
Releases: Ericsson/codechecker

v6.26.0-rc1

28 Apr 09:29
Pre-release

🌟 Highlights

OAuth2 based Single Sign-On Authentication

CodeChecker now provides OAuth2 based user authentication through various providers. It is now possible to configure your CodeChecker server instance to accept user logins with Google, Microsoft or GitHub accounts.
To enable this feature, you first need to register your CodeChecker server instance with the corresponding OAuth provider and add a
new authentication method section to the CodeChecker server configuration file.
If user group memberships are managed by a Microsoft Entra identity server, CodeChecker fetches these memberships through the Graph API.

See the CodeChecker authentication document for configuration details.

The feature was implemented in the following PRs:

  • Implementation of Oauth of Github, Google and Microsoft by @feyruzb in #4298
  • integrated signum fetching and using it as optional username by @feyruzb in #4517
  • Add paging to the graph API query by @dkrupp in #4532


Personal Access Token Management

Personal access tokens are generated "passwords" that can be used to log in to CodeChecker. If multi-factor authentication is enabled, they are the only way to authenticate through the CLI.

  • Personal access tokens can now be created in the GUI as well, not only through the CLI.
  • They are accessible by clicking on your user name in the top right corner.

❗ Backward incompatible changes

  • Personal access tokens cannot be viewed after creation. Previously it was possible to list the values of personal access tokens after they were created; from this version on, the value is shown only once, at creation time.

💻 CLI/Server improvements

  • Cache __contains_no_intrinsic_headers and thus speedup parse_options ~2x by @irishrover in #4479
  • [analyzer] debug_analyzer log level for analyzer commands by @bruntib in #4473
  • [cmd] Emit errors instead of hiding flags by @Szelethus in #4465
  • fix(report-converter): Support null column in eslint reports by @SweetVishnya in #4497
  • [NFC] Eliminate the "W" form of clang-tidy warnings by @bruntib in #4438
  • [fix] Unique key constraint violation fix by @bruntib in #4505
  • [bugfix] Don't crash if clangsa binary is missing by @Szelethus in #4531
  • Fix serving Bad request pages in case of some HTTP errors by @Discookie in #4506
  • [feat] Display announcement message in the CLI by @noraz31 #4535

Full Changelog: v6.25.1...v6.26.0-rc1

v6.25.1

13 Mar 10:52
  • Add OWASP Top 10 guideline #4482
  • [fix] Bug report bubble display bugfix #4480

Full Changelog: v6.25.0...v6.25.1

6.25.0

10 Mar 12:45
d1ca304

🌟 Highlights

Guideline Statistics page under the statistics tab to generate SEI Cert and CWE Top 25 Compliance reports

A new Guideline Statistics page is added under the statistics tab to generate SEI Cert Compliance reports.

This page shows the compliance of an analyzed program to a coding guideline (such as SEI CERT C/C++). It lists all checkers corresponding to a guideline rule, their configuration status (on/off), and all outstanding and closed reports per guideline rule.

The table can be exported in HTML and CSV format.

The first supported guidelines are SEI CERT C and C++ and CWE Top 25.

Facebook Infer as a new C/C++ analyzer plugin

Besides clang-tidy, the Clang Static Analyzer, cppcheck and gcc, CodeChecker now also integrates Facebook Infer, a well-known open-source static code analyzer: https://github.com/facebook/infer

CodeChecker will support executing this analyzer. It will not be enabled by default, but is available for testing.


PVS Studio report conversion

From now on, it will be possible to convert the reports of the https://pvs-studio.com/en/pvs-studio/ analyzer and handle them with CodeChecker.
PVS-Studio Static Code Analyzer support by @feeelin in #4356

❗ Backward incompatible changes

  • Resolve checker enable/disable ambiguity by @noraz31 in #4377 and by @cservakt in #4392
    CodeChecker analyze emits an error (instead of a warning) when the enabled checkers/profiles/checker prefix groups are given ambiguously. In these cases the ambiguity must be resolved. For example, the CodeChecker analyze -e security command is ambiguous, because security is both a checker prefix group (all checkers starting with security.) and a profile at the same time. Use CodeChecker -e prefix:security explicitly if you mean the prefix group, or profile:security if you mean the security profile.

CodeChecker -e clang-diagnostic-format gives an error, because it is ambiguous whether the user means the single clang-diagnostic-format checker or all checkers starting with clang-diagnostic-format. To refer to the former, use checker:clang-diagnostic-format; for the latter, use prefix:clang-diagnostic-format.

If you have such clashing cases, you must resolve them. The following namespaces can be used:
  • prefix: - to match checkers starting with a prefix
  • profile: - to match a checker profile
  • checker: - to match a single checker
  • guideline: - to match checkers belonging to a guideline
  • severity: - to match checkers belonging to a given severity

  • The skip file handling changed! Adding a --drop-reports-from-skipped-files parameter to analyze by @dkrupp in #4332
    After this patch, the skip files will only skip the analysis of the listed files, but will not filter out any reports. This may result in more reports than before.
    By default CodeChecker used to filter out all reports from files which were on the skip list. This can hide true positive reports starting from unskipped code and ending in skipped files (typical with CTU and header related findings).
    This patch removes the default report filtering post processing step from CodeChecker analyze --skip SKIPFILE operation.
    The legacy functionality is still available with the --drop-reports-from-skipped-files parameter.

  • guideline:sei-cert cannot be used anymore. The sei-cert guideline profile was split to guideline:sei-cert-c for the C guideline and guideline:sei-cert-cpp for the C++ guideline. #4400

  • The CodeChecker -e W* syntax is not supported anymore. Clang warnings only appear as clang-diagnostic-* checkers, and they can be enabled using the standard checker on/off mechanism, e.g. CodeChecker analyze -e clang-diagnostic-unused-function

  • The --saargs, --tidyargs and --cppcheckargs flags are now deprecated. The corresponding analyzer configuration option should be used instead, e.g. --analyzer-config clangsa:cc-verbatim-args-file=<filename>. The old flags are still working, but will be converted to the new form under the hood.

🐛 Analyzer improvements

  • [fix] Resolve checker enable/disable ambiguity #4392
  • [fix] Don't capture cc1 by the logger. by @bruntib in #4300
  • Add -mmitigate-rop to ignored options by @noraz31 in #4295
  • Removing alpha checkers from the security profile so it can be used in production by @dkrupp in #4284
  • [analyzer] Adds -fno-freestanding to ignored GCC compiler flags by @ArchieAtkinson in #4281
  • [analyzer] Disable clang-diagnostic-error checker by @cservakt in #4325
  • [analyzer] Ignore -fno-printf-return-value by @pdgendt in #4329
  • [anayzer] Fb infer by @stt08 in #4257
  • [feat] Introduce cc-verbatim-args-file @bruntib #4456

📖 Documentation updates

  • Modified documentation to match current procedures for changing schema by @feyruzb in #4366
  • chore: Remove ancient, unused docs/checker_docs.md by @whisperity in #4283
  • additional library was required for venv_dev by @stt08 in #4273


v6.24.7

18 Feb 10:31
  • The CodeChecker server in the codechecker-web Docker image could not connect to LDAP servers over SSL for authentication, so LDAP authentication was not working. This has been fixed.

Full Changelog: v6.24.6...v6.24.7

v6.24.6

17 Feb 15:04
  • Update the Python version in the codechecker-web Docker image
  • Fix a URL parsing error in the web server

Full Changelog: v6.24.5...v6.24.6

v6.24.5

21 Jan 15:04
5914f3a

This is a security patch release.

Move from cookie-based to token-based authentication.
Session-based authentication is deprecated, but is left in for the benefit of old CLI clients.
After the upgrade, all users will need to re-authenticate.

v6.25.0-rc1

11 Dec 09:07
Pre-release

🌟 Highlights

Guideline Statistics page under the statistics tab to generate SEI Cert Compliance reports

A new Guideline Statistics page is added under the statistics tab to generate SEI Cert Compliance reports.

This page shows the compliance of an analyzed program to a coding guideline (such as SEI CERT C/C++). It lists all checkers corresponding to a guideline rule, their configuration status (on/off), and all outstanding and closed reports per guideline rule.

The table can be exported in HTML and CSV format.

The first supported guidelines are SEI Cert C and C++.

Facebook Infer as a new C/C++ analyzer plugin

Besides clang-tidy, the Clang Static Analyzer, cppcheck and gcc, CodeChecker now also integrates Facebook Infer, a well-known open-source static code analyzer: https://github.com/facebook/infer

CodeChecker will support executing this analyzer. It will not be enabled by default, but is available for testing.


PVS Studio report conversion

From now on, it will be possible to convert the reports of the https://pvs-studio.com/en/pvs-studio/ analyzer and handle them with CodeChecker.
PVS-Studio Static Code Analyzer support by @feeelin in #4356

❗ Backward incompatible changes

  • Resolve checker enable/disable ambiguity by @noraz31 in #4377 and by @cservakt in #4392
    CodeChecker analyze emits an error (instead of a warning) when the enabled checkers/profiles/checker prefix groups are given ambiguously. In these cases the ambiguity must be resolved. For example, the CodeChecker analyze -e security command is ambiguous, because security is both a checker prefix group (all checkers starting with security.) and a profile at the same time. Use CodeChecker -e prefix:security explicitly if you mean the prefix group, or profile:security if you mean the security profile.

CodeChecker -e clang-diagnostic-format gives an error, because it is ambiguous whether the user means the single clang-diagnostic-format checker or all checkers starting with clang-diagnostic-format. To refer to the former, use checker:clang-diagnostic-format; for the latter, use prefix:clang-diagnostic-format.

If you have such clashing cases, you must resolve them. The following namespaces can be used:
  • prefix: - to match checkers starting with a prefix
  • profile: - to match a checker profile
  • checker: - to match a single checker
  • guideline: - to match checkers belonging to a guideline
  • severity: - to match checkers belonging to a given severity
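The namespace resolution described here (and in the identical 6.25.0 notes above) can be modelled in a few lines. This is an added example, not CodeChecker's own code; the checker names, profiles, guidelines and severities are constructed sample data, and a bare name with more than one meaning raises an error just as the release notes describe for -e security and -e clang-diagnostic-format.

```python
# Added example (not CodeChecker's own code): a minimal model of the namespaced
# checker selection (prefix:, profile:, checker:, guideline:, severity:) from
# 6.25.0. Checker names, profiles, guidelines and severities are constructed sample data.

# checker name -> (severity, profiles, guidelines)
SAMPLE_CHECKERS = {
    "security.insecureAPI.strcpy": ("HIGH", {"security", "extreme"}, {"sei-cert-c"}),
    "security.FloatLoopCounter": ("MEDIUM", {"security"}, set()),
    "core.NullDereference": ("HIGH", {"default", "security"}, {"sei-cert-c"}),
    "clang-diagnostic-format": ("MEDIUM", {"default"}, set()),
    "clang-diagnostic-format-nonliteral": ("MEDIUM", {"extreme"}, set()),
}
NAMESPACES = ("prefix", "profile", "checker", "guideline", "severity")

class AmbiguousCheckerSelection(ValueError):
    """A bare name is meaningful in more than one namespace."""

def interpretations(value, checkers=SAMPLE_CHECKERS):
    """Map each namespace in which `value` means something to the checkers it
    selects. A prefix only counts when it matches more than the exact name."""
    hits = {}
    by_prefix = {c for c in checkers if c.startswith(value)}
    if by_prefix - {value}:
        hits["prefix"] = by_prefix
    if value in checkers:
        hits["checker"] = {value}
    for ns, idx in (("profile", 1), ("guideline", 2)):
        members = {c for c, meta in checkers.items() if value in meta[idx]}
        if members:
            hits[ns] = members
    by_sev = {c for c, meta in checkers.items() if meta[0] == value.upper()}
    if by_sev:
        hits["severity"] = by_sev
    return hits

def is_ambiguous(selector, checkers=SAMPLE_CHECKERS):
    ns, sep, _ = selector.partition(":")
    return not (sep and ns in NAMESPACES) and len(interpretations(selector, checkers)) > 1

def resolve(selector, checkers=SAMPLE_CHECKERS):
    """Checkers selected by `-e SELECTOR`: a qualified selector is taken as
    written, a bare one must have exactly one meaning or an error is raised."""
    ns, sep, value = selector.partition(":")
    if sep and ns in NAMESPACES:
        return interpretations(value, checkers).get(ns, set())
    hits = interpretations(selector, checkers)
    if len(hits) > 1:  # e.g. 'security' is both a prefix group and a profile
        raise AmbiguousCheckerSelection(f"'{selector}' is ambiguous; use one of: "
                                        + ", ".join(f"{n}:{selector}" for n in sorted(hits)))
    return next(iter(hits.values()), set())
```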

  • The skip file handling changed! Adding a --drop-reports-from-skipped-files parameter to analyze by @dkrupp in #4332
    After this patch, the skip files will only skip the analysis of the listed files, but will not filter out any reports. This may result in more reports than before.
    By default CodeChecker used to filter out all reports from files which were on the skip list. This can hide true positive reports starting from unskipped code and ending in skipped files (typical with CTU and header related findings).
    This patch removes the default report filtering post processing step from CodeChecker analyze --skip SKIPFILE operation.
    The legacy functionality is still available with the --drop-reports-from-skipped-files parameter.

  • guideline:sei-cert cannot be used anymore. The sei-cert guideline profile was split to guideline:sei-cert-c for the C guideline and guideline:sei-cert-cpp for the C++ guideline. #4400

  • CodeChecker -e W* syntax is not supported anymore. Clang warnings only appear as clang-diagnostic-* checkers and the

🐛 Analyzer improvements

  • [fix] Resolve checker enable/disable ambiguity #4392
  • [fix] Don't capture cc1 by the logger. by @bruntib in #4300
  • Add -mmitigate-rop to ignored options by @noraz31 in #4295
  • Removing alpha checkers from the security profile so it can be used in production by @dkrupp in #4284
  • [analyzer] Adds -fno-freestanding to ignored GCC compiler flags by @ArchieAtkinson in #4281
  • [analyzer] Disable clang-diagnostic-error checker by @cservakt in #4325
  • [analyzer] Ignore -fno-printf-return-value by @pdgendt in #4329
  • [anayzer] Fb infer by @stt08 in #4257

📖 Documentation updates

  • Modified documentation to match current procedures for changing schema by @feyruzb in #4366
  • chore: Remove ancient, unused docs/checker_docs.md by @whisperity in #4283
  • additional library was required for venv_dev by @stt08 in #4273


v6.24.4

27 Oct 22:23

This release fixes a bug about permission settings:

  • [fix] Get product configuration with view permission #4375
    Users with admin rights could not open the product configuration page to change the product configuration or set user permissions.

v6.24.3

18 Oct 13:36

This release fixes an authentication issue:

  • CodeChecker authentication fixed #4369
    Version 6.24.2 introduced the super_user field in the server_config.json.
    If this field was missing from the config file, the authentication did not work for any user.

v6.24.2

18 Oct 10:23

This release contains security vulnerability fixes.
It is highly recommended to upgrade to it as soon as possible.

  1. [fix] Removing the root user creation 3bb2cbf
    Backward incompatible change: The built-in root user generated at CodeChecker server start with
    CodeChecker --reset-root ... has been disabled.
    Instead, SUPER_USER permission can be granted to an existing user in server_config.json.
    For further details, see https://github.com/Ericsson/codechecker/blob/master/docs/web/user_guide.md#initial-super-user

  2. Fix the endpoint parsing issue 8953b30
    The CodeChecker web server accepted some invalid URLs. The URL parsing has been hardened.