Klocwork Review report output file formats

From Insight-9.0

You can export Klocwork Review reports:

When exporting from Issue Management in Klocwork Review, only XML and TEXT formats are supported.

XML output reference

The XML Klocwork output lists detected issues in the order in which they display in the issue list, and identifies each field with a descriptive XML tag. Traceback is included in the output if it is available for the issue.

XML output example

The following is an example of the XML output created with:

  • the xml link in Klocwork Review's Issue Management module or
  • the --xml option of kwinspectreport

Example of XML output from a project (that includes traceback)

<?xml version="1.0" encoding="UTF-8" ?>
<errorList xmlns="http://www.klocwork.com/inForce/report/1.0" version="9.0.0">
  <problem>
    <problemID>2</problemID>
    <file>/space/karpov/cruisecontrol-bin-2.5/projects/ACE_wrappers/ace/ARGV.cpp</file>
    <method>create_buf_from_queue</method>
    <line>304</line>
    <column>19</column>
    <code>MLK.MIGHT</code>
    <message>Possible memory leak. Dynamic memory stored in 'this->buf_' allocated through function 'new[]' at line 304 can be lost at line 304</message>
    <anchor>2018035671</anchor>
    <prefix>&lt;=0)return-1;delete[]this->buf_;</prefix>
    <postfix>ACE_TCHAR[this->length_+this->ar</postfix>
    <trace>
      <traceBlock file="/space/karpov/cruisecontrol-bin-2.5/projects/ACE_wrappers/ace/ARGV.cpp" method="create_buf_from_queue" id="0">
        <traceLine line="304" text="Dynamic memory stored in 'this->buf_' is allocated through the 'new[]' function." type="E" />
        <traceLine line="304" text="exception_caught is true" type="C" />
        <traceLine line="304" text="Dynamic memory stored in 'this->buf_' is lost." type="E" />
      </traceBlock>
    </trace>
    <severity>Error</severity>
    <severitylevel>3</severitylevel>
    <displayAs>Error</displayAs>
    <category>C and C++/Memory Leaks</category>
    <citingStatus>Analyze</citingStatus>
    <lastCommit>0</lastCommit>
    <state>Existing</state>
    <owner>jlee</owner>
    <history>
      <statusUpdate user="jlee" status="Fix" timestamp="1257886429000">
        <comment />
      </statusUpdate>
    </history>
    <dateOriginated>1240417515000</dateOriginated>
    <dateFixed>1250886231000</dateFixed>
    <url>http://buildlx03:8070/klocwork/insight-review.html#goto:project=ACE_wrappers,pid=2</url>
  </problem>
</errorList>

XML output file format

The XML Klocwork output contains one <errorList> element with zero or more <problem> elements inside. Each problem description contains the following tags:

  • <problemID> is the number assigned to the issue by Klocwork
  • <file> is the name of the file in which the problem or violation occurs
  • <method> is where the statement occurs
  • <line> is the number of the line in the source code on which the problem or violation occurs
  • <column> is the position in the line where the problem or violation occurs
  • <message> describes the detected problem or violation by identifying key statements in the code that contribute to the issue
  • <anchor> is an internal hash value used for issue propagation. It may be empty for some types of problems
  • <prefix> captures the characters before the defect
  • <postfix> captures the characters after the defect
  • <trace> is information tracing the origin of a detected issue
  • <traceBlock> identifies a code statement that contributes to the issue. Each traceblock or trace statement includes:
    • the file and method in which the issue occurs
    • <traceLine line>, the number of the line in the source code in which the problem or violation occurs. The <traceLine> may also include:
    • text that describes the problem that contributes to the detected issue. The text that displays is specific to the issue type
    • type that indicates the type of traceblock. Values are: E for Event, C for Condition, and "" for other
    • ID=, which contains a reference to another traceblock
  • <severity> is a severity name corresponding to the issue severity level.
  • <severitylevel> is a value between 1 and 10, with 1 representing the most serious issues and 10 representing the least serious.
  • <displayAs> is a user-configurable indicator of whether the type of problem or violation detected is serious enough to be considered an error or just a warning. Klocwork options determine whether or not warnings are shown in output
  • <category> is a default or user-defined category into which a specific issue is grouped. Memory Leak is one example. You can edit the category in the problem-configuration file using the KMC
  • <citingStatus> is a user-assigned indicator (except for the default initial status of Analyze) of how the detected issue should be handled. Values include: Analyze, Ignore, Not a problem, Fix, Fix in Next Release, Fix in Later Release, Defer, and Filter. For more information, see Issue statuses
  • <lastCommit> refers to the time of the last status change, which is measured in milliseconds. A value of 0 indicates that the status hasn't changed (Analyze)
  • <state> is a read-only indicator that captures the history of an issue. State can be either New, Existing, Not in scope, Fixed or Recurred. For more information, see Issue states
  • <owner> is the file owner. You'll only see this if file ownership has been loaded for the project. See Tracking issues by owner
  • <history> indicates the status update history of the issue, which includes the person who changed the status, the status the issue was changed to, the timestamp (in milliseconds) and comments added; this block appears for an issue only when the issue's status has been changed twice
  • <dateOriginated> is the date (in milliseconds) when the issue was detected
  • <dateFixed> is the date (in milliseconds) when the issue was fixed
  • <url> is the Klocwork Review URL for the detected issue
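
The tag list above maps directly onto a small report parser. The following is an added example, not Klocwork's own code: it reads the namespaced <errorList>, converts the millisecond date fields and flattens the trace. The sample report is constructed (cut down from the one on this page), and the function names and the "0 or empty means unset" rule for dates are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"kw": "http://www.klocwork.com/inForce/report/1.0"}

# Constructed sample: a cut-down version of the report shown above.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8" ?>
<errorList xmlns="http://www.klocwork.com/inForce/report/1.0" version="9.0.0">
<problem>
<problemID>2</problemID>
<file>/src/ace/ARGV.cpp</file>
<line>304</line>
<code>MLK.MIGHT</code>
<trace><traceBlock file="/src/ace/ARGV.cpp" method="create_buf_from_queue" id="0">
<traceLine line="304" text="memory is allocated" type="E" />
<traceLine line="304" text="exception_caught is true" type="C" />
</traceBlock></trace>
<severitylevel>3</severitylevel>
<citingStatus>Analyze</citingStatus>
<state>Existing</state>
<dateOriginated>1240417515000</dateOriginated>
</problem>
</errorList>"""

def ms_to_utc(text):
    """Convert a millisecond timestamp field; empty or 0 is treated as unset (assumption)."""
    ms = int(text or 0)
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc) if ms else None

def parse_report(xml_bytes):
    """Return one dict per <problem>, with numeric and date fields converted."""
    problems = []
    for p in ET.fromstring(xml_bytes).findall("kw:problem", NS):
        def get(tag):
            return p.findtext(f"kw:{tag}", default="", namespaces=NS).strip()
        problems.append({
            "id": int(get("problemID")), "file": get("file"),
            "line": int(get("line")), "code": get("code"),
            "severitylevel": int(get("severitylevel")),
            "status": get("citingStatus"), "state": get("state"),
            "originated": ms_to_utc(get("dateOriginated")),
            "fixed": ms_to_utc(get("dateFixed")),
            # (type, line, text) per traceLine: E = Event, C = Condition, "" = other
            "trace": [(t.get("type", ""), int(t.get("line")), t.get("text"))
                      for t in p.iterfind("kw:trace/kw:traceBlock/kw:traceLine", NS)],
        })
    return problems

def needs_triage(problems, max_level=3):
    """Issues not yet Fixed whose severitylevel is max_level or more serious (1 = worst)."""
    return [p for p in problems
            if p["state"] != "Fixed" and p["severitylevel"] <= max_level]
```
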

Text output reference

The following section describes how to read the output created when text is the selected output format from the text link in Issue Management or the --text option of kwinspectreport.

Each line in the Klocwork plain text output contains at least the following fields (the "error message" field for metric threshold violations and usage rules violations contains additional information, described below):

File name; Line number; Column; Severity label; <blank>; Severity number; Issue code; Severity label; Method; Anchor; Error message; <blank>; State; Category path; status; Issue ID; Klocwork Review URL

where

  • File name is the name of the file in which the issue occurs
  • Line number is the number of the line in the source code on which the issue occurs
  • Column is the column in which the issue occurs
  • Severity label is the label applied to issues of this type and severity number. For more information, see Severity
  • Severity number indicates the severity of the issue, between 1 and 10, with one representing the most serious issues and 10 representing the least serious
  • Issue code is the unique code assigned to each issue type that Klocwork detects. View a description by hovering over the code. For detailed descriptions of each of the issues Klocwork products can detect (listed by error code), see Detected C/C++ Issues or Detected Java Issues
  • Severity (Error or Warning)
  • Method is the parent method where the issue occurs
  • Anchor is an internal hash value used for propagation of reported issues. It may be empty for some types of problem
  • Error message is a message describing the detected issue
  • State is a read-only indicator that traces the history of an issue from the first time it is detected to the time when it is no longer detected. State can be either New, Existing, Not in scope, Fixed, Recurred or Obsolete. For more information, see Issue states
  • Category path is a default or user-defined category into which a specific issue is grouped. See Categories
  • Status is a user-assigned indicator (except for the default initial status) of how the detected issue should be handled. It can be one of the following: Analyze, Ignore, Not a problem, Fix, Fix in Next Release, Fix in Later Release, Defer, Filter. For more information, see Issue statuses
  • Issue ID is a number assigned to the detected issue by Klocwork
  • Klocwork Review URL provides the URL where you can View Issue details, source code and traceback for the specific issue

Example:

demosthenes\revisions\rev4\zeroes.c;64;5;Error;;3;NPD.FUNC.MUST;Error;random_trials;-1783555832;Pointer ’center’ returned from call to function ’triangle_center’ at line 62 may be NULL and will be dereferenced at line 64.;;Existing;C and C++/Null Pointer Dereference;Analyze;19;http://localhost:8072/klocwork/insight-review.html#goto:project=demosthenes,pid=19

Text output for metrics violations and usage rules

Error message field for metric threshold violations

The error message field for metric threshold violations has additional fields (marked in bold text):

File name; Line number; Character position; Severity label; <blank>; Severity number; Violated metric "description of metric": <Software entity> <Real value> <Operation> <Threshold value>;<blank>; State; Category path; status; Issue ID; Klocwork Review URL

where

  • Violated metric "description of metric" is a brief description of the violated metric from the configuration file
  • Software entity is the name of the specific software entity that contains the metric violation. It can be any software entity recognized by Klocwork, such as FUNCTION, CLASS-METHOD, CLASS, FILE, or CLASS-TEMPLATE.
  • Real value is the detected value of the metric in the code object
  • Operation is the logical comparison of the real value with the threshold value. It is an expression such as less than (<), equal to (=), or greater than (>).
  • Threshold value is the metric threshold set in the configuration file.

Note: If a metric exceeds both the warning and the error thresholds, only the error message is reported.

Example

Below is a metric violation where the number of lines of code in the file (95) is above the specified threshold of 80 lines:

C:\tests\webgoat\webgoat_demo2\WebGoat\webgoat\src\session\DatabaseUtilities.java;1;0;Error; ;3;METRICS.E.Lines_of_code;Error;DatabaseUtilities.java;2002102333;Violated metric "Lines of code": DatabaseUtilities.java 95>80;;Existing;Demo - Error Category;Analyze;26;https://localhost:8070/klocwork/insight-review.html#goto:project=webgoat,pid=26
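
The semicolon-separated text format and the metric-violation message described above can be read with one parser. The following is an added example, not Klocwork's own code. Because the error message may itself contain semicolons, it takes the ten leading fields from the left and the six trailing fields from the right, leaving the message in the middle. The function and field names are assumptions of this example, as is the premise that the category, status and URL fields contain no semicolons; the third sample line and its issue code are constructed.

```python
import re

# Field order from the format line above; the message sits between HEAD and TAIL.
HEAD = ["file", "line", "column", "severity_label", "blank1", "severity_number",
        "code", "severity", "method", "anchor"]
TAIL = ["blank2", "state", "category", "status", "issue_id", "url"]
METRIC = re.compile(r'^Violated metric "(?P<metric>[^"]+)": (?P<entity>.+) '
                    r'(?P<real>[\d.]+)\s*(?P<op>[<>=])\s*(?P<threshold>[\d.]+)$')

# The two example lines printed on this page.
NPD_LINE = (r'demosthenes\revisions\rev4\zeroes.c;64;5;Error;;3;NPD.FUNC.MUST;Error;'
            r'random_trials;-1783555832;Pointer ’center’ returned from call to function '
            r'’triangle_center’ at line 62 may be NULL and will be dereferenced at line 64.'
            r';;Existing;C and C++/Null Pointer Dereference;Analyze;19;'
            r'http://localhost:8072/klocwork/insight-review.html#goto:project=demosthenes,pid=19')
METRIC_LINE = (r'C:\tests\webgoat\webgoat_demo2\WebGoat\webgoat\src\session\DatabaseUtilities.java'
               r';1;0;Error; ;3;METRICS.E.Lines_of_code;Error;DatabaseUtilities.java;2002102333;'
               r'Violated metric "Lines of code": DatabaseUtilities.java 95>80;;Existing;'
               r'Demo - Error Category;Analyze;26;'
               r'https://localhost:8070/klocwork/insight-review.html#goto:project=webgoat,pid=26')
# Constructed line (made-up issue code) whose message itself contains semicolons.
TRICKY_LINE = ("src/a.c;10;3;Error;;2;DEMO.CODE;Error;f;42;"
               "Statement 'x = 1; y = 2;' is suspicious;;New;Demo;Analyze;7;"
               "http://localhost:8070/klocwork/insight-review.html#goto:project=demo,pid=7")

def parse_line(line):
    """Parse one text-format report line into a dict; raise ValueError if malformed."""
    head = line.rstrip("\r\n").split(";", len(HEAD))
    if len(head) != len(HEAD) + 1:
        raise ValueError("fewer leading fields than the format defines")
    tail = head.pop().rsplit(";", len(TAIL))
    if len(tail) != len(TAIL) + 1:
        raise ValueError("fewer trailing fields than the format defines")
    rec = dict(zip(HEAD, head))
    rec["message"] = tail[0]
    rec.update(zip(TAIL, tail[1:]))
    for key in ("line", "column", "severity_number", "issue_id"):
        rec[key] = int(rec[key])
    # Metric threshold violations carry structured data inside the message field.
    m = METRIC.match(rec["message"])
    rec["metric"] = m.groupdict() if m else None
    return rec
```
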

Error message field for usage rules violations

The error message field for usage rules violations has these additional fields:

<Rule name>:<From> -> <To> <Relationship kind> (<Number> of <Total number>) <Expression>

where

  • Rule name is the name of the rule in the usage rules configuration file
  • From is the object in which the relationship originated, prefixed by a file name
  • To is the object in which the relationship terminated, prefixed by a file name and, in brackets, the object type (such as FUNCTION)
  • Relationship kind is the type of relationship between code entities
  • Number is a number that represents the order in which the instance was found (for example, 1 of 4 means first of four instances)
  • Total number is the total number of instances of this type of violation
  • Expression is a logical expression in which the number on the left is the real number of violations of the rule and the number on the right is the number (threshold) specified in the rule (for example, 5>0 might mean that five relationships were found where the rule specifies that none are allowed).

Note: The numbers in this expression may represent relationships or interfaces, depending on which was set with the count option in the usage rule. For more information on configuration of usage rules, see Syntax of the usage rules configuration file.

Example

--- Usage rule violations: Design rules ---
a.c:4:Error: no printf: a.c:{FUNCTION}a -> (undefined) :printf [FUNCTION_CALLS_FUNCTION] (1 of 2) 10>0:New:Analyze;Warning

This line means that the design rule called "no printf" was violated by function "a" from file "a.c" calling the function printf. The word "undefined" means that this function was not found inside the analyzed system (it is a system function defined in the system library). The number 10 means that there were a total of 10 violations of this rule.

The number 2 is the total number of times function printf was called from file a.c. The number 1 in "1 of 2" is the first instance of two calls that cause this violation. To print more instances (one more, in this case), use the --usage-details option. The issue was detected for the first time in this analysis and has yet to be assessed. This issue is in the category "Warning".

Filter file output reference

You can only output system build issues in filter file format with kwinspectreport --filter.

Filter file output format

Each line of the filter file represents one type of problem you want to exclude from the Klocwork output. Each line in the file has the following fields:

Path;File;Line;Position;Function;ErrorCode;Anchor;State;EnterDate;LeaveDate;Status

where

  • Path is the path to the analyzed file. It can be substituted with the wildcard "*".
  • File is the name of the file in which an error or violation that you no longer want reported was found. It can be substituted with the wildcard "*".
  • Line is the code line number at which the problem occurred. It can be substituted with the wildcard "*".
  • Position is the position of the problem occurrence within a line of code. It can be substituted with the wildcard "*".
  • Function is the name of the function or procedure in which the problem occurred. It can be substituted with the wildcard "*".
  • ErrorCode is the short name of an issue or rule. It can be substituted with the wildcard "*".
    • For metric threshold violations, use the following syntax:
    METRICS.<severity>.<name>
    where severity is W (warning) or E (error), and name is the name of the metric as defined in the first field of each line of the metric threshold violations configuration file. For example, the name of the first violation rule in the default file is "Number of lines of code of function". The error code for this violation would be, therefore, METRICS.Number of lines of code of function. The severity indicator displayed indicates whether a detected metric violation exceeded the Warning threshold or the Error threshold.
    • For usage rule violations, use the following syntax:
    ARULE.<name>
    where name is the name of the usage rule as defined in the first field of each line of the usage rules configuration file. For example, the name of the first coding rule in the default file is "do not use alloc directly or via xalloc". The error code for this violation would be, therefore:
    ARULE.do not use alloc directly or via xalloc.
  • Anchor is an internal hash value used for issue propagation. It may be empty for some types of problems.
  • State displays one of the following: New, Existing, Not in scope, Fixed or Recurred.
  • EnterDate is the date on which the record was added to the filter. The date is shown in the following format: <mmm> <dd>,<yyyy>. Example: May 26, 2005
  • LeaveDate is the date on which the record was automatically commented out of the filter file either because the issue was fixed and no longer found by Klocwork or because more than one of the match fields changed in the source code. The leave date field appears only for lines that are commented out (lines starting with #) and that have DEL in the Comment field. The date is shown in the following format: <mmm> <dd>,<yyyy>. Example: May 26, 2005
  • Status is the indicator of how the detected issue should be handled. The status of all records in the filter file is Filter and all records with this action are, by default, not shown in Klocwork outputs.

Example of full line

C:\inForceJavaDemo\src\session;DatabaseUtilities.java;56;;writeTable;METRICS.W.Number of lines of code of function;session::DatabaseUtilities::writeTable,>30;New;Oct 11, 2005;;Analyze

CSV output reference

The CSV report contains one row of comma-separated values for each source file in the project. The CSV report is different from the other Klocwork reports in that it does not reproduce the data displayed in any issue list. Instead, it contains file-level metrics.

This output is suitable for import into a spreadsheet application or your own parsing script. It is created with the --csv option of kwinspectreport.

The columns of the report are as follows:

Path: For C/C++ files, this is the file’s full path. For Java classes, this is the class’s fully qualified classname, including the package.
FileClass: The filename (C/C++) or classname (Java), without the path.
Coupling.Uses: The file’s Uses Coupling value.
Coupling.UsedBy: The file’s Used-By Coupling value.
SLOC: The file’s number of source lines of code (non-blank, non-comment).

The following five columns are the default top-level issue categories, and the value under each category is the number of errors the file contains for that category. If users create their own top-level categories, those categories have corresponding columns in this report. This is dynamic in the same way as the category reports in Klocwork Review.

Errors.issues (C/C++ projects)
Errors.Header File Problems (C/C++ projects)
Note: You must request a special extensibility package from Klocwork Customer Support to detect header file problems.
Errors.Security Vulnerabilities (C/C++ and Java projects)

The final column in the report:

Errors.UnusedEntities: A default report column included in all CSV reports, representing a "virtual" category of issues containing all issues reporting unused entities.

Note: You must request a special extensibility package from Klocwork Customer Support to detect "UNUSED" problems.
