What's new with Klocwork

Klocwork 2016.3

New Visual Studio Extension

  • Better support for Visual Studio 2010 and up
  • New functionality for working with issues detected on the desktop or server

Improvements in application security defect detection

  • New CWE checkers for Java have been added – Klocwork has the widest coverage of any SCA tool
    • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    • CWE-829: Inclusion of Functionality from Untrusted Control Sphere
  • Improvements to our family of tainted data checkers and updates to taxonomy files
  • Check out the complete list of security checkers offered by Klocwork here

Expanded MISRA coverage and help

  • Official MISRA rules documentation now available through IDE plugins and Klocwork Desktop
  • New rules
    • Section 2, Rule 7 (Advisory) - There should be no unused parameters in functions.
    • Section 8, Rule 14 (Required) - The restrict type qualifier shall not be used.
    • Section 13, Rule 4 (Advisory) - The result of an assignment operator should not be used.
    • Section 20, Rule 11 (Required) - A macro parameter immediately following a # operator shall not immediately be followed by a ## operator.
    • Section 20, Rule 12 (Required) - A macro parameter used as an operand to the # or ## operators, which is itself subject to further macro replacement, shall only be used as an operand to these operators.
    • Section 21, Rule 5 (Required) - The standard header file shall not be used.
    • Section 21, Rule 6 (Required) - The Standard Library input/output functions shall not be used.
    • Section 21, Rule 10 (Required) - The Standard Library time and date functions shall not be used.
    • Section 21, Rule 11 (Required) - The standard header file shall not be used.

Improved and additional compiler support

  • Archelon CSR Kalimba C (new!)
  • Clang
  • GNU
  • Green Hills
  • Intel C++
  • Jack (Java Android Compiler Kit) (new!)
  • Renesas R8C and M16C families
  • Renesas R32C family
  • Synopsys ARC MetaWare compiler
  • Target Chess
  • See the full list of supported compilers here

Klocwork 2016.2

Improvements to the C/C++ analysis engine

  • Better handling of numeric ranges and operations on 64-bit integers improves analysis accuracy (the ratio of true positives to false positives) and reduces false positives overall
  • Improved detection of the following classes of defects:
    • Array Bounds Violations
    • Memory Leaks
    • Unreachable Code and Unreachable Function Returns
    • Uninitialized and Unused Variables
    • Use of tainted data
    • MISRA defects

Improvements in application security defect detection

  • New CWE checkers have been added – Klocwork has the widest coverage of any SCA tool
    • CWE-759: Use of a One-Way Hash without a Salt (Java)
    • CWE-822: Untrusted Pointer Dereference (C/C++)
  • A new taxonomy for C# is now included in the product which maps Klocwork C# checkers to CWE IDs
  • Check out the complete list of security checkers offered by Klocwork here

Expanded MISRA coverage and help

  • MISRA documentation is now available in the Klocwork offline help
  • New rules
    • Section 5, Rule 2 (Required) - Identifiers declared in the same scope and name space shall be distinct
    • Section 11, Rule 9 (Required) - The macro NULL shall be the only permitted form of integer null pointer constant
    • Section 18, Rule 7 (Required) - Flexible array members shall not be declared
    • Section 18, Rule 8 (Required) - Variable-length array types shall not be used
    • Section 21, Rule 9 (Required) - The library functions bsearch and qsort shall not be used

Improved and additional compiler support

  • Panasonic MN101E/MN101L
  • Renesas RH850
  • ARM
  • Green Hills GHS
  • See the full list of supported compilers here

Improved support for custom checkers

  • The Path API used for creating custom checkers has been upgraded for better support of 64-bit integers