| CodeSonar® 9.2p0 | CONFIDENTIAL | CodeSecure Inc |
Every warning issued by CodeSonar is associated with exactly one warning class, which provides a classification for the problem or issue represented by the warning. Warning classes range from serious bugs like Buffer Overrun and Null Pointer Dereference to purely informative diagnostics like Thread Entry Point.
CodeSonar ships with checks for several hundred warning classes. In addition, it provides several mechanisms allowing users to define custom warning classes.
Every warning class has the following properties.

| Property | Description |
|---|---|
| Name | A short English-language description of the class, which functions as a unique identifier. The unique identifier property is useful in various situations, including: Note: Japanese-language translations of warning class names are provided in this manual and in the Web GUI for documentation purposes: these translations are not unique identifiers in the same sense and cannot be used in the ways described above. |
| Significance | Every warning class is associated with a significance value that provides a high-level indication of the purpose of the class and the likely severity of a warning of that class. |
| Categories | A (possibly empty) list of categories related to the class. Items in the list can include CodeSonar mnemonics, rule numbers from the MISRA C (2023, 2012, 2004) and MISRA C++ (2023, 2008) standards, CWE identifiers, Power of Ten rule numbers, DISA STIG identifiers, CERT coding standard identifiers, and user-specified categories. |
| Languages | The languages to which the class applies: some subset of {C, C++, C#, Java}. The warning classes for Java, C/C++, and C# are disjoint. |
CodeSonar ships with a large number of built-in warning classes. There are separate warning classes for C/C++, Java, and C#.

| Language | Built-in warning classes |
|---|---|
| C/C++ | CodeSonar has a broad range of built-in C and C++ warning classes, the majority of which are applicable to both C and C++. Section C and C++ Warning Classes provides an overview of these warning classes, and links to the individual class documentation pages. |
| Java | CodeSonar has a broad range of built-in Java warning classes. Section Java Warning Classes provides an overview of these warning classes, and links to the individual class documentation pages. |
| C# | CodeSonar has a broad range of built-in C# warning classes, which we divide into two groups: Both discussion pages provide an overview of the corresponding warning classes, and links to the individual class documentation pages. |
CodeSonar ships with a large number of built-in warning classes corresponding to the results available from several third party analyzers.
| Language | Third party analyzer | Mnemonic hierarchy branch | More information, including list of built-in classes |
|---|---|---|---|
| Go | Staticcheck | GO.* | Go Warning Classes Corresponding to Staticcheck Checks |
| JavaScript | ESLint | JS.* | JavaScript Warning Classes Corresponding to ESLint Rules |
| Kotlin | detekt | KOTLIN.* | Kotlin Warning Classes Corresponding to detekt Rules |
| Python | Pylint | PYTHON.* | Python Warning Classes Corresponding to Pylint Messages |
| Rust | Clippy | RUST.* | Rust Warning Classes Corresponding to Clippy Lints |
| TypeScript | ESLint with typescript-eslint | TS.* | TypeScript Warning Classes Corresponding to typescript-eslint Rules |
CodeSonar provides several mechanisms for defining new warning classes and adding new checks to the analysis. Section Extending CodeSonar describes the available mechanisms and provides links to detailed information.
Not all warning classes are reported by default: in particular, classes that are only of interest to a subset of users are generally disabled by default.
Custom warning classes are always enabled by default, although additional configuration settings may be required in order for checking to work correctly.
To disable reporting for a warning class that is enabled by default, create a WARNING_FILTER discard rule in a suitable configuration file. For example, to disable reporting for the Double Lock class:

```
WARNING_FILTER += discard class="Double Lock"
```
A WARNING_FILTER discard rule instructs the CodeSonar analysis not to submit matching warnings to the hub. The checking that produces the warnings is not necessarily itself disabled.
If a warning class is disabled by default, the requirements for enabling it will depend on the class: some classes only require a WARNING_FILTER allow rule, but others require additional settings in order to work correctly.
Consult individual warning documentation pages for enabling details.
When a SARIF file is imported into a CodeSonar project, the SARIF importer determines an associated warning class for each rule object in the SARIF rules, creating this warning class if it does not already exist.
To selectively import only some of the warnings represented in an imported SARIF file, specify one or more WARNING_FILTER discard rules in a suitable configuration file. You can also specify a combination of WARNING_FILTER discard and WARNING_FILTER allow rules, if that is the most convenient way to characterize a specific set.
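Before importing a SARIF file it is useful to see which rule objects it contains, and therefore which warning classes the importer would create or reuse, and how many results each one would contribute. The following script is an added example, not CodeSonar's importer or any CodeSecure code: it walks the standard SARIF 2.1.0 layout (`runs[].tool.driver.rules[]` and `runs[].results[]`), resolves each result's rule by `ruleId` or `ruleIndex`, and then drops a chosen set of rule ids to model the effect of discarding those classes. The embedded SARIF document and its `EX00n` rule ids are constructed sample data; how CodeSonar names the class it derives from a rule object is not assumed here, so the script works in terms of the SARIF rule ids only.

```python
"""Preview which warning classes a SARIF file would create on import.

Added example, not CodeSonar's importer. It walks the SARIF 2.1.0 structure
(runs[].tool.driver.rules[] and runs[].results[]) to list every rule object,
count the results attached to each rule, and apply a set of rule ids to drop,
which mirrors what WARNING_FILTER discard rules do for the matching classes.
The embedded SARIF document is constructed sample data.
"""
import json

# Constructed sample SARIF 2.1.0 document (not the output of any real tool run).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-linter",
            "rules": [
                {"id": "EX001", "name": "UnsafeStrcpy",
                 "shortDescription": {"text": "Call to strcpy"}},
                {"id": "EX002", "name": "UncheckedReturn",
                 "shortDescription": {"text": "Return value ignored"}},
                {"id": "EX003", "name": "TodoComment",
                 "shortDescription": {"text": "TODO left in source"}},
            ],
        }},
        "results": [
            {"ruleId": "EX001", "ruleIndex": 0, "level": "error",
             "message": {"text": "strcpy into fixed buffer"}},
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "strcpy into fixed buffer"}},
            # SARIF permits ruleIndex without ruleId; the resolver must handle it.
            {"ruleIndex": 1, "level": "warning",
             "message": {"text": "return value of fread ignored"}},
            {"ruleId": "EX003", "level": "note",
             "message": {"text": "TODO"}},
        ],
    }],
})


def rule_id_of(result, rules):
    """Resolve a result's rule id: SARIF allows ruleId, ruleIndex, or both."""
    rid = result.get("ruleId")
    if rid is None and "ruleIndex" in result:
        rid = rules[result["ruleIndex"]]["id"]
    return rid


def rules_in_sarif(sarif_text):
    """Return {rule_id: {"name": ..., "count": n}} over all runs.

    One entry per rule object, which is the granularity at which the SARIF
    importer assigns warning classes. Results whose rule is not declared in
    the rules array are still counted under their bare ruleId, since an
    importer has to classify them too.
    """
    doc = json.loads(sarif_text)
    summary = {}
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for rule in rules:
            summary.setdefault(rule["id"],
                               {"name": rule.get("name", rule["id"]), "count": 0})
        for result in run.get("results", []):
            rid = rule_id_of(result, rules)
            entry = summary.setdefault(rid, {"name": rid, "count": 0})
            entry["count"] += 1
    return summary


def filter_results(sarif_text, discard_rule_ids):
    """Return the results that survive discarding the given rule ids.

    Models one discard rule per entry of discard_rule_ids: matching results
    are never submitted, everything else is kept unchanged.
    """
    doc = json.loads(sarif_text)
    kept = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for result in run.get("results", []):
            if rule_id_of(result, rules) not in discard_rule_ids:
                kept.append(result)
    return kept


if __name__ == "__main__":
    for rid, info in rules_in_sarif(SAMPLE_SARIF).items():
        print(f"{rid:8} {info['name']:16} {info['count']} result(s)")
    kept = filter_results(SAMPLE_SARIF, {"EX003"})
    print(len(kept), "results kept after discarding EX003")
```

Run it against a real SARIF file by replacing `SAMPLE_SARIF` with the file's contents; the rule list it prints is the set of classes the importer will need, and the count per rule tells you which discard rules are worth writing before the import rather than after.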
Information about warning class properties is provided in the CodeSonar Web GUI as follows.
To report problems with this documentation, please visit https://support.codesecure.com/.