What's New in Klocwork 2022.3

With the release of 2022.3, Klocwork delivers updates and improvements to our language coverage for C#, Java, JavaScript, Kotlin, and Python.

The Microsoft Visual Studio IDE plugin(s) have been improved to support multi-threaded and incremental analysis for C#, providing up to a 200%* reduction in analysis times for select projects and solutions. In addition, 2022.3 includes an enhancement to the configurable defect suppression feature, expanded Android build specification generation CLI options, and broader coding standard coverage.

(*based on internally benchmarked OSS projects)

C# Analysis Engine

Improved support for the C# 7.2 language specification. New language features include:

  • Initializers on stackalloc arrays.
  • Use fixed statements with any type that supports a pattern.
  • Access fixed fields without pinning.
  • Reassign ref local variables.
  • Declare readonly struct types, to indicate that a struct is immutable and should be passed as an in parameter to its member methods.
  • Add the in modifier on parameters, to specify that an argument is passed by reference but not modified by the called method.
  • Use the ref readonly modifier on method returns, to indicate that a method returns its value by reference but doesn't allow writes to that object.
  • Declare ref struct types, to indicate that a struct type accesses managed memory directly and must always be stack allocated.
  • Use additional generic constraints.
  • Non-trailing named arguments.
    • Named arguments can be followed by positional arguments.
  • Leading underscores in numeric literals.
    • Numeric literals can now have leading underscores before any printed digits.
  • Private protected access modifier.
    • The private protected access modifier enables access for derived classes in the same assembly.
  • Conditional ref expressions.
    • The result of a conditional expression (?:) can now be a reference.

Java Analysis Engine

Full support for the Java 13 language specification. New features include:

  • Improved build process monitoring and reduction of parse errors and warnings for Java 13.
  • Upgraded Java Knowledge Bases to provide higher accuracy and support of Java 13 APIs.

JavaScript, Kotlin, Python Analysis Engines

General upgrades and improvements to JavaScript, Kotlin, and Python analysis engines and checkers:

JavaScript

  • Support for JavaScript versions up to ECMAScript 2022 (ES13).
  • An added collection of 722 checks for code complexity, quality, performance, best coding practices, and more.

Kotlin

  • Support for Kotlin versions up to 1.6.21.
  • An added collection of 251 checks for code complexity, quality, performance, best coding practices, and more.

Python

  • Support for Python 3 versions up to 3.10.
  • An added collection of 335 checks for code complexity, quality, performance, best coding practices, and more.

C/C++ Analysis Engine

Enhanced the configurable defect suppression feature.

  • Use the defect suppression feature to focus on issues that matter. Filter out noisy defects or issues in the code that you are not responsible for such as libraries, headers, and third-party code.
    • Introduced the ability to allow analysis optimizations when suppressing files or directories.
    • Provides an alternative to project splitting.

Microsoft Visual Studio IDE Plugin

Use the Visual Studio desktop analysis plugin to quickly and easily detect and then fix issues before check-in.

  • The Microsoft Visual Studio IDE extension has been improved to support multi-threaded and incremental analysis for C#.

This change provides up to a 50%* reduction in analysis times for select projects and solutions.

(*based on internally benchmarked OSS projects)

Expanded Configuration Options for Android Project Analysis

The command line options for generating build specifications for Android analysis using kwandroid have been expanded to match other build monitoring utilities.

Coding Standards

New and expanded standards coverage and taxonomies for Klocwork 2022.3:

  • AUTOSAR – C++
  • CERT – C and C++
  • CWE – C, C++, and Java
  • DISA STIG v5 – C and C++
  • HKMC v4.1 – C and C++
  • ISO/IEC TS 17961 – C
  • JSF AV – C++
  • MISRA – C:2004 and C:2012
  • OWASP Top10 2021 – C#

New Vulnerability Checkers

2022.3 adds and improves several checkers across Klocwork-supported languages: C and C++. The new checkers find defects for:

  • Intraprocedural numeric overflow and wraparound detection.
  • Divide by zero within loops.

For more detailed information on what’s new, please refer to the release notes.

Important Changes in Klocwork 2022.3

License Management Changes

As of 2022.2, Klocwork now supports Reprise License Manager (RLM).

  • FLEXlm/FlexNet Publisher support is deprecated but will continue to work until the release of Klocwork 2023.1.
  • You can continue to use your existing FLEX license files until 2023.1. If you need new license files generated, please contact [email protected].
  • New product license files will be generated for Reprise. If you require a FLEX license file for older Klocwork versions, we can provide this for you.

Pre-Announcements

Path API version upgrade – Klocwork 2022.4

Upon the release of Klocwork 2022.4, custom C/C++ PATH checkers will need to be reviewed for multi-threaded compatibility. We recommend you review your custom checkers for potential race conditions and recompile using the 2022.4 Klocwork Path API headers and library. Custom checkers that are not recompiled will continue to work but will not be able to use an upcoming parallelization feature. Please refer to our release notes to find out more.

End of Life Announcement – Klocwork 2023.1

Beginning with Klocwork 2023.1, the following operating systems and installers will not be supported:

  • Mac OS

What’s New in Klocwork 2022.2

With the release of 2022.2, Klocwork enables Project Streams support across all tools and plugins, allowing developers to work on multiple branches, variants, and streams by providing analysis results in-context to their development pipeline.

We’re also excited to share that Klocwork’s Portal will be rebranded into the Validate platform, which brings along with it a new look and feel. Even though the log-in screen will feature a new look, you will still be able to log in to the product-agnostic platform as usual.

In addition, this release also features performance improvements of up to 63%* for Java projects, support for Microsoft Visual Studio 2022, new defect suppression options, and broader coding standard coverage.

(*based on internally benchmarked OSS projects)

Project Streams

Klocwork’s Project Streams now provides improved efficiency in managing multiple versions of the same codebase when working with streams projects, results storage, and project migration.

  • Enables desktop plugins to recognize streams allowing developers to switch context between projects and streams with the ability to synchronize results.
  • Completes stream support across all Klocwork’s toolchain and plugins.
  • Parallelized stream build loading provides improved performance when loading analysis results to Klocwork’s Validate platform.
  • Provides a path to migrate to streams from older legacy projects.

Java Analysis Engine

Klocwork’s Incremental and Differential Analysis now supports Java.

  • Up to 63%* reduction in analysis times for Java projects when using Incremental and Differential Analysis features.
  • Differential Analysis uses system context data from the server to analyze only the files that were changed, while providing a Differential Analysis as if the entire system were analyzed, resulting in the shortest possible analysis times.

(*based on internally benchmarked OSS projects)

Microsoft Visual Studio 2022 IDE Plugin

Use the Visual Studio 2022 desktop analysis plugin to quickly and easily detect and then fix issues before check-in.

  • The IDE extension supports C, C++, C#, and mixed projects and solutions.

“Klocwork Portal” Is Being Rebranded into the Validate Platform

We’re excited to announce that Validate is the new platform that will house the Klocwork Portal.

It features a new log-in screen with the Validate by Perforce logo, yet the log-in process will not change. Users will still use the same credentials to log in and see their projects and data. The new look and feel will help users to better navigate the user interface.

Klocwork 2022.2 — Validate

The vision for the Validate platform is to be the single source of truth for Perforce Static Analysis products, Klocwork and Helix QAC. We start this journey with a new name, installer, look, and feel.

Stay tuned for more developments in future releases.

C/C++ Analysis Engine

Configurable Defect Suppression

  • Use the defect suppression feature to focus on issues that matter. Filter out noisy defects or issues in the code that you are not responsible for such as libraries, headers, and third-party code.

Coding Standards

New and expanded standards coverage and taxonomies for Klocwork 2022.2:

  • CERT – C and C++
  • CWE – Java, JavaScript, and Python
  • DISA STIG v5 – Java
  • OWASP Top10 – C, C++, and JavaScript

Important Changes in Klocwork 2022.2

License Management Changes

As of 2022.2, Klocwork now supports Reprise License Manager (RLM).

  • FLEXlm/FlexNet Publisher support is deprecated but will continue to work until the release of Klocwork 2023.1.
  • You can continue to use your existing FLEX license files until 2023.1.
  • New product license files will be generated for Reprise. If you require a FLEX license file for older Klocwork versions, we can provide this for you.

Log4j Libraries Upgraded to v2

The log4j libraries used in the Klocwork tools have been upgraded to v2. Although Klocwork was previously using log4j v1, which was not affected by the Log4Shell vulnerability, the log4j libraries have been updated to the latest version to ensure enhanced cybersecurity for the Klocwork product.

Pre-Announcements

Path API version upgrade – Klocwork 2022.3

As of Klocwork 2022.3, custom C/C++ PATH checkers will need to be reviewed for multi-threaded compatibility. We recommend you review your custom checkers for potential race conditions and recompile using the 2022.3 Klocwork Path API headers and library. Custom checkers that are not recompiled will continue to work but will not be able to use an upcoming parallelization feature. Please refer to our release notes to find out more.

License Management Changes — Klocwork 2023.1

This is a six-month notice of the End-of-Life of support for FLEXlm/FlexNet Publisher license files. As of 2023.1, Klocwork will be moving to Reprise License Manager (RLM). New product license files will be generated for Reprise.

Contact [email protected] to obtain updated licenses.

End of Life Announcement – Klocwork 2023.1

Beginning with Klocwork 2023.1, the following operating systems and installers will not be supported:

  • Mac OS

What’s New in Klocwork 2022.1

Klocwork 2022.1 launches Kotlin as a new supported analysis language, providing the ability to scan Kotlin code for issues related to complexity, quality, performance, best coding practices, and more.

This release also features performance improvements of up to 35%* for large C/C++ projects and quality-of-life updates to Project Streams.

In addition, the release also includes broader coding standards coverage, and general analysis and accuracy improvements for C/C++.

(*based on internally benchmarked OSS projects)

Kotlin Analysis Engine

Klocwork now supports the analysis of Kotlin as a new analysis language available for server and desktop scanning. Features include:

  • In-depth integration build analysis.
  • Support for Kotlin versions up to 1.5.31.
  • A collection of 229 new checks for code complexity, quality, performance, best coding practices, and more.

Project Streams

Klocwork’s Project Streams feature now provides improved efficiency in dealing with multiple versions of the same codebase with respect to result storage, project migration, and navigation of stream projects.

  • This release enables support for CI/CD pipelines and desktop command line tools to recognize streams and load results to the correct projects/sub-projects.
  • Provides a path to migrate to streams from older legacy projects.
  • Filtering to improve project list navigation when using streams.

Performance

Up to 35%* reduction in analysis times for large C/C++ products, such as Android, when using multiple CPUs.

(*based on internally benchmarked OSS projects)

C/C++ Analysis Engines

  • Increased support for Visual Studio 2019 C/C++ default headers.
  • Improved analysis of C++20 modules.

Coding Standards

New and expanded standards coverage for Klocwork 2022.1:

  • CERT C/C++
  • CWE C/C++
  • DISA STIG v5 C/C++ and C#
  • MISRA C 2012
  • MISRA C++ 2008

Log4j Vulnerability Checker

2022.1 includes an upgraded vulnerability checker to identify issues related to Log4j.

  • SV.LOG_FORGING

Klocwork Help

We've updated the look and feel of our embedded and online help and have moved the online help to a new website. You can now find the latest online help at https://help.klocwork.com.

For more detailed information on what’s new, please refer to the release notes.

Important Changes in Klocwork 2022.1

Maintenance for Klocwork 2020 Ending

Maintenance for all versions of Klocwork 2020 ended on March 31, 2022. In addition, the end of maintenance (EOM) date and end of sale (EOS) date also occurred on March 31. For information about the availability of support for any release of Klocwork, see the Klocwork Product Lifecycle.

What’s New in Klocwork 2021.4

In our final release of the year, Klocwork 2021.4 provides quality of life improvements and enhancements to Project Streams, as well as C, C++, C#, and Java Analysis, and new Coding Standard taxonomies.

Project Streams

This feature now includes a consolidated issue list for all your projects and related streams. This allows you to quickly determine the technical issue debt within your entire project codebase.

  • The consolidated issue list provides a sum of all issues in a project including all its related streams.

Java Analysis Engine

Full support for the Java 12 language specification. New features include:

  • Improved build process monitoring and reduction of parse errors and warnings for Java 12.
  • Upgraded Java Knowledge Bases to provide higher accuracy and support of Java 12 APIs.

C# Analysis Engine

Improved support for the C# 7.1 language specification. New language features include:

  • Target-typed "default" literal
  • Tuple name inference (Tuple projection initializers)
  • Pattern-matching with generics

C/C++ Analysis Engine(s)

  • Enhanced Incremental Analysis for mixed language projects
  • Accuracy and False Positive improvements

Coding Standards

New and expanded standards coverage for Klocwork 2021.4:

  • DISA STIG v5 – C/C++
  • OWASP Top 10 2017 – C#

For more detailed information on what’s new, please refer to the release notes.

Important Changes in Klocwork 2021.4

Checker Limitations on Windows as of Klocwork 2021.4

As of Klocwork 2021.4, 32-bit backward compatibility for custom checkers is no longer supported and the option '--force-32bit' is deprecated. You must rebuild all your old checkers by using a 64-bit compiler.

Contact support for more information.

Klocwork 2021.4 has Upgraded to use Python 3

Klocwork has upgraded to Python 3 and removed Python 2, which has reached End-Of-Life.

What’s New in Klocwork 2021.3

Klocwork 2021.3 introduces Project Streams functionality, Python Analysis Engine, and an integration with the Secure Code Warrior learning platform. In addition, the release improves coding standard coverage, Visual Studio Code plugin language support, and general analysis and accuracy improvements for our numerous supported languages.

New Project Streams Functionality

This feature provides easy management of shared code bases that have multiple variants or branches by simplifying project rule configuration, issue management, defect citing, reporting, and efficient data storage of analysis data.

Create multiple streams for a single code base, rather than needing to create separate projects per variant or branch. Streams provide the following benefits:

  • Assign a single project rule configuration to all variants.
  • Issues common to multiple variants are automatically kept in sync and only require citing once.
  • Easily identify identical issues across multiple streams and issues unique to a specific stream.
  • Generate reports on individual streams for compliance, functional safety, or other evidential purposes.
  • More convenient organization and efficient storage of analysis data.

Python Analysis Engine

Klocwork now supports the analysis of Python as a new analysis language available for server and desktop scanning. Features include:

  • Support for Python 2 and 3.
  • Server and desktop analysis available.
  • 367 new checks for rule violations, security weaknesses, quality, concurrency, and best coding practices.

Secure Code Warrior Integration

Developing secure code is a priority concern across industries and with our new Secure Code Warrior integration, Klocwork customers have access to a free account providing lessons and training tools for many common development languages.

Visual Studio Code IDE Plugin

Use the Visual Studio Code desktop analysis plugin to quickly and easily detect and then fix issues before check-in.

  • Now supports JavaScript and Python.

C# Analysis Engine

Klocwork’s C# analysis engine now supports additional operating systems and frameworks.

  • Analyze C# .NET Core and Mono projects on Linux.
  • Improved support for Mono projects on Windows.

C++ Analysis Engine

Enhanced C++ analysis accuracy with improved handling of:

  • C++ 20 modules
  • Android 12

Java Analysis Engine

New Java analysis capabilities in this release include:

  • Improved build process monitoring and reduction of parse errors and warnings.
  • Increased analysis accuracy for Java 11 language features.
  • Support for JKB annotations and improved @Suppress annotation use.
  • Support for multiple Java generic parameters.
  • Android 12 support.

Coding Standards

New and expanded standards coverage for Klocwork 2021.3:

  • CWE Top25 2021 – C/C++, C#, and Java
  • CERT – C/C++
  • AUTOSAR
  • DISA STIG
  • Joint Strike Fighter Air Vehicle C++
  • MISRA
  • OWASP – Java

For more detailed information on what’s new please refer to the release notes.

Important Changes in Klocwork 2021.3

Checker Limitations on Linux as of Klocwork 2021.3

As of Klocwork 2021.3, 32-bit backward compatibility for custom checkers is no longer supported and the option '--force-32bit' is deprecated. You must rebuild all your old checkers by using a 64-bit compiler. Contact support for more information.

What’s New in Klocwork 2021.2

Klocwork 2021.2 launches JavaScript as a new supported analysis language providing the ability to scan JavaScript code for rule violations, security weaknesses, and more.

The release also features Differential Analysis for C# to deliver faster scan results, and the Klocwork Security and Compliance Portal gains the ability to import Helix QAC findings for a consolidated view of both Perforce tools in one place.

In addition, the release also includes broader coding standards coverage, new vulnerability checks, and general analysis and accuracy improvements for all supported languages.

JavaScript Analysis Engine

Klocwork now supports the analysis of JavaScript. Features include:

  • Support for JavaScript, TypeScript, JSX, React, and Vue.
  • 284 new checks for rule violations, security weaknesses, quality, and best coding practices.

C++ Analysis Engine

Enhanced C++ analysis accuracy with improved handling of:

  • Android 11

C# Analysis Engine Improvements

Klocwork’s Differential Analysis now supports C#.

  • Differential Analysis uses system context data from the server to analyze only the files that were changed, while providing a diff analysis as if the entire system were analyzed, resulting in the shortest analysis times.
  • Improved analysis accuracy.

Java Analysis Engine Improvements

  • Full support for the Java 11 language specification. New language features include:
    • Local Variable Syntax for Lambda Parameters

Klocwork Compliance and Application Security Testing (CAST) Portal

The Klocwork Compliance and Application Security Testing (CAST) Portal provides a single dashboard to view consolidated analysis results. 2021.2 introduces the ability to import Helix QAC findings to Klocwork.

  • Use Klocwork and Helix QAC together to provide industry-leading compliance coverage across the major embedded and automotive programming languages.
  • Import and integrate Helix QAC diagnostic results with Klocwork.
  • Review and manage security and compliance issues in one place.
  • Generate compliance reports to determine the health of your codebase and supply information necessary to claim compliance against a coding standard.

Klocwork Community

This release includes 26 new Klocwork Community checkers expanding rule coverage for CERT C and JSF AV C++ coding standards.

Coding Standards

New and expanded standards coverage for Klocwork 2021.2:

  • CERT – CWE – C++, C#, and Java
  • Joint Strike Fighter Air Vehicle C++
  • Klocwork Quality Community – C#
  • Klocwork Quality – JavaScript, TypeScript, React, Vue
  • MISRA
  • OWASP – Java

New Vulnerability Checkers

2021.2 adds and improves several checkers across Klocwork supported languages: C++, C#, Java, and JavaScript.

The new checkers find defects for:

  • Code complexity
  • Concurrency issues
  • Cross-site request forgery (CSRF) vulnerabilities
  • Cross-site scripting attack (XSS) vulnerabilities
  • Incorrect Authentication
  • Improper certificate validation
  • Improper Encapsulation
  • Incorrect error handling
  • Indeterminate Value Warnings
  • Invalid Arithmetic Operations
  • Maintainability Issues
  • Missing Authentication For Critical Function
  • Missing authorization checks
  • No configuration for a critical resource
  • No configuration for a protected resource
  • Object-oriented programming issues
  • Performance Issues
  • Possible Runtime Failures
  • Process and Path Injection
  • Pseudorandom number generation issues
  • Redundant Code
  • Stylistic Issues
  • Suspicious Code Practices
  • Suspicious Encapsulation
  • Suspicious Scoping
  • SQL injection
  • Unnecessary Code
  • Unreachable Code
  • Unsafe Code Practices
  • Unused Code
  • Unused Local Variables
  • Use of freed resources
  • Use of hard-coded credentials
  • Use of ldap anonymous bind
  • Use of weak cryptographic algorithm
  • XXE vulnerabilities

For more detailed information on what’s new please refer to the release notes.

Important Changes in Klocwork 2021.2

Licensing Changes

If you already upgraded your licenses for 2021 prior to the release of 2021.2, you need updated versions to use the JavaScript and Helix QAC import features. Contact [email protected] to obtain updated licenses.

What’s New in Klocwork 2021.1

Klocwork 2021.1 enhances the C# analysis engine with incremental analysis support, improves the Java analysis engine for Java 10 language features along with broader framework support, and C++ improvements for Android 11 analysis. The release also includes broader coding standards coverage, new vulnerability checks, and general accuracy improvements for all supported languages.

C# Analysis Engine Improvements

  • C# analysis engine supports fast incremental build feedback for code changes.
  • Improved analysis accuracy.

Java Analysis Engine Improvements

  • Full support for the Java 10 language specification. New language features include:
    • Local-Variable Type Inference
    • Unicode Language-Tag Extensions
    • Klocwork Knowledge Base for Java 10 API
  • Broader Java framework support for:
    • GWT
    • Java Persistence API
    • JAX RS
    • JAX WS
    • ReactiveX
    • Vert.x
    • WS XML-RPC
  • Improved analysis accuracy.

C++ Analysis Engine

  • Enhanced C++ analysis accuracy with improved handling of:
    • Android 11
    • Template syntax support (Custom KB)

Coding Standards

New and expanded standards coverage for Klocwork 2021.1:

  • CWE – C# and Java
  • AUTOSAR
  • MISRA
  • PCI DSS
  • Joint Strike Fighter Air Vehicle C++

New Vulnerability Checkers

We have added and improved several checkers across our supported languages: C++, C#, and Java.

The new checkers find defects for:

  • Use-after-free defects
  • DllPreload vulnerabilities
  • Cross-site request forgery (CSRF) vulnerabilities
  • Copy-Paste errors
  • Sensitive information leak
  • Resource leaks
  • String literal modification

For more detailed information on what’s new please refer to the release notes.

Important Changes in Klocwork 2021.1

End of Life Announcement

As of Klocwork 2021.1, the following operating systems and installers will not be supported:

  • AIX
  • Solaris
  • Klocwork 32-bit installers

Maintenance for Klocwork 2019 has Ended

Beginning on March 31, 2021, maintenance for all versions of Klocwork 2019 will end. In addition, the end of maintenance (EOM) date and end of sale (EOS) date will also begin on that date. For information about the availability of support for any release of Klocwork, see the Klocwork Product Lifecycle.

Default Behavior Change for Issue Grouping

Klocwork no longer uses grouping (of defects) by default for integration analysis. This improves the Klocwork DB load times significantly for larger projects and larger files with high numbers of defects. Existing projects and migrated projects will keep their current grouping behaviors, but new projects will default to having faster load times without grouping.

What’s New in Klocwork 2020.4 SR1

Klocwork 2020.4 SR1 enhances the C# analysis engine with parallel execution support, improves Java analysis for Android 10/11, introduces a Visual Studio Code IDE Plugin, and provides the ability to generate Compliance Reports that show the health and coding standard enforcement level of your codebase. The release also includes broader coding standards coverage, new vulnerability checks, 64-Bit toolchain upgrades for Windows & Linux, and general accuracy improvements for all supported languages.

Visual Studio Code IDE Plugin

Use our new Visual Studio Code desktop analysis plugin to quickly and easily detect and fix issues before check-in.

  • The IDE extension supports C/C++, C#, Java languages, and mixed projects and solutions.

Compliance Reports

These new reports help you determine the health of your codebase and supply the information necessary to claim compliance against a coding standard. Generate reports for:

  • Secure Coding Standards.
  • MISRA Compliance 2020.
  • Your own custom coding standards.

C# Analysis Engine Improvements

  • To fully benefit from multi-core hardware available, C# analysis supports parallel execution. This results in significantly faster analysis times.
  • Improved analysis accuracy.

Java Analysis Engine Improvements

  • Improved analysis support for Android 10 and 11.
  • Upgraded Java Knowledge Bases to provide higher accuracy and support of Java 9 APIs.
  • Added support for a maven wrapper script.

Performance

64-Bit improvements for Windows & Linux:

  • All components of the Windows analysis toolchain have been upgraded to 64-bit architecture, so Klocwork can more effectively analyze large, complex codebases and projects.

Coding Standards

New and expanded standards coverage for Klocwork 2020.4 SR1:

  • CWE – C/C++, C#, and Java
  • CWE 2019 Top 25 — C# and Java
  • New CWE 2020 Top 25 — C/C++, C#, and Java
  • AUTOSAR
  • ISO IEC TS 17961 (C Secure)

New Vulnerability Checkers

We have added and improved several of our checkers across our supported languages: C, C++, C#, and Java.

The new checkers find defects for:

  • Dangerous Calls
  • Dangerous Casts
  • Division by zero
  • Incorrect use of autoboxing and unboxing
  • Privilege management
  • Sensitive information storage
  • Tainted Data
    • Code injection
    • Command injection
    • Critical resource permissions
    • Deserialization
    • Path traversal
    • Uncontrolled resource consumption
    • Unrestricted File Uploads
  • Unsafe code practices

For more detailed information on what’s new please refer to the release notes.

Important Changes in Klocwork 2020.4 SR1

Pre-Announcement – End of Life Support

Beginning with Klocwork 2021.1, the following operating systems and installers will not be supported:

  • AIX
  • Solaris
  • Klocwork 32-bit installers

What’s New in Klocwork 2020.4

Klocwork 2020.4 enhances the C# analysis engine with parallel execution support, improves Java analysis for Android 10/11, introduces a Visual Studio Code IDE Plugin, and provides the ability to generate Compliance Reports that show the health and coding standard enforcement level of your codebase. The release also includes broader coding standards coverage, new vulnerability checks, 64-Bit toolchain upgrades for Windows, and general accuracy improvements for all supported languages.

Visual Studio Code IDE Plugin

Use our new Visual Studio Code desktop analysis plugin to quickly and easily detect and fix issues before check-in.

  • The IDE extension supports C/C++, C#, Java languages, and mixed projects and solutions.

Compliance Reports

These new reports help you determine the health of your codebase and supply the information necessary to claim compliance against a coding standard. Generate reports for:

  • Secure Coding Standards.
  • MISRA Compliance 2020.
  • Your own custom coding standards.

C# Analysis Engine Improvements

  • To fully benefit from multi-core hardware available, C# analysis supports parallel execution. This results in significantly faster analysis times.
  • Improved analysis accuracy.

Java Analysis Engine Improvements

  • Improved analysis support for Android 10 and 11.
  • Upgraded Java Knowledge Bases to provide higher accuracy and support of Java 9 APIs.
  • Added support for a maven wrapper script.

Performance

64-Bit improvements for Windows:

  • All components of the Windows analysis toolchain have been upgraded to 64-bit architecture, so Klocwork can more effectively analyze large, complex code bases and projects.

64-Bit improvements for Linux – Coming in 2020.4.1

Coding Standards

New and expanded standards coverage for Klocwork 2020.4:

  • CWE – C/C++, C#, and Java
  • CWE 2019 Top 25 — C# and Java
  • New CWE 2020 Top 25 — C/C++, C#, and Java
  • AUTOSAR
  • ISO IEC TS 17961 (C Secure)

New Vulnerability Checkers

We have added and improved several of our checkers across our supported languages: C, C++, C#, and Java.

The new checkers find defects for:

  • Dangerous Calls
  • Dangerous Casts
  • Division by zero
  • Incorrect use of autoboxing and unboxing
  • Privilege management
  • Sensitive information storage
  • Tainted Data:
    • Code injection
    • Command injection
    • Critical resource permissions
    • Deserialization
    • Path traversal
    • Uncontrolled resource consumption
    • Unrestricted File Uploads
  • Unsafe code practices

For more detailed information on what’s new please refer to the release notes.

Important Changes in Klocwork 2020.4

Pre-Announcement – End of Life Support

Beginning with Klocwork 2021.1, the following operating systems and installers will not be supported:

  • AIX
  • Solaris
  • Klocwork 32-bit installers

Service Release of Klocwork 2020.4 (2020.4.1)

A service release, Klocwork 2020.4.1, will be released that upgrades all components of the Linux analysis toolchain to 64-bit architecture.

What’s New in Klocwork 2020.3

Klocwork 2020.3 launches an enhanced Java analysis engine with major improvements that result in broader language coverage, expanded framework support, improved accuracy by 130%, and up to 2.5% new defects detected*. The release also includes improvements to the C# and Java analysis engines, product performance, and expanded coding standard support.

(*based on internally benchmarked OSS projects)

Major Update to Java Analysis Engine

New Java language coverage, expanded framework support and improved analysis accuracy by 130% with up to 2.5% more defect results*.

Full support of Java language specification for Java 9 and partial support for up to Java 11. New language features include:

  • Java Platform Module System
  • Private methods in interfaces
  • Diamond operator for anonymous inner class
  • @SafeVarargs on private instance methods
  • Try-with-resources Java 9 enhancement
  • Enums
  • Interfaces
  • Annotations
  • Lambda functions
  • Wildcards

Broader Java framework support for:

  • Android
  • Java SE/EE
  • JUnit
  • Hibernate ORM
  • Apache Cocoon
  • Apache Commons
  • Apache ECS
  • Apache Struts
  • Apache Tomcat
  • log4j
  • Eclipse SWT
  • JDOM
  • Spring Framework

(*based on internally benchmarked OSS projects)

Improvements to C# Analysis Engine

Support for custom C# Path checkers and increased analysis accuracy with up to 3% more defect results*.

Klocwork Path analysis identifies complex defects using syntactic and interprocedural data-flow analysis:

  • Write custom C# rules using Klocwork’s Path language and enforce your own internal coding standard.

(*based on internally benchmarked OSS projects)

C++ Analysis Engine

Enhanced C++ analysis accuracy with improved handling of:

  • Function pointers
  • Initializer lists and uniform initialization
  • New and Delete

Performance

64-Bit improvements for Windows:

  • Several components in our toolchain have been upgraded to leverage 64-Bit architecture, so Klocwork can more effectively analyze large, complex code bases, and projects.

Coding Standards

New and expanded standards coverage for Klocwork 2020.3:

  • CWE & CWE 2019 Top 25 — C#, Java
  • MISRA C 2012 Amendment 2

New Vulnerability Checkers

We have added and improved several of our checkers across our supported languages: C, C++, C#, and Java.

The new checkers find defects for:

  • Information Leakage
  • Resource Leaks
  • Unvalidated User Input
  • Path/File/Process Injection
  • Tainted Data
  • Cross-Site Scripting (XSS)
  • Dangerous Coding Practices
  • Security Best Practices — Violations

For more detailed information on what’s new please refer to the release notes.

Important Changes in Klocwork 2020.3

Developer Network End of Life

In October of 2018, our technical Support Center at https://techsupport.roguewave.com was upgraded to include Klocwork. As part of that transition, Developer Network will no longer be available.

Option to Rebuild Lucene Index

We've added an option to the dbvalidate tool that rebuilds the Lucene index for the specified project, which often reduces the size of the index. For more information, see validate your database (mandatory).

What's New in Klocwork 2020.2

Klocwork 2020.2 launches an improved C# analysis engine with broader language support, improved accuracy, and new defect detection by up to 30%*. This release also includes integrations for IDEs and CI/CD deployments, improvements to C++ analysis, and expanded coding standard support.

(*based on internally benchmarked OSS projects)

Major Update to C# Analysis Engine

Expanded C# language support, 64-Bit improvements, new project support, and increased analysis accuracy with up to 30% more defect results*.

Full support for the C# 7.0 language specification has been added to Klocwork. New language features include:

  • Out variables as function arguments and discard out variables
  • Pattern matching
  • Tuples, tuple deconstruction, and discards in tuple deconstruction
  • Local functions
  • Binary literals and digit separators
  • Ref locals and returns
  • Generalized async return types
  • Expression bodied members for members formally returning void
  • Throw expressions

64-Bit improvements to the C# analysis engine allow effective analysis of large, complex code bases, and projects.

New build integration improvements now provide analysis results for mixed C/C++ and C# projects.

Added support for more Visual Studio project types such as .Net Core.

(*based on internally benchmarked OSS projects using these language features)

C++ Analysis Engine

  • Improved C++ defect detection for intraprocedural function pointer resolution and cases of function pointers that are returned directly or indirectly by function calls.
  • Improved support for rvalue references and override file mechanisms.
  • Upgraded KB customization for virtual methods allowing behavior definition to produce greater accuracy in your system.

New Jenkins Plugin

Our new Jenkins plugin provides an easy way for you to automate industry-leading static analysis as part of your Continuous Integration (CI) or Continuous Delivery (CD) pipeline.

The plugin provides Klocwork's Differential Analysis, which uses system context data from the server to analyze only the files that were changed, while providing a diff analysis as if the entire system were analyzed, resulting in the shortest analysis times.

CLion IDE Plugin

Use our new CLion desktop analysis plugin to quickly and easily detect and fix issues before check-in.

Coding Standards

New and expanded standards coverage for Klocwork 2020.2:

  • CWE & CWE 2019 Top 25 – C#
  • AUTOSAR
  • MISRA
  • CERT – C/C++
  • Community Taxonomies – PCI DSS (C/C++, Java, and C#), Joint Strike Fighter Air Vehicle (C++), CERT (C/C++), Community Quality (C++)

New Vulnerability Checkers

We have added and improved several of our checkers across our supported languages: C/C++, Java, and C#.

The new checkers find defects for:

  • Dangerous implicit conversions
  • Dangerous coding practices
  • Out-of-boundary violations
  • Identifier name clashes
  • Tainted data
    • Buffer overflows using untrusted data
    • Excessive resource consumption using untrusted data
    • Integer overflows using untrusted data
    • Assignment to global variables
    • Dangerous Casts

For information on other accuracy and coverage improvements please refer to the release notes.

Important Changes in Klocwork 2020.2

Maintenance for Klocwork 2018 has Ended

Maintenance for all versions of Klocwork 2018 ended February 29, 2020. The end of maintenance (EOM) date and end of sale (EOS) date was also February 29, 2020. For information about the availability of support for any release of Klocwork, see the Klocwork Product Lifecycle.

What’s New in Klocwork 2020.1

Klocwork 2020.1 improves analysis accuracy and defect detection for C++ by up to 28%*. This release also introduces the Klocwork Community: a set of almost 200 new checkers and coding standard taxonomies developed by partners and professional services that are widely used by the Klocwork customer base worldwide.

(*based on internally benchmarked OSS projects)

Performance

64-Bit improvements for Windows:

  • Several components in our toolchain have been upgraded to leverage 64-Bit architecture, so Klocwork can more effectively analyze large, complex code bases, and projects.

Analysis Engine

Greater C++ analysis accuracy with up to 28% more defect results*:

  • Improved C++ defect detection for nested namespaces, references, and templates.
  • Upgraded standard C++ library Knowledge Bases provide higher accuracy for smart pointers, utilities, concurrency libraries, and more.

(*based on internally benchmarked OSS projects using these language features)

Coding Standards

New and expanded standards coverage for Klocwork 2020.1:

  • CWE 2019 Top 25 — C/C++, Java, and C#.
  • Community Taxonomies — AUTOSAR C++ 14, MISRA C 2012, CERT, and General Code Quality.
  • HIS Metrics for automotive projects.

MISRA checkers and taxonomies are now fully integrated into Klocwork by default. You no longer need to install and deploy MISRA checker packages separately; using them is as easy as adding a taxonomy to a project.

New Checkers

We have added close to 200 Klocwork Community checkers across our supported languages: C/C++, Java, and C#.

These new checkers find defects for:

  • Memory leaks
  • Concurrency issues
  • Security vulnerabilities, including:
    • SQL injection
    • Exposed fields
    • Buffer overflows
  • Uninitialized data
  • Unused variables
  • Exception handling
  • Dangerous casting
  • Banned APIs
  • General best coding practices

Klocwork Community

The Klocwork Community provides a framework for our users and professional services team to help shape the future of our coding standard coverage. By expanding on the certified Klocwork-developed checkers, we’re now providing access to sets of complimentary checkers and taxonomies that make the work of the wider community available within the product, all without the need to create and deploy your own.

Important Changes in Klocwork 2020.1

Klocwork Release Numbering

Going forward, the first release of each year will have the year as the major release number and 1 as the minor release number. For example, 2020.1. Subsequent planned releases will increment the minor number. For example, 2020.2, 2020.3, and 2020.4.

End of Support Announcements

As of 2020.1, we have ended support for the Microsoft Visual Studio add-in. Our Visual Studio extension contains the complete feature set and supports Visual Studio versions 2012 to 2019.

Portal Licensing Changes

Klocwork has implemented additional licensing checks related to running the Klocwork Server, which — among other things — underpins the Klocwork portal. We recommend that you validate your licensing needs to ensure that you have a sufficient number of web service licenses.

What’s New in Klocwork 2019.3

Klocwork 2019.3 delivers improvements to vulnerability detection and compliance/coding standards.

Expanded MISRA C:2012 Rules

New and improved MISRA C:2012 standard rules — Rules 5.8 and 5.9 — provide greater coverage and accelerate time-to-market for compliance projects.

Improved Compiler Support

Klocwork has made updates and improvements to the following supported compilers:

  • Clang
  • GNU

Enhanced Analysis Engine

Improved implementation of Linux 64-bit architecture enables Klocwork to more effectively analyze large, complex code bases and projects.

Improved Checker

Klocwork has made improvements to the accuracy and coverage of the following checkers:

New C/C++ Checkers:

  • CWARN.DTOR.VOIDPTR: Detects the deletion of ‘pointer to void’ which may result in memory and resource leaks.
  • UNUSED.FUNC.STL_EMPTY: Detects accidental calls to empty() method instead of clear().
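
The two defect patterns these checkers describe, as an added C++ example that is not taken from the Klocwork documentation. The `Session` type, the function names and the sample values are assumptions made for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

static int g_destroyed = 0;  // counts ~Session() runs so the fix is observable

struct Session {  // hypothetical type owning heap memory through std::string
    std::string token;
    explicit Session(std::string t) : token(std::move(t)) {}
    ~Session() { ++g_destroyed; }
};

// CWARN.DTOR.VOIDPTR pattern, kept as a comment because deleting through a
// void pointer is undefined behaviour: no destructor runs, so the string
// buffer owned by Session is never released.
//     void release(void* handle) { delete handle; }

// Fix: restore the real type before deleting, so ~Session() runs.
void release(void* handle) { delete static_cast<Session*>(handle); }

// UNUSED.FUNC.STL_EMPTY pattern: empty() only answers "is it empty?" and the
// result is discarded, so the container keeps its contents.
std::size_t reset_defective(std::vector<char>& buf) {
    buf.empty();  // clear() was intended; compilers may warn about the unused result
    return buf.size();
}

// Fix: clear() removes the elements.
std::size_t reset_fixed(std::vector<char>& buf) {
    buf.clear();
    return buf.size();
}

int destructors_run_after_release() {
    g_destroyed = 0;
    void* opaque = new Session("constructed-sample-token");  // constructed value
    release(opaque);
    return g_destroyed;
}

int main() {
    std::vector<char> a{'k', 'e', 'y'}, b{'k', 'e', 'y'};  // constructed input
    std::cout << "destructors run: " << destructors_run_after_release() << "\n"
              << "size after empty(): " << reset_defective(a) << "\n"
              << "size after clear(): " << reset_fixed(b) << "\n";
    return 0;
}
```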

Additional New Checkers:

  • MISRA.IDENT.NONUNIQUE.EXTERNAL.2012
  • MISRA.IDENT.NONUNIQUE.INTERNAL.2012

Enabled Checkers:

  • CWARN.DTOR.VOIDPTR
  • UNUSED.FUNC.STL_EMPTY

Improved Taxonomies

Klocwork has made updates and improvements to the following taxonomies:

  • misra_c_2012_c90.tconf
  • misra_c_2012_c90_ja.tconf
  • misra_c_2012_c99.tconf
  • misra_c_2012_c99_ja.tconf

Important Changes in Klocwork 2019.3

The latest release of Klocwork includes the following changes.

Developer Network

The Rogue Wave Support Center now includes Klocwork. As a result, the Developer Network will no longer be available after November 30, 2019.

End of Support

Klocwork 2019.3 will be the last release to support the Vim plug-in.

2020 Portal Licensing Changes

Beginning in 2020, Klocwork will put into effect additional licensing checks related to the Portal.

System Requirement Changes

Klocwork has added support for the following system requirements:

  • Debian 10.0
  • OpenSUSE Leap 15 to 15.1
  • SUSE Enterprise Leap 15 to 15.1
  • Red Hat Enterprise Linux 8.0
  • Ubuntu 16.04 to 16.04.6 LTS
  • glibc 2.29
  • Windows 10 versions 1709 to 1903
  • macOS 10.12x to 10.14.5
  • Microsoft Visual Studio 2017, up to version 15.9.14 and 2019, up to 16.1.6 (Visual Studio Extension only)
  • Android Studio 1.0 to 3.4.2
  • JetBrains IntelliJ IDEA 2019.1.1 to 2019.1.3
  • TeamCity 9.1.3 to 2019.1.1
  • Google Chrome 54.x to 75.x
  • Mozilla Firefox 67.x.x and 68.x.x
  • Apple Safari 9.1.x to 12.1.1
  • Microsoft Edge 44.x to 44.18362
  • Microsoft Internet Explorer 11.0.x to 11.0.135
  • gradle 3.x to 5.5.1

What's New in Klocwork 2019.2

Klocwork 2019.2 delivers improvements to security vulnerability detection, compliance/coding standards, and adds Visual Studio 2019 support.

Improved Security Vulnerability Detection

Improved security checkers that detect vulnerabilities related to the tracking of tainted data used through casting operations.

Expanded MISRA C:2012 Rules

New and improved MISRA C:2012 standard rules — Rules 21.13 and 21.19 — provide greater coverage and accelerate time-to-market for compliance projects.

Integrated ISO/IEC TS 17961 Standard

Klocwork can now ensure that C language projects are compliant with ISO/IEC TS 17961.

Improved Build Analysis

Projects using multiple compilers will see more accurate analysis results for C++ 14/17 language features.

Simplified Build Reporting

Improved functionality to optimize and reduce the size of the build log is now available for all C/C++ tools.

Upgraded Microsoft Visual Studio Support

The Klocwork Visual Studio Extension now supports Visual Studio 2019.

Expanded Compiler Support

Klocwork has made updates and improvements to the following supported compilers:

  • Archelon CSR Kalimba C
  • Clang
  • GNU
  • Green Hills
  • IAR Systems C (compiler/linker for ARM)

What's New in Klocwork 2019.1

Klocwork 2019.1 delivers improvements to security vulnerability detection, standards compliance, and 64-bit support for large projects.

Improved Security Vulnerability Detection

Improved security checkers that detect vulnerabilities related to the tracking of tainted data used in nested structures, stored as array elements, and through casting operations.

Expanded MISRA C:2012 Rules

New and improved MISRA C:2012 standard rules — Rules 18.1 and 19.1 — provide greater coverage and accelerate time-to-market for compliance projects.

Enhanced Analysis Engine

Integrated support for even larger and more complex projects with 64-bit build specification generation on Linux.

Simplified Build Reporting

Klocwork now makes it easier to evaluate the quality of analysis results and whether the build requires review. In addition, there is new optional functionality to optimize and reduce the size of the build log.

Upgraded Microsoft Visual Studio Support

The Klocwork Visual Studio Extension now supports a broader range of Visual Studio 2017 versions and includes general performance improvements.

Added OWASP Top 10 Security Risks for 2017

A new Java taxonomy has been added that covers the OWASP Top 10 Security Risks for 2017.

Expanded Compiler Support

Klocwork has made updates and improvements to the following compiler support:

  • ARM Optimizing C/C++ compiler (formerly TI tms470 C/C++ compiler)
  • Clang
  • GNU
  • Green Hills
  • Microsoft Visual C++
  • Mono Headset SDK
  • Nvidia CUDA
  • Plan 9 C
  • WinAVR
