PVS\-Studio 7\.34: support for Apple Silicon ARM64, \.NET 9, taint analysis in Java analyzer, and more

PVS-Studio 7.34 has been released. Discover the latest features, including support for Apple Silicon processors with ARM64 architecture, .NET 9 project compatibility, the introduction of the taint analysis mechanism in the Java analyzer, and more! Explore more details in our press release.

You can download the latest PVS-Studio version here.

PVS-Studio on Apple Silicon ARM64

PVS-Studio analyzers for macOS now support Apple Silicon processors with ARM64 architecture, which has broken new ground for macOS users. With version 7.34, we've introduced native builds that let you harness the full potential of this platform.

PVS-Studio C# analyzer introduces support for .NET 9 projects

Now, users can analyze C# code with all new .NET 9 features.

Therefore, the requirements for the C# analyzer on Windows have changed (details under the Breaking Changes heading).

Taint analysis implementation in PVS-Studio Java analyzer

In the latest update of PVS-Studio Java analyzer, our team has introduced the taint analysis mechanism. We've created the first diagnostic rule based on this mechanism, V5309. It can help detect SQL injection vulnerabilities.

Next year, our Java team will focus on SAST, expand coverage of the OWASP Top 10 list of the most common potential vulnerabilities, and add more diagnostic rules for taint analysis.

Modified file analysis mode

We've updated the PVS-Studio_Cmd and pvs-studio-dotnet command lines. Now they include a modified file analysis mode that auto-detects source files changed between analysis runs. This mode is an alternative to incremental analysis, and you can use it to check pull requests.

For more details on this mode, please consult the documentation.

Viewing analysis results in the CodeChecker web interface

Starting with the CodeChecker 6.25.0 release, users can upload PVS-Studio reports directly into the web interface for a streamlined review of code analysis results. For more details on this integration, please consult the documentation.

Flexible include files in the analysis

You can now more easily include or exclude source files and configuration files from the analysis in the .pvsconfig analyzer configuration files. You can use this mechanism to check Unreal Engine projects with UnrealBuildTool, starting with version 5.5.2. Learn more about it in the documentation.

Breaking Changes

The latest release introduces changes that break backward compatibility with previous analyzer versions. You may need to alter the way you use the analyzer.

The C# analyzer requirements on Windows (updated):

• The analysis of .NET projects will now require installation of the .NET 9 SDK.
• To analyze .NET Standard and .NET Framework SDK-style projects, the .NET SDK 9.0 installation is also required.
• The requirements for analyzing classic .NET Framework projects have not changed: if Visual Studio or MSBuild versions 2017, 2019, or 2022 are installed, the.NET Framework 4.7.2 is sufficient.
• Classic .NET Framework projects on systems with Visual Studio or MSBuild versions 2015 or earlier will also require the.NET 9 SDK.
• To use the silent installation mode on Windows and analyze projects that require the .NET 9 SDK, the DOTNET component must be specified to install the .NET 9 SDK if it is not already installed on the system.

In the pvs-studio-analyzer command line utility, the behavior of the --sourcecetree-root (-r) flag has changed. Now, when a path is replaced in the generated report, the existence of the base directory path is checked.

• If some paths fail to be replaced, a warning message is displayed; however, the return code remains 0.
• If the path replacement fails for all the paths, the return code is non-zero, accompanied by the warning message.

New diagnostic rules

C, C++:

• V1116. Creating an exception object without an explanatory message may result in insufficient logging.
• V1117. The declared function type is cv-qualified. The behavior when using this type is undefined.
• V2022. Implicit type conversion from integer type to enum type.
• V5014. OWASP. Cryptographic function is deprecated. Its use can lead to security issues. Consider switching to an equivalent newer function.

C#:

• V3207. The 'not A or B' logical pattern may not work as expected. The 'not' pattern is matched only to the first expression from the 'or' pattern.
• V3208. Unity Engine. Using 'WeakReference' instance with 'UnityEngine.Object' is not supported. GC will not properly reclaim memory from this object because it is linked to a native object.
• V3209. Unity Engine. Re-applying await to an Awaitable object will result in an exception.
• V3210. Unity Engine. Unity does not allow removing the 'Transform' component using 'Destroy' or 'DestroyImmediate' methods. The method call will be ignored.
• V4007. Unity Engine. Avoid creating and destroying UnityEngine objects in performance-sensitive context. Consider activating and deactivating them instead.

Java:

• V6123. Modified value of the operand is not used after the increment/decrement operation.
• V6124. Converting an integer literal to the type with a smaller value range will result in overflow.
• V6125. Calling the 'wait', 'notify', and 'notifyAll' methods outside of synchronized context will lead to 'IllegalMonitorStateException'.
• V5309. Possible SQL injection. Potentially tainted data is used to create SQL command.

Articles

For those, who code in C++:

• C++ programmer's guide to undefined behavior: part 11 of 11
• Brain debugging. Interview with Anders Schau Knatten, author of "C++ Brain Teasers: Exercise Your Mind"
• C++ programmer's guide to undefined behavior: part 10 of 11
• 5 lines of fortune: what program keeps under wraps
• History of C and C++. Part one: emergence and standardization of C language. C with Classes becomes C++
• 19 errors in LLVM 19
• Debugging bugs in x64dbg debugger. Step out to GUI
• What's up with Telegram messenger: dozen errors detected
• DPDK: 100 big and small bugs
• C++ programmer's guide to undefined behavior: part 9 of 11
• Finding errors in unit tests
• C++ programmer's guide to undefined behavior: part 8 of 11
• Realm of gaming experiments: potential developer errors in emulator creating
• Most striking error I found with PVS-Studio in 2024
• C++ programmer's guide to undefined behavior: part 7 of 11

For those, who code in C#:

• How can one code line crash application? Looking for issues and vulnerabilities in ScreenToGif
• What's new in .NET 9?
• .NET Digest #4
• Catch vulnerability on your own: user annotations for C# code
• What's new in C# 13: overview
• What's new in Unity 6? Overview of release updates and source code issues
• The last source code: digging into bugs in projects after indie game studio shuts down

For those, who code in Java:

• Inside Java Enterprise code: let's check Flowable
• Java serialization: let's dig it up
• YYYY? yyyy!
• Belay the Metamorphosis: analyzing Kafka project

Other articles:

• CodeChecker—code quality control using PVS-Studio
• Redesigning our conference swag: here we go again
• From WALL-E to Terminator: bugs, how robots work, and developers' fantasies

Webinars

C++ Semantics

In the webinar on C++ semantics, we explored symbols and name resolution. We discussed various types of lookups, scope importing, and overload resolution, along with the specifics of templates.

Evaluation

In that talk, we touched upon the topic of compile-time evaluation. We saw how we could use the AST to calculate values and why this approach could be difficult at times. Also, we looked at intermediate representation (IR) and saw how it could help us.

Do you want to check a project with PVS-Studio? Then start from this page.

If you'd like to get news on the latest releases, subscribe to the PVS-Studio newsletter here.