Klocwork 2017.3 Release Notes

Contents

Release notes
  What's new in Klocwork 2017.3
  What's new in Klocwork 2017.2
  What's new in Klocwork 2017.1
  What's new in Klocwork 2017
  Fixed issues in Klocwork 2017.3
  Fixed issues in Klocwork 2017.2
  Fixed issues in Klocwork 2017.1
  Fixed issues in Klocwork 2017
  Limitations

Release notes

These release notes cover Klocwork 2017.3.

We've reorganized the Release notes by moving items to a section called Limitations on page 27. We also moved some items into troubleshooting topics.

Changes affecting migration

This section details product changes that affect how Klocwork data is migrated from a previous version. For general information about upgrading, see Upgrading from a previous version.

Licensing changes

11.x licenses are not compatible with Klocwork 2017.3. You need a new license to use the latest version of the product. Contact [email protected] to obtain a new license.

We also upgraded the version of FlexNet Publisher as of Klocwork 2017. See What's new in Klocwork 2017.1 on page 9 for more information.

Disabled checkers

If you chose to migrate your projects_root directory, verify that you have the same checker configuration as the previous release before your first integration build analysis.

Visual Studio 2017 help

As of Visual Studio 2017, the Help Viewer component is no longer installed by default and must be explicitly selected during installation. If you attempt to install our Klocwork extension for Visual Studio and you do not have this component installed, you will receive an error because our local help cannot be installed. For more details on this, see Klocwork Help registration could not acquire the location of the Help Viewer.

Kwvcprojparser not supported for Visual Studio 2017

The kwvcprojparser command is not supported for Visual Studio 2017 projects built from the command line.

Workaround: Use the kwinject command to create the build specification.

Android N Java analysis with Jack toolchain

When building Android N using the Jack compiler, some jar files required for Klocwork Java analysis are not generated during the build process. Therefore, kwbuildproject encounters "Unresolved import", "Unresolved method", and "Unresolved name" semantic errors that affect the accuracy of the analysis results.

Workaround: Open a ticket with Klocwork customer support. Customer support can provide a script that can generate the jar files required for analysis. Run the script after running the kwinject command and before running the kwbuildproject command.

What's new in Klocwork 2017.3

Here are the highlights for Klocwork 2017.3. If you're upgrading, also see the Limitations on page 27 for items that affect how you use Klocwork.

Analysis engine accuracy and performance

Building on our reputation for high-performance analysis, we have improved our support of 64-bit platforms for Linux and Mac, extending our ability to analyze very large, complex code bases.

Licensing

In release 2017.3, we upgraded the version of FlexNet Publisher that we support for Windows, Linux, and Mac platforms to version 2016 R2 (11.14.1.2). The versions of FlexNet Publisher used with AIX and Sun Solaris are unchanged.

If you are using your own FlexNet Publisher license server, the Windows, Linux and Mac installations of Klocwork 2017.3 are compatible with FlexNet Publisher 2016 R2 (11.14.1.2) and later. The versions of FlexNet Publisher used by Solaris and AIX are not compatible; therefore, for example, a Klocwork integration build analysis on a Windows machine will not be able to check out a license from a license server running on Solaris or AIX. For more information, see Supported versions of Flex Net Publisher.

Improvements to supported compilers

We've improved support for the following compilers:
• Keil CA51
• StarCore Freescale

For the full list of supported C/C++ compilers, see C/C++ compilers supported for build integration.

Changes to the Path API

In Klocwork 2016, we made a number of changes to the C++ version of our Path API. Chapter 2 of the Klocwork C/C++ Path Analysis API Reference contains a list of deprecated functions and provides a proposed replacement for each. As of Klocwork 2017.1, the use of deprecated functions causes compiler errors instead of compiler warnings. We plan to fully retire the C version of the Path API in 2017, so if you're using deprecated functions, we recommend you migrate to supported functions now. For more information, see Important changes to the Path API in version 11.2.

Checker improvements

From release to release, we improve issue detection to bring state-of-the-art capabilities to our customers. As a result, expect your analysis results to change as accuracy and coverage improve.

New checkers

We added the following checkers:

Checker | Description
MISRA.TOKEN.CPCOM.MULTILINE.2012 | Implements MISRA C 2012 Rule 3.2: Line-splicing shall not be used in // comments.
MISRA.FUNC.NODECL.CALL.2012 | Implements MISRA C 2012 Rule 17.3: A function shall not be declared implicitly.
MISRA.DEFINE.WRONGNAME.C90.2012 and MISRA.DEFINE.WRONGNAME.C99.2012 | Implement MISRA C 2012 Rule 20.4: A macro shall not be defined with the same name as a keyword.
MISRA.STDLIB.INCOMPAT_ARGS.2012_AMD1 | Implements MISRA C 2012 Rule 21.15: The pointer arguments to the Standard Library functions memcpy, memmove and memcmp shall be pointers to qualified or unqualified versions of compatible types.

Modified checkers

We modified the following checkers:

Checker | Impact
ABV.GENERAL | New defects detected.
INFINITE_LOOP.LOCAL | New defects detected.
MISRA.ETYPE.ASSIGN.2012 | Fewer false positives are expected.
MISRA.RESOURCES.FILE.READ_ONLY_WRITE.2012 | New defects detected.
MISRA.STMT.COND.NOT_BOOLEAN.2012 | Fewer false positives are expected.

Enabled or disabled checkers

No changes were made to the default enabled field of the checker configuration files for this release.

Taxonomy improvements

As part of our installation, we offer several custom taxonomy files that map our checkers to standards such as MISRA, CWE, OWASP and DISA STIG. The following is the list of changes to these files in this release:

Note: If you've imported a custom taxonomy (for example, MISRA) in a previous release, you need to import the new taxonomy file to pick up these changes.

Taxonomy file: misra_c_2012_c90.tconf and misra_c_2012_c90_ja.tconf
Changes in this release: We added the following checkers:
• MISRA.FUNC.NODECL.CALL.2012 (rule 17.3)
• MISRA.DEFINE.WRONGNAME.C90.2012 (rule 20.4)
We removed the following checkers:
• MISRA.FUNC.NOPROT.CALL (rules 8.2 and 17.3)
• MISRA.FUNC.UNMATCHED.PARAMS (rule 17.3)

Taxonomy file: misra_c_2012_c99.tconf and misra_c_2012_c99_ja.tconf
Changes in this release: We added the following checkers:
• MISRA.TOKEN.CPCOM.MULTILINE.2012 (rule 3.2)
• MISRA.DEFINE.WRONGNAME.C99.2012 (rule 20.4)
We removed the following checkers:
• MISRA.FUNC.NOPROT.CALL (rule 8.2)

Taxonomy file: misra_c_2012_with_amd1_c90.tconf and misra_c_2012_with_amd1_c90_ja.tconf
Changes in this release: We added the following checkers:
• MISRA.FUNC.NODECL.CALL.2012 (rule 17.3)
• MISRA.DEFINE.WRONGNAME.C90.2012 (rule 20.4)
• MISRA.STDLIB.INCOMPAT_ARGS.2012_AMD1 (rule 21.15)
We removed the following checkers:
• MISRA.FUNC.NOPROT.CALL (rules 8.2 and 17.3)
• MISRA.FUNC.UNMATCHED.PARAMS (rule 17.3)

Taxonomy file: misra_c_2012_with_amd1_c99.tconf and misra_c_2012_with_amd1_c99_ja.tconf
Changes in this release: We added the following checkers:
• MISRA.TOKEN.CPCOM.MULTILINE.2012 (rule 3.2)
• MISRA.DEFINE.WRONGNAME.C99.2012 (rule 20.4)
• MISRA.STDLIB.INCOMPAT_ARGS.2012_AMD1 (rule 21.15)
We removed the following checkers:
• MISRA.FUNC.NOPROT.CALL (rule 8.2)

Changes to system requirements

This section lists changes to the System requirements. We've added support for the following:
• CentOS 7.3-1611
• Debian 8.9 and 9.1
• Fedora 25
• OpenSUSE 42.3
• Red Hat Enterprise Linux 7.4
• Ubuntu 16.04.2 and 17.04
• AIX 7.2 TL1
• Android Studio 2.3.3
• Eclipse 4.7
• IntelliJ IDEA 2017.1.2, 2017.2.2
• Internet Explorer 11.0.10240
• Jenkins 2.7
• TeamCity 2017.1
• FlexNet Publisher for Windows, Linux, and Mac, to 2016 R2 (11.14.1.2)

Changes to commands and options

We haven't modified any commands or command options in this release. For more information about Klocwork commands, see Command Reference.

What's new in Klocwork 2017.2

Here are the highlights for Klocwork 2017.2. If you're upgrading, also see the Limitations on page 27 for items that affect how you use Klocwork.

Quality report

In this release, we've introduced a new quality report. Similar to the security report, our new quality report provides a health check for your project that includes a one-page summary for the selected Klocwork Quality Standard taxonomy. Review items such as the trend of the top three defects, directories with the most quality issues, and more. For more information, see Report types.

In conjunction with the quality report, the Klocwork Quality Standard taxonomies provide a quick and easy way to manage the quality of your projects:
• Klocwork Quality Standard mapped to Klocwork Java checkers
• Klocwork Quality Standard mapped to Klocwork C/C++ checkers
• Klocwork Quality Standard mapped to Klocwork C# checkers

Microsoft Visual Studio extension

We've added two issue filters so that you can now filter issues by severity or by status. The status filter replaces the "Show ignored issues" filter and provides you with the ability to filter issues by any status. For more information, see Tips and tricks for Klocwork Desktop Plug-in for Visual Studio.

DISA-STIG version 4 taxonomies

We've added support for DISA-STIG version 4. For more information, see DISA STIG version 4 IDs mapped to Klocwork C and C++ checkers and DISA STIG version 4 IDs mapped to Klocwork Java checkers.

Improvements to supported compilers

We've added support for the following compilers:
• Renesas CC-RL

We've improved support for the following compilers:
• TI tms320c28x

For the full list of supported C/C++ compilers, see C/C++ compilers supported for build integration.

Licensing

In the first release of Klocwork 2017, we upgraded the version of FlexNet Publisher that we support for Windows, Linux, and Mac platforms. We support version 2016 R1 (11.14.0.2). This upgrade includes a number of security updates and removes the NIC naming limitation of FlexNet Publisher 11.10.0. The versions of FlexNet Publisher used with AIX and Sun Solaris are unchanged.

If you are using your own FlexNet Publisher license server, the Windows, Linux and Mac installations of Klocwork 2017.2 are compatible with FlexNet Publisher 2016 R1 (11.14.0.2) and later. Earlier versions of FlexNet Publisher are not compatible; therefore, for example, a Klocwork integration build analysis on a Windows machine will not be able to check out a license from a license server running on Solaris or AIX.

Changes to the Path API

In Klocwork 2016, we made a number of changes to the C++ version of our Path API. Chapter 2 of the Klocwork C/C++ Path Analysis API Reference contains a list of deprecated functions and provides a proposed replacement for each. As of Klocwork 2017.1, the use of deprecated functions causes compiler errors instead of compiler warnings. We plan to fully retire the C version of the Path API in 2017, so if you're using deprecated functions, we recommend you migrate to supported functions now. For more information, see Important changes to the Path API in version 11.2.

Checker improvements

From release to release, we improve issue detection to bring state-of-the-art capabilities to our customers. As a result, expect your analysis results to change as accuracy and coverage improve.

New checkers

We added the following checkers:

Checker | Description
MISRA.EXPR.SIZEOF.ARRAY_PARAM.2012_AMD1 | Implements MISRA C 2012 Rule 12.5: The sizeof operator shall not have an operand which is a function parameter declared as "array of type".
MISRA.ELIF.COND.NOT_BOOL.2012, MISRA.IF.COND.NOT_BOOL.2012 | Implements MISRA C 2012 Rule 20.8: The controlling expression of a #if or #elif preprocessing directive shall evaluate to 0 or 1.

Modified checkers

We modified the following checkers:

Checker | Impact
MISRA.LITERAL.NULL.PTR.CONST.2012 | Fewer false positives are expected.
NPE.RET | Fewer false positives are expected.

Enabled or disabled checkers

No changes were made to the default enabled field of the checker configuration files for this release.

Taxonomy improvements

As part of our installation, we offer several custom taxonomy files that map our checkers to standards such as MISRA, CWE, OWASP and DISA STIG. The following is the list of changes to these files in this release:

Note: If you've imported a custom taxonomy (for example, MISRA) in a previous release, you need to re-import the new taxonomy file to pick up these changes.

Taxonomy file: disa_stig_v4_cxx.tconf and disa_stig_v4_cxx_ja.tconf
Changes in this release: These are new taxonomies that map Klocwork C/C++ checkers to DISA-STIG version 4.

Taxonomy file: disa_stig_v4_java.tconf and disa_stig_v4_java_ja.tconf
Changes in this release: These are new taxonomies that map Klocwork Java checkers to DISA-STIG version 4.

Taxonomy file: kw_quality_std_cs.tconf and kw_quality_std_cs_ja.tconf
Changes in this release: These new Klocwork Quality Standard taxonomies help you manage the quality of your C# projects and are used in conjunction with our new Quality report.

Taxonomy file: kw_quality_std_cxx.tconf and kw_quality_std_cxx_ja.tconf
Changes in this release: These new Klocwork Quality Standard taxonomies help you manage the quality of your C/C++ projects and are used in conjunction with our new Quality report.

Taxonomy file: kw_quality_std_java.tconf and kw_quality_std_java_ja.tconf
Changes in this release: These new Klocwork Quality Standard taxonomies help you manage the quality of your Java projects and are used in conjunction with our new Quality report.

Taxonomy file: misra_c_2012_c90.tconf and misra_c_2012_c90_ja.tconf
Changes in this release: We added the following checkers:
• MISRA.ELIF.COND.NOT_BOOL.2012 (rule 20.8)
• MISRA.IF.COND.NOT_BOOL.2012 (rule 20.8)

Taxonomy file: misra_c_2012_c99.tconf and misra_c_2012_c99_ja.tconf
Changes in this release: We added the following checkers:
• MISRA.ELIF.COND.NOT_BOOL.2012 (rule 20.8)
• MISRA.IF.COND.NOT_BOOL.2012 (rule 20.8)

Taxonomy file: misra_c_2012_with_amd1_c90.tconf and misra_c_2012_with_amd1_c90_ja.tconf
Changes in this release: We added the following checkers:
• MISRA.EXPR.SIZEOF.ARRAY_PARAM.2012_AMD1 (rule 12.5)
• MISRA.ELIF.COND.NOT_BOOL.2012 (rule 20.8)
• MISRA.IF.COND.NOT_BOOL.2012 (rule 20.8)

Taxonomy file: misra_c_2012_with_amd1_c99.tconf and misra_c_2012_with_amd1_c99_ja.tconf
Changes in this release: We added the following checkers:
• MISRA.EXPR.SIZEOF.ARRAY_PARAM.2012_AMD1 (rule 12.5)
• MISRA.ELIF.COND.NOT_BOOL.2012 (rule 20.8)
• MISRA.IF.COND.NOT_BOOL.2012 (rule 20.8)

Taxonomy file: owasp_2013_10_java.tconf and owasp_2013_10_java_ja.tconf
Changes in this release: We added the following checkers:
A6 Sensitive Data Exposure
• SV.SENSITIVE.DATA
• SV.SENSITIVE.OBJ
A8 Cross-Site Request Forgery (CSRF)
• SV.CSRF.GET
• SV.CSRF.ORIGIN
• SV.CSRF.TOKEN

Changes to system requirements

This section lists changes to the System requirements. We've added support for the following:
• Microsoft Edge 40.15063

Changes to commands and options

We haven't modified any commands or command options in this release. For more information about Klocwork commands, see Command Reference.

What's new in Klocwork 2017.1

Here are the highlights for Klocwork 2017.1. If you're upgrading, also see the Limitations on page 27 for items that affect how you use Klocwork.

Security report

We're excited to introduce our new security report! The security report provides a security health check for your project that includes a one-page summary for the selected security taxonomy. Review items such as the trend of the top three vulnerabilities, riskiest areas, and more. For more information, see Report types.

Microsoft Visual Studio extension

• We've added support for Microsoft Visual Studio 2017.
• We've made improvements to overall stability and server issue performance.
• The latest version of our Klocwork extension for Visual Studio is supported for Visual Studio 2012 and up. For Visual Studio 2010 or older, we recommend you use our Klocwork add-in for Visual Studio.

For more information, see Downloading and deploying the desktop analysis plug-ins.

Analysis engine accuracy and performance

In this release, we've improved how variable names are included in defect messages and traces. We've also made some under-the-hood changes to support upcoming improvements to our analysis engine.

Licensing

In the first release of Klocwork 2017, we upgraded the version of FlexNet Publisher that we support for Windows, Linux, and Mac platforms. We support version 2016 R1 (11.14.0.2). This upgrade includes a number of security updates and removes the NIC naming limitation of FlexNet Publisher 11.10.0. The versions of FlexNet Publisher used with AIX and Sun Solaris are unchanged.

If you are using your own FlexNet Publisher license server, the Windows, Linux and Mac installations of Klocwork 2017.1 are compatible with FlexNet Publisher 2016 R1 (11.14.0.2) and later. Earlier versions of FlexNet Publisher are not compatible; therefore, for example, a Klocwork integration build analysis on a Windows machine will not be able to check out a license from a license server running on Solaris or AIX.

CERT taxonomy enhancements

We've made extensive enhancements to the SEI CERT C and C++ taxonomy, mapping checkers to 50 additional rules. For more information, see Taxonomy improvements on page 10.

Changes to the Path API

In Klocwork 2016, we made a number of changes to the C++ version of our Path API. Chapter 2 of the Klocwork C/C++ Path Analysis API Reference contains a list of deprecated functions and provides a proposed replacement for each. As of this release, the use of deprecated functions causes compiler errors instead of compiler warnings. We plan to fully retire the C version of the Path API in 2017, so if you're using deprecated functions, we recommend you migrate to supported functions now. For more information, see Important changes to the Path API in version 11.2.

C# 6.0 support

We've improved support for the following C# 6.0 features:
• Exception filters
• Improved overload resolution

We now fully support C# 6.0.

C++11 support

We improved C++11 support in Klocwork Checker Studio.

Improvements to supported compilers

We've added support for the following compilers:
• Microchip MPLAB XC8 C

We've improved support for the following compilers:
• GNU
• Microsoft Visual C++
• Synopsys ARC MetaWare

For the full list of supported C/C++ compilers, see C/C++ compilers supported for build integration.

Checker improvements

From release to release, we improve issue detection to bring state-of-the-art capabilities to our customers. As a result, expect your analysis results to change as accuracy and coverage improve.

New checkers

We added the following checkers:

Checker | Description
MISRA.TOKEN.UNTERMINATED.ESCAPE.2012 | Implements MISRA C 2012 Rule 4.1: Octal and hexadecimal escape sequences shall be terminated.
MISRA.DEFINE.NOT_DISTINCT.C90.2012, MISRA.DEFINE.NOT_DISTINCT.C99.2012 | Implements MISRA C 2012 Rule 5.4: Macro identifiers shall be distinct.
MISRA.FUNC.ARRAY.PARAM.STATIC.2012 | Implements MISRA C 2012 Rule 17.6: The declaration of an array parameter shall not contain the static keyword between the [ ].
MISRA.RESOURCES.FILE.READ_ONLY_WRITE.2012 | Implements MISRA C 2012 Rule 22.4: There shall be no attempt to write to a stream which has been opened as read-only.
SV.SENSITIVE.DATA, SV.SENSITIVE.OBJ | For Java, implement CWE-311: Missing Encryption of Sensitive Data.
SV.CSRF.GET, SV.CSRF.ORIGIN, SV.CSRF.TOKEN | For Java, implement CWE-352: Cross-Site Request Forgery.

Modified checkers

We modified the following checkers:

Checker | Impact
ABV.GENERAL | Fewer false positives are expected.

Enabled or disabled checkers

The following changes were made to the default enabled field of the checker configuration files for this release:

The checkers SV.SENSITIVE.DATA and SV.SENSITIVE.OBJ are enabled by default.

Taxonomy improvements

As part of our installation, we offer several custom taxonomy files which map our checkers to standards such as MISRA, CWE, OWASP and DISA STIG. The following is the list of changes to these files in this release:

Note: If you've imported a custom taxonomy (for example, MISRA) in a previous release, you need to re-import the new taxonomy file to pick up these changes.

Taxonomy file: cert_c_cpp.tconf and cert_c_cpp_ja.tconf. In previous releases, these taxonomy files were called cert_10_cxx.tconf and cert_10_cxx_ja.tconf, respectively.
Changes in this release: These taxonomies have significant updates that map additional Klocwork checkers to the SEI CERT C and C++ coding standards. We added the following rules and checkers:

CERT ARR01-C
• CWARN.MEMSET.SIZEOF.PTR

CERT ARR38-C
• ABV.ANY_SIZE_ARRAY
• ABV.GENERAL
• ABV.ITERATOR
• ABV.STACK
• ABV.TAINTED
• ABV.UNKNOWN_SIZE

CERT DCL01-C
• MISRA.VAR.HIDDEN

CERT DCL07-C
• MISRA.FUNC.PROT_FORM.KR.2012
• MISRA.FUNC.NOPROT.DEF
• MISRA.CAST.FUNC_PTR.2012

CERT DCL10-C
• SV.FMT_STR.PRINT_PARAMS_WRONGNUM.FEW
• SV.FMT_STR.PRINT_PARAMS_WRONGNUM.MANY
• SV.FMT_STR.SCAN_PARAMS_WRONGNUM.FEW
• SV.FMT_STR.SCAN_PARAMS_WRONGNUM.MANY

CERT DCL13-C
• MISRA.PPARAM.NEEDS.CONST

CERT DCL23-C
• MISRA.IDENT.DISTINCT.C99.2012

CERT DCL36-C
• MISRA.FUNC.STATIC.REDECL

CERT DCL37-C
• MISRA.DEFINE.WRONGNAME.UNDERSCORE
• MISRA.STDLIB.WRONGNAME.UNDERSCORE
• MISRA.STDLIB.WRONGNAME

CERT ENV01-C
• ABV.ANY_SIZE_ARRAY
• ABV.GENERAL
• ABV.ITERATOR
• ABV.MEMBER
• ABV.STACK
• ABV.TAINTED
• ABV.UNKNOWN_SIZE
• ABV.UNICODE.BOUND_MAP
• ABV.UNICODE.FAILED_MAP
• ABV.UNICODE.NNTS_MAP
• ABV.UNICODE.SELF_MAP

CERT ERR34-C
• MISRA.STDLIB.ATOI

CERT EXP00-C
• MISRA.EXPR.PARENS.2012

CERT EXP08-C
• ABV.ITERATOR
• ABV.GENERAL

CERT EXP12-C
• MISRA.FUNC.UNUSEDRET.2012
This rule no longer maps to MISRA.FUNC.UNUSEDRET.

CERT EXP16-C
• CWARN.FUNCADDR

CERT EXP30-C
• PORTING.VAR.EFFECTS

CERT EXP36-C
• PORTING.CAST.PTR.FLTPNT
• PORTING.CAST.PTR
• PORTING.CAST.PTR.SIZE
• PORTING.CAST.SIZE
• MISRA.CAST.PTR.UNRELATED
• MISRA.CAST.PTR_TO_INT

CERT EXP37-C
• MISRA.FUNC.UNMATCHED.PARAMS

CERT EXP44-C
• MISRA.SIZEOF.SIDE_EFFECT

CERT EXP46-C
• MISRA.LOGIC.OPERATOR.NOT_BOOL

CERT EXP52-CPP
• MISRA.SIZEOF.SIDE_EFFECT

CERT FIO34-C
• CWARN.CMPCHR.EOF

CERT FIO42-C
• RH.LEAK

CERT FIO45-C
• SV.TOCTOU.FILE_ACCESS

CERT FIO46-C
• SV.INCORRECT_RESOURCE_HANDLING.URH

CERT FLP30-C
• MISRA.FOR.COND.FLT
• MISRA.FOR.COUNTER.FLT

CERT INT04-C
• SV.TAINTED.ALLOC_SIZE
• SV.TAINTED.BINOP
• SV.TAINTED.CALL.BINOP
• SV.TAINTED.CALL.INDEX_ACCESS
• SV.TAINTED.CALL.LOOP_BOUND
• SV.TAINTED.INDEX_ACCESS
• SV.TAINTED.LOOP_BOUND

CERT INT07-C
• PORTING.SIGNED.CHAR

CERT INT09-C
• MISRA.ENUM.IMPLICIT.VAL.NON_UNIQUE.2012

CERT INT12-C
• MISRA.BITFIELD.TYPE

CERT INT13-C
• MISRA.BITS.NOT_UNSIGNED
• MISRA.BITS.NOT_UNSIGNED.PREP

CERT INT30-C
• NUM.OVERFLOW
• CWARN.NOEFFECT.OUTOFRANGE

CERT INT31-C
• PRECISION.LOSS
• PRECISION.LOSS.CALL

CERT INT33-C
• DBZ.CONST
• DBZ.CONST.CALL
• DBZ.GENERAL
• DBZ.ITERATOR

CERT INT36-C
• MISRA.CAST.OBJ_PTR_TO_INT.2012

CERT MEM00-C
• MLK.MIGHT
• MLK.MUST
• MLK.RET.MIGHT
• MLK.RET.MUST
• FNH.MIGHT
• FNH.MUST
• FUM.GEN.MIGHT
• FUM.GEN.MUST
• RH.LEAK

CERT MEM05-C
• MISRA.FUNC.RECUR

CERT MEM12-C
• MLK.MIGHT
• MLK.MUST
• MLK.RET.MIGHT
• MLK.RET.MUST
• RH.LEAK

CERT MEM31-C
• MLK.RET.MUST
• MLK.RET.MIGHT
This rule also no longer maps to UFM.FFM.MIGHT or UFM.FFM.MUST.

CERT MEM35-C
• INCORRECT.ALLOC_SIZE

CERT MEM50-CPP
• UFM.DEREF.MIGHT
• UFM.DEREF.MUST
• UFM.FFM.MIGHT
• UFM.FFM.MUST
• UFM.RETURN.MIGHT
• UFM.RETURN.MUST
• UFM.USE.MIGHT
• UFM.USE.MUST

CERT MSC01-C
• MISRA.SWITCH.WELL_FORMED.DEFAULT.2012
• INFINITE_LOOP.GLOBAL
• INFINITE_LOOP.LOCAL
• INFINITE_LOOP.MACRO
This rule no longer maps to MISRA.SWITCH.NODEFAULT.

CERT MSC07-C
• LA_UNUSED
• UNREACH.GEN
• UNREACH.RETURN
• UNREACH.SIZEOF
• INVARIANT_CONDITION.UNREACH

CERT MSC12-C
• LA_UNUSED
• VA_UNUSED.GEN
• VA_UNUSED.INIT
• INVARIANT_CONDITION.UNREACH

CERT MSC17-C
• MISRA.SWITCH.WELL_FORMED.BREAK.2012
This rule no longer maps to MISRA.SWITCH.NO_BREAK.

CERT POS39-C
• BYTEORDER.NTOH.RECV
• BYTEORDER.NTOH.READ
• BYTEORDER.HTON.SEND
• BYTEORDER.HTON.WRITE
This rule no longer maps to PORTING.BYTEORDER.SIZE.

CERT POS51-C
• CONC.DL

CERT POS52-C
• CONC.SLEEP

CERT POS54-C
• SV.RVT.RETVAL_NOTTESTED

CERT PRE00-C
• MISRA.DEFINE.FUNC

CERT PRE01-C
• MISRA.DEFINE.NOPARS

CERT PRE02-C
• MISRA.DEFINE.BADEXP

CERT PRE05-C
• MISRA.DEFINE.SHARP.ORDER.2012

CERT PRE06-CPP
• MISRA.INCGUARD

CERT PRE06-C
• MISRA.INCGUARD

CERT PRE10-C
• MISRA.DEFINE.BADEXP

CERT STR05-C
• MISRA.STRING_LITERAL.NON_CONST.2012

CERT STR32
• MISRA.STRING_LITERAL.NON_CONST.2012

CERT WIN00-C
• SV.DLLPRELOAD.NONABSOLUTE.DLL
• SV.DLLPRELOAD.NONABSOLUTE.EXE
• SV.DLLPRELOAD.SEARCHPATH

CERT WIN30-C
• FMM.MIGHT
• FMM.MUST

Taxonomy file: cwe_10_java.tconf and cwe_10_java_ja.tconf
Changes in this release: We added the following checkers:
• SV.CSRF.GET (CWE-352)
• SV.CSRF.TOKEN (CWE-352)
• SV.CSRF.ORIGIN (CWE-352)
• SV.SENSITIVE.DATA (CWE-311)
• SV.SENSITIVE.OBJ (CWE-311)

Taxonomy file: cwe_25_java.tconf and cwe_25_java_ja.tconf
Changes in this release: We added the following checkers:
• SV.CSRF.GET (CWE-352)
• SV.CSRF.TOKEN (CWE-352)
• SV.CSRF.ORIGIN (CWE-352)
• SV.SENSITIVE.DATA (CWE-311)
• SV.SENSITIVE.OBJ (CWE-311)

Taxonomy file: dista_stig_10_cxx.tconf and dista_stig_10_cxx_ja.tconf
Changes in this release: We added the following checkers:

APP3120
• MISRA.CATCH.ALL
• MISRA.CATCH.NOALL
• MISRA.CATCH.WRONGORD

APP3150.1, APP3330, APP3340
• RCA
• RCA.HASH.SALT.EMPTY
• HCC
• HCC.USER
• HCC.PWD

APP3510
• SV.TAINTED.BINOP
• SV.TAINTED.CALL.BINOP
• SV.TAINTED.PATH_TRAVERSAL
• SV.TAINTED.SECURITY_DECISION
• SV.TAINTED.DEREF
• SV.TAINTED.CALL.DEREF

APP3550
• DBZ.GENERAL
• DBZ.CONST.CALL
• DBZ.ITERATOR
• MISRA.UMINUS.UNSIGNED
• MISRA.CAST.UNSIGNED_BITS
• MISRA.CAST.FLOAT
• MISRA.CAST.FLOAT_INT
• MISRA.CAST.FLOAT.WIDER
• MISRA.CAST.FUNC_PTR
• MISRA.CAST.FUNC_PTR.2012
• MISRA.CAST.FUNC_PTR.CPP
• MISRA.CAST.INCOMPLETE_PTR_TO_ANY.2012
• MISRA.CAST.INT
• MISRA.CAST.INT_FLOAT
• MISRA.CAST.INT.SIGN
• MISRA.CAST.INT_TO_PTR
• MISRA.CAST.INT.WIDER
• MISRA.CAST.OBJ_PTR_TO_INT.2012
• MISRA.CAST.OBJ_PTR_TO_NON_INT.2012
• MISRA.CAST.OBJ_PTR_TO_OBJ_PTR.2012
• MISRA.CAST.POLY.TYPE
• MISRA.CAST.PTR
• MISRA.CAST.PTR_TO_INT
• MISRA.CAST.PTR.UNRELATED
• MISRA.CAST.PTR.VRCLASS
• MISRA.CAST.UNSIGNED_BITS
• MISRA.CAST.VOID_PTR_TO_INT.2012
• MISRA.CAST.VOID_PTR_TO_OBJ_PTR.2012
• SV.TAINTED.BINOP
• SV.TAINTED.CALL.BINOP

APP3590.1
• RABV.CHECK

Taxonomy file: misra_c_2012_c90.tconf and misra_c_2012_c90_ja.tconf
Changes in this release: We added the following checkers:
• MISRA.DEFINE.NOT_DISTINCT.C90.2012 (rule 5.4)
• MISRA.RESOURCES.FILE.READ_ONLY_WRITE.2012 (rule 22.4)

Taxonomy file: misra_c_2012_c99.tconf and misra_c_2012_c99_ja.tconf
Changes in this release: We added the following checkers:
• MISRA.DEFINE.NOT_DISTINCT.C99.2012 (rule 5.4)
• MISRA.FUNC.ARRAY.PARAM.STATIC.2012 (rule 17.6)
• MISRA.RESOURCES.FILE.READ_ONLY_WRITE.2012 (rule 22.4)

Taxonomy file: misra_c_2012_with_amd1_c90.tconf and misra_c_2012_with_amd1_c90_ja.tconf
Changes in this release: We added the following checkers:
• MISRA.DEFINE.NOT_DISTINCT.C90.2012 (rule 5.4)
• MISRA.RESOURCES.FILE.READ_ONLY_WRITE.2012 (rule 22.4)

Taxonomy file: misra_c_2012_with_amd1_c99.tconf and misra_c_2012_with_amd1_c99_ja.tconf
Changes in this release: We added the following checkers:
• MISRA.DEFINE.NOT_DISTINCT.C99.2012 (rule 5.4)
• MISRA.FUNC.ARRAY.PARAM.STATIC.2012 (rule 17.6)
• MISRA.RESOURCES.FILE.READ_ONLY_WRITE.2012 (rule 22.4)

Changes to system requirements

This section lists changes to the System requirements. We've added support for the following:
• Debian 7.11, 8.7
• Red Hat Enterprise Linux 7.3
• OpenSUSE 11.4 (Ent), 12.2 (Ent), 42.2
• Mac OS X 10.11.6
• Microsoft Visual Studio 2017
• Android Studio 2.2.2
• JetBrains IntelliJ IDEA 2016.3
• Gradle (up to) version 3.41

Windows, Linux, Solaris, and Mac now use MySQL 5.6.35. We've updated the version of Tomcat to 7.0.76.

Changes to commands and options

We haven't modified any commands or command options in this release. For more information about Klocwork commands, see Command Reference.

What's new in Klocwork 2017

Here are the highlights for Klocwork 2017. If you're upgrading, also see the Limitations on page 27 for items that affect how you use Klocwork.

SmartRank your issues

Tired of sorting and filtering issues in the usual ways? You can use SmartRank to prioritize and review issues in your projects. Based on a sophisticated analysis of your code, including factors such as analysis complexity, we identify and apply a SmartRank recommendation to a subset of detected issues. These are issues that you can be highly confident are true issues and we recommend you investigate them first. For more information, see Using SmartRank to prioritize issues.

Microsoft Visual Studio extension

We've simplified how issues are described in the Visual Studio extension. Local issues and System issues are now simply referred to as Desktop issues. Issues that have only been found by the integration build are referred to as Server issues. We've also improved the overall performance of the Visual Studio extension.

Analysis engine accuracy and performance

In this release, we upgraded our analysis engine to improve the tracking of numeric intervals for symbolic expressions. In addition to increasing the accuracy of the analysis engine, you can also expect to see, on average, a 10% improvement in analysis speed.

C# 6.0 support

We've added support for the following C# 6.0 features:
• Auto-property initializers
• Function members with expression-bodies
• Getter-only auto-properties
• Index initializers
• Using static

C++11 support

We've added support for the following C++11 features:
• Alignment support
• Strongly-typed enums

Licensing

For Windows, Linux, and Mac platforms, we've upgraded the version of FlexNet Publisher that we support to version 2016 R1 (11.14.0.2). This upgrade includes a number of security updates and removes the NIC naming limitation of FlexNet Publisher 11.10.0. The versions of FlexNet Publisher used with AIX and Sun Solaris are unchanged.

If you are using your own FlexNet Publisher license server, the Windows, Linux and Mac installations of Klocwork 2017 are compatible with FlexNet Publisher 2016 R1 (11.14.0.2) and later. Earlier versions of FlexNet Publisher are not compatible.

Changes to the Path API

In case you missed it last time, in Klocwork 2016 we made a number of changes to the C++ version of our Path API. Chapter 2 of the Klocwork C/C++ Path Analysis API Reference contains a list of deprecated functions and provides a proposed replacement for each. Currently, the use of deprecated functions causes compiler warnings to be generated. In a future release of Klocwork 2017, Klocwork will generate compiler errors instead of compiler warnings. We plan to fully retire the C version of the Path API by mid-2017, so if you're using deprecated functions, we recommend you migrate to supported functions now. For more information, see Important changes to the Path API in version 11.2.

Continuous integration improvements

The Jenkins CI plug-in now runs on Mac OS. For more information about our continuous integration work flow, see Continuous integration and Klocwork analysis and our continuous integration videos. If you are an existing customer interested in Klocwork's continuous integration feature, contact your sales professional.

Improvements to supported compilers

We've added support for the following compilers:
• HI-CROSS+ Motorola HC16
• MPLAB XC16 C
• Nintendo N32 and N64

We've improved support for the following compilers:
• Clang
• GNU
• Intel C++
• Synopsys ARC MetaWare
• WindRiver GCC

For the full list of supported C/C++ compilers, see C/C++ compilers supported for build integration.

Checker improvements

From release to release, we improve issue detection to bring state-of-the-art capabilities to our customers. As a result, expect your analysis results to change as accuracy and coverage improve.

New checkers

We added the following checkers:

| Checker | Description |
| --- | --- |
| MISRA.FUNC.MODIFIEDPAR.2012 | Implements MISRA C 2012 Rule 17.8: A function parameter should not be modified. |
| MISRA.INCR_DECR.SIDEEFF.2012 | Implements MISRA C 2012 Rule 13.3: A full expression containing an increment (++) or decrement (--) operator should have no other potential side effects other than that caused by the increment or decrement operator. |
| MISRA.PTR.ARITH.2012 | Implements MISRA C 2012 Rule 18.4: The +, -, += and -= operators should not be applied to an expression of pointer type. |
| MISRA.RESOURCES.FILE.USE_AFTER_CLOSE.2012 | Implements MISRA C 2012 Rule 22.6: The value of a pointer to a FILE shall not be used after the associated stream has been closed. |
| MISRA.FUNC.NOPROT.DEF.2012 | Implements MISRA C 2012 Rule 8.4: A compatible declaration shall be visible when an object or function with external linkage is defined. |
| MISRA.STDLIB.ABORT.2012_AMD1 | Implements MISRA C 2012 Rule 21.8: The library functions abort, exit, and system of 'stdlib.h' shall not be used. |
| MISRA.STDLIB.FENV.2012, MISRA.STDLIB.FENV.MACRO.2012 | Implements MISRA C 2012 Rule 21.12: The exception handling features of <fenv.h> should not be used. |

Modified checkers

We modified the following checkers:

| Checker | Impact |
| --- | --- |
| INFINITE_LOOP.LOCAL | New defects detected. |
| ITER.CONTAINER.MODIFIED | Fewer false positives are expected. |
| MISRA.CAST.OBJ_PTR_TO_OBJ_PTR.2012 | New defects detected. |
| MISRA.FUNC.UNUSEDPAR | Fewer false positives are expected. |
| RABV.CHECK | Fewer false negatives are expected. |
| RCA | New defects detected. |
| SV.TAINTED.INDEX_ACCESS | New defects detected. |

Enabled or disabled checkers

No changes were made to the default enabled field of the checker configuration files for this release. No checkers previously enabled by default were disabled. None of the new checkers are enabled by default.

Taxonomy improvements

As part of our installation, we offer several custom taxonomy files which map our checkers to standards such as MISRA, CWE, OWASP and DISA STIG. The following is the list of changes to these files in this release:

Note: If you've imported a custom taxonomy (for example, MISRA) in a previous release, you need to re-import the new taxonomy file to pick up these changes.

Modified taxonomies

Custom taxonomy file: misra_c_2012_c90.tconf and misra_c_2012_c90_ja.tconf
Changes in this release:
We added the following checkers:
• MISRA.RESOURCES.FILE.USE_AFTER_CLOSE.2012 (Rule 22.6)
• MISRA.FUNC.NOPROT.DEF.2012 (Rule 8.4)
• MISRA.PTR.ARITH.2012 (Rule 18.4)
• MISRA.INCR_DECR.SIDEEFF.2012 (Rule 13.3)
• MISRA.FUNC.MODIFIEDPAR.2012 (Rule 17.8)
We removed one checker:
• MISRA.FUNC.NOPROT.DEF (Rule 8.4)

Custom taxonomy file: cwe_25_cxx.tconf and cwe_25_cxx_ja.tconf
Changes in this release:
We modified the following items:
• NNTS.TAINTED now maps to CWE-120.
• NUM.OVERFLOW, SV.TAINTED.BINOP, and SV.TAINTED.CALL.BINOP now map to CWE-190.

Custom taxonomy file: cwe_10_cxx.tconf and cwe_10_cxx_ja.tconf
Changes in this release:
We modified the following items:
• INCORRECT.ALLOC_SIZE no longer maps to CWE-190.
• SV.TAINTED.BINOP and SV.TAINTED.CALL.BINOP map to CWE-190.
• CONC.DL no longer maps to CWE-362.
• SV.TOCTOU.FILE_ACCESS now maps to CWE-362.
• MISRA.STDLIB.ATOI no longer maps to CWE-676.

Custom taxonomy file: misra_c_2012_c99.tconf and misra_c_2012_c99_ja.tconf
Changes in this release:
We added the following checkers:
• MISRA.RESOURCES.FILE.USE_AFTER_CLOSE.2012 (Rule 22.6)
• MISRA.FUNC.NOPROT.DEF.2012 (Rule 8.4)
• MISRA.PTR.ARITH.2012 (Rule 18.4)
• MISRA.STDLIB.FENV.2012 and MISRA.STDLIB.FENV.MACRO.2012 (Rule 21.12)
• MISRA.INCR_DECR.SIDEEFF.2012 (Rule 13.3)
• MISRA.FUNC.MODIFIEDPAR.2012 (Rule 17.8)
We removed one checker:
• MISRA.FUNC.NOPROT.DEF (Rule 8.4)

Custom taxonomy file: misra_c_2012_with_amd1_c90.tconf and misra_c_2012_with_amd1_c90_ja.tconf
Changes in this release:
New taxonomy that includes all MISRA C 2012 C90 checkers, plus all checkers related to MISRA C: 2012 Amendment 1.

Custom taxonomy file: misra_c_2012_with_amd1_c99.tconf and misra_c_2012_with_amd1_c99_ja.tconf
Changes in this release:
New taxonomy that includes all MISRA C 2012 C99 checkers, plus all checkers related to MISRA C: 2012 Amendment 1.

Changes to system requirements

This section lists changes to the System requirements.

We've added support for the following:
• Windows 10 Anniversary
• Windows Server 2016
• Ubuntu 16.10
• Fedora 25
• AIX 7.1 TL 4
• Eclipse 4.6.2

We no longer support the following:
• Ubuntu 12.04, 15.10
• Fedora 22
• OpenSUSE 13.1
• CentOS 5.11
• QNX Momentics 4.6, 4.7, 4.8, 5.0
• Visual Studio 2005
• AIX 6.1 TL 9, 7.1 TL 2
• Mac OS X Mavericks 10.9.5
• Windows Vista
• Microsoft Edge 34.14291
• Safari versions 6.x and earlier

Changes to commands and options

We modified the kwadmin load command by removing the --copy-tables option. If you are an existing customer and have scripts that use this option, it will be ignored. For more information about Klocwork commands, see Command Reference.

Fixed issues in Klocwork 2017.3

The following issues were fixed in Klocwork 2017.3.

General issues

| Number | Description |
| --- | --- |
| 00034958, 00035338 | Fixed a license issue related to hardware dongles. |
| 00035770 | Corrected a term that had been mis-translated in Japanese. |
| 00035636, 00035954 | Fixed an issue with print preview related to issues that contain comments. |
| 00035446 | Improved support for the StarCore Freescale compiler. |
| 00034900, 00035956, 00035506 | Fixed a build issue related to Gradle version 3.3. |
| 00035654 | Improved support for the Keil CA51 compiler. |
| 00034748 | Fixed an issue with checker configuration related to MISRA checkers being available on C# projects in Visual Studio. |
| 00035089, 00035878 | Improved support for Incredibuild version 8.0.1. |
| 00035566, 00036200 | Fixed a licensing issue related to stuck licenses not being released after the linger time expired. |
| 00035361, 00035947, 00035808, 00036033 | Fixed an issue with loading tables in an environment where the server and analysis are separated. |

Checker issues

| Number | Description |
| --- | --- |
| 00035014, 00035543, 00030294, 00030946, 00035471 | Improved the accuracy of the checker MISRA.ETYPE.ASSIGN.2012. |
| 00030818, 00035219, 00035470, 00035472 | Improved the accuracy of the checker MISRA.STMT.COND.NOT_BOOLEAN.2012. |

Documentation issues

| Number | Description |
| --- | --- |
| 00035645, 00035773 | Added a troubleshooting topic regarding NFS file locking issues. |
| 00035767 | Added a troubleshooting topic regarding kwadmin load issues in a 32-bit Windows environment. |
| 00035656 | Fixed the code samples for the checker CS.NPS. |
| 00035839 | Corrected text descriptions for several checkers. |
| 00035959 | Updated the list of required Linux operating system packages. |
| 00030131 | Updated the instructions for deploying custom checkers to state that you need to deploy custom checkers to each build machine as well as the Klocwork Server. |
| 00030805 | Added information about how Structure 101 licenses work. |
| 00035158, 00035580, 00035922, | Added information about how to ensure custom C# checkers show up properly when deployed to the desktop. |

Fixed issues in Klocwork 2017.2

The following issues were fixed in Klocwork 2017.2.

General issues

| Number | Description |
| --- | --- |
| 00030187, 00033738 | Fixed an issue with Checker Studio where the final keyword was not recognized. |
| 00035168 | Fixed an issue with the dbvalidate tool related to defects with multiple creation times. |
| 00034524 | Fixed an issue with the Eclipse plug-in related to Code Review. |
| 00034430 | Fixed an issue where the grouping messages were displayed in Japanese even if the project locale was set to English. |
| 00034412 | Fixed an error with the kwbuildproject command related to adding a metric threshold file. |
| 00034403 | Fixed an issue with the kwxsync command related to the cleanup of temporary files. |
| 00032428, 00033151 | Fixed an issue related to search queries that used a combination of both included and excluded modules. |
| 00033889, 00035133 | Fixed a build issue related to alignment pragmas that are isolated in a separate file. |
| 00035116, 00035188 | Fixed an issue with the kwbuildproject command related to missing include errors. |
| 00024766 | Fixed an issue with the reports filter related to the metrics taxonomy. |
| 00035203 | Fixed an issue with the Visual Studio extension related to closing files during analysis. |
| 00034668 | Fixed an issue with Android O that significantly improved analysis time. |
| 00035083 | Improved support for the TI tms320c28x C/C++ compiler. |
| 00034546 | Added support for MISRA C 2012 rule 20.7. |
| 00035371 | Added new taxonomies to support DISA-STIG version 4. |
| 00034958, 00035338 | Fixed an issue with licensing related to hardware dongles. |
| 00033617 | Added support for the Renesas CC-RL compiler. |
| 00034581 | Fixed an issue that prevented analysis on a specific project from completing properly. |
| 00035132 | Fixed a build issue related to entity IDs. |
| 00034782 | Fixed a build issue that caused duplicate entries in the build specification file. |
| 00034228 | Fixed an issue related to line numbers not being included in exported XML files. |

Checker issues

| Number | Description |
| --- | --- |
| 00034357, 00022288 | Reduced false positives with the checker NPE.RET related to virtual methods. |
| 00034114, 00034548, 00034662, 00034786, 00034933 | Reduced false positives with the checker MISRA.LITERAL.NULL.PTR.CONST.2012. |

Documentation issues

| Number | Description |
| --- | --- |
| 00034038 | Improved the procedure for installing the Wind River plug-in. |
| 00034382 | Clarified that Klocwork does not support using the minus sign with either the comment keyword or the state keyword. |
| 00033279 | Added an example for the kwbuildproject --add-compiler-options command that shows how to specify a path name that contains spaces. |
| 00034320 | Improved the instructions for setting up single sign-on. |
| 00034823 | Improved the procedure for installing the MISRA checker packages. |

Fixed issues in Klocwork 2017.1

The following issues were fixed in Klocwork 2017.1.

General issues

| Number | Description |
| --- | --- |
| 00034049 | In the Jenkins CI plugin, removed the requirement for the Perform Klocwork Analysis check box to be selected. |
| 00033205 | Improved support for the Microsoft Visual C++ compiler. |
| 00033757 | Fixed parse error for Android N related to processing lambda conversions. |
| 00032032 | Fixed an issue with Android N and M related to the removeCallbacks method. |
| 00033824 | For Windows, Linux, Solaris, and Mac platforms, upgraded the version of MySQL to 5.6.35. |
| 00034562 | Fixed an issue with the kwprojcopy command related to Shift-JIS encoding. |
| 00030935 | Added support for additional options (-cc1 and -main-file-name) in the qdsp compiler filter. |
| 00034220 | Fixed an issue with analysis related to the method GetFullName(). |
| 00033780 | Improved support for the Microsoft Visual Studio compiler. |
| 00033937 | Improved support for the Synopsys ARC MetaWare compiler. |
| 00033981 | Fixed an issue with Visual Studio 2012 related to a null value in a list of pre-defined macros. |
| 00032338 | To restrict database access to localhost, added support for binding mysql to localhost. |
| 00034582 | Fixed an issue with analysis related to cases where file descriptors are not readable. |
| 00033531 | Fixed a compiler issue related to integral number suffixes. |
| 00030628 | Removed license restrictions associated with the update_status api. |
| 00032619 | Added/improved support for LLVM. |
| 00033651, 00033826, 00033827 | Added support for the Microchip MPLAB XC8 C compiler. |
| 00034104 | Fixed parse errors on a project related to compiler identification. |
| 00034851 | Improved support for Internet Explorer version 11.0.9600 following Microsoft Security Bulletin MS17-006. |
| 00034121 | Fixed an issue with VS 2015 analysis related to the _Bool keyword. |
| 00034271, 00034275 | Updated the server subcomponent installation packaging to include a new file. |
| 00034681 | Fixed an issue with the Visual Studio Extension related to server synchronization. |
| 00021283 | Updated the Linux installer to add a message to the log file if a user installs a 32-bit version of the product on a 64-bit OS. |
| 00034207 | Upgraded the version of the Apache Commons collections that Klocwork uses to fix a security vulnerability. |
| 00034640 | Fixed an issue related to the analysis of projects with zero defects. |
| 00033576 | Fixed an issue with Android N related to the storage of semantic information. |
| 00034942 | Enhanced file name checks to prevent users from importing configuration files if the name doesn't exist locally (to prevent typos in filenames). |

Documentation issues

| Number | Description |
| --- | --- |
| 00033427 | Improved the Japanese translation for kwcreatechecker --help messages. |
| 00034027, 00034476 | Updated the Japanese translation of the list of Fixed issues for Klocwork 2016.3 and Supported platforms to include all the content in the English versions of the topics. |
| 00034428 | Updated the documentation to state that Klocwork supports the LEVINHER class-level metric for Java. |
| 00033391 | Verified that a link in the online documentation for getting started with the Eclipse plugin points to the correct section. |
| 00033735 | Clarified which builds Klocwork includes in the build count when a build retention policy is set. |
| 00034924 | Added a link from the top section of the Release Notes to What's New so that users can more easily locate information about licensing changes in Klocwork 2017. |
| 00032077 | Added the section, "Validate your database" to the section "Importing an existing project into a new projects root" as it is a mandatory step in both imports and migrations. |

Fixed issues in Klocwork 2017

The following issues were fixed in Klocwork 2017.

General issues

| Number | Description |
| --- | --- |
| 00033008 | Fixed a performance issue with kwxsync. |
| 00030204, 00030815, 00031092, 00033263 | Fixed an issue with the Portal related to searching for comments. |
| 00032427 | Fixed an issue in C# analysis related to the handling of arguments and parameters with no type. |
| 00032909 | Corrected parse errors when analyzing CUDA source files. |
| 00032124 | Fixed an issue where the source code for a defect and the build number displayed in the portal could be out of sync, especially for fixed defects. |
| 00032907 | Added support for the Nintendo N32 and N64 compilers. |
| 00033559, 00028539 | Improved support for C++11 related to a decltype specifier. |
| 00032396 | Added support in kwlogparser for custom script files referenced in the emake annotation file from Electric Cloud. |
| 00033484 | Added support for the HI-CROSS+ Motorola HC16 compiler. |
| 00032910 | Improved support for the Intel C++ compiler. |
| 00033611 | Fixed a build issue related to C++ friend declarations. |
| 00031951 | Fixed an issue that caused a previously cited issue to be displayed as a new issue. |
| 00033505 | Fixed an issue with the Jenkins plug-in related to trace information not showing. |
| 0032528, 00031706, 00031720, 00032006, 00032399, 00032528, 00033801 | Upgraded to version 11.14.0 of FlexNet Publisher for Linux, Windows, and Mac platforms. |
| 0033486 | Fixed parse errors on a project related to macro expansion. |
| 00033696 | Fixed an issue with kwbuildproject related to memory allocation. |
| 00033583 | Fixed parse errors related to function templates. |
| 00033194 | Improved support for the Intel C++ compiler. |
| 00032298 | Fixed an issue with generating build specifications for Android N related to incremental linking and object file copying. |
| 00030656 | Fixed an issue with the Clang compiler related to the --save-temps option. |
| 00027552, 00029290, 00029109, 00030790 | Fixed an issue with metrics related to incorrect NCNBLOC_METHOD values. |

Checker issues

| Number | Description |
| --- | --- |
| 00033196 | Reduced false positives with the checker ITER.CONTAINER.MODIFIED related to the range_end iterator. |
| 00033040 | Corrected false negatives with the checker SV.TAINTED.INDEX_ACCESS related to converting to and from a pointer. |
| 00033429 | Corrected false negatives with the checker MISRA.CAST.OBJ_PTR_TO_OBJ_PTR.2012 related to a cast between a pointer to an object and a different pointer type. |
| 00032019 | Reduced false positives with the checker MISRA.FUNC.UNUSEDPAR related to template functions inside of class templates. |

Documentation issues

| Number | Description |
| --- | --- |
| 00031745 | Added a note to the documentation to state that we don't support snapshot views for ClearCase. |
| 00032984 | Rewrote the section about installing MISRA checkers for clarity. |

Limitations

This section contains limitations added in both this release and in previous releases.

Limitations for installation, upgrade and deployment

If re-installing the Klocwork plug-in for TeamCity, make sure the Project Settings do not have the 'klocwork.step.enabled' parameter

If you have installed and uninstalled the Klocwork plug-in for TeamCity previously, this parameter may have been defined. When doing a new installation, ensure this parameter has been removed.

Workaround: To remove this parameter, access your TeamCity server and go to Administration -> -> Project Settings -> Configuration Parameters. From this page, remove the 'klocwork.step.enabled' parameter.

Limitations for Checker configuration migration

Note the following limitations with checker configuration files during the upgrade process (via the import process):
• Only modifications to default checker configuration files are imported. If you had a non-default checker enabled in an earlier installation and it was renamed in a new version, you will not see the checker in new builds. You must manually re-enable the checker in the new version of Klocwork.
• If a checker that was enabled by default was renamed in the new version of Klocwork, you will not see new codes until the first system build of the new installation.

java_wrappers.conf is no longer used to edit heap size setting

A new file, java_wrappers_memory.conf is created during installation, that populates appropriate heap sizes according to your machine's memory. If you want to modify the heap size, modify this file. The previous recommendation to modify the java_wrappers.conf on Windows is deprecated, as those settings are ignored. Similarly, the previous recommendation for Linux, to modify the last two lines in the shell scripts under /bin, is unsafe as it may conflict with the java_wrappers_memory.conf settings.

Limitation for importing projects with existing reports

If you attempt to import a project with existing reports that use default metric names, you may see unexpected results.

Workaround: When importing a project, ensure that the reports do not use default metric names. If you encounter this error message, you can either delete and re-create the report or edit the metrics.xml file, ensuring that missing or disabled definitions are enabled.

You must have the Microsoft .NET 4.0 Framework installed in order to run Windows services

This framework is installed by default as part of Windows 8 and Windows 10. For all other versions of Windows, you must download the Microsoft .NET 4.0 Framework Installer and install the framework manually.

Limitations for Mac OS support

• On Mac, clients running version 11.14.0.2 cannot connect to a Klocwork 2017.3 server running 11.14.1.2. For a workaround, see kwlef error states license is not valid.
• Distributed Analysis is not supported.
• For developers, plug-in support is provided for Eclipse and IntelliJ IDEA. If your developers are not using Eclipse or IntelliJ IDEA, they need to use Klocwork Desktop Command Line for C/C++ or Java (kwcheck) or Klocwork Desktop to analyze their code and view detected issues. See Fixing issues before check-in with Klocwork Desktop Analysis.
• System Integrity Protection (SIP) blocks the kwinject command from running properly on Mac OS X 10.10 and later. Kwinject returns the following warning, with error code 1: "System Integrity Protection is enabled. kwinject cannot inject to process." Workaround: Disable SIP on the machine running the Klocwork analysis or see Using kwwrap plus kwinject to generate a build specification.

Limitations for build integration

Cannot load Android 4.4 (KitKat) using the default memory settings for kwloaddb, kwadmin and kwjava

When building the Android platform, you may need to increase the memory settings for certain Klocwork tools on the machine invoking the load process. These values can be modified in the /config/java_wrappers_memory.conf file.

Limitations for C# analysis

Klocwork's C# analysis is supported only on Windows.

The following features are not supported for C# integration projects:

Feature: Build integration
Details:
• kwinject cannot be used to create a build specification for a C# project. Instead, use kwcsprojparser.
• Build specification templates

Feature: Integration build analysis
Details:
• Mixed-language projects (you need to create one C/C++ project and one C# project)
• Parallel analysis
• Incremental analysis

Feature: Klocwork Static Code Analysis
Details:
• "Show implementation", "Show declaration", and Source Cross-Reference

Feature: Distributed analysis
Details:
• Distributed analysis is not supported for C#.

The following features are not supported for C# desktop analysis:
• On-the-fly analysis
• Display of server issues in Visual Studio
• Parallel analysis
• Incremental analysis
• File-level analysis in Visual Studio (only solutions and projects can be analyzed)
• Using metric thresholds and knowledge bases

Using metric thresholds and knowledge bases is not supported for C# server build analysis.

Limitations for Klocwork Static Code Analysis

In Microsoft Edge, some items may not be clickable

Due to a Microsoft Edge issue, some items in the portal may not be clickable. For more information, see https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/5782378/

Workaround: Refresh the page.

Middle-clicking a link doesn't open it in a new tab when using Google Chrome

Due to a bug in Google Chrome, some links do not open in a new tab when they are middle clicked, shift-clicked or ctrl-clicked after the first time the link is opened in this manner. Each successive attempt simply opens the link within the active tab. For more information, see http://code.google.com/p/chromium/issues/detail?id=177502.

Workaround: Refresh the page and this will allow you to open the link in a new tab the first time you attempt it.

Limitations for Klocwork Desktop Analysis

Analysis is not supported for 'no-resolve' mode in certain scenarios

The "no-resolve" mode was added to support symbolic links to source files on Linux. Symbolic links to directories are not supported. The Eclipse plug-in supports the "no-resolve" mode only if project is configured to use an external build specification, and that build specification was created by using kwinject with "--no-resolve" option. For WindRiver Workbench users, you will receive an error message if you attempt to use a project with exterior sources linked to it.

Limitations for the Visual Studio plug-in

The filter by severity option in the Microsoft Visual Studio extension may not display custom severities for C++ projects

For C++ projects where you have defined custom severities, the severity filter list may not display the correct items. The list may display default severity names, or in the case where you have a mixed C++ and C# project, the list will display the C# severities. You can still use the filter, but the severity names displayed in the issue tree may not match the items you selected in the list (as the filter is applied by severity number).

After uninstalling the Klocwork Microsoft Visual Studio extension, the Klocwork help content is not removed

Due to a limitation of the Microsoft VSIX installer, Klocwork help is not removed after uninstalling the plug-in.

Workaround: You can uninstall the help files manually. Go to Help > Add and Remove Help Content; In the Klocwork Inc. section, click the Remove action next to Klocwork Desktop Plugin. You can install a future version of the plug-in without issue.

For the Microsoft Visual Studio extension, minor performance degradation when working with server issues if connection to server is lost

A lost server connection causes a delay of up to three seconds when working with server issues, for example, when opening or citing a server issue.

Workaround: Work with local issues only by clicking the "Show local issues only" button.

F1 help does not work when you attempt to open help for an issue from the Klocwork Issues window in Visual Studio for the Klocwork extension for Visual Studio

If you click on an issue in the Klocwork Issues window and attempt to open the help for it by pressing F1, the shortcut opens the incorrect help in the Help Viewer.

Workaround: Open the help for the checker by right-clicking on the issue and select View Checker Documentation from the Manage Checker menu.

Klocwork server option fails to retrieve projects when you use a hard-coded IP address

If you use a hard-coded IP address in the Klocwork server dialog under the Klocwork options menu, the Klocwork extension for Visual Studio fails to retrieve the list of projects.

Workaround: Use the host name instead of the IP address; if this is not an option, you can add an entry in the hosts file for the IP address.

Klocwork plug-in for Android Studio installs to unexpected location

If IntelliJ IDEA 2017 and Android Studio are both installed, and you install the Android Studio plug-in, the IntelliJ IDEA path will be auto-filled instead of the Android Studio path. Klocwork automatically detects your IntelliJ IDEA directory and installs the plug-in to that location.

Workaround: If more than one installation directory is detected, you must browse to the preferred location for Android Studio manually.

Klocwork plug-in installation fails when running the executable in administrator mode on Windows 10

If you run the VSIX plug-in installer in administrator mode on Windows 10 and/or specify the '-a' flag on the command line with the vsixinstaller command, the installation fails.

Workaround: Perform a normal, non-administrator installation. Do not select 'Run as Administrator' and do not specify the '-a' flag on the command line.

Limitations for Klocwork Desktop Analysis is not supported with any of the following configurations:
• When a project with symbolic links is configured with an external build specification that does not have the attribute "no-resolve". If a project uses symbolic links, the user must configure the project using an external build specification, and the external build specification must be created with the "no-resolve" option passed to kwinject.
• When a project with symbolic links is configured to use the Eclipse CDT toolchain. The Eclipse plug-in does not allow the user to set a "no-resolve" option.
• When a project contains a symbolic link to a directory. The plug-in supports symbolic links to files only.

Limitations for Klocwork extensibility

C/C++ Path checker compilation makefile compatibility

The makefile generated by kwcreatechecker on Unix systems requires GNU make to build the checker. The default make installed on non-GNU systems such as AIX or Solaris may not compile Klocwork extensions for C/C++. On Windows, the makefile generated by kwcreatechecker requires nmake to build the checker.

Workaround: None.

Toll-free: 1.800.487.3217
Direct: 1.613.836.8899
[email protected]
[email protected]
1315 West Century Drive, Suite 150, Louisville, CO 80027
www.roguewave.com
www.klocwork.com

This document, as well as the software described in it, is furnished under license and may only be used or copied in accordance with the terms of such license. The information contained herein is the property of Rogue Wave Software, Inc. and is confidential between Rogue Wave Software, Inc. and the client and remains the exclusive property of Rogue Wave Software, Inc. No part of this documentation may be copied, translated, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Rogue Wave Software, Inc. If you find any problems in the documentation, please report them to us in writing. Rogue Wave Software, Inc. does not warrant that this document is error-free.

Klocwork is a registered trademark of Rogue Wave Software, Inc.

All other trademarks are the property of their respective owners. All help content for Klocwork's MISRA checkers is copyright by MIRA Ltd, on behalf of the MISRA Consortium.

Copyright notices for third-party software are contained in the file THIRDPARTYLICENSEREADME.txt, located in the Klocwork installation directory.

Copyright © 2017 Rogue Wave Software Inc. All rights reserved.