PVS-Studio - Detecting bugs and Security Weaknesses from Source Code

Thursday, September 19, 2019


Introduction






In this article, I am going to explain how to detect bugs, code vulnerabilities, and security weaknesses in source code written in well-known programming languages such as C, C++, C#, and Java. Nowadays security plays a key role in the digital world, and it is your responsibility to protect your online business from unauthorized activity and to build secure web, desktop, and mobile applications.






As you all know, while working on any project we sometimes make mistakes in source code that leave our applications potentially insecure. To avoid such mistakes we need to review our source code before the module or project goes live. There are many source code analysis tools available on the Internet, and one of them is PVS-Studio, which we will talk about today.












PVS-Studio is a static code analyzer from the Russian company OOO "Program Verification Systems", whose main goal is to improve the quality of source code. The tool works under 64-bit systems, and its main purpose is not just finding errors in source code, but also making sure that the code complies with secure development standards.





Recently, I received a proposal from the PVS-Studio team to review their tool, and I had an in-depth discussion with them on its features, supported languages, platforms, etc.





Requirements






1) What is PVS-Studio?

2) Supported platforms, compilers, and languages.

3) Features of PVS-Studio.

4) What are the system requirements to run the PVS-Studio analyzer?

5) Examples of errors detected by PVS-Studio.

6) How to download PVS-Studio?






Implementation






What is PVS-Studio?






PVS-Studio is a static code analyzer for developers/programmers. It works under 64-bit versions of Windows, Linux, and macOS, and is used to detect errors, bugs, vulnerabilities, and security weaknesses in code.





Supported platforms and languages 






PVS-Studio supports various compilers, languages, and platforms including embedded ARM development as shown below.





On Windows, PVS-Studio provides support for:



1) Visual Studio 2010-2019 for C, C++, C#, C++/CLI, and C++/CX (WinRT)


2) Java


3) IAR Embedded Workbench


4) ARM Compiler for C/C++


5) Clang


6) MinGW


7) QNX Momentics


8) QCC


9) ARM Compiler 5/6


10) Keil µVision


11) DS-MDK


12) ARM Code Generation Tools


13) Texas Instruments Code Composer Studio


14) Arm Embedded GCC compiler


15) GNU Arm Embedded Toolchain





On Linux, PVS-Studio provides support for:



1) Java


2) Keil µVision


3) ARM Code Generation Tools


4) DS-MDK


5) ARM Compiler 5/6


6) Arm Embedded GCC compiler


7) Texas Instruments Code Composer Studio


8) GNU Arm Embedded Toolchain


9) GCC compiler for C and C++


10) Clang





On macOS, PVS-Studio provides support for:



1) Java


2) Clang


3) GNU Arm Embedded Toolchain


4) GCC compiler for C and C++


5) Arm Embedded GCC compiler





Features of PVS-Studio




- Integrates with Visual Studio version 2010 to 2019.

- Supports automatic analysis of individual files.

- Provides a compiler monitoring tool for Windows, which allows analyzing projects not meant to be built in Visual Studio.

- Provides a compiler monitoring tool for Linux (pvs-studio-analyzer).

- Integrates with SonarQube for continuous analysis and measurement of source code quality.

- Allows you to save results/output of your source code analysis in HTML format with full source code navigation.

- Provides a BlameNotifier utility that is used to send notifications via email to the developers about the issues that PVS-Studio found in their code during a night run.

- Is able to update automatically when running overnight builds.

- Has many other features that are described in detail on the official website.




PVS-Studio System Requirements




PVS-Studio works under 64-bit operating systems: Windows, Linux, and macOS. It can analyze source code written for x86, x64, and embedded ARM architectures. At least 1 GB of RAM is required per processor core and having 2 GB or more is recommended.






Windows



Supported Operating Systems: x64 versions of Windows Vista/7/8/10, Windows Server 2008/2012/2016/2019


RAM: at least 1 GB of RAM per CPU core (2 GB or more is recommended)


.NET Framework version: 4.7.2 or above (included in the PVS-Studio installation package)





Linux



Supported Operating Systems: 64-bit Linux distributions


Kernel versions: 2.6.x and above. 


RAM: at least 1 GB of RAM per CPU core (2 GB or more is recommended)





macOS



Supported Operating Systems: 64-bit macOS


macOS versions: 10.9 and above.


RAM: at least 1 GB of RAM per CPU core (2 GB or more is recommended)





Examples of Errors Detected by PVS-Studio






The analyzer can detect many different kinds of errors. Let's demonstrate what static code analysis can do by examining some open source projects. Here are two simple examples.





Example 1






PVS-Studio warning: V3001 There are identical sub-expressions 'data1.IsReachableBlockData' to the left and to the right of the '==' operator. AnalysisEntityBasedPredicateAnalysisData.cs 39



protected AnalysisEntityBasedPredicateAnalysisData(....)
  : base(....)
{
  Debug.Assert(data1.IsReachableBlockData ==
           data1.IsReachableBlockData);
  ....
}




The analyzer has found that the expression is compared with itself, which makes no sense: the check is always true, and most likely 'data1' was meant to be compared with 'data2'.





Example 2






PVS-Studio warning: V3004 The 'then' statement is equivalent to the 'else' statement. DirectorySearcher.cs 629



private SearchResultCollection FindAll(bool findMoreThanOne)
{
  searchResult = null;

  DirectoryEntry clonedRoot = null;
  if (_assertDefaultNamingContext == null)
  {
    clonedRoot = SearchRoot.CloneBrowsable();
  }
  else
  {
    clonedRoot = SearchRoot.CloneBrowsable();
  }
  ....
}




Regardless of whether the condition is true or false, the same actions are performed, so either the condition is redundant or one of the branches was meant to do something else.
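To show the kind of structural matching behind the two diagnostics above (V3001, identical operands of a comparison; V3004, identical 'then' and 'else' branches), here is an added toy checker written for this article. It is not PVS-Studio's code: it uses Python's ast module on a constructed Python sample that mirrors the two C# snippets, and the rule names are borrowed only as labels.

```python
"""Toy static checker for the two defect patterns shown above: identical
operands around a comparison (PVS-Studio's V3001) and an if/else whose
branches are identical (V3004). It walks Python's ast over a constructed
sample and only illustrates the structural matching such diagnostics
perform; it is not PVS-Studio's engine or its C# front end."""
import ast

CMP = {ast.Eq: "==", ast.NotEq: "!=", ast.Lt: "<", ast.LtE: "<=",
       ast.Gt: ">", ast.GtE: ">="}

def same_tree(a, b):
    # ast.dump omits line/column info by default, so this is a purely
    # structural comparison of two subtrees.
    return ast.dump(a) == ast.dump(b)

def find_issues(source):
    """Return (line, code, message) tuples, sorted by line."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        # V3001-style: the same sub-expression on both sides of a
        # comparison (data1.x == data1.x) is always true or always false
        # and usually hides a typo such as data1 written instead of data2.
        if isinstance(node, ast.Compare) and len(node.comparators) == 1:
            if same_tree(node.left, node.comparators[0]):
                op = CMP.get(type(node.ops[0]), type(node.ops[0]).__name__)
                issues.append((node.lineno, "V3001",
                               f"identical sub-expressions "
                               f"'{ast.unparse(node.left)}' on both sides of '{op}'"))
        # V3004-style: 'then' and 'else' bodies are identical statement by
        # statement, so the condition has no effect on behaviour.
        if isinstance(node, ast.If) and node.orelse:
            if len(node.body) == len(node.orelse) and all(
                    same_tree(x, y) for x, y in zip(node.body, node.orelse)):
                issues.append((node.lineno, "V3004",
                               "the 'then' statement is equivalent to the "
                               "'else' statement"))
    return sorted(issues)

# Constructed sample that mirrors the two examples above in Python.
SAMPLE = """
def find_all(data1, data2, search_root, default_ctx):
    assert data1.is_reachable == data1.is_reachable  # data2 intended
    if default_ctx is None:
        cloned_root = search_root.clone_browsable()
    else:
        cloned_root = search_root.clone_browsable()
    return data1.is_reachable == data2.is_reachable  # fine: no report
"""

if __name__ == "__main__":
    for line, code, msg in find_issues(SAMPLE):
        print(f"line {line}: {code} {msg}")
```

Running the block reports the assert on line 3 and the if/else on line 4 of the sample, while the correct comparison on the last line is left alone.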





How to Download PVS-Studio 






You can download the PVS-Studio tool for analyzing your project or source code directly from the official PVS-Studio website.





Summary






In this article, we discussed detecting bugs, code vulnerabilities, and security weaknesses in source code using the well-known tool PVS-Studio. We also learned about its supported operating systems, features, programming languages, etc.






