At the beginning of the year, our team held several meetings and worked out an internal roadmap for the development of the company and the PVS-Studio product for 2021. We decided to publish part of our plans as this article. Is the unpublished part of the plans secret? No, but our readers are unlikely to be interested in the details of training plans for individual employees or when and which server we plan to purchase. Here we will describe the main plans for the development of the PVS-Studio software product itself and its positioning.
PVS-Studio as a product in general
PVS-Studio is a general-purpose static analyzer, and this is how we will continue to develop it. However, this year we will shift the emphasis towards positioning it as a static application security testing (SAST) tool. For this purpose, we will focus on support for CWE, OWASP, SEI CERT, MISRA, and AUTOSAR.
Currently PVS-Studio supports the analysis of programs in C, C++, C#, and Java. Certain C++ language extensions are also supported, such as C++/CLI and C++/CX. In 2021, we are not planning to implement support for new languages, but we are planning to develop the analyzer in breadth. Namely, we would like to support several new compilers (C, C++) for microcontrollers and some development environments such as CLion.
In addition to the improvements that will be described below, the cores of all analyzers (C++, C#, Java) will develop in the following areas:
- Support for new versions of programming languages;
- Improvement of existing diagnostics in order to reduce the number of false positives;
- Implementation of new general purpose diagnostics (GA);
- Manual annotation of functions in popular libraries to increase the number of detected defects;
- Development of internal mechanisms of analyzers, such as data flow analysis, symbolic computation, interprocedural and intermodular analysis, etc.
We decided to immediately list all these points so as not to repeat them below for each of the languages.
Note. If you are not familiar with the terms “data flow analysis” and “manual function annotation”, then we suggest that you read the publication “Technologies used in the PVS-Studio code analyzer to find bugs and potential vulnerabilities”.
New analyzer website
The constant development of the analyzer requires updating the site so that it reflects the latest information and gives clear access to new features and their documentation. At some point, the product outgrows the ideology and capabilities of the current site. We have now reached that point. In the first half of 2021, we will completely update our website, reorganizing the placement of information on it and giving it a new design.
Email newsletter subscription
When preparing the new site, we categorized and tagged our existing articles. This approach now makes targeted mailings possible. For example, you can subscribe to articles about project verification, or only to release announcements or theoretical articles.
MISRA C, MISRA C++, AUTOSAR
Support for the MISRA C and MISRA C++ coding standards will continue. But beyond that, it’s time to also support the more modern set of rules described in the AUTOSAR C++14 Coding Guidelines. This document is an update to the MISRA C++:2008 standard and is also based on other leading coding standards and research done by the AUTOSAR organization.
Cross-module data flow analysis
The cores of the PVS-Studio analyzer for C# and Java are able to carry out inter-module analysis in one form or another. For a number of reasons, the implementation of inter-module analysis in the C++ analyzer is more complicated and was constantly postponed. In 2021, we feel ready to implement cross-module data flow analysis. This will make it possible to find, for example, errors where a null pointer is passed to a function, and this function, implemented in another translation unit, dereferences the pointer without checking it first.
Let’s clarify, just in case. No, we are not talking about modules from C++20. Supporting modules is another task that we will also take on, but maybe not this year. What we mean here is an analysis that takes into account the interaction of functions implemented in different *.cpp files (in different translation units).
We also plan to partially support the extraction of additional information from code marked up using the Microsoft source-code annotation language (SAL).
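The defect pattern described above, as an added example that is not PVS-Studio code or output. The three translation units (file names are hypothetical) are shown in one listing so that it compiles stand-alone; all names and sample data are constructed.

```cpp
#include <cstdio>
#include <cstring>

struct Session { const char *user; int privilege; };

// ---- session_store.cpp (hypothetical translation unit) ----
static const Session g_sessions[] = { {"alice", 1}, {"root", 9} };  // constructed data

// The null source: returns nullptr when no session matches.
const Session *find_session(const char *user) {
    for (const Session &s : g_sessions)
        if (std::strcmp(s.user, user) == 0) return &s;
    return nullptr;
}

// ---- authz.cpp (hypothetical translation unit) ----
// Dereferences s with no null test. Looking at authz.cpp alone, nothing
// shows whether any caller can actually pass a null pointer.
bool is_admin_unchecked(const Session *s) {
    return s->privilege >= 9;
}

// Hardened form: a missing session fails closed.
bool is_admin_checked(const Session *s) {
    return s != nullptr && s->privilege >= 9;
}

// ---- handler.cpp (hypothetical translation unit) ----
// The defect is only visible when both files are considered together:
// a possibly-null result flows into a function that never checks it.
bool handle_request_unsafe(const char *user) {
    return is_admin_unchecked(find_session(user));  // null dereference for an unknown user
}

bool handle_request_safe(const char *user) {
    return is_admin_checked(find_session(user));
}

int main() {
    // Only the safe path is exercised with an unknown user.
    std::printf("root: %d, mallory: %d\n",
                handle_request_safe("root"), handle_request_safe("mallory"));
    return 0;
}
```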
Compilers for embedded platforms
Over the past few years PVS-Studio for C and C++ has significantly expanded its support for various compilers, focusing mainly on compilers for the ARM platform. In the coming year, we will also focus on more exotic platforms.
We will look into the possibility of porting the C++ analyzer core to the Elbrus platform. About a year ago we already considered such an experiment, but the compiler for this platform lags behind the modern C++ language standard. The PVS-Studio analyzer is written using the latest features of the language, since we need to keep ourselves trained in the new constructs of C++ :). Here, however, writing code in this style is a disadvantage. We’ll see how things go this year, but we don’t promise anything yet.
We plan to release a plugin for the CLion development environment. It is a cross-platform IDE for C and C++ from JetBrains. By the way, if you want to become a beta tester of this plugin, you can go to this link and fill out the form. We will contact you when we have the first implementation.
The PVS-Studio analyzer for C++ can already be used on Unix-like systems (Linux, macOS) together with a large number of IDEs and build systems. However, integration with such cross-platform IDEs is done through the standard tools of the IDE itself, usually by loading the analyzer report in the format of compiler warnings. Although this integration method is quite sufficient for work, it is inferior to integrating the analyzer through an extension (plug-in) for the IDE, as is the case with the PVS-Studio plug-in for Visual Studio. Through the IDE plugin, the user has access to many additional analyzer capabilities, such as message suppression, convenient marking of false positives, etc.
Because Unix-like systems, unlike Windows with its Visual Studio, have no single most common IDE, we have until now postponed the development of a full-fledged plug-in for any of the cross-platform IDEs for C++. Nevertheless, we see that the popularity of JetBrains CLion among our users is growing every year, and we already support two environments “close” to this IDE, IntelliJ IDEA and Rider, so we decided it was time to support CLion as well.
CSharp (Habr cannot handle a level 2 heading with a hash mark in Markdown mode 🙂)
When implementing new diagnostics, we plan to focus on OWASP and especially the OWASP Top 10. In our opinion, a static analyzer for C# will greatly benefit from an increase in the number of security diagnostics.
We plan to add support for .NET 5 projects, as well as work with the .NET 5 SDK. Along with this, analysis of code written in C# 9 will be added.
According to Microsoft’s roadmap, new releases of .NET are planned every year. Therefore, .NET 6 is already planned for release in 2021, and we want to add support for it as well.
Accounting for C# 8 and C# 9 features in old diagnostics
We would like to audit old diagnostics to see how they take into account the language features that appeared in C# 8 and C# 9. Perhaps some diagnostics can be improved so that they start to issue warnings on code that uses the most modern constructs. It is unlikely that there will be many such cases, but it will definitely be useful to conduct such a study.
We plan to mark up some of the existing diagnostics to match the OWASP classification of potential vulnerabilities. We also plan to create new diagnostics, focusing on OWASP and especially on the OWASP Top 10.
Visual Studio Code
Perhaps this year we will implement a plug-in for Visual Studio Code, which will let you conveniently view reports generated by the console version of the analyzer. For now, you can use the C and C++ Compiler Monitoring UI utility included in the PVS-Studio distribution kit for this, or convert the report to HTML format. These are perfectly workable options, but with a plugin for Visual Studio Code it will be more convenient to work with the report and make edits to the code.
Above, in the section about CLion support, we also wrote about the current situation with the “zoo” of various IDEs for Unix-like systems. We now see the prospect that Visual Studio Code, due to its openness and modularity, has a chance to become the de facto most universal IDE for development across a large number of languages, compilers and platforms. This is another reason why we plan to focus on this particular IDE in the coming year.
In addition to the product development plan, the roadmap includes tasks related to advertising activities. This is our internal business, but I want to mention one point publicly.
We have always actively participated in various conferences and other offline events (see the descriptions of how the first and second halves of 2019 went). In 2020, almost all such activities were phased out, and 2021 may go similarly.
We really miss offline events. First, it was a great way to get feedback from our customers, potential users, and generally find out what’s going on in the software world from visitors. Secondly, it was a good way to make additional touches, to stir up interest in the product. And thirdly, it had a positive effect on employees. They could attend events in order to take a break, see others and show themselves.
Therefore, we thought it over and decided to try to organize a series of our own small offline events in 2021. They will be somewhere between business lunches and seminars. We will gather representatives of client companies, as well as those who are just considering the possibility of purchasing a license. We will talk about the new features of PVS-Studio and about ways to integrate it with various systems such as Jenkins, IncrediBuild, Travis CI, and SonarQube. For a change, we may also invite third-party speakers who want to talk about static code analysis. And naturally there will be discussions, answers to questions and a demonstration of how and what works.
For simplicity, we want to start in Moscow. If we like how everything is going, we will expand the geography of the events. The events will be free for participants.
A question for readers. Is there someone here who already wants to take part in such an event as a listener? If so, please write to us that you would like to be present as a listener or speaker. This way we will be able to understand the audience’s interest in such offline activities and plan them better. Thanks in advance.