GUI: Warning Report

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

General

GUI Reference: Warning Report

Full information about a single warning that has been issued by one or more CodeSonar analysis runs.

Central to each warning report is an annotated code excerpt that is interactive and navigable.

For descriptions of all the information stored about a CodeSonar warning, see Properties of a Warning.

Warning reports are available for all warnings, independent of the language or languages involved.

Navigating to
Page Properties
Contents and Usage
Annotations
Interaction and Navigation
Navigating from
Related Tasks

Important Note: the CodeSonar Web GUI makes extensive use of JavaScript. Make sure JavaScript is enabled in your web browser.

Navigating to

The Warning Report page for a specific warning can be reached in any of the following ways.

From Analysis:	Click any line in the warning table to navigate to the corresponding Warning Report. The Warning Report will include browse sequence navigation links, and the originating Analysis page is the establishing page for the browse sequence.
From Warning Search Results:	Click any line in the warning table to navigate to the corresponding Warning Report. The Warning Report will include browse sequence navigation links, and the originating Warning Search Results page is the establishing page for the browse sequence.
From Warning Report (within a warning browse sequence):	Click the <Prev (or Next>) browse sequence navigation link to navigate to the Warning Report for the previous (or next) warning in the sequence.
From Explore Callers:	Click the View Path button.
From Search Callers results:	Select warning report from an expanded table entry.
By URL:	Two URL forms: http://hub_location/warninginstance /instance_id.html is the warning report for the specified warning instance. http://hub_location/warningreport /group_id.html redirects to the warning report for the overall representative instance of the specified warning group. In particular, this will be the most recent instance of the warning (or one of the most recent instances, if several were issued by the same analysis).

Page Properties

Output formats

SARIF, XML (warning_report.xsd), text

Visibility Filter Applied

Visible Warnings

RBAC Permissions Needed

Page Access	ANALYSIS_READ ANALYSIS_WARNING_READ G_LIST_PROPERTIES G_LIST_USERS
Page Contents/Functionality	ANALYSIS_ANNOTATE ANALYSIS_OWN_WARNINGS ANALYSIS_WARNING_EXISTS G_FINDING_ADD G_PRIORITY_ADD G_SIGN_IN G_STATE_ADD WPROCESSOR_EXECUTE WPROCESSOR_EXISTS

Contents and Usage

The following annotated screenshot shows the various parts of a Warning Report page.

Annotated Screenshot: Warning Report Page

Standard Header

See CodeSonar GUI Reference: Standard Header. The highlight legend is available.

Breadcrumbs

Home > [Other_ProjectTree_Ancestors >] Project_Name > Analysis_Name > Warning Warning_ID

Home	Links to the GUI Home page.
Other_ProjectTree_Ancestors	Together with the Home link (corresponding to the root project tree), represents the project tree ancestors of the analyzed project as a >-separated sequence of project tree names. Each name links to the corresponding Project Tree page.
Project_Name	Links to the GUI Project page for Project_Name, which is the project that was analyzed.
Analysis_Name	Links to the GUI Analysis page for Analysis_Name.
Warning_ID	The identifier for the warning: unique within the hub.

Page Heading and Links

screenshot fragment: page heading and links

Browse Sequence Navigation Links	*< Prev (Warning num_w* of num_total) Next >** Provide navigation within the current warning browse sequence. If the Warning Report does not belong to a browse sequence, these links are not shown. For full details, see Warning and File Browse Sequences: Navigating Browse Sequences.
Page Heading	**Warning_Class at File_Name:line_num** where: Warning_Class is the warning class of the warning described on the page. File_Name:line_num links to line line_num of file File_Name (which is the warning location) in the annotated code excerpt.
Warning Location Link	jump to warning location ↓ is another link to line line_num of file File_Name in the annotated code excerpt.

Warning Properties and Details

screenshot fragment: warning properties and details

In its unexpanded form, this part of the page consists of two lines.

The first line summarizes the current values of the warning's user-controlled properties: Owner, Priority, State, Finding, and Notes. To modify any of these values, click edit properties and use the Change Warning form as described below.

The second line contains a warning details... link. Click the link to show a table of basic information about the warning.

Menu Bar

The menu bar provides two menus: Show Events and Options.

Show Events Menu	Select an item from this menu to expand the specified set of annotations (and hide all others). All events. Expand all data annotations and all control flow annotations. Only primary events. Expand the data annotations that CodeSonar has determined are especially important. If you have selected Show control events by default in the Options menu, every control flow annotation in the report will also be expanded.
Options Menu	The Options menu items are as follows. Jump to warning location by default. When selected, Warning Report pages will be automatically scrolled to the warning location when they are loaded. Show control events by default. When selected, all control flow annotations will be treated as "primary events": they are displayed by default, and when Only primary events is selected. Show other warnings. When selected, CodeSonar will display additional annotations at locations in the code excerpt where other warnings were issued (if any). Each annotation specifies the class and location of a warning, and provides a link to the associated warning report: This setting is not persistent: it is always deselected when you navigate away from the page. Show line numbers. When selected, line numbers will be displayed to the left of the code excerpt. When deselected, no line numbers are displayed. Wrap lines. When selected, lines in the excerpt will wrap to fit the browser window, as will all annotation text. When deselected, no wrapping will occur and it may be necessary to scroll across to see all code and annotations. With the exception of Show other warnings, CodeSonar will remember your settings and apply them to all warning reports. If you are logged in, the settings will be associated with your username and will still be applied the next time you log in. Otherwise, they will be applied for the remainder of your user session.

Show Events Menu

Select an item from this menu to expand the specified set of annotations (and hide all others).

All events. Expand all data annotations and all control flow annotations.
Only primary events. Expand the data annotations that CodeSonar has determined are especially important. If you have selected Show control events by default in the Options menu, every control flow annotation in the report will also be expanded.

Options Menu

The Options menu items are as follows.

Jump to warning location by default. When selected, Warning Report pages will be automatically scrolled to the warning location when they are loaded.
Show control events by default. When selected, all control flow annotations will be treated as "primary events": they are displayed by default, and when Only primary events is selected.
Show other warnings. When selected, CodeSonar will display additional annotations at locations in the code excerpt where other warnings were issued (if any). Each annotation specifies the class and location of a warning, and provides a link to the associated warning report:

This setting is not persistent: it is always deselected when you navigate away from the page.
Show line numbers. When selected, line numbers will be displayed to the left of the code excerpt. When deselected, no line numbers are displayed.
Wrap lines. When selected, lines in the excerpt will wrap to fit the browser window, as will all annotation text. When deselected, no wrapping will occur and it may be necessary to scroll across to see all code and annotations.

With the exception of Show other warnings, CodeSonar will remember your settings and apply them to all warning reports. If you are logged in, the settings will be associated with your username and will still be applied the next time you log in. Otherwise, they will be applied for the remainder of your user session.

Annotated Code Excerpt

The annotated code excerpt shows the context in which the warning was issued. CodeSonar provides additional information to explain the conditions leading to the warning and aid in diagnosis:

Path Name	Provided at the top of the excerpt. Click to navigate to the Source Listing for the file.
Line Numbers	Correspond directly to line numbers in the file. Visibility is controlled by Show line numbers in the Options menu.
Explanation Information	Significant locations in the excerpt are annotated. All warnings have a warning description box summarizing the issue and the reason or reasons that it has arisen, with links to the code locations and annotations that are especially important. Depending on the class of the warning, there may also be data annotations and control flow annotations. Other warning annotations and parse error annotations will be shown if applicable. Full descriptions of the various annotations are provided in GUI Reference: Warning Report Annotations.
Source Coloring and Interaction	The code excerpt includes standard source coloring and hyperlinking. Along with syntax coloring, the source excerpt has background coloring to aid in interpreting the warning. Basic highlighting identifies code that is particularly relevant to the warning. If the warning is associated with an execution path, the highlighting shows the code on the warning's core path. For example, sometimes both parts of an if statement are highlighted because the statement is nested inside a loop, and the if condition evaluated to "true" in some iterations of the loop and "false" in others. (Use the control flow annotations to determine control flow in the last iteration.) In an extended warning report, the highlighting also shows a user-specified path into the core path. Red highlighting is used by some warning classes to identify the precise location at which the warning was issued. This is especially useful if the warning is issued at a source line that contains multiple statements.
Information Window	The Information Window is available and will interact with any function, variable, macro, or type name in the source excerpt.

Change History (if any)

The sequence of comments attached to this warning (shared by all warnings in a group). These consist of all the user Notes added to the group, plus all the messages automatically generated by CodeSonar when a user changes the Priority, State, Finding, or Owner for the warning group.

To add a new comment, scroll to the Change Warning form and proceed as described below.

Related Warning Notifications (if any)

Notifications and links for other warnings related to this one. Two kinds of relationship are described: warning groups and warning clusters.

Warning Groups	There are three possible warning group membership cases. The warning is the overall representative instance of its warning group, and there are no other instances in the group the same analysis (there may be instances in other analyses). No warning group notification; the Change Warning form is present. The warning is the overall representative instance of its warning group, and there are other instances of the group in the same analysis. A notification of the form Because they are very similar, this warning shares annotations with <id_list>. <id_list> lists the warning IDs for warning instances in the same group and the same analysis. Each Warning ID links to the corresponding Warning Report. The Change Warning form is present. The warning is the not the overall representative instance of its warning group. A notification of the form Because they are very similar, this warning shares annotations with <id_list>. CodeSonar has selected <overall_rep> to represent this group of similar warnings. In order to edit this group, you must edit <overall_rep>. or Because they are very similar, this warning shares annotations with <id_list>. This warning is old and has been superceded by<overall_rep>. These warnings share user annotations. Please edit <overall_rep>. <id_list> lists the warning IDs for warning instances in the same group and the same analysis. <overall_rep> is the warning ID for the overall representative instance for the group. If it is in a different project to the current instance, CodeSonar will note the project. Each Warning ID links to the corresponding Warning Report. The Change Warning form is not present.
Warning Clusters	There are two possible warning cluster membership cases. The warning belongs to a singleton warning cluster. No cluster notification (any instances in the same cluster are also in the same warning group). The warning belongs to a non-singleton warning cluster. A cluster notification of the form <class_name> warnings <id_list> (view all related) occurs on a line matching that of this warning. These warnings do not share annotations by default, but may be related. The warning IDs in <id_list> link to the corresponding Warning Reports. view all related links to the Warning Cluster page for the cluster.

Warning Groups

There are three possible warning group membership cases.

The warning is the overall representative instance of its warning group, and there are no other instances in the group the same analysis (there may be instances in other analyses).
No warning group notification; the Change Warning form is present.
The warning is the overall representative instance of its warning group, and there are other instances of the group in the same analysis.
A notification of the form
Because they are very similar, this warning shares annotations with <id_list>.
- <id_list> lists the warning IDs for warning instances in the same group and the same analysis.
- Each Warning ID links to the corresponding Warning Report.
The Change Warning form is present.
The warning is the not the overall representative instance of its warning group.
A notification of the form
Because they are very similar, this warning shares annotations with <id_list>.
CodeSonar has selected <overall_rep> to represent this group of similar warnings. In order to edit this group, you must edit <overall_rep>.
or
Because they are very similar, this warning shares annotations with <id_list>.
This warning is old and has been superceded by<overall_rep>. These warnings share user annotations. Please edit <overall_rep>.
- <id_list> lists the warning IDs for warning instances in the same group and the same analysis.
- <overall_rep> is the warning ID for the overall representative instance for the group. If it is in a different project to the current instance, CodeSonar will note the project.
- Each Warning ID links to the corresponding Warning Report.
The Change Warning form is not present.

Warning Clusters

There are two possible warning cluster membership cases.

The warning belongs to a singleton warning cluster.
No cluster notification (any instances in the same cluster are also in the same warning group).
The warning belongs to a non-singleton warning cluster.
A cluster notification of the form
<class_name> warnings <id_list> (view all related) occurs on a line matching that of this warning.
These warnings do not share annotations by default, but may be related.
- The warning IDs in <id_list> link to the corresponding Warning Reports.
- view all related links to the Warning Cluster page for the cluster.

Change Warning Form

You can do any combination of the following with the Change Warning form.

Change the Priority, State, Finding, or Owner for the warning group
Apply one or more warning processors.
Append a Note to the change history.

Note: You must be signed in to edit a Warning Report page. If you are not already signed in, you will be asked to sign in after you click Save changes.

Scroll down to the Change Warning section, or click edit properties in the warning properties section to navigate directly to the form.
If the warning is one of several in a warning group, there are two possibilities.
- If it is the overall representative instance for the group, CodeSonar will list the other analysis warnings in the group at the top of the Change Warning form, noting that these warnings share annotations.
- If it is not the overall representative instance, CodeSonar will provide a link to that instance instead of fields for changing the warning. Click the link to navigate to the representative instance, and make your changes on that page.
If the warning belongs to a non-singleton warning cluster, CodeSonar will list the other warnings in the cluster at the top of the Change Warning form, noting that these warnings "do not share annotations by default, but may be related".
If you wish to annotate all warnings in the cluster:
1. Click the view all related link to navigate to the corresponding Warning Cluster page.
2. Inspect the warnings in the Warning Cluster table to make sure you want to apply the same annotations to all of them.
3. If so, use the Change Multiple Warnings functionality on that page to annotate some or all of the warnings in the cluster.
  Otherwise, use your browser's Back button to

Make your desired changes.

Priority, State, Finding	Select new values from the pull-down menus. To specify a new, custom value for Priority, State, or Finding: Select Other... from the appropriate pull-down menu. Enter a name for your new value in the text field that appears under the menu.
Owner	Select a new value from the pull-down menu. If you are modifying a previously-unmodified warning and do not set an Owner, the warning will be assigned to you unless automatic assignment is disabled.
Warning Processors	If any warning processors are available for application, a labeled checkbox for each processor will be displayed after the Priority, State, Finding, and Owner menus. Check the box next to each processor you want to apply. Some installed warning processors may not be displayed. A warning processor will only be displayed if: you have both WPROCESSOR_EXISTS and WPROCESSOR_EXECUTE permissions for that processor, and the processor's display script makes it available in the current context. A warning processor can only change a warning's Owner to a user who has ANALYSIS_OWN_WARNINGS permission for this analysis.
Note	Enter a new note in the Note field.

Save your changes.
- Click Save changes to save your changes and reload the current Warning Report.
- Click Save and Next to save your changes and load the next Warning Report in the current warning browse sequence. (If the current Warning Report does not belong to a warning browse sequence, this button will not be available.)
Only signed-in users can save changes to the hub: if you are not already signed in when you click Save changes or Save and Next, CodeSonar will ask you to Sign In before saving your changes.
If the warning belongs to a non-singleton warning cluster, CodeSonar will display a message suggesting that you may also wish to annotate the other warnings in the cluster. Click the link in the message to navigate to the corresponding Warning Cluster page, where you can inspect and annotate the other warnings.

Automatic Assignment

When automatic assignment is enabled and a user makes changes to a warning that has never previously been modified, that user will be made the Owner of the warning unless their modifications include setting an Owner.

By default, automatic assignment is enabled. To disable automatic assignment:

Navigate to the Change Warnings section of a Warning Report page.
Click the "?" link next to Auto-Assign Enabled (on the same line as the Owner selector).
The page will expand to display some information about automatic assignment, along with a checkbox for enabling automatic assignment.
Deselect the checkbox.

To re-enable, follow the same process but select the checkbox.

Disabling for automatic assignment is managed through browser cookies with an expiry time of 7 days. Therefore:

Enabling and disabling take effect as soon as you change the setting.
Automatic assignment will be re-enabled after a week.
If you clear your cookies, automatic assignment will be re-enabled.
If you wish to disable automatic assignment, you will need to go through the process outlined above:
- every 7 days,
- for every browser you use,
- on every machine you use.

Standard Footer

See CodeSonar GUI Reference: Standard Footer.

Annotations

Warning Reports have annotations at program points that are particularly relevant to the warning, along with annotations for locations in the code excerpt that are important for reasons unrelated to the warning. These annotations are described in GUI Reference: Warning Report Annotations.

Interaction and Navigation

Code excerpts in warning reports provide the following functionality in addition to the standard Source Coloring and Interactivity provided in the CodeSonar GUI.

Element	Interaction
Function call sites	For warnings associated with paths, function call sites along the path can be expanded to show the code for the called function. Click the [+] symbol to expand the associated call site inside the current page; click the [-] symbol to collapse an expanded item. Call site expansion is not provided for library functions and undefined functions.
Macros	To expand a macro definition, click the macro name and select Expand macro definition from the menu that opens. Click the [hide] link in the top right corner of the expansion box to close it, or click the macro name a second time and deselect Expand macro definition.
and	When CodeSonar is displaying only part of a file, and links allow you to extend the excerpt further back and forward, respectively. This is especially useful if you want to see additional context. Refresh the browser window to revert to the excerpt selected by CodeSonar.
	CodeSonar will sometimes elide code from inside an excerpt, replacing it with a note stating which lines have been removed. Lines on the warning's core path will never be elided. Click the link to expand the elided code. Refresh the browser window to revert to the excerpt selected by CodeSonar.

Navigating from

navigate within the code fragment	See Interaction and Navigation above, along with Source Coloring and Hyperlinking.
view the full source listing for the file containing the warning	Click the file name at the top of the annotated code excerpt.
view a CWE weakness description on the CWE web site	Click the CWE ID in the Categories field of the expanded warning details table.
view the warning class description in the CodeSonar manual	Click one of the following. The warning mnemonic in the Categories field of the expanded warning details table. The context-sensitive help link in the page heading. The context-sensitive help link in the warning description box heading.
navigate within the current warning browse sequence (if any)	See Warning and File Browse Sequences: Navigating Browse Sequences.
explore the warning's call paths in the explore callers page	Click the graphical (lite) link in the in the Explore Callers field of the expanded warning details table.
explore the warning's call paths in the search callers page	Click the tabular link in the in the Explore Callers field of the expanded warning details table.
view the warning cluster page associated with the warning	(Only available if the warning belongs to a non-singleton cluster.) Click the view all related link in the cluster notification.

Related Tasks

To report problems with this documentation, please visit https://support.codesecure.com/.