What's New

From Insight-9.0


Klocwork is the only source-code analysis solution to combine the speed and productivity benefits of desktop source-code analysis with the power and accuracy of a system-wide analysis.

With Klocwork, developers can quickly and accurately identify critical security vulnerabilities, quality defects and architectural issues right at their desktop.

Built on the patented Klocwork source code analysis engine for examining C#, C++, C, and Java code, Klocwork sets the standard for serious source-code analysis.

This page covers highlights of Klocwork version 9.0. For more information, see the Release Notes.

Desktop

This section outlines new features and improvements to Klocwork client applications. See also Authentication for users in the Enterprise Infrastructure section.

Continuous analysis

Continuous analysis checks for issues when you access a file and when you save a file, providing automatic defect highlighting while you work in your editor.

That means that you're made aware of any pre-existing issues when you access a file and any newly injected errors when you save the file.

Continuous analysis is enabled by default. You can disable continuous analysis and manually trigger an analysis of solutions, projects, subdirectories or files.

Continuous analysis is available in:

  • Visual Studio 2005 and 2008
  • Eclipse 3.3, 3.4 and 3.5
  • Klocwork Desktop, the GUI for C/C++ developers who use kwcheck because their IDE or editor is not supported by Klocwork

Insight Pro Desktop 2.0

Klocwork Insight Pro is a separately licensed product that includes all the features of Insight Desktop, plus:

Refactoring

Refactoring options are available to you right from your editor, allowing you to quickly gauge the state of your code and improve its design without having to access separate views or dialogs.

Refactoring is available to C/C++ developers using the following Klocwork IDE plug-ins or features:

  • Visual Studio 2005 and 2008
  • Eclipse 3.3, 3.4 and 3.5

To use this feature, select code in your editor, right-click, choose Klocwork Refactoring, and select the refactoring option that best suits the situation.

You can:

  • extract methods or functions from large and unwieldy methods to create smaller and more logical functions. The newly extracted function is added to your source file, while the selected code is replaced with a call to that function.
  • introduce variables to simplify complicated expressions. Occurrences of the expression are replaced with the new variable(s).
  • inline methods to remove the overhead of an overly segmented source layout. Typical candidates for inlining are simple functions that are called from few locations but might be invoked frequently at runtime, such as from an inner loop, and which benefit most from removing the overhead of the function call. This involves placing the method's body into the body of its caller(s) and removing the method.
  • rename entities whose scope is file-local, in order to make your identifier names more meaningful.

Klocwork Inspect

Klocwork Inspect is a web-based application that makes it easier to improve code maintainability and quality. Your Klocwork Inspect feed page is your conduit to establishing dynamic, event-based, asynchronous pre- and post-checkin code reviews.

There's no need for code printouts or meetings. You can simply view the latest revisions available on your home page or invite participants to an informal review by sending a link to the revision of interest.

Pre-checkin reviews allow developers to upload files they're currently working on to Klocwork Inspect. For pre-checkin reviews, Klocwork Inspect provides a diff view comparing code currently under development with the previously checked-in version. Pre-checkin reviews leverage Klocwork desktop analysis, flag detected issues and provide traceback for locally modified code.

The diff tool provides a merged view or side-by-side file comparisons.

Comments added to the code become threaded conversations among reviewers. Action items that arise from reviews are also captured. Automatic feeds notify developers of new revisions to the project, comments that have been made, and any action items that require attention.

Automatic feeds on the feedback dashboard alert you when:

  • new revisions are available
  • pre-checkin reviews have been launched
  • comments have been made
  • action items arising from the review have been assigned to you or actions you assigned to others have been completed

Use filters to customize your feed page to focus on files checked in by specific users or on parts of the code base that are of particular interest to you. You can subscribe to the RSS feed to retrieve the latest revisions, actions and comments.

While Klocwork Inspect provides syntax highlighting for C/C++, C#, Java and XML, any file regardless of language can be reviewed in Klocwork Inspect.

For more information, see Reviewing code.

Support for C# 3.0

Klocwork for C# in Visual Studio .NET 2008 now supports C# 3.0 (within the .NET 3.5 framework).

Traceback improvements

Traceback now available for unreachable code issues

With this release, traceback is now available for detected unreachable code issues (UNREACH.GEN and UNREACH.RETURN) in Klocwork client tools.

Previously, Klocwork detected unreachable code issues, but traceback wasn't provided for these C/C++ issues.

Traceback identifies statements in the code that contribute to detected issues and allows you to navigate through your source code.

Specifically, traceback for these issue types indicates why code is unreachable in these two situations:

  • the code occurs after a call to a function that will never return
  • the code is in a path that has an infeasible precondition

To show why a condition on a path to unreachable code is considered infeasible, traceback for UNREACH issues contains:

  • events for calculated conditional expressions, and
  • the inferred values of the variables that are used in them

The traceback example below shows unreachable code because of an infeasible 'or' condition:

Image:Unreach_traceback_5_big_pic.png

UNREACH issues are disabled by default. To view detected UNREACH issues, along with their new traceback feature, you must enable them in your issue profile for your integration build analysis or desktop analysis.
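To make the two situations concrete, here is a constructed C example added for this page (not Klocwork's own sample code; MAX_LEN, die and check_len are invented names): one statement is unreachable because it follows a call to a function that never returns, and another is guarded by an 'or' condition that the earlier return has already made infeasible.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_LEN 256u   /* constructed limit for this example */

/* Reports the error and terminates; control never returns to the caller. */
static void die(const char *msg)
{
    fprintf(stderr, "fatal: %s\n", msg);
    exit(EXIT_FAILURE);
}

/* Validates a message length and returns the number of bytes to copy, or -1.
 * Two statements below can never execute:
 *  - "return -2" after die(): die() never returns (first situation above);
 *  - the body of the repeated 'if': after the first check has returned, the
 *    analyser infers 1 <= len <= MAX_LEN, so "len == 0 || len > MAX_LEN" is an
 *    infeasible 'or' condition (second situation). A traceback would list the
 *    evaluated condition and those inferred values. */
int check_len(const unsigned char *buf, unsigned len)
{
    if (buf == NULL) {
        die("null buffer");
        return -2;                      /* unreachable: die() does not return */
    }

    if (len == 0 || len > MAX_LEN)      /* traceback: condition evaluated */
        return -1;

    /* traceback: inferred 1 <= len <= MAX_LEN from here on */
    if (len == 0 || len > MAX_LEN) {    /* infeasible 'or' condition */
        fprintf(stderr, "bad length %u\n", len);  /* unreachable dead check */
        return -1;
    }

    return (int)len;
}
```

A dead defensive check like the second 'if' is worth a look in review: either the check is redundant, or the earlier logic is not doing what the author assumed.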

Traceback available for loops in C/C++ Path checkers

Traceback now identifies loops. The following is a list of these new events:

  • Entering loop with condition <cond>
  • Entering next loop iteration with condition <cond>
  • Loop is broken by call to 'return' function
  • Loop is broken by call to 'break' function
  • Loop is finished
  • Not entering loop (see picture below)

Image:ABR_not_entering_loop_35933_new.png

New events for buffer overflow checkers (ABR, ABV.STACK and NNTS)

Traceback now identifies events that provide more details about string handling.

The following are examples of events tracking the properties of strings:

Example 1: "Assigned to constant string"

Image:ABR_NNTS_Ex0_array_buf.png

Examples 2 and 3: "Array '<>' of size <> is retrieved from function"

Image:ABR_NNTS_Ex1_functions_strdup.png

Image:ABR_NNTS_Ex2_sprintf-PR35567.png
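The string properties these events track, as a constructed C example added for this page (not Klocwork's sample code; NAME_LEN and the function names are invented): an unterminated strncpy copy of the kind NNTS reports, beside a bounded copy and a bounded format that keep the array size and the terminator in view.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8   /* constructed fixed-size name field */

/* NNTS pattern: strncpy() pads with NULs but adds none when strlen(src) >= NAME_LEN,
 * so a later strlen() or "%s" on dst reads past the 8-byte array. */
void copy_name_unsafe(char dst[NAME_LEN], const char *src)
{
    strncpy(dst, src, NAME_LEN);
}

/* Hardened copy: always NUL-terminated; truncates and reports it instead of
 * relying on the caller's guess about the source length.
 * Returns 0 when src fit, -1 when it was cut to NAME_LEN - 1 characters. */
int copy_name(char dst[NAME_LEN], const char *src)
{
    size_t n = strlen(src);   /* for a literal, the "constant string" length */
    if (n >= NAME_LEN) {
        memcpy(dst, src, NAME_LEN - 1);
        dst[NAME_LEN - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);  /* n + 1 includes the terminator */
    return 0;
}

/* ABR pattern: sprintf() writes the whole formatted string whatever the
 * destination size; snprintf() is bounded by it. The size of the result is
 * "retrieved from" the format and its arguments, not from dst.
 * Returns the length written, or -1 when the text did not fit. */
int format_name(char dst[NAME_LEN], const char *src)
{
    int needed = snprintf(dst, NAME_LEN, "%s", src);
    return (needed >= 0 && needed < NAME_LEN) ? needed : -1;
}

/* Helpers that run the hardened functions on a caller-supplied string and
 * return the kept length, or -1 when truncation occurred. */
int demo_copy(const char *src)
{
    char field[NAME_LEN];
    return copy_name(field, src) == 0 ? (int)strlen(field) : -1;
}

int demo_format(const char *src)
{
    char field[NAME_LEN];
    return format_name(field, src);
}
```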

Klocwork Desktop allows you to change server and configuration settings

Project settings can now be changed directly from Klocwork Desktop from the new Server settings and Project configuration dialogs in Tools > Preferences.

In addition to server settings, these dialogs allow you to easily disable or enable continuous analysis or parallel analysis, and turn issues on or off.

Previously, any project settings changes (after project creation) had to be done with kwcheck.

Enterprise infrastructure

This section outlines new features and improvements to the Klocwork servers and analysis engines.

Improved synchronization performance for large projects

Connected desktop users will see faster synchronization performance, particularly for issue-status updating. Storage of detected issues for integration build analysis and desktop analysis has been changed from an XML file (problems.xml) to an embedded database.

Embedded database issue storage makes partial and full synchronization performance significantly faster, particularly for large projects containing many detected issues.

New licensing model

Klocwork 9.0 uses a simplified licensing model. See Setting up licensing for details.

Authentication for users

To enhance security when Basic, LDAP or NIS authentication is configured, all users must now be authenticated with the Klocwork Server. For GUI tools, a dialog will prompt users to log in; command-line tools will prompt users to run a new command, kwauth. Each user needs to log in only once; a token is then stored in the user's home directory. User passwords are not stored.

Improved SSL support

All Klocwork clients can now use a secure connection to the Klocwork Server. Previously, only Klocwork Review and the developer desktop tools could use a secure connection.

In addition, the process for setting up SSL is simpler; it's now a part of setting up access control with kwauthconfig. See Using a secure Klocwork Server connection for complete information on setting up both the Klocwork Server and Klocwork clients to communicate over SSL.

New state for issues which are no longer reported due to improvements in the analysis engine

Previously, false positives which were resolved due to analysis engine improvements were assigned the "Fixed" state.

Version 9.0 introduces a new state for these issues: Obsolete.

After upgrading to version 9.0 and running your first system-build analysis, you can see Obsolete issues in Klocwork Review by searching for "All Issues" in the Issue Management module.

Other Klocwork tools do not show Obsolete issues.

Project Server and Web Server combined into Klocwork Server

Prior to version 9.0, the Klocwork Server Package contained four servers:

  • Project Server
  • Database Server
  • License Server
  • Web Server

With this release, the Project Server and Web Server have been combined into one, called the Klocwork Server. With just three servers instead of four, server installation and maintenance are more straightforward. Connected desktops are now linked with the Klocwork Server instead of the Project Server.

Server discovery tool

Both the User and Server packages contain a new tool, kwdiscover, which allows users to find instances of the Klocwork Server running on their local area network. This can be helpful when users don't know the host name and port number for the Klocwork Server they want to connect to.

Electric Cloud integration supports build specification templates

The kwecbuild command now accepts a build specification template as input, in addition to a regular build specification, and allows specification of the template variables with the new --buildspec-variable option. For how-to information, see Integrating Klocwork with Electric Cloud.

Stay logged into Klocwork Review and Klocwork Inspect

Klocwork Review and Klocwork Inspect use a persistent login cookie to implement the "stay logged in" feature. When users log in with "stay logged in" checked, they won't need to log into future sessions.

New C/C++ compilers supported for build integration

The TriMedia compiler is now supported (common compiler names tmcc and tmCC). For the full list of supported compilers, see C/C++ compilers supported for build integration.

Analysis tools may use network communication for internal data storage

Klocwork analysis tools (kwbuildproject and the developer desktop tools) may use network communication for internal data exchange. No information is transmitted outside the corporate network.

User Documentation Wiki

All user documentation is now published on a wiki at

http://www.klocwork.com/products/documentation/Insight-9.0

The wiki format allows users to annotate the help with comments and questions. Anonymous browsing is allowed; if you create an account, you can contribute by editing pages. We welcome your feedback and suggestions for improvement to the wiki.

You can download single pages as PDF, or assemble multiple pages as books and download them as PDF.

A snapshot of the wiki content is included with the Klocwork installation packages, so that users without internet access can get help from the client tools and from the Klocwork Server:

http://<Klocwork-Server-host>:<Klocwork-Server-port>/documentation

Updated wiki snapshots will also be included with service releases.

Improvements to detected issues and supported metrics

From release to release, Klocwork improves issue detection to bring state-of-the-art capabilities to our customers. As a result, expect your issue detection results to change from release to release, as accuracy and coverage improve.

This section describes the improvements made to Klocwork issue detection in this release. Information here can help you plan your upgrade. See also New state for issues which are no longer reported due to improvements in the analysis engine.

Note that there are no changes to metrics in version 9.0.

New C/C++ code issues

Klocwork 9.0 finds the following new C/C++ code issue:

Code issue          Description
ABV.ANY_SIZE_ARRAY  Split from the 8.2 issue type ABR. Access to a variable-length array element is out of bounds. ABV.ANY_SIZE_ARRAY is a subtype of ABR issues for an array of unknown size that is the last element of a structure. For an example, see ABV.ANY_SIZE_ARRAY.
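A constructed C illustration of the shape ABV.ANY_SIZE_ARRAY describes, added for this page (not Klocwork's own example; the struct and function names are invented): a structure ending in an array of unknown size, an accessor that indexes it without a check, and the bounded accessor that uses the length stored beside it.

```c
#include <stdlib.h>
#include <string.h>

/* A record whose last member is an array of unknown size (a C99 flexible array
 * member). Its real length is fixed only by the allocation, so the analyser must
 * track it through the code rather than read it from the type. */
struct packet {
    size_t len;                 /* number of valid bytes in payload */
    unsigned char payload[];    /* size known only at allocation time */
};

/* Allocates a packet holding len bytes copied from src; NULL on failure. */
struct packet *packet_new(const unsigned char *src, size_t len)
{
    struct packet *p = malloc(sizeof *p + len);
    if (p == NULL)
        return NULL;
    p->len = len;
    memcpy(p->payload, src, len);
    return p;
}

/* Out-of-bounds pattern: the index is never compared with the stored length,
 * so i >= p->len reads past the allocation. This is the access shape
 * ABV.ANY_SIZE_ARRAY describes. */
int payload_byte_unchecked(const struct packet *p, size_t i)
{
    return p->payload[i];
}

/* Hardened read: bounded by the length kept next to the array.
 * Returns the byte, or -1 instead of touching memory past the end. */
int payload_byte(const struct packet *p, size_t i)
{
    if (p == NULL || i >= p->len)
        return -1;
    return p->payload[i];
}

/* Builds a three-byte constructed packet and reads index i through the
 * bounded accessor; returns the byte or -1. */
int demo_read(size_t i)
{
    static const unsigned char sample[] = { 0x10, 0x20, 0x30 };   /* constructed input */
    struct packet *p = packet_new(sample, sizeof sample);
    int v = p ? payload_byte(p, i) : -1;
    free(p);
    return v;
}
```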

For a complete list of C/C++ code issues detected by Klocwork, see Detected C/C++ Issues.

Improvements to C/C++ issue detection

Value tracking for smart pointers is improved. This change primarily affects the NPD checker.

Improvements to C# issue detection

The Klocwork analysis engine now supports version 3.0 of the C# language specification (.NET Framework version 3.5), in addition to versions 1.0 and 2.0.

For a complete list of C# issues detected by Klocwork, see Detected C-sharp Issues.
