codechecker

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy

APACHE-2.0 License

Downloads: 16.2K
Stars: 2.1K
Committers: 111


codechecker - v6.3

Published by gyorb almost 7 years ago

New

  • Include paths from environment variables in analysis phase #1184
  • --include flags shouldn't be skipped during analysis #1237
  • In anonymous mode allow superuser permission #1137
  • Understand HTTPS product and server URLs without a port specified as 443 #1146
  • Showing severity report count at the statistics page #1104
  • Enable copy-paste for links #1164
  • How to handle false positives HOWTO #1185
  • Feature comparison of cmd and webgui #1197
  • Performance/stress tests #808
  • Command line diff performance improvements #956
  • Show unique bug count in the run list page (instead of non unique) #1202
  • Schema migration support of product databases #351
  • Mount the same configuration database to multiple servers #876

Changes

  • New report storage method: store every single bug report even if hash clashes, remove outdated resolved paths at run update #1213
  • Put full date in log messages not only the time #1214
  • Improve comments for the LDAP authentication #1217
  • Rename some column labels #1200
  • Use absolute path in logger #1097
  • Upgrade SQLAlchemy to 1.1.11 #1107
  • Improve performance of report filters #1038
  • Do not reparse unchanged files to get suppression to improve performance #1231
  • Don't log as error if multiple source and triple is present in the log file #1230
  • Update plist file with report hash #1239
  • File cleanup refactoring #1131

Bug fix

  • Fix run storage error (AddFileRecord return value) #1215
  • Update line and column fields of report #1106
  • Mismatch between filter result count and number of listed reports #1093
  • Wrong handling of builtin includes during CTU collect phase #1143
  • --enable-all with other options doesn't run most of the clang-tidy checkers #1148
  • Server should not start in case of incorrectly formatted json file #1149
  • Exception is thrown if product name is not specified #1174
  • Exception is thrown while parsing compilation json #1180
  • After a run is deleted the counter is not updated #1152
  • Bug tree shows issues from all runs even if one run selected #1117
  • Remove gcc intrinsic and include-fixed include directories from analysis #1183
  • Ordering by File when Unique reports are enabled doesn't give an alphabetical order #1198
  • Handle more plist parsing errors #1225
  • Remove linecache usage #1227
  • Review status false positive is not set #1223
  • Failure zip does not contain all dependent headers (CTU) #1159
  • Make sure that file is closed if plist parsing fails #1216
  • Don't attempt to add the same file multiple times to the ZIP #1234
  • Generate report hash fix #1235
  • Fix server general exception #1242
  • Do not store same bug from plist files #1247

codechecker - v6.2.1

Published by whisperity almost 7 years ago

Bug fixes

  • Web GUI filters for Checker name now show the full list of checkers, not just the first 10. (#1156)
  • --enable-all given to check was not passed through to analyze. (#1163)
  • Fixed a bug at compiler target detection (#1180)
  • Fixed a connection handling issue to LDAP authentication backends. (#1139)
  • Fix CodeChecker making Clang-SA/Tidy use system GCC headers instead of Clang's own. (#1144, #1173)

Enhancements

  • URLs in the command-line specifying http:// or https:// should use port 80 and 443 respectively, if an explicit port is not given. (#1146, #1150, #1175)
  • CodeChecker server will now refuse to start if the session_config.json file is malformed. (#1151)
  • Comparing a local result folder to a run stored on the server has received a massive performance improvement. (#1169)

Miscellaneous

  • Added scripts to aid the debugging of failed analyses. (#1113)
  • Upgraded SQLAlchemy to a newer version. (#1142)

codechecker - v6.2

Published by gyorb almost 7 years ago

New features

  • Local Compare mode (CodeChecker cmd diff) can generate HTML files with bug path #748
  • Show number of runs on the list of runs view #1079
  • Show the granted permissions for the currently logged in user on the GUI #875

Enhancements

  • Introduce better (debug) logging for CTU analysis #886, #1069, #1100, #1050
  • Group reports only by bug hash when uniqueing #1121
  • Make sure query strings and filters cannot be used for SQL attacks #902
  • Report storage session improvements for large amount of reports #1072
  • Add icons for tabs #1086
  • Development environment improvements #1105
  • Logging improvements #1119

Bug fixes

  • clang-tidy hash was incorrectly generated in some cases which caused some false new reports shown in diff view #1114
  • Fix analysis failure if multiple cross-compilers were used (compilation target is registered per build action) #1099
  • Relative paths in compilation database were not properly handled at analysis which caused some analysis failures #1116
  • Performance improvement of unresponsive server (when the results contained thousands of files) #1053
  • Show the supported browser version #1084
  • Bad function parameter call at statistics #1103
  • Product page error in Firefox #1101
  • Fix a typo in the doc for psql commands #1108
  • Bug report was not opened correctly when opened from the All Reports view #1118

Changes

  • Remove cppcoreguidelines-pro-type-vararg from the sensitive profile #1080

    Two checkers conflict and cause the analyzer to hang. Until the checkers are fixed,
    we have removed the checker from the sensitive profile so it will not be enabled implicitly.

codechecker - v6.1.1

Published by gyorb almost 7 years ago

Bug fixes

  • Clang-tidy result parsing error which caused increasing memory consumption #1064
  • UI fix: in the bug overview the result count and the number of shown bugs differs #533
  • UI fix: bug path was not shown in some cases #1033
  • CodeChecker analyze does not show analysis errors when it only re-analyzes files #1043
    If there was no explicit report output directory, the default report directory was not cleaned up between two analysis runs, which could cause misleading results from the parse command.
  • Storage should be stopped immediately if a storage is already ongoing with the same name #1013
  • --verbose debug_analyzer did not print the analysis calls #999

Improvements

  • report filter query performance improvements #1052
  • Limit the uploadable data size to the server #840
  • improve command line client coding convention #1070
  • documentation updates with CI loop script examples #994
  • test infrastructure updates #1055

Changes!

  • severity level of misc-string-compare checker was changed from HIGH to LOW #1058

codechecker - v6.1

Published by gyorb about 7 years ago

New features, improvements:

  • HTML report file generation support for CodeChecker parse command. These HTML files contain the full control-flow path of the detected bugs. They can be viewed off-line without accessing the CodeChecker server or sent in an email. #1034
  • CodeChecker cmd diff can be called for multiple runs. That is, your results in the report directory can be compared against multiple runs using wildcards. #978
  • Checker profiles. Checker pre-selection profiles were introduced to help in the selection of checkers. Three new profiles were introduced in increasing order of sensitivity (and false positive rate): default, sensitive, extreme. #907
  • Clang will not warn about unused compiler arguments #985
  • Print clang generated report hash at the command line parse with the steps together #1009

Analyzer invocation

  • Better detection of gcc/g++ cross compilation parameters. --saargs and --tidyargs parameters should not be used for cross-compilation anymore. #995
  • Include directory detection for clang-tidy #993

Documentation changes:

  • New user guide accessible at the server #737
  • Improved PostgreSQL database setup documentation #1001

Bug fixes:

Web UI:

  • Report steps were not shown on the UI #986 and #988
  • Statistics view did not show the results #950
  • Statistics view should not collect run names in the drop down #979
  • Product listing did not work properly in Firefox #912
  • Runs without reports were not rendered correctly #1002
  • Run history tab switch did not work properly #1017
  • If there were many runs the loading of the run list was slow #1019

Command line:

  • Storage failed with sqlite db backend if there were many results. #1005
  • CodeChecker cmd sum command error #1004
  • CodeChecker cmd sum report uniqueing #1025
  • CodeChecker cmd sum get statistics only for the specified run names #1026
  • CodeChecker check command did not work properly when it was called without output directory #992

codechecker - v6.0.1

Published by bruntib about 7 years ago

BUG Fixes and small feature additions

  • #883 Analysis runs show the store duration
  • #958 Show the latest run tag in the run list table
  • #959 sorting by severity does not work in the bug list
  • #960 Show severity at the parse output
  • #961 Show result summary at the parse output
  • #962 run name filter in diff command
  • #963 update run tag if the same tag is used in one run

codechecker - v6.0

Published by whisperity about 7 years ago

CodeChecker 6.0 brings a huge amount of improvements to the CodeChecker infrastructure. This new major release sets forth a new direction aimed to increase the usability and effectiveness of CodeChecker as a code analysis and defect triaging system.

❗ Massive backward incompatibility changes ❗

This new major release changed the infrastructure in a way that your current CodeChecker usage might no longer be applicable.

  • Due to internal database layout changes, any CodeChecker database that was created with versions of CodeChecker 5 is not usable. You'll need to reanalyze your project.
  • The invocation of CodeChecker scripts has changed. Please make sure your custom integration scripts (if such exist) are working before relying on them. There is a high chance they won't.
  • The API to access the server programmatically has also changed. Custom clients, such as the Eclipse plugin, may no longer work properly.

Most important backward incompatible command line changes

  • CodeChecker store and cmd subcommands now take --url instead of --host, --port as per the product system, to specify on which server and in which product the commands should be executed on. For example instead of CodeChecker store --host localhost --port 8555 -n run_name you should use CodeChecker store --url localhost:8555/Default

  • The check command which wrapped over log-analyze-store has been dropped. quickcheck has been renamed to check. An extra argument, --quiet has been introduced to analyze which silences analyzer output from the standard output. (#882)

Analysis framework

Major improvements

  • analyze now supports incremental analysis, in which the subsequent analyses of the project updates the contents of the OUTPUT_DIR folder, without duplicating plist files, or requiring the user to do a full analysis. (#719)
  • --add-compiler-defaults option detects compilation target and gcc include directories, thus cross-compilation can be auto-detected. If --saargs or --tidyargs were used for the analyze sub-command to specify (cross) compilation target or include directories, they can now be replaced by a simple --add-compiler-defaults switch, which will auto-detect these compiler settings. (#921)

Minor changes

  • Various crashes and infinite hangs arising from analysis failure handling and dependency generation have been fixed. (#790)
  • CodeChecker analyze now takes an optional --capture-analysis-output argument which causes the output of successful analyzer invocations to be saved into the OUTPUT_DIR. (#802)
  • Skip-files not applying to headers have been fixed. (#860)
  • The checkers sub-command has been unified to the new structure, so CodeChecker checkers now does the same as codechecker-checkers did since version 5.8. (#856)

Discontinued features

  • The check command which wrapped over log-analyze-store has been dropped. quickcheck has been renamed to check. An extra argument, --quiet has been introduced to analyze which silences analyzer output from the standard output. (#882)

Report storage

Major improvements

  • With the changes introduced in incremental analysis, CodeChecker now stores the detection status of a bug report. This feature requires the user to always analyze into the same OUTPUT_DIR and then store the results from this folder. A bug can be new, unresolved, resolved or reopened. (#724)
    • Each bug begins its life as new. When a subsequent store call finds this bug again, the status will change to unresolved, and will stay there until the bug disappears from the analyzer output. At that moment, the status will be resolved. If a resolved bug ever appears again in the analyzer results, its status will change to reopened. A reopened bug can turn resolved or unresolved in the next check depending on its status.
  • Storing analysis results has been made much faster by introducing a simpler transmission approach. (#724)
  • The multiple product system gives the users the ability to attach multiple analysis result databases to the same running CodeChecker server instance. These are separate databases each containing analysis results, managed in a new "configuration database", which is specified in the server's command-line. (#773)
  • Subsequent store calls with the same run name can now be tagged, e.g. to point out which version of the project was used. (#885)

Minor changes

  • CodeChecker subcommands now take --url instead of --host, --port as per the product system, to specify on which server and in which product the results should be stored to. (#773)

Web viewer application

Major improvements

  • CodeChecker now has a logo! (#771)
  • Bug reports can now be commented. Comments are shown for the same report found in multiple runs. (#742)
  • Bugs can now be assigned a review status of Unreviewed, Confirmed bug, False positive, Won't fix, along with an optional comment on why this status was applied. (#768)
    • This replaces the suppress feature of the web application. Source code suppressions are imported into this new system as False positive reports.
  • A new filtering system has been created which makes the Web viewer much more versatile at searching for reports. (#847)
  • The history of run updates is stored and it is possible to recall the results of an earlier run (run history). It is also possible to "version tag" each update from command line and search for active reports based on update date. (#781)
  • Report Uniqueing: The same bug can be found by the analyzer on multiple paths and in multiple runs. A semantically unique bug is identified with a bug identifier hash. In the web viewer it is possible to list only semantically unique bug reports. (#811)
  • Checkers Summary Table: Provides a summary statistics of reports found by checkers summarized for all runs. (#826)
  • The web viewer has been updated with a new homepage that gives the users ability to search and select the product they want to view. (#773)
  • A new user guide for the web application has been added. (#865)
  • Reports that refer to semantically the same bug are now grouped on the viewer. (#891)

Minor changes

  • Tool-tip showing the full message in the bug path list is placed to start accordingly to the path list, not at the left center of the browser. (#720)
  • The list of runs can now be filtered for substrings in the run's name. (#753)
  • The username of the logged in user is now shown in the viewer. (#754)
  • Diffing two runs can now be made with radio buttons explicitly showing what will be diffed against which other run, instead of having to tick two check boxes in an order. (#766)
  • The bug steps are now also shown in the left-hand view, not just in the code. Floating bug step bubbles in the code were given better highlighting. (#798)
  • The code viewer has been made significantly faster. (#815, #871)

Command-line viewer client

Major improvements

  • The CodeChecker cmd sum sub-command now prints a more detailed breakdown on what reports are found per a particular checker. (#870)
  • The command-line viewer also takes some new arguments for the new filtering system. (#918)

Minor changes

  • Due to the removal of the suppress feature, CodeChecker cmd suppress now can only be used to import suppression data into a server. (#768)
  • CodeChecker cmd subcommands now take --url instead of --host, --port as per the product system, to specify on which server and in which product the commands should be executed on. (#773, #873)
  • Most of the command-line tools now take run names as a positional argument instead of --name. (#856)
  • Local compare mode will now properly understand suppressions in the source code on the local side. (#858)

Security

Major improvements

  • CodeChecker Web server can be accessed through secure (encrypted, authenticated) HTTPS. (#899)
  • CodeChecker now supports a way to isolate user access and define permissions between the products configured. (#857)

Miscellaneous improvements

  • The bug report storage database has been revised, the new version of the database stores considerably less data from analyses, and we improved response time by making the database faster. (#709, #756, #764)
  • The documentation has been heavily extended to help our users better.

codechecker - v5.10

Published by whisperity about 7 years ago

The v5.10 version brings Cross-Translation-Unit analysis support to CodeChecker, along with minor bug fixes and usability improvements.

Cross Translation Unit analysis support

CTU is an experimental feature not yet introduced to release versions of Clang which will enable more accurate static analysis via the ability of finding code across the entire project. You can retrieve a version of Clang that is CTU-capable from Ericsson's clang fork.

To support the easy usage of CTU analysis, CodeChecker has been extended to invoke the analyzer in a CTU-compatible way.

CodeChecker analyze now takes the argument --ctu, which enables the analysis. This argument is only available if the Clang on the system has CTU analysis capabilities.

Usability improvements

  • Instead of severity strings, show a colourful icon indicating the severity of the bug.
  • If an analysis fails, the entire source code is compressed with the analyzer output and the build commands into a failure zip archive.

Bugfixes

  • Fixed CodeChecker server --stop-all not being usable.
  • Fixed CodeChecker server ignoring the --sqlite argument and always using the workspace's ~/.codechecker/codechecker.sqlite as database.
  • Fixed analyzer crashes if the source file's name contained spaces.
  • Fixed analyzer automatic detection ignoring the order set in the PATH environment variable.

Miscellaneous changes

  • Various parts of the documentation have been improved.
  • Various minor bug fixes to the command-line output have been applied.

codechecker - v5.9

Published by whisperity over 7 years ago

Release 5.9 brings new improvements and changes for an easier, more secure use to CodeChecker.

Incompatible command line changes!

Previously, to store analysis results, you needed to provide a database connection. This has been changed for an easier and more secure usage model, which no longer requires having to know and input database credentials. A CodeChecker server is now needed by CodeChecker store to connect to and store runs in the database it is connected to. Because of this, the command-line invocation has changed as follows:

  • A CodeChecker server needs to be started before analysis results can be stored to the database, i.e. before executing store or check commands.
  • Database-related arguments (--dbaddress, --dbport, --dbusername, --dbname, --sqlite, and --postgresql) have been removed from check and store.
  • Instead, --host and --port are to be used to specify which CodeChecker server accepts and stores the analysis results.
  • Servers which have authentication enabled require a valid session before allowing storage of analysis results. Use CodeChecker cmd login before calling store or check if your server is password protected.
    • If the server is configured for a short time-out period for valid sessions and building your project and analyzing it takes too long, the session on the server can time out before the storage of results can commence. Please use log, analyze and store separately, or configure your server for a longer timeout.

New features

  • CodeChecker cmd diff allows diffing a run on a server and a local report folder containing plist files.
    • E.g. CodeChecker cmd diff --basename release --newname ~/my_analyze_output --new will show reports introduced in your local folder without having to store your results to a CodeChecker server.

Improvements

  • CodeChecker cmd diff shows the source code line where the bug was found in its output.

Fixes

  • Fixed a rare crash that resulted because of special characters in the source files badly decoded by the client.
  • Fixed CodeChecker store unable to import any useful information from a report folder that did not contain metadata files alongside the plists.

Miscellaneous

  • CodeChecker debug has been removed.

codechecker - v5.8

Published by gyorb over 7 years ago

The new release comes with many new features and bug fixes/improvements.
For a more detailed list of changes see the v5.8 milestone.

The v5.8 release tag was changed because we wanted to put some bug fixes into 5.8.
Please update the git tags if you use them. Sorry for the inconvenience.

New features

  • improved run deletion in the command line (delete multiple runs, before/after a specific date ...)
  • automatically detect the installed clang versions on the host machine and select the newest version
  • suppression was re-enabled on the UI even if no suppress file was given to the viewer server at start
    • new command line option is available to export and import suppress information after an analysis
  • viewer server instance handling in the command line (list/stop already started servers)

Command line changes

  • the old commands kept for backward compatibility for now (check, server ...)
  • all of the command line options were refactored
  • new commands are available (see user guide for further details)
    • log (only to generate a compile command json file)
    • analyze (run the analysis (clangsa, clang-tidy) and generate plist reports)
    • parse (parse the generated plist reports and print them to the stdout)
    • store (process the generated plist reports and store them to a database)

GUI improvements

  • show version info
  • improved report path coloring and visualization

Checker changes

  • two clang-tidy checkers were removed from the default enabled list (they generated too many reports) #675; users can enable them if needed
    • misc-misplaced-widening-cast
    • misc-throw-by-value-catch-by-reference

codechecker - v5.7.1

Published by gyorb over 7 years ago

New features

This is a bug fix release; no new features were added.

Bugfixes/changes

  • Improved GUI bugpath arrows
  • Fixed browser refresh errors
  • Fixed some plist importer bugs
  • Changed authentication using command line
  • No longer limiting the number of entries in the command line json output
  • ...

See milestone for further details.

codechecker - v5.7

Published by gyorb almost 8 years ago

Notice!

If you checked your project with the same run name multiple times just to update the results, you might have realized that some of the results were not removed or updated. This release should fix this problem, but to work properly you might need to remove all the existing results and reanalyze your project.

New features

  • better (cross) compiler handling (compiler built-in defines and includes) with the --add-compiler-defaults flag

Other improvements

  • better error reporting
  • log messages with timestamps
  • source code cleanups and re-factoring

Bugfixes

  • checker result cleanup if run is updated
  • GUI filtering
    ...

codechecker - v5.6

Published by gyorb almost 8 years ago

New features:

  • multiple authentication methods are supported now (PAM, LDAP, ...)
  • improved command line client (filtering, csv output)
  • improved quickcheck (skip and suppress support)
  • view analysis progress

UI improvements:

  • load results faster
  • show additional build related data

Many bugfixes, usability improvements and source cleanup.

codechecker - v5.5

Published by gyorb about 8 years ago

What's new in this release:

  • OSX support #315
  • Use intercept-build for compilation command logging (required for OSX, optional on Linux)
  • Store separately generated plist results into database #322
  • Documentation updates
  • Bugfixes

codechecker - v5.4

Published by gyorb about 8 years ago

Some improvements worth mentioning:

  • update mode analysis fixed
  • support for environment variables in configuration files #302
  • some small GUI improvements #312 #313
  • test infrastructure and documentation updates
  • further bugfixes ...

codechecker - v5.3

Published by gyorb over 8 years ago

  • simplified and better visualization of bug events on the GUI
  • Clang/Clang-tidy v3.8 support
  • test infrastructure improvements
  • multiple bug fixes (command-line/GUI)

codechecker - v5.2

Published by gyorb over 8 years ago

Major changes:

  • SQLite is the new default database (--sqlite is deprecated); use --postgresql to store results into PostgreSQL
  • Update mode is enabled by default if analysis name is the same (--force is used to cleanup run results, --update is deprecated)
  • Sourcing init.sh script is not required anymore (add CodeChecker/bin to the PATH)
  • Some default arguments were changed (default work directory, server port, PostgreSQL port)

New Features:

  • Clang-tidy analyzer support
  • Forward arguments or configuration options to the analyzers
  • UI improvements

Bug fixes:

  • SQLite support fixes
  • Better CMake support. (logging more compiler names)
  • Performance improvements for deleting runs

Improved documentation

codechecker - v5.1

Published by gyorb almost 9 years ago

New release with many bug fixes and new features.

Some highlights:

  • SQLite support
  • pg8000 interface support for PostgreSQL
  • new client APIs
  • web based GUI improvements

codechecker - v5.0

Published by gyorb almost 9 years ago

With the new 5.0 version we switched to rolling release.
Automatic database upgrades are supported to newer schema versions.

codechecker - v4.0

Published by dkrupp about 9 years ago

New features compared to 3.0

  • now you can add paths with regular expressions in the skip file
  • module and target field are removed from the database and filters (they are superfluous)
  • bug fixes