What's New
From Insight-9.1
Klocwork is the only source-code analysis solution to combine the speed and productivity benefits of desktop source-code analysis with the power and accuracy of a system-wide analysis. With Klocwork, developers can quickly and accurately identify critical security vulnerabilities, quality defects and architectural issues right at their desktop. Built on the patented Klocwork source code analysis engine for examining C#, C++, C, and Java code, Klocwork sets the standard for serious source-code analysis.
This page covers highlights of Klocwork version 9.1. For more information, see the Release Notes.
Support for MISRA C and C++ standards
Klocwork 9.1 provides new checkers which detect violations of the MISRA C 2004 and MISRA C++ 2008 standards. See Detected MISRA-C Issues and Detected MISRA-C++ Issues for the full list of MISRA checkers.
To use these checkers, you need to download them from my.klocwork. See the readme file included with the download for details on enabling the MISRA checkers.
Once you've installed the MISRA-C and MISRA-C++ checkers, they will appear as taxonomies in the Configuration Editor in the KMC. See Setting up an organizational structure for your analysis results for how-to information.
Simplified checker configuration and reporting
With this release, we've separated reporting from build configuration. You can now view the results of your build analysis in unlimited ways.
You can organize your set of Klocwork checkers between analysis runs and make the new organizational structure immediately available for reporting in Klocwork Review. We call this organizational structure a taxonomy.
The MISRA-C and MISRA-C++ taxonomies, for example, contain different sets of checkers, but you can report on both from a single build analysis. And you can create your own taxonomies, each with a distinct set of checkers, to match your own reporting needs. Any particular checker can appear in multiple taxonomies; many of the checkers in the MISRA-C taxonomy, for example, also appear in the MISRA-C++ taxonomy.
Here's an image of the KMC's Configuration Editor, showing the default taxonomies, plus a few custom taxonomies. It also shows the new Search pane, which you can enable with <Ctrl+F>:
If you're used to a previous version of Klocwork, how does this affect how you work?
- The Configuration Editor built into the KMC is much more powerful. See Setting up an organizational structure for your analysis results for how-to information.
- You can create multiple taxonomies for a single project, specifying which categories and checkers should appear in each. You no longer need to set up multiple .pconf.xml files to enable reporting on multiple standards.
- A new field for issue types, labeled Reference (shortened to Ref on the desktop), provides the rule number in the case of the MISRA checkers. For other checkers, you can use this field to add cross-reference information. For example, if you create a taxonomy to report on compliance with the CWE standard, you can add the CWE ID to the Reference field. This reference information is taxonomy-specific, meaning that you can add different information for the same checker in different taxonomies.
- You can search for issue types, which makes it a lot easier to copy and paste them into custom taxonomies. Enable the new Search pane with <Ctrl+F>.
- When you edit and save the configuration at the system or project level, you'll be asked whether you want to update the configuration in the database, so that your changes will be immediately visible in Klocwork Review. (The caveat here, of course, is that if you enable a checker, you'll need to run an analysis to see results from that checker.)
- .pconf.xml files created in earlier versions of Klocwork are still supported.
- On the desktop, you can filter issues by taxonomy. This allows you to focus only on violations of a particular standard, for example. See Filtering issues on the desktop.
- Reporting in Klocwork Review is streamlined. You can select one or more taxonomies in your scope settings to report on for each build analysis. See Setting up taxonomy-specific reporting and issue management in Klocwork Review for more information.
- Note that you can no longer filter by issue type on the desktop, or scope by issue type in Klocwork Review. See Tutorial - Creating a taxonomy and viewing the results for a walk-through that explains how you can use taxonomies to accomplish the same thing.
Improved C# support
Integration build analysis now supported for C#
C# analysis is now supported for integration projects.
A new project parser, kwcsprojparser, converts Visual Studio project files into a build specification, allowing you to integrate your native build with Klocwork. You then pass the build specification to kwbuildproject or the KMC to run the integration build analysis.
You can use Klocwork Review to view the results of the integration build analysis, including reports. Synchronization between the desktop tools and the integration project ensures that whether issues are cited on the desktop, in Klocwork Review, or in Klocwork Inspect, your development team will always see up-to-date citing information.
How do I get started?
- For pure C# projects, Klocwork administrators can start with Quick-start - Setting up an integration project for developers to connect to.
- For mixed C/C++ and C# projects, get started with the special instructions in Analyzing mixed C/C++ and C-sharp projects.
Connected desktop for C# developers
In previous releases, Klocwork supported only standalone desktop mode for C# projects. With this release, Klocwork introduces the C# connected desktop, allowing development teams to share citing information for detected issues.
C# analysis on the desktop is supported for Visual Studio 200x. For those who build outside Visual Studio, a new project parser, kwcsprojparser, converts Visual Studio project files into a build specification, allowing you to integrate your native build with Klocwork.
How do I get started?
- For pure C# projects, Visual Studio users can start with Using Klocwork for C# in Visual Studio 200x.
- For mixed C/C++ and C# projects, you'll need to connect your desktop solution with two integration projects, as described in Getting Started in Visual Studio 200x for C-sharp projects.
Use Klocwork Desktop remotely
Klocwork Desktop brings issue management to the desktop for C/C++ developers who access their source and compile remotely, using gVim or Emacs (or other text editors or IDEs that Klocwork doesn't currently support with plug-ins).
Klocwork Desktop's new remote mode provides a GUI to review and investigate analysis results and cite issues when you access your development environment through a remote connection, tunneled with SSH or similar remote access utilities.
An issue notification alerts you anytime a new issue is detected in your development environment.
For more information, see Using Klocwork Desktop remotely.
Easier, more effective code reviews
Klocwork Inspect 2.1 includes usability and performance improvements, as well as some cool new features.
Improved feeds
Previously, each feed (which we called a "filter" in version 2.0) could contain only one condition. Now feeds can contain multiple conditions, so for example, you can set up a single feed to monitor your entire team and all the modules your team is responsible for.
You can subscribe to RSS for each feed you set up, rather than one RSS for everything.
We've created two default feeds: "home", which shows you everything related to you, and "all", which shows you everything that is happening in your organization.
And of course, you can still set up a feed to monitor any combination of users and directory paths.
Cite Klocwork detected issues while reviewing code
The 2.0 release of Klocwork Inspect allowed you to display locally detected Klocwork issues right in your pre-checkin code review. Now you can cite those issues too: you can indicate how they should be handled by assigning a status and adding a comment.
Issue citing can promote conversation within a code review. Let's say that I change the status of an issue that Klocwork detected in my code to Ignore, and then I set up a pre-checkin code review. Reviewers will see this issue, and they can examine the traceback information, leading to a deeper view of the code. If a reviewer disagrees with the way I've handled the issue, they can change its status right in Klocwork Inspect. The new status, as well as any comments, will be synchronized with the server project, Klocwork Review, and the connected desktops.
Issue citing in Klocwork Inspect also gives kwcheck users an alternative to Klocwork Desktop. Once you've run an analysis with kwcheck, you can run kwcodereview, and you'll get a URL that takes you straight to your detected issues in Klocwork Inspect.
Improved traceback
The traceback information for detected Klocwork issues is now much more intuitive.
- A collapsible left-side panel provides a bird's-eye view of the issue.
- Trace lines are shown in the code as comments, and code indenting for those trace lines is now preserved for enhanced readability.
- Events, conditions and the actual issue trace line in the code are all highlighted.
- "Show more" links allow you to scroll through your source code.
See Using traceback information to investigate detected issues for more information.
Searching
If you wanted to find something in Klocwork Inspect v2.0, you had to set up a filter. Now you can perform full-text or keyword searches for revisions, actions and comments.
Load only recent revisions of a project
Previously, when initially importing your project's SCM data for post-checkin reviews, all revisions were loaded. The new --revision option of kwscm allows you to specify which revision to use as a starting point for code reviews. Klocwork Inspect will load older revisions of the project on demand.
One thing to note here is that a search will retrieve information only from the revisions that have been explicitly loaded.
Getting started with Klocwork Inspect
Go to Reviewing code to get started with code reviews.
Issue highlighting for continuous analysis in Visual Studio
When issues are detected during continuous analysis, you'll see them highlighted directly in your Visual Studio editor. Icons are available in your left and right margins and you can navigate from one issue to another and back using the markers on the right. Left margin icons and highlighting in the editor itself can be disabled or enabled in Visual Studio.
For more information about these issue markers, see Getting started in Visual Studio 200x for C/C++ projects.
C/C++ refactoring in Vim
If you write C/C++ code in Vim or gVim 7.2 or later, you can refactor right in your editor. See Refactoring for C/C++ in Vim for how-to information.
New C/C++ compilers supported for build integration
The IAR Systems ARM compiler is now supported (common compiler names iccarm and ilinkarm). For the full list of supported compilers, see C/C++ compilers supported for build integration.
Support for IntelliJ IDEA 9.0
Klocwork for Java now supports IntelliJ IDEA 9.0.
Improvements to detected issues
From release to release, Klocwork improves issue detection to bring state-of-the-art capabilities to our customers. As a result, expect your issue detection results to change from release to release, as accuracy and coverage improve.
This section describes the improvements made to Klocwork issue detection in this release. Information here can help you plan your upgrade.
Changes to detected issue counts due to conversion of categories to taxonomies
As part of Simplified checker configuration and reporting, when migrating a projects_root directory to version 9.1, custom categories will be converted to taxonomies.
Similarly, saved Klocwork Review scopes based on custom categories will be migrated to scopes based on the closest-matching taxonomy.
During migration, detected issues will be matched by top-level category:
- If an issue type's top-level category matches one of the default 9.1 taxonomies (C and C++, C# or Java), the issue type will be assigned to that taxonomy.
- If an issue type's top-level category doesn't match one of the default 9.1 taxonomies, a new taxonomy will be created with the same name as the category.
As a result, the total numbers of detected issues may change upon migration.
New C/C++ code issues
We've developed many new checkers to detect violations of the MISRA C and MISRA C++ standards. For the full list, see Detected MISRA-C Issues and Detected MISRA-C++ Issues.
Additionally, five new checkers have been introduced as part of the larger ABR/ABV checker family:
- Three of these checkers, in the ABV.UNICODE series, detect buffer overrun errors by analyzing the parameters of two specific Windows C/C++ Unicode and character set functions:
  - MultiByteToWideChar, and
  - WideCharToMultiByte
- Two of these checkers, NNTS.MIGHT and NNTS.MUST, reduce the false positives that resulted when the engine couldn't calculate the real size of the buffer. Note that these two checkers replace the previous NNTS checker.
| Code issue | Description |
| --- | --- |
| ABV.UNICODE.FAILED_MAP | You'll see this issue in either of the Windows C/C++ Unicode and character set functions, MultiByteToWideChar or WideCharToMultiByte, when: |
| ABV.UNICODE.BOUND_MAP | You'll see this issue when either of the Windows C/C++ Unicode and character set functions, MultiByteToWideChar or WideCharToMultiByte, incorrectly checks buffer boundaries. |
| ABV.UNICODE.NNTS_MAP | You'll see this issue when either of the Windows C/C++ Unicode and character set functions, MultiByteToWideChar or WideCharToMultiByte, does not null-terminate an output string automatically. |
| NNTS.MIGHT | This Non-null Terminated String (NNTS) checker reports possible buffer overflow errors due to an improperly terminated string. NNTS.MIGHT is reported when the information required to diagnose the buffer overflow can't be evaluated, for example because the character length of the argument is unknown. |
| NNTS.MUST | This NNTS checker reports array bounds violations that result when a buffer was not properly zero-terminated and was passed into a function that assumes the buffer is zero-terminated. |
For a complete list of C/C++ code issues detected by Klocwork, see Detected C/C++ Issues.
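To make the defect class behind these checkers concrete, here is an added C example; it is not Klocwork code and not one of its checkers. It shows the unterminated-buffer pattern NNTS.MUST reports (strncpy with a count equal to the whole buffer), a hardened copy that always terminates, and a widening wrapper that performs the three checks the ABV.UNICODE checkers look for: the conversion's failure return is checked (FAILED_MAP), the output size is passed as an element count rather than a byte count (BOUND_MAP), and a terminator is written even when the output buffer fills (NNTS_MAP). MultiByteToWideChar and WideCharToMultiByte are Windows-only, so the wrapper is written over the portable mbstowcs, which has the same size-in-elements and no-automatic-terminator contract; that substitution, and all function names here, are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Returns 1 if a '\0' is present somewhere inside buf[0..size-1]. This is the
 * property NNTS.MUST is about: a buffer handed to strlen/printf must carry a
 * terminator within its own bounds. */
int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* The pattern the NNTS checkers flag: strncpy with a count equal to the full
 * buffer size writes no terminator when the source is at least that long.
 * Returns 1 when the resulting buffer is unterminated (it is, for this input). */
int demo_strncpy_unterminated(void)
{
    char raw[8];
    strncpy(raw, "0123456789", sizeof raw);   /* 8 bytes copied, no '\0' */
    return !is_terminated(raw, sizeof raw);
}

/* Hardened copy: always writes a terminator and reports truncation with 1. */
int copy_terminated(char *dst, size_t dst_size, const char *src)
{
    size_t len;
    if (dst_size == 0)
        return 1;
    len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Returns 1 when the hardened copy truncates "0123456789" into 8 bytes, leaves
 * the buffer terminated, and yields "0123456". */
int demo_copy_terminated(void)
{
    char buf[8];
    int truncated = copy_terminated(buf, sizeof buf, "0123456789");
    return truncated == 1 && is_terminated(buf, sizeof buf)
           && strcmp(buf, "0123456") == 0;
}

/* Widening wrapper (example code, mbstowcs standing in for the Windows API):
 *   - the conversion's failure return is checked           (FAILED_MAP)
 *   - dst_elems counts wchar_t elements, never bytes         (BOUND_MAP)
 *   - a terminator is written even when the output is full   (NNTS_MAP)
 * Returns -1 on conversion failure, 1 on truncation, 0 on success. */
int widen_terminated(wchar_t *dst, size_t dst_elems, const char *src)
{
    size_t n;
    if (dst_elems == 0)
        return -1;
    n = mbstowcs(dst, src, dst_elems);
    if (n == (size_t)-1) {          /* invalid multibyte sequence */
        dst[0] = L'\0';
        return -1;
    }
    if (n == dst_elems) {           /* output filled: mbstowcs stored no L'\0' */
        dst[dst_elems - 1] = L'\0';
        return 1;
    }
    return 0;                       /* mbstowcs stored the terminator itself */
}

/* Returns 1 when widening "hello" into 4 elements truncates to L"hel" and
 * widening "hi" succeeds untouched. Note the element count is derived from
 * sizeof w / sizeof w[0]; passing sizeof w (bytes) is the BOUND_MAP mistake. */
int demo_widen(void)
{
    wchar_t w[4];
    int r1 = widen_terminated(w, sizeof w / sizeof w[0], "hello");
    int ok1 = (r1 == 1) && wcscmp(w, L"hel") == 0;
    int r2 = widen_terminated(w, sizeof w / sizeof w[0], "hi");
    int ok2 = (r2 == 0) && wcscmp(w, L"hi") == 0;
    return ok1 && ok2;
}

int main(void)
{
    printf("strncpy left buffer unterminated:   %d\n", demo_strncpy_unterminated());
    printf("hardened copy terminated+truncated: %d\n", demo_copy_terminated());
    printf("widening wrapper behaves:           %d\n", demo_widen());
    return 0;
}
```

The truncation return values are what a caller should act on; silently truncating is safer than overrunning, but a checker like NNTS.MIGHT exists precisely because the analyzer often cannot prove which of the two a given strncpy will do, so wrappers that make termination unconditional remove the ambiguity at the source.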
Changed C/C++ checkers
| Code issue | Description |
| --- | --- |
| NNTS | This issue type has been split into two new issue types: NNTS.MIGHT and NNTS.MUST. Because these two new checkers have been improved compared with the previous NNTS checker, some of the issues previously reported as NNTS will not be migrated to the two new issue types. The issue status of these reported issues will change to "Not in scope". |