--- proj6.1p0.conf 2021-12-01 10:29:27.204765300 -0500 +++ proj6.2p0.conf 2021-12-01 10:30:07.278051900 -0500 @@ -1,7 +1,7 @@ # For emacs: -*- Shell-script -*- # ###################################################################### -# CodeSonar 6.1p0 Configuration File +# CodeSonar 6.2p0 Configuration File ###################################################################### # # CodeSonar will use preferences defined in this file when running @@ -1149,6 +1149,30 @@ # #INITIALIZER_LIMIT = 512 +# Parameter ARRAY_CTOR_CALL_LIMIT +# +# Purpose +# Specifies an upper bound on the number of constructor calls +# CodeSonar is willing to make for each end of an array. +# +# Tags +# - ANALYSIS_BOUND: Analysis resource/effort limit +# +# Type +# integer +# +# Behavior Elements on each end of the array will be initialized +# individually. Elements in the middle will be initialized using a +# for-loop. +# +# A value of -1 means that there is no limit on the number of +# calls. +# +# Notes +# Number of calls can significantly affect analysis time. +# +#ARRAY_CTOR_CALL_LIMIT = 2 + # Parameter CONSTEXPR_CALL_DEPTH_LIMIT # # Purpose @@ -2126,6 +2150,9 @@ # Type # { Yes, No } # +# Languages +# C/C++ +# # Behavior # Let P be the name of the project. Then behavior is as follows. # - Yes : Incrementality will be enabled for this build/analysis of @@ -3485,6 +3512,7 @@ # WARNING_FILTER += discard class="Cast Alters Value" # WARNING_FILTER += discard class="Coercion Alters Value" # WARNING_FILTER += discard class="Command Injection" +# WARNING_FILTER += discard class="Comparison of Unrelated Pointers" # WARNING_FILTER += discard class="Copy-Paste Error" # WARNING_FILTER += discard class="Dangerous Function Cast" # WARNING_FILTER += discard class="Deadlock" 
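Review bot: In the ARRAY_CTOR_CALL_LIMIT block the section heading and its first sentence share one line, `+# Behavior Elements on each end of the array will be initialized`, while every other parameter block in this file puts `# Behavior` on a line of its own; the hunk header's added-line count (+24) only adds up if this is a single line, so it is not a lost break. Split it into `# Behavior` and `#   Elements on each end of the array will be initialized`. The CONSTEXPR_CALL_DEPTH_LIMIT block that follows continues outside the hunk.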
@@ -3507,7 +3535,6 @@ # WARNING_FILTER += discard class="Format String Injection" # WARNING_FILTER += discard class="Format String Type Error" # WARNING_FILTER += discard class="Format String" -# WARNING_FILTER += discard class="Free Non-Heap Variable" # WARNING_FILTER += discard class="Free Null Pointer" # WARNING_FILTER += discard class="Function Call Has No Effect" # WARNING_FILTER += discard class="Gamma on Zero" @@ -3518,10 +3545,12 @@ # WARNING_FILTER += discard class="Hardcoded Crypto Key" # WARNING_FILTER += discard class="Hardcoded Crypto Salt" # WARNING_FILTER += discard class="Ignored Return Value" +# WARNING_FILTER += discard class="Input After Output Without Positioning" # WARNING_FILTER += discard class="Integer Overflow of Allocation Size" # WARNING_FILTER += discard class="LDAP Injection" # WARNING_FILTER += discard class="Leak" # WARNING_FILTER += discard class="Library Injection" +# WARNING_FILTER += discard class="Local Variable Passed to Thread" # WARNING_FILTER += discard class="LocalHandle on LMEM_FIXED Memory" # WARNING_FILTER += discard class="LocalLock on LMEM_FIXED Memory" # WARNING_FILTER += discard class="LocalUnlock on LMEM_FIXED Memory" @@ -3538,6 +3567,8 @@ # WARNING_FILTER += discard class="Null Pointer Dereference" # WARNING_FILTER += discard class="Null Security Descriptor" # WARNING_FILTER += discard class="Null Test After Dereference" +# WARNING_FILTER += discard class="Object Slicing" +# WARNING_FILTER += discard class="Output After Input Without Positioning" # WARNING_FILTER += discard class="Overlapping Memory Regions" # WARNING_FILTER += discard class="Plaintext Storage of Password" # WARNING_FILTER += discard class="Plaintext Transmission of Password" 
@@ -3546,8 +3577,10 @@ # WARNING_FILTER += discard class="Redundant Condition" # WARNING_FILTER += discard class="Return Pointer to Freed" # WARNING_FILTER += discard class="Return Pointer to Local" +# WARNING_FILTER += discard class="Return from noreturn" # WARNING_FILTER += discard class="SQL Injection" # WARNING_FILTER += discard class="Shift Amount Exceeds Bit Width" +# WARNING_FILTER += discard class="Subtraction of Unrelated Pointers" # WARNING_FILTER += discard class="Tainted Buffer Access" # WARNING_FILTER += discard class="Tainted Environment Variable" # WARNING_FILTER += discard class="Try-lock that will never succeed" @@ -3577,6 +3610,8 @@ # WARNING_FILTER += discard class="Use of tmpnam" # WARNING_FILTER += discard class="Useless Assignment" # WARNING_FILTER += discard class="Varargs Function Cast" +# WARNING_FILTER += discard class="Virtual Call in Constructor" +# WARNING_FILTER += discard class="Virtual Call in Destructor" # WARNING_FILTER += discard class="cosh on High Number" # WARNING_FILTER += discard class="cosh on Low Number" # WARNING_FILTER += discard class="sqrt on Negative Value" @@ -3988,6 +4023,7 @@ # WARNING_FILTER += allow class="High Risk Loop" # WARNING_FILTER += allow class="Implicit Address of Function" # WARNING_FILTER += allow class="Implicit Function Declaration" +# WARNING_FILTER += allow class="Implicit Lambda Capture" # WARNING_FILTER += allow class="Inappropriate Assignment Type" # WARNING_FILTER += allow class="Inappropriate Bit-field Type" # WARNING_FILTER += allow class="Inappropriate Cast Type" 
@@ -3999,10 +4035,13 @@ # WARNING_FILTER += allow class="Inconsistent Enumerator Initialization" # WARNING_FILTER += allow class="Inconsistent Function Declarations" # WARNING_FILTER += allow class="Inconsistent Object Declarations" +# WARNING_FILTER += allow class="Initialization Cycle" # WARNING_FILTER += allow class="Inline Assembly Code" # WARNING_FILTER += allow class="Inline Function Not static" # WARNING_FILTER += allow class="Invalid Preprocessor Directive" # WARNING_FILTER += allow class="Label Not In Enclosing Block" +# WARNING_FILTER += allow class="Lambda Has No Parameter List" +# WARNING_FILTER += allow class="Lambda Has No Return Type" # WARNING_FILTER += allow class="Leftover Debug Code" # WARNING_FILTER += allow class="Library Function Override" # WARNING_FILTER += allow class="Line Splicing in Comment" @@ -4051,6 +4090,7 @@ # WARNING_FILTER += allow class="Mixed Assembly and Code" # WARNING_FILTER += allow class="Modified Parameter" # WARNING_FILTER += allow class="Multiple Abnormal Loop Exits" +# WARNING_FILTER += allow class="Multiple Accesses of Atomic" # WARNING_FILTER += allow class="Multiple Declarations On Line" # WARNING_FILTER += allow class="Multiple Declarations of a Global" # WARNING_FILTER += allow class="Multiple External Declarations" @@ -4080,6 +4120,7 @@ # WARNING_FILTER += allow class="Not Enough Assertions" # WARNING_FILTER += allow class="Object Defined in Header File" # WARNING_FILTER += allow class="Octal Constant" +# WARNING_FILTER += allow class="Out of Order Member Initializers" # WARNING_FILTER += allow class="Over-initialized Element" # WARNING_FILTER += allow class="Partially Uninitialized Aggregate" # WARNING_FILTER += allow class="Partially Uninitialized Array" 
@@ -4133,6 +4174,8 @@ # WARNING_FILTER += allow class="Unexercised Data Flow" # WARNING_FILTER += allow class="Union Type" # WARNING_FILTER += allow class="Unknown Lock" +# WARNING_FILTER += allow class="Unordered Initialization" +# WARNING_FILTER += allow class="Unreachable Catch" # WARNING_FILTER += allow class="Unreachable Control Flow" # WARNING_FILTER += allow class="Unspecified Array Size with Designator Initialization" # WARNING_FILTER += allow class="Unterminated Escape Sequence" @@ -4189,16 +4232,19 @@ # WARNING_FILTER += allow class="Use of bsearch" # WARNING_FILTER += allow class="Use of catopen" # WARNING_FILTER += allow class="Use of chroot" +# WARNING_FILTER += allow class="Use of cnd_wait" # WARNING_FILTER += allow class="Use of cuserid" # WARNING_FILTER += allow class="Use of execlp" # WARNING_FILTER += allow class="Use of execvp" # WARNING_FILTER += allow class="Use of exit" +# WARNING_FILTER += allow class="Use of fork" # WARNING_FILTER += allow class="Use of getenv" # WARNING_FILTER += allow class="Use of getlogin" # WARNING_FILTER += allow class="Use of getopt" # WARNING_FILTER += allow class="Use of getpass" # WARNING_FILTER += allow class="Use of getwd" # WARNING_FILTER += allow class="Use of longjmp" +# WARNING_FILTER += allow class="Use of memcmp" # WARNING_FILTER += allow class="Use of memset" # WARNING_FILTER += allow class="Use of mkstemp" # WARNING_FILTER += allow class="Use of offsetof" 
@@ -4235,10 +4281,14 @@ # WARNING_FILTER += allow class="Using Directive" # WARNING_FILTER += allow class="Variable Could Be const" # WARNING_FILTER += allow class="Variadic Macro" +# WARNING_FILTER += allow class="Virtual Base Class not In Diamond" +# WARNING_FILTER += allow class="Virtual Base Class" +# WARNING_FILTER += allow class="Virtual and Non-Virtual Base Class" # WARNING_FILTER += allow class="Warnings Not Treated As Errors" # WARNING_FILTER += allow class="Weak Cryptography" # WARNING_FILTER += allow class="Write to Read Only File" # WARNING_FILTER += allow class="chroot without chdir" +# WARNING_FILTER += allow class="delete with Non-Virtual Destructor" # # (Java warning classes) # WARNING_FILTER += allow class="Actual Parameter Element may be null (Java)" @@ -4846,7 +4896,7 @@ ## --- for BSI MEMSET Rule -#BAD_FUNCTION_REGEX = ^memset$ +#BAD_FUNCTION_REGEX = ^(std::)?memset(\(.*\))?$ #BAD_FUNCTION_MESSAGE = Use of memset #BAD_FUNCTION_CATEGORIES = BADFUNC.MEMSET;CWE:14 #BAD_FUNCTION_BASE_RANK = 10.0 @@ -4860,7 +4910,7 @@ #BAD_FUNCTION_BASE_RANK = 45.0 #BAD_FUNCTION_SIGNIFICANCE = SECURITY -#BAD_FUNCTION_REGEX = ^s?rand$ +#BAD_FUNCTION_REGEX = ^(std::)?s?rand(\(.*\))?$ #BAD_FUNCTION_MESSAGE = Use of rand #BAD_FUNCTION_CATEGORIES = BADFUNC.RANDOM.RAND;BSI:MetaRule;CWE:330 #BAD_FUNCTION_BASE_RANK = 45.0 @@ -5136,7 +5186,6 @@ #BAD_FUNCTION_BASE_RANK = 10 #BAD_FUNCTION_SIGNIFICANCE = STYLE - #BAD_FUNCTION_REGEX = ^(atof)$ #BAD_FUNCTION_MESSAGE = Use of atof #BAD_FUNCTION_CATEGORIES = BADFUNC.ATOF;Misra2012:21.7;Misra2004:20.10;CWE:758;CWE:676 
@@ -5319,6 +5368,24 @@ #BAD_FUNCTION_BASE_RANK = 1.0 #BAD_FUNCTION_SIGNIFICANCE = SECURITY +#BAD_FUNCTION_REGEX = ^(std::)?memcmp(\(.*\))?$ +#BAD_FUNCTION_MESSAGE = Use of memcmp +#BAD_FUNCTION_CATEGORIES = BADFUNC.MEMCMP +#BAD_FUNCTION_BASE_RANK = 10.0 +#BAD_FUNCTION_SIGNIFICANCE = SECURITY + +#BAD_FUNCTION_REGEX = ^cnd_(timed)?wait$ +#BAD_FUNCTION_MESSAGE = Use of cnd_wait +#BAD_FUNCTION_CATEGORIES = BADFUNC.CNDWAIT +#BAD_FUNCTION_BASE_RANK = 10.0 +#BAD_FUNCTION_SIGNIFICANCE = RELIABILITY + +#BAD_FUNCTION_REGEX = ^fork$ +#BAD_FUNCTION_MESSAGE = Use of fork +#BAD_FUNCTION_CATEGORIES = BADFUNC.FORK +#BAD_FUNCTION_BASE_RANK = 10.0 +#BAD_FUNCTION_SIGNIFICANCE = RELIABILITY + # Parameter PLUGINS # # Purpose @@ -12645,6 +12712,25 @@ # UNREACHABLE_FUNCTIONS rules, if you no longer need them. +# Parameter REACHABILITY_DUMP_FILE +# +# Purpose +# Specifies an output file for diagnostic reachability information. +# +# Tags +# - BUILD_OUTPUT: Additional Outputs from the Build/Analysis +# +# Type +# string (representing a file path) +# +# Behavior +# Reachability information will be output to the specified file. +# +# Notes +# Example: +# REACHABILITY_DUMP_FILE = /PATH/TO/dump_file + + # Parameter HARDCODED_ARGS_REGEX # Parameter HARDCODED_ARGS_LIST # Parameter HARDCODED_ARGS_CLASS_NAME @@ -13416,7 +13502,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # # Type # a list of Java build options @@ -13426,6 +13511,9 @@ # [doc/html/FAQ.html#libc_commandline] apply (even on non-Windows # systems). # +# Languages +# Java +# # Behavior # The specified options will be prepended to the set of options # passed to the Java build/analysis @@ -13450,7 +13538,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # # Type # a list of Java build options 
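Review bot: The new memcmp rule carries only `#BAD_FUNCTION_CATEGORIES = BADFUNC.MEMCMP`, whereas the sibling templates it mirrors also map to a CWE (the memset rule above uses `BADFUNC.MEMSET;CWE:14`, the rand rule `BSI:MetaRule;CWE:330`), and `#BAD_FUNCTION_MESSAGE = Use of memcmp` gives a triager no hint why the call is ranked as SECURITY. Consider adding the applicable CWE to the categories and, in the `## ---` comment style used for the BSI MEMSET rule, one line stating the concern (a non-constant-time comparison of secret data is the usual one) so a benign buffer compare can be told apart from a sensitive one. The `^cnd_(timed)?wait$` and `^fork$` regexes below lack the `(std::)?` prefix the C++-visible functions got, which looks right for C11/POSIX names.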
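Review bot: The REACHABILITY_DUMP_FILE block's Behavior section says only that information `will be output to the specified file`; for a parameter that names a file path it should also state whether an existing file is truncated or appended to and what a relative path is resolved against, since the example `REACHABILITY_DUMP_FILE = /PATH/TO/dump_file` shows only an absolute path. Unlike the other parameters touched in this commit it gets no `# Languages` section; if the dump is produced only by the C/C++ analysis that should be stated. Both points are inferred from the surrounding blocks rather than from anything in the hunk.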
@@ -13460,6 +13547,9 @@ # [doc/html/FAQ.html#libc_commandline] apply (even on non-Windows # systems). # +# Languages +# Java +# # Behavior # The specified options will be appended to the set of options # passed to the Java build/analysis @@ -13480,6 +13570,9 @@ # a list of C# build options # [doc/html/Csharp_Module/Building/Building.html] # +# Languages +# C# +# # Behavior # The specified options will be prepended to the set of options # passed to the C# build/analysis @@ -13509,6 +13602,9 @@ # a list of C# build options # [doc/html/Csharp_Module/Building/Building.html] # +# Languages +# C# +# # Behavior # The specified options will be appended to the set of options # passed to the C# build/analysis @@ -15326,18 +15422,20 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # # Type # { java1, java2, java3, java4, java5, java6, java7, java8, java9, -# java10, java11, java12, java13, java14, androidAPI1, androidAPI2, -# androidAPI3, androidAPI4, androidAPI5, androidAPI6, androidAPI7, -# androidAPI8, androidAPI9, androidAPI10, androidAPI11, -# androidAPI12, androidAPI13, androidAPI14, androidAPI15, -# androidAPI16, androidAPI17, androidAPI18, androidAPI19, -# androidAPI20, androidAPI21, androidAPI22, androidAPI23, -# androidAPI24, androidAPI25, androidAPI26, androidAPI27, -# androidAPI28 } +# java10, java11, java12, java13, java14, java15, java16, java17, +# androidAPI1, androidAPI2, androidAPI3, androidAPI4, androidAPI5, +# androidAPI6, androidAPI7, androidAPI8, androidAPI9, androidAPI10, +# androidAPI11, androidAPI12, androidAPI13, androidAPI14, +# androidAPI15, androidAPI16, androidAPI17, androidAPI18, +# androidAPI19, androidAPI20, androidAPI21, androidAPI22, +# androidAPI23, androidAPI24, androidAPI25, androidAPI26, +# androidAPI27, androidAPI28 } +# +# Languages +# Java # # Behavior # If a value is specified for JAVA_ANALYSIS_FRAMEWORK, CodeSonar 
@@ -15364,12 +15462,14 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # # Type # { ALL_ENTRIES, ONLY_EXPLICIT_ENTRIES, ONLY_STANDARD_ENTRIES, # LIBRARY, ALL_METHODS } # +# Languages +# Java +# # Behavior # - ALL_ENTRIES : treat all public and protected methods and # constructors as entry points. @@ -15395,11 +15495,13 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # # Type # { Yes, No } # +# Languages +# Java +# # Behavior # - Yes : The analysis will treat assertion statements as if they # are executed. Warnings can be reported in assertion code, and @@ -15417,6 +15519,9 @@ # Specifies a timeout (in seconds) for the overall Java # build/analysis [doc/html/Java_Module/Building/Building.html]. # +# Languages +# Java +# # Behavior # - integer N : if the Java Build/Analysis hasn't finished after N # seconds, it will halt with an error message. No analysis @@ -15424,7 +15529,7 @@ # # Tags # - TIME_LIMIT: Analysis Time Limits -# - JAVA: Specific to the Java Build/Analysis +# - JAVA # # Type # non-negative integer @@ -15444,7 +15549,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.IO.INJ.CODE: Used by Code Injection (Java) # - WC_JAVA.IO.INJ.COMMAND: Used by Command Injection (Java) # - WC_JAVA.IO.INJ.XSS: Used by Cross Site Scripting (Java) @@ -15479,6 +15583,9 @@ # Type # { Yes, No } # +# Languages +# Java +# # Behavior # - Yes : Advanced checking for injection-related issues is # performed. This requires more resources than the No setting, @@ -15504,11 +15611,13 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # # Type # string # +# Languages +# Java +# # Behavior # The whole value of this parameter will be prepended to the list # of JVM arguments that is used to start the Java analysis JVM. To 
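Review bot: `+# - JAVA` leaves a bare tag in the Tags list of the Java build/analysis timeout parameter, while every other Java parameter in this commit removes the `- JAVA: Specific to the Java Build/Analysis` line entirely and relies on the new `# Languages` / `#   Java` section, which this parameter already receives in the preceding hunk. Either drop the line or keep its description; if a bare tag is intentional (for example consumed by tooling), a comment saying so would help. The same half-edit appears in the two C# timeout blocks later in the diff (`+# - CSHARP` in the `@@ -16740,7 +16885,7 @@` and `@@ -16764,7 +16909,7 @@` hunks).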
@@ -15532,7 +15641,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # # Type # string @@ -15561,7 +15669,6 @@ # # Tags # - ANALYSIS_BOUND: Analysis resource/effort limit -# - JAVA: Specific to the Java Build/Analysis # # Type # , where is a non-negative integer. @@ -15590,15 +15697,17 @@ # # Tags # - ANALYSIS_BOUND: Analysis resource/effort limit -# - JAVA: Specific to the Java Build/Analysis # # Type # , where is a non-negative integer. # +# Languages +# Java +# # Behavior # The specified value is interpreted as an upper bound on memory. -#JAVA_LAUNCHER_MEMORY = 512 +#JAVA_LAUNCHER_MEMORY = 1024 # Parameter JAVA_ANALYSIS_MEMORY_MANAGEMENT @@ -15610,11 +15719,13 @@ # # Tags # - ANALYSIS_BOUND: Analysis resource/effort limit -# - JAVA: Specific to the Java Build/Analysis # # Type # { ADAPTIVE, NONE, SIMPLE } # +# Languages +# Java +# # Behavior # - ADAPTIVE : The JVM that executes the analysis is passed # argument -Xmx , where is the lower of the value @@ -15643,12 +15754,14 @@ # # Tags # - ANALYSIS_BOUND: Analysis resource/effort limit -# - JAVA: Specific to the Java Build/Analysis # # Type # integer in the range 1.., where is the total # number of cores on the analysis machine. # +# Languages +# Java +# # Behavior # If JAVA_ANALYSIS_JVM_CONCURRENCY is set with # JAVA_ANALYSIS_JVM_CONCURRENCY=, the active processor count @@ -15681,7 +15794,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.IO.INJ.ANDROID.MESSAGE: Used by Android Message # Injection (Java) # - WC_JAVA.IO.INJ.ANDROID.URL: Used by Android URL Injection @@ -15721,6 +15833,9 @@ # Type # { Yes, No } # +# Languages +# Java +# # Behavior # - Yes : data originating from database queries will be not be # treated as tainted, and cannot cause a taint-related warning to 
@@ -15754,7 +15869,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.IO.INJ.ANDROID.MESSAGE: Used by Android Message # Injection (Java) # - WC_JAVA.IO.INJ.ANDROID.URL: Used by Android URL Injection @@ -15794,6 +15908,9 @@ # Type # { Yes, No } # +# Languages +# Java +# # Behavior # - Yes : data originating from the device will be not be treated # as tainted, and cannot cause a taint-related warning to be @@ -15828,7 +15945,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.IO.INJ.ANDROID.MESSAGE: Used by Android Message # Injection (Java) # - WC_JAVA.IO.INJ.ANDROID.URL: Used by Android URL Injection @@ -15868,6 +15984,9 @@ # Type # { Yes, No } # +# Languages +# Java +# # Behavior # - Yes : data originating from the environment or from system # properties will be not be treated as tainted, and cannot cause @@ -15903,7 +16022,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.IO.INJ.ANDROID.MESSAGE: Used by Android Message # Injection (Java) # - WC_JAVA.IO.INJ.ANDROID.URL: Used by Android URL Injection @@ -15943,6 +16061,9 @@ # Type # { Yes, No } # +# Languages +# Java +# # Behavior # - Yes : data originating from external streams or sockets will be # not be treated as tainted, and cannot cause a taint-related @@ -15976,7 +16097,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.IO.INJ.ANDROID.MESSAGE: Used by Android Message # Injection (Java) # - WC_JAVA.IO.INJ.ANDROID.URL: Used by Android URL Injection @@ -16016,6 +16136,9 @@ # Type # { Yes, No } # +# Languages +# Java +# # Behavior # - Yes : data originating from web requests or console input will # be not be treated as tainted, and cannot cause a taint-related 
@@ -16050,7 +16173,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.IO.INJ.ANDROID.MESSAGE: Used by Android Message # Injection (Java) # - WC_JAVA.IO.INJ.ANDROID.URL: Used by Android URL Injection @@ -16148,7 +16270,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.IO.INJ.ANDROID.MESSAGE: Used by Android Message # Injection (Java) # - WC_JAVA.IO.INJ.ANDROID.URL: Used by Android URL Injection @@ -16210,6 +16331,9 @@ # Type # { Yes, No } # +# Languages +# Java +# # Behavior # - Yes : the Java analysis will track information about each field # of each object. @@ -16236,7 +16360,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.IO.INJ.FRAGMENT: Used by Fragment Injection (Java) # - WC_JAVA.IO.TAINT.IC.FRAGMENT: Used by Ineffective Cleansing of # Fragment Taint (Java) @@ -16253,6 +16376,9 @@ # Type # { Yes, No } # +# Languages +# Java +# # Behavior # - Yes : checks for the listed warning classes will only be # performed if at least one Android manifest has been included @@ -16274,7 +16400,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.CLASS.VIS.FIELD: Used by Field Too Visible (Java) # - WC_JAVA.CLASS.VIS.SFIELD: Used by Static Field Too Visible # (Java) @@ -16282,6 +16407,9 @@ # Type # { PUBLIC, PROTECTED, PACKAGE, PRIVATE } # +# Languages +# Java +# # Behavior # Warning classes that reason about field visibility inspect fields # with visibility equal to, or less restrictive than, the value of @@ -16310,7 +16438,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.DEEPNULL.EFIELD: Used by Field Element may be null # (deep) (Java) # - WC_JAVA.DEEPNULL.FIELD: Used by Field may be null (deep) (Java) 
@@ -16332,6 +16459,9 @@ # Type # { Yes, No } # +# Languages +# Java +# # Behavior # - Yes : checks for the listed warning classes will not # incorporate additional supporting analyses such as reachability @@ -16357,7 +16487,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.DEEPNULL.EFIELD: Used by Field Element may be null # (deep) (Java) # - WC_JAVA.DEEPNULL.FIELD: Used by Field may be null (deep) (Java) @@ -16379,6 +16508,9 @@ # Type # { Yes, No } # +# Languages +# Java +# # Behavior # - Yes : checks for the listed warning classes will be preceded by # a "class initialization analysis" to determine the locations at @@ -16404,7 +16536,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.DEEPNULL.EFIELD: Used by Field Element may be null # (deep) (Java) # - WC_JAVA.DEEPNULL.FIELD: Used by Field may be null (deep) (Java) @@ -16449,7 +16580,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.CONCURRENCY.SYNC.MSS: Used by Missing synchronized # Statement (Java) # - WC_JAVA.CONCURRENCY.UG.FIELD: Used by Unguarded Field (Java) @@ -16460,6 +16590,9 @@ # Type # { byValue, byName } # +# Languages +# Java +# # Behavior # - byName : @GuardedBy annotations refer to the names of the # annotated variables or fields. @@ -16497,7 +16630,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.CONCURRENCY.SYNC.MSS: Used by Missing synchronized # Statement (Java) # - WC_JAVA.CONCURRENCY.UG.FIELD: Used by Unguarded Field (Java) @@ -16508,6 +16640,9 @@ # Type # { Yes, No } # +# Languages +# Java +# # Behavior # # If JAVA_ANALYSIS_CONCURRENCY_GUARDS_MODE=byValue, behavior is as 
@@ -16542,7 +16677,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.NULL.RET.UNCHECKED: Used by Call Might Return Null # (Java) # - WC_JAVA.INSEC.DTP: Used by Deprecated Transfer Protocol (Java) @@ -16576,6 +16710,9 @@ # Type # { Yes, No } # +# Languages +# Java +# # Behavior # - Yes : the analysis will perform stricter checking for the # listed warning classes. @@ -16603,7 +16740,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - JAVA: Specific to the Java Build/Analysis # - WC_JAVA.STRUCT.EXCP.GEH: Used by Generic Exception Handler # (Java) # - WC_JAVA.HARDCODED.IP: Used by Hardcoded IP Address (Java) @@ -16616,6 +16752,9 @@ # Type # { Yes, No } # +# Languages +# Java +# # Behavior # # - Yes : the analysis will perform more pedantic checking for the @@ -16647,7 +16786,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # # Type # { net10, net11, net20, net30, net35, net40, net45, net451, @@ -16655,6 +16793,9 @@ # netcoreapp1.0, netcoreapp1.1, netcoreapp2.0, netcoreapp2.1, # netcoreapp2.2, netcoreapp3.0, netcoreapp3.1, net5.0 } # +# Languages +# C# +# # Behavior # If a value is specified for CSHARP_ANALYSIS_FRAMEWORK, CodeSonar # will analyze the application with respect to the corresponding @@ -16680,12 +16821,14 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # # Type # { ALL_ENTRIES, ONLY_EXPLICIT_ENTRIES, ONLY_STANDARD_ENTRIES, # LIBRARY, ALL_METHODS } # +# Languages +# C# +# # Behavior # - ALL_ENTRIES : treat all public and protected methods and # constructors as entry points. 
@@ -16711,11 +16854,13 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # # Type # { Yes, No } # +# Languages +# C# +# # Behavior # - Yes : The analysis will treat assertion statements as if they # are executed. Warnings can be reported in assertion code, and @@ -16740,7 +16885,7 @@ # # Tags # - TIME_LIMIT: Analysis Time Limits -# - CSHARP: Specific to the C# Build/Analysis +# - CSHARP # # Type # non-negative integer @@ -16764,7 +16909,7 @@ # # Tags # - TIME_LIMIT: Analysis Time Limits -# - CSHARP: Specific to the C# Build/Analysis +# - CSHARP # # Type # non-negative integer @@ -16784,7 +16929,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # - WC_CSHARP.IO.INJ.CODE: Used by Code Injection (C#) # - WC_CSHARP.IO.INJ.COMMAND: Used by Command Injection (C#) # - WC_CSHARP.IO.INJ.XSS: Used by Cross Site Scripting (C#) @@ -16844,11 +16988,13 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # # Type # string # +# Languages +# C# +# # Behavior # The whole value of this parameter will be prepended to the list # of JVM arguments that is used to start the C# analysis JVM. To @@ -16872,11 +17018,13 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # # Type # string # +# Languages +# C# +# # Behavior # The whole value of this parameter will be prepended to the list # of JVM arguments that is used to start the C# analysis launcher @@ -16901,11 +17049,13 @@ # # Tags # - ANALYSIS_BOUND: Analysis resource/effort limit -# - CSHARP: Specific to the C# Build/Analysis # # Type # , where is a non-negative integer. # +# Languages +# C# +# # Behavior # The specified value is interpreted as an upper bound on memory. # 
@@ -16930,11 +17080,13 @@ # # Tags # - ANALYSIS_BOUND: Analysis resource/effort limit -# - CSHARP: Specific to the C# Build/Analysis # # Type # , where is a non-negative integer. # +# Languages +# C# +# # Behavior # The specified value is interpreted as an upper bound on memory. @@ -16950,11 +17102,13 @@ # # Tags # - ANALYSIS_BOUND: Analysis resource/effort limit -# - CSHARP: Specific to the C# Build/Analysis # # Type # { ADAPTIVE, NONE, SIMPLE } # +# Languages +# C# +# # Behavior # - ADAPTIVE : The JVM that executes the analysis is passed # argument -Xmx , where is the lower of the value @@ -16983,7 +17137,6 @@ # # Tags # - ANALYSIS_BOUND: Analysis resource/effort limit -# - CSHARP: Specific to the C# Build/Analysis # # Type # integer in the range 1.., where is the total @@ -17021,7 +17174,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # - WC_CSHARP.IO.INJ.CODE: Used by Code Injection (C#) # - WC_CSHARP.IO.INJ.COMMAND: Used by Command Injection (C#) # - WC_CSHARP.IO.INJ.DLL: Used by DLL Injection (C#) @@ -17057,6 +17209,9 @@ # Type # { Yes, No } # +# Languages +# C# +# # Behavior # - Yes : data originating from database queries will be not be # treated as tainted, and cannot cause a taint-related warning to @@ -17090,7 +17245,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # - WC_CSHARP.IO.INJ.CODE: Used by Code Injection (C#) # - WC_CSHARP.IO.INJ.COMMAND: Used by Command Injection (C#) # - WC_CSHARP.IO.INJ.DLL: Used by DLL Injection (C#) @@ -17126,6 +17280,9 @@ # Type # { Yes, No } # +# Languages +# C# +# # Behavior # - Yes : data originating from the device will be not be treated # as tainted, and cannot cause a taint-related warning to be 
@@ -17159,7 +17316,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # - WC_CSHARP.IO.INJ.CODE: Used by Code Injection (C#) # - WC_CSHARP.IO.INJ.COMMAND: Used by Command Injection (C#) # - WC_CSHARP.IO.INJ.DLL: Used by DLL Injection (C#) @@ -17195,6 +17351,9 @@ # Type # { Yes, No } # +# Languages +# C# +# # Behavior # - Yes : data originating from the environment or from system # properties will be not be treated as tainted, and cannot cause @@ -17230,7 +17389,6 @@ # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # - WC_CSHARP.IO.INJ.CODE: Used by Code Injection (C#) # - WC_CSHARP.IO.INJ.COMMAND: Used by Command Injection (C#) # - WC_CSHARP.IO.INJ.DLL: Used by DLL Injection (C#) @@ -17266,6 +17424,9 @@ # Type # { Yes, No } # +# Languages +# C# +# # Behavior # - Yes : data originating from external streams or sockets will be # not be treated as tainted, and cannot cause a taint-related @@ -17299,7 +17460,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # - WC_CSHARP.IO.INJ.CODE: Used by Code Injection (C#) # - WC_CSHARP.IO.INJ.COMMAND: Used by Command Injection (C#) # - WC_CSHARP.IO.INJ.DLL: Used by DLL Injection (C#) @@ -17335,6 +17495,9 @@ # Type # { Yes, No } # +# Languages +# C# +# # Behavior # - Yes : data originating from web requests or console input will # be not be treated as tainted, and cannot cause a taint-related @@ -17368,7 +17531,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # - WC_CSHARP.INSEC.CERT.RS: Used by Certificate Added to Root # Store (C#) # - WC_CSHARP.IO.INJ.CODE: Used by Code Injection (C#) @@ -17429,6 +17591,9 @@ # Type # { Yes, No } # +# Languages +# C# +# # Behavior # - Yes : all instructions inside the same class X that create # objects of the same type Y are treated as the same instruction. 
@@ -17457,7 +17622,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # - WC_CSHARP.IO.INJ.CODE: Used by Code Injection (C#) # - WC_CSHARP.IO.INJ.COMMAND: Used by Command Injection (C#) # - WC_CSHARP.IO.INJ.DLL: Used by DLL Injection (C#) @@ -17510,6 +17674,9 @@ # Type # { Yes, No } # +# Languages +# C# +# # Behavior # - Yes : the C# analysis will track information about each field # of each object. @@ -17536,7 +17703,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # - WC_CSHARP.CLASS.VIS.FIELD: Used by Field Too Visible (C#) # - WC_CSHARP.CLASS.VIS.SFIELD: Used by Static Field Too Visible # (C#) @@ -17544,6 +17710,9 @@ # Type # { PUBLIC, PROTECTED, PACKAGE, PRIVATE } # +# Languages +# C# +# # Behavior # Warning classes that reason about field visibility inspect fields # with visibility equal to, or less restrictive than, the value of @@ -17572,7 +17741,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # - WC_CSHARP.DEEPNULL.EFIELD: Used by Field Element may be null # (deep) (C#) # - WC_CSHARP.DEEPNULL.FIELD: Used by Field may be null (deep) (C#) @@ -17594,6 +17762,9 @@ # Type # { Yes, No } # +# Languages +# C# +# # Behavior # - Yes : checks for the listed warning classes will not # incorporate additional supporting analyses such as reachability @@ -17619,7 +17790,6 @@ # # Tags # - BUILD_BEHAVIOR: Governs the Build/Analysis -# - CSHARP: Specific to the C# Build/Analysis # - WC_CSHARP.DEEPNULL.EFIELD: Used by Field Element may be null # (deep) (C#) # - WC_CSHARP.DEEPNULL.FIELD: Used by Field may be null (deep) (C#) @@ -17641,6 +17811,9 @@ # Type # { Yes, No } # +# Languages +# C# +# # Behavior # - Yes : checks for the listed warning classes will be preceded by # a "class initialization analysis" to determine the locations at 
@@ -17666,7 +17839,6 @@
 #
 # Tags
 # - BUILD_BEHAVIOR: Governs the Build/Analysis
-# - CSHARP: Specific to the C# Build/Analysis
 # - WC_CSHARP.DEEPNULL.EFIELD: Used by Field Element may be null
 # (deep) (C#)
 # - WC_CSHARP.DEEPNULL.FIELD: Used by Field may be null (deep) (C#)
@@ -17688,6 +17860,9 @@
 # Type
 # { Yes, No }
 #
+# Languages
+# C#
+#
 # Behavior
 # - Yes : the analysis will account for the possibility of null
 # values in unwritten fields, values returned by library methods,
@@ -17711,7 +17886,6 @@
 #
 # Tags
 # - BUILD_BEHAVIOR: Governs the Build/Analysis
-# - CSHARP: Specific to the C# Build/Analysis
 # - WC_CSHARP.CONCURRENCY.SYNC.MSS: Used by Missing synchronized
 # Statement (C#)
 # - WC_CSHARP.CONCURRENCY.UG.FIELD: Used by Unguarded Field (C#)
@@ -17722,6 +17896,9 @@
 # Type
 # { byValue, byName }
 #
+# Languages
+# C#
+#
 # Behavior
 # For example, consider the following code.
 #
@@ -17751,7 +17928,6 @@
 #
 # Tags
 # - BUILD_BEHAVIOR: Governs the Build/Analysis
-# - CSHARP: Specific to the C# Build/Analysis
 # - WC_CSHARP.CONCURRENCY.SYNC.MSS: Used by Missing synchronized
 # Statement (C#)
 # - WC_CSHARP.CONCURRENCY.UG.FIELD: Used by Unguarded Field (C#)
@@ -17762,6 +17938,9 @@
 # Type
 # { Yes, No }
 #
+# Languages
+# C#
+#
 # Behavior
 # If CSHARP_ANALYSIS_CONCURRENCY_GUARDS_MODE=byValue, behavior is
 # as follows.
@@ -17795,7 +17974,6 @@
 #
 # Tags
 # - BUILD_BEHAVIOR: Governs the Build/Analysis
-# - CSHARP: Specific to the C# Build/Analysis
 # - WC_CSHARP.NULL.RET.UNCHECKED: Used by Call Might Return Null
 # (C#)
 # - WC_CSHARP.INSEC.DTP: Used by Deprecated Transfer Protocol (C#)
@@ -17829,6 +18007,9 @@
 # Type
 # { Yes, No }
 #
+# Languages
+# C#
+#
 # Behavior
 # - Yes : the analysis will perform stricter checking for the
 # listed warning classes.
@@ -17856,7 +18037,6 @@
 #
 # Tags
 # - BUILD_BEHAVIOR: Governs the Build/Analysis
-# - CSHARP: Specific to the C# Build/Analysis
 # - WC_CSHARP.STRUCT.EXCP.GEH: Used by Generic Exception Handler
 # (C#)
 # - WC_CSHARP.HARDCODED.IP: Used by Hardcoded IP Address (C#)
@@ -17867,6 +18047,9 @@
 # Type
 # { Yes, No }
 #
+# Languages
+# C#
+#
 # Behavior
 # - Yes : the analysis will perform more pedantic checking for the
 # listed warning classes.
@@ -17926,6 +18109,9 @@
 # Regular Expression'
 # [http://www.boost.org/doc/libs/1_63_0/libs/regex/doc/html/boost_regex/syntax/basic_extended.html]
 #
+# Languages
+# C#
+#
 # Behavior
 # These parameters are used to specify naming rules that
 # identifiers of a particular kind must not violate. If an
@@ -17949,8 +18135,8 @@
 # a mnemonic for the following regular expressions:
 #
 # aNy_CasE = ^.*$
-# lower_case = ^[a-z][a-z0-9_]*$
-# UPPER_CASE = ^[A-Z][A-Z0-9_]*$
+# lower_case = ^[a-z][a-z0-9]*(_+[a-z0-9]+)*
+# UPPER_CASE = ^[A-Z][A-Z0-9]*(_+[A-Z0-9]+)*
 # camelBack = ^[a-z][a-zA-Z0-9]*$
 # CamelCase = ^[A-Z][a-zA-Z0-9]*$
 # Camel_Snake_Case = ^[A-Z][a-z0-9]*(_[A-Z][a-z0-9]*)*
@@ -18055,3 +18241,28 @@
 # * the identifier must start with an uppercase character, not an underscore.
 # */
 #
+
+
+# Parameter OBJSLICE_WARN_NEW_MEMBER_ONLY
+#
+# Purpose
+# Specifies whether Object Slicing warnings should be issued only
+# in the case where the derived class has additional data members
+# not found in the converted-to base class.
+#
+# Tags
+# - WARNING_THRESHOLD: Warning-Class-Specific Settings
+#
+# Type
+# { Yes, No }
+#
+# Languages
+# C#
+#
+# Behavior
+# - Yes : Warning is not issued if derived class doesn't have
+# additional data members.
+# - No : Warning is issued even when derived class doesn't have
+# additional data members.
+
+#OBJSLICE_WARN_NEW_MEMBER_ONLY = Yes
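Review bot: The replacement lower_case and UPPER_CASE expressions in the -17949 hunk drop the trailing `$` that the removed versions had and that aNy_CasE, camelBack and CamelCase on the neighbouring lines keep, so whether an identifier such as `foo_Bar` is rejected now depends on whether the checker performs a full match or a search. If a full match is intended, the documented forms should stay anchored, `lower_case = ^[a-z][a-z0-9]*(_+[a-z0-9]+)*$` and `UPPER_CASE = ^[A-Z][A-Z0-9]*(_+[A-Z0-9]+)*$`; if the implementation anchors implicitly, a sentence above the table saying so would keep readers from taking the unanchored forms literally. Camel_Snake_Case is unanchored too but predates this change.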
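Review bot: The new OBJSLICE_WARN_NEW_MEMBER_ONLY entry lists `C#` under Languages, yet object slicing — losing derived-class members when an object is copied into a by-value base — is a C/C++ phenomenon, and its placement after the C# naming parameters looks like a copy of the adjacent `# Languages` / `# C#` text. If the parameter governs the C/C++ Object Slicing warning class, the line should read `# C/C++` in the form used elsewhere in this file; worth confirming before release since users filter parameters by this field. The two added blank lines before `# Parameter` also give this entry three blank lines of separation where other entries use one.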
