| CodeSonar® 9.2p0 | CONFIDENTIAL | CodeSecure Inc |
CodeSonar provides HTML versions of analysis results and warning reports. This allows easy result browsing as well as a high degree of portability for warning reports.
Important Note: the CodeSonar Web GUI makes extensive use of JavaScript. Make sure JavaScript is enabled in your web browser.
In the previous step you built a project, ran the CodeSonar analysis and sent the analysis results to a hub. Now you can view the analysis report.
The analysis may still be under way when you open the analysis page. If this is the case, the page will not be fully populated and the Analysis State bar will not be full. Reload the page to see updated results. Once the analysis is completed, the Analysis State bar will be full and will contain the word Finished.
You should see a page that looks (something) like this:

This is the analysis page. By default, it will display the Warnings tab, which contains a table of all the warnings issued by the analysis. (The values in the ID column may differ from those shown here.)

The bar will expand to display the File Explorer. If you select a file in the File Explorer, the contents of each Analysis page tab will update to show only the warnings (or files, or procedures) from that file. If you select a directory, the tabs will show the warnings (files, procedures) from the tree under that directory. This is particularly useful for large projects with many source files and directories. This project only has one file, so you don't need to keep the File Explorer open.
You will see at a glance that the analysis of BasicJava.class produced several warnings, including a Null Pointer Dereference (Java) warning.
Each warning has an associated numerical Score. CodeSonar computes and reports this value to suggest a review order: review warnings with a higher Score before warnings with a lower Score.
We will review a "Null Pointer Dereference (Java)" warning first, even though it doesn't have the highest Score, because it provides a useful introduction to several Warning Report features.
This will open a new page.
In overview, the warning report page looks (something) like this:

The report heading specifies the warning class of the warning, and the location (file and line number) where the warning was issued. The location is a link: you can click it to navigate to the warning location in the source excerpt. Directly underneath the heading is a Jump to warning location ↓ link, which has the same destination.
Context-sensitive help links are provided throughout the CodeSonar GUI.
Click warning details in the report heading to see detailed information about the warning.
| Item | Description |
|---|---|
| Categories | The warning is associated with warning mnemonic JAVA.NULL.DEREF, CWE identifiers CWE:456 and CWE:476, and SEI CERT Oracle Coding Standard for Java rule EXP01-J. Each category name links to a documentation page: warning mnemonics are documented in this manual, CWE identifiers are documented at the CWE website, and CERT rules and recommendations are documented at the CERT website. |
| Warning ID | Uniquely identifies the warning to the hub. The number before the dot is the Group ID for the warning group this warning belongs to. The number after the dot is the Instance ID and is unique to this warning instance. |
| Last Modified | The last time the warning report was modified. At the moment, this is just the time that the report was issued. |
The warning report displays an annotated excerpt from the source file in which the warning was issued.
| Element | Description |
|---|---|
| excerpt header | Gives the full path name of the source file and provides Show Events and Options menus. |
| excerpt | The source excerpt is colored and annotated; the following rows describe the main annotations. |
| warning description box | An annotation at the warning location specifies the warning class and explains the problem: accessing the length field causes a null dereference. |
| primary event | CodeSonar has determined that the code at line 8 is especially important – a primary event – because it is the origin of the null value for myarr. The annotation for Event 1 is therefore displayed by default. This is a data annotation and has a yellow background. |
In most cases, events in Java warning reports are considered primary events and are displayed by default. For some languages, such as C and C++, warnings typically also have additional annotations that are hidden by default. If you will be analyzing code written in these other languages, you have two options for viewing the remaining annotations.
CodeSonar has concluded that myarr.length is a null dereference because myarr is null at the point where this field access occurs. The path is feasible because (objA!=objB) always evaluates to true.
This first warning was straightforward: myarr is set to null and then later dereferenced. It's useful for illustrating the basics of CodeSonar but is an unlikely error for a programmer to make. Even if this bug did somehow find its way into a program it would quickly cause problems and easily be found using basic debugging methods.
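The following is an added, constructed illustration of the pattern the report describes (a null array, an always-true comparison of two distinct objects, and a dereference of the array's length field), shown next to a hardened form. It is not the tutorial's BasicJava source; the class and method names are assumed.

```java
// Constructed illustration of the JAVA.NULL.DEREF pattern discussed above.
// Not the tutorial's BasicJava source. Compile and run with:
//   javac NullDerefDemo.java && java NullDerefDemo
public class NullDerefDemo {

    // Buggy form. objA and objB reference two distinct objects, so the
    // (objA != objB) branch is always taken and the null array is
    // dereferenced on a feasible path, which is what the warning reports.
    static int buggyLength() {
        Object objA = new Object();
        Object objB = new Object();
        int[] myarr = null;          // origin of the null value (the primary event)
        if (objA != objB) {          // always true for two distinct references
            return myarr.length;     // field access on null: NullPointerException
        }
        return 0;
    }

    // Hardened form: the caller supplies the array and the field access is
    // guarded by an explicit null check, so no path dereferences null.
    static int safeLength(int[] arr) {
        if (arr == null) {
            return 0;                // or reject the input, depending on policy
        }
        return arr.length;
    }

    public static void main(String[] args) {
        System.out.println("safeLength(null) = " + safeLength(null));
        System.out.println("safeLength(new int[3]) = " + safeLength(new int[3]));
        try {
            buggyLength();
        } catch (NullPointerException e) {
            System.out.println("buggyLength threw NullPointerException, as the warning predicts");
        }
    }
}
```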
To report problems with this documentation, please visit https://support.codesecure.com/.