Warning Group Scope

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

General

Warning Group Scope

The scope of a warning group specifies the extent to which the group (and its associated properties and annotations) is shared across a hub. This section describes the effects of warning group scope, how scope is determined, and how to specify the scope for new warning groups.

Introduction
How It Works
Example
Changing Warning Group Sharing
Interactions with Other Functionality

Introduction

All warning groups have either global scope or project scope.

A warning group with global scope (or hub scope) may have instances from multiple projects.
Global-scoped warning groups are useful when different projects share common code and you want to avoid duplication of effort in examining warnings from that code. They are also useful when you are analyzing variations of the same code under multiple project names: whether deliberately (for example, because of a code branch) or accidentally (because of an error in specifying project name).
A warning group with project scope is associated with a specific project P, and instances of the warning group can only be issued by analyses of P. A project-scoped warning group associated with project P may be referred to as P-scoped.
Project-scoped warning groups are useful when you want to enforce strict separation between different projects, even if they have some code in common.

(In CodeSonar 3.7 and earlier, all warning groups were project-scoped.)

Warning group scope is extremely closely related to a hub's warning group sharing setting:

A warning group's scope is established at the time the group is created and does not subsequently change.
The warning group sharing setting specifies the scope for newly created warnings on a hub.

If a hub's group sharing setting is established before any analyses are carried out, and not subsequently changed, all warning groups on the hub will have the same scoping level.

If sharing is ON:
- All warning groups have global scope.
- All warning instances with the same fingerprint are assigned to the same group, even if they are issued by analyses of different projects.
If sharing is OFF:
- All groups have project scope.
- There may be multiple warning groups with the same fingerprint: one project-scoped group for every project that has instances with that fingerprint.
(If the sharing setting has been changed back and forth as projects are analyzed there will generally be some mixture of global- and project-scoped groups, which can lead to user confusion. We therefore recommend establishing the group sharing setting early in a hub's lifetime and leaving it unchanged thereafter.)

How It Works

Suppose an analysis of project P issues some warning instance w with fingerprint f. When w is submitted to the hub it is assigned to a warning group according to the following decision tree.

Is there is a project-scoped warning group G associated with P and f?
- YES: assign w to G.
- NO: is there a hub-scoped warning group H associated with f?
  - YES: assign w to H.
  - NO: is sharing ON?
    - YES: Create a new hub-scoped warning group J associated with f; assign w to J.
    - NO: Otherwise, create a new project-scoped warning group K associated with P and f; assign w to J.

Example

The following diagram illustrates group determination for warnings issued by analyses of four different projects, where the projects share some source code.

diagram illustrating warning group determination

Changing Warning Group Sharing

Group sharing is ON by default, meaning that all warning groups are hub-scoped. To change the setting, use the Share annotations between projects checkbox in the Analysis tab of the Settings page.

Uncheck the box to turn group sharing OFF.
Check the box to turn group sharing ON.

Important Note: we strongly recommend that the group sharing setting for each hub be decided early in the hub's lifetime, and then kept unchanged.

Interactions with Other Functionality

removing a project	When you remove a project, its project-scoped warning groups are deleted. Global-scoped warning groups are not deleted, even if their only instances were in that project.
removing an analysis	No warning groups are deleted when you remove an analysis.
annotation import/export	Warning group scope on both source and target hubs is an important factor: see the manual section on Importing and Exporting Annotations for full details.
warning search	Warning group scope affects the assumptions that are valid for query construction and result interpretation. In particular, because queries involving set operators return at most one instance per warning group (even if the group has multiple instances that meet the search constraints), the result set can only acknowledge one project per group. If warning groups are hub-scoped, there may have been matching instances from other projects as well. If warning groups are project-scoped, all the other instances in the group will belong to the same project.
analysis comparison	When warning groups are hub-scoped, analyses of different projects may issue instances of the same warning group. It can therefore be interesting to compare analyses of different projects, as well as comparing different analyses of the same project. When warning groups are project-scoped, it is generally only interesting to compare two (or more) analyses of the same project. Comparing analyses of two different projects will give you a result set with two disjoint components: no warning group can have instances in both projects.

To report problems with this documentation, please visit https://support.codesecure.com/.