL_TIMEOUT checker has been renamed INSUFFICIENT_PRESIGNED_URL_TIMEOUT and now supports the AWS and Google cloud providers. (SAT-33134)
The new AWS_SSL_DISABLED checker for JavaScript and TypeScript finds cases where the sslEnabled property is set to false in AWS configuration. (SAT-33135)
The new TEMPORARY_CREDENTIALS_DURATION checker for JavaScript and TypeScript finds cases where cloud providers create temporary credentials that last longer than necessary. (SAT-33137)
The CONFIG.CORDOVA_EXCESSIVE_LOGGING and CONFIG.CORDOVA_PERMISSIVE_WHITELIST checkers are now enabled when the cov-analyze --webapp-security option is specified. (SAT-33138)
The new CONFIG.HARDCODED_TOKEN checker for JavaScript and TypeScript finds tokens and keys stored directly in configuration files. (SAT-33148)
Added modeling for the bzip2 library. (SAT-33179)
Enhanced our modeling of the GoAhead library. (SAT-33209)
Added modeling for libcurl. (SAT-33210)
Added models for boost/container library. (SAT-33211)
SpotBugs 3.1.10 has been patched to support the analysis of Java 13 classes. (SAT-33322)
Added a new checker, ODR_VIOLATION, which finds code that violates the C++ "one definition rule". Also greatly improved results for MISRA C++-2008 Rule 3-2-2. (SAT-7075)
Fixed false positive defects for compliance checker MISRA C++2008 Rule 14-6-2 for copy constructors and copy assignment operators generated by the compiler.
Documentation for checker options by aggressiveness level has been updated.
Fixed a source of DEADCODE false positives when a function whose semantics is min has max in its name (for example, clamp_max).
Fixed a class of USE_AFTER_FREE false negatives, where calls of free depend on an allocation policy.
Added models for the glib functions g_variant_print() and g_variant_print_string() so that a FORWARD_NULL is reported when these functions are called with a NULL pointer in the first parameter.
Fixed a false positive for the NO_EFFECT checker when the second argument to memset fits a signed character.
A model was added for the QNX pthreads extension pthread_mutex_trylock_monotonic(). This avoids false positives in the LOCK checker due to the formerly unrecognized mutex locking function.
Fixed a source of OVERRUN false positives when a function accesses a buffer using a minimum value multiplied by a constant.
A false positive for the SQLI checker has been fixed.
Fixed an error message issue for the NULL_RETURNS checker when the checker's stat_threshold option is set to zero and the allow_unimpl_and_unchecked option is set to true.
Fixed a false positive on the FORWARD_NULL checker when calling a method on a nil pointer.
The OVERRUN checker now gives better messages when an array is accessed at a constant element index in a callee; it now prints the element index rather than just the byte index.
Fixed a source of NULL_RETURNS false positives with null-returning operator new and value-initialization, for instance new (nothrow) char[N]().
A bug was fixed in which org.apache.jsp.tag.web.checklistGraph_tag could not be resolved to a type.
Fixed a crash in the SENSITIVE_DATA_LEAK checker, which was caused by incorrect handling of array expressions.
Fixed some serious performance issues affecting analysis of C++ codebases with compliance standards.
Fixed a recoverable error with the message "Cannot get TULinks from TU with no ASTs" when analyzing with CERT coding standards.
Fixed a source of false positive RISKY_CRYPTO reports that complained about an insecure block mode when not using a block cipher.
Fixed a recoverable failure in the INFINITE_LOOP checker when analyzing Visual Basic code under certain circumstances.
Fixed a false positive in MISRA C++-2008 Rule 7-1-1 where a variable was modified in try-catch blocks.
Fixed a false positive of MISRA C 2012 Rule 13.1 about taking the address of a volatile variable in initializer-list.
Fixed a false positive in AUTOSAR C++14 A16-0-1 about conditional file inclusion.
Fixed a false positive of MISRA C-2012 Directive 4.3 where an assembly statement was mixed with a variable declaration or a return statement.
Fixed a false positive of CERT ERR30-C about not resetting errno for out-of-band error indicator returning functions.
Fixed a false positive of MISRA C++-2008 Rule 0-1-6 about reassignment of a variable.
Fixed a false positive of CERT STR34-C where a char character is compared against another char character.
Fixed a false positive of CERT INT36-C where a variable of uintptr_t type was cast to a pointer.
Fixed false positives of MISRA C-2012 Rule 10.1 and MISRA C-2012 Rule 10.4 where false and 0 were in the same plain macro.
Fixed a false positive of AUTOSAR C++14 A4-7-1 about increasing size without data loss.
Fixed a false positive of MISRA C++-2008 Rule 12-8-1 when other rules were enabled at the same time.
Fixed false positives of AUTOSAR C++14 M9-3-3 and AUTOSAR C++14 A8-4-5 when a lambda function was used.
Fixed a false positive of AUTOSAR C++14 A7-1-5 where member functions used the auto specifier and trailing return type syntax in a class template.
Fixed a false positive of AUTOSAR C++14 A3-1-1 related to member initializations in class definitions.
Fixed a false positive of MISRA C-2012 Rule 10.3 where the Boolean true literal was used in struct initializers.
Fixed a false positive of MISRA C++-2008 Rule 0-1-6 when a value is used in arguments to a new expression.
Fixed a false positive of MISRA C-2012 Rule 10.3 where there were casts in macros to define bool literals.
Fixed a false positive of MISRA C++-2008 Rule 12-8-2 about compiler-generated copy assignment operators.
Fixed a false positive of CERT INT31-C about left shift operation and bitwise operation.
Fixed false positive of CERT ERR59-CPP when the library function declaration explicitly indicates that it will not throw an exception.
Fixed a false positive of MISRA C-2012 Rule 10.1 where an enum constant was used as an operand of operator [].
Fixed a false positive of AUTOSAR C++14 A7-1-2 about declaration of a non-trivially destructible const object.
Fixed a false positive of AUTOSAR C++14 A7-1-5 where a lambda function without auto specifier was used as a function parameter.
Fixed a false negative of CERT FIO45-C about value tracking on the string literal.
Fixed a false positive of MISRA C-2012 Rule 21.18 about appropriate argument value of size_t type.
Fixed a false positive in CERT INT30-C about arithmetic operations on struct fields.
Fixed a false positive of AUTOSAR C++14 A12-1-1 about delegating constructors.
Fixed a false positive of AUTOSAR C++14 A4-5-1 where an explicit enumerator equality expression was used as an operand of logical and operator.
Fixed a false positive in MISRA C++-2008 Rule 3-1-1 related to member initializations in class definitions.
When using Buildless Capture with JavaScript projects, in some cases analysis might yield a large number of false positives for the EXPLICIT_THIS_EXPECTED checker. In such cases, we recommend disabling this checker using the --disable EXPLICIT_THIS_EXPECTED option for the cov-analyze command.
Churn for the preview INTEGER_OVERFLOW checker might be higher in this release compared to churn for other checkers.
The XSS checker can report multiple occurrences of the same local defect under certain circumstances.
Support for FreeBSD 11.2 has been deprecated in this release.
A new command, cov-upload-findings, has been added to Coverity Analysis. The cov-upload-findings command uploads Coverity Analysis defect reports to a Compliance Solution Findings Manager. Refer to the 2020.03 Command Reference for more information about this command. (COVDOCS-35)
Coverity Compliance Solution is currently part of the Compliance Solution Beta program and is available only to program participants. For more information about the Compliance Solution Beta program, see the section "Compliance Solution". (COVDOCS-35)
The cov-commit-defects command has been updated to support streams with attached priority filters. Refer to the Command Reference for more information. (COVDOCS-55)
Coverity Compliance Solution (and priority filtering) is currently part of the Compliance Solution Beta program and is available only to program participants. For more information about the Compliance Solution Beta program, see the section "Compliance Solution". (COVDOCS-55)
Added support for FreeBSD 12.1. (COVP-2203)
The cov-run-desktop/cov-manage-emit recompile assertion "Selected record-only TUs again after recompiling them" has been eliminated.
Fixed an issue where cov-configure failed to generate configuration for the MetaWare ccac compiler.
cov-run-desktop and cov-manage-emit recompile will now update text files.
Documentation for cov-analyze is amended to improve translation as requested.
Added a new option, --cxx-container-type-regex, to the cov-analyze command; this option allows specifying C++ container types for all checkers that look for them.
Fixed a bug so that cov-format-errors can correctly set the language field in the generated JSON output.
To reduce analysis time where there are multiple verbatim copies of the same function, cov-analyze
processes just one of these, chosen heuristically. There was a flaw in the heuristic algorithm, which allowed it to enter an infinite loop in extremely rare cases. This flaw has been corrected.
If you receive the following error message when using cov-build, you can work around this issue by using the --instrument option.
[WARNING] Compilations that use 32-bit Java tools running on 64-bit Windows were detected during this build. Such compilations are not supported at the moment; analysis might be incomplete or invalid because of that.
Workaround:
> cov-build --dir t1 --instrument ant
If you have KB2919355 (http://support.microsoft.com/kb/2919355) installed on a Windows 2012 system, you might encounter the build hanging under cov-build if MSBuild is used. When this happens, the process tree will show MSBuild still running under cov-build, even though there will be no output or progress from MSBuild. To work around this issue, you can do one of the following:
* Uninstall KB2919355, or
* Add the --instrument flag to your cov-build invocation; for example:
> cov-build --dir dir --instrument msbuild ..
On Windows, when preprocessing a file with cov-emit to the Windows console, cov-emit might fail with a catastrophic error if the character encoding of the preprocessed output is not compatible with the console encoding. This error can be avoided by redirecting the preprocessed output to a file.
When in the Test Prioritization workflow, on the View Results page, clicking the Open in System Editor button might not work for some older Linux distributions.
Running cov-emit-java to emit a web application (with --war, --findears, or similar) might fail if the number of JAR files in its classpath (including those found with --findjars) exceeds the operating system's per-process file limit. To work around this case, either increase the per-process open file limit or remove unnecessary JARs from the classpath.
Support for the target StarCore DSP version 3.0 and StarCore SDMA version 3.0 of Freescale Codewarrior compilers is dropped as of 2020.03.
Support for Apple JDK is dropped as of 2020.03.
Dropped support for Visual Studio 2010 and 2012.
Build capture of Apple's JDK 1.6 has been EOL'd.
Support for .NET Core 3.0 has been deprecated in this release.
Support for Swift 5.0.x has been deprecated as of 2020.03 and will be removed in a future release.
Support for Pre-Compiled Headers (PCH) has been improved for gcc and Clang compilers; in fast desktop scenarios, PCH dependencies will now be handled automatically. (CMPCPP-8302)
Added support for the Green Hills Optimizing C and C++/EC++ V850 2018.5.5 compiler. (CMPCPP-8715)
Added support for the IAR Renesas RX v4.12 compiler. (CMPCPP-9070)
cov-emit now tolerates C99-designated initializers for non-POD subobjects in C++. (CMPCPP-9300)
Added support for MPLAB xc32-gcc 2.20 compiler on Linux. (CMPCPP-9409)
Added support for the Green Hills Optimizing C and C++/EC++ RH850 2019.5.5 compiler. (CMPCPP-9654)
Added support for the Apple Clang 11 (Xcode 11) compiler. (CMPCPP-9692)
Added support for Kotlin 1.3-1.3.61. (CMPFG-118)
Support for Pre-Compiled Headers (PCH) has been improved for gcc and Clang compilers; in fast desktop scenarios, PCH dependencies will now be handled automatically. (CMPG-2482)
yield statements are now supported in Java 13 preview switch expressions, and support for break statements in Java 12 preview switch expressions is removed. (CMPJ-1234)
HTML source files that do not contain or include JavaScript code are now stored in the emit, rather than being ignored. (CMPJS-742)
Added support for Oracle JDK 13. (COVP-2195)
Added support for OpenJDK 13. (COVP-2196)
Added support for .NET Core 3.1. (COVP-2207)
Corrected translation of initialization of a GNU vector with a brace-enclosed list containing a single GNU vector.
cov-emit assertion failure at "edg/src/templates.c", line 1620, has been eliminated.
Fixed an issue where Coverity didn't recognize the builtin prototype _mm512_set_epi16 for the Intel compiler on Linux.
Diagnostics in system headers are normally suppressed. In preprocessed and PCH files this was not happening. This has been corrected.
Fixed a problem with slow builds resulting from the processing of C++ Range Library.
The C++ dialect is now properly configured when compiling source as Objective-C++.
Fixed a bug where cov-build against icc 18.01 failed with the error message __gnuc_va_list is undefined.
Fixed an issue where the option --cygpath to the cov-emit command was not being honored.
A cov-emit issue, EXCEPTION_ACCESS_VIOLATION, was fixed.
A catastrophic compile error was fixed for the cov-emit command.
A number of bugs preventing Boost 1.68 from compiling on Solaris have been fixed.
Diagnostics in system headers are normally suppressed. In preprocessed and PCH files this was not happening. This has been corrected.
cov-emit assertion default rescan info (exprutil.c, line 4749 in get_expr_rescan_info) is eliminated.
An incremental build will now update the emit database based on the addition or modification of jar files in the classpath of a Java compilation, even if the source files being compiled have not changed.
Fixed a cov-run-desktop error when emitting JSP files and some of them failed to compile.
HTML files imported from JavaScript code via the NgTemplate loader are now emitted properly.
Files with .scss extension linked from JavaScript code are emitted as text and no longer produce spurious errors in an attempt to parse the SCSS code as JavaScript.
JSON files with .json extension linked from JavaScript code are emitted as text and no longer produce spurious errors in an attempt to parse the JSON code as JavaScript.
CSV output produced by Coverity analysis (callgraph-metrics.csv, checked-return.csv) can now be parsed by other tools.
cov-build --instrument has a known issue when running the xdcmake.exe tool of Visual Studio 2010 when launched from a 32-bit process on Windows 10. This will currently fail with a System.BadImageFormatException exception. To work around this issue you can do one of the following:
* Modify the build such that xdcmake.exe is run from a 64-bit process.
* Ignore the xdcmake.exe process by adding --capture-ignore xdcmake.exe to your cov-build invocation.
Casts of ISO/IEC TR 18037 fixed point types are incorrectly rejected in code compiled in C++ mode for Clang based compilers. This issue is known to affect the Synopsys MetaWare ccac compiler.
The new build system introduced in Xcode 10 is not supported with Clang compilers. See the section "Building projects that use Xcode 10's new build system" in the "Coverity Analysis User and Administrator Guide" for details on how to work around this issue.
The default charset for the Java 1.8 VM on Mac appears to be UTF-8 if a charset has not been explicitly set. The Coverity Java compiler does not emulate this behavior. Make sure to explicitly set the character encoding by setting a locale using the LANG or LC_CTYPE environment variables.
The JavaScript front end no longer supports nameless function statements. (Nameless function expressions are supported as before.) A function statement without a declared name is a syntax error according to the ECMAScript standard, but may be used in JavaScript source files with some frameworks.
Scala Macro Paradise compiler plugin can be incompatible between different Scala 2.12.x patch versions and might cause emit failures.
If Dynamic Analysis reports defects in classes that were compiled without debugging information, or classes that contain mangled information due to misbehaving code coverage or AOP tool, the defect report might contain nonsensical line numbers or file names.
Specifying certain combinations of the instrument-arrays, instrument-collections, detect-races, and detect-deadlocks options to the Dynamic Analysis agent causes unexpected behavior. In particular, Dynamic Analysis still reports races on arrays and collections according to the instrument-arrays and instrument-collections options when detect-races is false and detect-deadlocks is true. However, if both detect-races and detect-deadlocks are false, Dynamic Analysis reports races on neither collections nor arrays.
If you do not specify a class in the cov-start-da-broker classpath option, the corresponding source file isn't committed, even if the source file is present on the source path.
Support for Mercurial 3.1-3.2 has been EOL'd.
Support for git 1.8-2.1 has been EOL'd.
Support for Team Foundation Server 2012 has been deprecated.
Documentation was amended to replace illegible images in Korean with legible images in English.
The use of "--cs-coverage opencover" with Test Advisor may fail to capture any tests or coverage data on some versions of Windows if the user's account has Administrator permissions, .NET Framework 4.8 is installed, and user account control (UAC) is disabled. This can be worked around by manually registering the OpenCover profiler DLLs and passing "--cs-no-register-profiler" to your "cov-build --test-capture" invocation. This manual registration must be performed systemwide; your regsvr32 invocations must be run without the "/i:user" argument. For more details on this, see the documentation of cov-build's "--cs-no-register-profiler" switch in the Command Reference.
When using --java-coverage jacoco
, Test Advisor might consider lines that never run to completion, but instead always generate exceptions, to be uncovered.
cov-wizard might not emit Java successfully with the default version that is installed in Ubuntu 18.04. (See https://bugs.launchpad.net/ubuntu/+source/openjdk-lts/+bug/1796027.) To fix this issue, install a different version of Java and set it as the default Java version.
In the Coverity Wizard Policy Editor, the Link to Editor icon in the Outline View might be toggled as enabled, even though the editor is not actually linked with the Outline View. To enable outline linking, toggle the Link to Editor button to disabled, and back to enabled again.
Not all the Preference dialog text is translated into Japanese on the syntax coloring dialog.
In Coverity Wizard, after automatically configuring the compilers in the Configure Compilers screen, the status indicator for the Configure Compilers screen might not update from the exclamation mark icon to the check mark icon, which will appear as though the auto-configuration was unsuccessful. However, clicking anywhere in the Coverity Wizard window or changing pages will cause the indicator to update to the check mark icon.
The Guided Test Advisor Policy Creation Wizard uses Java regex validation instead of the Perl regex validation that Coverity Analysis Test Advisor uses. This should not cause any issues for most users, but if there is a difference, go to the more advanced Test Prioritization Policy Editor and Debugger to enter the proper regex.
The guided policy creation wizard Documentation link fails to open properly on Linux. Open the Coverity Wizard 2019.12 User Guide separately to view this documentation.
After upgrade, Coverity Wizard can sometimes give a ReferenceMap NullPointerException application error on startup. To work around this issue, delete the .orphan file in the <install_dir_sa>/jars/cwiz/configurations/org.eclipse.core.runtime folder.
When using a self-signed certificate, if the user chooses not to trust a certificate, they might be prompted multiple times (asking to trust the certificate). If a user does not want to trust a self-signed certificate, they should change their Coverity Connect server settings to avoid the prompts. But just keep pressing no (to not trust the certificate), to get through the multiple prompts.
Coverity Wizard now warns the user every time they select the Test Prioritization workflow, even if they did not first work with the regular analysis workflow. This can be safely ignored.
Using the Duplicate button for configuring compilers in Coverity Wizard does not work.
This section provides release notes for Coverity Desktop components.
Android Studio does not show the proper scope in the Issues view for local analysis. It just always says "External output file" currently when in local analysis mode.
Currently any source generated by Gradle Android projects will not be captured by the build process, and will be reported as "Uncaptured" by the IntelliJ and Android Studio IDEs. These files can be ignored by the "Uncaptured Source Files Dialog" or through the "File Exclusions" settings page. Auto-generated Gradle source files are captured when using Android Studio 3+.
Coverity markers in the editor gutter can sometimes be shown in duplicate with the IntelliJ/AndroidStudio Coverity Desktop plug-in.
Added support for Eclipse 2019.12 (4.14) (PRD-12040)
Added support for WindRiver 4.0. (PRD-12073)
For OSX 10.14 users with JDK-8136913 installed, using the hostname_regex in the coverity.conf file caused a 5 to 30 second delay. We've provided a workaround to fix this issue in our documentation.
Eclipse customers using Plastic SCM might see a failure during Analyze Modified Files, as Eclipse is unable to locate their cm executable file. This occurs when the cm.exe file is located in /usr/local/bin/ rather than /usr/bin/ and can be resolved by adding a link to the executable in /usr/bin/.
Added support for IntelliJ 2019.3 (PRD-11985)
Added support for PyCharm 2019.3 (PRD-11987)
Added support for PhpStorm 2019.3 (PRD-11988)
Added support for WebStorm 2019.3 (PRD-11989)
Added support for RubyMine 2019.3 (PRD-11990)
When using whole program checkers in IntelliJ, a warning about missing class files might be displayed in the console, which indicates missing class files with incorrect paths. Even if the paths do not seem correct, this should not affect analysis results.
For Coverity Connect users using the Japanese locale, the Apply button in the triage panel was disabled unless the Owner was changed. To work around this, the IDE locale should be the same as the user account locale on the Coverity Connect server. Since IntelliJ currently only supports English, the user account locale on Coverity Connect must be set to English as well.
Coverity Connect attributes and usernames in the Coverity Desktop plug-in are cached on start up, and not refreshed until IntelliJ is restarted. If you are missing a new username, or some other triage attribute, try restarting IntelliJ.
The Coverity Desktop plug-in does not currently work for the Alloy IDEA theme.
Android Studio does not show the proper scope in the Issues view for local analysis. It just always says "External output file" currently when in local analysis mode.
The triage view will not resize while the History section is expanded. Collapsing the history section will cause the view contents to resize.
Currently any source generated by Gradle Android projects will not be captured by the build process, and will be reported as "Uncaptured" by the IntelliJ and Android Studio IDEs. These files can be ignored by the "Uncaptured Source Files Dialog" or through the "File Exclusions" settings page. Auto-generated Gradle source files are captured when using Android Studio 3+.
Coverity markers in the editor gutter can sometimes be shown in duplicate with the IntelliJ/AndroidStudio Coverity Desktop plug-in.
This section provides release notes for Coverity Documentation components.
Reinserted three images that were missing from the Policy Manager section of the Coverity Platform User and Administration Guide.
Broken links have been fixed in the Upgrade Guide.
Table 3.3.4. (Exported component map JSON elements) of the Coverity Platform User and Administrator Guide previously indicated, incorrectly, that the <component> field could contain a <description> field. This is not true, and the row for that <description> field has been removed from the table.
Assertion "Tried to emit a multi-part diagnostic with no source location" has been eliminated.
Fixed a Swift compiler issue with bool
literals causing the compiler to abort.
Fixed an issue where Swift compiler was omitting symbols without storage.
Fixed a Swift compiler issue where an internal function being called was causing an assertion failure due to wrong return type.
Support for this version of Coverity will be discontinued 18 months after the 2019.12 release.
Due to a change in our bug tracking system, items might now be identified by two bug numbers:
* One specifying the identity of the bug in our old bug tracking system, formatted like this: XXXXXX. (For example, 374568.)
* One specifying the identity of the bug in our new bug tracking system, formatted like this: CODE-XXXXX. (For example, IM-22788.)
Support for the following products, features, platforms, and third-party tools is classified as deprecated or end-of-life as of the Coverity 2019.12 release.
Support for the following products and features is deprecated as of the Coverity 2019.12 release.
Table 33.1. Deprecated products

Product | See also... |
---|---|
target StarCore DSP version 3.0 and StarCore SDMA version 3.0 of Freescale Codewarrior | Supported Compilers: Coverity Analysis for C/C++ |
Intellij 2017.1 (Includes IntelliJ-based IDEs CLion, PhpStorm, PyCharm, RubyMine, WebStorm) | Supported Platforms for Coverity Analysis |
Perforce 2016.1 | Coverity Test Advisor Supported SCM Systems |
SVN 1.9 | Coverity Test Advisor Supported SCM Systems |
Version 6, 7, and 8 of the Web Services API | Supported frameworks for Coverity Analysis |
Support for the following products and features is dropped in the Coverity 2019.12 release.
Table 33.2. End-of-Life Products

Product | See also... |
---|---|
The --dot-coverity-location argument to the cov-capture command is no longer supported. | The .coverity directory resides directly under the intermediate directory and is renamed cov-capture. |
Eclipse 4.6 | Coverity Desktop for Eclipse on supported platforms |
MacOS 10.12 | This affects support for Coverity Analysis, all compilers, Coverity Desktop plugins, Extend SDK, FLEXnet licensing, Coverity Wizard, and Architecture Analysis. |
Microsoft Embedded C++ 4.0 | Supported Compilers: Coverity Analysis for C/C++ |
OpenJDK 12 | Supported Platforms for Coverity Analysis |
Oracle JDK 12 | Supported Platforms for Coverity Analysis |
Perforce 2015.2 | Coverity Test Advisor Supported SCM Systems |
Swift 4.2 | Supported Compilers: Coverity Analysis Swift |
Windows 7 for Cov_Wizard, and the Eclipse, IntelliJ, Android plugins. | Supported Platforms for Coverity Analysis |
This section provides release notes for Coverity Platform components.
Coverity Connect is a component of the Coverity® Platform installation package.
The following have been deprecated for Coverity Connect this release:
Version 6 of the Web Services API. (IM-24428)
Version 7 of the Web Services API. (COVDOCS-11)
Version 8 of the Web Services API. (COVDOCS-13)
The following new and changed features have been added for Coverity Connect this release:
A system administrator can use the new cov-archive command to export a stream, import a stream, or get information about an archive. (IM-23500)
NOTE: In some cases, importing a stream might take hours or days. This results from complex data and usually happens for archives larger than 200 MB. Performance might improve in a future release.
The following bugs are fixed for Coverity Connect:
Added the ability to provide event-driven triage notification.
Coverity Connect URL construction: added filtering by snapshots.
Fixed an issue that prevented cov-manage-im from showing an error description when used with the --ssl option.
Fixed an issue with Kerberos authentication: access would fail when a database was restored to a new host system.
Some anomalies in the way Coverity Connect displayed certain Coverity IDs (CIDs) have been fixed.
We fixed an issue that prevented Coverity Connect from loading and displaying triage information for certain defects.
In "Creating, copying, and deleting projects and streams", the User and Administrator Guide now correctly describes how Coverity Connect treats streams that have been designated Outdated.
Executing cov-admin-db upgrade-schema with an external database no longer fails.
A bug was fixed whereby deleted users still received email notifications.
Added information about supported Linux versions in table 7.1.1 of the Coverity Installation Guide.
Updated the documentation to include information about a url variable for static fields in Table 3.1.1 in the Coverity Platform User and Administrator Guide.
Fixed an issue in which the user wanted to see defects that are both older than a given date and newer than a given date.
Fixed an issue causing Coverity Connect to connect to the analysis update server even when the updates were disabled.
Fixed an issue with cov-analysis-win64-2019.03.exe in a Windows environment. When attempting to uninstall it, the process returned an error with the message that the GC overhead limit was exceeded.
Coverity Connect has the following known issues:
Downloading the binaries to update Java and/or PSQL for security fixes might fail on slow internet connections. Please make sure you have a fast internet connection and retry.
In order to use Coverity Connect with a mail server (https option) or Bugzilla (https option), and in some other cases, the user has to import certificates into cim/jre/lib/security/cacerts. After running the updater, all of these certificates are gone.
Changing the summary metric name on a coordinator causes the summary metric to disappear from all reports on subscribers. To work around this issue, add the new summary metric back into the reports on subscriber.
An error occurs when a custom role is created using a multi-word rolename that is the same as a built-in rolename, even if there are case differences between the two rolenames.
User and password information in coverity_config.xml does not override options specified on the command line.
Collisions might occur if triage data is deleted from a cluster (used for testing, for example), and then up-to-date triage data is imported from a production instance. This is because deleting triage stores does not delete related CIDs. It is recommended you rebuild the cluster from scratch using the production data.
In a cluster environment, deletion of triage data on the coordinator is not recommended unless it can be verified that there are no subscriber dependencies. Synchronization problems between subscribers and the coordinator might result.
The selected value is not displayed for a Coverity Connect field when using Chrome browser version 47.0.2526.80 on Windows 7.
Using a custom defect export handler script might on occasion create an error when attempting to export data to a bug tracking system.
To prevent database constraint violations on subscribers in a cluster, when a user is deleted, it is marked for deletion instead of being completely (hard) deleted. This status subsequently synchronizes across the cluster.
Internet Explorer 11 fails on operations using file upload.
Although the upgrade doc states that 32-bit to 64-bit in-place database format upgrades are not permitted, some will succeed, yielding valid results. Because in-place upgrade is preferable to backup-and-restore upgrade, we recommend that you try your upgrade in-place and, if it fails, fall back to backup-and-restore upgrade.
Even if the system has a large amount of available RAM, using Java 1.7.0_xx and older may cause Out of Memory errors. The workaround is to use the Java version shipped with Coverity Platform, or to specify a max heap setting for cov-im-daemon.
Due to a Red Hat Enterprise Linux issue (Bug 1484079), the Coverity Platform installer on CentOS 7 or RHEL v7.4 might fail due to an ArrayIndexOutOfBoundsException error and a stack trace indicating an error with fonts. This can be resolved by installing the dejavu-serif-fonts package.
For customers upgrading their Coverity Platform server from unsupported Coverity versions (such as version 5.x), we recommend that you upgrade to a supported intermediate version (such as 2018.03) before upgrading to 2018.06. We also recommend that you perform a backup of your data beforehand with the Upgrade Preparation feature.
All Coverity installers for Linux have a known issue related to missing fonts.
If you are installing a Coverity product on Linux from the command line, the installer might fail before asking for user input if the target system does not have access to the fonts required by the installer. Stack traces vary, but usually reference fonts. You can work around this issue by installing the fontconfig package.
For example, this command uses the apt-get package manager to install fontconfig:
apt-get install fontconfig
This command uses the yum package manager to install fontconfig:
yum install fontconfig
Coverity Policy Manager is a component of the Coverity® Platform installation package.
There are no deprecated or EOL items for 2019.12.
This section provides updates about Coverity Analysis components.
There have been several deprecations and EOLs this release:
Undeprecated (re-added) Coverity Analysis platform support for glibc 2.12–2.13.x. (CMPG-3157)
All support for macOS 10.12 is dropped as of 2019.12. (COVP-2103)
Coverity Analysis has the following new and changed features:
Support for NetBSD 8.1 has been added.
Support for FreeBSD 11.3 has been added.
The following sections describe new and updated features, bug fixes, and known issues for Coverity checkers and associated elements.
Added support for the M rules (Mx-x-x, where x is a literal number, for example M0-1-1) in the AUTOSAR C++14 compliance standard for Clang-based compilers. (SAT-32261)
The following table lists new checkers and the languages they support.
Checker | Languages |
---|---|
CONFIG.COOKIE_SIGNING_DISABLED | Java, JavaScript, TypeScript |
CONFIG.UNSAFE_SESSION_TIMEOUT | Java, JavaScript, TypeScript |
CORS_MISCONFIGURATION | JavaScript, TypeScript |
CORS_MISCONFIGURATION_AUDIT | JavaScript, TypeScript |
DISTRUSTED_DATA_DESERIALIZATION | Go |
EXPRESS_SESSION_UNSAFE_MEMORYSTORE | JavaScript, TypeScript |
EXPRESS_WINSTON_SENSITIVE_LOGGING | JavaScript, TypeScript |
REACT_DANGEROUS_INNERHTML | JavaScript, TypeScript |
REVERSE_TABNABBING | JavaScript, Ruby, TypeScript |
UNLESS_CASE_SENSITIVE_ROUTE_MATCHING | JavaScript, TypeScript |
The following table documents added language support for existing checkers.
Checkers | Languages |
---|---|
ANGULAR_EXPRESSION_INJECTION | TypeScript |
DEADCODE | Go |
DIVIDE_BY_ZERO | VB.NET |
HARDCODED_CREDENTIALS | Go |
HEADER_INJECTION | Go |
INFINITE_LOOP | Go, VB.NET |
INSECURE_COOKIE | JavaScript, TypeScript |
INSUFFICIENT_LOGGING | Go |
LOCK_EVASION | VB.NET |
NOSQL_QUERY_INJECTION | Go |
NULL_RETURNS | VB.NET |
OPEN_REDIRECT | Go |
OS_CMD_INJECTION | Go |
PATH_MANIPULATION | Go |
RISKY_CRYPTO | Go |
SENSITIVE_DATA_LEAK | Go |
SQLI | Go |
TAINTED_ENVIRONMENT_WITH_EXECUTION | Go |
TEMPLATE_INJECTION | Go |
URL_MANIPULATION | Go |
XML_EXTERNAL_ENTITY | Go |
XSS | Go |
New and changed checkers
The new option tainting_downcasts has been added to the TAINTED_SCALAR checker. If this option is set to true, the checker will treat casts from raw data (like char * or void* type) to certain struct types (for example, those that look like network packets) as a source of tainted data.
The LOOP_BOUND sink type for TAINTED_SCALAR has been replaced by LOOP_BOUND_LOWER and LOOP_BOUND_UPPER.
The TAINTED_SCALAR checker now reports on division by an untrusted scalar, as in such a case an attacker could potentially create a division by zero.
The USER_POINTER checker is now enabled when using the --security option to the cov-analyze command.
Setting aggressiveness-level to high now implies the --distrust-all option for the following C, C++ checkers: FORMAT_STRING_INJECTION, OS_CMD_INJECTION, PATH_MANIPULATION, SQLI, URL_MANIPULATION, XPATH_INJECTION. (C, C++)
The NULL_RETURNS checker will no longer report defects when the return value of an unimplemented function is never checked for null, even if statistical thresholds and biases, along with the allow_unimpl option, indicate it should be considered to return null. A new option, allow_unimpl_and_unchecked, will revert to the previous behavior.
Ruby security analysis now supports HAML version 5.
The DEADCODE checker now supports Go.
The INFINITE_LOOP checker now supports the Go language.
The SQLI checker can report untrusted data being passed into MyBatis queries with unescaped string substitution. This preview feature requires passing the option --enable-mybatis-sqli to the cov-analyze command. There might be a noticeable increase in analysis time if you enable this checker.
The new REVERSE_TABNABBING checker finds cases where a link is dynamically generated and is set to open a new window by virtue of its target attribute being set to _blank.
The SENSITIVE_DATA_LEAK checker now supports Go.
The RISKY_CRYPTO checker now supports Go.
The XML_EXTERNAL_ENTITY checker now supports Go.
The INSUFFICIENT_LOGGING checker reports a defect in code that handles a security event or error condition but does not properly log the event. It now supports Go.
The SQLI checker now supports Go.
The HEADER_INJECTION checker now supports Go.
The new DISTRUSTED_DATA_DESERIALIZATION Go checker reports an issue any time distrusted data is passed into a deserialization API.
Added analysis support for Java 12, in particular the new preview switch statement syntax and switch expression.
The typedefType pattern in the CodeXM C/C++ library has had some of its fields renamed to match other patterns (such as classType): alias is now mangledName; id is now identifier. Also, scopeList was added.
The classDefinition types in the CodeXM C/C++, Java and C# libraries now expose accessors to find base classes: findBaseClass and findMatchingBaseClass.
The DIVIDE_BY_ZERO checker now supports VB.NET.
The INFINITE_LOOP checker now supports VB.NET.
The NULL_RETURNS checker now supports VB.NET.
The LOCK_EVASION checker now supports VB.NET.
The new EXPRESS_SESSION_UNSAFE_MEMORYSTORE checker flags express-session instances where the store property is set to (express-session).MemoryStore in configuration or omitted (defaults to (express-session).MemoryStore).
The new CONFIG.COOKIE_SIGNING_DISABLED checker flags cookie-session instances where the signed property is set to false, disabling cookie signing.
The INSECURE_COOKIE checker now supports JavaScript and TypeScript.
The new UNLESS_CASE_SENSITIVE_ROUTE_MATCHING checker finds cases where the unless function is called in an Express application with a path parameter that includes a case-sensitive negative regular expression.
The new CONFIG.UNSAFE_SESSION_TIMEOUT checker finds issues with Java, JavaScript, and TypeScript code in which sessions are unlimited or are timing out after an excessive amount of time.
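As an added illustration (not Coverity's code and not the checkers' implementation), the configuration patterns named above for EXPRESS_SESSION_UNSAFE_MEMORYSTORE, CONFIG.COOKIE_SIGNING_DISABLED, INSECURE_COOKIE and CONFIG.UNSAFE_SESSION_TIMEOUT, shown as weak and corrected express-session and cookie-session option objects with a small offline audit over them. The MemoryStore and PersistentStore stand-ins, the finding names and the 12-hour lifetime threshold are this example's own assumptions.

```javascript
// Added example, not Coverity's code: weak vs. corrected express-session and
// cookie-session configurations, plus a small audit over plain option objects.

// Stand-in for require('express-session').MemoryStore so the file runs without
// the package installed. In a real app this is the class the checker flags.
class MemoryStore {}

// Stand-in for a persistent store (connect-redis, connect-pg-simple, ...).
class PersistentStore {}

// Longest session lifetime this audit accepts (assumption: 12 hours).
const MAX_SESSION_MS = 12 * 60 * 60 * 1000;

// Audit an express-session options object and return the list of findings.
function auditExpressSession(opts) {
  const findings = [];
  // Omitting store is equivalent to setting it to MemoryStore explicitly:
  // sessions live in the process heap, vanish on restart and grow unbounded.
  if (opts.store === undefined || opts.store instanceof MemoryStore) {
    findings.push('memory-store');
  }
  const cookie = opts.cookie || {};
  // Without secure: true the session cookie is also sent over plain HTTP.
  if (cookie.secure !== true) findings.push('cookie-not-secure');
  // No maxAge means the store has no expiry to enforce; a very long one is
  // treated the same way.
  if (!Number.isFinite(cookie.maxAge) || cookie.maxAge > MAX_SESSION_MS) {
    findings.push('session-lifetime');
  }
  return findings;
}

// Audit a cookie-session options object. cookie-session signs by default;
// only an explicit signed: false turns signing off.
function auditCookieSession(opts) {
  return opts.signed === false ? ['cookie-signing-disabled'] : [];
}

// Constructed sample configurations: the weak form beside the corrected form.
const weakSession = {
  secret: 'example-secret', // constructed placeholder
  resave: false,
  saveUninitialized: false,
  // store omitted -> MemoryStore; no cookie options -> not secure, no expiry
};

const hardenedSession = {
  secret: 'example-secret', // constructed placeholder
  resave: false,
  saveUninitialized: false,
  store: new PersistentStore(),
  cookie: { secure: true, httpOnly: true, sameSite: 'lax', maxAge: 30 * 60 * 1000 },
};

const weakCookieSession = { name: 'session', keys: ['example-key-1'], signed: false };
const hardenedCookieSession = { name: 'session', keys: ['example-key-1'] };

// Run the audit over all four samples and return a compact report.
function report() {
  return {
    weakSession: auditExpressSession(weakSession),
    hardenedSession: auditExpressSession(hardenedSession),
    weakCookieSession: auditCookieSession(weakCookieSession),
    hardenedCookieSession: auditCookieSession(hardenedCookieSession),
  };
}

console.log(JSON.stringify(report(), null, 2));
```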
The new REACT_DANGEROUS_INNERHTML checker finds cases where the dangerouslySetInnerHTML attribute of a React element is set.
Added models for the boost circular buffer.
Added C/C++ models for the Xerces API to detect PATH_MANIPULATION defects.
Added models for the boost filesystem library.
The ANGULAR_EXPRESSION_INJECTION checker now supports TypeScript.
Added support for the OpenSSL low-level cryptographic APIs to RISKY_CRYPTO.
Added models for the Boost.Heap library.
Added C/C++ models for the Boost.beast API to detect PATH_MANIPULATION defects.
Added models for the C/C++ API of the Miniz library.
The checker REACT_DYNAMIC_URL_INSECURE_TARGET has been renamed REVERSE_TABNABBING.
Added models for the Boost Iostreams library.
Added models for the Boost Asio library.
Added models for the libfetch library.
The NOSQL_QUERY_INJECTION checker now supports Go.
The PATH_MANIPULATION checker now supports Go.
The TAINTED_ENVIRONMENT_WITH_EXECUTION checker now supports Go.
The TEMPLATE_INJECTION checker now supports Go.
The URL_MANIPULATION checker now supports Go.
The HARDCODED_CREDENTIALS checker now supports Go.
The OPEN_REDIRECT checker now supports Go.
The OS_CMD_INJECTION checker now supports Go.
The XSS checker now supports Go.
The new CORS_MISCONFIGURATION checker finds insecure configurations of the Cross Origin Resource Sharing (CORS) policy, which uses additional HTTP headers to allow an application running at one origin to access selected resources from a different origin.
The new CORS_MISCONFIGURATION_AUDIT checker finds insecure configurations of the Cross Origin Resource Sharing (CORS) policy, which uses additional HTTP headers to allow an application running at one origin to access selected resources from a different origin. The checker reports different types of problematic issues in the CORS configuration that need to be audited (compared to CORS_MISCONFIGURATION) based on the language of the application and the frameworks or libraries used.
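As an added illustration (not Coverity's code), the kind of insecure CORS configuration the two CORS checkers above describe: a policy that reflects any request Origin with credentials, beside an allowlist policy, with a check over the response headers each one produces. The allowlist, the request objects and the finding names are constructed for this example.

```javascript
// Added example, not Coverity's code: an origin-reflecting CORS policy beside
// an allowlist policy, and a classifier for the headers each one emits.

const ALLOWED_ORIGINS = new Set(['https://app.example.test']); // constructed allowlist

// Insecure policy: echoes whatever Origin the client sent and also allows
// credentials, so any site can make authenticated cross-origin requests.
function corsReflectAnyOrigin(req) {
  return {
    'Access-Control-Allow-Origin': req.headers.origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened policy: only allowlisted origins are echoed back; Vary: Origin keeps
// caches from serving one origin's response to another.
function corsAllowlist(req) {
  const origin = req.headers.origin;
  if (!ALLOWED_ORIGINS.has(origin)) return {}; // no CORS headers -> browser denies access
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Inspect the headers a policy produced for a request and name the problem, if any.
function classifyCorsResponse(req, headers) {
  const allow = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  if (allow === undefined) return 'no-cors';
  // A wildcard together with credentials is both invalid and a sign of a
  // misconfigured policy; a bare wildcard is only acceptable for public data.
  if (allow === '*') return creds ? 'wildcard-with-credentials' : 'wildcard';
  // Allowing the literal "null" origin admits sandboxed iframes and file: pages.
  if (allow === 'null') return 'null-origin-allowed';
  // An origin that is not on the allowlist yet matches the request is reflection.
  if (!ALLOWED_ORIGINS.has(allow) && allow === req.headers.origin) {
    return creds ? 'reflected-origin-with-credentials' : 'reflected-origin';
  }
  return 'ok';
}

// Run both policies against an allowlisted origin and an unknown one.
function evaluatePolicies() {
  const trusted = { headers: { origin: 'https://app.example.test' } };   // constructed
  const untrusted = { headers: { origin: 'https://other.example.test' } }; // constructed
  const results = {};
  for (const [name, policy] of Object.entries({ corsReflectAnyOrigin, corsAllowlist })) {
    results[name] = {
      trusted: classifyCorsResponse(trusted, policy(trusted)),
      untrusted: classifyCorsResponse(untrusted, policy(untrusted)),
    };
  }
  return results;
}

console.log(JSON.stringify(evaluatePolicies(), null, 2));
```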
The new EXPRESS_WINSTON_SENSITIVE_LOGGING
checker
finds several cases where sensitive data is automatically logged by the
middleware component of express-winston
.
Added support for the M rules (Mx-x-x, where x is literal number, for example M0-1-1) in AUTOSAR C++14 compliance standard for Clang-based compilers.
Added support for the MISRA C++-2008 compliance standard for Clang-based compilers.
Language coverage for options for SQLI has been updated.
Language coverage for options for SCRIPT_CODE_INJECTION has been updated.
Language coverage for options for PATH_MANIPULATION has been updated.
The following checker-related bugs have been fixed for this release.
Fixed a false negative of MISRA C-2012 Rule 3.2 about CRLF at the end of a comment line.
Fixed an INTEGER_OVERFLOW false positive related to the getenv family of functions.
Improved detection of tainted scalars used in loop bounds by the TAINTED_SCALAR checker.
Fixed a class of TAINTED_SCALAR false positives where the bounds of the scalar are checked by a called function.
Fixed a source of USER_POINTER false positives where calls to copy_from_user were incorrectly reported when a user pointer was correctly passed as the from argument.
Fixed complexity metric calculation for declaration statements containing conditional expressions.
The NULL_RETURNS checker will no longer report defects when the return value of an unimplemented function is never checked for null, even if statistical thresholds and biases, along with the allow_unimpl option, indicate it should be considered to return null. A new option, allow_unimpl_and_unchecked, will revert to the previous behavior.
Many Coverity checkers now support the Go language. See Chapter 3 of the Coverity Checkers Reference Guide for a complete list.
Fixed a TAINTED_SCALAR false positive where a scalar was sanitized by an equality check.
Fixed a source of false positives when using org.junit.Assert.assertThat().
Improved the UNINIT checker to report defects on arguments to printf-style functions.
Fixed a source of OVERRUN false positives with functions accessing buffers in blocks.
Improved support for the Go select statement.
Improved handling of function literals in the Go language.
Changed wording in the HIS metrics report to more clearly indicate the number of HIS violations.
The BUFFER_SIZE checker no longer reports on calls to memset. The reports were confusing, and OVERRUN reports the same defects in a clearer way.
Fixed a source of FORWARD_NULL false positives when calling the getcwd function on platforms where it allows NULL for the first parameter.
Fixed a source of OVERRUN false positives when reading from the address of a function.
Fixed a TAINTED_SCALAR false positive that involved an unsigned character used as an offset for a pointer to a 256-byte block of memory.
Fixed RISKY_CRYPTO false negatives when using SHA and SHA2 related APIs in the OpenSSL library.
Fixed a source of OVERRUN false positives when calling some functions that iterate over a NUL-terminated string and a fixed-size buffer, such as custom implementations of strncpy.
Broken links in the Coverity Checker Reference Guide have now been fixed.
Broken links to CodeXM documentation have now been fixed.
Fixed a problem where the PROPERTY_MIXUP checker was delaying completion of cov-analyze.
Fixed a bug that affected the default trust settings for taint sources in the FORMAT_STRING_INJECTION checker.
Updated documentation to specify the correct way of enabling the INTEGER_OVERFLOW checker.
An appendix describing new checkers and added language support for checkers in each release has been restored to the Checker Reference Guide.
Fixed broken links related to CodeXM documentation.
The sample code in the "Quick start tutorial" section of Learning to Write CodeXM Checkers has been corrected.
Bouncy Castle is now detected by the RISKY_CRYPTO checker if custom functions from Bouncy Castle are used.
Documentation for the STACK_USE checker has been updated with an example that recognizes the default values of max_total_use_bytes and max_single_base_use_bytes.
Fixed an analysis crash with message "Cannot call toString on this lock name", in particular with Android GuardedBy annotations.
Added support for std::shared_mutex; its absence was affecting the LOCK checker and also other concurrency checkers: MISSING_LOCK, LOCK_INVERSION.
Fixed a BUFFER_SIZE false positive where the defect would claim that an array had 0 elements and was overrun in a call to strncat.
Fixed a false positive for the UNINIT checker involving nested loops.
Fixed a false positive of AUTOSAR C++14 M3-4-1 with a range-based for loop.
Fixed a source of false positives when using the NULL_RETURNS null_fields_config option.
Fixed a cov-analyze crash due to handling the class_like_print_writer_for_servlet_output directive.
Fixed a false positive of MISRA C-2012 Rule 8.7 where static const was incorrectly claimed as external linkage.
Fixed a source of DELETE_ARRAY false positives when using new(void *).
The checker option no_dead_default for the DEADCODE checker is now documented.
Fixed a problem that could cause analysis or commit crashes when source files used some unsupported character encodings, such as x-IBM33722. Now the files are interpreted as ASCII instead.
Fixed a bug where cov-analyze JavaScript security checkers were reporting defects from JavaScript minified code in the non-minified code that called it, when the --report-in-minified-js option was not specified.
Fixed a recoverable error when the SENSITIVE_DATA_LEAK checker is run with --enable-audit-mode.
Improved the implementation of CERT ENV30-C to not report defects where the referenced objects were not modified.
Fixed a false positive of MISRA C++-2008 Rule 5-2-8 when using NULL as a null-pointer constant on 64-bit platforms.
Fixed a false positive of CERT EXP34-C about unimplemented functions that never return null.
Fixed a false positive of CERT INT30-C where a variable of unsigned type had UINT64_MAX subtracted from it.
Fixed a false positive of CERT ERR33-C about an unrecognized errno macro.
Fixed a false positive of CERT INT31-C where a smaller unsigned type was cast to a wider unsigned type after integer promotion.
Fixed false positives of MISRA C-2012 Rule 9.3 where an array's initializer consisted only of designated initializers.
Fixed a false positive of CERT STR34-C when using the char type for non-character data.
Fixed a false positive of CERT ARR37-C when accessing an array member of a struct.
Fixed a false positive of MISRA C++-2008 Rule 6-4-6 where all the enumerators were listed in case labels.
Fixed false positives of AUTOSAR C++14 A5-1-1 where boolean literals or nullptr were used.
Fixed false positives of CERT INT34-C where integer literals were used as operands of shift operators.
Fixed a false positive of CERT FIO32-C when opening a regular file.
Fixed a false positive of CERT EXP37-C about compatible type conversion.
Fixed a false positive of CERT INT32-C related to subtraction overflow of a signed 64-bit type.
Fixed a false positive in MISRA C-2004 Rule 6.1 about an enum type when the option --short_enums was used.
Fixed a false positive in MISRA C-2004 Rule 19.4 about the header inclusion guard macro.
Fixed a false positive of MISRA C++-2008 Rule 6-6-1 where goto was placed in a statement expression.
Fixed a false negative in MISRA C++-2008 Rule 17-0-5 on the Windows platform.
The following known issues and solutions have been identified for this release.
When using buildless capture with JavaScript projects, in some cases analysis might yield a large number of false positives for the EXPLICIT_THIS_EXPECTED checker. In such cases, we recommend disabling this checker using the --disable EXPLICIT_THIS_EXPECTED option for the cov-analyze command.
The XSS checker can report multiple occurrences of the same local defect under certain circumstances.
Churn for the preview INTEGER_OVERFLOW checker might be higher in this release compared to churn for other checkers.
This section lists new features, bug fixes, and known issues related to Coverity-supported compilers (including configuration), and the Compiler Integration Toolkit (CIT).
There were several deprecations and EOLs for this release:
The --dot-coverity-location argument to the cov-capture command is no longer supported. For a better debugging experience, the .coverity directory now resides directly under the intermediate directory and is renamed cov-capture. (BLC-899)
Support for the Microsoft Embedded C++ 4.0 compiler has been dropped. (CMPG-3084)
Support for the target StarCore DSP version 3.0 and StarCore SDMA version 3.0 of Freescale Codewarrior compilers is deprecated and will be removed in a future release. (CMPG-3143)
Coverity Analysis support for Swift 4.2 is dropped. (CMPG-3168)
All support for macOS 10.12 is dropped. (COVP-2103)
Support for OpenJDK 12 is dropped. (COVP-2179)
Support for Oracle JDK 12 is dropped. (COVP-2181)
The following features have been added or changed for this release.
The --delete-stale-tus option has been added to the cov-capture command. This option automatically deletes translation units that were created from source files that have since been renamed or removed. This capability is off by default.
The --dot-coverity-location argument to the cov-capture command is no longer supported. For a better debugging experience, the .coverity directory now resides directly under the intermediate directory and is renamed cov-capture.
For the cov-capture command, the --dir <idir> argument is no longer optional; it is required.
If any JVM language has been configured with cov-configure, cov-build will now automatically disable the Gradle daemon. It is no longer necessary for the user to pass --no-daemon.
If any JVM language has been configured with cov-configure, cov-build will now automatically disable the Gradle build cache. It is no longer necessary for the user to pass --no-build-cache.
Added support for Freescale Codewarrior StarCore C++ Compiler v10.9 on Windows.
Added support for the CrossWorks for MSP430 version 3.1.1 compiler on Windows.
Added support for the TI TMS320C6x version 8.3.1 compiler on Linux.
Added support for Go 1.12.
Added support for the Clang 9 compiler.
Added support for TypeScript 3.3.
Added support for XCODE 10.2.1.
Added support for Swift 5.0.
The following bugs were fixed for compilers and the Compiler Integration Toolkit (CIT) for Coverity Analysis in 2019.12:
Buildless capture fallback will now capture sources for all modules in multi-module Maven projects.
Fixed a bug where cov-capture could fail due to not being able to retrieve dependencies that would have been built by the captured Maven project.
Running cov-capture within a terminal emulator or other job-managing context on Windows 7 no longer leads to memory exhaustion and crashing.
Fixed an assertion failure in libcapture that could cause programs run under cov-build to fail on Unix. This failure would result in the following message being written to the build log:
capture-unix.c: assertion failed: s
Fixed a bug for catastrophic signal: C0000005 (EXCEPTION_ACCESS_VIOLATION) : tried to read from addr 0x0000000000000000.
A new error recovery mode has been implemented in cov-emit which addresses crashes caused by the back end encountering an error node. This new mode can be enabled by adding --no_error_recovery_walk to the cov-emit command line.
Fixed a crash in cov-emit involving nested generic lambdas.
Fixed a spurious PW.BAD_FRIEND_DECL warning produced by cov-emit for some cases involving member classes of class templates.
Fixed an issue in cov-emit where the front end sometimes failed to constant-evaluate a constexpr constructor call, producing spurious errors about accessing expired storage.
Fixed an issue that caused Clang's -Wno-c++11-narrowing option to be ignored, resulting in unexpected translation failures.
Fixed an issue where the cov-configure sanity test failed with ecomarm.
Fixed an issue where some encoding options were not handled for the MSVC compiler.
An invalid nontype template argument error with a using declaration has been eliminated.
Allow __builtin_expect in a constexpr initializer.
Fixed an issue affecting gcc and Synopsys MetaWare hcac and mcc compilers that resulted in spurious "fixed-point constant is out of range" errors for valid ISO/IEC TR 18037 fixed point literals.
Failure to find files specified on the build command line no longer causes cov-run-desktop to exit with a successful exit code.
Fixed an issue causing incorrect PW.BAD_MACRO_REDEF reports on macros such as __TIME__ and __DATE__ when using Microsoft Visual Studio.
Fixed a crash in cov-emit that could occur when processing some large, complex macro expansions.
Fixed the Clang CIT configuration to recognize variants of the -flto option that accept an = attached operand, such as -flto=thin. Previously, such options were discarded, resulting in errors when options that require LTO, such as -fwhole-program-vtables, were passed.
Fixed an issue that caused Clang's -Wno-register option to be ignored, resulting in unexpected translation failures.
Fixed a crash in the C++17 MSVC compiler configuration with templates with pure virtual functions.
Fixed an issue in which cov-translate died by signal 6.
Fixed a crash in cov-emit on use of enum class in a generic lambda parameter in Microsoft emulation mode.
When parsing C# code, using a Windows network path would cause cov-emit-cs to crash. This has been fixed.
Updated information in Table 7.2.19 of the Coverity Installation Guide about supported compilers for Scala.
Build capture now correctly handles the sourcepath compiler switch for Scala.
When using the optionstrict option with the Visual Basic Compiler, cov-build would neglect to emit some files. This resulted in too few defects being detected. The cov-build command now handles this option correctly.
The following known issues and solutions have been identified for this release.
Casts of ISO/IEC TR 18037 fixed point types are incorrectly rejected in code compiled in C++ mode for Clang based compilers. This issue is known to affect the Synopsys MetaWare ccac compiler.
The new build system introduced in Xcode 10 is not supported with Clang compilers. See the section "Building projects that use Xcode 10's new build system" in the Coverity Analysis User and Administrator Guide for details on how to work around this issue.
Clang-based compilers do not support pragma methods of annotating deviations and suppressing false positives.
cov-build --instrument has a known issue when running the xdcmake.exe tool of Visual Studio 2010 when launched from a 32-bit process on Windows 10. This will currently fail with a System.BadImageFormatException exception. To work around this issue you can do one of the following:
Modify the build such that xdcmake.exe is run from a 64-bit process.
Ignore the xdcmake.exe process by adding --capture-ignore xdcmake.exe to your cov-build invocation.
The Scala Macro Paradise compiler plugin can be incompatible between different Scala 2.12.x patch versions and might cause emit failures.
The default charset for the Java 1.8 VM on Mac appears to be UTF-8 if a charset has not been explicitly set. The Coverity Java compiler does not emulate this behavior. Make sure to explicitly set the character encoding by setting a locale using the LANG or LC_CTYPE environment variables.
The JavaScript front end no longer supports nameless function statements. (Nameless function expressions are supported as before.) A function statement without a declared name is a syntax error according to the ECMAScript standard, but may be used in JavaScript source files used with some frameworks.
The following sections provide information about new and updated commands relating to the build and capture process, analysis, and commands related to Test Advisor.
This section provides updates about cov-build and related commands, including capture, emit, and translate commands.
No new and changed features were added for commands related to the build and capture process in 2019.12.
The following bugs were fixed for build and capture-related commands (including emit and translate commands) in 2019.12:
Fixed an error for cov-analyze failing with a WUR error for GNERIC_STATS.7866.
Fixed an issue in which the cov-commit-defects command hangs for a C++ file with very long function names.
Fixed complexity metric calculation for declaration statements containing conditional expressions.
Corrected the documentation to specify the correct option name: --android-security, not --android.
Fixed a cov-analyze crash due to handling the class_like_print_writer_for_servlet_output directive.
Build-related commands have the following known issues and solutions:
If you have KB2919355 (http://support.microsoft.com/kb/2919355) installed on a Windows 2012 system, you might encounter the build hanging under cov-build if MSBuild is used. When this hang occurs, the process tree will show MSBuild still running under cov-build, even though there will be no output or progress from MSBuild.
To work around this issue, you can either:
Uninstall KB2919355
OR
Add the --instrument flag to your cov-build invocation:
> cov-build --dir dir --instrument msbuild ..
On Windows, when preprocessing a file with cov-emit to the Windows console, cov-emit might fail with a catastrophic error if the character encoding of the preprocessed output is not compatible with the console encoding.
This error can be avoided by redirecting the preprocessed output to a file.
Running cov-emit-java to emit a web application (with --war --findears or similar) might fail if the number of JAR files in its classpath (including those found with --findjars) exceeds the operating system's per-process file limit. To work around this case, either increase the per-process open file limit or remove unnecessary JARs from the classpath.
If you receive the following error message when using cov-build, you can work around this issue by using the --instrument option.
Error message:
[WARNING] Compilations that use 32-bit Java tools running on 64-bit Windows were detected during this build. Such compilations are not supported at the moment; analysis might be incomplete or invalid because of that.
Workaround:
> cov-build --dir t1 --instrument ant
This section lists new features, bug fixes, and known issues for cov-analyze and related commands.
There were no new features added or changed for commands related to the analysis process in 2019.12.
The following bugs were fixed for analysis-related commands in 2019.12.
The arguments to --webapp-security-config are now properly propagated from central analysis to desktop analysis.
The index page produced by cov-format-errors in HTML mode now includes the line number for each defect.
Fixed an issue that could cause commands to fail with message "ASN CA path length larger than signer error" with self-signed root certificates.
Fixed an analysis crash with message "Can't print taint location" .
Fixed an issue that could cause the analysis to run out of memory when a lot of text files were captured.
There were no new features for Test Advisor in 2019.12.
This section lists new features, bug fixes, and known issues related to Coverity Wizard.
All support for macOS 10.12 is dropped as of 2019.12. (COVP-2103)
Support for Windows 7 has been dropped in this release. (PRD-11914)
We are changing how we document the minimum supported platform for CovWizard: the minimum version is 64-bit Linux that can run OpenJRE 1.8 and Eclipse 4.4. (PRD-11977)
Coverity Wizard has the following new and changed features in 2019.12.
Documentation for Coverity Wizard has been updated to reflect GUI changes related to buildless capture. (PRD-11995)
Coverity Wizard has the following known issues in version 2019.12:
cov-wizard might not successfully emit Java with the default version that is installed in Ubuntu 18.04. (For more information, see https://bugs.launchpad.net/ubuntu/+source/openjdk-lts/+bug/1796027.)
To fix this issue, install a different version of Java and set it as the default Java version.
Using the 'Duplicate' button for configuring compilers in Coverity Wizard does not work.
Coverity Wizard now warns the user every time they select the 'Test Prioritization' workflow, even if they did not first work with the regular analysis workflow. This can be safely ignored.
When using a self-signed certificate, if the user chooses not to trust the certificate, they might be prompted multiple times in a row to trust it. If a user does not want to trust a self-signed certificate, they should change their Coverity Connect server settings to avoid the prompts. Otherwise, keep pressing 'no' to decline the certificate until the prompts stop.
After upgrade, Coverity Wizard can sometimes give a ReferenceMap NullPointerException application error on startup. To work around this issue, delete the .orphan file in the <install_dir_sa>/jars/cwiz/configurations/org.eclipse.core.runtime folder.
When in the Test Prioritization workflow, on the View Results page, clicking the button might not work for some older Linux distributions.
The guided policy creation wizard "Documentation" link fails to open properly on Linux. Open the Coverity Wizard 2020.12 User Guide separately to view this documentation.
The Guided Test Advisor Policy Creation Wizard uses Java regex validation instead of the Perl regex validation that Coverity Analysis Test Advisor uses. This should not cause any issues for most users, but if there is a difference, go to the more advanced Test Prioritization Policy Editor and Debugger to enter the proper regex.
In Coverity Wizard, after automatically configuring the compilers in the screen, the status indicator for the screen might not update from the exclamation mark icon to the check mark icon, which will appear as though the auto-configuration was unsuccessful. However, clicking anywhere in the Coverity Wizard window or changing pages will cause the indicator to update to the check mark icon.
Not all the Preference dialog text is translated into Japanese on the syntax coloring dialog.
In the Coverity Wizard Policy Editor, the 'Link to Editor' icon in the Outline View might be toggled as enabled, even though the editor is not actually linked with the Outline View.
To enable outline linking, toggle the 'Link to Editor' button to disabled, and back to enabled again.
Coverity Test Advisor is a component of the Coverity Analysis installation package.
The following support has been dropped or deprecated in this release:
SCM support for Perforce 2016.1 has been deprecated. (COVP-2165)
SCM support for Perforce 2015.2 has been dropped. (COVP-2166)
Support for SVN 1.9 is deprecated as of 2019.09 and will be removed in a future release. (TADE-2016)
Test Advisor has the following new or changed features in 2019.12.
SCM support for Perforce 2019.1 has been added.
SCM support for SVN 1.10 - 1.12 has been added.
SCM support for Mercurial 4.6–5.1 has been added.
Test Advisor has the following known issues and solutions in 2019.12:
The use of --cs-coverage opencover with Test Advisor might fail to capture any tests or coverage data on some versions of Windows if the user's account has Administrator permissions, .NET Framework 4.8 is installed, and user account control (UAC) is disabled. You can work around this issue by manually registering the OpenCover profiler DLLs and passing --cs-no-register-profiler to your cov-build --test-capture invocation. This manual registration must be performed systemwide; your regsvr32 invocations must be run without the /i:user argument.
For more details on this, see the documentation of cov-build's --cs-no-register-profiler switch in the Command Reference.
Dynamic Analysis is a component of the Coverity® Analysis installation package.
Dynamic Analysis has no new and changed features in 2019.12.
Dynamic Analysis has the following known issues and solutions in 2019.12:
If Dynamic Analysis reports defects in classes that were compiled without debugging information, or contain mangled information due to misbehaving code coverage or AOP tool, the defect report might contain nonsensical line numbers or file names.
Specifying certain combinations of the instrument-arrays, instrument-collections, detect-races, and detect-deadlocks options to the Dynamic Analysis agent causes unexpected behavior. In particular, Dynamic Analysis still reports races on arrays and collections according to the instrument-arrays and instrument-collections options when detect-races is false and detect-deadlocks is true. However, if both detect-races and detect-deadlocks are false, then Dynamic Analysis reports races on neither collections nor arrays.
If you do not specify a class in the cov-start-da-broker classpath option, the corresponding source file isn't committed, even if the source file is present on the source path.
Coverity Architecture Analysis is a component of the Coverity Analysis installation package.
Architecture Analysis has the following EOL and deprecated items in 2019.12:
All support for macOS 10.12 is dropped as of 2019.12. (COVP-2103)
Coverity® Extend Software Development Kit is a component of the Coverity® Analysis installation package.
The Coverity Desktop plug-in is available for various platforms from the Coverity Connect Downloads menu.
The following products have been deprecated or dropped for this release.
Support for MacOSX 10.12 has been dropped in this release. (PRD-11850)
Support for JDK 12 has been dropped in this release. (PRD-11852)
Support for Windows 7 has been dropped in this release. (PRD-11914)
The IBM RTC plugin has been replaced with the Eclipse plugin.
Starting from 2019.09, when upgrading the IBM RTC plugin, the user might encounter a screen that prompts for evaluating the changes to be applied before continuing. This includes renaming the plugin feature from com.coverity.desktop.java.ibm.feature.feature.group to com.coverity.desktop.java.feature.feature.group. This is expected and the user should accept applying these changes and continue with the installation. (PRD-11952, PRD-12001)
All support for macOS 10.12 is dropped as of 2019.12. (COVP-2103)
The following new and changed features, bug fixes, and known issues were included in this release.
Coverity Desktop for Android Studio has the following new and changed feature in 2019.12:
Support for Android Studio 3.5 has been added in this release.
The following new and changed features, bug fixes, and known issues were included in this release.
Support for MacOSX 10.12 has been dropped in this release. (PRD-11850)
Support for JDK 12 has been dropped in this release. (PRD-11852)
Support for Windows 7 has been dropped in this release. (PRD-11914)
The IBM RTC plugin has been replaced with the Eclipse plugin.
Starting from 2019.09, when upgrading the IBM RTC plugin, the user might encounter a screen that prompts for evaluating the changes to be applied before continuing. This includes renaming the plugin feature from com.coverity.desktop.java.ibm.feature.feature.group to com.coverity.desktop.java.feature.feature.group. This is expected and the user should accept applying these changes and continue with the installation. (PRD-11952, PRD-12001)
Support for Eclipse 4.6 has been dropped in this release. (PRD-11984)
Coverity Desktop for Eclipse has the following new and changed features in 2019.12:
Support for Eclipse 4.13 has been added in this release.
The following bugs were fixed for Coverity Desktop for Eclipse in 2019.12.
Fixed a java.lang.StackOverflowError issue.
Coverity Desktop for Eclipse has the following known issues in version 2019.12:
For macOS 10.14 users with JDK-8136913 installed, using the hostname_regex in the coverity.conf file causes a 5 to 30 second delay. We've provided a workaround to fix this issue in our documentation.
Eclipse customers using Plastic SCM might see a failure during cm.exe file is located in /usr/local/bin/ rather than /usr/bin/ and can be resolved by adding a link to the executable in /usr/bin/.
The following new and changed features, bug fixes, and known issues were included in this release.
Coverity Desktop for Microsoft Visual Studio has no new and changed features in 2019.12.
Coverity Desktop for Microsoft Visual Studio has the following bug fixes in 2019.12.
The Coverity VS Extension now properly validates the configured server URL.
The following new and changed features, bug fixes, and known issues were included in this release.
The following support has been deprecated or dropped for this release:
Support for MacOSX 10.12 has been dropped in this release. (PRD-11850)
Support for JDK 12 has been dropped in this release. (PRD-11852)
Support for Windows 7 has been dropped in this release. (PRD-11914)
Support for IntelliJ 2017.1 has been deprecated in this release. (PRD-11998)
Coverity Desktop for IntelliJ IDEA has the following new and changed feature(s) in 2019.12:
Support has been added for CLion 2019.2, PyCharm 2019.2, IntelliJ 2019.2, PhpStorm 2019.2, RubyMine 2019.2.
Coverity Desktop for IntelliJ IDEA has the following known issues in version 2019.12:
Coverity Connect attributes and usernames in the Coverity Desktop plug-in are cached on start up, and not refreshed until IntelliJ is restarted. If you are missing a new username, or some other triage attribute, try restarting IntelliJ.
The Coverity Desktop plug-in does not currently work for the Alloy IDEA theme.
Android Studio does not show the proper 'scope' in the Issues view for local analysis. It just always says "External output file" currently when in local analysis mode.
The triage view will not resize while the History section is expanded. Collapsing the history section will cause the view contents to resize.
Coverity markers in the editor gutter can sometimes be shown in duplicate with the IntelliJ/Android Studio Coverity Desktop plug-in.
Currently any source generated by Gradle Android projects will not be captured by the build process, and will be reported as "Uncaptured" by the IntelliJ and Android Studio IDEs. These files can be ignored by the "Uncaptured Source Files Dialog" or through the "File Exclusions" settings page.
When using whole program checkers in IntelliJ, a warning about missing class files might be seen in the console, which indicates missing class files with incorrect paths. Even if the paths do not seem correct, this should not affect analysis results.
For Coverity Connect users using the Japanese locale, the button in the triage panel was disabled unless the Owner was changed. To work around this, the IDE locale should be the same as the user account locale on the Coverity Connect server. Since IntelliJ currently only supports English, the user account locale on Coverity Connect must be set to English as well.
The Coverity Report Generators' installer can be downloaded from the downloads page in Coverity Connect.
Coverity Report Generators has the following deprecation in 2019.12.
The plugin jar is no longer supported. Use pluginl.yaml instead. (RG-1318)
The following features were added or changed for the Coverity Report Generators in 2019.12.
The components key is now available to filter any kind of report, not just Coverity Integrity Reports. In addition, you can use a new issue-kind field to filter a report so that it displays only quality or only security issues.
The Coverity Software Integrity Report can now assess specified defects.
The following bugs were fixed for the Coverity Report Generators in 2019.12.
MISRA reports can now be filtered by components.
Fixed a problem with the CVSS report not updating scores on the linked streams in a project.
Coverity Report Generators have the following known issues and solutions:
For APT-based systems, you may receive an error message during report generation. If you do receive an error message, you are likely missing these libraries: libgl1, libgl1-mesa-dri, and libgl1-mesa-glx.
You can install the missing libraries by using the following command syntax:
apt-get install libgl1, apt-get install libgl1-mesa-dri, and apt-get install libgl1-mesa-glx.
During report generation, you might receive the following error: "Loading library prism_es2 from resource failed: java.lang.UnsatisfiedLinkError:"
If you do encounter this error message, please install these missing libraries: libgl1, libgl1-mesa-dri, and libgl1-mesa-glx.
In the Security Report, "Issues Without CWE Numbers" has been renamed "Non-security Issues" to address a complaint about a mismatch between the reported count of issues without CWE numbers and Coverity Connect output sorted by "outstanding defects."
The Security Report now points to BDBA instead of Protecode SC.
Fixed a false negative of MISRA C-2012 Rule 3.2 about CR/LF in the end of comment line.
Fixed a false negative in MISRA C++-2008 Rule 17-0-5 on Windows platform.
Build capture now correctly handles the sourcepath compiler switch for Scala.
The IBM RTC plugin has been replaced with the Eclipse plugin.
Starting from version 2019.09, when upgrading the IBM RTC plugin, the user might encounter a screen that prompts for evaluating the changes to be applied before continuing. This includes renaming the plugin feature from com.coverity.desktop.java.ibm.feature.feature.group to com.coverity.desktop.java.feature.feature.group. This is expected and the user should accept applying these changes and continue with the installation.
Fixed a memory corruption issue that affected translation of subscript expressions.
Fixed an issue that could cause commands to fail with message "ASN CA path length larger than signer error" with self-signed root certificates.
The following documentation fixes were made in Release Notes:
Fixed errant text formatting in the Coverity Analysis User and Administration Guide.
Reinserted images that were missing in the Coverity Platform User and Administration Guide.
Fixed an issue where Coverity failed with declarations of the vector data types for gcc. (This issue was fixed in the base 2019.09 version.)
Fixed an issue where Coverity failed with undefined _Float64x and _Float128 for gcc. (This issue was fixed in the base 2019.09 version.)
Fixed an issue affecting gcc and Synopsys MetaWare hcac and mcc compilers that resulted in spurious "fixed-point constant is out of range" errors for valid ISO/IEC TR 18037 fixed point literals.
Fixed an issue by which the cov-emit command incorrectly rejected some ISO/IEC TR 18037 fixed point literal values. This issue had affected the gcc and Synopsys MetaWare hcac and mcc compilers.
Support for this version of Coverity will be discontinued 18 months after the 2019.12 release.
Due to a change in our bug tracking system, items are now identified by two bug numbers:
One specifying the identity of the bug in our old bug tracking system, formatted like this: XXXXXX. (For example, 374568.)
One specifying the identity of the bug in our new bug tracking system, formatted like this: CODE-XXXXX. (For example, IM-22788.)
Support for the following products, features, platforms, and third-party tools is classified as deprecated or end-of-life as of the Coverity 2019.09 release.
Support for the following products and features is deprecated as of the Coverity 2019.09 release.
Table 40.1. Deprecated products
Product | See also... |
---|---|
Architecture Analysis build-check tool | Supported Platforms for Coverity Analysis |
Architecture Analysis Eclipse plug-in | Supported Platforms for Coverity Analysis |
Architecture Analysis IntelliJ plug-in | Supported Platforms for Coverity Analysis |
__coverity_format_string_sink__ built-in primitive | Users can now use __coverity_taint_sink__(arg, FORMAT_STRING) instead. |
Coverity Desktop support for Java 12 | Supported Platforms for Coverity Analysis |
File system capture | Buildless capture can be used in place of filesystem capture. Please see the section "Moving from filesystem capture to buildless capture" in the Coverity Analysis User and Administrator Guide for more information. (BLC-827) |
FreeBSD 11.1 | Supported Compilers: Coverity Analysis for C/C++ |
FreeBSD 8.4 | Supported Compilers: Coverity Analysis for C/C++ |
GNU GCC and G++ 4.2.1 compiler on FreeBSD 8.4 | Supported Compilers: Coverity Analysis for C/C++ |
Microsoft Embedded C++ 4.0 compiler | Supported Compilers: Coverity Analysis for C/C++ |
Microsoft Visual Studio 2010 and 2012 | Supported Platforms for Coverity Analysis |
OpenJDK 12 | Supported Platforms for Coverity Analysis |
Plugin jar | Start using plugin.yaml (refer: plugins/plugin.html) instead. |
Sun/Oracle JDK 12 | Supported Platforms for Coverity Analysis |
SCM support for SVN 1.9 | Coverity Test Advisor Supported SCM Systems |
Swift 4.2.x | Supported Compilers: Coverity Analysis Swift |
Windows 7, Coverity Analysis support for Windows 7 | Supported Platforms for Coverity Analysis |
Support for the following products and features is dropped in the Coverity 2019.09 release.
Table 40.2. End-of-Life Products
This section provides release notes for Coverity Platform components.
Coverity Connect is a component of the Coverity® Platform installation package.
There have been no deprecations or EOL'd items for Coverity Connect this release.
The following new and changed features have been added for Coverity Connect this release:
The language (info from the committed defect) is now included on both the commit preview and triage store import/export. (IM-21182)
The Oshi library is used instead of Sigar for getting OS and hardware info. For pre-requisites and dependencies, please consult the Coverity Install Guide. (IM-23990, IM-23745)
Added support for AWS RDS PostgreSQL as an external managed database for Coverity. (IM-23805)
The embedded PostgreSQL version has been upgraded from 10.4 to 10.9. Coverity Connect now supports external PostgreSQL databases up to 10.9. (IM-24187)
Added support for capturing and analyzing C# projects that use the Unity Roslyn compiler on MacOS. (INS-2711)
The following bugs are fixed for Coverity Connect:
Documentation was updated to fix a typo.
A workaround has been provided for this commit problem.
Updated documentation to specify that Coverity Connect upgraded the embedded PostgreSQL version from 10.4 to 10.9. Coverity Connect now supports external PostgreSQL databases up to 10.9.
Documentation has been updated to explain how to use a secure SSL setting for customers deploying to the cloud.
An error page was updated to show correct information about Support email address.
Two charts were updated in documentation to show which roles are impacted by classify issues permission.
We have reduced the database size by optimizing the internal relationships on the defect storage model.
Documentation was updated to explain how to retrieve information for more than one CID using the Web Services API.
A bug was fixed in which selecting a defect and pressing the Enter key multiple times caused defects to be exported to JIRA.
Documentation has been updated to specify the default set of status for information returned by getMergedDefectsForStreams.
A bug was fixed that caused the program to hang when the user edited component file mapping rules.
The Coverity Platform User and Administrator Guide has been updated to provide correct information about adding and configuring a reverse proxy.
A bug has been fixed that allowed a user with the Observer role at project level to triage defects using updateTriageForCIDsInTriageStore() or using the cov-manage-im command.
The cov-manage-im command in stream mode now displays all fields.
Preview report json file is now pretty-printed again.
As part of the fix for IM-23384, the getSignInConfigurationRequest and updateSignInConfigurationRequest web service calls no longer return enableSessionTimeout.
The notify.using.configuration.from.address.only is now correctly documented.
Soft-deleted users are now excluded from counts and groups.json.
Release notes in 2019.03, 2019.06, and 2019.09 were updated: References to Java8 were removed.
A new column named "Last Triaged User" that shows the last user who triaged has been added to views.
Coverity Connect has the following known issues:
All Coverity products, including the installers, support only ASCII characters for file and directory names. Non-ASCII characters, such as Japanese characters, are not supported for these names.
In order to use Coverity Connect with a mail server (https option) or Bugzilla (https option), and some other cases, the user has to import certificates into cim/jre/lib/security/cacerts. After running the updater, all of these certificates are gone.
Downloading the binaries to update Java and/or PSQL for security fixes might fail on slow internet connections. Please make sure you have a fast internet connection and retry.
Changing the summary metric name on a coordinator causes the summary metric to disappear from all reports on subscribers. To work around this issue, add the new summary metric back into the reports on subscriber.
User and password information in coverity_config.xml do not override options specified on the command line.
An error occurs when a custom role is created using a multi-word rolename that is the same as a built-in rolename, even if there are case differences between the two rolenames.
Collisions might occur if triage data is deleted from a cluster (used for testing, for example), and then up-to-date triage data is imported from a production instance. This is because deleting triage stores does not delete related CIDs. It is recommended you rebuild the cluster from scratch using the production data.
In a cluster environment, deletion of triage data on the coordinator is not recommended unless it can be verified that there are no subscriber dependencies. Synchronization problems between subscribers and the coordinator might result.
The selected value is not displayed for a Coverity Connect field when using Chrome browser version 47.0.2526.80 on Windows 7.
Using a custom defect export handler script might on occasion create an error when attempting to export data to a bug tracking system.
To prevent database constraint violations on subscribers in a cluster, when a user is deleted, it is marked for deletion instead of being completely (hard) deleted. This status subsequently synchronizes across the cluster.
Internet Explorer 11 fails on operations using file upload.
Although the upgrade doc states that 32-bit to 64-bit in-place database format upgrades are not permitted, some will succeed, yielding valid results. Because in-place upgrade is preferable to backup-and-restore upgrade, we recommend that you try your upgrade in-place and, if it fails, fall back to backup-and-restore upgrade.
With Java 1.7.0_xx and older, Out of Memory errors might occur even if the system has a large amount of available RAM. The workaround is to use the Java version shipped with Coverity Platform, or to specify a max heap setting for cov-im-daemon.
Due to a Red Hat Enterprise Linux issue (Bug 1484079), the Coverity Platform installer on Centos7 or RHEL v7.4 might fail due to an ArrayIndexOutOfBoundsException error and a stack trace indicating an error with fonts. This can be resolved by installing the dejavu-serif-fonts package.
For customers upgrading their Coverity Platform server from unsupported Coverity versions (such as version 5.x), we recommend that you upgrade to a supported intermediate version (such as 2018.03) before upgrading to 2018.06. We also recommend that you perform a backup of your data beforehand with the Upgrade Preparation feature.
All Coverity installers for Linux have a known issue related to missing fonts. If you are installing a Coverity product on Linux from the command line, the installer might fail before asking for user input if the target system does not have access to the fonts required by the installer. Stack traces vary, but usually reference fonts. You can work around this issue by installing the fontconfig package.
For example, this command uses the apt-get package manager to install fontconfig: apt-get install fontconfig.
This command uses the yum package manager to install fontconfig: yum install fontconfig.
Coverity Policy Manager is a component of the Coverity® Platform installation package.
There are no deprecated or EOL items for 2019.09:
Fixed a stack overflow in cov-emit when using the --emit_complementary_info option after being prompted by a long macro definition.
Fixed a case of emit DB corruption triggered by use of GNU multiversioning on a member function.
Installing Coverity Analysis will not fail if Windows UAC dialog is not accepted.
Fixed a source of OVERRUN false positives involving certain implementations of the va_start function.
Fixed a false positive in CERT EXP62-CPP that occurred when using memset on an array of pointers to class objects.
Fixed a false positive in CERT FLP32-C where user-defined functions were mistaken for standard math functions.
Fixed a false positive in CERT OOP51-CPP where an expected object slicing did not occur.
Fixed a false positive in CERT OOP57-CPP that occurred when using memset on an array of pointers to class objects.
Due to a change in our bug tracking system, items are now identified by two bug numbers:
One reflecting the identity of the bug in our old bug tracking system, formatted like this: XXXXXX. (For example, 374568.)
One reflecting the identity of the bug in our new bug tracking system, formatted like this: CODE-XXXXX. (For example, IM-22788.)
Bugs with only a CODE-XXXXX number do not have an old number.
Support for the following products, features, platforms, and third-party tools is classified as deprecated or end-of-life as of the Coverity 2019.06 release.
Support for the following products and features is deprecated as of the Coverity 2019.06 release.
Table 48.1. Deprecated products
Product | Comments |
---|---|
Eclipse 4.6 support | Coverity Desktop for Eclipse on supported platforms |
Git 1.8-2.1 support | Coverity Test Advisor Supported SCM Systems |
JDK 1.6 for macOS support | Supported Compilers: Coverity Analysis for C/C++ |
Mercurial 3.1 and 3.2 support | Coverity Test Advisor Supported SCM Systems |
Oracle JDK 10 support | Supported Compilers: Coverity Analysis for C/C++ |
Perforce 2015.2 support | Coverity Test Advisor Supported SCM Systems |
Support for the following products and features is dropped in the Coverity 2019.06 release.
Table 48.2. End-of-Life Products
Product | Comments |
---|---|
Accurev 6.2 support | Coverity Test Advisor Supported SCM Systems |
AIX 6.1 support | Supported Compilers: Coverity Analysis for C/C++ |
Architecture Analysis on Windows 32-bit systems | Supported Platforms for Coverity Analysis |
Git 1.4-1.7 support | Coverity Test Advisor Supported SCM Systems |
Glibc 2.12-2.13 support | Supported Platforms for Coverity Analysis |
IntelliJ 2016.x support | Coverity Desktop for IntelliJ on supported platforms |
Mercurial 1.0-3.0 support | Coverity Test Advisor Supported SCM Systems |
NetBSD 6.1 and earlier support | Supported Platforms for Coverity Analysis |
Perforce 2014.2 and 2015.1 support | Coverity Test Advisor Supported SCM Systems |
RubyMine, WebStorm, and PyCharm support | Coverity Desktop for IntelliJ on supported platforms |
Swift 4.0-4.1.2 compiler support | Supported Compilers: Coverity Analysis Swift |
TFS 2010 support | Coverity Test Advisor Supported SCM Systems |
Windows Server 2008 R2 support | Supported Platforms for Coverity Analysis |
This section provides release notes for Coverity Platform components.
Coverity Connect is a component of the Coverity® Platform installation package.
There have been several deprecations for Coverity Connect this release:
Dropped support for glibc 2.12-2.13. Currently, we are supporting glibc 2.14 or higher. (IM-23864)
Dropped Coverity Platform support for Windows Server 2008. (INS-2668)
The following new and changed features have been added for Coverity Connect this release:
Added the -deststoretype JKS option to the procedure for configuring Coverity Connect with TLS/SSL.
For more information, see Section 3.1.1.8. "Configuring Coverity Connect for TLS/SSL" in the Coverity Platform 2019.06 User and Administrator Guide. (IM-23655)
Added support for PostgreSQL 10.4. (IM-23686)
The following bugs are fixed for Coverity Connect:
Fixed a broken link inside an email notification.
Fixed a commit issue caused by a database constraint violation exception.
Fixed the commit failures that resulted from improper use of scrollable results.
Fixed an issue involving password reset failures.
If the database backup fails, an email notification now gets sent to an administrator.
Fixed occasional failures that occurred when generating a Coverity Integrity Report that included large amounts of defects.
Fixed an upgrade failure that resulted from a JVM GC misconfiguration.
Updated the Coverity Connect UI to reflect a (required) default timeout after an inactive session. The default timeout no longer displays as an optional setting under Sign In Settings. Instead, users can now only specify the number of inactive minutes before they are automatically logged out.
Fixed PostgreSQL upgrade failures that resulted from incorrect parsing of external database version numbers.
Fixed an issue which now takes rowCount into account for any offset values when accessing /api/viewContents/* via curl or wget.
Fixed an error that occurred when multiple triage stores were removed during the coordinator-subscriber synchronization process when triage stores were being used by subscriber streams.
Improved the generic error messages which a user might encounter when backing up the Coverity Connect database during an upgrade.
The config/system.properties file now also lists the os_user property. The os_user property ensures that the installation is being run by the correct user.
Coverity Connect has the following known issues:
All Coverity products, including the installers, support only ASCII characters for file and directory names. Non-ASCII characters, such as Japanese characters, are not supported for these names.
In order to use Coverity Connect with a mail server (https option) or Bugzilla (https option), and some other cases, the user has to import certificates into cim/jre/lib/security/cacerts. After running the updater, all of these certificates are gone.
Downloading the binaries to update Java and/or PSQL for security fixes might fail on slow internet connections. Please make sure you have a fast internet connection and retry.
Changing the summary metric name on a coordinator causes the summary metric to disappear from all reports on subscribers. To work around this issue, add the new summary metric back into the reports on subscriber.
User and password information in coverity_config.xml do not override options specified on the command line.
An error occurs when a custom role is created using a multi-word rolename that is the same as a built-in rolename, even if there are case differences between the two rolenames.
Collisions might occur if triage data is deleted from a cluster (used for testing, for example), and then up-to-date triage data is imported from a production instance. This is because deleting triage stores does not delete related CIDs. It is recommended you rebuild the cluster from scratch using the production data.
In a cluster environment, deletion of triage data on the coordinator is not recommended unless it can be verified that there are no subscriber dependencies. Synchronization problems between subscribers and the coordinator might result.
The selected value is not displayed for a Coverity Connect field when using Chrome browser version 47.0.2526.80 on Windows 7.
Using a custom defect export handler script might on occasion create an error when attempting to export data to a bug tracking system.
To prevent database constraint violations on subscribers in a cluster, when a user is deleted, it is marked for deletion instead of being completely (hard) deleted. This status subsequently synchronizes across the cluster.
Although the upgrade doc states that 32-bit to 64-bit in-place database format upgrades are not permitted, some will succeed, yielding valid results. Because in-place upgrade is preferable to backup-and-restore upgrade, we recommend that you try your upgrade in-place and, if it fails, fall back to backup-and-restore upgrade.
With Java 1.7.0_xx and older, Out of Memory errors might occur even if the system has a large amount of available RAM. The workaround is to use the Java version shipped with Coverity Platform, or to specify a max heap setting for cov-im-daemon.
Due to a Red Hat Enterprise Linux issue (Bug 1484079), the Coverity Platform installer on Centos7 or RHEL v7.4 might fail due to an ArrayIndexOutOfBoundsException error and a stack trace indicating an error with fonts. This can be resolved by installing the dejavu-serif-fonts package.
For customers upgrading their Coverity Platform server from unsupported Coverity versions (such as version 5.x), we recommend that you upgrade to a supported intermediate version (such as 2018.03) before upgrading to 2018.06. We also recommend that you perform a backup of your data beforehand with the Upgrade Preparation feature.
All Coverity installers for Linux have a known issue related to missing fonts. If you are installing a Coverity product on Linux from the command line, the installer might fail before asking for user input if the target system does not have access to the fonts required by the installer. Stack traces vary, but usually reference fonts. You can work around this issue by installing the fontconfig package.
For example, this command uses the apt-get package manager to install fontconfig: apt-get install fontconfig.
This command uses the yum package manager to install fontconfig: yum install fontconfig.
This section provides updates about Coverity Analysis components.
There have been several deprecations and EOLs this release:
Deprecated support for macOS 10.12. (COVP-2108)
Deprecated support for JDK 1.6 on macOS. (COVP-2122)
Deprecated support for Oracle JDK 10. (COVP-2122)
Dropped support for Windows Server 2008 R2. (COVP-2126)
Dropped support for Swift 4.0-4.1.2. (CMPSWIFT-265)
The __coverity_tainted_data_sink__ and __coverity_tainted_string_sink_content__ primitives have been deprecated. These primitives are replaced by __coverity_taint_sink__, which allows specification of TaintSinkType. (SAT-28684)
Deprecated support for the following function annotations: tainted_data_return, tainted_data_argument, tainted_string_return_content, and tainted_string_argument. These function annotations have been replaced by taint_source, which can be used to uniformly specify a source of tainted data across the following C/C++ checkers: TAINTED_SCALAR, TAINTED_STRING, OS_CMD_INJECTION, PATH_MANIPULATION, SQLI, URL_MANIPULATION, and XPATH_INJECTION. (SAT-28914)
Coverity Analysis has the following new and changed features:
Added support for Swift 4.2. (CMPSWIFT-213)
Added support for OpenJDK 11 on Linux and Windows. (COVP-2122)
Coverity Analysis has been further broken down into components providing the ability to select new pieces of the product to omit.
For more information, see Section 2 "Installing Coverity Analysis components" in the Coverity 2019.06 Installation and Deployment Guide. (INS-2564)
Added the --component.cov-wizard option to the Coverity Analysis silent installer. The --component.cov-wizard option controls whether Coverity Wizard is included in the installation.
For more information, see Section 2.2.2. "Coverity Analysis silent installer" in the Coverity 2019.06 Installation and Deployment Guide. (INS-2628)
Added Server Name Indication (SNI) support to Coverity Analysis tools. (SAT-22256)
Added cross file support for Java and .NET security checkers run with cov-run-desktop and Coverity Analysis summaries. (SAT-25191)
Added taint flow modeling for STL APIs. (SAT-28879)
Removed the cov-template-da binary. Its functionality has been moved into the cov-security-da binary, which will now automatically run at the end of a filesystem capture for a JavaScript project. (SAT-28979)
Added a way to mark specific arguments as tainted in the simple_entry_point directive. (SAT-29063)
Added a new version (v7) to the JSON defect output format, which includes a new optional MISRA Category field for MISRA defects. The following MISRA categories are now available: Advisory, Required, and Mandatory. (SAT-29154)
Added the --MISRA-category-regex option to filter cov-run-desktop defects based on MISRA category. (SAT-29200)
Added models for the GUPnP C/C++ Library. (SAT-29441)
Added models for the libmicrohttpd C/C++ Library. (SAT-29459)
Added models for the GLib C/C++ Library. (SAT-29460)
Added models for the libcurl C/C++ Library. (SAT-29463)
Added C/C++ models for GNET APIs to detect URL_MANIPULATION defects. (SAT-29524)
Added C/C++ models for the libxml2 library to detect PATH_MANIPULATION defects. (SAT-29614)
Added support for doT.js, Hogan, Lodash, Twig, and Underscore JavaScript template engines. (SAT-29713)
cov-run-desktop now supports sorting by MISRA Category level. (SAT-29736)
Installation can now successfully be aborted when a user is asked to continue installation on an existing directory.
Fixed an issue where an unattended installer would not work on the Windows command line.
TAINTED_STRING no longer reports on dataflow from the environment back to the environment.
Fixed an issue that could cause false positives in rules such as AUTOSAR C++ 14 A0-1-3, where the checker would falsely claim that a symbol was never referenced.
cov-run-desktop text output now includes "MISRA Category" values when reporting MISRA defects.
Fixed a bug where Java, C#, and Visual Basic .NET analysis might generate bogus new defects every analysis run due to anonymous inner classes.
Fixed a PATH_MANIPULATION false negative involving a call to the xmlReadFile function in libxml.
Improved Coverity Analysis to avoid false positives if an object was assigned a temporary value and that object also contained a field that affected a condition.
In earlier releases, Coverity Fortran Syntax Analysis failed with a memory access violation when run under Clear Linux 4.14-64. This issue has been resolved.
Fixed a class of NULL_RETURNS false negatives where a field of a pointer was checked for nullity and then returned even when it was on a null path.
Fixed an issue that caused SSL verification failures with the following error message: "Server's SSL certificate is not trusted. Its CA certificate was found but a chain of trust could not be constructed." This error message would appear when multiple CA certificates with the same name were installed.
cov-analyze now only analyzes one file when multiple files end up being the same after the effects of the --strip-path option.
Fixed a class of USE_AFTER_FREE false positives where previously derived models were being used for current recursive functions.
Fixed a class of SINGLETON_RACE false positives that occurred when Coverity Analysis did not properly recognize a RequestScope annotation.
Updated PRINTF_ARGS's default behavior so that it no longer reports on mismatches of integral types with the same bit size. strict_integral_type_match, a new checker option, was added to revert PRINTF_ARGS back to its previous behavior.
Fixed an issue that would cause PRINTF_ARGS false positives when using the %s specifier in a call to the wprintf function on Windows.
Fixed a class of OVERRUN false positives which involved retrieving a buffer pointer offset.
Moved the location of defects (when reported from the function declaration) for Flask views in Python applications to the return statement.
Fixed an error that would cause an unrecoverable analysis crash when AUTOSAR C++14 Rule A2-7-1 was enabled and a source file contained a //, immediately followed by a new line.
Fixed an issue that could cause unrecoverable (and sometimes silent) analysis crashes when a file contained a very large number of coding standard violations (for standards such as MISRA C-2012 Rule 20.5).
Updated PRINTF_ARGS to understand the Microsoft-specific I32, I64, and I size attributes.
Fixed an error where invoking the version of swprintf that does not take a size argument resulted in OVERRUN false positives.
Fixed a class of INVALIDATE_ITERATOR false positives where an end iterator was passed as an argument to std::prev.
Custom text checkers were documented as being enabled by default, although they required explicit enablement. They are now correctly enabled by default. (See the TEXT.CUSTOM_CHECKER section in the Checker Reference.)
Fixed a bug where SpotBugs would generate bogus new defects during every analysis run due to the usage of lambdas.
Fixed an issue where non-detection of feature settings in XML parsers resulted in XML_EXTERNAL_ENTITY false positive defects.
Fixed a source of STRAY_SEMICOLON false positives when using the C++ if constexpr construct.
Fixed a source of UNINIT false positives with the enable_write_context option.
Fixed a BUFFER_SIZE false positive by adding support for compound operators.
Modeled APIs in libsoup (C/C++ Library) as taint sources and URL_MANIPULATION taint sinks.
Fixed an analysis crash that resulted in a "File name was not obtained from getCasePreservedFileName" error message when the HFA checker was enabled on Windows.
Modeled APIs in libfetch (C/C++ Library) as URL_MANIPULATION taint sinks.
Modeled taint sources for LZ4 APIs.
Fixed an analysis crash that occurred when using the --enable-constraint-fpp option while running compliance checkers.
Modeled taint sources in File, Networking, and Data Conversion APIs in the C/C++ GIO library. (SAT-29709)
Fixed event messages erroneously printing <arg-1> instead of referencing this.
Fixed a bug that prevented code annotations from suppressing MISRA defect reports.
Fixed a memory leak that could cause performance issues (especially when running compliance checkers).
Fixed a crash in JavaScript analysis involving large codebases during the generation of a call graph.
Fixed a cov-analyze Analysis Master (AM) assertion failure that could occur when attempting to detect JavaScript duplicate source files that involved source maps.
Improved Coverity Analysis with Clang compilers so that false positives are avoided when an object is assigned a temporary value and that object also contains a field that affects a condition.
Fixed a crash in cov-analyze involving catastrophic signal: 22 (SIGABRT), which sometimes resulted from very large output files on Windows.
Fixed a false positive in MISRA C-2012 Rule 18.4 where a pointer to an array decayed into a pointer.
Fixed a false positive in CERT OOP57-CPP that occurred when using memset on an array of pointers to class objects.
Fixed a false positive in CERT OOP51-CPP where an expected object slicing did not occur.
Fixed a false positive in CERT FLP32-C where user-defined functions were mistaken for standard math functions.
Fixed a false positive in CERT EXP62-CPP that occurred when using memset on an array of pointers to class objects.
Fixed a false positive in MISRA C-2012 Rule 7.2 involving macro arguments.
Fixed a false positive in MISRA C-2012 Rule 10.3 where a boolean literal false was used in a struct field initializer.
Fixed the wrong event messages for MISRA C-2012 Rule 10.3 in the Japanese locale.
Fixed a false positive in MISRA C++-2008 Rule 0-1-10 where a virtual function was called.
Fixed a MISRA C-2012 Rule 14.4 false positive where false was used as the conditional expression of a while statement in a function-like macro.
Fixed a MISRA C++-2008 Rule 8-5-2 false positive involving zero initialization of float types.
The following sections describe new and updated features, bug fixes, and known issues for Coverity checkers and associated elements.
The following table lists new checkers and the languages they support.
Checker | Languages |
---|---|
CONFIG.CSURF_IGNORE_METHODS | JavaScript |
CONFIG.MYBATIS_MAPPER_SQLI | Java |
JSONWEBTOKEN_UNTRUSTED_DECODE | JavaScript |
REACT_DYNAMIC_URL_INSECURE_TARGET | JavaScript |
The following table documents added language support for existing checkers.
Languages | Checkers |
---|---|
C/C++ | URL_MANIPULATION |
Go | CONSTANT_EXPRESSION_RESULT, COPY_PASTE_ERROR, DIVIDE_BY_ZERO, FORWARD_NULL, IDENTICAL_BRANCHES, REVERSE_INULL, UNINTENDED_INTEGER_DIVISION, UNUSED_VALUE |
TypeScript | EXPLICIT_THIS_EXPECTED, FORWARD_NULL, NO_EFFECT, NULL_RETURNS, REVERSE_INULL |
New and changed checkers
CONFIG.MYBATIS_MAPPER_SQLI, a new checker, reports unescaped variable substitution in iBatis and MyBatis Mapper XML files.
Improved the defect merging strategy for user-defined dataflow checkers created with DF.CUSTOM_CHECKER, so that these checkers better distinguish separate defects from the same checker. These checkers now use the same defect merging strategy as built-in dataflow checkers. As a result, some defects from such checkers that were previously merged into occurrences of the same CID are now reported as separate CIDs. These separate CIDs can now be triaged separately.
C/C++ security checkers now use the __coverity_taint_sink__ primitive, which allows for specification of sink type.
Added the yarrow_start and rc4_start LibTomCrypt API functions to the DC.WEAK_CRYPTO checker.
Added TypeScript support for the EXPLICIT_THIS_EXPECTED quality checker.
Added TypeScript support for the FORWARD_NULL quality checker.
Added TypeScript support for the NULL_RETURNS quality checker.
Added TypeScript support for the REVERSE_INULL quality checker.
Added the __coverity_taint_sink__ primitive. The advantage of this new primitive is that it allows specification of a TaintSinkType. This primitive is shared by the following C/C++ security checkers: TAINTED_STRING, TAINTED_SCALAR, OS_CMD_INJECTION, PATH_MANIPULATION, SQLI, XPATH_INJECTION, URL_MANIPULATION, and INTEGER_OVERFLOW.
The __coverity_taint_sink__ primitive also replaces the __coverity_tainted_string_sink_content__ and __coverity_tainted_data_sink__ primitives.
CONFIG.CSURF_IGNORE_METHODS, a new checker, finds cases (such as POST, PUT, and DELETE) where the csurf middleware is configured to ignore requests with HTTP methods that change server state.
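The following is an added example, not Coverity's or the csurf project's code, showing the configuration pattern this checker reports. csurf's `ignoreMethods` option lists the HTTP methods that skip CSRF token validation; its documented default is GET, HEAD and OPTIONS. The check function and the two option objects below are constructed for this illustration.

```javascript
// Added example (not Coverity's or csurf's code): detecting a csurf
// configuration that exempts state-changing HTTP methods from CSRF checks.

// Methods that must never change server state, and therefore may safely
// skip CSRF token validation. This matches csurf's default ignoreMethods.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
const CSURF_DEFAULT_IGNORE = ["GET", "HEAD", "OPTIONS"];

// Returns the state-changing methods that a csurf options object exempts
// from CSRF validation. An empty array means the configuration is acceptable.
function unsafeIgnoredMethods(csurfOptions = {}) {
  const ignored = csurfOptions.ignoreMethods ?? CSURF_DEFAULT_IGNORE;
  return ignored
    .map((m) => String(m).toUpperCase())
    .filter((m) => !SAFE_METHODS.has(m));
}

// Mirrors the decision csurf makes per request: does this method need a
// valid token under the given options?
function requiresCsrfToken(method, csurfOptions = {}) {
  const ignored = (csurfOptions.ignoreMethods ?? CSURF_DEFAULT_IGNORE)
    .map((m) => String(m).toUpperCase());
  return !ignored.includes(String(method).toUpperCase());
}

// Weak setting (constructed): POST is exempt, so every POST handler behind
// app.use(csurf(weakOptions)) accepts cross-site form submissions without a token.
const weakOptions = { cookie: true, ignoreMethods: ["GET", "HEAD", "OPTIONS", "POST"] };

// Corrected setting: only read-only methods are exempt. A single endpoint that
// genuinely cannot carry a token (for example a webhook authenticated by its
// own signature) should be mounted before or outside the csurf middleware
// rather than exempting the whole method.
const fixedOptions = { cookie: true, ignoreMethods: ["GET", "HEAD", "OPTIONS"] };
```

`unsafeIgnoredMethods(weakOptions)` returns `["POST"]`, which is the finding the checker would raise; the corrected options return an empty array, and `requiresCsrfToken("POST", fixedOptions)` is true.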
JSONWEBTOKEN_UNTRUSTED_DECODE finds cases where JWT tokens are decoded but their signature is not verified. If the token is not verified, attackers might submit forged tokens and gain access to sensitive data and functionality.
REACT_DYNAMIC_URL_INSECURE_TARGET finds cases where a link is dynamically generated and is set to open a new window by virtue of its target attribute being set to _blank. Third-party sites opened from such links are able to redirect the original window or tab to an arbitrary URL without user interaction. When returning to the original window or tab, a user might be tricked into disclosing sensitive information through a phishing attack.
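As an added example (not Coverity's or React's code), the objects below stand in for the props of a React `<a>` element so that no React dependency is needed. The insecure builder is the shape the checker reports; the hardened builder adds the `rel` tokens that sever `window.opener`, and the check function is the decision a reviewer or a lint rule would make. The function names are constructed for this illustration.

```javascript
// Added example (not Coverity's or React's code): a dynamically built link
// opened with target="_blank" gives the new page a window.opener reference
// unless rel="noopener" (or "noreferrer") is set, letting that page navigate
// the original tab (reverse tabnabbing).

// Insecure: the URL is opened in a new window with no rel attribute.
function linkPropsInsecure(href) {
  return { href, target: "_blank" };
}

// Hardened: always add noopener and noreferrer when opening a new window.
// noreferrer implies noopener in browsers that predate the noopener keyword.
function linkPropsSecure(href, rel = "") {
  const tokens = new Set(rel.toLowerCase().split(/\s+/).filter(Boolean));
  tokens.add("noopener");
  tokens.add("noreferrer");
  return { href, target: "_blank", rel: [...tokens].join(" ") };
}

// Check: true when the props open a new window without severing window.opener.
function hasInsecureTarget(props) {
  if (String(props.target || "").toLowerCase() !== "_blank") return false;
  const rel = new Set(String(props.rel || "").toLowerCase().split(/\s+/).filter(Boolean));
  return !(rel.has("noopener") || rel.has("noreferrer"));
}

// Scan a list of link props (for example, collected from a rendered tree)
// and return the hrefs that would be reported.
function findInsecureLinks(linkList) {
  return linkList.filter(hasInsecureTarget).map((p) => p.href);
}
```

Modern browsers default `target="_blank"` links to `noopener`, but the explicit `rel` is still the portable fix and is what removes the report.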
The IDENTICAL_BRANCHES checker now supports Go.
Added a new C/C++ checker: URL_MANIPULATION.
The CONSTANT_EXPRESSION_RESULT checker now supports Go.
The COPY_PASTE_ERROR checker now supports Go.
The DIVIDE_BY_ZERO checker now supports Go.
The FORWARD_NULL checker now supports Go.
The REVERSE_INULL checker now supports Go.
The UNINTENDED_INTEGER_DIVISION checker now supports Go.
The UNUSED_VALUE checker now supports Go.
Added support for Ruby on Rails major version series 6.x to the Ruby security checkers.
Further increased Coverity's coverage of the AUTOSAR C++14 standard, 18-10 edition.
Added TypeScript support for the NO_EFFECT quality checker.
XSS
The XSS checker can report multiple occurrences of the same local defect under certain circumstances.
INTEGER_OVERFLOW churn
Churn for the preview INTEGER_OVERFLOW checker might be higher in this release compared to churn for other checkers.
This section lists new features, bug fixes, and known issues related to Coverity-supported compilers (including configuration), and the Compiler Integration Toolkit (CIT).
There were several deprecations and EOLs for Compiler Integration Toolkit (CIT) this release:
Dropped support for the --coverity_source_<language> switches to cov-translate. (CMPCPP-8306)
Dropped support for AIX 6.1. (CMPG-3016)
Added support for the Kyoto Microcomputer gcc version 6.4.0 compiler. (CMPCPP-6765)
Added support for Sony PS4 SDK versions 5.0, 5.5, and 6.0. (CMPCPP-7072)
Added support for the Keil ARM uVision 5.06 compiler. (CMPCPP-7474)
Added support for the Kyoto Microcomputer Clang version 6.0.0 compiler. (CMPCPP-8127)
cov-emit now supports _Imaginary types. (CMPCPP-8306)
Added support for the Analog Devices SHARC 8.12.0.0 compiler. (CMPCPP-8331)
Added support for the Analog Devices Blackfin 8.12.0.0 compiler. (CMPCPP-8332)
Added support for the ARM Clang 6.3 compiler. (CMPCPP-8333)
Added support for GCC 8.2 and 8.3. (CMPCPP-8478)
Added support for LLVM Clang 8. (CMPCPP-8567)
Added support for the MetaWare ccac P-2019.03 compiler. (CMPCPP-8615)
Added support for capturing and analyzing C# projects on Mac OS X that use the Unity Roslyn compiler. Analysis support is limited to quality checkers only. (CMPCSH-992)
Added support for .NET Core 2.2. (CMPCSH-1043)
Undeprecated support for GNU GCC and G++ compilers on macOS. Coverity will continue to support GNU compilers on macOS. (CMPG-2987)
Added support for Fortran 18 standard. (CMPG-2988)
The following bugs were fixed for compilers and the Compiler Integration Toolkit (CIT) for Coverity Analysis analysis in 2019.06:
The cov-build command can now successfully capture OJDeploy-based builds.
Fixed an issue involving EXECUTING lines that were elided in the build-log.txt file for commands executed with the execvp() system call.
Corrected an issue with xref generation that resulted in an Expression: !isNull() && "Cannot retrieve a NULL type pointer" assertion failure in cov-internal-emit-clang when the __underlying_type builtin type trait was used with a dependent type.
Fixed an assertion in cov-emit that could occur when an xvalue expression appeared within parentheses.
cov-emit now accepts inline namespaces declared with the __inline keyword.
Fixed an issue in cov-emit when emulating GCC where an enumeration type with no explicit underlying type was incorrectly given a signed underlying type.
Fixed an issue where using compiler intrinsics would cause false positive defects in MISRA-C 2012 Rule 8.2.
Fixed a suppressible assertion failure that occurred when initializing classes and structures with multiple inheritances combined with regular class inheritances.
cov-emit now allows aggregate initialization of objects with SIMD vector types.
Fixed a stack overflow in cov-emit when using the --emit_complementary_info option after being prompted by a long macro definition.
Fixed an issue where the C/C++ source type was incorrectly translated for the Green Hills ARM compiler.
Corrected an issue with Clang compilers that resulted in a "decl is part of a template" assertion failure error message and TU loss. This issue occurred when a build was captured with support enabled for compliance checkers.
Fixed an issue where cov-build would not recognize the -tcf_core_config option for the MetaWare ccac compiler.
A number of performance improvements were made for --emit_complementary_info and --emit_referenced_types.
Diagnostics performance has been improved.
Compilations with many parse warnings can be slow. This has been fixed.
Fixed an assertion in cov-emit error recovery that could occur when emitting referenced types.
Macro-related performance issues have been fixed.
Fixed an internal error issued by cov-emit when a template with a template-dependent base class was encountered while emulating the GCC -fms-extensions switch.
Fixed an issue that could cause a crash with the following message: "TU <N1> and <N2> both have primary source file <file>".
Fixed an issue where some header files for the MetaWare ccac compiler could not be found.
Fixed an issue where cov-emit-cs would crash if a function definition was used in an external alias.
Addressed an issue in the C# frontend where error recovery would result in the following assertion error message: "assertion failed: Cannot find class".
Fixed several (minor) issues with the Visual Basic compiler switch table.
Fixed a stack overflow in the cov-emit-java frontend for large binary operation expressions with thousands of sub-expressions.
cov-emit-swift is now more fault tolerant to unsupported Swift versions and language constructs.
Fixed an issue where the enable-batch-mode and pch-output-dir Swift native compiler options were not recognized.
Addressed an issue in the Visual Basic FE where an Optional DateTime parameter would cause the FE to crash.
cov-build --instrument has a known issue when running the xdcmake.exe tool of Visual Studio 2010 when launched from a 32-bit process on Windows 10. This will currently fail with a System.BadImageFormatException exception. To work around this issue you can either:
Modify the build such that xdcmake.exe is run from a 64-bit process.
Ignore the xdcmake.exe process by adding --capture-ignore xdcmake.exe to your cov-build invocation.
The Scala Macro Paradise compiler plugin can be incompatible between different Scala 2.12.x patch versions and might cause emit failures.
The JavaScript front end no longer supports nameless function statements. (Nameless function expressions are supported as before.) A function statement without a declared name is a syntax error according to the ECMAScript standard, but may be used in JavaScript source files used with some frameworks.
The default charset for the Java 1.8 VM on Mac appears to be UTF-8 if a charset has not been explicitly set. The Coverity Java compiler does not emulate this behavior. Make sure to explicitly set the character encoding by setting a locale using the LANG or LC_CTYPE environment variables.
This section provides updates about cov-build and related commands, including capture, emit, and translate commands.
There were no new and changed features added for commands related to the build and capture process (including emit and translate commands) in 2019.06.
There was one bug fixed for build and capture-related commands (including emit and translate commands) in 2019.06:
Fixed an issue where cov-capture could intermittently hang on macOS.
Build-related commands have the following known issues and solutions:
If you have KB2919355 (http://support.microsoft.com/kb/2919355) installed on a Windows 2012 system, you might encounter the build hanging under cov-build if MSBuild is used. When this hang occurs, the process tree will show MSBuild still running under cov-build, even though there will be no output or progress from MSBuild.
To work around this issue, you can either:
Uninstall KB2919355
OR
Add the --instrument flag to your cov-build invocation:
> cov-build --dir dir --instrument msbuild ..
On Windows, when preprocessing a file with cov-emit to the Windows console, cov-emit might fail with a catastrophic error if the character encoding of the preprocessed output is not compatible with the console encoding.
This error can be avoided by redirecting the preprocessed output to a file.
Running cov-emit-java to emit a web application (with --war --findears or similar) might fail if the number of JAR files in its classpath (including those found with --findjars) exceeds the operating system's per-process file limit. To work around this case, either increase the per-process open file limit or remove unnecessary JARs from the classpath.
If you receive the following error message when using cov-build, you can work around this issue by using the --instrument option.
Error message:
[WARNING] Compilations that use 32-bit Java tools running on 64-bit Windows were detected during this build. Such compilations are not supported at the moment; analysis might be incomplete or invalid because of that.
Workaround:
> cov-build --dir t1 --instrument ant
This section lists new features, bug fixes, and known issues for cov-analyze and related commands.
There were no new features added or changed for commands related to the analysis process in 2019.06.
Analysis-related commands have the following known issues and solutions:
The cov-run-desktop command sometimes fails on large Java compilations, potentially causing emit database corruption on Windows platforms. This can manifest as a cov-analyze crash. More commonly, cov-emit-java itself will fail with access violation crashes or errors concerning a failure to acquire a lock. These will appear in cov-run-desktop-log.txt. If this issue occurs, you can work around it by specifying -j 1 with cov-run-desktop.
This section lists new features for Test Advisor.
This section lists new features, bug fixes, and known issues related to Coverity Wizard.
There was one EOL this release:
Dropped support for Microsoft Team Foundation Server (TFS) 2010. (PRD-11763)
Coverity Wizard has the following new and changed feature in 2019.06:
Added support for Microsoft Azure DevOps Server 2019. (PRD-11751)
The following bug was fixed for Coverity Wizard in 2019.06:
Fixed Java filesystem capture in cov-wizard and Coverity plugins to capture all Java source files.
Coverity Wizard has the following known issues in version 2019.06:
cov-wizard might not successfully emit Java with the default version that is installed in Ubuntu 18.04. (For more information, see https://bugs.launchpad.net/ubuntu/+source/openjdk-lts/+bug/1796027.)
To fix this issue, install a different version of Java and set it as the default Java version.
Using the 'Duplicate' button for configuring compilers in Coverity Wizard does not work.
Coverity Wizard now warns the user every time they select the 'Test Prioritization' workflow, even if they did not first work with the regular analysis workflow. This can be safely ignored.
When using a self-signed certificate, if the user chooses not to trust the certificate, they might be prompted multiple times in a row (asking to trust the certificate). If a user does not want to trust a self-signed certificate, they should change their Coverity Connect server settings to avoid the prompts. Otherwise, keep pressing 'No' to decline trusting the certificate until the repeated prompts stop.
After upgrade, Coverity Wizard can sometimes give a ReferenceMap NullPointerException application error on startup. To work around this issue, delete the .orphan file in the <install_dir_sa>/jars/cwiz/configurations/org.eclipse.core.runtime folder.
When in the Test Prioritization workflow, on the View Results page, clicking the button might not work for some older Linux distributions.
The guided policy creation wizard "Documentation" link fails to open properly on Linux. Open the Coverity Wizard 2020.12 User Guide separately to view this documentation.
The Guided Test Advisor Policy Creation Wizard uses Java regex validation instead of the Perl regex validation that Coverity Analysis Test Advisor uses. This should not cause any issues for most users, but if there is a difference, go to the more advanced Test Prioritization Policy Editor and Debugger to enter the proper regex.
In Coverity Wizard, after automatically configuring the compilers in the screen, the status indicator for the screen might not update from the exclamation mark icon to the check mark icon, which will appear as though the auto-configuration was unsuccessful. However, clicking anywhere in the Coverity Wizard window or changing pages will cause the indicator to update to the check mark icon.
Not all the Preference dialog text is translated into Japanese on the syntax coloring dialog.
In the Coverity Wizard Policy Editor, the 'Link to Editor' icon in the Outline View might be toggled as enabled, even though the editor is not actually linked with the Outline View.
To enable outline linking, toggle the 'Link to Editor' button to disabled, and back to enabled again.
Coverity Test Advisor is a component of the Coverity Analysis installation package.
There have been several deprecations and EOLs this release:
Dropped support for Git 1.4-1.7. (TADE-1984)
Dropped support for Mercurial 1.0-3.0. (TADE-1985)
Deprecated support for Git 1.8-2.1. (TADE-1987)
Dropped support for Perforce 2014.2 and 2015.1. (TADE-1992)
Deprecated support for Perforce 2015.2. (TADE-1992)
Dropped support for Accurev 6.2. (TADE-1996)
Deprecated support for Mercurial 3.1 and 3.2. (TADE-1996)
Dropped support for Team Foundation Server (TFS) 2010. (TADE-1999)
Test Advisor has several new or changed features in 2019.06:
Added support for Azure DevOps Server 2019 to our SCM tools. It can be accessed by passing the --scm ads argument. (TADE-1986)
Added support for versions of Git up to 2.21. (TADE-1987)
Added support for Perforce 2017.2, 2018.1, and 2018.2. (TADE-1992)
The following bug was fixed for Test Advisor in 2019.06:
cov-import-scm and cov-extract-scm now accept the --scm-tool, --scm-tool-arg, --scm-command-arg, and --scm-project-root options as synonyms for the --tool, --tool-arg, --command-arg, and --project-root options. This makes their interfaces consistent with our other tools using SCM arguments.
Test Advisor has the following known issues and solutions in 2019.06:
All Coverity products, including the installers, support only ASCII characters for file and directory names. Non-ASCII characters, such as Japanese characters, are not supported for these names.
Dynamic Analysis is a component of the Coverity® Analysis installation package.
There has been one deprecation this release:
Deprecated support for JDK for macOS 1.6. (JDA-1090)
Dynamic Analysis has the following known issues and solutions in 2019.06:
All Coverity products, including the installers, support only ASCII characters for file and directory names. Non-ASCII characters, such as Japanese characters, are not supported for these names.
If Dynamic Analysis reports defects in classes that were compiled without debugging information, or contain mangled information due to misbehaving code coverage or AOP tool, the defect report might contain nonsensical line numbers or file names.
Specifying certain combinations of the instrument-arrays, instrument-collections, detect-races, and detect-deadlocks options to the Dynamic Analysis agent causes unexpected behavior. In particular, Dynamic Analysis still reports races on arrays and collections according to the instrument-arrays and instrument-collections options when detect-races is false and detect-deadlocks is true. However, if both detect-races and detect-deadlocks are false, then Dynamic Analysis reports races on neither collections nor arrays.
If you do not specify a class in the cov-start-da-broker classpath option, the corresponding source file isn't committed, even if the source file is present on the source path.
Coverity Architecture Analysis is a component of the Coverity Analysis installation package.
Coverity® Extend Software Development Kit is a component of the Coverity® Analysis installation package.
The Coverity Desktop plug-in is available for various platforms from the Coverity Connect Downloads menu.
There were several deprecations and EOLs for Coverity Desktop this release:
Dropped support for Microsoft Team Foundation Server (TFS) 2010. (PRD-10649; PRD-10651)
Dropped support for the --preview option. (PRD-11714)
Dropped support for Android Studio 2.2. (PRD-11756)
Dropped support for IntelliJ 2016.x. (PRD-11780)
Dropped support for RubyMine, WebStorm, and PyCharm. (PRD-11780)
Deprecated support for Eclipse 4.6. (PRD-11781)
Coverity Desktop for Android Studio has the following new and changed feature in 2019.06:
Added Android plugin support for Gradle 3.1.4. (PRD-11803)
The following bug was fixed for Coverity Desktop for Android Studio in 2019.06:
Fixed an issue where entering long strings to run build tests would cause UI issues in cov-wizard.
Coverity Desktop for Eclipse has the following new and changed features in 2019.06:
Added support for Eclipse 2019.03. (PRD-11716)
The Fast Desktop IDEs now support sorting and filtering by MISRA Category level. (PRD-10707; PRD-11740)
Added support for Microsoft Azure DevOps Server (ADS) 2019. (PRD-11749)
Added support for PhpStorm 2019.1, WebStorm 2019.1, and RubyMine 2019.1. (PRD-11766)
The following bug was fixed for Coverity Desktop for Eclipse in 2019.06:
Fixed an issue where using dynamic variables for the working directory in the Eclipse plugin would cause the build to fail. Prior to the fix, the dynamic variables were not being properly evaluated when a custom build command was used.
Coverity Desktop for Eclipse has the following known issues in version 2019.06:
For OSX 10.14 users with JDK-8136913 installed, using the hostname_regex in the coverity.conf file causes a 5 to 30 second delay. We've provided a workaround to fix this issue in our documentation.
Eclipse customers using Plastic SCM may see a failure when the cm.exe file is located in /usr/local/bin/ rather than /usr/bin/. This can be resolved by adding a link to the executable in /usr/bin/.
Coverity Desktop for Microsoft Visual Studio has the following new and changed feature in 2019.06:
Added support for Microsoft Azure DevOps Server (ADS) 2019. (PRD-11751)
Coverity Desktop for IntelliJ IDEA has the following new and changed feature(s) in 2019.06:
Added support for IntelliJ 2019.1. (PRD-11743)
Note: Support for IntelliJ and PyCharm 2019.1 JDK11 has been pushed out to 2019.09. As of 2019.06, we only support IDEA JDK8 products.
Added support for Microsoft Azure DevOps Server (ADS) 2019. (PRD-11749; PRD-11750)
Added support for CLion 2019.1. (PRD-11764)
Coverity Desktop for IntelliJ IDEA has the following known issues in version 2019.06:
Coverity Connect attributes and usernames in the Coverity Desktop plug-in are cached on start up, and not refreshed until IntelliJ is restarted. If you are missing a new username, or some other triage attribute, try restarting IntelliJ.
The Coverity Desktop plug-in does not currently work for the 'Alloy' IDEA theme.
Android Studio does not show the proper 'scope' in the Issues view for local analysis. It just always says "External output file" currently when in local analysis mode.
The triage view will not resize while the History section is expanded. Collapsing the history section will cause the view contents to resize.
Coverity markers in the editor gutter can sometimes be shown in duplicate with the IntelliJ/Android Studio Coverity Desktop plug-in.
Currently any source generated by Gradle Android projects will not be captured by the build process, and will be reported as "Uncaptured" by the IntelliJ and Android Studio IDEs. These files can be ignored by the "Uncaptured Source Files Dialog" or through the "File Exclusions" settings page.
When using whole program checkers in IntelliJ, a warning about missing class files might be seen in the console, which indicates missing class files with incorrect paths. Even if the paths do not seem correct, this should not affect analysis results.
For Coverity Connect users using the Japanese locale, the button in the triage panel was disabled unless the Owner was changed. To work around this, the IDE locale should be the same as the user account locale on the Coverity Connect server. Since IntelliJ currently only supports English, the user account locale on Coverity Connect must be set to English as well.
The Coverity Report Generators' installer can be downloaded from the downloads page in Coverity Connect.
Coverity Report Generators have no deprecations or EOLs in 2019.06.
There were no new or changed features added for the Coverity Report Generators in 2019.06.
The following bug was fixed for the Coverity Report Generators in 2019.06:
During Coverity Reports installation, users are no longer prompted to create file associations for the .covsr, .covmr, .covcr, or .sir file extensions because these extensions are no longer used by Coverity Reports.
Coverity Report Generators have the following known issues and solutions:
For APT-based systems, you may receive an error message during report generation. If you do receive an error message, you are likely missing these libraries: libgl1, libgl1-mesa-dri, and libgl1-mesa-glx.
You can install the missing libraries by using the following command:
apt-get install libgl1 libgl1-mesa-dri libgl1-mesa-glx
During report generation, you might receive the following error: "Loading library prism_es2 from resource failed: java.lang.UnsatisfiedLinkError:"
If you do encounter this error message, please install these missing libraries: libgl1, libgl1-mesa-dri, and libgl1-mesa-glx.
The following new documents and changes were made in 2019.06:
Coverity Plugin, Test Advisor and Wizard support for TFS 2010 has been discontinued as of 2019.06.
A new chapter has been added that describes how you must now configure reports using a .yaml configuration file.
The CodeXM documents are all now in a consistent HTML format.
They have been edited to improve their consistency and clarity.
Fixed a source of OVERRUN false positives involving the use of the strncpy_s function.
Fixed a source of OVERRUN false positives with certain implementations of the va_start function.
Fixed a class of SINGLETON_RACE false positives that occurred when Coverity Analysis did not properly recognize a RequestScope annotation.
Fixed an issue that would cause PRINTF_ARGS false positives when using the %s specifier in a call to the wprintf function on Windows.
Improved Coverity Analysis with Clang compilers, so that false positives are avoided when an object is assigned a temporary value and that object also contains a field that affects a condition.
Updated PRINTF_ARGS to understand the Microsoft-specific I32, I64, and I size attributes.
Fixed an error where invoking the version of swprintf that does not take a size argument resulted in OVERRUN false positives.
Fixed a MISRA C-2012 Rule 14.3 false positive, involving an explicit casting that was handled incorrectly.
This introduces a pragma-based mechanism, allowing inline source code annotations to suppress reporting of defects and false positives that are found in C and C++ code. The fields that are available in the pragma support compliance deviation use cases by generating a CSV file that lists all the suppressed defects and false positives.
Due to a change in our bug tracking system, items are now identified by two bug numbers:
One reflecting the identity of the bug in our old bug tracking system, formatted like this: XXXXXX. (For example, 374568.)
One reflecting the identity of the bug in our new bug tracking system, formatted like this: CODE-XXXXX. (For example, IM-22788.)
Note: Bugs with only a CODE-XXXXX number do not have an old number.
Support for the following products, features, platforms, and third-party tools is classified as deprecated or end-of-life as of the Coverity 2019.03 release.
Support for the following products and features is deprecated as of the Coverity 2019.03 release.
Table 60.1. Deprecated products
Product | Comments |
---|---|
ARM ADS 1.11-1.2 C/C++ compiler support | Supported Compilers: Coverity Analysis for C/C++ |
ARM RVDS 2.0–4.1 C/C++ compiler support | Supported Compilers: Coverity Analysis for C/C++ |
Git 1.4-1.7 support | Coverity Test Advisor Support SCM Systems |
GNU GCC and G++ 2.7.2–8.1.0 compilers on Mac OS support | Supported Compilers: Coverity Analysis for C/C++ |
IAR Embedded Workbench C/C++ 7.30B–8.10 compiler for the 8051 processor support | Supported Compilers: Coverity Analysis for C/C++ |
macOS 10.12 support | Supported Compilers: Coverity Analysis for C/C++ |
Mercurial 1.0-3.0 support | Coverity Test Advisor Support SCM Systems |
Microsoft Visual C++ 6 and 2003 compiler support | Supported Compilers: Coverity Analysis for C/C++ |
Solaris 10 support | Supported Compilers: Coverity Analysis for C/C++ |
STMicroelectronics GNU C/C++ 2.3.1 and 4.1.1 compiler support | Supported Compilers: Coverity Analysis for C/C++ |
Swift compiler running in Xcode 9.0-9.4 support | Supported Compilers: Coverity Analysis Swift |
Support for the following products and features is dropped in the Coverity 2019.03 release.
Table 60.2. End-of-Life Products
Product | Comments |
---|---|
Android Jack compiler support | Supported Compilers: Coverity Analysis for C/C++ |
HP-UX platform support | Supported Compilers: Coverity Analysis for C/C++ |
Java support on Solaris SPARC | Supported Compilers: Coverity Analysis for C/C++ |
macOS 10.11 support | Supported Compilers: Coverity Analysis for C/C++ |
NetBSD 6.1 and earlier support | Supported Platforms for Coverity Analysis |
QNX Momentics 5.0 support | Supported Platforms for Coverity Analysis |
Xbox 360 compiler support | Supported Compilers: Coverity Analysis for C/C++ |
This section provides release notes for Coverity Platform components.
Coverity Connect is a component of the Coverity® Platform installation package.
There has been one EOL for Coverity Connect this release:
Triage store merging and copying are no longer supported. (IM-23489)
The following new and changed features have been added for Coverity Connect this release:
Coverity Connect now supports the Code Sight plugin for IntelliJ, Visual Studio, and Eclipse. The following features are supported:
Coverity Connect and Code Sight can share triage lists
Code Sight can leverage available scan summaries from Coverity Connect to augment the accuracy of results found on the desktop
The following bugs are fixed for Coverity Connect:
Triage store export now provides JSON (gzip) files and import now optionally accepts JSON (gzip) files.
Enhanced the export functionality by filtering out disabled users when the "Do not show disabled users" option was selected in the panel.
Fixed a null pointer exception in the updateComponentMap API when a null value was passed in components.
Fixed a concurrency bug in LDAP integration code, which might have caused login issues for LDAP users.
The Coverity Platform administrator can now unlock all temporarily locked user accounts. An Unlock User Accounts button has been added to the Configuration → System → Authentication and Sign In → Sign In Log screen. This button unlocks accounts of users who are temporarily locked out as a result of repeated unsuccessful login attempts. It does not unlock user accounts that the administrator has explicitly locked.
Triage store export functionality now produces compressed (gzip) JSON data. Triage store import functionality now also accepts compressed JSON data.
Improved the stability of Coverity Connect for Windows operating systems by changing the library that Coverity Connect uses to gather system information.
cov-manage-im now accepts values for the https_proxy environment variable when it contains an http scheme.
The bundled JRE was updated, and now comes from OpenJDK 11. As a result, Coverity Connect is now using enhanced Java garbage collector (GC) logging and low overhead Java flight recording (JFR) is now always enabled.
The GC logs are now named gc_%t_%p.log, where %t is the process start time and %p is the process identifier (PID). Consequently, restarting Coverity Connect does not overwrite the previous GC logs (like it previously did). While the size of GC logs is limited per process, the total size of all GC logs (including the logs from previous runs) is not limited, and the logs from older executions need to be managed by the Coverity Connect administrator because Coverity Connect does not automatically remove them.
Similarly to the GC logs, the size of JFR output is limited per
process, but recordings from previous runs (the file format is
hotspot-pid-%p-id-1-%t.jfr
) need to be managed
by the Coverity Connect administrator because Coverity Connect does not automatically remove
them.
Improved the efficiency of the Policy Manager's Trend Report job, especially for data sets involving large amounts of function data.
Fixed a security issue so that general users are no longer able to improperly access authentication key files.
Recomputed the recent Policy Manager trend data after a configuration change had invalidated the existing data. Prior to this fix, Policy Manager trend charts did not display data before the date of the configuration change.
Fixed a bug in the Purge Snapshot Details functionality that was causing Issue Occurrences to be lost for some Issues for snapshots that were not directly purged. New snapshots would still display the correct Occurrences, but existing snapshots would still be missing data.
Coverity Connect has the following known issues:
All Coverity products, including the installers, support only ASCII characters for file and directory names. Non-ASCII characters, such as Japanese characters, are not supported for these names.
To use Coverity Connect with a mail server (https option), with Bugzilla (https option), and in some other cases, the user has to import certificates into cim/jre/lib/security/cacerts. After running the updater, all of these certificates are gone.
Downloading the binaries to update Java and/or PSQL for security fixes might fail on slow internet connections. Please make sure you have a fast internet connection and retry.
Changing the summary metric name on a coordinator causes the summary metric to disappear from all reports on subscribers. To work around this issue, add the new summary metric back into the reports on subscriber.
User and password information in coverity_config.xml does not override options specified on the command line.
An error occurs when a custom role is created using a multi-word rolename that is the same as a built-in rolename, even if there are case differences between the two rolenames.
Collisions might occur if triage data is deleted from a cluster (used for testing, for example), and then up-to-date triage data is imported from a production instance. This is because deleting triage stores does not delete related CIDs. It is recommended you rebuild the cluster from scratch using the production data.
In a cluster environment, deletion of triage data on the coordinator is not recommended unless it can be verified that there are no subscriber dependencies. Synchronization problems between subscribers and the coordinator might result.
The selected value is not displayed for a Coverity Connect field when using Chrome browser version 47.0.2526.80 on Windows 7.
Using a custom defect export handler script might on occasion create an error when attempting to export data to a bug tracking system.
To prevent database constraint violations on subscribers in a cluster, when a user is deleted, it is marked for deletion instead of being completely (hard) deleted. This status subsequently synchronizes across the cluster.
Although the upgrade doc states that 32-bit to 64-bit in-place database format upgrades are not permitted, some will succeed, yielding valid results. Because in-place upgrade is preferable to backup-and-restore upgrade, we recommend that you try your upgrade in-place and, if it fails, fall back to backup-and-restore upgrade.
If Java 1.7.0_xx or older is used, Out of Memory errors might occur even when the system has a large amount of available RAM. The workaround is to use the Java version shipped with Coverity Platform, or to specify a max heap setting for cov-im-daemon.
Due to a Red Hat Enterprise Linux issue (Bug 1484079), the Coverity Platform installer on CentOS 7 or RHEL v7.4 might fail due to an ArrayIndexOutOfBoundsException error and a stack trace indicating an error with fonts. This can be resolved by installing the dejavu-serif-fonts package.
For customers upgrading their Coverity Platform server from unsupported Coverity versions (such as version 5.x), we recommend that you upgrade to a supported intermediate version (such as 2018.03) before upgrading to 2018.06. We also recommend that you perform a backup of your data beforehand with the Upgrade Preparation feature.
This section provides updates about Coverity Analysis components.
There have been several deprecations and EOLs this release:
Coverity Analysis support for macOS 10.11 has been dropped. (COVP-2102)
The __coverity_tainted_data_argument__, __coverity_tainted_data_return__, __coverity_tainted_string_argument__, and __coverity_tainted_string_return_content__ primitives have been deprecated. These primitives are replaced by __coverity_mark_pointee_as_tainted__, which allows specification of taintType. (SAT-28378)
Coverity Analysis has the following new and changed features:
Added support for Windows Server 2019. (COVP-2087)
Added support for NetBSD v7.1, 7.2, and 8.0. (COVP-2088)
Added support for FreeBSD v11.2 and 12.0. (COVP-2091)
Added support for IsNothing as a null check in Visual Basic. (SAT-26396, 121688)
Added TypeScript support for the COPY_PASTE_ERRORS and DEADCODE quality checkers. (SAT-26374)
Added TypeScript support for the following quality checkers: CONSTANT_EXPRESSION_RESULT, IDENTICAL_BRANCHES, IDENTIFIER_TYPO, MISSING_BREAK, NESTING_INDENT_MISMATCH, STRAY_SEMICOLON, UNEXPECTED_CONTROL_FLOW, UNINTENDED_GLOBAL, and UNREACHABLE. (SAT-27242)
Added support for audit taint analysis in Visual Basic sources. When analysis is run with the --enable-audit-mode option, additional audit-mode defects are reported. (SAT-27998)
Added a built-in model for the Linux _raw_spin_trylock() function. (SAT-28281)
A new command, cov-security-da, runs the dynamic analysis check for security issues that was previously performed by cov-analyze and cov-capture. These commands now invoke cov-security-da instead. For cov-analyze and cov-capture, the --no-security-da option disables the invocation of cov-security-da. (SAT-28393)
Added support for the Mustache template engine to JavaScript Template Dynamic Analysis. (SAT-28568)
Added support for the Nunjucks template engine to JavaScript Template Dynamic Analysis. (SAT-28567)
Added a new option to cov-run-desktop: the --connect-timeout option allows users to change the connection timeout to the given duration (in seconds). (SAT-28563)
The Coverity installers now bundle and run OpenJDK (instead of Oracle JRE).
On 32-bit Windows platforms, the cov-install-updates rollback command failed if the path exceeded 260 characters in length. This limitation has been removed.
Installers for Solaris x86_64 and Solaris SPARC are now only available as archives, not as executable installers. For more information, see Chapter 2.4 Using an archive file to install Coverity Analysis in the Coverity Installation and Deployment Guide.
Due to the removal of Java analysis support, Coverity Analysis installations for Solaris will no longer contain the utilities cov-manage-im, cov-copy-overrun-triage, cov-start-da-broker, and cov-stop-da-broker.
Fixed an issue where analyzing large codebases on Windows, especially on some versions such as Windows server 2016, could result in significant slowdowns.
Fixed a bug for TAINTED_SCALAR where a sink was not generated for a struct field when it was used as a loop bound.
Fixed the configuration for the --dc-config option, so that users can specify a function's name using the unmangled name printed by cov-manage-emit.
The --enable-audit-mode option is now accepted by cov-run-desktop and passed to cov-analyze.
Checker-specific trust options now override the --distrust-all option.
Fixed web application security false negatives involving values that were returned by Django request.GET.get and the % string operator.
Fixed an analysis crash involving an "issueType = BUFFER_SIZE_WARNING" error message.
Fixed a source of false positives involving C99 _Bool and ?: expressions.
Fixed an error that caused the RESOURCE_LEAK no_vararg_leak option to be ineffective.
Fixed an issue where cov-analyze --append would fail to report the set of enabled checkers. With the fix, the set of enabled checkers for cov-analyze is now properly reported when the --append option is used with any tool.
The cov-dotnet-aot command has been removed, as it is no longer necessary. The .NET bytecode that was previously affected by cov-dotnet-aot is now compiled ahead of time (as part of the product).
Fixed a cov-analyze recoverable error that occurred with the UNLOGGED_SECURITY_EXCEPTION checker on some C# throw statements.
Fixed a bug where analysis erroneously considered System.String.Split methods as dereferencing their separator parameter.
A new --checker-option to the cov-make-library command enables users to set checker options when invoking this command. The options set here are passed along to cov-analyze.
Fixed an error that would prevent FORWARD_NULL reports when a function initializes all the members of a struct to 0 or NULL.
Fixed the issue where for...of loops with destructuring iterators caused false positive NO_EFFECT defects.
Improved Coverity Analysis to report TAINTED_SCALAR defects for indices passed to std::vector.
Fixed a crash in cov-analyze dataflow analysis which was caused by long string concatenation.
As of the 2019.03 release, a small amount of work that used to run during cov-analyze now runs during cov-build and cov-capture.
Users may see slightly increased runtime for cov-build and cov-capture, and slightly decreased runtime for cov-analyze.
To revert to the old behavior, you can run cov-build and cov-capture with the --no-security-da option and then run the cov-security-da command before running cov-analyze.
Fixed an analysis crash involving LENGTH_FUNCTION when using the --enable-fnptr option.
The Fortran analysis program was incorrectly substituting backslash characters when composing include file paths with included filenames. The program has been corrected to use only forward slashes in the absolute filenames that it produces.
A logic error in cov-run-fortran caused arguments that do not look like source files to be removed from the argument list, causing include file paths to be elided. This problem has been corrected. Include file paths that are passed with the -I option now work as intended.
Note that the include file paths are part of the input for the Fortran analysis tool, so they must appear after the double dash that separates control options from analysis options.
On Windows platforms, the colon (:) is no longer recognized as a path delimiter. Multiple paths following the -I option should be delimited with semicolons or commas. On Linux platforms, the comma (,) has been added as a path delimiter to support uniform handling of include paths across platforms.
Fixed a source of false positives that occurred when the same condition was checked multiple times and it involved temporary objects.
Fixed an issue that could cause OVERRUN false positives when using the memcpy_s function without a prototype.
Fixed an issue that could cause false positives when a variable was modified using *(type *)&var.
Fixed an issue that caused OVERRUN false positives when using _TRUNCATE with secure Windows API functions.
Fixed the overflow detection logic in the calculation of loop variable bounds to avoid roundup_lower >= *new_lower assertion failures in intervalfpp.cpp.
Improved models for the Apache Commons Codec library. The RISKY_CRYPTO checker and other checkers may report more defects in code that uses this library.
Fixed a false negative in MISRA C-2012 Rule 22.2 where a successful realloc function call was not processed as freeing its pointer argument.
Fixed a false negative in CERT MEM34-C, where a successful realloc function call was not processed as freeing its pointer argument.
Fixed a false negative in FIO34-C caused by integer sizes of different platforms.
Fixed an issue that caused slow performance of the CERT DCL40-C checker.
Fixed a false positive in CERT STR31-C.
Fixed false positives in MISRA C-2012 Rule 6.1 involving explicitly signed and unsigned integer types. We've also improved the defect presentation.
Improved the defect presentation of MISRA C-2012 Rule 21.2 to be clearer.
Fixed false positives in MISRA C-2012 Rule 10.1, 10.3, 10.4 and 10.5 where an integer literal indicating a value of 0 or 1 was incorrectly recognized as a boolean essential type in function-like macros.
Older versions of FlexLM might produce the wrong hostid version. Please make sure you have installed a version of FlexLM which supports Windows 10.
Coverity Analysis cannot be installed into an existing empty folder. Please select a non-existing folder.
The Coverity Analysis installer fails when the installer path contains Japanese characters.
On 64-bit Windows platforms, the length of the command string that can be passed to the Fortran syntax analyzer is limited (internally) to 32768 characters. If this limit is exceeded, cov-run-fortran fails and reports an "Argument list too long" error.
Coverity Fortran Syntax Analysis fails with a memory access violation when run under Clear Linux 4.14-64. There is a possible incompatibility with the Fortran runtime library on the Clear Linux platform.
When --webapp-security-aggressiveness-level is set to high, it has the effect of setting the distrust_all checker option for many checkers. In this case, trusting individual taints using --trust-<taint-type> options does not override the distrust_all checker option. Note that --enable-audit-mode sets --webapp-security-aggressiveness-level=high by default. This describes the current behavior. It might change in future releases and should not be relied upon.
The following sections describe new and updated features, bug fixes, and known issues for Coverity checkers and associated elements.
The following table lists new checkers and the languages they support.
Checker | Languages |
---|---|
CONFIG.ANDROID_BACKUPS_ALLOWED | Android CodeXM |
CONFIG.ANDROID_UNSAFE_MINSDKVERSION | Android CodeXM |
CONFIG.ANDROID_OUTDATED_TARGETSDKVERSION | Android CodeXM |
CONFIG.JSONWEBTOKEN_NON_EXPIRING_TOKEN | JavaScript |
CONFIG.MYSQL_SSL_VERIFY_DISABLED | JavaScript |
CONFIG.REQUEST_STRICT_SSL_DISABLED | JavaScript |
CONFIG.SOCKETIO_MAXHTTPBUFFERSIZE_SET_TOO_LARGE | JavaScript |
CONFIG.SOCKETIO_ORIGINS_ACCEPT_ALL | JavaScript |
CONFIG.SEQUELIZE_ENABLED_LOGGING | JavaScript |
The following table documents added language support for existing checkers.
Languages | Checkers | Checkers |
---|---|---|
TypeScript | | |
New and changed checkers
The XML_EXTERNAL_ENTITY checker reports more defects when data from the filesystem is distrusted.
For the PATH_MANIPULATION checker, built-in sanitizer heuristics are now disabled when the --enable-audit-mode option is present.
The NO_EFFECT checker no longer reports on 0, <IIFE> (the JavaScript idiom), which is used to disambiguate IIFEs (Immediately Invoked Function Expressions) from function definitions.
The following checkers have been updated as indicated. Note that the updates vary subtly between checkers. For example, although the four options mentioned are always the same four, in some cases the options are newly added to the checker, while in other cases they already existed but have added language support:
ANGULAR_EXPRESSION_INJECTION
Added these new options: trust_mobile_other_app: <boolean>, trust_mobile_other_privileged_app: <boolean>, trust_mobile_same_app: <boolean>, and trust_mobile_user_input: <boolean>.
COOKIE_INJECTION
Added TypeScript language support to the COOKIE_INJECTION checker.
Added these new options: trust_mobile_other_app: <boolean>, trust_mobile_other_privileged_app: <boolean>, trust_mobile_same_app: <boolean>, and trust_mobile_user_input: <boolean>.
CSS_INJECTION
Added TypeScript language support to the CSS_INJECTION checker.
Added these new options: trust_mobile_other_app: <boolean>, trust_mobile_other_privileged_app: <boolean>, trust_mobile_same_app: <boolean>, and trust_mobile_user_input: <boolean>.
DOM_XSS
Added TypeScript language support to the DOM_XSS checker.
Added these new options: trust_mobile_other_app: <boolean>, trust_mobile_other_privileged_app: <boolean>, trust_mobile_same_app: <boolean>, and trust_mobile_user_input: <boolean>.
HEADER_INJECTION
Added TypeScript language support to the HEADER_INJECTION checker.
Added these new options for JavaScript and TypeScript only: trust_mobile_other_app: <boolean>, trust_mobile_other_privileged_app: <boolean>, trust_mobile_same_app: <boolean>, and trust_mobile_user_input: <boolean>.
LOCALSTORAGE_MANIPULATION
Added TypeScript language support to the LOCALSTORAGE_MANIPULATION checker.
Added these new options: trust_mobile_other_app: <boolean>, trust_mobile_other_privileged_app: <boolean>, trust_mobile_same_app: <boolean>, and trust_mobile_user_input: <boolean>.
PATH_MANIPULATION
Added TypeScript language support to the PATH_MANIPULATION checker.
Added JavaScript, PHP, Python, and TypeScript language support to these options: trust_mobile_other_app: <boolean>, trust_mobile_other_privileged_app: <boolean>, trust_mobile_same_app: <boolean>, and trust_mobile_user_input: <boolean>.
REGEX_INJECTION
Added TypeScript language support to the REGEX_INJECTION checker.
Added JavaScript and TypeScript language support to these options: trust_mobile_other_app: <boolean>, trust_mobile_other_privileged_app: <boolean>, trust_mobile_same_app: <boolean>, and trust_mobile_user_input: <boolean>.
SCRIPT_CODE_INJECTION
Added TypeScript language support to the SCRIPT_CODE_INJECTION checker.
Added these new options for JavaScript, PHP, Python, and TypeScript only: trust_mobile_other_app: <boolean>, trust_mobile_other_privileged_app: <boolean>, trust_mobile_same_app: <boolean>, and trust_mobile_user_input: <boolean>.
SESSIONSTORAGE_MANIPULATION
Added TypeScript language support to the SESSIONSTORAGE_MANIPULATION checker.
Added these new options: trust_mobile_other_app: <boolean>, trust_mobile_other_privileged_app: <boolean>, trust_mobile_same_app: <boolean>, and trust_mobile_user_input: <boolean>.
SQLI
Added TypeScript language support to the SQLI checker.
Added JavaScript, PHP, Python, and TypeScript language support to these options: trust_mobile_other_app: <boolean>, trust_mobile_other_privileged_app: <boolean>, trust_mobile_same_app: <boolean>, and trust_mobile_user_input: <boolean>.
TEMPLATE_INJECTION
Added TypeScript language support to the TEMPLATE_INJECTION checker.
Added these new options: trust_mobile_other_app: <boolean>, trust_mobile_other_privileged_app: <boolean>, trust_mobile_same_app: <boolean>, and trust_mobile_user_input: <boolean>.
URL_MANIPULATION
Added TypeScript language support to the URL_MANIPULATION checker.
Added these new options: trust_mobile_other_app: <boolean>, trust_mobile_other_privileged_app: <boolean>, trust_mobile_same_app: <boolean>, and trust_mobile_user_input: <boolean>.
The CONFIG.SEQUELIZE_ENABLED_LOGGING checker finds cases where a Sequelize connection is created with logging enabled. In these cases, the SQL queries would be logged to the console and may leak sensitive data.
The new CONFIG.SOCKETIO_ORIGINS_ACCEPT_ALL checker finds cases where a socket.io instance is configured to allow connections from any origin.
The new CONFIG.SOCKETIO_MAXHTTPBUFFERSIZE_SET_TOO_LARGE checker finds cases where a Socket.IO server is created with a buffer size that is too large.
The new CONFIG.MYSQL_SSL_VERIFY_DISABLED checker finds cases where a MySQL connection is configured to not verify the validity of the SSL certificate and accepts invalid certificates.
The new CONFIG.JSONWEBTOKEN_NON_EXPIRING_TOKEN checker finds cases where JWTs are created without an expiration time, making them tokens that are valid forever.
CONFIG.ANDROID_BACKUPS_ALLOWED, a new Android CodeXM checker, reports a defect in an AndroidManifest.xml file when an application is configured to allow its data to be backed up. Backup files can leak sensitive information or can be tampered with and then restored to the same or to a different device, potentially evading security controls and assumptions.
The CONFIG.REQUEST_STRICT_SSL_DISABLED checker finds cases where the request module makes calls over an SSL channel and disables the verification of the SSL certificate.
CONFIG.ANDROID_OUTDATED_TARGETSDKVERSION, a new Android CodeXM checker, reports a defect in an AndroidManifest.xml file when an application is configured to target a version of the Android operating system that is not the latest available. By targeting older OS versions, the application cannot take advantage of security enhancements added in later OS versions.
CONFIG.ANDROID_UNSAFE_MINSDKVERSION, a new Android CodeXM checker, reports a defect in an AndroidManifest.xml file when an application is configured to run on a legacy Android operating system version that no longer receives security updates and that contains high-risk, publicly known vulnerabilities. Allowing an application to execute on such Android versions is unsafe, as malicious applications might exploit operating system weaknesses to perform a variety of attacks.
Further increased Coverity's coverage of the AUTOSAR C++14 standard, 18-10 edition.
Trust options have been added for the following checkers:
INTEGER_OVERFLOW, TAINTED_STRING, TAINTED_SCALAR, OS_CMD_INJECTION, PATH_MANIPULATION, XPATH_INJECTION, and SQLI.
Updated the version of SpotBugs used internally. The following checkers are no longer available due to removal from newer versions of SpotBugs:
VA_FORMAT_STRING_BAD_CONVERSION
VA_FORMAT_STRING_BAD_CONVERSION_TO_BOOLEAN
VA_FORMAT_STRING_BAD_CONVERSION_FROM_ARRAY
VA_FORMAT_STRING_NO_PREVIOUS_ARGUMENT
VA_FORMAT_STRING_ARG_MISMATCH
VA_FORMAT_STRING_BAD_ARGUMENT
VA_FORMAT_STRING_MISSING_ARGUMENT
VA_FORMAT_STRING_ILLEGAL
VA_FORMAT_STRING_EXTRA_ARGUMENTS_PASSED
VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED
XSS
The XSS checker can report multiple occurrences of the same local defect under certain circumstances.
INTEGER_OVERFLOW
Churn for the preview INTEGER_OVERFLOW checker might be higher in this release compared to churn for other checkers.
This section lists new features, bug fixes, and known issues related to Coverity-supported compilers (including configuration), and the Compiler Integration Toolkit (CIT).
There were several deprecations and EOLs for Compiler Integration Toolkit (CIT) this release:
Support for emitting Java on Solaris SPARC has been dropped. (CMPJ-1105)
Support for ARM ADS 1.1 C/C++ compilers is now deprecated.
Support for ARM ADS 1.2 C/C++ compilers is now deprecated.
Support for ARM RVDS 2.0–4.1 C/C++ compilers is now deprecated. (CMPG-2928)
Support for the STMicroelectronics GNU C/C++ 4.1.1 compiler is now deprecated.
Support for the STMicroelectronics ST Micro C/C++ 2.3.1 compiler is now deprecated. (CMPG-2929)
Support for the IAR Embedded Workbench C/C++ 7.30B–8.10 compiler for the 8051 processor is now deprecated. (CMPG-2930)
Support for the Microsoft Visual C++ 6 and 2003 compilers is now deprecated. (CMPG-2931)
Support for Solaris 10 is now deprecated. (CMPG-2932)
Support for GNU GCC and G++ 2.7.2–8.1.0 compilers on Mac OS is now deprecated. (CMPG-2933)
Support for the HP-UX platform has been removed. (CMPG-2945)
Support for the Android Jack compiler has been dropped. (CMPG-2947)
Support for the XBox 360 compiler has been dropped. (CMPG-2948)
Support for NetBSD 6.1 and earlier has been dropped. (CMPG-2951)
Support for the Swift compiler running in Xcode 9.0-9.4 is now deprecated. (CMPSWIFT-241)
Added Java 11 support for cov-emit-java. (CMPJ-1087)
Added support for wildcards in the cov-emit-java --module-source-path option. (CMPJ-1121)
Added support for the Green Hills Optimizing C and C++/EC++ ARM 2018.1.4 compiler. (CMPCPP-8322)
The following bugs are fixed for compilers and the Compiler Integration Toolkit (CIT) for Coverity Analysis analysis in 2019.03:
Fixed an issue with cov-build on Unix-like platforms that would cause the build to fail with "capture-unix.c: assertion failed: s_new".
Addressed a Coverity Analysis false positive involving the CallerMemberName, CallerLineNumber, and CallerFilePath attributes in C# and Visual Basic analysis.
cov-emit will now ignore the following set of pragma directives: diag_suppress, diag_remark, diag_warning, diag_error, diag_once, and diag_default. Previously, use of these directives intended for the native compiler could inadvertently interfere with diagnostics produced by cov-emit.
Non-source files (such as .doj and .idf) that are input to a Blackfin compiler invocation are no longer incorrectly treated as source files.
Improved the performance of cov-emit when emitting classes with a large number of base classes and virtual functions.
cov-emit now accepts C++17 nested namespaces in pre-C++17 modes when emulating recent versions of GCC.
Fixed various parse errors, which were caused by friend template functions.
cxxintppc.exe, the Green Hills Integrity OS compiler, no longer causes errors when used in preprocessor code that detects whether exceptions are enabled.
Fixed a spurious error in cov-emit where a template parameter default argument included a cast operation applied to a nontrivial expression with a constant value.
Fixed a spurious error that occurred in cov-emit when a type qualifier was applied to a function type in an alias template.
Fixed an issue involving MetaWare ccac switches, where some switches were insufficiently translated.
Fixed an internal error in cov-emit that could occur when certain complex macro expansions were performed.
Corrected the Clang compiler configuration to forward the -flto and -fvisibility options to compiler probes in order to satisfy the requirements when using the -fsanitize=cfi option.
Fixed a case of memory corruption in cov-emit when a call was made to an extern inline method, and the target of the call was wrapped in parentheses. For example: (f)().
Fixed an issue in cov-emit-cs where property assignments in a deconstruction expression could cause the following assertion failure in analysis: "Function object should have function type".
Fixed a Java compilation bug involving type annotations on method parameters. If the type was defined in an implicitly resolved source file, it could cause a crash.
Fixed an issue in cov-emit-java where the frontend could generate incorrect information for generic classes, depending upon the order in which classes were encountered.
Fixed an issue where cov-emit-java was rejecting command lines with multiple instances of the --add-reads, --add-exports, and --add-modules options.
Absolute file paths in HTML files are now resolved correctly against the web root path. Users can pass the web root path with the --fs-library-path option.
Fixed the issue where for...of loops with destructuring iterators caused false positive NO_EFFECT defects.
Improved the performance of emitting JavaScript (.js) source files that use JSX and TypeScript features.
Improved the extraction of AngularJS code from HTML attributes to avoid a spurious syntax error.
Fixed an issue in which source map files captured along with JavaScript source files could, in rare circumstances, result in a hang or crash while processing the JavaScript source.
Fixed an issue that avoids database corruption. The issue would occur when deleting JavaScript translation units that were associated with module link records.
Removed the extraneous error messages that were produced (by the Python 2 compiler) when the Python compiler version was unspecified and a later version of Python successfully parsed the source code.
Clang compilers that are invoked with the -fsyntax-only option will cause any translation units in that invocation to no longer be emitted.
Corrected an issue that caused cov-internal-emit-clang to fail with a "Key not found" assertion failure. This issue occurred when capturing Clang compiler invocations where Clang module support was enabled.
The -lang switch for the Renesas compilers now sets the source language for all source files on the command line, including source files that appear before the switch.
cov-build --instrument has a known issue when running the xdcmake.exe tool of Visual Studio 2010 when launched from a 32-bit process on Windows 10. This will currently fail with a System.BadImageFormatException exception. To work around this issue you can either:
Modify the build such that xdcmake.exe is run from a 64-bit process.
Ignore the xdcmake.exe process by adding --capture-ignore xdcmake.exe to your cov-build invocation.
The JavaScript front end no longer supports nameless function statements. (Nameless function expressions are supported as before.) A function statement without a declared name is a syntax error according to the ECMAScript standard, but may be used in JavaScript source files used with some frameworks.
The default charset for the Java 1.8 VM on Mac appears to be UTF-8 if a charset has not been explicitly set. The Coverity Java compiler does not emulate this behavior. Make sure to explicitly set the character encoding by setting a locale using the LANG or LC_CTYPE environment variables.
This section provides updates about cov-build and related commands, including capture, emit, and translate commands.
Buildless capture is no longer supported on Solaris SPARC. (BLC-457)
The following new and changed features were added for commands related to the build and capture process (including emit and translate commands) in 2019.03:
C# buildless capture now supports projects targeting any target framework as long as the relevant SDK is present on the system. (BLC-395)
For C# buildless capture: As long as the user has the required SDK installed on their system, buildless capture will now be able to capture projects targeting any target framework. (BLC-433)
There were several bugs fixed for build and capture-related commands (including emit and translate commands) in 2019.03:
Customers no longer need to install Bower for use with buildless capture.
Capturing JavaScript projects with cov-capture on Windows should no longer leave occasional node.exe processes running after completion.
Capturing JavaScript projects with cov-capture on Windows should no longer encounter occasional hangs in npm during project inspection.
Build-related commands have the following known issues and solutions:
If you have KB2919355 (http://support.microsoft.com/kb/2919355) installed on a Windows 2012 system, you might encounter the build hanging under cov-build if MSBuild is used. When this hang occurs, the process tree will show MSBuild still running under cov-build, even though there will be no output or progress from MSBuild.
To work around this issue, you can either:
Uninstall KB2919355
OR
Add the --instrument flag to your cov-build invocation:
> cov-build --dir dir --instrument msbuild ..
On Windows, when preprocessing a file with cov-emit to the Windows console, cov-emit might fail with a catastrophic error if the character encoding of the preprocessed output is not compatible with the console encoding.
This error can be avoided by redirecting the preprocessed output to a file.
Running cov-emit-java to emit a web application (with --war --findears or similar) might fail if the number of JAR files in its classpath (including those found with --findjars) exceeds the operating system's per-process file limit. To work around this case, either increase the per-process open file limit or remove unnecessary JARs from the classpath.
If you receive the following error message when using cov-build, you can work around this issue by using the --instrument option.
Error message:
[WARNING] Compilations that use 32-bit Java tools running on 64-bit Windows were detected during this build. Such compilations are not supported at the moment; analysis might be incomplete or invalid because of that.
Workaround:
> cov-build --dir t1 --instrument ant
This section lists new features, bug fixes, and known issues for
cov-analyze
and related commands.
There were no new features added or changed for commands related to the analysis process in 2019.03.
Analysis-related commands have the following known issues and solutions:
The cov-run-desktop command sometimes fails on large Java compilations, potentially causing emit database corruption on Windows platforms. This can manifest as a cov-analyze crash. More commonly, cov-emit-java itself will fail with access violation crashes or errors concerning a failure to acquire a lock. These will appear in cov-run-desktop-log.txt. If this issue occurs, you can work around it by specifying -j 1 with cov-run-desktop.
This section lists new features for Test Advisor.
This section lists new features, bug fixes, and known issues related to Coverity Wizard.
Coverity Wizard has the following new and changed feature in 2019.03:
Coverity Wizard now allows users to set the context path used to connect to the Coverity Connect server. The host, port, and SSL fields in the Commit Defect configuration page have been merged into a single URL field. (PRD-10597)
Coverity Wizard has the following known issues in version 2019.03:
Using the 'Duplicate' button for configuring compilers in Coverity Wizard does not work.
Coverity Wizard now warns the user every time they select the 'Test Prioritization' workflow, even if they did not first work with the regular analysis workflow. This can be safely ignored.
When using a self-signed certificate, if the user chooses not to trust the certificate, they might be prompted multiple times in a row to trust it. Pressing 'No' at each prompt gets through them; to avoid the prompts altogether, change the Coverity Connect server settings.
After upgrade, Coverity Wizard can sometimes give a ReferenceMap NullPointerException application error on startup. To work around this issue, delete the .orphan file in the <install_dir_sa>/jars/cwiz/configurations/org.eclipse.core.runtime folder.
When in the Test Prioritization workflow, on the View Results page, clicking the button might not work for some older Linux distributions.
The guided policy creation wizard "Documentation" link fails to open properly on Linux. Open the Coverity Wizard 2020.12 User Guide separately to view this documentation.
The Guided Test Advisor Policy Creation Wizard uses Java regex validation instead of the Perl regex validation that Coverity Analysis Test Advisor uses. This should not cause any issues for most users, but if there is a difference, go to the more advanced Test Prioritization Policy Editor and Debugger to enter the proper regex.
In Coverity Wizard, after automatically configuring the compilers in the screen, the status indicator for the screen might not update from the exclamation mark icon to the check mark icon, which makes it appear as though the auto-configuration was unsuccessful. However, clicking anywhere in the Coverity Wizard window or changing pages will cause the indicator to update to the check mark icon.
Not all the Preference dialog text is translated into Japanese on the syntax coloring dialog.
In the Coverity Wizard Policy Editor, the 'Link to Editor' icon in the Outline View might be toggled as enabled, even though the editor is not actually linked with the Outline View.
To enable outline linking, toggle the 'Link to Editor' button to disabled, and back to enabled again.
Coverity Test Advisor is a component of the Coverity Analysis installation package.
There have been several deprecations and EOLs this release:
The export-ta-qae-data subcommand of the cov-manage-emit command is no longer supported. (TADE-1981)
Coverity Test Advisor support for Git 1.4–1.7 is deprecated. (TADE-1982)
Coverity Test Advisor support for Mercurial 1.0–3.0 is deprecated. (TADE-1983)
Test Advisor has the following known issues and solutions in 2019.03:
All Coverity products, including the installers, support only ASCII characters for file and directory names. Non-ASCII characters, such as Japanese characters, are not supported for these names.
Dynamic Analysis is a component of the Coverity® Analysis installation package.
Dynamic Analysis has the following known issues and solutions in 2019.03:
All Coverity products, including the installers, support only ASCII characters for file and directory names. Non-ASCII characters, such as Japanese characters, are not supported for these names.
If Dynamic Analysis reports defects in classes that were compiled without debugging information, or contain mangled information due to misbehaving code coverage or AOP tool, the defect report might contain nonsensical line numbers or file names.
Specifying certain combinations of the instrument-arrays, instrument-collections, detect-races, and detect-deadlocks options to the Dynamic Analysis agent has unexpected behavior. In particular, Dynamic Analysis still reports races on arrays and collections according to the instrument-arrays and instrument-collections options when detect-races is false and detect-deadlocks is true. However, if both detect-races and detect-deadlocks are false, then Dynamic Analysis reports races on neither collections nor arrays.
If you do not specify a class in the cov-start-da-broker classpath option, the corresponding source file isn't committed, even if the source file is present on the source path.
Coverity Architecture Analysis is a component of the Coverity Analysis installation package.
Coverity® Extend Software Development Kit is a component of the Coverity® Analysis installation package.
The Coverity Desktop plug-in is available for various platforms from the Coverity Connect Downloads menu.
There has been one EOL this release:
Dropped Coverity Desktop support for QNX Momentics 5.0. (PRD-11694)
Coverity Desktop for Android Studio has the following new and changed features in 2019.03:
Added support for Android Studio v2018.3. (PRD-10683; PRD-11683)
The following bug was fixed for Coverity Desktop for Android Studio in 2019.03:
In Android Studio 3.0, some dialogs in the Coverity Desktop plug-in had an extra help button with no help message available. This has been fixed in the latest Android Studio version.
Coverity Desktop for Eclipse has the following new and changed features in 2019.03:
The Eclipse extension now allows users to set the context path to connect to the Coverity Connect server. The host, port, and ssl fields in the Coverity Connect configuration page have been merged into a single URL field. (PRD-10596)
Added support for Java 11. (PRD-10641)
Added support for Eclipse 4.10 (SimRel 2018-12) (PRD-11661)
Added support for CLion v2018.3. (PRD-11684)
Added support for RubyMine, PhpStorm, WebStorm, and PyCharm v2018.3. (PRD-11685)
Added support for QNX Momentics 7.0. (PRD-11694)
The following bug was fixed for Coverity Desktop for Eclipse in 2019.03:
The --enable-java-annotation-framework-support option is now enabled by default, so plugin users no longer need to specify it in their coverity.conf file as an extra cov-build option.
Coverity Desktop for Eclipse has the following known issues in version 2019.03:
For macOS 10.14 users whose JDK is affected by JDK bug JDK-8136913, using the hostname_regex setting in the coverity.conf file causes a 5 to 30 second delay. A workaround for this issue is provided in our documentation.
Eclipse customers using Plastic SCM might see a failure when the cm.exe file is located in /usr/local/bin/ rather than /usr/bin/. This can be resolved by adding a link to the executable in /usr/bin/.
Coverity Desktop for Microsoft Visual Studio has the following new and changed features in 2019.03:
The Visual Studio extension now allows users to set the context path to connect to the Coverity Connect server. (PRD-10693)
Coverity Desktop for IntelliJ IDEA has the following new and changed feature(s) in 2019.03:
The IntelliJ extension now allows users to set the context path to connect to the Coverity Connect server. The host, port, and ssl fields in the Coverity Connect configuration page have been merged into a single URL field. (PRD-10596)
Added support for IntelliJ v2018.3. (PRD-11656)
Coverity Desktop for IntelliJ IDEA has the following known issues in version 2019.03:
Coverity Connect attributes and usernames in the Coverity Desktop plug-in are cached on start up, and not refreshed until IntelliJ is restarted. If you are missing a new username, or some other triage attribute, try restarting IntelliJ.
The Coverity Desktop plug-in does not currently work for the 'Alloy' IDEA theme.
Android Studio does not show the proper 'scope' in the Issues view for local analysis. It just always says "External output file" currently when in local analysis mode.
The triage view will not resize while the History section is expanded. Collapsing the history section will cause the view contents to resize.
Coverity markers in the editor gutter can sometimes be shown in duplicate with the IntelliJ/Android Studio Coverity Desktop plug-in.
Currently any source generated by Gradle Android projects will not be captured by the build process, and will be reported as "Uncaptured" by the IntelliJ and Android Studio IDEs. These files can be ignored by the "Uncaptured Source Files Dialog" or through the "File Exclusions" settings page.
When using whole program checkers in IntelliJ, a warning about missing class files might be seen in the console, which indicates missing class files with incorrect paths. Even if the paths do not seem correct, this should not affect analysis results.
For Coverity Connect users using the Japanese locale, the button in the triage panel was disabled unless the Owner was changed. To work around this, the IDE locale should be the same as the user account locale on the Coverity Connect server. Since IntelliJ currently only supports English, the user account locale on Coverity Connect must be set to English as well.
The Coverity Report Generators' installer can be downloaded from the downloads page in Coverity Connect.
Coverity Report Generators have no deprecations or EOLs in 2019.03.
The following new and changed features were added for the Coverity Report Generators in 2019.03:
The Coverity Report Generators in this installation use a new and unified configuration file mechanism. All report generators are now configured using the same configuration file format and schema. The new format is human-readable and YAML-based. See the config/config.yaml configuration file for full documentation and an example of how to configure the report generators. The old configuration formats are no longer supported. (RG-1086)
There was one bug fixed for the Coverity Report Generators in 2019.03:
Updated the Report Generators so that they refer to the 2017 version of the OWASP Top 10 Application Security Risks.
Coverity Report Generators have the following known issues and solutions:
During report generation, you might receive the following error: "Loading library prism_es2 from resource failed: java.lang.UnsatisfiedLinkError:"
If you encounter this error message, install the missing libraries: apt-get install libgl1 libgl1-mesa-dri libgl1-mesa-glx
The following new documents and changes were made in 2019.03:
The extract-files sub-command was added to the cov-manage-emit command in release 2018.09, but the <filename> argument was accidentally omitted from the Command Reference. This argument has now been added to the Command Reference.
Coverity Analysis, Coverity Wizard, and Coverity Desktop support for macOS 10.12 has been deprecated as of 2019.03.
Added the PRINTF_ARGS checker to the Checker History Appendix in the Coverity Checker Reference.
Coverity Desktop support for Visual Studio 2013 has been deprecated as of 2019.03.
Coverity Desktop support for QNX Momentics 5.0 is end-of-life.
Coverity Desktop support for QNX Momentics 7.0 is added.
The following commands and options have already been released, but were not documented. Documentation has been added for the following:
The cov-emit-vb command
The following options to the cov-emit-cs command:
--langversion
--link
--target
The __coverity_tainted_data_argument__, __coverity_tainted_data_return__, __coverity_tainted_string_argument__, and __coverity_tainted_string_return_content__ primitives have been deprecated. These primitives are replaced by __coverity_mark_pointee_as_tainted__, which allows specification of taintType.
Coverity Analysis now supports the following frameworks: ReactiveX (RxJava, Reactor), Ember, Fastify, Restify, and Google Cloud APIs (Storage).
Fixed a false positive in CERT EXP62-CPP that occurred when using the memset function on an array of pointers to class objects.
Fixed a false positive in CERT FLP32-C where user-defined functions were mistaken for standard math functions.
Fixed a false positive in CERT OOP51-CPP where an expected object slicing did not occur.
Fixed a false positive in CERT OOP57-CPP that occurred when using the memset function on an array of pointers to class objects.
Fixed an error where invoking the version of swprintf that does not take a size argument would result in OVERRUN false positives.
Updated PRINTF_ARGS to understand the Microsoft-specific I32, I64, and I size attributes.
Fixed a class of OVERRUN false positives that occurred when accessing a buffer within a decreasing loop in a callee.
Fixed a class of NO_EFFECT false positives, which incorrectly reported on a misused comma operator when va_start was invoked in Visual Studio 2017.
A number of performance improvements have been made, and a mitigation option has been added as a temporary workaround for the remaining performance issues. It is similar to --no_emit_referenced_types, but rather than being all-or-nothing it is a dial: a threshold from zero to infinity that controls a heuristic, so lower settings are faster. The dial affects fidelity by eliminating some referenced types, but the impact is expected to be minimal. The ideal setting is code-base specific and has to be determined experimentally, although simply using 0 for all code bases might be acceptable. The threshold is set through the COVERITY_REFERENCED_TYPES_THRESHOLD environment variable, for example:
$ COVERITY_REFERENCED_TYPES_THRESHOLD=80 cov-build --dir emit make
Fixed an error that caused SSL verification failures, resulting in the following error message: "Server's SSL certificate is not trusted. Its CA certificate was found but a chain of trust could not be constructed." This error occurred when multiple CA certificates with the same name were installed.
Defects were reported at line 1 of a generated JavaScript file, where the source file (indicated by a source map) was not found on the file system. Now, the defects are reported at the relevant location in the generated file.
Provided a workaround that avoids an assertion violation during analysis. The crash occurred when there was an inconsistency in the emit of the TypeScript syntax export = class { ... }.
Corrected an issue with Clang compilers that resulted in a "decl is part of a template" assertion failure error message and a TU loss. This occurred when capturing a build where the support for compliance checkers was enabled.
Fixed an issue in cov-emit-java where the front end could generate incorrect information for generic classes depending upon the order in which classes were encountered.
Fixed an issue where cov-emit-java was rejecting command lines with multiple instances of the --add-reads, --add-exports, and --add-modules options.
Corrected an issue that caused cov-internal-emit-clang to fail with a "Key not found" assertion failure diagnostic when capturing Clang compiler invocations where Clang module support was enabled.
Fixed a Microsoft compatibility issue in cov-emit where a parse error was emitted on a specialization of a template function with different exception specifiers.
Previously, when cov-capture was used on Windows to capture a JavaScript project that uses the Bower package manager, the Bower utility failed to run. As a result, dependencies were not downloaded correctly. This has been fixed.
Fixed a bug where the enabled-checkers setting in the ANALYSIS.metrics.xml file did not include regular quality or security checkers, even though they were enabled.
Due to a change in our bug tracking system, items are now identified by two bug numbers:
One reflecting the identity of the bug in our old bug tracking system, formatted like this: XXXXXX. (For example, 374568.)
One reflecting the identity of the bug in our new bug tracking system, formatted like this: CODE-XXXXX. (For example, IM-22788.)
Note: Bugs with only a CODE-XXXXX number do not have an old number.
Support for the following products, features, platforms, and third-party tools is classified as deprecated or end-of-life as of the Coverity 2018.12 release.
Support for the following products and features is deprecated as of the Coverity 2018.12 release.
Table 73.1. Deprecated products
Product | Comments
---|---
Accurev 6.2 support | Coverity Test Advisor Support SCM Systems
AIX 6.1 support | Supported Platforms for Coverity Analysis
Android Studio 2.2 support | Supported Platforms for Coverity Analysis
Desktop plugin support for Eclipse v4.5 | Coverity Desktop Eclipse platform support
GNU-GCC version 2.x compiler support | Supported Compilers: Coverity Analysis for C/C++
HI-TECH PICC compiler support | Supported Compilers: Coverity Analysis for C/C++
HP-UX platform support | Supported Platforms for Coverity Analysis
IntelliJ IDEA 2016.1 and 2016.3 support | Supported Platforms for Coverity Analysis
Linux Kernel 2.6.31 and older deprecated for Coverity Connect | Supported Platforms for Coverity Analysis
misra_config settings have been deprecated | Users can use the coding_standard_config option instead.
NetBSD 6.1 and earlier deprecated for Coverity | Supported Platforms for Coverity Analysis
Perforce 2014.2-2015.1 support | Coverity Test Advisor Support SCM Systems
2016.3 version support for RubyMine, WebStorm, PyCharm, and PhpStorm | Supported Platforms for Coverity Analysis
SNC C/C++ and SNC GNU C/C++ compilers support | Supported Compilers: Coverity Analysis for C/C++
TFS 2010 support | Coverity Test Advisor Support SCM Systems
TriMedia compiler support | Supported Compilers: Coverity Analysis for C/C++
Visual Studio 2008 support | Supported Platforms for Coverity Analysis
Windows Server 2008 SP2 support deprecated for Coverity Analysis | Supported platforms
Xbox 360 compiler | Supported Compilers: Coverity Analysis for C/C++
Xcode gcc 4.2 and llvm-gcc 4.2 support | Supported Compilers: Coverity Analysis for C/C++
Support for the following products and features is dropped in the Coverity 2018.12 release.
Table 73.2. End-of-Life Products
Product | Comments
---|---
Accurev 6.0 and 6.1 support | Coverity Test Advisor Support SCM Systems
Apple Clang 2.1-5.1 support | Supported Compilers: Coverity Analysis for C/C++
Clearcase 7.0.x, 7.1.x and 8.0.x support | Coverity Test Advisor Support SCM Systems
Eclipse 4.5 support | Supported Compilers: Coverity Analysis for C/C++
Perforce 2007.2 – 2014.1 support | Coverity Test Advisor Support SCM Systems
Linux Kernel 2.6.31 and older support dropped for Coverity Analysis | Supported Platforms for Coverity Analysis
Scratchbox support dropped for Coverity Analysis | Supported Compilers: Coverity Analysis for C/C++
TFS 2008 support | Coverity Test Advisor Support SCM Systems
This section provides release notes for Coverity Platform components.
Coverity Connect is a component of the Coverity® Platform installation package.
There has been one deprecation for Coverity Connect this release:
Coverity Connect support is deprecated in the Pacific release for Linux Kernel 2.6.31 and earlier. (SAT-27278)
The WRITE_DEFECTS variable has been renamed WRITE_ISSUES_JSON. (RG-1049)
Added support for Tomcat 8.0.53. (IM-22827)
The following bugs are fixed for Coverity Connect:
Fixed an RBAC issue which caused an infinite refresh loop on the Visitor role when viewing a project.
For concurrent commits with a commitPoolThreads value of less than five, the value is now changed to 5, which is the default commit pool size.
Improved the Coverity Connect instance startup and availability.
Fixed a bug in the code that sent email notifications about commit action completion. This was causing commit actions to hang in cases where had incorrect authentication data.
Fixed an issue that was causing excessive memory usage when browsing functions in the High CCM (>15) view. We also improved the performance for browsing functions in this view.
When restoring large backup dump files, pg_restore might throw an error such as "pg_restore: [parallel archiver] could not create worker process: Cannot allocate memory". We've fixed this by adding more memory.
Fixed an issue where the Configuration - Users & Groups dialog would close immediately after being opened by an Administrators group member.
It is now possible to create two LDAP configurations that have the same server and port.
Fixed an issue where the cov-platform installer would not properly create a keystore in new Coverity instances if the hostname had been changed during .
Resolved an issue where installing cov-analysis into Program Files on Windows without the Extend SDK would cause Incremental Updates to fail.
Fixed an issue where a stack trace would be printed to the console when upgrading a Coverity instance with a disabled HTTP proxy server.
The Linux Coverity Connect installer will now fail if it is run with root permissions. It will also provide the user with an explanation for the failure.
Improved the error handling and messaging for argument parsing of unattended installers.
Resolved an issue where a Backup and Restore of Coverity on Windows could not be installed into a non-existent directory.
Fixed an error that occurred for some Windows users where the Coverity updater failed to work properly. Prior to the fix, the updater failed to remove older files and would not properly create any new files.
When performing a Backup and Restore, the trust store from the old Coverity Connect is now migrated to the new instance.
The Coverity Connect installer has been updated so that, when performing a Backup and Restore, the user is prompted for the previous installation directory before the new installation directory. The installer will attempt to determine the previous installation directory and prefill the selection where possible.
You can now use a .JSON file to configure security reports.
Coverity Connect has the following known issues:
All Coverity products, including the installers, support only ASCII characters for file and directory names. Non-ASCII characters, such as Japanese characters, are not supported for these names.
For customers upgrading their Coverity Platform server from unsupported Coverity versions (such as version 5.x), we recommend that you upgrade to a supported intermediate version (such as 2018.03) before upgrading to 2018.06. We also recommend that you perform a backup of your data beforehand with the Upgrade Preparation feature.
Due to a Red Hat Enterprise Linux issue (Bug 1484079), the Coverity Platform installer on CentOS 7 or RHEL 7.4 might fail with an ArrayIndexOutOfBoundsException error and a stack trace indicating an error with fonts. This can be resolved by installing the dejavu-serif-fonts package.
To prevent database constraint violations on subscribers in a cluster, when a user is deleted, it is marked for deletion instead of being completely (hard) deleted. This status subsequently synchronizes across the cluster.
Using a custom defect export handler script might on occasion create an error when attempting to export data to a bug tracking system.
The selected value is not displayed for a Coverity Connect field when using Chrome browser version 47.0.2526.80 on Windows 7.
In a cluster environment, deletion of triage data on the coordinator is not recommended unless it can be verified that there are no subscriber dependencies. Synchronization problems between subscribers and the coordinator might result.
Collisions might occur if triage data is deleted from a cluster (used for testing, for example), and then up-to-date triage data is imported from a production instance. This is because deleting triage stores does not delete related CIDs. It is recommended you rebuild the cluster from scratch using the production data.
In order to use Coverity Connect with a mail server (https option) or Bugzilla (https option), and in some other cases, the user has to import certificates into cim/jre/lib/security/cacerts. After running the updater, all of these certificates are gone and must be imported again.
Downloading the binaries to update Java and/or PSQL for security fixes might fail on slow internet connections. Please make sure you have a fast internet connection and retry.
User and password information in coverity_config.xml does not override options specified on the command line.
An error occurs when a custom role is created using a multi-word rolename that is the same as a built-in rolename, even if there are case differences between the two rolenames.
With Java 1.7.0_xx and older, Out of Memory errors might occur even when the system has a large amount of available RAM. The workaround is to use the Java version shipped with Coverity Platform (1.8), or to specify a max heap setting for cov-im-daemon.
Changing the summary metric name on a coordinator causes the summary metric to disappear from all reports on subscribers. To work around this issue, add the new summary metric back into the reports on subscriber.
Although the upgrade doc states that 32-bit to 64-bit in-place database format upgrades are not permitted, some will succeed, yielding valid results. Because in-place upgrade is preferable to backup-and-restore upgrade, we recommend that you try your upgrade in-place and, if it fails, fall back to backup-and-restore upgrade.
This section provides updates about Coverity Analysis components.
There have been several deprecations and EOLs this release:
Support for the Scratchbox compiler has been dropped. This EOL includes removal of the cov-build-sbox and cov-configure-sbox commands. (CAP-1325, 121094)
Support for Windows Server 2008 SP2 has been deprecated as of this release. (CMPG-2865)
Support for the HP-UX platform has been deprecated as of this release. (CMPG-2857)
The following SCMs are no longer supported as of this release:
Accurev 6.0 and 6.1
Clearcase 7.0.x, 7.1.x and 8.0.x
Perforce 2007.2 – 2014.1
TFS 2008 (COVP-2062)
Support for NetBSD 6.0 and 6.1 has been deprecated as of this release. (COVP-2075)
Support for AIX 6.1 has been deprecated as of this release. (COVP-2071)
Support for the following source control management systems (SCMs) is deprecated as of this release:
Accurev 6.2
Perforce 2014.2 and 2015.1
TFS 2010 (COVP-2062)
Coverity Analysis support for Linux Kernel 2.6.31 and earlier has been dropped. (SAT-27278)
Coverity Analysis has the following new and changed features:
Added support for .NET Core 2.0-2.1 applications on Windows. (SAT-27606; SAT-20558, 96584; CMPG-2864)
Added support for TypeScript. (SAT-16388, 79255)
Added support for C# 7.1–7.3. (CMPG-2863)
Added support for Swift 3.3 and 4.1.x. (CMPSWIFT-187)
The new cov-emit --enable_user_sections option enables the user sections compiler extension, allowing variable placement at specific addresses in memory. Compilers that support this extension include the IAR ARM compiler, which uses the @ operator for this purpose, and the CodeWarrior compiler, which uses :. Please consult your compiler manual for more information. This option supersedes the deprecated cov-emit --allow_declare_at_address option. (CMPCPP-6362, 102666)
Added support for NetBSD 7.0. (COVP-2073)
Added support for macOS 10.14. (COVP-2038)
cov-capture: This new command captures source files for analysis from the file system or from an SCM repository, without a build. (BLC-183)
Fixed a class of OVERRUN false positives that occurred when accessing a buffer within a decreasing loop in a callee.
Improved the performance of the PROPERTY_MIXUP checker for auto-implemented properties.
Fixed a performance issue with running MISRA C++-2008 rules on some code bases, where the analysis hung on some work units.
Fixed a cov-analyze crash in Java webapp security checkers.
Implemented new coding standard ISO TS17961.
Improved the coverage of the AUTOSAR C++14 coding standard. Refer to the Checker Reference for more information about AUTOSAR C++ coverage.
Fixed a cov-analyze recoverable error that occurred when parsing EL in JavaServer Pages (JSPs).
Fixed a class of OVERRUN false positives where a buffer was accessed within a parameter-bounded loop in a callee and the loop could exit early.
Fixed an analysis crash in Coverity Desktop that produced the following error message: "Suppressible assertion failed at analysis/work-unit/work-unit.cpp: tu_index.is_present()".
Added custom models for the strlcpy and strlcat functions.
Added support for reporting OVERRUN defects in loops where the buffer index is a field of a local variable.
Fixed a web application security analysis crash that occurred when tainting members of a class that were missing a definition.
Fixed a cov-analyze crash in the WRAPPER_ESCAPE checker where the same variable was cast to multiple different wrapper types.
Fixed an analysis crash caused by unexpected field types during a deep write.
Fixed a cov-analyze crash that produced the following message when analyzing Visual Basic .NET: "Invalid relationship type: dyn==".
Fixed a crash that occurred when decompiling some .NET assemblies.
Fixed a crash that occurred in cov-commit-defects, where the use of the --strip-path option caused multiple files to have the same name. The crash would produce the following error message: "File symbols should already have been handled".
Fixed a cov-format-errors crash involving the use of C++11 variadic templates.
Fixed a class of RESOURCE_LEAK false negatives involving self-pointers (such as patterns like obj->field = obj + offset).
Fixed an error with a function that caused an unconditional exit, where, if that function contained a loop, our analysis would incorrectly fail to notice the unconditional program exit.
The model for new(nothrow) now correctly returns a null pointer, so the analysis reports more defects.
Fixed the line count metric for function lines of cases where a function was called with a default argument value. In some cases, the location of the default argument's definition would incorrectly be included in the line span, yielding a very large line count.
The documentation for cov-install-updates has been updated to clarify that the check, list, and install subcommands require connection options sufficient to access update information from a connected Coverity server.
The C# PATH_MANIPULATION
checker was enhanced to
recognize that filtering paths using
GetInvalidPathChars()
is insufficient to
sanitize against upwards directory traversal.
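The point behind that enhancement, that removing the characters an API considers invalid in a path does nothing about ".." segments, holds in any language. The following added C example is not Coverity's code and not the C# API the note refers to: strip_invalid_path_chars is a constructed stand-in for a GetInvalidPathChars-style filter, is_safe_relative_path is the lexical segment check that actually blocks upward traversal, and the invalid-character set, function names and sample paths are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Weak sanitizer (constructed stand-in for a GetInvalidPathChars-style
 * filter): drops control characters and a small set of characters that are
 * invalid in file names. '.', '/' and '\\' are legal path characters, so a
 * "../" prefix passes through unchanged. Returns the filtered length. */
size_t strip_invalid_path_chars(const char *in, char *out, size_t out_size) {
    static const char invalid[] = "<>\"|?*";   /* assumed invalid set */
    size_t n = 0;
    if (out_size == 0) return 0;
    for (const char *p = in; *p != '\0' && n + 1 < out_size; p++) {
        if ((unsigned char)*p < 0x20 || strchr(invalid, *p) != NULL) continue;
        out[n++] = *p;
    }
    out[n] = '\0';
    return n;
}

/* Hardened check: accept a caller-supplied path only if it is relative and
 * every segment is a plain name (no empty, "." or ".." segments). Both '/'
 * and '\\' count as separators, and "X:" drive prefixes are rejected. This is
 * the lexical test a checker expects before the path is joined to a base
 * directory; canonicalisation against the real filesystem is a further layer. */
bool is_safe_relative_path(const char *path) {
    if (path == NULL || *path == '\0') return false;
    if (path[0] == '/' || path[0] == '\\') return false;
    if (path[1] == ':') return false;            /* path[0] != '\0' here */
    const char *seg = path;
    for (;;) {
        const char *end = seg;
        while (*end != '\0' && *end != '/' && *end != '\\') end++;
        size_t len = (size_t)(end - seg);
        if (len == 0) return false;                              /* "a//b", "a/" */
        if (len == 1 && seg[0] == '.') return false;             /* "a/./b" */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return false;
        if (*end == '\0') return true;
        seg = end + 1;
    }
}

/* Runs the weak filter on in and reports whether the result would still be
 * rejected by the hardened check: true means the filter alone would have
 * let a traversal through. */
bool filter_leaves_traversal(const char *in) {
    char out[256];
    strip_invalid_path_chars(in, out, sizeof out);
    return !is_safe_relative_path(out);
}

/* Convenience for checking the filter's output against an expected string. */
bool filtered_equals(const char *in, const char *expected) {
    char out[256];
    strip_invalid_path_chars(in, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int main(void) {
    /* Constructed inputs: two upload names with traversal and one without. */
    const char *inputs[] = { "..\\..\\<secret>.txt", "../../config/app.ini",
                             "reports/2020/q1.txt" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char out[256];
        strip_invalid_path_chars(inputs[i], out, sizeof out);
        printf("%-24s -> filtered \"%s\", safe=%s\n", inputs[i], out,
               is_safe_relative_path(out) ? "yes" : "no");
    }
    return 0;
}
```

The filtered output of the first input still begins with "..\..\", which is exactly why the checker treats the character filter as a non-sanitizer; only the segment check rejects it.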
Fixed a cov-analyze crash that produced the following message: "In init_fn(PASS_BY_VALUE): opt-uint.hpp:124: assertion failed: Expected a value to be present for optional integer".
The XML_EXTERNAL_ENTITY checker reports on any insecurely configured parser, regardless of whether its input is untrusted or not, when cov-analyze is run with --enable-audit-mode.
Fixed a crash in cov-commit-defects and cov-format-errors where the following error message was produced: "Cannot parse XML: Char 0xFFFF out of allowed range".
Improved the precision of UNINIT for classes accessed through subclasses.
Fixed a class of RESOURCE_LEAK false positives when an integer representing a resource (including a pointer cast to an integer, using allow_cast_to_int) is passed on to an unimplemented function.
Fixed a crash on Windows that occurred when a defect file grew larger than 4GB.
Fixed a class of NULL_RETURNS false positives that occurred when a function returned a C++ reference type.
Fixed an EXCEPTION_STACK_OVERFLOW crash that sometimes occurred when MISRA C-2012 Rule 18.2 or CERT C ARR36-C checkers were enabled for cov-analyze.
Fixed a class of NO_EFFECT false positives that incorrectly reported misused comma operators with Visual Studio 2017 va_start.
Fixed a crash that occurred when parsing some invalid coverity.conf files with the extend_checkers configuration.
Fixed a class of OVERRUN false positives where a buffer was accessed within a loop in a callee, and that access was guarded by an extra condition which prevented the overrun.
Improved the model for the mbrlen function and its related functions, so that it can report on UNINIT problems.
Improved the OVERRUN checker to detect more cases where a buffer argument was accessed using a constant provided in a callee.
Fixed a class of STREAM_FORMAT_STATE false positives with a function that uses a saver class, and calls flags, setf, or setiosflags.
Fixed an OVERRUN false negative in cases where the pointer is compared against NULL before the overrun occurs.
Added the require_exact_zero option (default true) to the DIVIDE_BY_ZERO checker. This option controls whether the checker should report a defect only when the denominator is known to be exactly zero on the path being analyzed.
Fixed a class of MISMATCHED_ITERATOR false positives where std::move was applied to STL containers.
Fixed a class of ALLOC_FREE_MISMATCH false negatives where the allocations were done conditionally.
Improved the precision of the OVERRUN checker for cases where a callee checks bounds.
Improved the OVERRUN checker so that it handles cases where an allocation uses a number of bytes that is a multiple of its argument.
Improved the OVERRUN checker to report cases where the address of a buffer or buffer length is passed as an argument.
Fixed a class of DEADCODE false positives with the report_redundant_tests option and try/catch blocks.
Fixed a class of NULL_RETURNS false positives that occurred where the operator new function returned a null pointer.
Fixed a class of CHECKED_RETURN checker false positives caused by the --aggressiveness-level high setting overriding the effect of setting CHECKED_RETURN:stat_threshold directly.
Improved the OVERRUN checker so that it reports more cases where the buffer or its index was copied through local variables.
Fixed STRING_NULL false negatives where memcpy produced non null-terminated strings.
Added models for zlib, improving precision of the analysis for code that uses the zlib library.
Fixed a class of STRING_NULL false positives where a non null-terminated string's address is printed using %p.
cov-run-desktop no longer sets the 100-Continue expectation, fixing compatibility issues with some proxies that do not handle this expectation correctly.
Improved the OVERRUN checker to report more cases involving multiple levels of callees.
Fixed a class of ARRAY_VS_SINGLETON false positives that occurred where the pointer to a class was incremented while the pointer was also being cast to a base class.
Fixed a class of OVERRUN false positives where the index was an expression (such as an addition or multiplication), and that same expression was checked beforehand.
Fixed a class of OVERRUN false negatives where strncpy was called with a fixed-sized destination buffer and the number of characters to be copied was specified by a function argument.
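Two of the items above describe code shapes rather than checker internals: STRING_NULL false negatives where memcpy produces a string with no terminator, and OVERRUN false negatives where strncpy copies a caller-supplied count into a fixed-size destination. The following added C example (not Coverity's code, and not a model from this page) shows both defective shapes next to a bounded copy that clamps the count and always terminates; NAME_LEN, the function names and the sample strings are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed fixed-size destination */

/* The OVERRUN shape: the copy count comes from a function argument and is
 * never compared with the destination's size, so n > NAME_LEN writes past
 * the end of dst. strncpy also leaves dst without a terminator whenever
 * n >= NAME_LEN and src is at least that long. */
void copy_name_unchecked(char dst[NAME_LEN], const char *src, size_t n) {
    strncpy(dst, src, n);
}

/* The STRING_NULL shape: memcpy moves n bytes and never writes '\0', so a
 * later strlen() or printf("%s") reads past the copied data. */
void copy_bytes_unterminated(char dst[NAME_LEN], const char *src, size_t n) {
    memcpy(dst, src, n);
}

/* Hardened form: clamp the count to the destination capacity, copy, and
 * always terminate. Returns the number of bytes stored, so a caller can
 * detect truncation by comparing the result with n. */
size_t copy_name_bounded(char *dst, size_t dst_size, const char *src, size_t n) {
    if (dst == NULL || dst_size == 0) return 0;
    size_t limit = dst_size - 1;                 /* keep one byte for '\0' */
    size_t len = n < limit ? n : limit;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return len;
}

/* True if buf holds a '\0' somewhere within size bytes. */
int is_terminated(const char *buf, size_t size) {
    return memchr(buf, '\0', size) != NULL;
}

/* Scenario helpers that exercise the defective copies without undefined
 * behaviour (n never exceeds NAME_LEN) and report whether the result is a
 * usable C string. All inputs are constructed. */
int memcpy_result_is_terminated(void) {
    char buf[NAME_LEN];
    memset(buf, 'X', sizeof buf);                /* no stray '\0' to mask the bug */
    copy_bytes_unterminated(buf, "hello", 5);
    return is_terminated(buf, sizeof buf);       /* 0: STRING_NULL */
}

int strncpy_result_is_terminated(void) {
    char buf[NAME_LEN];
    copy_name_unchecked(buf, "0123456789ABCDEFGHIJ", NAME_LEN);  /* n == capacity */
    return is_terminated(buf, sizeof buf);       /* 0: strncpy did not terminate */
}

/* Copies src into a NAME_LEN buffer with the hardened routine and returns the
 * stored length, or (size_t)-1 if the result is somehow unterminated. */
size_t bounded_copy_len(const char *src, size_t n) {
    char buf[NAME_LEN];
    size_t stored = copy_name_bounded(buf, sizeof buf, src, n);
    return is_terminated(buf, sizeof buf) ? stored : (size_t)-1;
}

int main(void) {
    char name[NAME_LEN];
    const char *input = "0123456789ABCDEFGHIJ";  /* 20 bytes: longer than NAME_LEN */
    size_t stored = copy_name_bounded(name, sizeof name, input, strlen(input));
    printf("stored %zu of %zu bytes: \"%s\"%s\n", stored, strlen(input), name,
           stored < strlen(input) ? " (truncated)" : "");
    printf("memcpy copy terminated: %d, strncpy copy terminated: %d\n",
           memcpy_result_is_terminated(), strncpy_result_is_terminated());
    return 0;
}
```

The bounded routine reports truncation through its return value instead of silently dropping bytes, which is the property a caller needs in order to reject over-long input rather than store a mangled name.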
Fixed RESOURCE_LEAK false negatives by enhancing the models for the sqlite_exec and sqlite3_exec functions.
Fixed a class of OVERRUN false positives with min calculations.
Fixed a class of BAD_SHIFT false positives where the shifted bit count was the result of subtracting two correlated values.
Improved the OVERRUN checker to report cases where multiple different arguments were used to access the same buffer.
Improved the OVERRUN checker to report more cases where a buffer is accessed within a loop in a callee.
Fixed a class of OVERRUN false positives where the buffer index was modified in a callee.
Improved the USE_AFTER_FREE checker to report some cases where a freed pointer is compared to another pointer in a callee.
Fixed RESOURCE_LEAK false positives where a pointer to a struct was stored by copying a pointer to its first field.
Improved the OVERRUN checker to report more cases where getter functions are used.
Fixed a crash that occurred when multiple MISRA configuration files that contained HIS Metrics were passed to cov-analyze.
Fixed a false positive in MISRA C-2012 Rule 11.9 where a macro NULL was used as a null pointer constant.
Corrected the classification of two MISRA rules in the Checker Reference Guide.
Fixed a false positive in CERT EXP37-C where an incorrect number of arguments was reported for C++ code.
Fixed a false positive in CERT PRE31-C where a function calls
assert
.
Improved the error message for CERT DCL37-C so that it is clearer.
Fixed a false positive in CERT PRE31-C, where a function call was misinterpreted as invoking an unsafe function-like macro.
Fixed a false positive in CERT INT32-C involving a cast to a wider integer type.
Fixed a false positive in CERT INT32-C, where defects were reporting on already checked expressions.
Fixed a false positive in CERT EXP37-C involving Coverity's internal types.
Fixed a false positive in CERT EXP36-C that occurred while converting pointers of a struct type that had the same alignment.
Fixed some false positives that occurred in MISRA C++-2008 Rule 3-2-2 and Rule 3-2-4 when a static const class member with an in-class initialization was present.
Fixed a false positive in MISRA C-2012 Rule 2.2 for a function that contained an intentional infinite loop with a side effect.
Fixed a false positive in MISRA C-2012 Rule 13.2 when calling a function with two function calls without side effects as arguments.
Fixed a crash that occurred when CERT-C checkers were enabled.
Enhanced the defect presentation of MISRA C-2012 Rule 10.1.
Fixed a MISRA C++-2008 Rule 0-1-10 false positive, where a global or static class object was defined.
Improved the defect presentation of MISRA C-2012 Rule 10.4.
Fixed an "Invalid property" assertion failure for cov-analyze.
Fixed a memory leak in the CERT DCL58-CPP check.
Fixed some EVALUATION_ORDER and MISRA 2012 Rule 13.2 false positives that claimed volatile access on variables declared with a custom alignment.
Fixed a false negative in MISRA C-2012 Rule 19.2 where a keyword was not reported when being used without a typedef.
Added a new coding standards configuration file to turn on CERT-C rules that CERT requires to run with CERT-C++.
Fixed an issue that caused MISRA C-2012 Rule 17.2 to crash when it was run with languages other than C/C++.
Fixed several false negative cases in MISRA C-2012 Rule 14.3 involving constant conditional expressions.
Fixed a false positive case for MISRA C-2012 Rule 7.2 involving literals in assembly code.
Fixed a false positive in MISRA C++-2008 Rule 0-1-10 where a destructor was called.
Fixed false negatives of CERT FIO46-C with a new checker.
Fixed a false negative in CERT ENV31-C where the environment pointer was accessed indirectly through a function call.
Fixed an issue reporting on simple cases for CERT STR32-C.
Fixed a false negative case which uses pointer arithmetic to access structure members in CERT ARR37-C.
Fixed a false negative in CERT-EXP32-C where the assignment allowed the valid code to reference the value of the volatile object through a nonvolatile reference.
Fixed a false negative in CERT PRE31-C involving an assignment from an unsafe function-like macro.
Fixed a false positive in MISRA C 2012 Dir 4.4.
Fixed a false positive in MISRA C-2012 Rule 10.3 where the initializer {0} could be used to initialize an aggregate or union type.
Fixed a false positive in MISRA C-2012 Rule 5.2 where the language standard was not correctly handled.
Updated the MISRA 2012 Rule 22.8 and MISRA 2012 Rule 22.9 checkers to detect direct errno modification within a function.
Fixed a false positive in MISRA C++-2008 Rule 0-1-4 for a variable that was declared with an initializer and then assigned a new value.
Fixed a false positive in MISRA C-2012 Directive 4.8 where there is no pointer to the structure or in the translation unit.
Older versions of FlexLM might produce the wrong hostid version. Please make sure you have installed a version of FlexLM which supports Windows 10.
Coverity Analysis cannot be installed into an existing empty folder. Please select a non-existing folder.
The Coverity Analysis installer fails when the installer path contains Japanese characters.
On 64-bit Windows platforms, the length of the command string that can be passed to the Fortran syntax analyzer is limited (internally) to 32768 characters. If this limit is exceeded, cov-run-fortran fails and reports an "Argument list too long" error.
Coverity Fortran Syntax Analysis fails with a memory access violation when run under Clear Linux 4.14-64. There is a possible incompatibility with the Fortran runtime library on the Clear Linux platform.
When --webapp-security-aggressiveness-level is set to high, it has the effect of setting the distrust_all checker option for many checkers. In this case, trusting individual taints using --trust-<taint-type> options does not override the distrust_all checker option. Note that --enable-audit-mode sets --webapp-security-aggressiveness-level=high by default. This describes the current behavior. It might change in future releases and should not be relied upon.
The following sections describe new and updated features, bug fixes, and known issues for Coverity checkers and associated elements.
We've added MISRA C 2004 and MISRA C 2012 compliance standard support for the Clang compiler. (CMPCPP-7133, 115796)
The following table lists new checkers and the languages they support.
Checker | Languages |
---|---|
ANGULAR_BYPASS_SECURITY | JavaScript, TypeScript |
ANGULAR_ELEMENT_REFERENCE | JavaScript, TypeScript |
BLACKLIST_FOR_AUTHN | Ruby |
CONFIG.SEQUELIZE_ENABLED_LOGGING | JavaScript |
CSS_INJECTION | JavaScript |
DC.PREDICTABLE_KEY_PASSWORD | C/C++ |
DYNAMIC_OBJECT_ATTRIBUTES | Ruby |
FLOATING_POINT_EQUALITY | C/C++ |
INSECURE_DIRECT_OBJECT_REFERENCE | Ruby |
INSUFFICIENT_LOGGING | JavaScript |
LOCALSTORAGE_WRITE | JavaScript, TypeScript |
PRINTF_ARGS | C/C++ |
RAILS_DEFAULT_ROUTES | Ruby |
RAILS_DEVISE_CONFIG | Ruby |
RAILS_MISSING_FILTER_ACTION | Ruby |
REGEX_MISSING_ANCHOR | Ruby |
RUBY_VULNERABLE_LIBRARY | Ruby |
SESSION_MANIPULATION | Ruby |
TRUST_BOUNDARY_VIOLATION | Java, C#, Visual Basic |
UNESCAPED_HTML | Ruby |
UNSAFE_SESSION_SETTING | Ruby |
UNSAFE_BASIC_AUTH | Ruby |
URL_MANIPULATION | JavaScript |
The following table documents added language support for existing checkers.
Languages | Checkers |
---|---|
C/C++ | |
Ruby | |
New and changed checkers
AUDIT.SPECULATIVE_EXECUTION_DATA_LEAK has a new option: speculative_uninitialized_use:<bool>
If true, the checker will report defects if the index used in a nested memory access is only initialized inter-procedurally. Depending on the code produced by the compiler, a speculative store bypass might occur. This would allow the memory access to occur before the initialization, resulting in the use of an uninitialized value as the load address. This could enable an attacker to read sensitive information. (SAT-27561)
Reports calls to the bypassSecurityTrust* functions from the Angular DomSanitizer API. (SAT-27672)
Reports uses of the ElementRef API where the underlying DOM element is accessed and used in a sensitive way. (SAT-27672)
Reports defects when a filter on a web controller is specified using a list of actions to which the filter applies, rather than a list of actions to which the filter does not apply. (SAT-27000)
Finds cases where a sequelize connection is created with logging enabled. In this case, SQL queries would be logged to the console and might leak sensitive data because console outputs are often streamed to log files when the application is deployed. (SAT-27605)
Reports a defect when a user-controlled string is able to modify the CSS of an HTML element. (SAT-26373, 121614)
Detects calls to crypto APIs that result in the generation of weak or predictable keys. (SAT-26050)
Finds vulnerabilities that occur when a resource is updated with attribute names and values using uncontrolled dynamic data (CWE-915).
Reports on floating-point expressions being tested for equality or inequality. This checker is adapted from MISRA C++2008 Rule 6-2-2. (SAT-25993, 119829)
Finds code that might allow attackers to directly retrieve records via a simple identifier (CWE-639).
Reports a defect in code that handles a security event or error condition but does not properly log the event. Logging important security events facilitates the earlier detection of security incidents and a better response to them. (SAT-27562)
Reports whenever any data is written to localStorage. (SAT-27672)
The OMR_NULL_LOAD checker is now enabled by default. (SAT-24594, 115330)
Trust options are not supported for C and C++ in this release. (They have been documented in the localized versions of the Checker Reference.)
Note: Some of the defects reported by this checker were previously reported as TAINTED_STRING defects. (SAT-28029)
Trust options are not supported for C and C++ in this release. (They have been documented in the localized versions of the Checker Reference.)
Note: Some of the defects reported by this checker were previously reported as TAINTED_STRING defects. (SAT-28029)
Reports on invalid printf format strings, or invalid arguments to those strings. (SAT-23905, 112760)
Identifies vulnerabilities resulting from the failure to mark a controller method as private. (SAT-27000)
Reports on a number of best practices when configuring a Ruby on Rails application using the Devise authentication library. (SAT-26285)
Finds code where a filter specifies an action that does not exist. (SAT-26285)
Finds regular expressions where proper anchors to the beginning and end of the string are not specified (CWE-777).
Reports a defect if your application uses a library that might be affected by one of a given set of Ruby-on-Rails related vulnerabilities. (SAT-26998)
Indicates that uncontrolled dynamic data is used to specify a key in a session. (SAT-27000)
Trust options are not supported for C and C++ in this release. (They have been documented in the localized versions of the Checker Reference.)
Note: Some of the defects reported by this checker were previously reported as TAINTED_STRING defects. (SAT-28029)
Trust options are not supported for this release. (They have been documented in the localized versions of the Checker Reference.) (SAT-28029)
Some defects that were previously reported by this checker are now reported by the following checkers: OS_CMD_INJECTION, PATH_MANIPULATION, SQL_INJECTION.
Note: Trust options are not supported for this release. (They have been documented in the localized versions of the Checker Reference.) (SAT-24466)
Reports a defect when tainted data is stored in a location that is generally trusted. (SAT-19949, 93494)
Reports possible instances of cross-site scripting vulnerabilities. (SAT-27000)
Reports use of Basic Authentication: the Basic Authentication scheme sends unencrypted credentials with every request from the web browser to the web server. (SAT-27000)
Reports unsafe settings related to web server sessions. (SAT-27000)
Detects instances where a URL or URI is constructed unsafely. (SAT-26541)
Trust options are not supported for C and C++ in this release. (They have been documented in the localized versions of the Checker Reference.) (SAT-28029)
The XSS checker is now also supported for Ruby. (SAT-26997)
INTEGER_OVERFLOW churn
Churn for the preview INTEGER_OVERFLOW checker might be higher in this release compared to churn for other checkers.
XSS
The XSS checker can report multiple occurrences of the same local defect under certain circumstances.
This section lists new features, bug fixes, and known issues related to Coverity-supported compilers (including configuration), and the Compiler Integration Toolkit (CIT).
There were several deprecations and EOLs for Compiler Integration Toolkit (CIT) this release:
Deprecated support for NetBSD 6.1 and earlier. (CMPG-2889)
Deprecated support for the HI-TECH PICC compiler. (CMPG-2856)
Deprecated support for the TriMedia TCS compiler. (CMPG-2855)
Deprecated support for the SNC C/C++ and SNC GNU C/C++ compilers. (CMPG-2854)
Deprecated support for Visual Studio 2008. (CMPG-2853)
Deprecated support for GNU GCC 2.x. (CMPG-2852)
Dropped support for Apple Clang versions 2.1-5.1. (CMPG-2812, 120910)
Added support for the Green Hills Optimizing C and C++/EC++ ARM 2015.1.4 compiler. (CMPCPP-7386, 118589)
Added support for ARM Clang 6.10.1. (CMPCPP-7582, 121633)
Added support for ARM NEON builtin types and intrinsic functions for gcc compilers. (CMPCPP-6477, 104248)
Added support for C++17. (CMPG-2182, 85696)
JavaScript files containing decorator syntax are now supported for capture and emit. (CMPJS-549)
The JavaScript front end now supports the ECMAScript 8 async function and await syntax. (CMPJS-423, 103284)
JavaScript source code containing JSX syntax, which is often used for writing React applications, is now supported for capture and emit. Note that source code using Flow syntax is not supported. (CMPJS-649; CMPJS-525; CMPJS-415, 101071)
We've also added the -no-jsx option to the cov-configure command. This option disables the filesystem capture of JSX files.
Capture and emit of Angular application code, written in TypeScript, are now supported. (CMPJS-185, 92790)
Capturing and emitting TypeScript source files is now supported. (CMPJS-184, 92789)
Added the new option --no-typescript to the cov-configure command. This option disables the filesystem capture of TypeScript files.
The following bugs are fixed for compilers and the Compiler Integration Toolkit (CIT) for Coverity Analysis in 2018.12:
An issue where cov-build could miss compiler invocations in some Mac OS builds has been resolved.
Fixed an "Unexpected attempt to load an enum definition" assertion.
Fixed an assertion in cov-emit when emitting the initializer for a non-trivial type array with an explicit zero bound.
Fixed an issue in the GCC configuration that caused spurious errors when using certain intrinsics.
Fixed a parsing error and subsequent error recovery crash in cov-emit involving a failure to resolve an overloaded function when assigning a member function pointer.
Fixed a spurious "no instance of overloaded function matches the specified type" error in cov-emit that could occur in C++17 mode when specializing a template class template constructor.
Fixed an issue where cov-emit sometimes produced the wrong value for std::is_pod in a class with inheriting constructors.
An internal error that resulted in an assertion failure, stating "missing default rescan info" for edg/src/exprutil.c, has been fixed.
There was an issue with the CERT PRE30-C defect detection when compiling with an MSVC compiler and the C language level was left unspecified. This has been fixed.
In the WindRiver Diab compiler support, identifiers beginning with "packed" were being misinterpreted as using the packed keyword. This has been corrected.
Functions containing ASM statements were not being properly emitted in Windows. There was also no specific parse error message. Instead, there was only a message indicating that the function was not emitted. This has been corrected.
An edg/src/class_decl.c assertion failure, which occurs in C++ code when using a Microsoft extension, has been fixed.
Use of the Microsoft __super extension no longer results in failures when captured code is compiled with Clang.
Fixed an emit filename corruption that occurred on Windows when a file is included with an absolute path without drive specification in a PCH file.
Fixed a spurious redeclaration error in cov-emit that could occur in the presence of a prior using declaration for the same method.
Fixed an issue in the GCC compiler configuration that caused errors when using various STL templates added in C++17, such as std::void_t and std::disjunction.
Fixed a spurious error that occurred in cov-emit when emulating versions of GCC newer than 4.2. The error would occur for an out-of-class definition of a nested template class member.
Fixed an issue where the wrong value for the __cplusplus macro was used for some Intel compilers.
An edg/src/lower_name.c assertion failure has been fixed.
Fixed an internal error in cov-emit that occurred when an assertion was triggered during error recovery.
Fixed an internal error that occurred in cov-emit when instantiating a template that contained a constexpr friend declaration.
The cov-emit database was getting corrupted when parse messages exceeded 100M. This has been fixed.
An assertion failure with edg/src/expr.c has been fixed.
Fixed a spurious error that could occur in cov-emit when using the xmemory header with Visual Studio 2017 in /std:c++17 or /std:c++latest mode.
Fixed a cov-emit crash that resulted from mangling anonymous structs in a template function.
Fixed a spurious error in cov-emit that occurred when template argument lists were followed by >>.
Fixed an issue where cov-emit would crash when the compiler was parsing template constructors.
Fixed a crash in cov-internal-emit-clang, which involved C99 designated initializers for aggregate fields.
Fixed an assertion failure that occurred for Clang compilers when the subscript operator was used on an rvalue expression of a vector type.
The use of class template deduction guides no longer results in a compilation failure.
Fixed a spurious error in cov-emit when initializing a constexpr static data member of a class marked dllimport.
Fixed an issue where __attribute__(packed) was not being respected on enums.
Added support for the -fgnu89-inline switch to the GCC configuration.
Fixed a parse error in cov-emit involving variadic templates and templates with default arguments.
Declaring a member function with the same name as a base member function no longer causes parse failures with Microsoft compilers.
Fixed an issue where __builtin_va_list was unrecognized when emulating some Intel compilers.
Use of C++11 generalized attributes (such as [[clang::fallthrough]]) no longer results in failures when captured code is compiled with Clang-based compilers.
Addressed several crashes in cov-emit-cs related to using local functions with lambdas and delegates. Most common cases appeared as "Unknown serf pointer" and "assertion failed: delegatedFn->is_static_method() || delegatedFnInstanceExpr".
Fixed an issue with Coverity Analysis where a nullable literal value in C# would trigger an assertion in cov-analysis.
C++14 and C++17 support has been significantly improved.
Fixed an error when using the replay feature with a Clang-based compiler and the --emit-complementary-info option (which is activated when using compliance standards).
Addressed several crashes in cov-emit-vb that caused time-consuming error recovery invocations.
Fixed a NullPointerException in cov-emit-java that could occur when compiling non-modular code with JAR files that contain module definitions. This could result in entire compilations being lost.
Fixed a Java version detection failure when the JAVA_TOOL_OPTIONS or _JAVA_OPTIONS environment variable was set in the native build environment.
Removed the --enable-java-annotation-framework-support option from cov-build. By default, this behavior is now enabled.
cov-build --instrument has a known issue when running the xdcmake.exe tool of Visual Studio 2010 when launched from a 32-bit process on Windows 10. This will currently fail with a System.BadImageFormatException exception. To work around this issue you can either:
Modify the build such that xdcmake.exe is run from a 64-bit process.
Ignore the xdcmake.exe process by adding --capture-ignore xdcmake.exe to your cov-build invocation.
The default charset for the Java 1.8 VM on Mac appears to be UTF-8 if a charset has not been explicitly set. The Coverity Java compiler does not emulate this behavior. Make sure to explicitly set the character encoding by setting a locale using the LANG or LC_CTYPE environment variables.
The JavaScript front end no longer supports nameless function statements. (Nameless function expressions are supported as before.) A function statement without a declared name is a syntax error according to the ECMAScript standard, but may be used in JavaScript source files used with some frameworks.
This section lists new features, bug fixes, and known issues for cov-build and related commands, including emit and translate commands.
The following new and changed features were added for commands related to the build process (including emit and translate commands) in 2018.12:
The cov-build command has added the --js-template-da option: When specified, it causes the JavaScript template dynamic analysis to be run for all directories specified in --fs-capture-search. (SAT-27752)
The new cov-capture command allows you to run a "buildless" capture of your source. That is, it captures source code without requiring a build. For more information, see the Coverity Analysis User and Administrator Guide. (BLC-212)
Previously, cov-capture was used for capturing Test Advisor test coverage. That functionality has been consolidated into cov-build --test-capture. See the Command Reference for more information. (BLC-87)
There were no bugs fixed for build-related commands (including emit and translate commands) in 2018.12.
Build-related commands have the following known issues and solutions:
On Windows, when preprocessing a file with cov-emit to the Windows console, cov-emit might fail with a catastrophic error if the character encoding of the preprocessed output is not compatible with the console encoding. This error can be avoided by redirecting the preprocessed output to a file.
If you have KB2919355 (http://support.microsoft.com/kb/2919355) installed on a Windows 2012 system, you might encounter the build hanging under cov-build if MSBuild is used. When this hang occurs, the process tree will show MSBuild still running under cov-build, even though there will be no output or progress from MSBuild.
To work around this issue either:
Uninstall KB2919355
OR
Add the --instrument flag to your cov-build invocation:
> cov-build --dir dir --instrument msbuild ..
Running cov-emit-java to emit a web application (with --war --findears or similar) might fail if the number of JAR files in its classpath (including those found with --findjars) exceeds the operating system's per-process file limit. To work around this case, either increase the per-process open file limit or remove unnecessary JARs from the classpath.
If you receive the following error message when using cov-build, you can work around this issue by using the --instrument option.
Error message:
[WARNING] Compilations that use 32-bit Java tools running on 64-bit Windows were detected during this build. Such compilations are not supported at the moment; analysis might be incomplete or invalid because of that.
Workaround:
> cov-build --dir t1 --instrument ant
This section lists new features, bug fixes, and known issues for cov-analyze and related commands.
The following new features were added or changed for commands related to the analysis process in 2018.12:
The --enable-audit-mode option has been added to the cov-analyze command. This option sets the impact level to Audit and enables audit-mode analysis, which is intended to expose more potential security vulnerabilities by considering additional potential data sources that could be used in an exploit. It sets --webapp-security-aggressiveness-level=high and --distrust-all, enables four additional checkers, and models additional taint sources in supported languages. (SAT-27768, IM-23168)
The cov-analyze command has two new options:
--enable-brakeman, which enables Brakeman Pro checkers (Default)
--disable-brakeman, which disables Brakeman Pro checkers
These two new options are used to enable and disable the new Ruby checkers. (SAT-27544)
Analysis-related commands have the following known issues and solutions:
The cov-run-desktop command sometimes fails on large Java compilations, potentially causing emit database corruption on Windows platforms. This can manifest as a cov-analyze crash. More commonly, cov-emit-java itself will fail with access violation crashes or errors concerning a failure to acquire a lock. These will appear in cov-run-desktop-log.txt. If this issue occurs, you can work around it by specifying -j 1 with cov-run-desktop.
This section lists new features for Test Advisor.
This section lists new features, bug fixes, and known issues related to Coverity Wizard.
There have been no deprecations or EOLs this release.
Coverity Wizard has the following new and changed features in 2018.12:
Added support for OSX 10.14 to Coverity Wizard. (PRD-10591, 121360)
The following bugs were fixed for Coverity Wizard in 2018.12:
Added an option, allowing customers to disable all webapp-security checkers.
Fixed an issue where cov-wizard wouldn't allow users to resize the window in the Capture step of Coverity Wizard.
The user is no longer required to install JVM6 on OSX.
Coverity Wizard has the following known issues in version 2018.12:
Using the 'Duplicate' button for configuring compilers in Coverity Wizard does not work.
Coverity Wizard now warns the user every time they select the 'Test Prioritization' workflow, even if they did not first work with the regular analysis workflow. This can be safely ignored.
When using a self-signed certificate, if the user chooses not to trust a certificate, they might be prompted multiple times in a row (asking to trust the certificate). If a user does not want to trust a self-signed certificate, they should change their Coverity Connect server settings to avoid the prompts, or simply keep pressing 'no' to get through the multiple prompts.
After upgrade, Coverity Wizard can sometimes give a ReferenceMap NullPointerException application error on startup. To work around this issue, delete the .orphan file in the <install_dir_sa>/jars/cwiz/configurations/org.eclipse.core.runtime folder.
When in the Test Prioritization workflow, on the View Results page, clicking the button might not work for some older Linux distributions.
The guided policy creation wizard "Documentation" link fails to open properly on Linux. Open the Coverity Wizard 2020.12 User Guide separately to view this documentation.
The Guided Test Advisor Policy Creation Wizard uses Java regex validation instead of the Perl regex validation that Coverity Analysis Test Advisor uses. This should not cause any issues for most users, but if there is a difference, go to the more advanced Test Prioritization Policy Editor and Debugger to enter the proper regex.
In Coverity Wizard, after automatically configuring the compilers in the screen, the status indicator for the screen might not update from the exclamation mark icon to the check mark icon, which makes it appear as though the auto-configuration was unsuccessful. However, clicking anywhere in the Coverity Wizard window or changing pages will cause the indicator to update to the check mark icon.
Not all the Preference dialog text is translated into Japanese on the syntax coloring dialog.
In the Coverity Wizard Policy Editor, the 'Link to Editor' icon in the Outline View might be toggled as enabled, even though the editor is not actually linked with the Outline View.
To enable outline linking, toggle the 'Link to Editor' button to disabled, and back to enabled again.
Coverity Test Advisor is a component of the Coverity Analysis installation package.
Test Advisor has the following new and changed features in 2018.12:
Support for the Accurev source control management system has been extended to Accurev version 7.2. (TADE-1958)
Support for Team Foundation Server 2018 has been added. (TADE-1928)
Automatic version detection for Team Foundation Server has been added. It can be used by replacing --scm tfs2013, --scm tfs2015, etc., in your invocations of Coverity tools with --scm tfs. (TADE-1928)
The following bugs are fixed for Test Advisor in 2018.12:
Previously, the Coverity SCM tools (cov-extract-scm, cov-import-scm, cov-blame, cov-run-desktop) would fail to parse output from svn if --use-merge-history was being passed (via --command-arg --use-merge-history, --scm-command-arg --use-merge-history, or --scm-param annotate_arg=--use-merge-history). This has been fixed.
Test Advisor has the following known issues and solutions in 2018.12:
All Coverity products, including the installers, support only ASCII characters for file and directory names. Non-ASCII characters, such as Japanese characters, are not supported for these names.
Dynamic Analysis is a component of the Coverity® Analysis installation package.
Dynamic Analysis has the following known issues and solutions in 2018.12:
All Coverity products, including the installers, support only ASCII characters for file and directory names. Non-ASCII characters, such as Japanese characters, are not supported for these names.
If Dynamic Analysis reports defects in classes that were compiled without debugging information, or that contain mangled information due to a misbehaving code coverage or AOP tool, the defect report might contain nonsensical line numbers or file names.
Specifying certain combinations of the instrument-arrays, instrument-collections, detect-races, and detect-deadlocks options to the Dynamic Analysis agent produces unexpected behavior. In particular, Dynamic Analysis still reports races on arrays and collections according to the instrument-arrays and instrument-collections options when detect-races is false and detect-deadlocks is true. However, if both detect-races and detect-deadlocks are false, then Dynamic Analysis reports races on neither collections nor arrays.
If you do not specify a class in the cov-start-da-broker classpath option, the corresponding source file isn't committed, even if the source file is present on the source path.
Coverity Architecture Analysis is a component of the Coverity Analysis installation package.
Coverity® Extend Software Development Kit is a component of the Coverity® Analysis installation package.
The Coverity Desktop plug-in is available for various platforms from the Coverity Connect Downloads menu.
There have been several deprecations and EOLs this release:
Coverity Desktop support has been dropped for Eclipse 4.5. (PRD-10681)
Coverity Desktop support has been deprecated for Android Studio 2.2. (PRD-10681)
Coverity Desktop support has been deprecated for IntelliJ IDEA 2016.1 and 2016.3. (PRD-10681)
Coverity Desktop support has been deprecated for the 2016.3 version of RubyMine, WebStorm, PyCharm, and PhpStorm. (PRD-10681)
Dropped support for TFS 2008. (PRD-10650; PRD-10648)
Deprecated support for TFS 2010.
Deprecated the misra_config settings. Users can use the coding_standard_config option instead. Note that the coding_standard_config option supports multiple files. (PRD-10584, 120571)
Coverity Desktop for Eclipse has the following new and changed features in 2018.12:
Added support for Eclipse 4.9. (PRD-10683)
Added support for .C files. (PRD-10677)
Added support for OSX 10.14 to the Eclipse Coverity Desktop plugin. (PRD-10695; PRD-10591, 121360)
The Coverity Visual Studio extension now supports multiple Coding Standard Configuration files. (PRD-10583)
Added support for Android Studio 3.2. (PRD-10560)
Security Audit issues from a remote stream can now be viewed in the Coverity plugins. In Visual Studio, these issues will be displayed without an impact icon. (PRD-10549)
Coverity Visual Studio Extension now supports .NET Core projects. (PRD-10446)
The following bugs were fixed for Coverity Desktop for Eclipse in 2018.12:
Any Coding Standard Configuration setting from the coverity.conf file was displayed as read-only in the (under ). This has been fixed.
Fixed an issue where the IssuesView column did not properly display.
Coverity Desktop for Eclipse has the following known issues in version 2018.12:
Eclipse customers using Plastic SCM may see a failure when the cm.exe file is located in /usr/local/bin/ rather than /usr/bin/. This can be resolved by adding a link to the executable in /usr/bin/.
For OSX 10.14 users with JDK-8136913 installed, using the hostname_regex in the coverity.conf file causes a 5 to 30 second delay. We've provided a workaround for this issue in our documentation.
Coverity Desktop for Microsoft Visual Studio has the following new and changed features in 2018.12:
Coverity Desktop now supports Microsoft TFS 2018.
The user interface has also been modified so that users are no longer required to specify the TFS version for SCM analysis. (PRD-10630; PRD-10629)
Coverity Desktop for Microsoft Visual Studio has the following bug fixes in 2018.12:
Fixed an encoding issue which caused Visual Studio to crash.
As of the Pacific release, the user no longer needs to select a specific TFS version in order to use TFS for SCM analysis.
The Coverity Visual Studio extension was crashing due to an invalid OEM code page, which was used to retrieve the encoding. We've fixed this by using default encoding in the OEM code page.
Fixed a System.InvalidOperationException error message which was thrown when a wait dialog was displayed.
Coverity Desktop for IntelliJ IDEA has the following new and changed feature(s) in 2018.12:
Added support for IntelliJ 2018.2, CLion 2018.2, PhpStorm 2018.2, PyCharm 2018.2, RubyMine 2018.2, and Webstorm 2018.2. (PRD-10617; PRD-10559)
Added support for Java 9+ project module path. (PRD-10610; PRD-10609)
Added support for OSX 10.14 to the IntelliJ Coverity Desktop plugin. (PRD-10591, 121360)
Coverity Desktop for IntelliJ IDEA has the following known issues in version 2018.12:
For Coverity Connect users using the Japanese locale, the button in the triage panel was disabled unless the Owner was changed. To work around this, the IDE locale should be the same as the user account locale on the Coverity Connect server. Since IntelliJ currently only supports English, the user account locale on Coverity Connect must be set to English as well.
When using whole program checkers in IntelliJ, a warning about missing class files might be seen in the console, which indicates missing class files with incorrect paths. Even if the paths do not seem correct, this should not affect analysis results.
Coverity markers in the editor gutter can sometimes be shown in duplicate with the IntelliJ/Android Studio Coverity Desktop plug-in.
Currently any source generated by Gradle Android projects will not be captured by the build process, and will be reported as "Uncaptured" by the IntelliJ and Android Studio IDEs. These files can be ignored by the "Uncaptured Source Files Dialog" or through the "File Exclusions" settings page.
The triage view will not resize while the History section is expanded. Collapsing the history section will cause the view contents to resize.
Android Studio does not show the proper 'scope' in the Issues view for local analysis. It just always says "External output file" currently when in local analysis mode.
The Coverity Desktop plug-in does not currently work for the 'Alloy' IDEA theme.
Coverity Connect attributes and usernames in the Coverity Desktop plug-in are cached on start up, and not refreshed until IntelliJ is restarted. If you are missing a new username, or some other triage attribute, try restarting IntelliJ.
The following new documents and changes were made in 2018.12:
You can now generate a security report from a script. For more information, see the chapter on Security reports in the Coverity Platform User and Administrator Guide.
The OWASP Mobile Top 10 report has been added. This report details the assessments that were done, provides a summary of findings, and specifies the remediations needed. Information from this report is of special interest to application security assurance teams and their clients.
The PCI DSS report has been added. It analyzes your source and reports violations of standards defined by the Payment Card Industry Data Security Standard (PCI DSS), which was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
The OWASP Top Ten report was added. It details the assessments that were done, provides a summary of findings, and specifies the remediations needed. Information from this report is of special interest to application security assurance teams and their clients.
Added instructions for running a security analysis on an ASP.NET Core Web application. See "2.2.2. Running a security analysis on an ASP.NET Web application" in the Coverity Analysis 2018.09 User and Administrator Guide for more information.
Supported standards per language (for example, CWE Top 25) are now documented in "Chapter 1.3. Language Support" of the Coverity Analysis 2018.12 User and Administrator Guide.
Fixed a false positive in CERT EXP62-CPP that occurred when using memset on an array of pointers to class objects.
Fixed a false positive in CERT FLP32-C where user-defined functions were mistaken for standard math functions.
Fixed a false positive in CERT OOP51-CPP where an expected object slicing did not occur.
Fixed a false positive in CERT OOP57-CPP that occurred when using memset on an array of pointers to class objects.
Fixed a bug in the Purge Snapshot Details functionality which caused some Issue occurrences to be lost for snapshots that were not directly purged. With the fix, new snapshots will have correct occurrences, but existing snapshots might still be missing some data.
Added support for the LLVM Clang 7.0, Apple Clang 9.1 (Xcode 9.3/9.4), and Apple Clang 10 (Xcode 10.0) compilers.
Fixed a NullPointerException in cov-emit-java that could be encountered while compiling non-modular code when JAR files on the classpath contained module declarations. This caused entire compilations to be lost.
This update causes a database incompatibility with releases 2018.09 to 2018.09-3. Please upgrade to 2018.09-4 or later.
Fixed an issue where the Configuration - Users & Groups dialog would close immediately after being opened by an Administrators group member.
Fixed the line count metric for function lines of cases where a function was called with a default argument value. In some cases, the location of the default argument's definition would incorrectly be included in the line span, yielding a very large line count.
Due to a change in our bug tracking system, items are now identified by two bug numbers:
One reflecting the identity of the bug in our old bug tracking system, formatted like this: XXXXXX. (For example, 374568.)
One reflecting the identity of the bug in our new bug tracking system, formatted like this: CODE-XXXXX. (For example, IM-22788.)
Note: Bugs with only a CODE-XXXXX number do not have an old number.
Support for the following products, features, platforms, and third-party tools is classified as deprecated or end-of-life as of the Coverity 2018.09 release.
Support for the following products and features is deprecated as of the Coverity 2018.09 release.
Table 87.1. Deprecated products
Product | Comments |
---|---|
Accurev 6.0 and 6.1 support | Coverity Test Advisor Support SCM Systems |
Apple Clang v2.0 - 5.1 support | Supported Compilers: Coverity Analysis for C/C++ |
Coverity Connect DesktopDeveloper role | The |
cov-build option: --treat-as-64bit | The --treat-as-64bit option is deprecated. The related COVERITY_INSTRUMENT_64BIT_EXES variable is also deprecated because --instrument capture now works in a way that can adapt to 64-bit .NET binaries (that appear to run as 32-bit .NET binaries). |
ClearCase v7.0.x, 7.1.x and 8.0.x | Coverity Test Advisor Support SCM Systems |
Desktop plugin support for Eclipse v4.5 | Coverity Desktop Eclipse platform support |
Developer Streams feature | Support for the Developer Streams feature is now deprecated and will be removed in a future release. |
GCC on Windows for Extend SDK checker development | For Extend SDK checker development on Windows, use of the GCC compiler (available in the MinGW environment) to compile Extend SDK checkers has been deprecated as of this release. Support will be removed and replaced in a future release. |
Linux Kernel 2.6.31 and earlier deprecated for Coverity Analysis | Supported Platforms for Coverity Analysis |
Mac OS X versions 10.10 and 10.11 deprecated for Coverity | Supported Platforms for Coverity Analysis |
Perforce 2007.2-2014.1 | Coverity Test Advisor Support SCM Systems |
PostgreSQL 9.5 as external database for Coverity Connect | Coverity Software Requirements |
Safari versions no longer supported by Apple | Support for versions of Safari that Apple no longer supports is deprecated for Coverity Connect. |
Scratchbox support deprecated for Coverity Analysis | Supported Compilers: Coverity Analysis for C/C++ |
Windows 7 support deprecated for Coverity Connect | Supported platforms |
Windows Server 2008 support deprecated for Coverity Connect | Supported platforms |
Xbox 360 compiler | Supported Compilers: Coverity Analysis for C/C++ |
Xcode gcc 4.2 and llvm-gcc 4.2 support | Supported Compilers: Coverity Analysis for C/C++ |
Support for the following products and features is dropped in the Coverity 2018.09 release.
Table 87.2. End-of-Life Products
Product | Comments |
---|---|
Java versions 1.5 and 1.6 for Coverity Analysis and Coverity Desktop | Supported platforms |
Java 1.7 running the Coverity Desktop plugin within Eclipse, IntelliJ, and Android Studio | Supported Platforms for Coverity Desktop |
Java 9 support | Supported Platforms for Coverity Analysis |
This section provides release notes for Coverity Platform components.
Coverity Connect is a component of the Coverity® Platform installation package.
There have been no deprecations or EOLs for Coverity Connect this release.
Coverity Connect has the following new and changed features:
We've integrated Coverity into Synopsys' eLearning system. User accounts are provided by one of our Sales and Support team members once a Synopsys license has been purchased by your organization. To log in to the eLearning portal, visit elearning.synopsys.com. (COVP-2045, 639930)
Added TLSv1.2 support to cov-manage-im. (IM-22209, 116603)
The cov-commit-defects command has a new option: --url. This option allows you to commit analysis results to a Coverity Connect instance that has a context path in its HTTP(S) URL. It replaces the --host, --port, --https-port, and --dataport options. The --url option is provided to accommodate the use of a context path and to support deployments of Coverity Connect behind a reverse proxy. (IM-22788, 117291)
The behavior of importing groups has changed slightly: When a user selects an LDAP group to import into Coverity Connect, by default, it imports the top level group and all nested LDAP group members with the specified Group Filter. The user may set the scope of the Group Filter to either Top level groups only or Top level groups and nested groups. (IM-21347, 107963)
The following bugs are fixed for Coverity Connect:
Updated the wording in the CERT Report Compliance Scorecard to list the first rule violation (of the selected Target Compliance Level) so that it appears in the Standard: CERT C 2016 table.
A few MISRA C:2012 rules were categorized under Required. They are now correctly categorized under Advisory.
Defects classified as Intentional or False Positive were incorrectly classified in the Security Report. This has been fixed.
Updated the MISRA Report Generator's JSON files to ensure that the PDF version of the report displays the same MISRA rules being shown in the UI.
The Target Integrity Level in the Coverity Integrity Report did not display correctly in the Japanese locale. This has been fixed.
Added an authentication key to the Security Report Generator. Users must now re-enter their authentication key before generating the report. This update minimizes security vulnerabilities.
Updated the MISRA Report Help documentation to indicate that MISRA C++2008 Rule 8-3-1 is now supported.
Improved the performance of report generators by limiting the number of defect instances that are returned when calling WS methods.
Fixed an issue where projects were not visible if they were added to Coverity Connect after the report generator had started.
Resolved an issue in the Coverity Connect installer where the wrong description for "In Place upgrade mode" was displayed in console mode.
Fixed an issue where upgrading Coverity from version 8.7.1 to 2018.06 would result in a Database Integrity Check failure. This no longer happens.
Updated the cov-admin-db check-integrity feature to ensure that important database constraints are present even when unspecified. This reduces the risk of any performance issues.
Users upgrading from Coverity 2018.01 to 2018.06 no longer receive a column "defect_instance_details_id" contains null values error message.
Fixed an issue where updating or deleting streams would sometimes produce foreign key constraint violations.
The TLSv1 protocol is now disabled by default because of its security vulnerabilities. The only security protocol enabled by default is TLSv1.2.
Note that some previous versions of Coverity Connect clients (such as cov-wizard and cov-manage-im) do not support TLSv1.2 and might not work with a new server unless TLSv1 is enabled. To enable TLSv1 in the Coverity Connect server, read the "Enable TLSv1" instructions provided in the ${SERVER_INSTALL_DIR}/server/base/conf/server.xml file.
The Coverity Connect server would sometimes disable users that were previously imported via LDAP if they were unable to connect to a directory service. This has been fixed.
Improved the synchronization of projects between Coordinator and Subscriber nodes in the Coverity Connect cluster. As a result, the risk of synchronization failures, requiring manual intervention to be resolved, has been reduced.
Improved the logging in the code path that creates analysis summaries. Analysis summaries that are not found for a specified hash are now properly handled.
We can now successfully import nested group members of groups with more than 1500 members.
Added a mechanism that prevents Coverity Connect backup jobs from running concurrently. With the fix, the backup jobs now run sequentially.
Improved the Coverity Connect server startup process, so that the server no longer switches to LDAP authentication despite Kerberos authentication being configured and enabled.
Improved the synchronization of triage stores between Coordinator and Subscriber nodes in the Coverity Connect cluster. As a result, the risk of synchronization failures, requiring manual intervention to be resolved, has been reduced.
Updated the getUser and getUsers API requests so that responses now include a timestamp of when the user last logged in.
Fixed an issue where the incorrect database size was being displayed when users ran from the page. The correct database size is now calculated and displayed.
Fixed an importing issue in Coverity Connect that resulted from component map changes made prior to importing a new file.
Fixed a data overflow issue where cov-commit-defects would hang when processing large intermediate directories. The server memory footprint has been reduced and cov-commit-defects no longer produces a data processing error.
Coverity Connect has the following known issues:
All Coverity products, including the installers, support only ASCII characters for file and directory names. Non-ASCII characters, such as Japanese characters, are not supported for these names.
For customers upgrading their Coverity Platform server from unsupported Coverity versions (such as version 5.x), we recommend that you upgrade to a supported intermediate version (such as 2018.03) before upgrading to 2018.06. We also recommend that you perform a backup of your data beforehand with the Upgrade Preparation feature.
Due to a Red Hat Enterprise Linux issue (Bug 1484079), the Coverity Platform installer on Centos7 or RHEL v7.4 might fail due to an ArrayIndexOutOfBoundsException error and a stack trace indicating an error with fonts. This can be resolved by installing the dejavu-serif-fonts package.
To prevent database constraint violations on subscribers in a cluster, when a user is deleted, it is marked for deletion instead of being completely (hard) deleted. This status subsequently synchronizes across the cluster.
Using a custom defect export handler script might on occasion create an error when attempting to export data to a bug tracking system.
The selected value is not displayed for a Coverity Connect field when using Chrome browser version 47.0.2526.80 on Windows 7.
In a cluster environment, deletion of triage data on the coordinator is not recommended unless it can be verified that there are no subscriber dependencies. Synchronization problems between subscribers and the coordinator might result.
Collisions might occur if triage data is deleted from a cluster (used for testing, for example), and then up-to-date triage data is imported from a production instance. This is because deleting triage stores does not delete related CIDs. It is recommended you rebuild the cluster from scratch using the production data.
In order to use Coverity Connect with a mail server (https option) or Bugzilla (https option), and in some other cases, the user has to import certificates into cim/jre/lib/security/cacerts. After running the updater, all of these certificates are gone.
Downloading the binaries to update Java and/or PSQL for security fixes might fail on slow internet connections. Please make sure you have a fast internet connection and retry.
User and password information in coverity_config.xml does not override options specified on the command line.
An error occurs when a custom role is created using a multi-word rolename that is the same as a built-in rolename, even if there are case differences between the two rolenames.
With Java 1.7.0_xx and older, Out of Memory errors might occur even if the system has a large amount of available RAM. The workaround is to use the Java version shipped with Coverity Platform (1.8), or to specify a max heap setting for cov-im-daemon.
Changing the summary metric name on a coordinator causes the summary metric to disappear from all reports on subscribers. To work around this issue, add the new summary metric back into the reports on subscriber.
Although the upgrade doc states that 32-bit to 64-bit in-place database format upgrades are not permitted, some will succeed, yielding valid results. Because in-place upgrade is preferable to backup-and-restore upgrade, we recommend that you try your upgrade in-place and, if it fails, fall back to backup-and-restore upgrade.
This section provides updates about Coverity Analysis components.
There have been several deprecations and EOLs this release:
The --chcmdline-type option to the cov-build and cov-capture commands has been deprecated. (CAP-1343, CAP-609, 47799)
Dropped support for Java 9. (COVP-2051)
Coverity Analysis has the following new and changed features:
Added support for Java 10. (SAT-26217, 120926)
The new --tmpdir <tmp> and -t <tmp> options to the cov-manage-emit command specify the temporary directory to use. On UNIX, the default is $TMPDIR, or /tmp if that variable does not exist. On Windows, the default is to use the temporary directory specified by the operating system. (SAT-19969, 93555)
Updated the models for Java classes in the java.util.zip namespace, allowing the analysis to report "Zip Slip" vulnerabilities.
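As an added illustration of the Zip Slip pattern that the updated java.util.zip models are meant to flag (example code written for these notes, not code from Coverity or from the release), the following shows an extractor that joins an untrusted entry name onto the destination directory, beside a hardened version that rejects any entry resolving outside it. The class and method names (ZipSlipExample, extractUnsafe, safeResolve, extractSafe) are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public class ZipSlipExample {

    /**
     * Vulnerable: the archive-controlled entry name is used verbatim as a path
     * component. An entry named "../../etc/cron.d/job" escapes destDir.
     */
    static void extractUnsafe(InputStream zip, File destDir) throws IOException {
        try (ZipInputStream in = new ZipInputStream(zip)) {
            ZipEntry e;
            while ((e = in.getNextEntry()) != null) {
                File out = new File(destDir, e.getName());   // tainted path reaches a file sink
                if (e.isDirectory()) { out.mkdirs(); continue; }
                out.getParentFile().mkdirs();
                Files.copy(in, out.toPath(), StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    /**
     * Hardened: resolve the entry name against the destination, normalize away
     * any ".." segments, and require the result to remain under the destination.
     * Absolute entry names are rejected too, since resolve() would replace the base.
     */
    static Path safeResolve(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("Zip entry outside target directory: " + entryName);
        }
        return target;
    }

    static void extractSafe(InputStream zip, Path destDir) throws IOException {
        try (ZipInputStream in = new ZipInputStream(zip)) {
            ZipEntry e;
            while ((e = in.getNextEntry()) != null) {
                Path out = safeResolve(destDir, e.getName()); // validated before any filesystem write
                if (e.isDirectory()) { Files.createDirectories(out); continue; }
                Files.createDirectories(out.getParent());
                Files.copy(in, out, StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed checks on the path logic alone; no archive is needed.
        Path dest = Files.createTempDirectory("extract");
        System.out.println("accepted: " + safeResolve(dest, "docs/readme.txt"));
        try {
            safeResolve(dest, "../../evil.sh");
        } catch (IOException ex) {
            System.out.println("blocked: " + ex.getMessage());
        }
    }
}
```

Path.startsWith compares whole name components, so a sibling directory such as "extract-other" does not pass the check either.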
Updated issue types to compliance rule-based main event tags and added more descriptive Coverity Connect issue names.
Fixed an assertion failure in the web application security analysis involving certain C# methods with ref parameters.
Updated models for the Java class java.util.Scanner, allowing the analysis to report more vulnerabilities.
Different failures in Poky, Yocto, and BitBake builds would sometimes occur when run under cov-build. These failures would produce the following error message: "ERROR: ld.so: object '/path/to/cov-analysis-kit/bin/libcapture-linux64-${PLATFORM}.so' from LD_PRELOAD cannot be preloaded". These issues have been fixed.
On 64-bit Linux systems, C++ builds run in Eclipse would sometimes produce the following error message: "ERROR: ld.so: object '/path/to/cov-analysis-linux64-version/bin/libcapture-linux64-.so' from LD_PRELOAD cannot be preloaded: ignored". This has been fixed.
On 64-bit Windows platforms, the length of the command string that can be passed to the Fortran syntax analyzer is limited (internally) to 32768 characters. If this limit is exceeded, cov-run-fortran fails and reports an "Argument list too long" error.
The Coverity Analysis installer fails when the installer path contains Japanese characters.
Coverity Analysis cannot be installed into an existing empty folder. Please select a non-existing folder.
The following sections describe new and updated features, bug fixes, and known issues for Coverity checkers and associated elements.
The following table documents added language support for existing checkers.
Language | Checkers |
---|---|
Visual Basic | ASPNET_MVC_VERSION_HEADER, OS_CMD_INJECTION |
New and changed checkers
ASPNET_MVC_VERSION_HEADER
The ASPNET_MVC_VERSION_HEADER checker now supports Visual Basic. (SAT-26408, 121741)
OS_CMD_INJECTION
The OS_CMD_INJECTION checker now supports Visual Basic. (SAT-26389, 121676)
Fixed a stack overflow issue with MISRA C-2012 Rule 13.1.
For C and Objective-C, Coverity Analysis now treats an access of the first field of a struct like an access of the struct itself. As a result, we've fixed RESOURCE_LEAK false positives.
Clear Linux is not supported in the 2018.09 release.
INTEGER_OVERFLOW
Churn for the preview INTEGER_OVERFLOW checker might be higher in this release compared to churn for other checkers.
XSS
The XSS checker can report multiple occurrences of the same local defect under certain circumstances.
This section lists new features, bug fixes, and known issues related to Coverity-supported compilers (including configuration), and the Compiler Integration Toolkit (CIT).
There have been no Compiler Integration Toolkit (CIT) deprecations or EOLs this release.
Compilers and the Compiler Integration Toolkit (CIT) for Coverity Analysis have the following new features:
Added Java 10 support for Coverity Analysis. (CMPG-2809, 120696)
Added support for the Nintendo Switch SDK compiler. (CMPCPP-6923, 112469)
The following bugs are fixed for compilers and the Compiler Integration Toolkit (CIT) for Coverity Analysis in 2018.09:
Fixed a regression (introduced in LLVM/Clang 6) which would result in a spurious "-Werror=nsconsumed-mismatch is currently enabled, but was not in the PCH file" error.
The use of the Objective-C keyword @available (or __builtin_available for C code) no longer causes cov-internal-emit-clang to crash.
C/C++ compilers that are configured with the --clang option now support Coverity annotations.
cov-build --instrument has a known issue when running the xdcmake.exe tool of Visual Studio 2010 when launched from a 32-bit process on Windows 10. This will currently fail with a System.BadImageFormatException exception. To work around this issue you can either:
Modify the build such that xdcmake.exe is run from a 64-bit process.
Ignore the xdcmake.exe process by adding --capture-ignore xdcmake.exe to your cov-build invocation.
The JavaScript front end no longer supports nameless function statements. (Nameless function expressions are supported as before.) A function statement without a declared name is a syntax error according to the ECMAScript standard, but may be used in JavaScript source files used with some frameworks.
The default charset for the Java 1.8 VM on Mac appears to be UTF-8 if a charset has not been explicitly set. The Coverity Java compiler does not emulate this behavior. Make sure to explicitly set the character encoding by setting a locale using the LANG or LC_CTYPE environment variables.
This section lists new features, bug fixes, and known issues for cov-build and related commands, including emit and translate commands.
There are no new and changed features for commands related to the build process (including emit and translate commands) in 2018.09.
There are no bug fixes for build-related commands (including emit and translate commands) in 2018.09.
Build-related commands have the following known issues and solutions:
On Windows, when preprocessing a file with cov-emit to the Windows console, cov-emit might fail with a catastrophic error if the character encoding of the preprocessed output is not compatible with the console encoding. This error can be avoided by redirecting the preprocessed output to a file.
If you have KB2919355 (http://support.microsoft.com/kb/2919355) installed on a Windows 2012 system, you might encounter the build hanging under cov-build if MSBuild is used. When this hang occurs, the process tree will show MSBuild still running under cov-build, even though there will be no output or progress from MSBuild.
To work around this issue, either:
Uninstall KB2919355
OR
Add the --instrument flag to your cov-build invocation:
> cov-build --dir dir --instrument msbuild ..
Running cov-emit-java to emit a web application (with --war --findears or similar) might fail if the number of JAR files in its classpath (including those found with --findjars) exceeds the operating system's per-process file limit. To work around this case, either increase the per-process open file limit or remove unnecessary JARs from the classpath.
If you receive the following error message when using cov-build, you can work around this issue by using the --instrument option.
Error message:
[WARNING] Compilations that use 32-bit Java tools running on 64-bit Windows were detected during this build. Such compilations are not supported at the moment; analysis might be incomplete or invalid because of that.
Workaround:
> cov-build --dir t1 --instrument ant
This section lists new features, bug fixes, and known issues for cov-analyze and related commands.
Analysis-related commands have the following known issues and solutions:
The cov-run-desktop command sometimes fails on large Java compilations, potentially causing emit database corruption on Windows platforms. This can manifest as a cov-analyze crash. More commonly, cov-emit-java itself will fail with access violation crashes or errors concerning a failure to acquire a lock. These will appear in cov-run-desktop-log.txt. If this issue occurs, you can work around it by specifying -j 1 with cov-run-desktop.
This section lists new features for Test Advisor.
This section lists new features, bug fixes, and known issues related to Coverity Wizard.
There has been one support removal this release:
In order to improve security, we no longer bundle GTK+ with cov-wizard. As a result, the appearance of cov-wizard might vary depending on the version and GTK+ theme. We recommend that you use the Ambiance theme, if you are experiencing UI issues. (PRD-10571, 119795, PRD-4854, 49756)
Coverity Wizard has the following known issues in version 2018.09:
Using the 'Duplicate' button for configuring compilers in Coverity Wizard does not work.
Coverity Wizard now warns the user every time they select the 'Test Prioritization' workflow, even if they did not first work with the regular analysis workflow. This can be safely ignored.
When using a self-signed certificate, if the user chooses not to trust the certificate, they might be prompted multiple times in a row to trust it. If a user does not want to trust a self-signed certificate, they should change their Coverity Connect server settings to avoid the prompts. Otherwise, keep pressing 'No' at each prompt to get through them.
After upgrade, Coverity Wizard can sometimes give a ReferenceMap NullPointerException application error on startup. To work around this issue, delete the .orphan file in the <install_dir_sa>/jars/cwiz/configurations/org.eclipse.core.runtime folder.
When in the Test Prioritization workflow, on the View Results page, clicking the button might not work for some older Linux distributions.
The guided policy creation wizard "Documentation" link fails to open properly on Linux. Open the Coverity Wizard 2020.12 User Guide separately to view this documentation.
The Guided Test Advisor Policy Creation Wizard uses Java regex validation instead of the Perl regex validation that Coverity Analysis Test Advisor uses. This should not cause any issues for most users, but if there is a difference, go to the more advanced Test Prioritization Policy Editor and Debugger to enter the proper regex.
In Coverity Wizard, after automatically configuring the compilers in the screen, the status indicator for the screen might not update from the exclamation mark icon to the check mark icon, which will appear as though the auto-configuration was unsuccessful. However, clicking anywhere in the Coverity Wizard window or changing pages will cause the indicator to update to the check mark icon.
Not all the Preference dialog text is translated into Japanese on the syntax coloring dialog.
In the Coverity Wizard Policy Editor, the 'Link to Editor' icon in the Outline View might be toggled as enabled, even though the editor is not actually linked with the Outline View.
To enable outline linking, toggle the 'Link to Editor' button to disabled, and back to enabled again.
Coverity Test Advisor is a component of the Coverity Analysis installation package.
Test Advisor has the following known issues and solutions in 2018.09:
Using a Bullseye small runtime newer than version 8.9.26 with Test Advisor Developer Edition might not work correctly.
Function Coverage Instrumentation network coverage collection does not support IPv6, and might fail to collect coverage data if the emit server address contains a hostname which resolves to an IPv6 address. This problem may be avoided by explicitly specifying an IPv4 address, or by using a hostname which only resolves to an IPv4 address.
If you encounter the following errors when running your Java build/tests under cov-build/cov-capture for Test Advisor, then your native build is likely already using JaCoCo as part of the build:
Caused by: java.lang.RuntimeException: Class java/util/UUID could not be instrumented. ... Caused by: java.lang.NoSuchFieldException: $jacocoAccess ...
In order to run this with Test Advisor you will need to disable the native JaCoCo in your build. This will depend on the build system used, but for common build systems, like Maven, this can be as simple as adding "-Djacoco.skip=true".
When using Desktop Analysis with Accurev, if your setup requires access to different servers, you will need to configure this through an Accurev wspaces file. For convenience, here is a link to the Accurev documentation: http://www.borland.com/Products/Change-Management/AccuRev
cov-commit-defects might fail when:
it is committing the results of a Test Advisor analysis, and
it is run on a Windows machine with a non-UTF-8 Japanese locale, such as Shift-JIS.
Coverage for Java tests can sometimes erroneously flag the closing brace of a finally block as coverable and uncovered. This is caused by the way the Java compiler generates the byte-code for the finally block, and is a limitation of the underlying coverage tool.
This issue can be resolved either by using a Test Advisor policy and code comments to "ta-ignore" the area of the code where the coverage is incorrect, or by writing a test that causes a RuntimeException to be thrown from inside the try block.
In Coverity Wizard, on the screen in the Test Prioritization workflow, the Test metrics download summary status indicator might incorrectly display the status "Test metrics files are present" when the test metrics files have actually been deleted. Test metrics files can be deleted in the following ways:
Perform a new build with the Clear intermediate directory before each build check box activated.
Delete the intermediate directory.
Directly delete individual test metrics files within the intermediate directory.
For Linux users creating new policy files with the Coverity Wizard Test Advisor Policy Editor, the → and → actions will not be enabled until the new document has been modified. Evaluating the policy, or returning to Coverity Wizard, will prompt users to save the new policy file.
The source code locations of template functions of template classes are incorrect. This might lead to incorrect results from Test Advisor, as coverage might be misattributed to such functions, or missing from such functions, due to the incorrect locations.
Dynamic Analysis is a component of the Coverity® Analysis installation package.
Dynamic Analysis has the following known issues and solutions in 2018.09:
If Dynamic Analysis reports defects in classes that were compiled without debugging information, or contain mangled information due to misbehaving code coverage or AOP tool, the defect report might contain nonsensical line numbers or file names.
Specifying certain combinations of the instrument-arrays, instrument-collections, detect-races, and detect-deadlocks options to the Dynamic Analysis agent has unexpected behavior. In particular, Dynamic Analysis still reports races on arrays and collections according to the instrument-arrays and instrument-collections options when detect-races is false and detect-deadlocks is true. However, if both detect-races and detect-deadlocks are false, then Dynamic Analysis reports races on neither collections nor arrays.
If you do not specify a class in the cov-start-da-broker classpath option, the corresponding source file isn't committed, even if the source file is present on the source path.
Coverity Architecture Analysis is a component of the Coverity Analysis installation package.
Coverity® Extend Software Development Kit is a component of the Coverity® Analysis installation package.
The Coverity Desktop plug-in is available for various platforms from the Coverity Connect Downloads menu.
There has been one EOL this release:
Dropped support for Java 1.6 and 1.7. Note that Java 6 (1.6) and Java 7 (1.7) code may still be analyzed using the Eclipse, IntelliJ, and Android Studio plugins. (PRD-10576, 120315)
Coverity Desktop for Eclipse has the following new and changed features in 2018.09:
Added support for Eclipse v4.8. (PRD-104447, BZ 113633)
Coverity Desktop for Microsoft Visual Studio has no new and changed features in 2018.09.
Coverity Desktop for IntelliJ IDEA has the following new and changed feature(s) in 2018.09:
Added CLion version support (2017.3 to 2018.1) for IntelliJ plugins. (PRD-10514, BZ 118222)
Coverity Desktop for IntelliJ IDEA has the following known issues in version 2018.09:
For Coverity Connect users using the Japanese locale, the button in the triage panel was disabled unless the Owner was changed. To work around this, the IDE locale should be the same as the user account locale on the Coverity Connect server. Since IntelliJ currently only supports English, the user account locale on Coverity Connect must be set to English as well.
When using whole program checkers in IntelliJ, a warning about missing class files might be seen in the console, which indicates missing class files with incorrect paths. Even if the paths do not seem correct, this should not affect analysis results.
Coverity markers in the editor gutter can sometimes be shown in duplicate with the IntelliJ/Android Studio Coverity Desktop plug-in.
Currently any source generated by Gradle Android projects will not be captured by the build process, and will be reported as "Uncaptured" by the IntelliJ and Android Studio IDEs. These files can be ignored by the "Uncaptured Source Files Dialog" or through the "File Exclusions" settings page.
The triage view will not resize while the History section is expanded. Collapsing the history section will cause the view contents to resize.
Android Studio does not show the proper 'scope' in the Issues view for local analysis. It just always says "External output file" currently when in local analysis mode.
The Coverity Desktop plug-in does not currently work for the 'Alloy' IDEA theme.
Coverity Connect attributes and usernames in the Coverity Desktop plug-in are cached on start up, and not refreshed until IntelliJ is restarted. If you are missing a new username, or some other triage attribute, try restarting IntelliJ.
The following new documents and changes were made in 2018.09:
Coverity CodeXM documentation has been corrected and expanded. The CodeXM QuickStart Tutorial introduces some features that are new to Coverity 2018.09.
The cov-import-results entry has been updated in the Command Reference. It replaces the individual language-specific options. The value for the --lang option <lang> is one of cpp, cs, java, javascript, objc, php, python2, python3, ruby, scala, swift, text-files, or vb. This option sets the source language and analysis domain in the output error.xml file and replaces language-specific options like --cpp and --java. For more information, see the Command Reference.
The Coverity Checker Reference now includes a table that shows Coverity checker coverage for the OWASP 2016 Mobile Top Ten.
The Coverity CodeXM Common Library Reference, a new document in HTML form, has also been added to document some new functions that are available to all supported languages.
The --occurrences option, which filters output based on the occurrence count for issues, is now documented in the “Output and filtering options” section for the cov-run-desktop command.
Added a new section about upgrade recommendations and MISRA changes in the Upgrade Guide. The new MISRA engine might affect the number and quality of the defect reports.
Version-specific IDE and Java requirements for Coverity Desktop have been centralized in "IDE and Java Version Support" (Section 7.5.2) of the Coverity Desktop 2018.09 Installation and Deployment Guide. These version-specific requirements are no longer duplicated in other books and sections of the documentation set.
The information contained in this document, and the Licensed Product provided by Synopsys, are the proprietary and confidential information of Synopsys, Inc. and its affiliates and licensors, and are supplied subject to, and may be used only by Synopsys customers in accordance with the terms and conditions of a license agreement previously accepted by Synopsys and that customer. Synopsys' current standard end user license terms and conditions are contained in the cov_EULM files located at <install_dir>/doc/en/licenses/end_user_license.
Portions of the product described in this documentation use third-party material. Notices, terms and conditions, and copyrights regarding third party material may be found in the <install_dir>/doc/en/licenses directory.
Customer acknowledges that the use of Synopsys Licensed Products may be enabled by authorization keys supplied by Synopsys for a limited licensed period. At the end of this period, the authorization key will expire. You agree not to take any action to work around or override these license restrictions or use the Licensed Products beyond the licensed period. Any attempt to do so will be considered an infringement of intellectual property rights that may be subject to legal action.
If Synopsys has authorized you, either in this documentation or pursuant to a separate mutually accepted license agreement, to distribute Java source that contains Synopsys annotations, then your distribution should include Synopsys' analysis_install_dir/library/annotations.jar to ensure a clean compilation. This annotations.jar file contains proprietary intellectual property owned by Synopsys. Synopsys customers with a valid license to Synopsys' Licensed Products are permitted to distribute this JAR file with source that has been analyzed by Synopsys' Licensed Products consistent with the terms of such valid license issued by Synopsys. Any authorized distribution must include the following copyright notice: Copyright © 2020 Synopsys, Inc. All rights reserved worldwide.
U.S. GOVERNMENT RESTRICTED RIGHTS: The Software and associated documentation are provided with Restricted Rights. Use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth in subparagraph (c)(1) of The Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of Commercial Computer Software – Restricted Rights at 48 CFR 52.227-19, as applicable.
The Manufacturer is: Synopsys, Inc. 690 E. Middlefield Road, Mountain View, California 94043.
The Licensed Product known as Coverity is protected by multiple patents and patents pending, including U.S. Patent No. 7,340,726.
Coverity and the Coverity logo are trademarks or registered trademarks of Synopsys, Inc. in the U.S. and other countries. Synopsys' trademarks may be used publicly only with permission from Synopsys. Fair use of Synopsys' trademarks in advertising and promotion of Synopsys' Licensed Products requires proper acknowledgement.
Microsoft, Visual Studio, and Visual C# are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.
Microsoft Research Detours Package, Version 3.0.
Copyright © Microsoft Corporation. All rights reserved.
Oracle and Java are registered trademarks of Oracle and/or affiliates. Other names may be trademarks of their respective owners.
"MISRA", "MISRA C" and the MISRA triangle logo are registered trademarks of MISRA Ltd, held on behalf of the MISRA Consortium. © MIRA Ltd, 1998 - 2013. All rights reserved. The name FindBugs and the FindBugs logo are trademarked by The University of Maryland.
Other names and brands may be claimed as the property of others.
This Licensed Product contains open source or community source software ("Open Source Software") provided under separate license terms (the "Open Source License Terms"), as described in the applicable license agreement under which this Licensed Product is licensed ("Agreement"). The applicable Open Source License Terms are identified in a directory named licenses provided with the delivery of this Licensed Product. For all Open Source Software subject to the terms of an LGPL license, Customer may contact Synopsys at software-integrity-support@synopsys.com and Synopsys will comply with the terms of the LGPL by delivering to Customer the applicable requested Open Source Software package, and any modifications to such Open Source Software package, in source format, under the applicable LGPL license. Any Open Source Software subject to the terms and conditions of the GPLv3 license as its Open Source License Terms that is provided with this Licensed Product is provided as a mere aggregation of GPL code with Synopsys' proprietary code, pursuant to Section 5 of GPLv3. Such Open Source Software is a self-contained program separate and apart from the Synopsys code that does not interact with the Synopsys proprietary code. Accordingly, the GPL code and the Synopsys proprietary code that make up this Licensed Product co-exist on the same media, but do not operate together. Customer may contact Synopsys at software-integrity-support@synopsys.com and Synopsys will comply with the terms of the GPL by delivering to Customer the applicable requested Open Source Software package in source code format, in accordance with the terms and conditions of the GPLv3 license. No Synopsys proprietary code that Synopsys chooses to provide to Customer will be provided in source code form; it will be provided in executable form only. Any Customer changes to the Licensed Product (including the Open Source Software) will void all Synopsys obligations under the Agreement, including but not limited to warranty, maintenance services and infringement indemnity obligations.
The Cobertura package, licensed under the GPLv2, has been modified as of release 7.0.3. The package is a self-contained program, separate and apart from Synopsys code that does not interact with the Synopsys proprietary code. The Cobertura package and the Synopsys proprietary code co-exist on the same media, but do not operate together. Customer may contact Synopsys at software-integrity-support@synopsys.com and Synopsys will comply with the terms of the GPL by delivering to Customer the applicable requested open source package in source format, under the GPLv2 license. Any Synopsys proprietary code that Synopsys chooses to provide to Customer upon its request will be provided in object form only. Any changes to the Licensed Product will void all Coverity obligations under the Agreement, including but not limited to warranty, maintenance services and infringement indemnity obligations. If Customer does not have the modified Cobertura package, Synopsys recommends to use the JaCoCo package instead.
For information about using JaCoCo, see the description for cov-build --java-coverage in the Command Reference.
Copyright © All rights reserved. Developed by: LLVM Team, University of Illinois at Urbana-Champaign (http://llvm.org/ ). Permission is hereby granted, free of charge, to any person obtaining a copy of LLVM/Clang and associated documentation files ("Clang"), to deal with Clang without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of Clang, and to permit persons to whom Clang is furnished to do so, subject to the following conditions: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimers. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimers in the documentation and/or other materials provided with the distribution. Neither the name of the University of Illinois at Urbana-Champaign, nor the names of its contributors may be used to endorse or promote products derived from Clang without specific prior written permission.
CLANG IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH CLANG OR THE USE OR OTHER DEALINGS WITH CLANG.
Copyright © Rackspace, US Inc. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use these files except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright © 2020 Synopsys Inc. All rights reserved worldwide. (www.synopsys.com ), with Reserved Font Name fa-gear, fa-info-circle, fa-question.
This Font Software is licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at http://scripts.sil.org/OFL
Copyright © 1999-2003 The Apache Software Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
The end-user documentation included with the redistribution, if any, must include the following acknowlegement: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/)."
Alternately, this acknowlegement may appear in the software itself, if and wherever such third-party acknowlegements normally appear.
The names "The Jakarta Project", "Commons", and "Apache Software Foundation" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact apache@apache.org.
Products derived from this software may not be called "Apache" nor may "Apache" appear in their names without prior written permission of the Apache Group.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
http://www.apache.org/licenses/
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Results of analysis from Coverity and Test Advisor represent the results of analysis as of the date and time that the analysis was conducted. The results represent an assessment of the errors, weaknesses and vulnerabilities that can be detected by the analysis, and do not state or infer that no other errors, weaknesses or vulnerabilities exist in the software analyzed. Synopsys does NOT guarantee that all errors, weaknesses or vulnerabilities will be discovered or detected or that such errors, weaknesses or vulnerabilities are discoverable or detectable.
SYNOPSYS AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, CONDITIONS AND REPRESENTATIONS, EXPRESS, IMPLIED OR STATUTORY, INCLUDING THOSE RELATED TO MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, ACCURACY OR COMPLETENESS OF RESULTS, CONFORMANCE WITH DESCRIPTION, AND NON-INFRINGEMENT. SYNOPSYS AND ITS SUPPLIERS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES, CONDITIONS AND REPRESENTATIONS ARISING OUT OF COURSE OF DEALING, USAGE OR TRADE.