Overview of PVS-Studio version 7.07 features

Picture 30

This article gives an overview of what the PVS-Studio static analyzer can do. The easiest and most visual way to do that is to show the tool at work on examples: checking a project with the plugin for Visual Studio, running the analyzer on Linux, and importing the analysis results into SonarQube.

General information


PVS-Studio is a static analyzer for code written in C, C++, C# and Java. It performs a wide range of checks, but it is most effective at finding typos and the consequences of careless copy-paste (examples: one , two , three , four ). Static analysis is a good complement to one of the oldest and most reliable ways of catching defects, code review: some mistakes, typos in particular, are hard to spot when reading code together. For instance:

int trans_rest(transcoder_settings *trans)
{
  ....
  for(i=0; i<16; i++);
  {
    trans->eq.eq.preamp[i]   = 0.0;
    for(j=0; j<32; j++)
    {
      trans->eq.eq.boost[i][j] = 0.0;
    }
  }
}

If you did not notice it, look at the semicolon after the first for: it terminates the loop, so the block below it runs only once, with i already equal to 16, instead of running 16 times. Or:

private class ObjectArrayComparer : IEqualityComparer<object[]>
{
  public bool Equals(object[] x, object[] y)
  {
    ....
    for (int i = 0; i < x.Length; i++)
    {
      if (!object.Equals(x[0], y[0])) 
      {
        return false;
      }
    }
    return true;
  }
  ....
}

x[0] is always compared with y[0] instead of x[i] with y[i], so any two arrays with equal first elements are reported as equal. Rather than spend your time hunting for errors like these, it is worth introducing a static analyzer. You can download and try PVS-Studio at this link.

Plugin for Visual Studio


PVS-Studio has a plugin for Visual Studio 2010-2019. Before going straight to checking a project, I will show what the plugin offers and go over a few items that may raise the question "what is this for?"

Picture 13


Note the Suppress Messages item, which opens a window for working with suppressed analyzer warnings; let me explain what it is for. PVS-Studio can suppress warnings, and this makes it easy to start using the analyzer even on a large project and to build it into the development process quickly.

If your project is small, introducing the analyzer is simple. But if the project has a long history, you probably have doubts: who will process and filter the results, how much time it will take, and so on. I will try to dispel them.

The ideal way to use the analyzer in this case is as follows. You run it on your project and get a large batch of analyzer messages. Then, using the warning suppression mechanism, you tell PVS-Studio not to show these messages again. Since the project has been under development for a long time, the report will almost certainly contain few warnings about critical defects. From then on, you and your colleagues see only the warnings that relate to changed or new code. The suppressed warnings become technical debt that you can return to gradually. The suppression mechanism is described in more detail here .

Picture 14


Next comes the “Display CWE Codes in Output Window” item. PVS-Studio is a tool for static application security testing (SAST), and its warnings can be classified according to the Common Weakness Enumeration (CWE). To learn how PVS-Studio warnings map to CWE, what CWE is and why it is needed, I suggest reading the following links:


Let's move on to the “Options” tab.

Picture 6

In the "Detectable Errors (C, C++)" section we control which kinds of analyzer messages are shown. Diagnostics that for some reason are not relevant for a given project can be hidden or disabled. For example, MISRA diagnostics are unlikely to interest anyone other than embedded developers, so they are disabled by default: a user who runs the analyzer for the first time could be put off by the sheer number of MISRA warnings. Those who launched the analyzer specifically to check their project for MISRA compliance can simply turn them on in the settings.

Picture 10

Here you can enter paths or masks to exclude some files or folders from analysis, either a mask on the path (Path Mask) or a mask on the file name (FileName Mask). They are needed when you want to exclude third-party libraries, automatically generated files and the like. Once exclusion masks are set, messages from the matching files disappear from the PVS-Studio output window, and those files are not analyzed in the next run. Excluding files and directories this way can therefore noticeably reduce the total analysis time for the whole project.

More details here .

Picture 8

You can also filter the analyzer output by the text it contains. For example, your report contains warnings that mention the function my_super_function, and you are sure that all of them are false. Add the word my_super_function in this field, and every warning containing it is filtered out. Just in case, here is a link to the corresponding section of the documentation .

Note. PVS-Studio has other ways to mark false warnings, in code or in macros (for example, a comment of the form //-V501 at the end of the flagged line tells the analyzer to ignore diagnostic V501 there). They are described in the Suppressing False Alerts section of the documentation .

Now that we are done with the overview of the settings, let's move on to checking a project. As you may have noticed, the article covered several settings for C++ projects but nothing specific to C# or Java. There are simply more settings for C++ than for C#, which is why this brief review focused on them. For a change, let's use the Visual Studio plugin to check not a C++ but a C# project and see what the analyzer report looks like.

Naturally, after the first check you will have to go back to the settings to bring the share of false positives down. False positives are inevitable, but with proper configuration their share can be reduced to an acceptable level. See the article: " Characteristics of the PVS-Studio analyzer using the EFL Core Libraries example, 10-15% of false positives ."

Picture 1

Select the item “Analyze Solution with PVS-Studio”.

Picture 2

A window with a progress bar will appear.

Picture 3

And then we can see the analyzer report.

Picture 11

Here too, some warnings can be filtered out. For example, you can hide the first warning in our report by selecting it and clicking “Mark selected messages as False Alarms”. For details, see the Suppressing False Alerts section again.

Linux


Earlier we checked a C# project. Now let's check code written in C++, and to add variety to the article we will do it under Linux. Incidentally, projects in any of the supported languages (C, C++, C#, Java) can be checked under Windows, Linux and macOS.

Picture 20

Clone the repository.

Picture 18

Run the build configuration script.

Picture 16

Run PVS-Studio in trace mode and build the project. The strace utility must be installed. Instead of the make command there can be any command that starts the build of your project with all the necessary parameters.

Picture 12

Analyze the project files using the trace collected in the previous step. The -a switch specifies which warnings are included in the report.

Picture 4

Convert the log to HTML and enjoy the results.

I have described only one way to check a project under Linux, and only in outline. There are other ways, for example calling the analyzer from the makefile. For a more detailed review, I recommend the following links:
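The Linux pipeline from the screenshots above, written out as a script, as an added example (this is not the article's own script and not a script shipped with PVS-Studio). It chains the three steps (trace the build, analyze, convert) and adds a small CI gate that fails the build when level-1 warnings are present. The pvs-studio-analyzer and plog-converter command lines are the documented ones; the line shape that the gate parses is an assumed gcc-style "errorfile" line, and the sample report at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article or from PVS-Studio: the three Linux
# steps shown above plus a CI gate. The analyzer/converter command lines are
# the documented ones; the gate's report line shape is ASSUMED and the sample
# report at the bottom is constructed.
set -e

# Step 1: run the real build under the analyzer's tracer so every compiler
# invocation (flags, include paths, defines) is recorded. Needs strace.
# Pass whatever builds your project: make, ninja, a wrapper script...
pvs_trace_build() {
    pvs-studio-analyzer trace -- "$@"
}

# Step 2: analyze the traced compilation units; -o names the raw log.
pvs_analyze() {
    pvs-studio-analyzer analyze -o PVS-Studio.log
}

# Step 3: convert the raw log. -a selects diagnostic groups and certainty
# levels: GA:1,2 keeps general-analysis warnings of levels 1 and 2 only.
# The html report is for humans; the errorfile report feeds the gate below.
pvs_convert() {
    plog-converter -a GA:1,2 -t html      -o report.html PVS-Studio.log
    plog-converter -a GA:1,2 -t errorfile -o report.err  PVS-Studio.log
}

# Count level-1 diagnostics in a gcc-style report. ASSUMED line shape:
#   /path/file.c:15:1: error: V529 message text
# (level 1 reported as "error", level 2 as "warning").
pvs_count_level1() {
    grep -c ': error: V[0-9][0-9]*' "$1" || true
}

# CI gate: return 1 (fail the build) when any level-1 warning is present.
pvs_gate() {
    n=$(pvs_count_level1 "$1")
    if [ "$n" -gt 0 ]; then
        echo "PVS-Studio: $n level-1 warning(s) in $1, failing the build" >&2
        return 1
    fi
    echo "PVS-Studio: no level-1 warnings in $1"
}

# Run the real pipeline only where the analyzer is installed.
if command -v pvs-studio-analyzer >/dev/null 2>&1; then
    pvs_trace_build make
    pvs_analyze
    pvs_convert
    pvs_gate report.err
else
    echo "pvs-studio-analyzer not found; skipping the real analysis"
fi

# Constructed sample report (not real analyzer output) to exercise the gate;
# the two lines mirror the two bugs shown at the start of the article.
SAMPLE_REPORT=$(mktemp)
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
/src/transcoder.c:15:1: error: V529 Odd semicolon ';' after 'for' operator.
/src/compare.cs:34:1: warning: V3102 Suspicious access to element of 'x' object by a constant index inside a loop.
EOF
pvs_gate "$SAMPLE_REPORT" || echo "(expected: the sample contains one level-1 warning)"
```

In a real pipeline the gate runs on report.err produced by pvs_convert; the constructed sample only shows the gate rejecting a report with a level-1 warning. Tighten or loosen the -a filter (for example GA:1 only) to match how much noise the team is prepared to act on.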

SonarQube


SonarQube is an open source platform for continuous analysis and measurement of code quality. It supports a large number of programming languages and provides reports on metrics such as code duplication, compliance with coding standards, test coverage, code complexity, potential errors and so on.

PVS-Studio has a plugin for importing analysis results into SonarQube, let's try to use it.

Picture 9

To get started, we need the analyzer report and the sonar-project.properties configuration file.

Picture 27

Next, we need the scanner launch command.

Picture 28

Result :)

Picture 23

The configuration file can also be created or edited by hand. For example, in the screenshot above we enabled adding the MISRA identifier to analyzer warnings; by default MISRA is disabled here too. If you need to check your code for MISRA compliance, set the corresponding option to “active” in your configuration file.
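A minimal sonar-project.properties for this import, as an added example (not the file from the screenshot). The project key, name, source directory, server URL and report file name are placeholders; the sonar.pvs-studio.* keys are taken from the PVS-Studio SonarQube plugin as I know it and should be checked against the plugin documentation for your version.

```properties
# Added example, not the article's own configuration file.
# Project identity and sources: placeholders, replace with your own.
sonar.projectKey=my-project
sonar.projectName=My Project
sonar.sources=src
sonar.host.url=http://localhost:9000

# Report produced by the analyzer (for example plog-converter -t xml on Linux,
# or the Visual Studio plugin / PVS-Studio_Cmd on Windows). Key assumed from
# the PVS-Studio SonarQube plugin documentation.
sonar.pvs-studio.reportPath=PVS-Studio.xml

# Add MISRA identifiers to imported warnings; disabled by default, as the
# article notes. Key assumed from the plugin documentation.
sonar.pvs-studio.misra.active=true
```

Run sonar-scanner from the directory containing this file after the report has been generated; the imported warnings then appear under the PVS-Studio rules in the project's Issues view.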

Picture 25

In the Measures tab, various code metrics and graphs are available.

Picture 26

Graphs can also be built for the PVS-Studio section. More about integrating PVS-Studio analysis results into SonarQube is in this section of the manual.

PVS-Studio Java


We have now looked at the settings for C++ projects and checked a C# project, but Java has so far been left out of the article. Let's fix that and describe the PVS-Studio Java analyzer. It integrates into a project in several ways: depending on the build system, you can use the plugin for Maven or Gradle, or you can use the analyzer core directly. The Gradle and Maven plugins, and the core used directly, make it easy to work with SonarQube or a CI system (for example, Jenkins). With these plugins enabled, the Java project is checked by static analysis directly during the build, so you get not only the built project but also a PVS-Studio log.

PVS-Studio Java analyzer can also be used as a plug-in for IntelliJ IDEA. In this case, the analysis of the project structure is carried out by means of this IDE, and the plug-in provides a convenient graphical interface for working with the analyzer.

Picture 40

For more detail, see the section on how to start PVS-Studio Java .

When checking a Java project, you can also suppress analyzer messages so that integration into a large project is quick and painless.

In IntelliJ IDEA, it looks like this.

Picture 42

In this window we see the analyzer report.

Picture 43

Right-clicking the selected message opens this context menu. Choosing the highlighted item makes the message disappear from the analyzer output.

Picture 44

We can also suppress all analyzer messages.

To suppress analyzer warnings in Gradle, execute the command:

./gradlew pvsSuppress "-Ppvsstudio.report=/path/to/report.json"
  "-Ppvsstudio.output=/path/to/suppress_base.json"

To suppress analyzer warnings in Maven, run the command:

mvn pvsstudio:pvsSuppress "-Dpvsstudio.report=/path/to/report.json"
  "-Dpvsstudio.output=/path/to/suppress_base.json"

Read more about the suppression mechanism here .

To summarize


The purpose of this article was to show the capabilities of the PVS-Studio static analyzer and how easy it is to work with it using the plugin for Visual Studio and under Linux. Thanks to integration with the SonarQube platform you can set up continuous analysis and quality management of your code, and that is just one of the many features described in the documentation.

Integrating the static analyzer into a CI system lets you detect bugs immediately after the project is built, which reduces the cost of finding and fixing them. Below are links to articles on integration with the most popular cloud services:

  1. PVS-Studio goes to the clouds: Travis CI
  2. PVS-Studio goes to the clouds: Azure DevOps
  3. PVS-Studio goes to the clouds: CircleCI
  4. PVS-Studio goes to the clouds: GitLab CI / CD
  5. Launch PVS-Studio in TeamCity


If you want to share this article with an English-speaking audience, then please use the link to the translation: Ekaterina Nikiforova. PVS-Studio 7.07: Features Overview .
