Configuration Presets

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

Configuration Presets

Configuration presets are named combinations of configuration parameter settings that can be applied directly in the CodeSonar build/analysis command.

Overview
Applying a Preset
Presets Shipped with CodeSonar
Finding Detailed Information on a Specific Preset
Creating a New Preset

Overview

Configuration presets are named combinations of configuration parameter settings that can be applied directly in the CodeSonar build/analysis command.

Location	Each preset is located in directory $CSONAR/codesonar/presets/, with a file name of the form PresetName.conf where PresetName is the name of the preset. Any file that meets these conditions will be treated as an available preset.
Contents	Each preset is a text file containing zero or more configuration parameter settings.
Applying	Presets are applied by name (the path and the .conf file extension are implicit) as described in Applying a Preset, below.
Available Presets	CodeSonar ships with a number of presets. You can also define custom presets and modify existing presets.
Precedence	Applied presets are loaded after the general template configuration file, but before any other applicable configuration files. They therefore can override settings specified in the general template, but can themselves be overridden by settings specified in other files. For full details, see Configuration Files: Configuration File Loading.

Presets vs Additional Configuration Files

There are two major differences between applying a preset and specifying an additional configuration file: location and loading mechanism.

	Preset	Additional Configuration File
location	$CSONAR/codesonar/presets/PresetName.conf only	anywhere
loading mechanism	-preset PresetName (No path or .conf extension)	-conf-file /path/to/fname (Path required, fname must include file extension if it has one.)

Applying a Preset

To apply the preset named PresetName (defined in $CSONAR/codesonar/presets/PresetName.conf) to a CodeSonar build/analysis:

Command Line	Specify -preset <preset_name> as part of your build/analysis command. For example: codesonar analyze MyProj -preset <preset_name> localhost:7340 make
Define as a default preset	Copy <preset_name>.conf from $CSONAR/codesonar/presets/ to $CSONAR/codesonar/default_presets/. OR Use the CodeSonar Configuration Tool Modify Analysis Settings option.
Windows Build Wizard	Select <preset_name> from the Preset list on screen 2.
Eclipse Plug-In	Select <preset_name> from the Presets list in the Properties dialog.
Visual Studio Plug-In	Select <preset_name> from the Presets list in the Project Properties dialog.

Configuration Files: Changing Parameter Settings discusses the issues to consider when you change parameter settings for a given project, including changes in the presets used to build and analyze the project.

Presets Shipped with CodeSonar

The following presets are shipped with CodeSonar.

For presets that enable sets of warning classes associated with one or more warning class categories, the close mapping for that category is used.

Preset Name	Description
all_warningclasses	Enable all warning classes (except those with mnemonic DIAG.*, which are diagnostic only) for all languages to which each class applies. This preset sets INCREMENTAL_BUILD = No. See the section below for expanded explanations of this parameter.
android_base	Set various analysis bounds and compiler model mappings to support analyzing the Android Open Source Project with codesonar cs_android.py. We recommend using this preset whenever your CodeSonar build/analysis makes use of codesonar cs_android.py.
allow_many_parse_errors	Set a very high ERROR_LIMIT_PER_COMPILATION. Note that this preset sets PREPROCESS_IF_FAIL = No, which specifies that preprocessed versions of compilation units containing parse errors will not be saved.
autosarc++14	Taxonomy preset for AUTOSARC++14: AUTOSAR AP Release 18-10 Guidelines for the use of the C++14 language in critical and safety-related systems. Enables warning classes for C++ compilation units, and only if both of the following are true: the class is associated with at least one rule in AUTOSAR AP Release 18-10, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
autosarc++14_inc	Taxonomy preset for AUTOSARC++14: AUTOSAR AP Release 18-10 Guidelines for the use of the C++14 language in critical and safety-related systems. Enables warning classes for C++ compilation units, and only if all of the following are true: the class is associated with at least one rule in AUTOSAR AP Release 18-10, and the class is supported in incremental analysis, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
barr_naming	Check for violations of the naming rules in the Barr Group Embedded C Coding Standard; issue a Naming Style Violation warning for each such violation.
bsi	Enable all warning classes (except those with mnemonic DIAG.*, which are diagnostic only) associated with "Build Security In" (BSI) rules. A number of CodeSonar warning classes have been implemented specifically to support rules previously published by the U.S. Department of Homeland Security "Build Security In" (BSI) initiative.
cert	Taxonomy preset for multiple CERT taxonomies: CERT-C: SEI CERT C Coding Standard. CERT-CPP: SEI CERT C++ Coding Standard. CERT-Java: SEI CERT Oracle Coding Standard for Java. Enables warning classes only if both of the following are true: the class is associated with at least one rule or recommendation in one of {CERT-C, CERT-CPP, CERT-Java} (it does not need to be associated with all three), and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes and INCREMENTAL_BUILD = No. See the sections below for expanded explanations of these parameters.
certc	Taxonomy preset for CERT-C: SEI CERT C Coding Standard. Enables warning classes only if both of the following are true: the class is associated with at least one rule or recommendation in the SEI CERT C Coding Standard, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes and INCREMENTAL_BUILD = No. See the sections below for expanded explanations of these parameters.
certcpp	Taxonomy preset for CERT-CPP: SEI CERT C++ Coding Standard. Enables warning classes only if both of the following are true: the class is associated with at least one rule or recommendation in the SEI CERT C++ Coding Standard, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
certjava	Taxonomy preset for CERT-Java: SEI CERT Oracle Coding Standard for Java. Enables warning classes that are associated with at least one rule or recommendation in the SEI CERT Oracle Coding Standard for Java. (There are no Java warning classes with mnemonic DIAG.*).
concurrency	Enable all C and C++ warning classes (except those with mnemonic DIAG., which are diagnostic only) that are related to multithreaded programs (that is, the classes with CONCURRENCY. mnemonics).
csharp_complete	Enable all warning classes detected in C# code: both CodeSonar-detected C# warning classes and Roslyn-detected C# warning classes.
csharp_deep	Enable all CodeSonar-detected C# warning classes that are characterized as deep. Note: This preset does not enable any Roslyn-detected C# warning classes (those with mnemonic ROSLYN.*).
csharp_no_roslyn	Disable all Roslyn-detected C# warning classes (those with mnemonic ROSLYN.*).
csharp_pedantic	Enable all CodeSonar-detected C# warning classes that are characterized as pedantic. Note: This preset does not enable any Roslyn-detected C# warning classes (those with mnemonic ROSLYN.*).
csharp_security	Enable all CodeSonar-detected C# warning classes whose significance is "security". Note: This preset does not enable any Roslyn-detected C# warning classes (those with mnemonic ROSLYN.*).
csharp_roslyn_allrulesdefault	Enable the set of Roslyn-detected C# warning classes equivalent to the AllRulesDefault ruleset provided by microsoft.codeanalysis.netanalyzers 8.0.0. Note: This preset does not enable any CodeSonar-detected C# warning classes (those with mnemonic CSHARP.*).
csharp_roslyn_allrulesenabled	Enable the set of Roslyn-detected C# warning classes equivalent to the AllRulesEnabled ruleset provided by microsoft.codeanalysis.netanalyzers 8.0.0. Note: This preset does not enable any CodeSonar-detected C# warning classes (those with mnemonic CSHARP.*).
csharp_roslyn_designrulesdefault	Enable the set of Roslyn-detected C# warning classes equivalent to the DesignRulesDefault ruleset provided by microsoft.codeanalysis.netanalyzers 8.0.0. Note: This preset does not enable any CodeSonar-detected C# warning classes (those with mnemonic CSHARP.*).
csharp_roslyn_globalizationrulesdefault	Enable the set of Roslyn-detected C# warning classes equivalent to the GlobalizationRulesDefault ruleset provided by microsoft.codeanalysis.netanalyzers 8.0.0. Note: This preset does not enable any CodeSonar-detected C# warning classes (those with mnemonic CSHARP.*).
csharp_roslyn_interoperabilityrulesdefault	Enable the set of Roslyn-detected C# warning classes equivalent to the InteroperabilityRulesDefault ruleset provided by microsoft.codeanalysis.netanalyzers 8.0.0. Note: This preset does not enable any CodeSonar-detected C# warning classes (those with mnemonic CSHARP.*).
csharp_roslyn_maintainabilityrulesdefault	Enable the set of Roslyn-detected C# warning classes equivalent to the MaintainabilityRulesDefault ruleset provided by microsoft.codeanalysis.netanalyzers 8.0.0. Note: This preset does not enable any CodeSonar-detected C# warning classes (those with mnemonic CSHARP.*).
csharp_roslyn_performancerulesdefault	Enable the set of Roslyn-detected C# warning classes equivalent to the PerformanceRulesDefault ruleset provided by microsoft.codeanalysis.netanalyzers 8.0.0. Note: This preset does not enable any CodeSonar-detected C# warning classes (those with mnemonic CSHARP.*).
csharp_roslyn_portedfromfxcoprulesdefault	Enable the set of Roslyn-detected C# warning classes equivalent to the PortedFromFxCopRulesDefault ruleset provided by microsoft.codeanalysis.netanalyzers 8.0.0. Note: This preset does not enable any CodeSonar-detected C# warning classes (those with mnemonic CSHARP.*).
csharp_roslyn_reliabilityrulesdefault	Enable the set of Roslyn-detected C# warning classes equivalent to the ReliabilityRulesDefault ruleset provided by microsoft.codeanalysis.netanalyzers 8.0.0. Note: This preset does not enable any CodeSonar-detected C# warning classes (those with mnemonic CSHARP.*).
csharp_roslyn_usagerulesdefault	Enable the set of Roslyn-detected C# warning classes equivalent to the UsageRulesDefault ruleset provided by microsoft.codeanalysis.netanalyzers 8.0.0. Note: This preset does not enable any CodeSonar-detected C# warning classes (those with mnemonic CSHARP.*).
cwe2020	Enable all warning classes that are closely mapped to one or more of the 2020 CWE/SANS Top 25 Most Dangerous Software Weaknesses. This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
cwe2021	Enable all warning classes that are closely mapped to one or more of the 2021 CWE Top 25 Most Dangerous Software Weaknesses. This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
cwe2022	Enable all warning classes that are closely mapped to one or more of the 2022 CWE Top 25 Most Dangerous Software Weaknesses. This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
cwe2023	Enable all warning classes that are closely mapped to one or more of the 2023 CWE Top 25 Most Dangerous Software Weaknesses. This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
cwe2024	Enable all warning classes that are closely mapped to one or more of the 2024 CWE Top 25 Most Dangerous Software Weaknesses. This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
cwe2025	Enable all warning classes that are closely mapped to one or more of the 2025 CWE Top 25 Most Dangerous Software Weaknesses. This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
cwe_kev10_2024	Enable all warning classes that are closely mapped to one or more of the 2024 CWE Top 10 KEV Weaknesses.
cwe660_java	Enable all Java warning classes that are broadly mapped to CWE:660.
cxx_parser_diagnostics	Enable all C/C++ parser warning classes, reporting both parser warnings and parser errors. The latter has the effect of duplicating errors from the parse log as CodeSonar warnings.
cxx_parser_warnings	Enable all C/C++ parser warning classes, but only for warnings that correspond to parser warnings (as opposed to parser errors). Note that error status for these warnings is determined by the parser: for a given warning class, there may be some warning instances that are parse errors but other warning instances that are not.
disa	Taxonomy preset for multiple taxonomies: DISA-6r1: DISA Application Security and Development STIG version 6 release 1 (published June 5, 2024). DISA-5r3: DISA Application Security and Development STIG version 5 release 3 (published July 26, 2023). DISA-4r3: DISA Application Security and Development STIG version 4 release 3 (published April 28, 2017). DISA3r10: DISA Application Security and Development STIG version 3 release 10 (published January 23, 2015). These represent all revisions of the DISA Application Security and Development STIG for which CodeSonar has mappings. Enables warning classes only if both of the following are true: the class is associated with at least one finding in one of the listed DISA Application Security and Development STIG taxonomies (it does not need to be associated with all of them), and the class is not diagnostic-only (mnemonic DIAG.). Does not enable warning classes that are diagnostic-only (mnemonic DIAG.). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
disa_latest	Taxonomy preset for the most recent version of the DISA Application Security and Development STIG for which CodeSonar has mappings. For this version of CodeSonar (9.2p0), the most recent version of this STIG for which mappings are provided is Version 6, Release 1, published June 5, 2024. Enables warning classes only if both of the following are true: the class is associated with at least one finding in the DISA Application Security and Development STIG Version 6, Release 1, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
disa_6r1	Taxonomy preset for DISA-6r1: DISA Application Security and Development STIG version 6 release 1 (published June 5, 2024). Enables warning classes only if both of the following are true: the class is associated with at least one finding in the DISA Application Security and Development STIG version 6, release 1, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
disa_5r3	Taxonomy preset for DISA-5r3: DISA Application Security and Development STIG version 5 release 3 (published July 26, 2023). Enables warning classes only if both of the following are true: the class is associated with at least one finding in the DISA Application Security and Development STIG version 5, release 3, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
disa_4r3	Taxonomy preset for DISA-4r3: DISA Application Security and Development STIG version 4 release 3 (published April 28, 2017). Enables warning classes only if both of the following are true: the class is associated with at least one finding in the DISA Application Security and Development STIG version 4, release 3, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
disa_3r10	Taxonomy preset for DISA3r10: DISA Application Security and Development STIG version 3 release 10 (published January 23, 2015). Enables warning classes only if both of the following are true: the class is associated with at least one finding in the DISA Application Security and Development STIG version 3, release 10 , and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
dry_run	Perform a dry run.
fast	Set lower values for various analysis bounds and disable Tainted Buffer Access checking, with the goal of a faster analysis. This preset may lead to a higher number of false negatives (because of reduced analysis resources), a higher number of false positives (because of reduced refinement resources), or both. Settings are described in section Performing a Fast Analysis.
his_metrics	Enable HIS and related metrics.
insider	Enable those built-in warning classes that are considered to be particularly associated with insider threat. Many of these warning classes have a focus on security holes that can be introduced - maliciously or mistakenly - by an insider. Insider threats are rare, so this preset tends to have a high false positive rate.
insider_more	Enable a strict superset of the warning classes enabled by the insider preset; set various other parameters to support stricter checking for various classes. Many of these warning classes have a focus on security holes that can be introduced - maliciously or mistakenly - by an insider. Insider threats are rare, so this preset tends to have a high false positive rate
insider_only	Enable those built-in warning classes that are considered to be particularly associated with insider threat; disable all other classes. Many of these warning classes have a focus on security holes that can be introduced - maliciously or mistakenly - by an insider. Insider threats are rare, so this preset tends to have a high false positive rate
intel	[Windows only] Disables compiler recognition for the cl and cl.exe executables, and specifies that compilations with mcpcom.exe should be handled by the mcpcom compiler model. Always use this preset when you are building and analyzing projects based on the mcpcom compiler (or any other compilers that you have mapped to the mcpcom compiler model). This preset has no effect on non-Windows systems.
intro	Disable some warning classes that are less likely to indicate serious defects.
java_complete	Enable all Java warning classes.
java_deep	Enable all Java warning classes that are characterized as deep.
java_pedantic	Enable all Java warning classes that are characterized as pedantic.
java_security	Enable all Java warning classes whose significance is "security".
jpl	Taxonomy preset for JPL: JPL Institutional Coding Standard for the C Programming Language. Enables warning classes only if both of the following are true: the class is associated with at least one rule in the JPL Institutional Coding Standard for the C Programming Language, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
jsf++	Taxonomy preset for JSF++: Joint Strike Fighter Air Vehicle C++ Coding Standards for the System Development and Demonstration Program. Enables warning classes only if both of the following are true: the class is associated with at least one rule in the Joint Strike Fighter Air Vehicle C++ Coding Standards for the System Development and Demonstration Program, and the class is not diagnostic-only (mnemonic DIAG.*). Additional jsf++ preset information: It contains a number of configuration settings that customize warning class behavior to conform with the guidelines in this standard. Read the comments in the preset for full details. It defines a new warning class: "High Cyclomatic Complexity" It sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
jsf++_inc	Taxonomy preset for JSF++: Joint Strike Fighter Air Vehicle C++ Coding Standards for the System Development and Demonstration Program. Enables warning classes for C++ compilation units, and only if all of the following are true: the class is associated with at least one rule in the Joint Strike Fighter Air Vehicle C++ Coding Standards for the System Development and Demonstration Program, and the class is supported in incremental analysis, and the class is not diagnostic-only (mnemonic DIAG.*). Additional jsf++_inc preset information: It contains a number of configuration settings that customize warning class behavior to conform with the guidelines in this standard. Read the comments in the preset for full details. It defines a new warning class: "High Cyclomatic Complexity" It sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
malloc_never_fails	Set MALLOC_FAILURE_BEHAVIOR=DOESNT_FAIL.
misra	Taxonomy preset for multiple MISRA C taxonomies: MisraC2025: MISRA C:2025 Guidelines for the use of the C language in critical systems MisraC2023: MISRA C:2023 Guidelines for the use of the C language in critical systems Misra2012: MISRA C:2012 Guidelines for the use of the C language in critical systems Misra2004: MISRA C:2004 Guidelines for the use of the C language in critical systems Enables warning classes for C compilation units, and only if all of the following are true: the class is associated with at least one guideline (rule or directive) in one of {MisraC2025, MisraC2023, Misra2012, Misra2004} (it does not need to be associated with all four), and for associations with a Misra2012 guideline, that guideline is present in the latest edition, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misra_inc	Taxonomy preset for multiple taxonomies: MisraC2025: MISRA C:2025 Guidelines for the use of the C language in critical systems MisraC2023: MISRA C:2023 Guidelines for the use of the C language in critical systems Misra2012: MISRA C:2012 Guidelines for the use of the C language in critical systems Misra2004: MISRA C:2004 Guidelines for the use of the C language in critical systems Enables warning classes for C compilation units, and only if all of the following are true: the class is associated with at least one guideline (rule or directive) in one of {MisraC2025, MisraC2023, Misra2012, Misra2004} (it does not need to be associated with all four), and for associations with a Misra2012 guideline, that guideline is present in the latest edition, and the class is supported in incremental analysis, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes and sets WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misrac2025	Taxonomy preset for MisraC2025: MISRA C:2025 Guidelines for the use of the C language in critical systems. Enables warning classes for C compilation units, and only if both of the following are true: the class is associated with at least one rule or directive in the MISRA C:2025 Guidelines for the use of the C language in critical systems, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misrac2025_inc	Taxonomy preset for MisraC2025: MISRA C:2025 Guidelines for the use of the C language in critical systems. Enables warning classes for C compilation units, and only if all of the following are true: the class is associated with at least one rule or directive in MISRA C:2025, and the class is supported in incremental analysis, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes and sets WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misrac2023	Taxonomy preset for MisraC2023: MISRA C:2023 Guidelines for the use of the C language in critical systems. Enables warning classes for C compilation units, and only if both of the following are true: the class is associated with at least one rule or directive in the MISRA C:2023 Guidelines for the use of the C language in critical systems, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misrac2023_inc	Taxonomy preset for MisraC2023: MISRA C:2023 Guidelines for the use of the C language in critical systems. Enables warning classes for C compilation units, and only if all of the following are true: the class is associated with at least one rule or directive in MISRA C:2023, and the class is supported in incremental analysis, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes and sets WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misra2012	Taxonomy preset for Misra2012: MISRA C:2012 Guidelines for the use of the C language in critical systems. Enables warning classes for C compilation units, and only if both of the following are true: the class is associated with a rule or directive in the latest edition of MISRA C:2012, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misra2012_inc	Taxonomy preset for Misra2012: MISRA C:2012 Guidelines for the use of the C language in critical systems. Enables warning classes for C compilation units, and only if all of the following are true: the class is associated with a rule or directive in the latest edition of MISRA C:2012, and the class is supported in incremental analysis, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes and sets WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misra2012-0	Taxonomy preset for Misra2012: MISRA C:2012 Guidelines for the use of the C language in critical systems. Enables warning classes for C compilation units, and only if both of the following are true: the class is associated with a rule or directive in the following MISRA C:2012 edition: [0] MISRA C:2012 Guidelines for the use of the C language in critical systems, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misra2012-1	Taxonomy preset for Misra2012: MISRA C:2012 Guidelines for the use of the C language in critical systems. Enables warning classes for C compilation units, and only if both of the following are true: the class is associated with a rule or directive in the following MISRA C:2012 edition: [1] MISRA C:2012 Amendment 1 Additional security guidelines for MISRA C:2012, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misra2012-2	Taxonomy preset for Misra2012: MISRA C:2012 Guidelines for the use of the C language in critical systems. Enables warning classes for C compilation units, and only if both of the following are true: the class is associated with a rule or directive in the following MISRA C:2012 edition: [2] MISRA C:2012 Amendment 2 Updates for ISO/IEC 9899:2011 Core functionality, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misra2012-3	Taxonomy preset for Misra2012: MISRA C:2012 Guidelines for the use of the C language in critical systems. Enables warning classes for C compilation units, and only if both of the following are true: the class is associated with a rule or directive in the following MISRA C:2012 edition: [3] MISRA C:2012 Amendment 3 Updates for ISO/IEC 9899:2011/2018 Phase 2 — New C11/C18 features, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misra2012-4	Taxonomy preset for Misra2012: MISRA C:2012 Guidelines for the use of the C language in critical systems. Enables warning classes for C compilation units, and only if both of the following are true: the class is associated with a rule or directive in the following MISRA C:2012 edition: [4] MISRA C:2012 Amendment 4 Updates for ISO/IEC 9899:2011/2018 Phase 3 — Multi-threading and atomics, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misra2004	Taxonomy preset for Misra2004: MISRA C:2004 Guidelines for the use of the C language in critical systems. Enables warning classes for C compilation units, and only if both of the following are true: the class is associated with a rule in MISRA C:2004, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misra2004_inc	Taxonomy preset for Misra2004: MISRA C:2004 Guidelines for the use of the C language in critical systems. Enables warning classes for C compilation units, and only if all of the following are true: the class is associated with a rule in MISRA C:2004, and the class is supported in incremental analysis, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes and sets WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misrac++	Taxonomy preset for multiple MISRA C++ taxonomies: MisraC++2023: MISRA C++:2023 Guidelines for the use of C++17 in critical systems. MisraC++2008: MISRA C++:2008 Guidelines for the use of the C++ language in critical systems. Enables warning classes for C++ compilation units, and only if both of the following are true: the class is associated with at least one rule in MISRA C++:2023 or MISRA C++:2008 (it does not need to be associated with both), and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misrac++_inc	Taxonomy preset for multiple taxonomies: MisraC++2023: MISRA C++:2023 Guidelines for the use of C++17 in critical systems. MisraC++2008: MISRA C++:2008 Guidelines for the use of the C++ language in critical systems. Enables warning classes for C++ compilation units, and only if all of the following are true: the class is associated with at least one rule in MISRA C++:2023 or MISRA C++:2008 (it does not need to be associated with both), and the class is supported in incremental analysis, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes and sets WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misrac++2023	Taxonomy preset for MisraC++2023: MISRA C++:2023 Guidelines for the use of C++17 in critical systems. Enables warning classes for C++ compilation units, and only if both of the following are true: the class is associated with at least one rule in MISRA C++:2023, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misrac++2023_inc	Taxonomy preset for MisraC++2023: MISRA C++:2023 Guidelines for the use of C++17 in critical systems. Enables warning classes for C++ compilation units, and only if all of the following are true: the class is associated with at least one rule in MISRA C++:2023, and the class is supported in incremental analysis, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes and sets WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misrac++2008	Taxonomy preset for MisraC++2008: MISRA C++:2008 Guidelines for the use of the C++ language in critical systems. Enables warning classes for C++ compilation units, and only if all of the following are true: the class is associated with at least one rule in MISRA C++:2008, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes, INCREMENTAL_BUILD = No, and WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
misrac++2008_inc	Taxonomy preset for MisraC++2008: MISRA C++:2008 Guidelines for the use of the C++ language in critical systems. Enables warning classes for C++ compilation units, and only if all of the following are true: the class is associated with at least one rule in MISRA C++:2008, and the class is supported in incremental analysis, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes and sets WARNING_FILTER += discard class="Basic Numerical Type Used" line_contents=~\<(main\|argc\|argv)\>. See the sections below for expanded explanations of these parameters.
no_crashes	Configure the analysis so that Null Pointer Dereference, Division by Zero, and integer division overflow will not be treated as crashing vulnerabilities.
no_cxx_parser_diagnostics	Disable all C/C++ parser warning classes.
no_dead_code	Disable C/C++ warning classes with significance redundancy. These warning classes generally flag dead (unnecessary) code. Dead code is sometimes intentional but is sometimes indicative of mistakes. It is recommended that first-time CodeSonar users disable dead code warnings.
no_incremental	Set INCREMENTAL_BUILD=No. For more information on this parameter, see the section below.
no_style	Disable C/C++ warning classes with significance style. Suppress coding-style warnings.
no_taint_or_funcptr	Disable the top-down pointer analysis phase, meaning that: Taint metrics and taint propagation information will not be available. Function pointer resolution is not performed.
owasp2025	Taxonomy preset for OWASP-2025: the OWASP Top 10 2025. Enables warning classes only if both of the following are true: the class is associated with at least one rule in the OWASP Top 10 2025, and the class is not diagnostic-only (mnemonic DIAG.*).
owasp2021	Taxonomy preset for OWASP-2021: the OWASP Top 10 2021. Enables warning classes only if both of the following are true: the class is associated with at least one rule in the OWASP Top 10 2021, and the class is not diagnostic-only (mnemonic DIAG.*).
owasp2017	Taxonomy preset for OWASP-2017: the OWASP Top 10 2017. Enables warning classes only if both of the following are true: the class is associated with at least one rule in the OWASP Top 10 2017, and the class is not diagnostic-only (mnemonic DIAG.*).
pow10	Taxonomy preset for POW10: "Power of Ten" rules. Enables warning classes only if both of the following are true: the class is associated with at least one "Power of Ten" rule, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes. See the section below for an expanded explanation of this parameter.
python_debug_console	Include the Python debug console plug-in, which opens an interactive Python console at the end of the analysis "Linking" stage; analysis does not proceed until the console exits. For more information, see the Python API documentation.
security	Enable those built-in C/C++ warning classes that are considered especially useful for security audits. Settings are described in section Performing a Security-Oriented Analysis.
serial	Configure the analysis to run in serial mode (including after the analysis has transitioned to daemon mode).
stable_results	Configure the analysis for increased determinism: result sets will be more stable across analyses than without these settings, at the cost of increased false negative rate and slower taint analysis. False positives may increase or decrease. Apply all the settings described in section Performing an Analysis with Improved Determinism.
thorough	May enable a more thorough analysis. Settings are described in section Performing a More Thorough Analysis.
ts17961	Taxonomy preset for TS17961: ISO/IEC TS 17961 rules ("C Secure Coding Rules Technical Specification"). Enables warning classes only if both of the following are true: the class is associated with at least one ISO/IEC TS 17961 rule, and the class is not diagnostic-only (mnemonic DIAG.*). This preset sets RETAIN_UNNORMALIZED_C_AST = Yes and INCREMENTAL_BUILD = No. See the sections below for expanded explanations of these parameters.
weakprng	Enable those built-in warning classes that flag uses of some well-known weak pseudo-random number generators.

Taxonomy Presets

We say that a preset shipped with CodeSonar is a taxonomy preset if it enables warning classes on the basis of their association with one or more standard category kinds ("taxonomies").

For a given warning class C, a taxonomy preset will enable C if all of the following are true.

C is closely mapped to one or more categories in the specified taxonomies.
The preset does not also enable warning classes that are closer matches for the same categories.
For example, the Inappropriate Include File Specification warning class is closely mapped to MisraC2023:20.3 (The #include directive shall be followed by either a <filename> or "filename" sequence). However, the Malformed #include class is an even closer match. The misrac2023 preset therefore contains a WARNING_FILTER rule enabling the latter but does not contain a rule enabling the former.

When a warning class is omitted from a taxonomy preset for this reason, the preset file contains an explanatory comment.
C satisfies any additional conditions specified for the preset. For example, many taxonomy presets do not enable warning classes with mnemonic DIAG.* because these warning classes are diagnostic only.

A taxonomy may have multiple associated taxonomy presets.

The same taxonomy may have different presets that impose different sets of additional conditions. For example, autosarc++14 and autosarc++14_inc differ in their suitability for use with incremental analysis.
A taxonomy may be involved in presets with various sets of other taxonomies. For example, the CERT-C taxonomy has two associated taxonomy presets: certc (CERT-C taxonomy only) and cert (CERT-C, CERT-CPP, and CERT-Java).

Note: CWE top 25 presets such as cwe2024 are not considered taxonomy presets.

RETAIN_UNNORMALIZED_C_AST=Yes Setting

This setting is used because normalized ASTs don't hold the right data to decide for certain warning classes, so certain presets are configured to retain the required data structure. CodeSonar preserves this "extra" data required by the warning classes enabled by the preset.

INCREMENTAL_BUILD=No Setting

This setting is used because incremental build is not compatible with warning classes that depend on global state. For example, non-unique identifier warnings require knowledge of every identifier in the project, so CodeSonar must parse and analyze all compilation units to issue these warnings.

Some presets are configured to disable INCREMENTAL_BUILD so the entire project can be rebuilt and analyzed.

WARNING_FILTER += discard class="Basic Numerical Type Used" Setting

The standard way to write the prototype for main() is to use basic numerical types: int main(int argc, char* argv[]), but the Basic Numerical Type Used warning class complains about that usage. CodeSonar provides an exception for the prototype of main.

For more information on the options, see the WARNING_FILTER documentation.

Finding Detailed Information on a Specific Preset

For detailed information about any preset, inspect the corresponding configuration file. For example, to see the settings associated with the thorough preset, inspect $CSONAR/codesonar/presets/thorough.conf.

We do not recommend editing the built-in presets directly. If you want a preset that is a variation of some built-in preset PresetName:

Save a copy of $CSONAR/codesonar/presets/PresetName.conf in the presets directory with a related name (such as MyPresetName.conf) so that it is easy to identify. For example:
cp $CSONAR/codesonar/presets/PresetName.conf $CSONAR/codesonar/presets/MyPresetName.conf
Edit $CSONAR/codesonar/presets/MyPresetName.conf to incorporate your customizations.

When you want to use your new preset, apply it:

command line	Specify -preset MyPresetName as part of your build/analysis command. For example: codesonar analyze ProjectX -preset MyPresetName localhost:7340 gcc -c myfile.c
Windows build wizard	Select MyPresetName from the Preset list on screen 2.

Creating a New Preset

Suppose you want to create a new preset called AlexCustom.

Check to make sure $CSONAR/codesonar/presets/AlexCustom.conf does not already exist (meaning that there is already an AlexCustom preset).
- If the file already exists, you can either edit it to suit your needs or choose a different name for your new preset.
Create a new file $CSONAR/codesonar/presets/AlexCustom.conf.
Populate AlexCustom.conf with the configuration settings that you want to include in your preset.
- See the sections on Compiler-Independent Configuration File Parameters and Compiler-Dependent Configuration File Parameters for full configuration parameter documentation.

Test your new preset by applying it to a small project.

command line	codesonar analyze testAlexCustom -preset AlexCustom localhost:7340 gcc -c myfile.c
Windows build wizard	Select AlexCustom from the Preset list on screen 2.

Check the analysis alerts. If there are problems with the configuration settings in your new preset, they will be described in an alert.
Once you have satisfied that your preset is working correctly, apply it to your CodeSonar builds and analyses as required.

To report problems with this documentation, please visit https://support.codesecure.com/.