What’s New in Klocwork | Perforce Software

What’s New in Perforce Klocwork

Klocwork is now Perforce Klocwork. You've probably noticed that Perforce recently refreshed our brand with a new logo and color palette. Now, we're taking one more step toward unifying the Perforce portfolio by simplifying some of our product names. Accordingly, Klocwork is now officially "Perforce Klocwork."

While our logo and product names have changed, our commitment to providing a trusted static analysis solution remains the same. You'll see the new name rolled out gradually across our webpages, documentation, and the Perforce Klocwork product over the coming months.

Get the full release notes, download instructions, and upgraded licenses.

Request New Release

What's New in Perforce Klocwork 2025.2

Perforce Klocwork 2025.2 adds broader C/C++ analysis and improved accuracy for modern C++, together with improved support for source file encodings. This release also includes a new taxonomy for MISRA® C:2025 coverage and usability enhancements to the Visual Studio Code extension.

In the 2025.2 release, updates to Perforce Validate provide improved performance and scalability with reduced storage footprint for projects using CI builds. Other enhancements include a new table view for issue details as an alternative to the existing issues list and compliance report improvements for consistency between the MISRA and generic report formats.

C/C++ Analysis Engine

Broader C++ Analysis With Modern Engine as Default

Modern mode is now the default C/C++ analysis mode for dataflow analysis and provides improved language feature support and capabilities for analyzing modern C++ code.

Using modern mode can increase the number of new defects found due to improved language feature coverage. When upgrading to 2025.2, it is recommended that you run analysis on the same code version that you used for your last analysis before you upgraded to help isolate the changes related to the upgrade and then review the differences.

Other C/C++ Analysis Enhancements

Specific source file encodings can be set when using the modern mode.
Improved integration with the Bazel build system with C/C++ projects for handling of include directories in certain cases.

Perforce Validate Platform Improvements

Database Improvements

The database structure for CI builds has been updated to reduce the storage footprint and database churn during loads. This provides better performance and scalability, particularly for projects with frequent CI activity.

View and Manage Issues With Greater Flexibility

In the Validate Issues tab, you can now use either the existing List or new Table view to sort, select, search, and update issues; with full support for bulk actions.

Expanded Support for Rule Reference Queries

In Validate 2025.2, you can now search the issue list by taxonomy and rule reference. In the Validate Issues tab and Issue Details panel, all taxonomy and reference values applicable to an issue are presented. Taxonomy and reference queries are also supported using the Web API search actions.

Improved Workflow for Build Retention Policy

The Validate automatic build deletion feature helps manage storage by removing older builds once a specified limit is reached. You can now configure build retention at the project or stream level more granularly across the Validate portal, the Web API, and the command line tools.

Compliance Report Improvements

The content and layout of the Validate compliance reports has been updated for greater consistency between the MISRA and generic report formats and to provide additional information regarding the configuration applied for the selected build, including the suppression configuration file. In the generic compliance report, the File Summary now indicates the count of rule violations per file for improved clarity. A compliance license is also no longer required to generate a full (non-summary) compliance report.

Apart from the report content changes, new actions have been added to the Validate portal and the Web API to make it easier to delete compliance reports.

Coding Standards

New taxonomies have been added to Klocwork 2025.2 for:

MISRA C:2025

There are also other improvements to standards coverage for:

CERT C++
MISRA C:2023, MISRA C:2012 with Amendment 2

Additionally, the format of the rule/category text has been updated across several taxonomies to support changes in the compliance report for showing the rule names and descriptions split into separate columns.

Quality of Life Enhancements

IDE Plugins

The Perforce Static Analysis extension for VS Code now includes a rule reference column, allowing you to sort by rule name and category.
Added the ability to analyze a single file in the VS Code extension.

Analysis Tools

To help diagnose problems with your analysis flow and fix missing permissions, the kwcheck and kwciagent commands now return non-zero exit codes when issues are encountered.

Validate Usability Improvements

Line of code metrics are shown per file in the file tree in the issue details browser.

Compiler Support

Improved support for the following compilers:

Clang
TI cl430
GNU iccarm
QNX

Important Changes in Klocwork 2025.2

Removal of the kwmatch Utility in 2025.2

The kwmatch utility has been removed as of Klocwork 2025. If you are upgrading from a previous version, we recommend using streams to manage project branches and kwxsync for cross-project issue snychronization.

If you previously used kwmatch for specific projects and created a database for it, and then you migrate to those projects to 2025.2 or later, your database will no longer be used and you can remove it.

Removal of the dbvalidate Cleanup Utility in 2025.2

Starting in release 2025.2, you can no longer run the dbvalidate cleanup utility directly. Some dbvalidate commands for removing duplicated issues and comments remain available for use if advised specifically by Perforce Support.

License Management Changes

The following changes to licensing have been introduced from 2025.1:

Klocwork tools now use Reprise License Management (RLM) v16.1BL1. The upgraded server is included with the Validate installation and any earlier RLM servers need to be upgraded to this version in order to work with Klocwork 2025.1 and above.
2024 licenses are not compatible with Klocwork 2025.1 or newer. To use the latest version of the product, obtain a new license by contacting Perforce at [email protected].

Pre-Announcements

End-of-Life Notice for Visual Studio 2015 IDE Plugin in 2025.4

Starting in Klocwork 2025.4, the IDE plugin for Visual Studio 2015 will no longer be provided or supported in alignment with Microsoft's end of extended support for Visual Studio 2015.

What's New in Perforce Klocwork 2025.1

For the first release of 2025, Perforce Klocwork 2025.1 introduces new support for group synchronization with SAML/OIDC and performance improvements for the Perforce Validate server to reduce build load times and storage usage. The 2025.1 release also includes enhanced build system integration with improved support for Bazel and Android 15 for C/C++ analysis as well as better build capture with Gradle for mixed Kotlin and Java projects. In addition, there are enhancements to Klocwork IDE plugins with support for Kotlin in IDEA and Android Studio, and improved handling of projects with a high volume of results in the VS Code plugin.

Validate Platform Improvements

Validate Groups Authorization Integration With SAML/OIDC

Validate now supports group synchronization with SAML and OIDC authentication, allowing user group membership to be automatically fetched from the identity provider (IdP) during login. Group synchronization is opt-in and the steps for configuring the integration are described in the documentation.

Reduced Build Load Times and Disk Usage

Klocwork 2025.1 includes optimization and customization options to reduce load times and disk usage for builds on the Validate server. Testing with representative projects showed that medium to large projects load up to 40% faster, with disk usage reduced by 10-20%. Smaller projects also load 10-30% faster, with some reductions in disk usage. The performance improvements have been achieved through enhanced caching and limiting the metrics that are loaded with a build, with the selection of stored metrics being customizable using a new configuration file per project as described in the documentation.

Configurability of Issue Statuses for Counts and Reporting

A new configuration file has been added to the Validate server to allow customization of how issue statuses are used, namely:

Modifying statuses that determine Open counts in Validate for projects, views, builds, and CI builds.
Defining how compliance report deviations and violations are calculated.

There are also other improvements to compliance reports to include additional data about the view applied when generating the report, such as view name, search query, and module definitions.

Coding Standards

New taxonomies have been added to Klocwork 2025.1 for:

CWE 2024 Top 25 for C/C++, C#, and Java.
DISA STIG v6 for C/C++, C#, and Java.

There are also other improvements to standards coverage for:

CWE C#.
MISRA C:2023, MISRA C:2012 with Amendment 2.

C/C++ Analysis Engine

This release includes improved build system support with C/C++ projects and other analysis enhancements including :

Improved C and C++ support for the Bazel build system on Linux.
Improved the support of the Android 15 code base with the kwandroid utility.
Updated coverage for MISRA C:2012 up to Amendment 2 with Klocwork-supported checkers, removing the need for community checkers.
Improved accuracy of analysis with modern mode.

Java Analysis Engine

Improved support for Android 14 with Java analysis.

Quality of Life Enhancements

IDE Plugins

Added support for Kotlin analysis with the IntelliJ IDEA and Android Studio IDE plug-ins.
Improved handling of projects with millions of issues in the VS Code plugin.

Build System Support

Simplified build capture with Gradle for mixed Kotlin and Java projects using kwgradle.

Validate Usability Improvements

Added a Validate Web API endpoint that allows you to access and download a specified build.log file from Validate.
Added utilities to cleaning up unused issue records and duplicated comments in the Validate database.
Improved the handling of very large source files in the XRef or issue details pages in Validate.

Compiler Support

Improved support for the following compilers:

GNU
Clang
Analog Devices SHARC
Microsoft Visual C++

Important Changes in Klocwork 2025.1

License Management Changes

The following changes to licensing have been introduced in 2025.1:

Klocwork tools now use Reprise License Manager (RLM) v16.1BL1. The upgraded server is included with the Validate installation and any earlier RLM servers need to be upgraded to this version in order to work with Klocwork 2025.1 and above.
Project administration commands no longer consume a build license.
The license feature for use of streams has been removed.
License token names no longer include the year.
2024 licenses are not compatible with Klocwork 2025.1 or newer. To use the latest version of the product, obtain a new license by contacting Perforce at [email protected].

Deprecation of the kwmatch Utility in 2025.1

The kwmatch utility is deprecated as of Klocwork 2025.1 and will be removed in a future release. If you are upgrading from a previous version, we recommend using streams to manage project branches and kwxsync for cross-project issue synchronization.

Pre-Announcements

End-of-Life Notice for Visual Studio 2015 IDE Plugin in 2025.4

Starting in Klocwork 2025.4, the IDE plug-in for Visual Studio 2015 will no longer be provided or supported in alignment with Microsoft's end of extended support for Visual Studio 2015.

What's New in Perforce Klocwork 2024.4

Klocwork 2024.4 introduces expanded coverage for CERT C, C++, and Java and a new backup method for Validate enabling reduced server downtime. This release also includes improvements to Java project builds with support for the Bazel build system and differential analysis for CI/CD pipelines.

In addition, there are general enhancements to usability of the Validate interface and improved support for the latest versions of IDEA, CLion, and Android Studio with IDE plugins.

Validate Platform Improvements

Back Up Projects and Server Information With Minimal Downtime

To minimize downtime, you can safely back up Validate project and server data without having to stop the server. Scripts are provided to back up individual projects or Validate server configurations and restore them later as described in the documentation.

Improved Workflow for Application Token Authentication

Authenticating a client in automated environments is now more streamlined and secure. This enhancement is especially useful for Docker container deployments.

You can securely authenticate a client by storing the application token in a secret storage system such as Docker Secrets, then use your system's automated interaction methods to pass the token using the validate auth -t command.

Added Support for Regular Expressions for Modules Paths

Regular expressions are now supported along with Glob patterns when specifying paths for Modules in Validate. A wide range of standard regex characters are supported for precise pattern matching. For more information and examples, see the documentation.

Updated Taxonomy Page for Improved Navigation

To reduce visual clutter and simplify navigation, taxonomy categories are now collapsed by default to the level of the guidelines/rules. Categories can be expanded individually or all at once to show the mapping of the checkers to the guidelines.

Coding Standards

New and expanded standards coverage for Klocwork 2024.4 includes:

CERT C and C++, 100% coverage of Level 1 rules
CERT Java
HKMC C++
MISRA C:2023

C++ Analysis Engine

Improved language feature coverage and accuracy for C/C++ analysis including:

Improved defect detection for C/C++ concurrency checks with modern analysis mode.
Added path analysis for C/C++ for detecting use of non-array object as an array.
Replaced selected existing community MISRA C checkers with Klocwork supported checkers.
Improved robustness of C/C++ analyzer.

Java Analysis Engine

Added full Java support for the Bazel build system on both Windows and Linux.
Added support for differential analysis in kwciagent.

Quality of Life Enhancements

IDE Plugins

Updated IDE plugins to support newer versions of IntelliJ IDEA, Android Studio and CLion IDEs.
Added SAML/OIDC authentication to the VS Code plugin, allowing you to authenticate securely with the Validate server.

Operating System Support

Added support for Ubuntu 24.04 LTS, Debian 12 and Windows 11 24H2.

Build System Support

Full C, C++, and Java support for the Bazel build system on Windows and Linux.

Validate Usability Improvements

Added confirmation step for editing multiple issues at once to help ensure that your bulk changes are intentional. A confirmation box now appears when you edit multiple issues at once from the search screen.
To provide a comprehensive view of the build process, CI build logs now contain both the analysis and the import build logs, making it easier to debug and track the progress of CI builds.
Improved handling of stream permissions to allow stream admins to assign roles to users.

Build Tools

Improved checking of validity of suppressions file provided to kwbuildproject before initiating analysis.

Compiler Support

Improved support for the following compilers:

GNU
Clang

Important Changes in Klocwork 2024.4

End-of-Life for Windows Server 2012, SUSE Enterprise 12 — Klocwork 2024.4

Starting in Klocwork 2024.4, Windows Server 2012 and SUSE Enterprise 12 will no longer be supported.

Secure Authentication Tokens

As of Klocwork 2024.3, secure authentication tokens generated using 'kwauth'/'validate auth' are by default stored in a 'credentials' file in secure storage with Java KeyStore. The environment variable KLOCWORK_SECURE_TOKEN_STORAGE is set to JAVA_SECRET_STORAGE for new tokens and is set to empty for pre-existing tokens. If using 2024.1 or earlier Klocwork tools with a 2024.2 or newer Validate server, it is necessary to use insecure token storage. To use insecure storage with any authentication command, set the VALIDATE_SECURE_TOKEN_STORAGE environment variable to DISABLED.

License Management Changes

As of 2023.4, Klocwork tools use Reprise License Manager (RLM) v15.1BL2.

2023 licenses are not compatible with Klocwork 2024.1 or newer. To use the latest versions of the product, obtain a new license by contacting Perforce at [email protected].

Pre-Announcements

License Management Changes

A new version of the RLM server v16.1 will be made available with the Klocwork 2025.1 release. It will be necessary to upgrade the installed license server for compatibility with Klocwork and Validate.

What's New in Perforce Klocwork 2024.3

Klocwork 2024.3 introduces new functionality and performance improvements to the C/C++ analysis engine and build upload processes. This release also ships with enhanced security and user experience improvements, including better user authentication workflow in the IDE plugins for SAML/OIDC authentication. Other enhancements include broader coding standards coverage and improved integration with the Bazel build system.

Validate Platform Improvements

Build Loading

The speed of build uploads to Validate has been improved.

Authentication

Improved security for storing user tokens for authentication when using 'kwauth'/'validate auth'.
- The change to the use of ltokens and the new environment variables used to specify related file locations are described in the documentation.
Enhanced user authentication in IDE plugins when using Validate SAML/OIDC authentication.

Coding Standards

New and expanded standards coverage for Klocwork 2024.3:

MISRA C:2012
- 100% coverage of MISRA C:2012 Amendment 2 rules
CERT C and C++
- Selected Level 1 rules
Corresponding rules in AUTOSAR, HKMC C++, MISRA C++:2023

C/C++ Analysis Engine

Improved language feature coverage and defect detection for C/C++.

Improved analysis for detection of issues related to memory leaks or attempting to use memory after free.
Increased support for the Bazel build system on both Windows and Linux.

Quality of Life Enhancements

File Extensions

Klocwork 2024.3 allows file extensions in path matching for suppression configuration (in the .sconf file).

Build System Support

Support for integration with the Bazel build system on both Windows and Linux (support was added in 2024.1).

Licensing

Updated licensing for 'kwadmin'/'validate admin' to simplify use of build licenses.

Compiler Support

Additional or improved support for the following compilers:
- GNU
- Clang
- TI ARM Clang
- QNX
- iccarm
- Tricore

Important Changes in Klocwork 2024.3

Secure Authentication Tokens

As of 2024.3, secure authentication tokens generated using 'kwauth'/'validate auth' are by default stored in a 'credentials' file in secure storage with Java KeyStore. The environment variable KLOCWORK_SECURE_TOKEN_STORAGE is set to JAVA_SECRET_STORAGE for new tokens and is set to empty for pre-existing tokens. If using 2024.1 or earlier Klocwork tools with a 2024.2 or newer Validate server, it is necessary to use insecure token storage. To use insecure storage with any authentication command, set the VALIDATE_SECURE_TOKEN_STORAGE environment variable to DISABLED.

License Management Changes

As of 2023.4, Klocwork tools use Reprise License Manager (RLM) v15.1BL2.

2023 licenses are not compatible with Klocwork 2024.1 or newer. To use the latest version of the product, obtain a new license by contacting Perforce at [email protected].

End-of-Life Announcements

Deprecation of Structure 101 Integration

As of 2024.3, the integration between Klocwork and Structure 101 is deprecated and no longer supported.

Maintenance for Klocwork 2022 Ending

Maintenance for all versions of Klocwork 2022 ended on March 31, 2024. In addition, the end of maintenance (EOM) date and end of sale (EOS) date also occurred on March 31, 2024. For information about the availability of support for any release of Klocwork, see the Klocwork Product Lifecycle. 

End-of-Life for CentOS Linux 7 - Klocwork 2024.3

Starting in Klocwork 2024.3, CentOS Linux 7 will no longer be supported.

End-of-Life for NIS Access Control

Starting in Klocwork 2024.3, NIS access control will no longer be supported. When migrating from an earlier version to Klocwork 2024.3, it is necessary to switch to a different authentication method before migrating, to ensure that you can continue to sign in after the upgrade.

End-of-Life for Legacy Help Website

As of January 2024, Klocwork has shut down the legacy help website for versions prior to 2022, https://docs.roguewave.com/.

This is a notice to inform users to please use the new website https://help.klocwork.com/ for all your documentation needs.
The documentation for versions 2021.x and earlier will need to be accessed using the offline content provided in the release packages.

Discontinuation of Klocwork Server Installations in Release 2023.4

Starting with release 2023.4, Klocwork Server installations have been discontinued. We recommend transitioning to Validate installer for a more streamlined and integrated experience.

What's New in Perforce Klocwork 2024.2

Klocwork 2024.2 introduces significant accuracy and performance improvements to the modern C/C++ analysis engine. This release also includes enhanced security and authentication features and improved user experience, as well as MISRA® and CERT ruleset improvements, Java language enhancements, and a new CWE mapping for Kotlin.

C/C++ Analysis Engine

Klocwork 2024.2 introduces the option to run the modern analysis engine alone, bringing significant performance improvements and extended language feature support for modern C and C++code constructs.

"Modern Mode" Functionality

Provides greater code coverage and defect detection for C++17 and newer language versions.
Lower False Positives and False Negatives rates.
Faster analysis times of up to 25% for select projects*.

Note: "Modern Mode" may result in a more significant change in results due to increased analysis coverage and understanding.

*(based on internally benchmarked OSS projects)

New Validate Platform Authentication Improvements

Enhanced Security with SAML and OIDC Authentication

You can now integrate your identity provider with Validate using Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) authentication to enjoy benefits like:

Enhanced security through centralized authentication.
Simplified user management and experience through single sign-on (SSO).

Identity providers tested with Validate include:

SAML: Keycloak, Okta, AWS, Cisco, GitHub.
OIDC: Keycloak, Google, Microsoft Entra (formerly Azure AD), AWS.

Authenticate and Manage User Sessions and Application Tokens in Validate

You can now create application tokens in Validate to securely authenticate with SAML or OIDC supported servers for the following tasks:

Sign in to the command line tools using kwauth or validate auth.
Import projects from Validate or the Web API.

Administrators can now manage individual user sessions through Validate by logging users out of their Validate sessions.

Additional improvements include enhanced password security in Validate when using basic authentication.

Java Analysis Engine

Use the -ignore files option in kwandroid without having to modify the build specification to focus on a select set of Java files for analysis.

Klocwork Utility Enhancements

New ability to specify which Java Virtual Machine (JVM) Klocwork tools should use by setting the KW_JAVA environment variable, allowing for greater flexibility and compatibility with different Java environments.
To streamline the deployment of your Klocwork analysis tool in automated environments, the continuous integration tools are now included in the Build Tools package.

MISRA® C and C++

Enforce MISRA compliance using Klocwork's improved presentation of the MISRA C and MISRA C++taxonomies.

Rule-first approach to taxonomies.
Checkers are now subcategories of rules in the taxonomies.

Coding Standards

New and expanded coding standards coverage and taxonomies for Klocwork 2024.2:

CWE for Kotlin

Quality of Life Enhancements

IDE Plugins and Extensions

Introduced new Validate authentication, which allows you to connect to a project stream in any plugin using either classic authentication, or SAML or OIDC authentication.

Compiler Support

Additional or improved support for the following compilers:

Clang
Clang-cl
GCC
IAR
Renesas

Important Changes in Klocwork 2024.2

License Management Changes

As of 2023.4, Klocwork tools now use Reprise License Manager (RLM) v15.1BL2.

The upgraded RLM v15.1BL2 server is included with the Klocwork 2023.4+ installations. Any earlier RLM servers need to be upgraded to this version in order to work with Klocwork 2023.4 and above.
FLEXlm/FlexNet Publisher support was deprecated in 2022.2 and will no longer work with the release of Klocwork 2023.1+.
2023 licenses are not compatible with Klocwork 2024.1 or newer. To use the latest version of the product, obtain a new license by contacting Perforce at [email protected]

Maintenance for Klocwork 2022 Ending

End of Life for Legacy Help Website

As of January 2024, Klocwork has shut down the legacy help website for versions prior to 2022, https://docs.roguewave.com/.

This is a notice to inform users to please use the new website https://help.klocwork.com/ for all your documentation needs.
The documentation for versions 2021.x and earlier will need to be accessed using the offline content provided in the release packages.

Deprecation of NIS Access Control

If using NIS access control, when migrating to 2024.2 from an earlier version it is necessary to switch to another authentication method. It is recommended to switch to an alternative method before migration to ensure users can continue to log in after the upgrade.

Discontinuation of the Jenkins Plugin

Starting in Klocwork 2024.2, the Jenkins plugin has been removed from Klocwork and the installation package is no longer provided.

Removal of Validate Code Review

Starting in Klocwork 2024.2, the Code Review function and its associated command line tools have been removed from Validate.

Pre-Announcements

End-of-Life for CentOS Linux 7 and RHEL 7 - Klocwork 2024.3

Starting in Klocwork 2024.3, CentOS Linux 7 and RHEL 7 will no longer be supported. CentOS Linux 7 is end-of-life and RHEL 7 is end-of-maintenance as of 30th June 2024.

Discontinuation of NIS Access Control

Starting in Klocwork 2024.3, NIS access control will no longer be supported. Some functionalities may be affected in the 2024.2 release.

What's New in Perforce Klocwork 2024.1

For the first release of this year, Klocwork 2024.1 introduces new functionality and improvements to Perforce's continuous security and code compliance platform, Validate. The Validate upgrade process is now faster, more resilient, and user-friendly. You can exclude projects, prioritize migrations, migrate projects individually without server restarts, handle failed migrations seamlessly, and more.
This release also improves support for projects using the Bazel build system developed using C/C++, C#, and Java. Klocwork 2024.1 expands coding standards enforcement coverage shipping support for MISRA C++:2023®. In addition to providing user experience enhancements such as improved search functionality and enhanced role permissions, Validate also includes a new feature allowing CSV download of issue lists, while the VSCode IDE plugin gains support for advanced differential analysis, greatly enhancing usability and overall quality of life for the user.

New Validate Platform Improvements and Functionality

Upgrade and Migration Improvements

Get up and running faster by starting the Validate Server, even if some projects fail to migrate. Successful migrations will be available immediately, and failed migrations will be automatically disabled. Save time by migrating individual projects without having to restart the Validate Server. Apply fixes and re-migrate problematic projects without interrupting the use of successfully migrated projects.

Project Migration Status

The Validate project list now indicates the current state of your project and provides actionable insights to resolve issues that may occur during upgrades and migration. Projects can be enabled/disabled to limit usage during upgrades, while projects that fail to migrate will no longer block Validate services from starting. Instead, project status will inform users that migration needs to be completed. Project status can also be checked using the kwadmin command or using the Web API to query the current project state.

Exclude Individual Projects from Migration

To help speed up migration, you can exclude specific projects. Excluded projects will not be migrated and will appear as disabled in the Validate tools. Later, you can migrate and enable excluded projects individually without restarting the Validate Server. For details, see Migrate your projects_root directory.

Prioritize Migration of Specific Projects

To prioritize important projects, you can assign a priority list which specifies the order in which projects will be migrated. Projects not included in the list will be migrated in the order of their project ID. To learn more, see Migrate your projects_root directory.

Import or Duplicate Existing Projects

You can now import a project from another Validate server, even if the project name matches an existing project on the target server. For more information, see Import your projects and server settings.

Improved Migration Logging

Migration logs are greatly improved to provide detailed information on the status of project migration steps and the logs are persisted to aid in troubleshooting if needed.

Download Issue List as CSV

The new CSV download button available at the top of the Issues page will download a list of defects based on the current search query in Validate. For additional issue information such as line number, comment, and justification, you require a subscription to the Validate Advanced Compliance Reporting package.

Expanded Search

Regular Expression (RegEx) search capabilities for Validate Modules provides increased support for the use of* and ** wildcard characters when specifying paths to your file system. See modules documentation for more information.

New Role Permission

Added change issue owner permission that provides the ability to allow users to change issue owner without being able to change issue status.

Preserve License Logs for Audit Purposes

You can now keep logs for auditing purposes, by appending the logs to your license server license.report.log file instead of overwriting the file after the server restarts. To learn about the append.license.logging setting, see kwservice or validate service.

Analyze Bazel Build Projects

2024.1 introduces improvements to analyze projects using the Bazel build system for C/C++, C#, and Java software development projects. Use the build integration command kwbazel on Linux, or the --bazel option in kwandroid for Android projects. For further usage and limitation information, see kwbazel.

MISRA C++:2023®

Enforce MISRA compliance using Klocwork's new coding standard taxonomy for MISRA C++:2023 rules.

Coding Standards

New and expanded standards coverage and taxonomies for Klocwork 2024.1:

CERT C/Java - Added level information to category name and meta data for C and Java.
CWE - C/C++
MISRA C++:2023

Quality of Life Enhancements

IDE Plugins

Visual Studio Code now supports differential analysis on file open/save.
Visual Studio status and info bars are improved to highlight important information and reduce visual distractions.

Compiler Support

Additional or improved support for the following compilers:

Clang
Clang-cl
Tasking Tricore

Important Changes in Klocwork 2024.1

License Management Changes

As of 2023.4, Klocwork tools now use Reprise License Manager (RLM) v15.1BL2.

The upgraded RLM v15.1BL2 server is included with the Klocwork 2023.4+ installations. Any earlier RLM servers need to be upgraded to this version in order to work with Klocwork 2023.4 and above.
FLEXlm/FlexNet Publisher support was deprecated in 2022.2 and will no longer work with the release of Klocwork 2023.1+.
2022 licenses are not compatible with Klocwork 2023.4 or newer. To use the latest version of the product, obtain a new license by contacting Perforce at [email protected].

Maintenance for Klocwork 2022 Ending

End-of-Life for Legacy Help Website

As of January 2024, Klocwork will be shutting down the legacy help website for version prior to 2022, https://docs.roguewave.com/.

This is a notice to inform users to please use the new website, https://help.klocwork.com/, for all your documentation needs.
The documentation for versions 2021.x and earlier will need to be accessed using the offline content provided in the release packages.

Discontinuation of Klocwork Server Installations in Release 2023.4

Starting with release 2023.4, Klocwork Server installations have been discontinued. We recommend transitioning to Validate installer for a more streamlined and integrated experience.

CLion Plugin and Desktop Tools 2023.4 Compatibility

This is a notice to inform users of the following limitations for backward compatibility with 2023.4 desktop tools.

Only the 2023.4 or later Klocwork desktop tool (kwcheck) can be used with the 2023.4 CLion plugin.
Only the 2023.4 or later server can be used with kwcheck and desktop tools from 2023.4 for connected projects.

Pre-Announcements

End-of-Life for Klocwork Jenkins Plugin - Klocwork 2024.2

This is a pre-announcement to inform customers of our plans to deprecate Klocwork's custom Jenkins plugin in 2023.4 and discontinue shipping it with releases from 2024.2. The benefits provided by this custom Jenkins plugin are now natively supported by Klocwork, providing more flexibility to integrate our tools with Jenkins, GitHub Actions, Azure DevOps, GitLab CI, etc. For information on managing CI builds, click here.

End-of-Life for Klocwork Code Review (Inspect) - Klocwork 2024.2

This is a pre-announcement to inform customers of our plans to deprecate and discontinue support, licensing, and selling of Code Review (Inspect). The feature is planned to be removed from Validate in 2024.2.

Removal of Issue-Grouping - H2 2024

Issue grouping was deprecated in 2023.3 and this is a pre-announcement that grouping is planned to be removed as an option in H2 2024.

This is a notice to recommend users to disable grouping if they are upgrading from a previous version prior to performing a migration.

Project Streams functionality is not compatible with Issue Grouping.
Disabling grouping improves the Validate database load times significantly for larger projects and larger files with high numbers of defects.

What's New in Perforce Klocwork 2023.4

Klocwork 2023.4 provides an improved issue-matching algorithm for greater consistency of results between Desktop and CI builds with the integration builds, and issue matching between successive builds. The latest version of Klocwork also provides C/C++ language improvements reducing false positives/negatives and introduces the capability of the C/C++ analysis engine to inter-procedurally track array values, in indices and values with constant expressions. In addition, there are general improvements for IDE Plugins, Installer packages, and improvements to Coding Standard Coverages for various C/C++, C# and Java coding guidelines.

C/C++ Analysis Engine

Improved language feature coverage and defect detection for C/C++

Added support for tracking array values, in indices and values with constant expressions, for C/C++ inter-procedural analysis.
New C/C++ rules for finding defects related to suspicious bounds checking of an array index prior to use.

Java Analysis Engine

Improved Java analysis for projects involving Android 13
Added support for Gradle 8.4

Coding Standards

New and expanded standards coverage and taxonomies for Klocwork 2023.4:

CERT - C++/Java
CWE & 2023 CWE Top 25 Most Dangerous Software Weaknesses for - C#/Java
DISA STIG v5 - C/C++/Java
HKMC v4.1 - C/C++
TS 17961 - C
MISRA C:2023
PCI DSS 3.2.1 - C/C++

Quality of Life Enhancements

IDE Plugins

Updated IDE plugins to support newer versions of IntelliJ IDEA, Android Studio, and CLion.
General stability improvements for Microsoft Visual Studio and CS Code.

Installer Packages

Consolidation of Klocwork and Validate installers to reduce number of packages.

Issue-Matching Algorithm

Improved consistency of results between Desktop and CI builds with the full integration builds and issue matching between successive builds.

Command Options for Exact Match and Override File

Introduced new functionalities for exact match and overrides file options in both kwcheck and kwciagent, see 2023.4 release notes for more information.

Validate Server

Apache Tomcat has been upgraded to version 8.5.96, with enhanced performance, security features, and additional optimizations for a more efficient and reliable server environment.

Streams Feature Enhancement

Expanded stream defect reporting to include the concept of issues found in a project on another stream.
Issue summary categorization now includes local, stream, and system reporting.

Utility Improvements

Improvements made to utilities in the support of migration.

Web API

Reports generated through the Web API now provide a relative link to a "compliance report" folder that the API endpoint can retrieve.

Important Changes in Klocwork 2023.4

End-of-Life for Legacy Help Website

As of January 2024, Klocwork will be shutting down the legacy help website for versions prior to 2022, https://docs.roguewave.com.

This is a notice to inform users to please use the new website https://help.klocwork.com for all your documentation needs.
The documentation for versions 2021.x and earlier will need to be accessed using the offline content provided in the release packages.

Discontinuation of Klocwork Server Installations in Release 2023.4

Starting with release 2023.4, Klocwork Server installations have been discontinued. We recommend transitioning to Validate installer for a more streamlined and integrated experience.

CLion Plugin and Desktop Tools 2023.4 Compatibility

This is a notice to inform users of the following limitations for backward compatibility with 2023.4 desktop tools.

Only the 2023.4 or later Klocwork desktop tool (kwcheck) can be used with the 2023.4 CLion plugin.
Only the 2023.4 or later server can be used with kwcheck and desktop tools from 2023.4 for connected projects.

License Management Changes

As of 2023.4, Klocwork tools now use Reprise License Manager (RLM) v15.1BL2.

Important: The Upgraded RLM v15.1BL2 server is included with the Klocwork 2023.4+ installations. Any earlier RLM servers need to be upgraded to this version in order to work with Klocwork 2023.4 and above.

Pre-Announcements

End-of-Life for Klocwork Jenkins Plugin - Klocwork 2024.2

End-of-Life for Klocwork Code Review (Inspect) - Klocwork 2024.2

Removal of Issue Grouping - Klocwork 2024.1

Issue grouping was deprecated in 2023.3, and this is a pre-announcement that grouping is planned to be removed as an option from 2024.1.

This is a notice to recommend that users disable grouping if they are upgrading from a previous version prior to performing a migration.

Project Streams functionality is not compatible with Issue Grouping.
Disabling grouping improves the Validate database load times significantly for larger projects and larger files with high numbers of defects.

What's New in Perforce Klocwork 2023.3

Klocwork 2023.3 provides build management improvements for Streams and CI/CD analysis pipelines using Build Tags. The C/C++ analysis engine gains the capability to track values of individual array elements referenced by constant indices. General improvements to Klocwork analysis engines provide greater results accuracy and new coding standards coverage for CWE 2023 Top 25 and MISRA C:2023®, now available.

Identify Builds with Build Tags

Build Tags have been introduced for system (regular) builds and CI builds, providing a way to enhance build identification.

Build Tags provide essential information for identifying builds, including branch names, commit IDs, platforms, etc.
- Custom metadata can be added to builds for scripting and organizational purposes.
- Builds can be associated with specific commits or branches, aiding in automated file matching overrides.
Build Tags can be managed through various methods, such as the Perforce Validate Platform, web API, and CLI commands.
To learn more, see "Using build tags."

File Matching Override

Use an override file to manually specify file matches, providing greater control over complex scenarios and reducing flickering issues due to file mismatches.

The override file is a simple text file that allows you to mark files as added, deleted, or renamed.
- To apply the overrides file, use the "file-overrides" option with "kwadmin load"or "validate admin load." See "Use file matching overrides file" for more information and examples.

C/C++ Analysis Engine

Improved language feature coverage and defect detection for C/C++.

Added support for tracking values of individual array elements, referenced by constant indices, in C/C++ intraprocedural analysis.
Enhanced support for C++14 and C++17 reducing FP/FNs.
Added new taxonomies for CWE 2023 Top 25 for C/C++, MISRA C:2023.

Java Analysis Engine

Improved language feature coverage and defect detection for Java.

Full support for Java 14 language specification.
Improved support of Java 14 for path analysis checkers.
Improved parsing of Android 13 for Java analysis.

Coding Standards Coverage

New and expanded standards coverage and taxonomies for Klocwork 2023.3:

CWE 2023 - 2023 CWE Top 25 Most Dangerous Software Weaknesses for C/C++
MISRA - MISRA C:2023
DISA STIG v5 - C++
HKMC v4.1 - C

Quality of Life Enhancements

Project Streams

Further enhanced the speed and performance when displaying, editing, and deleting streams in a project.

Microsoft Visual Studio Plugin

The Visual Studio plugin now uses the kwcheck external analysis engine by default.

Issue Matching Algorithm

Increased issue matching accuracy for issues in added, deleted, or moved files. To see the benefits of these changes in your system, follow these recommendations:
- Always use replace path.
- Enable exact file matching.
- Use a file matching overrides file.
- Use build tags.
- Create logical stream structures.
For more information, see "Recommended mechanisms for loading builds."

Operating Systems

Added support for Windows 11, Rocky Linux 9, AlmaLinux 9.

Important Changes in Klocwork 2023.3

Deprecation of Issue Grouping in Klocwork 2023.3

As of 2021.1, Klocwork no longer uses grouping (of defects) by default for integration analysis and will be deprecating the feature in 2023.3.

This is a notice to recommend users to disable grouping if they are upgrading from a previous version prior to performing a migration.
- Project Streams functionality is not compatible with Issue Grouping.
- Disabling grouping improves the Klocwork DB load times significantly for larger projects and larger files with high numbers of defects.

License Management Changes

As of 2023.2, Klocwork tools now use Reprise License Manager (RLM) v15.0.

Important: The upgraded RLM v15.0 server is included with the Klocwork 2023.2+ installations. Any earlier RLM servers need to be upgraded to this version in order to work with Klocwork 2023.2 and above. The upgrade to RLM v15.0 addresses possible issues with Validate server stability of 2023.1 in cases of high volume of connections to the server.
2022 licenses are not compatible with Klocwork 2023.2. Please contact [email protected] to obtain a new license when upgrading.

What's New in Perforce Klocwork 2023.2

With the release of 2023.2, Klocwork provides updates and improvements for C, C++, C#, Java, and JavaScript analysis. MISRA C:2012 AMD 2 coverage and DISA STIG ASD High Severity rule coverage for C/C++ up to 83% are provided. Additional path analysis for C language checkers have also been introduced.

The Validate platform now has enhanced issue browsing and filtering capabilities.

Additional enhancements include improved stability and performance for Microsoft Visual Studio plugin and Project Streams in Validate.

Investigate Issues in Validate

You can now more easily investigate issues in Validate by viewing, modifying, and navigating the issue search list without leaving the Issue Details page.

Search individual files and explore issues via the new File Navigation pane, which enables configurations that persist between sessions when using the same browser.

Additional Validate Platform Improvements

Edit threshold and total-metric-value report definitions in Validate with the Metrics report designer.
Leverage a new command line utilities wrapper providing generic naming for Validate commands.

C/C++ Analysis Engine

Improved language feature coverage and defect detection for C/C++:

Enhanced support for C++14 and C++17 analysis.
Added several MISRA rules and increased coverage for MISRA C:2012 (up to AMD 2).
Increased coverage for DISA STIG High Severity rules, CERT, OWASP, and CWE including adding a taxonomy for the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

C# Analysis Engine

Improved support for the C# 8.0 language specification. New language feature support includes:

Static constructors in interface.
Nested types and operator declarations in interface.
Interpolated verbatim strings.
Ranges and indices supporting the .. and ^ operators.
Additional path analysis for C# checkers with modern engine.

Java Analysis Engine

Expanded coverage for the Java 14 language specification. New features include:

Improved support of Java 14 for path analysis checkers.
100% support for Jakarta EE.

JavaScript Analysis Engine

JavaScript analysis supports .eslintignore file
New option for kwjsspec tool to specify a project directory
- --project-dir

Coding Standards

New and expanded standards coverage and taxonomies for Klocwork 2023.2:

CERT
CWE – 2022 CWE Top 25 Most Dangerous Software Weaknesses
DISA STIG v 5 – C/C++ up to 83% of High Severity rules
MISRA – improved MISRA C:2012 AMD 2 coverage (additional utility available from support is required for maximum coverage)
OWASP

Quality of Life Enhancements

Microsoft Visual Studio Plugin

Use the Visual Studio extension to start analysis much sooner.

We have improved the performance of build specification generation for the Visual Studio extension when you use the kwcheck command as your external analysis engine.

Project Streams

Improved performance of Validate platform for large number of Project Streams.

The time it takes to display and be able to use the project list for streams has been significantly reduced.

Third-Party Dependencies

Upgraded versions of Apache Tomcat and Open JDK included in the package.

For more detailed information on what's new, please refer to the release notes.

Important Changes in Klockwork 2023.2

License Management Changes

As of 2023.2, Klocwork tools now use Reprise License Manager (RLM) v15.0.

Important: The upgraded RLM v15.0 server is included with the Klocwork 2023.2 installation. Any earlier RLM servers need to be upgraded to this version in order to work with Klocwork 2023.2 and above. The upgrade to RLM v15.0 addresses possible issues with Validate server stability of 2023.1 in cases of high volume of connections to the server.
2022 licenses are not compatible with Klocwork 2023.2. Please contact [email protected] to obtain a new license when upgrading.

2022.4 SR/Patches Available

Patches for 2021.4 to 2022.4 have been created to address the lost citing issue with auto-delete builds. Klocwork 2023.1 and later are not affected.

All customers on 2022.4 should upgrade to the latest version of the software.

What's New in Perforce Klocwork 2023.1

Klocwork 2023.1 introduces flexible management options for CI/CD analysis pipelines. Accelerate your Static Analysis scans using Differential Analysis, have in-context results with your CI/CD pipeline builds, and manage issues in the same ways you do server results.

Java 14/15 and C#8.0 language support has been expanded, and C/C++/C# PATH analysis performance has been improved by up to 50%*.

In addition, this release includes improvements to MISRA C:2012 and DISA STIG coding standard rule coverage, with the Visual Studio IDE plugin providing a new analysis mode option.

*(based on internally benchmarked OSS projects)

Manage Differential Analysis for CI/CD Pipelines in Validate

New workflow improvements have been made to Klocwork’s Continuous Integration tools and the Validate Platform to provide flexible management options and fast-feedback for CI/CD Analysis pipelines.

Manage your Differential Analysis continuous integration builds by using the new "CI Builds"tab in Validate.
- Use CI builds to quality gate new code submissions.
- Leverage Klocwork's Differential Analysis to identify issues faster based on delta changes, rather than having to run a full build.
- Name and filter CI builds.
- Manage issues in the same ways you do server issues.
Project Streams feature support for CI/CD builds.
New WebAPI commands have been added to create, update, or delete CI builds and also retrieve CI issue details.
- Provides easy integration with other CI/CD pipeline tools, such as Jenkins, to provide in-context results.

C/C++ Analysis Engine

Improved performance of C/C++ PATH analysis.

PATH analysis now leverages parallelization to take advantage of additional CPU cores/threads, providing greater performance for large and complex projects.
This change provides up to a 50%* reduction in analysis times for select projects and solutions.

*(based on internally benchmarked OSS projects)

Please Note: See details below in the "Important Changes in Klocwork 2023.1" section regarding the "PATH API version upgrade." For more information, see the Release Notes.

C# Analysis Engine

Improved performance of C# PATH analysis.

This change provides up to a 50%* reduction in analysis times for select projects and solutions.

*(based on internally benchmarked OSS projects)

Improved support for the C# 8.0 language specification. New language features include:

const member declarations in interfaces
readonly instance members
static local functions
default interface methods
nullable reference types
async streams
using declarations
disposable ref structs

Java Analysis Engine

Expanded support for the Java 14 & 15 language specification. New features include:

Improved build process monitoring and reduction of parse errors and warnings for Java 15.
Expanded PATH analysis to support Java 14 switch expressions.
Java 15 API support for Klocwork build integration tools.
Upgraded Java Knowledge Bases to provide higher accuracy and support of Java 15 APIs.
The kwandroid tool now supports the —lang option that you can use to generate separate build specifications for C++ or Java.

Coding Standards

New and expanded standards coverage and taxonomies for Klocwork 2023.1:

DISA STIG v5 — C, C++, and Java
MISRA C:2012 AMD2 with 99% rule coverage
CWE — C++, Java
CERT — C
Joint Strike Fighter Air Vehicle C++
OWASP Top 10 — Java

Quality of Life Enhancements

Visual Studio IDE Plugin

The VS Plugin now supports two analysis mode options for C/C++/C#:

Klocwork's native Visual Studio analysis provides results tailored to the settings of your locally configured project or solution.
The new External Engine option uses Klocwork's "kwcheck" tooling, providing additional new features.
- In comparison to the internal engine, kwcheck generates analysis results that are more consistent with those obtained from kwciagent and kwbuildproject.
- Syncs with the connected project to use the system configuration.
- Provides options to use the locally generated build specification or use an externally generated one.
- Takes advantage of incremental and parallelization for differential analysis.

For more detailed information on what's new, please refer to the release notes.

Important Changes in Klocwork 2023.1

License Management Changes

As of 2023.1, Klocwork now supports only the Reprise License Manager (RLM).

FLEXlm/FlexNet Publisher support was deprecated in 2022.2 and will no longer work with the release of Klocwork 2023.1.
New product license files will be generated for Reprise; if you require a FLEX license file for older Klocwork versions we can provide this for you.
2022 licenses are not compatible with Klocwork 2023.1. You need a new license to use the latest version of the product. Contact [email protected] to obtain a new license.

PATH API Version Upgrade

With the release of Klocwork 2023.1, custom C/C++ PATH checkers will need to be reviewed for multi-threaded compatibility. We recommend you review your custom checkers for potential race conditions and recompile using the 2023.1 Klocwork Path API headers and library. Custom checkers that are not recompiled will continue to work but will not be able to use the parallelization feature. Please refer to our release notes to find out more.

Maintenance for Klocwork 2021 Ending

Maintenance for all versions of Klocwork 2021 ended on March 31, 2023. In addition, the end of maintenance (EOM) date and end of sale (EOS) date also occurred on March 31, 2023. For information about the availability of support for any release of Klocwork, see the Klocwork Product Lifecycle.

End of Life Announcements

Beginning with Klocwork 2023.1, the following operating systems will not be supported, and corresponding installers will no longer be provided:

Mac OS

The following license manager will no longer be supported:

FLEXlm/FlexNet Publisher license manager

What's New in Perforce Klocwork 2022.4

For the final release in 2022, Klocwork 2022.4 provides updates and improvements for C, C++, C#, Java, with enhancements to Android 13 support.

In addition, this release includes improvements to MISRA C:2012 and DISA STIG coding standard rule coverage, a new and improved Divide by Zero vulnerability checker, and general quality of life improvements for many features within the Validate platform.

C# Analysis Engine

Improved support for the C# 7.3 language specification. New language features include:

Unmanaged type constraints
Auto-implemented property attributes
Reassignable ref locals
Initializer support for stackalloc arrays
Expression variables in initializers
Tuple equality

Java Analysis Engine

Support for the Java 14 language specification. New features include:

Improved build process monitoring and reduction of parse errors and warnings for Java 14.
Upgraded Java Knowledge Bases to provide higher accuracy and support of Java 14 APIs.
Language feature support:
- Switch expression
- Yield Statement
- Arrow Notation and Multi-Case

Support for Gradle Kotlin DSL format providing alternative syntax to traditional Groovy DSL.

C/C++ Analysis Engine

Improved handling of relative paths to enhance defect suppression feature.

Use the defect suppression feature to focus on issues that matter. Filter out noisy defects or issues in the code that you are not responsible for such as libraries, headers, and third-party code.

Android 13 Support Enhancements

Klocwork C, C++ and Java analyzers fully support Android 13.

Coding Standards

New and expanded standards coverage and taxonomies for Klocwork 2022.4:

DISA STIG v5 – Java
MISRA C:2012 AMD2 with 98% rule coverage

New Vulnerability Checkers

2022.4 improves several checkers across Klocwork-supported languages: C and C++. The checkers find defects for:

Divide by Zero
- DBZ.ITERATOR (intra-procedural defect detection)
- DBZ.ITERATOR.CALL (inter-procedural defect detection)

Both these improvements also include support for different step sizes, escape condition (if condition), and floating numbers.

Quality of Life Enhancements

Validate Platform

Customizable documentation links provide the ability to edit/add new documentation links on the front page.
Auto-Delete Builds Permission
- Manage auto-delete old builds flag on the “Builds” page and set auto-delete threshold
- Manage “Do no auto-delete this build” flag on the “Edit Build” page and “keepit” flag for “update_build” WebAPI command.
Manage Views Permission
- Adds the ability to manage “public” flag when creating a new view and editing private views that were shared with the permission carriers
Stream Permissions
- Users can be assigned permissions to limit access to parents or children of stream projects
Unique Issue counts improved to account for saved project “views”
WebAPI can now create Validate Projects & Streams

For more detailed information on what’s new, please refer to the release notes.

Important Changes in Klocwork 2022.4

License Management Changes

As of 2022.2, Klocwork now supports Reprise License Manager (RLM).

FLEXlm/FlexNet Publisher support is deprecated but will continue to work until the release of Klocwork 2023.1.
You can continue to use your existing FLEX license files until 2023.1. If you need new license files generated, please contact [email protected].
New product license files will be generated for Reprise, if you require a FLEX license file for older Klocwork versions we can provide this for you.

Pre-Announcements

Path API Version Upgrade – Klocwork 2023.1

Upon the release of Klocwork 2023.1, custom C/C++ PATH checkers will need to be reviewed for multi-threaded compatibility. We recommend you review your custom checkers for potential race conditions and recompile using the 2023.1 Klocwork Path API headers and library. Custom checkers that are not recompiled will continue to work but will not be able to use an upcoming parallelization feature. Please refer to our release notes to find out more.

End-of-Life Announcements – Klocwork 2023.1

Beginning with Klocwork 2023.1, the following operating systems and installers will not be supported:

Mac OS

Also, support for the FLEXlm/FlexNet Publisher license manager is ending with the release of Klocwork 2023.1.

What's New in Perforce Klocwork 2022.3

With the release of 2022.3, Klocwork delivers updates and improvements to our language coverage for C#, Java, JavaScript, Kotlin, and Python.

The Microsoft Visual Studio IDE plugin(s) have been improved to support multi-threaded and incremental analysis for C# providing up to a 200%* reduction in analysis times for select projects and solutions. In addition, 2022.3 includes an enhancement to the configurable defect suppression feature, expanded Android build specification generation CLI options, and broader coding standard coverage.

(*based on internally benchmarked OSS projects)

C# Analysis Engine

Improved support for the C# 7.2 language specification. New language features include:

Initializers on stackalloc arrays.
Use fixed statements with any type that supports a pattern.
Access fixed fields without pinning.
Reassign ref local variables.
Declare readonly struct types, to indicate that a struct is immutable and should be passed as an in parameter to its member methods.
Add the in modifier on parameters, to specify that an argument is passed by reference but not modified by the called method.
Use the ref readonly modifier on method returns, to indicate that a method returns its value by reference but doesn't allow writes to that object.
Declare ref struct types, to indicate that a struct type accesses managed memory directly and must always be stack allocated.
Use additional generic constraints.
Non-trailing named arguments.
- Named arguments can be followed by positional arguments.
Leading underscores in numeric literals.
- Numeric literals can now have leading underscores before any printed digits.
Private protected access modifier.
- The private protected access modifier enables access for derived classes in the same assembly.
Conditional ref expressions.
The result of a conditional expression (?:) can now be a reference.

Java Analysis Engine

Full support for the Java 13 language specification. New features include:

Improved build process monitoring and reduction of parse errors and warnings for Java 13.
Upgraded Java Knowledge Bases to provide higher accuracy and support of Java 13 APIs.

JavaScript, Kotlin, Python Analysis Engines

General upgrades and improvements to JavaScript, Kotlin, and Python analysis engines and checkers:

JavaScript

Support for JavaScript versions up to ECMAScript 2022 (ES13).
An added collection of 722 checks for code complexity, quality, performance, best coding practices, and more.

Kotlin

Support for Kotlin versions up to 1.6.21.
An added collection of 251 checks for code complexity, quality, performance, best coding practices, and more.

Python

Support for Python 3 versions up to 3.10.
An added collection of 335 checks for code complexity, quality, performance, best coding practices, and more.

C/C++ Analysis Engine

Enhanced the configurable defect suppression feature.

Use the defect suppression feature to focus on issues that matter. Filter out noisy defects or issues in the code that you are not responsible for such as libraries, headers, and third-party code.
- Introduced the ability to allow analysis optimizations when suppressing files or directories.
- Provides an alternative to project splitting.

Microsoft Visual Studio IDE Plugin

Use the Visual Studio desktop analysis plugin to quickly and easily detect and then fix issues before check-in.

The Microsoft Visual Studio IDE extension has been improved to support multi-threaded and incremental analysis for C#.

This change provides up to a 50%* reduction in analysis times for select projects and solutions.

(*based on internally benchmarked OSS projects)

Expanded Configuration Options for Android Project Analysis

The command line options for generating build specifications for Android analysis using kwandroid has been expanded to match other build monitoring utilities.

Coding Standards

New and expanded standards coverage and taxonomies for Klocwork 2022.3:

AUTOSAR – C++
CERT – C and C++
CWE – C, C++, and Java
DISA STIG v5 – C and C++
HKMC v4.1 – C and C++
ISO/IEC TS 17961 – C
JSF AV – C++
MISRA – C:2004 and C:2012
OWASP Top10 2021 – C#

New Vulnerability Checkers

2022.3 adds and improves several checkers across Klocwork-supported languages: C and C++. The new checkers find defects for:

Intraprocedural numeric overflow and wraparound detection.
Divide by zero within loops.

For more detailed information on what’s new, please refer to the release notes.

Important Changes in Klocwork 2022.3

License Management Changes

As of 2022.2, Klocwork now supports Reprise License Manager (RLM).

FLEXlm/FlexNet Publisher support is deprecated but will continue to work until the release of Klocwork 2023.1.
You can continue to use your existing FLEX license files until 2023.1. If you need new license files generated, please contact [email protected].
New product license files will be generated for Reprise, if you require a FLEX license file for older Klocwork versions we can provide this for you.

Pre-Announcements

Path API version upgrade – Klocwork 2022.4

Upon the release of Klocwork 2022.4, custom C/C++ PATH checkers will need to be reviewed for multi-threaded compatibility. We recommend you review your custom checkers for potential race conditions and recompile using the 2022.4 Klocwork Path API headers and library. Custom checkers that are not recompiled will continue to work but will not be able to use an upcoming parallelization feature. Please refer to our release notes to find out more.

End of Life Announcement – Klocwork 2023.1

Beginning with Klocwork 2023.1, the following operating systems and installers will not be supported:

Mac OS

What’s New in Perforce Klocwork 2022.2

With the release of 2022.2, Klocwork enables Project Streams support across all tools and plugins, allowing developers to work on multiple branches, variants, and streams by providing analysis results in-context to their development pipeline.

We’re also excited to share that Klocwork’s Portal will be rebranded into the Validate platform, which brings along with it a new look and feel. Even though the log-in screen will feature a new look, you will still be able to log in to the product-agnostic platform as usual.

In addition, this release also features performance improvements of up-to 63%* for Java projects, support for Microsoft Visual Studio 2022, new defect suppression options, and broader coding standard coverage.

(*based on internally benchmarked OSS projects)

Project Streams

Klocwork’s Project Streams now provides improved efficiency in managing multiple versions of the same codebase when working with streams projects, results storage, and project migration.

Enables desktop plugins to recognize streams allowing developers to switch context between projects and streams with the ability to synchronize results.
Completes stream support across all Klocwork’s toolchain and plugins.
Parallelized stream build loading provides improved performance when loading analysis results to Klocwork’s Validate platform.
Provides a path to migrate to streams from older legacy projects.

Java Analysis Engine

Klocwork’s Incremental and Differential Analysis now supports Java.

Up-to 63%* reduction in analysis times for Java projects when using Incremental and Differential Analysis features.
Differential Analysis uses system context data from the server to analyze only the files that were changed, while providing a Differential Analysis as if the entire system were analyzed, resulting in the shortest possible analysis times.

(*based on internally benchmarked OSS projects)

Microsoft Visual Studio 2022 IDE Plugin

Use the Visual Studio 2022 desktop analysis plugin to quickly and easily detect and then fix issues before check-in.

The IDE extension supports C, C++, C#, and mixed projects and solutions.

“Klocwork Portal” Is Being Rebranded into the Validate Platform

We’re excited to announce that Validate is the new platform that will house the Klocwork Portal.

It features a new log-in screen with the Validate by Perforce logo, yet the log-in process will not change. Users will still use the same credentials to log in and see their projects and data. The new look and feel will help users to better navigate the user interface.

The vision for the Validate platform is to be the single source of truth for Perforce Static Analysis products, Klocwork and Helix QAC. We start this journey with a new name, installer, look, and feel.

Stay tuned for more developments in future releases.

C/C++ Analysis Engine

Configurable Defect Suppression

Use the defect suppression feature to focus on issues that matter. Filter out noisy defects or issues in the code that you are not responsible for such as libraries, headers, and third-party code.

Coding Standards

New and expanded standards coverage and taxonomies for Klocwork 2022.2:

CERT – C and C++
CWE – Java, JavaScript, and Python
DISA STIG v5 – Java
OWASP Top10 – C, C++, and JavaScript

Important Changes in Klocwork 2022.2

License Management Changes

As of 2022.2, Klocwork now supports Reprise License Manager (RLM).

FLEXlm/FlexNet Publisher support is deprecated but will continue to work until the release of Klocwork 2023.1.
You can continue to use your existing FLEX license files until 2023.1.
New product license files will be generated for Reprise, if you require a FLEX license file for older Klocwork versions we can provide this for you.

Log4j Libraries Upgraded to v2

The log4j libraries used in the Klocwork tools have been upgraded to v2. Although Klocwork was previously using log4j v1 which was not affected by the log4shell vulnerability, the log4j libraries have been updated to the latest version to ensure enhanced cybersecurity for the Klocwork product.

Pre-Announcements

Path API version upgrade – Klocwork 2022.3

As of Klocwork 2022.3, custom C/C++ PATH checkers will need to be reviewed for multi-threaded compatibility. We recommend you review your custom checkers for potential race conditions and recompile using the 2022.3 Klocwork Path API headers and library. Custom checkers that are not recompiled will continue to work but will not be able to use an upcoming parallelization feature. Please refer to our release notes to find out more.

License Management Changes — Klocwork 2023.1

This is a six-month notice for the End-of-Life and support for FLEXIm/FlexNet Publisher license files. As of 2023.1, Klocwork will be moving to Reprise License Manager (RLM). New product license files will be generated for Reprise.

Contact [email protected] to obtain updated licenses.

End of Life Announcement – Klocwork 2023.1

Beginning with Klocwork 2023.1, the following operating systems and installers will not be supported:

Mac OS

What’s New in Perforce Klocwork 2022.1

Klocwork 2022.1 launches Kotlin as a new supported analysis language, providing the ability to scan Kotlin code for issues related to complexity, quality, performance, best coding practices, and more.

This release also features performance improvements of up-to 35%* for large C/C++ projects and quality-of-life updates to Project Streams.

In addition, the release also includes broader coding standards coverage, and general analysis and accuracy improvements for C/C++.

(*based on internally benchmarked OSS projects)

Kotlin Analysis Engine

Klocwork now supports the analysis of Kotlin as a new analysis language available for server and desktop scanning. Features include:

In-depth integration build analysis.
Support for Kotlin versions up-to 1.5.31.
A collection of 229 new checks for code complexity, quality, performance, best coding practices, and more.

Project Streams

Klocwork’s Project Streams feature now provides improved efficiency in dealing with multiple versions of the same codebase with respect to result storage, project migration, and navigation of stream projects.

This release enables support for CI/CD pipelines and desktop command line tools to recognize streams and load results to the correct projects/sub-projects.
Provides a path to migrate to streams from older legacy projects.
Filtering to improve project list navigation when using streams.

Performance

Up-to 35%* reduction in analysis times for large C/C++ products, such as Android, when using multiple CPUs.

(*based on internally benchmarked OSS projects)

C/C++ Analysis Engines

Increased support for Visual Studio 2019 C/C++ default headers.
Improved analysis of C++20 modules.

Coding Standards

New and expanded standards coverage for Klocwork 2022.1:

CERT C/C++
CWE C/C++
DISA STIG v5 C/C++ and C#
MISRA C 2012
MISRA C++ 2008

Log4j Vulnerability Checker

2022.1 includes an upgraded vulnerability checker to identify issues related to Log4j.

SV.LOG_FORGING

Klocwork Help

We've updated the look and feel of our embedded and online help and have moved the online help to a new website. You can now find the latest online help at https://help.klocwork.com.

For more detailed information on what’s new, please refer to the release notes.

Important Changes in Klocwork 2022.1

Maintenance for Klocwork 2020 Ending

Maintenance for all versions of Klocwork 2020 ended on March 31, 2022. In addition, the end of maintenance (EOM) date and end of sale (EOS) date also occurred on March 31. For information about the availability of support for any release of Klocwork, see the Klocwork Product Lifecycle.

What’s New in Perforce Klocwork 2021.4

In our final release of the year, Klocwork 2021.4 provides quality of life improvements and enhancements to Project Streams, as well as C, C++, C#, and Java Analysis, and new Coding Standard taxonomies.

Project Streams

This feature now includes a consolidated issue list for all your projects and related streams. This allows you to quickly determine the technical issue debt within your entire project codebase.

The consolidated issue list provides a sum of all issues in a project including all its related streams.

Java Analysis Engine

Full support for the Java 12 language specification. New features include:

Improved build process monitoring and reduction of parse errors and warnings for Java 12.
Upgraded Java Knowledge Bases to provide higher accuracy and support of Java 12 APIs.

C# Analysis Engine

Improved support for the C# 7.1 language specification. New language features include:

Target-typed "default" literal
Tuple name inference (Tuple projection initializers)
Pattern-matching with generics

C/C++ Analysis Engine(s)

Enhanced Incremental Analysis for mixed language projects
Accuracy and False Positive improvements

Coding Standards

New and expanded standards coverage for Klocwork 2021.4:

DISA STIG v5 – C/C++
OWASP Top 10 2017 – C#

For more detailed information on what’s new, please refer to the release notes.

Important Changes in Klocwork 2021.4

Checker Limitations on Windows as of Klocwork 2021.4

As of Klocwork 2021.4, 32-bit backward compatibility for custom checkers is no longer supported and the option '--force-32bit' is deprecated. You must rebuild all your old checkers by using a 64-bit compiler.

Contact support for more information.

Klocwork 2021.4 has Upgraded to use Python 3

Klocwork has upgraded to Python 3 and removed Python 2, which has reached End-Of-Life.

What’s New in Perforce Klocwork 2021.3

Klocwork 2021.3 introduces Project Streams functionality, Python Analysis Engine, and an integration with the Secure Code Warrior learning platform. In addition, the release improves coding standard coverage, Visual Studio Code plugin language support, and general analysis and accuracy improvements for our numerous supported languages.

New Project Streams Functionality

This feature provides easy management of shared code bases that have multiple variants or branches by simplifying project rule configuration, issue management, defect citing, reporting, and efficient data storage of analysis data.

Create multiple streams for a single code base, rather than needing to create separate projects per variant or branch. Streams provide the following benefits:

Assign a single project rule configuration to all variants.
Issues common to multiple variants are automatically kept in sync and only require citing once.
Easily identify identical issues across multiple streams and issues unique to a specific stream.
Generate reports on individual streams for compliance, functional safety, or other evidential purposes.
More convenient organization and efficient storage of analysis data.

Python Analysis Engine

Klocwork now supports the analysis of Python as a new analysis language available for server and desktop scanning. Features include:

Support for Python 2 and 3.
Server and desktop analysis available.
367 new checks for rule violations, security weaknesses, quality, concurrency, and best coding practices.

Secure Code Warrior Integration

Developing secure code is a priority concern across industries and with our new Secure Code Warrior integration, Klocwork customers have access to a free account providing lessons and training tools for many common development languages.

Visual Studio Code IDE Plugin

Use the Visual Studio Code desktop analysis plugin to quickly and easily detect and then fix issues before check-in.

Now supports JavaScript and Python.

C# Analysis Engine

Klocwork’s C# analysis engine now supports additional operating systems and frameworks.

Analyze C# .NET Core and Mono projects on Linux.
Improved support for Mono projects on Windows.

C++ Analysis Engine

Enhanced C++ analysis accuracy with improved handling of:

C++ 20 modules
Android 12

Java Analysis Engine

New Java analysis capabilities in this release include:

Improved build process monitoring and reduction of parse errors and warnings.
Increased analysis accuracy for Java 11 language features.
Support for JKB annotations and improved @Suppress annotation use.
Support for multiple Java generic parameters.
Android 12 support.

Coding Standards

New and expanded standards coverage for Klocwork 2021.3:

CWE Top25 2021 – C/C++, C#, and Java
CERT – C/C++
AUTOSAR
DISA STIG
Joint Strike Fighter Air Vehicle C++
MISRA
OWASP – Java

For more detailed information on what’s new please refer to the release notes.

Important Changes in Klocwork 2021.3

Checker Limitations on Linux as of Klocwork 2021.3

As of Klocwork 2021.3, 32-bit backward compatibility for custom checkers is no longer supported and the option '--force-32bit' is deprecated. You must rebuild all your old checkers by using a 64-bit compiler. Contact support for more information.

What’s New in Perforce Klocwork 2021.2

Klocwork 2021.2 launches JavaScript as a new supported analysis language providing the ability to scan JavaScript code for rule violations, security weaknesses, and more.

The release also features Differential Analysis for C# to deliver faster scan results, and the Klocwork Security and Compliance Portal gains the ability to import Helix QAC findings for a consolidated view of both Perforce tools in one place.

In addition, the release also includes broader coding standards coverage, new vulnerability checks, and general analysis and accuracy improvements for all supported languages.

JavaScript Analysis Engine

Klocwork now supports the analysis of JavaScript. Features include:

Support for JavaScript, TypeScript, JSX, React, and Vue.
284 new checks for rule violations, security weaknesses, quality, and best coding practices.

C++ Analysis Engine

Enhanced C++ analysis accuracy with improved handling of:

Android 11

C# Analysis Engine Improvements

Klocwork’s Differential Analysis now supports C#.

Differential Analysis uses system context data from the server to analyze only the files that were changed, while providing a diff analysis as if the entire system were analyzed, resulting in the shortest analysis times.
Improved analysis accuracy.

Java Analysis Engine Improvements

Full support for the Java 11 language specification. New language features include:
- Local Variable Syntax for Lambda Parameters

Klocwork Compliance and Application Security Testing (CAST) Portal

The Klocwork Compliance and Application Security Testing (CAST) Portal provides a single dashboard to view consolidated analysis results. 2021.2 introduces the ability to import Helix QAC findings to Klocwork.

Use Klocwork and Helix QAC together to provide industry-leading compliance coverage across the major embedded and automotive programming languages.
Import and integrate Helix QAC diagnostic results with Klocwork.
Review and manage security and compliance issues in one place.
Generate compliance reports to determine the health of your codebase and supply information necessary to claim compliance against a coding standard.

Klocwork Community

This release includes 26 new Klocwork Community checkers expanding rule coverage for CERT C and JSF AV C++ coding standards.

Coding Standards

New and expanded standards coverage for Klocwork 2021.2:

CERT – CWE – C++, C#, and Java
Joint Strike Fighter Air Vehicle C++
Klocwork Quality Community – C#
Klocwork Quality – JavaScript, TypeScript, React, Vue
MISRA
OWASP – Java

New Vulnerability Checkers

2021.2 adds and improves several checkers across Klocwork supported languages: C++, C#, Java, and JavaScript.

The new checkers find defects for:

Code complexity
Concurrency issues
Cross-site request forgery (CSRF) vulnerabilities
Cross-site scripting attack (XSS) vulnerabilities
Incorrect Authentication
Improper certificate validation
Improper Encapsulation
Incorrect error handling
Indeterminate Value Warnings
Invalid Arithmetic Operations
Maintainability Issues
Missing Authentication For Critical Function
Missing authorization checks
No configuration for a critical resource
No configuration for a protected resource
Object-oriented programming issues
Performance Issues
Possible Runtime Failures
Process and Path Injection
Pseudorandom number generation issues
Redundant Code
Stylistic Issues
Suspicious Code Practices
Suspicious Encapsulation
Suspicious Scoping
SQL injection
Unnecessary Code
Unreachable Code
Unsafe Code Practices
Unused Code
Unused Local Variables
Use of freed resources
Use of hard-coded credentials
Use of ldap anonymous bind
Use of weak cryptographic algorithm
XXE vulnerabilities

For more detailed information on what’s new please refer to the release notes.

Important Changes in Klocwork 2021.2

Licensing Changes

If you already upgraded your licenses for 2021 prior to the release of 2021.2, you need updated versions to use the JavaScript and Helix QAC import features. Contact [email protected] to obtain updated licenses.

What’s New in Perforce Klocwork 2021.1

Klocwork 2021.1 enhances the C# analysis engine with incremental analysis support, improves the Java analysis engine for Java 10 language features along with broader framework support, and C++ improvements for Android 11 analysis. The release also includes broader coding standards coverage, new vulnerability checks, and general accuracy improvements for all supported languages.

C# Analysis Engine Improvements

C# analysis engine supports fast incremental build feedback for code changes.
Improved analysis accuracy.

Java Analysis Engine Improvements

Full support for the Java 10 language specification. New language features include:
- Local-Variable Type Inference
- Unicode Language-Tag Extensions
- Klocwork Knowledge Base for Java 10 API
Broader Java framework support for:
- GWT
- Java Persistence API
- JAX RS
- JAX WS
- ReactiveX
- Vert.x
- WS XML-RPC
Improved analysis accuracy.

C++ Analysis Engine

Enhanced C++ analysis accuracy with improved handling of:
Android 11
Template syntax support (Custom KB)

Coding Standards

New and expanded standards coverage for Klocwork 2021.1:

CWE – C# and Java
AUTOSAR
MISRA
PCI DSS
Joint Strike Fighter Air Vehicle C++

New Vulnerability Checkers

We have added and improved several checkers across our supported languages: C++, C#, and Java.

The new checkers find defects for:

Use-after-free defects
DllPreload vulnerabilities
Cross-site request forgery (CSRF) vulnerabilities
Copy-Paste errors
Sensitive information leak
Resource leaks
String literal modification

For more detailed information on what’s new please refer to the release notes.

Important Changes in Klocwork 2021.1

End of Life Announcement

As of Klocwork 2021.1, the following operating systems and installers will not be supported:

AIX
Solaris
Klocwork 32-bit installers

Maintenance for Klocwork 2019 has Ended

Beginning on March 31, 2021 maintenance for all versions of Klocwork 2019 will end. In addition, the end of maintenance (EOM) date and end of sale (EOS) date will also begin on that date. For information about the availability of support for any release of Klocwork, see the Klocwork Product Lifecycle.

Default Behavior Change for Issue Grouping

Klocwork no longer uses grouping (of defects) by default for integration analysis. This improves the Klocwork DB load times significantly for larger projects and larger files with high numbers of defects. Existing projects and migrated projects will keep their current grouping behaviors, but new projects will default to having faster load times without grouping.

What’s New in Perforce Klocwork 2020.4 SR1

Klocwork 2020.4 SR1 enhances the C# analysis engine with parallel execution support, improves Java analysis for Android 10/11, introduces a Visual Studio Code IDE Plugin, and provides the ability to generate Compliance Reports that shows the health and coding standard enforcement level of your codebase. The release also includes broader coding standards coverage, new vulnerability checks, 64-Bit toolchain upgrades for Windows & Linux, and general accuracy improvements for all supported languages.

Visual Studio Code IDE Plugin

Use our new Visual Studio Code desktop analysis plugin to quickly and easily detect and fix issues before check-in.

The IDE extension supports C/C++, C#, Java languages, and mixed projects and solutions.

Compliance Reports

These new reports help you determine the health of your codebase and supply the information necessary to claim compliance against a coding standard. Generate reports for:

Secure Coding Standards.
MISRA Compliance 2020.
Your own custom coding standards.

C# Analysis Engine Improvements

To fully benefit from multi-core hardware available, C# analysis supports parallel execution. This results in significantly faster analysis times.
Improved analysis accuracy.

Java Analysis Engine Improvements

Improved analysis support for Android 10 and 11.
Upgraded Java Knowledge Bases to provide higher accuracy and support of Java 9 APIs.
Added support for a maven wrapper script.

Performance

64-Bit improvements for Windows & Linux:

All components of the Windows analysis toolchain have been upgraded to 64-bit architecture, so Klocwork can more effectively analyze large, complex codebases and projects.

Coding Standards

New and expanded standards coverage for Klocwork 2020.4 SR1:

CWE – C/C++, C#, and Java
CWE 2019 Top 25 — C# and Java
New CWE 2020 Top 25 — C/C++, C#, and Java
AUTOSAR
ISO IEC TS 17961 (C Secure)

New Vulnerability Checkers

We have added and improved several of our checkers across our supported languages: C, C++, C#, and Java.

The new checkers find defects for:

Dangerous Calls
Dangerous Casts
Division by zero
Incorrect using of autoboxing and unboxing
Privilege management
Sensitive information storage
Tainted Data
- Code injection
- Command injection
- Critical resource permissions
- Deserialization
- Path traversal
- Uncontrolled resource consumption
- Unrestricted File Uploads
Unsafe code practices

For more detailed information on what’s new please refer to the release notes.

Important Changes in Klocwork 2020.4 SR1

Pre-Announcement – End of Life Support

Beginning with Klocwork 2021.1, the following operating systems and installers will not be supported:

AIX
Solaris
Klocwork 32-bit installers

What’s New in Perforce Klocwork 2020.4

Klocwork 2020.4 enhances the C# analysis engine with parallel execution support, improves Java analysis for Android 10/11, introduces a Visual Studio Code IDE Plugin, and provides the ability to generate Compliance Reports that shows the health and coding standard enforcement level of your codebase. The release also includes broader coding standards coverage, new vulnerability checks, 64-Bit toolchain upgrades for Windows, and general accuracy improvements for all supported languages.

Visual Studio Code IDE Plugin

Use our new Visual Studio Code desktop analysis plugin to quickly and easily detect and fix issues before check-in.

The IDE extension supports C/C++, C#, Java languages, and mixed projects and solutions.

Compliance Reports

These new reports help you determine the health of your codebase and supply the information necessary to claim compliance against a coding standard. Generate reports for:

Secure Coding Standards.
MISRA Compliance 2020.
Your own custom coding standards.

C# Analysis Engine Improvements

To fully benefit from multi-core hardware available, C# analysis supports parallel execution. This results in significantly faster analysis times.
Improved analysis accuracy.

Java Analysis Engine Improvements

Improved analysis support for Android 10 and 11.
Upgraded Java Knowledge Bases to provide higher accuracy and support of Java 9 APIs.
Added support for a maven wrapper script.

Performance

64-Bit improvements for Windows:

All components of the Windows analysis toolchain have been upgraded to 64-bit architecture, so Klocwork can more effectively analyze large, complex code bases and projects.

64-Bit improvements for Linux – Coming in 2020.4.1

Coding Standards

New and expanded standards coverage for Klocwork 2020.4:

CWE – C/C++, C#, and Java
CWE 2019 Top 25 — C# and Java
New CWE 2020 Top 25 — C/C++, C#, and Java
AUTOSAR
ISO IEC TS 17961 (C Secure)

New Vulnerability Checkers

We have added and improved several of our checkers across our supported languages: C, C++, C#, and Java.

The new checkers find defects for:

Dangerous Calls
Dangerous Casts
Division by zero
Incorrect use of autoboxing and unboxing
Privilege management
Sensitive information storage
Tainted Data:
- Code injection
- Command injection
- Critical resource permissions
- Deserialization
- Path traversal
- Uncontrolled resource consumption
- Unrestricted File Uploads
Unsafe code practices

For more detailed information on what’s new please refer to the release notes.

Important Changes in Klocwork 2020.4

Pre-Announcement – End of Life Support

Beginning with Klocwork 2021.1, the following operating systems and installers will not be supported:

AIX
Solaris
Klocwork 32-bit installers

Service Release of Klocwork 2020.4 (2020.4.1)

A service release, Klocwork 2020.4.1, will be released that upgrades all components of the Linux analysis toolchain to 64-bit architecture.

What’s New in Perforce Klocwork 2020.3

Klocwork 2020.3 launches an enhanced Java analysis engine with major improvements that result in broader language coverage, expanded framework support, improved accuracy by 130%, and up to 2.5% new defects detected*. The release also includes improvements to the C# and Java analysis engines, product performance, and expanded coding standard support.

(*based on internally benchmarked OSS projects)

Major Update to Java Analysis Engine

New Java language coverage, expanded framework support and improved analysis accuracy by 130% with up to 2.5% more defect results*.

Full support of Java language specification for Java 9 and partial support for up to Java 11. New language features include:

Java Platform Module System
Private methods in interfaces
Diamond operator for anonymous inner class
@SafeVarargs on private instance methods
Try-with-resources Java 9 enhancement
Enums
Interfaces
Annotations
Lambda functions
Wildcards

Broader Java framework support for:

Android
Java SE/ EE
Junit
Hibernate ORM
Apache Cocoon
Apache Commons
Apache ECS
Apache Struts
Apache Tomcat
log4j
Eclipse SWT
JDOM
Spring Framework

(*based on internally benchmarked OSS projects)

Improvements to C# Analysis Engine

Support for custom C# Path checkers and increased analysis accuracy with up-to 3% more defect results*.

Klocwork Path analysis identifies complex defects using syntactic and interprocedural data-flow analysis:

Write custom C# rules using Klocwork’s Path language and enforce your own internal coding standard.

(*based on internally benchmarked OSS projects)

C++ Analysis Engine

Enhanced C++ analysis accuracy with improved handling of:

Function pointers
Initializer lists and uniform initialization
New and Delete

Performance

64-Bit improvements for Windows:

Several components in our toolchain have been upgraded to leverage 64-Bit architecture, so Klocwork can more effectively analyze large, complex code bases, and projects.

Coding Standards

New and expanded standards coverage for Klocwork 2020.3:

CWE & CWE 2019 Top 25 — C#, Java
MISRA C 2012 Amendment 2

New Vulnerability Checkers

We have added and improved several of our checkers across our supported languages: C, C++, C#, and Java.

The new checkers find defects for:

Information Leakage
Resource Leaks
Unvalidated User Input
Path/File/Process Injection
Tainted Data
Cross-Site Scripting (XSS)
Dangerous Coding Practices
Security Best Practices — Violations

For more detailed information on what’s new please refer to the release notes.

Important Changes in Klocwork 2020.3

Developer Network End of Life

In October of 2018, our technical Support Center at https://techsupport.roguewave.com was upgraded to include Klocwork. As part of that transition, Developer Network will no longer be available.

Option to Rebuild Lucene Index

We've added an option to the dbvalidate tool that rebuilds the Lucene index for the specified project, which often reduces the size of the index. For more information, see validate your database (mandatory).

What's New in Perforce Klocwork 2020.2

Klocwork 2020.2 launches an improved C# analysis engine with broader language support, improved accuracy, and new defect detection by up-to 30%*. This release also includes integrations for IDEs and CI/CD deployments, improvements to C++ analysis, and expanded coding standard support.

(*based on internally benchmarked OSS projects)

Major Update to C# Analysis Engine

Expanded C# language support, 64-Bit improvements, new project support, and increased analysis accuracy with up-to 30% more defect results*.

Full support for the C# 7.0 language specification has been added to Klocwork. New language features include:

Out variables as function arguments and discard out variables
Pattern matching
Tuples, tuple deconstruction, and discards in tuple deconstruction
Local functions
Binary literals and digit separators
Ref locals and returns
Generalized async return types
Expression bodied members for members formally returning void
Throw expressions

64-Bit improvements to the C# analysis engine allow effective analysis of large, complex code bases, and projects.

New build integration improvements now provide analysis results for mixed C/C++ and C# projects.

Added support for more Visual Studio project types such as .Net Core.

(*based on internally benchmarked OSS projects using these language features)

C++ Analysis Engine

Improved C++ defect detection for intraprocedural function pointer resolution and cases of function pointers that are returned directly or indirectly by function calls.
Improved support for rvalue references and override file mechanisms.
Upgraded KB customization for virtual methods allowing behavior definition to produce greater accuracy in your system.

New Jenkins Plugin

Our new Jenkins plugin provides an easy way for you to automate industry-leading static analysis as part of your Continuous Integration (CI) or Continuous Delivery (CD) pipeline.

The plugin provides Klocwork's Differential Analysis, which uses system context data from the server to analyze only the files that were changed, while providing a diff analysis as if the entire system were analyzed, resulting in the shortest analysis times.

CLion IDE Plugin

Use our new CLion desktop analysis plugin to quickly and easily detect and fix issues before check-in.

Coding Standards

New and expanded standards coverage for Klocwork 2020.2:

CWE & CWE 2019 Top 25 – C#
AUTOSAR
MISRA
CERT – C/C++
Community Taxonomies – PCI DSS (C/C++, Java, and C#), Joint Strike Fighter Air Vehicle (C++), CERT (C/C++), Community Quality (C++)

New Vulnerability Checkers

We have added and improved several of our checkers across our supported languages: C/C++, Java, and C#.

The new checkers find defects for:

Dangerous implicit conversions
Dangerous coding practices
Out-of-boundary violations
Identifier name clashes
Tainted data
- Buffer overflows using untrusted data
- Excessive resource consumption using untrusted data
- Integer overflows using untrusted data
- Assignment to global variables
- Dangerous Casts

For information on other accuracy and coverage improvements please refer to the release notes.

Important Changes in Klocwork 2020.2

Maintenance for Klocwork 2018 has Ended

Maintenance for all versions of Klocwork 2018 ended February 29, 2020. The end of maintenance (EOM) date and end of sale (EOS) date was also February 29, 2020. For information about the availability of support for any release of Klocwork, see the Klocwork Product Lifecycle.

What’s New in Perforce Klocwork 2020.1

Klocwork 2020.1 improves analysis accuracy and defect detection for C++ by up-to 28%*. This release also introduces the Klocwork Community: A set of almost 200 new checkers and coding standard taxonomies developed by partners and professional services that are widely used by the Klocwork customer base worldwide.

(*based on internally benchmarked OSS projects)

Performance

64-Bit improvements for Windows:

Several components in our toolchain have been upgraded to leverage 64-Bit architecture, so Klocwork can more effectively analyze large, complex code bases, and projects.

Analysis Engine

Greater C++ analysis accuracy with up-to 28% more defect results*:

Improved C++ defect detection for nested namespaces, references, and templates.
Upgraded standard C++ library Knowledge Bases provide higher accuracy for smart pointers, utilities, concurrency libraries, and more.

(*based on internally benchmarked OSS projects using these language features)

Coding Standards

New and expanded standards coverage for Klocwork 2020.1:

CWE 2019 Top 25 — C/C++, Java, and C#.
Community Taxonomies — AUTOSAR C++ 14, MISRA C 2012, CERT, and General Code Quality.
HIS Metrics for automotive projects.

MISRA checkers and taxonomies are now fully integrated into Klocwork by default. You no longer need to install and deploy MISRA checker packages separately. Making it as easy as adding a taxonomy to a project.

New Checkers

We have added close to 200 Klocwork Community checkers across our supported languages: C/C++, Java, and C#.

These new checkers find defects for:

Memory leaks
Concurrency issues
Security vulnerabilities, including:
- SQL injection
- Exposed fields
- Buffer overflows
Uninitialized data
Unused variables
Exception handling
Dangerous casting
Banned APIs
General best coding practices

Klocwork Community

The Klocwork Community provides a framework for our users and professional services team to help shape the future of our coding standard coverage. By expanding on the certified Klocwork-developed checkers, we’re now providing access to sets of complimentary checkers and taxonomies that make the work of the wider community available within the product. All without the need to create and deploy your own.

Important Changes in Klocwork 2020.1

Klocwork Release Numbering

Going forward, the first release of each year will have the year as the major release number and 1 as the minor release number. For example, 2020.1. Subsequent planned releases will increment the minor number. For example, 2020.2, 2020.3, and 2020.4.

End of Support Announcements

As of 2020.1, we have ended support for the Microsoft Visual Studio add-in. Our Visual Studio extension contains the complete feature set and supports Visual Studio versions 2012 to 2019.

Portal Licensing Changes

Klocwork has implemented additional licensing checks related to running the Klocwork Server, which — among other things — underpins the Klocwork portal. We recommend that you validate your licensing needs to ensure that you have a sufficient number of web service licenses.

What’s New in Perforce Klocwork 2019.3

Klocwork 2019.3 delivers improvements to vulnerability detection and compliance/coding standards.

Expanded MISRA C:2012 Rules

New and improved MISRA C:2012 standard rules — Rules 5.8 and 5.9 — provide greater coverage and accelerate time-to-market for compliance projects.

Improved Compiler Support

Klocwork has made updates and improvements to the following supported compliers:

Clang
GNU

Enhanced Analysis Engine

Improved implementation of Linux 64-bit architecture enables Klocwork to more effectively analyze large, complex code bases and projects.

Improved Checker

Klocwork has made improvements to the accuracy and coverage of the following checkers:

New C/C++ Checkers:

CWARN.DTOR.VOIDPTR: Detects the deletion of ‘pointer to void’ which may result in memory and resource leaks.
UNUSED.FUNC.STL_EMPTY: Detects accidental calls to empty() method instead of clear().

Additional New Checkers:

MISRA.IDENT.NONUNIQUE.EXTERNAL.2012
MISRA.IDENT.NONUNIQUE.INTERNAL.2012

Enabled Checkers:

CWARN.DTOR.VOIDPTR
UNUSED.FUNC.STL_EMPTY

Improved Taxonomies

Klocwork has made updates and improvements to the following taxonomies:

misra_c_2012_c90.tconf
misra_c_2012_c90_ja.tconf
misra_c_2012_c99.tconf
misra_c_2012_c99_ja.tconf

Important Changes in Klocwork 2019.3

The latest release of Klocwork includes the following changes.

Developer Network

The Rogue Wave Support Center now includes Klocwork. As a result, the Developer Network will no longer be available after November 30, 2019.

End of Support

Klocwork 2019.3 will be the last release to support the Vim plug-in.

2020 Portal Licensing Changes

Beginning in 2020, Klocwork will put into effect additional licensing checks related to the Portal.

System Requirement Changes

Klocwork has added support for the following system requirements:

Debian 10.0
OpenSUSE Leap to 15 to 15.1
SUSE Enterprise Leap 15 to 15.1
Red Hat Enterprise Linux 8.0
Ubuntu 16.04 to 16.04.6 LTS
glibc 2.29
Windows 10 versions 1709 to 1903
macOS 10.12x to 10.14.5
Microsoft Visual Studio 2017, up to version 15.9.14 and 2019, up to 16.1.6 (Visual Studio Extension only)
Android Studio 1.0 to 3.4.2
JetBrains IntelliJ IDEA 2019.1.1 to 2019.1.3
TeamCity 9.1.3 to 2019.1.1
Google Chrome 54.x to 75.x
Mozilla Firefox 67.x.x and 68.x.x
Apple Safari 9.1.x to 12.1.1
Microsoft Edge 44.x to 44.18362
Microsoft Internet Explorer 11.0.x to 11.0.135
gradle 3.x to 5.5.1

What's New in Perforce Klocwork 2019.2

Klocwork 2019.2 delivers improvements to security vulnerability detection, compliance/coding standards, and adds Visual Studio 2019 support.

Improved Security Vulnerability Detection

Improved security checkers that detect vulnerabilities related to the tracking of tainted data used through casting operations.

Expanded MISRA C:2012 Rules

New and improved MISRA C:2012 standard rules — Rules 21.13 and 21.19 — provide greater coverage and accelerate time-to-market for compliance projects.

Integrated ISO/IEC TS 17961 Standard

Klocwork can now ensure that C language projects are compliant with ISO/IEC TS 17961.

Improved Build Analysis

Projects using multiple compilers will see more accurate analysis results for C++ 14/17 langauge features.

Simplified Build Reporting

Improved functionality to optimize and reduce the size of the build log is now available for all C/C++ tools.

Upgraded Microsoft Visual Studio Support

The Klocwork Visual Studio Extension now supports Visual Studio 2019.

Expanded Compiler Support

Klocwork has made updates and improvements to the following supported compliers:

Archelon CSR Kalimba C
Clang
GNU
Green Hills
IAR Systems C (compiler/linker for ARM)

What's New in Perforce Klocwork 2019.1

Klocwork 2019.1 delivers improvements to security vulnerability detection, standards compliance, and 64-bit support for large projects.

Improved Security Vulnerability Detection

Improved security checkers that detect vulnerabilities related to the tracking of tainted data used in nested structures, stored as array elements, and through casting operations.

Expanded MISRA C:2012 Rules

New and improved MISRA C:2012 standard rules — Rules 18.1 and 19.1 — provide greater coverage and accelerate time-to-market for compliance projects.

Enhanced Analysis Engine

Integrated support for even larger and more complex projects with 64-bit build specification generation on Linux.

Simplified Build Reporting

Klocwork now makes it easier to evaluate the quality of analysis results and of the build requires review. In addition, there is new optional functionality to optimize and reduce the size of the build log.

Upgraded Microsoft Visual Studio Support

The Klocwork Visual Studio Extension now supports a broader range of Visual Studio 2017 versions and includes general performance improvements.

Added OWASP Top 10 Security Risks for 2017

A new Java taxonomy has been added that covers the OWASP Top 10 Security Risks for 2017.

Expanded Compiler Support

Klocwork has made updates and improvements to the following compiler support:

ARM Optimizing C/C++ compiler (formerly TI tms470 C/C++ compiler)
Clang
GNU
Green Hills
Microsoft Visual C++
Mono Headset SDK
Nvidia CUDA
Plan 9 C
WinAVR

What's New in Static Analysis and SAST

What’s New in Perforce Klocwork

What's New in Perforce Klocwork 2025.2

C/C++ Analysis Engine

Broader C++ Analysis With Modern Engine as Default

Other C/C++ Analysis Enhancements

Perforce Validate Platform Improvements

Database Improvements

View and Manage Issues With Greater Flexibility

Expanded Support for Rule Reference Queries

Improved Workflow for Build Retention Policy

Compliance Report Improvements

Coding Standards

Quality of Life Enhancements

IDE Plugins

Analysis Tools

Validate Usability Improvements

Compiler Support

Important Changes in Klocwork 2025.2

Removal of the kwmatch Utility in 2025.2

Removal of the dbvalidate Cleanup Utility in 2025.2

License Management Changes

Pre-Announcements

End-of-Life Notice for Visual Studio 2015 IDE Plugin in 2025.4

What's New in Perforce Klocwork 2025.1

Validate Platform Improvements

Validate Groups Authorization Integration With SAML/OIDC

Reduced Build Load Times and Disk Usage

Configurability of Issue Statuses for Counts and Reporting

Coding Standards

C/C++ Analysis Engine

Java Analysis Engine

Quality of Life Enhancements

IDE Plugins

Build System Support

Validate Usability Improvements

Compiler Support

Important Changes in Klocwork 2025.1

License Management Changes

Deprecation of the kwmatch Utility in 2025.1

Pre-Announcements

End-of-Life Notice for Visual Studio 2015 IDE Plugin in 2025.4

What's New in Perforce Klocwork 2024.4

Validate Platform Improvements

Back Up Projects and Server Information With Minimal Downtime

Improved Workflow for Application Token Authentication

Added Support for Regular Expressions for Modules Paths

Updated Taxonomy Page for Improved Navigation

Coding Standards

C++ Analysis Engine

Java Analysis Engine

Quality of Life Enhancements

IDE Plugins

Operating System Support

Build System Support

Validate Usability Improvements

Build Tools

Compiler Support

Important Changes in Klocwork 2024.4

End-of-Life for Windows Server 2012, SUSE Enterprise 12 — Klocwork 2024.4

Secure Authentication Tokens

License Management Changes

Pre-Announcements

License Management Changes

What's New in Perforce Klocwork 2024.3

Validate Platform Improvements

Build Loading

Authentication

Coding Standards

C/C++ Analysis Engine

Quality of Life Enhancements

File Extensions

Build System Support

Licensing

Compiler Support

Important Changes in Klocwork 2024.3

Secure Authentication Tokens

License Management Changes

End-of-Life Announcements

Deprecation of Structure 101 Integration