Warnings: Internal Representation (IR) Influence

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

Warnings: Internal Representation (IR) Influence

CodeSonar operates by building its own internal representation (IR) of your regular software project, then performing an analysis that involves a series of checks involving various aspects of that IR. Any warnings issued by the analysis are then mapped back to your source code for presentation.

In some cases, text that appears in a project's source code files is not actually compiled into the project's object code, and so is also not included in the CodeSonar IR for the project. For example, a region of text may be excluded by the C or C++ preprocessor, and so not be included in the native software or its corresponding CodeSonar project. CodeSonar warnings will not be issued for this excluded text, because it is not part of the analyzed project.

This section describes some of the cases where text present in a source file is not represented in the underlying software or CodeSonar IR, and so will not trigger CodeSonar warnings.

File that wasn't analyzed

If a file is not included in the CodeSonar build/analysis, there will be no IR for any part of the file and so no warnings will be issued for any code in the file.

The mechanism for including a file in the CodeSonar build/analysis depends on the file language, as shown in the following table.

File language (click for detailed build/analysis information)	Ensuring CodeSonar constructs IR and reports warnings for a file
C, C++	The CodeSonar build/analysis must observe your native compiler compiling the source file as part of your regular software build. For the file to be represented in the analyzed IR, all of the following must be true. The file is compiled by the regular software build. If the file itself is generated (or partially generated) by the regular software build, you have set INVOKE_COMPILER_FIRST=Yes in the project configuration file. CodeSonar recognizes the compiler invocation when it observes the regular software build. (If it does not, see the resolution advice on the Build Troubleshooting page.) CodeSonar is able to parse the file without encountering too many errors. (Check the analysis Parse Log for details.)
Java	In order to identify and report vulnerabilities with respect to a Java source file, the CodeSonar build/analysis must observe a cs-java-scan command that specifies both of the following. The bytecode artifact built from the source file, specified with -include-artifacts. The -include-artifacts option is the best way to include a bytecode artifact for which you wish to see warnings: see Build and Analysis for Java Projects: Artifact Categories for more information. The source file itself, specified with -include-sources. CodeSonar uses the source file to present any warnings issued by the analysis.
C#	In order to identify and report vulnerabilities with respect to a C# source file, the CodeSonar build/analysis must observe a cs-dotnet-scan command that implicitly or explicitly specifies both of the following. The .NET assembly artifact built from the source file, specified with -include-artifacts. The -include-artifacts option is the best way to include a .NET assembly artifact for which you wish to see warnings: see Build and Analysis for C# Projects: Artifact Categories for more information. The PDB file corresponding to the artifact must be present in the same directory as the artifact. The source file itself, which may be either explicitly specified with -include-sources, or identified (with correct file path) by the PDB file corresponding to the artifact. CodeSonar uses the source file to present any warnings issued by the analysis.

File language
(click for detailed build/analysis information)

Ensuring CodeSonar constructs IR and reports warnings for a file

C, C++

The CodeSonar build/analysis must observe your native compiler compiling the source file as part of your regular software build.
For the file to be represented in the analyzed IR, all of the following must be true.

The file is compiled by the regular software build.
If the file itself is generated (or partially generated) by the regular software build, you have set INVOKE_COMPILER_FIRST=Yes in the project configuration file.
CodeSonar recognizes the compiler invocation when it observes the regular software build. (If it does not, see the resolution advice on the Build Troubleshooting page.)
CodeSonar is able to parse the file without encountering too many errors. (Check the analysis Parse Log for details.)

Java

In order to identify and report vulnerabilities with respect to a Java source file, the CodeSonar build/analysis must observe a cs-java-scan command that specifies both of the following.

The bytecode artifact built from the source file, specified with -include-artifacts.
The -include-artifacts option is the best way to include a bytecode artifact for which you wish to see warnings: see Build and Analysis for Java Projects: Artifact Categories for more information.
The source file itself, specified with -include-sources.
CodeSonar uses the source file to present any warnings issued by the analysis.

In order to identify and report vulnerabilities with respect to a C# source file, the CodeSonar build/analysis must observe a cs-dotnet-scan command that implicitly or explicitly specifies both of the following.

The .NET assembly artifact built from the source file, specified with -include-artifacts.
The -include-artifacts option is the best way to include a .NET assembly artifact for which you wish to see warnings: see Build and Analysis for C# Projects: Artifact Categories for more information.
- The PDB file corresponding to the artifact must be present in the same directory as the artifact.
The source file itself, which may be either
- explicitly specified with -include-sources,
  or
- identified (with correct file path) by the PDB file corresponding to the artifact.
CodeSonar uses the source file to present any warnings issued by the analysis.

[C/C++] Code that is preprocessed out

Code that is removed by the C or C++ preprocessor will never reach the compiler, so it cannot be part of the native software or its corresponding CodeSonar project. CodeSonar warnings will not be issued in code that has been preprocessed out.

Consider the following code fragment. Depending on the setting of preprocessor variable TESTVAR, it defines slightly different versions of dodiv(): one that can perform a division by zero and one that can't.

#if TESTVAR > 1
int dodiv(int i){
    if (i<0) return -1;
    return 5/i;
}
#else
int dodiv(int i){
    if (i<=0) return -1;
    return 5/i;
   }
#endif
int exercise(void){
  return dodiv(0);
}

Use preprocessor to select "good" dodiv()	Use preprocessor to select "bad" dodiv()
#define TESTVAR 1 #if TESTVAR > 1 /* The body of this "#if" branch is removed by the preprocessor. * - The "bad" version of dodiv() is not included in the * compilation, so does not appear in the underlying software * or the CodeSonar project. * - The CodeSonar GUI uses grey, italic text to display the #if body. * - No warnings will appear in the greyed-out #if body: it is not part * of the project. */ int dodiv(int i){ if (i<0) return -1; return 5/i; } #else int dodiv(int i){ if (i<=0) return -1; return 5/i; } #endif int exercise(void){ return dodiv(0); }	#define TESTVAR 2 #if TESTVAR > 1 int dodiv(int i){ if (i<0) return -1; return 5/i; /* Division by Zero warning issued here / } #else / The body of this "#else" branch is removed by the preprocessor. * - The "good" version of dodiv() is not included in the * compilation, so does not appear in the underlying software * or the CodeSonar project. * - The CodeSonar GUI uses grey, italic text to display the #else body. / int dodiv(int i){ if (i<=0) return -1; return 5/i; } #endif int exercise(void){ return dodiv(0); / Unreachable Data Flow warning issued here: * control cannot return from the call to "bad" dodiv(0) * because it will always perform division by zero */ }

Use preprocessor to select "good" dodiv()

Use preprocessor to select "bad" dodiv()

#define TESTVAR 1

#if TESTVAR > 1
   /* The body of this "#if" branch is removed by the preprocessor.
    * - The "bad" version of dodiv() is not included in the
    *   compilation, so does not appear in the underlying software
    *   or the CodeSonar project. 
    * - The CodeSonar GUI uses grey, italic text to display the #if body. 
    * - No warnings will appear in the greyed-out #if body: it is not part 
    *   of the project.  
    */

int dodiv(int i){
    if (i<0) return -1;
    return 5/i;
}
#else
int dodiv(int i){
    if (i<=0) return -1;
    return 5/i;
   }
#endif

int exercise(void){
  return dodiv(0);
}

#define TESTVAR 2

#if TESTVAR > 1
int dodiv(int i){
    if (i<0) return -1;
    return 5/i;      /* Division by Zero warning issued here */          
}
#else
   /* The body of this "#else" branch is removed by the preprocessor.
    * - The "good" version of dodiv() is not included in the
    *   compilation, so does not appear in the underlying software
    *   or the CodeSonar project. 
    * - The CodeSonar GUI uses grey, italic text to display the #else body. 
    */
int dodiv(int i){
     if (i<=0) return -1;
     return 5/i;
}
#endif

int exercise(void){
    return dodiv(0); /* Unreachable Data Flow warning issued here:
                      * control cannot return from the call to "bad" dodiv(0)
                      * because it will always perform division by zero
                      */
}

[C/C++] Inline functions that are not called

In most cases, CodeSonar does not produce IR for inline functions that are not called. Any errors in such functions will therefore not be detected by the CodeSonar analysis.

C++ compilers can implicitly inline functions even if they are not declared with the inline keyword.

#include <cstddef>

class NPDClass{

private:
  int *myptr;

public:
  NPDClass(void){myptr=NULL;};
  void npd_inl_called(int i){ 
      *(this->myptr) = i;  /* Null Pointer Dereference warning issued here:
                            * npd_inl_called() is implicitly inline, but has IR because it is called in the program. 
                            */
  };

  void npd_inl_uncalled(int i){
      *(this->myptr) = i;  /* No warning: npd_inl_uncalled() is implicitly inline and never called, so it has no IR.
                            * Because this function is never called, the null pointer dereference in its body can never be executed.
                            */
  };
};

void testNPDClass(){
  NPDClass N;
  N.npd_inl_called(5);
}