v6.13.0

New feature highlights

New web UI

In this release the UI framework was completely replaced to increase usability, stability and performance.
The new framework allows a lot of improvements like:

• faster page load
• faster navigation
• improved front-end testing
• less load on the server

With the new UI the permalinks are backward compatible so the saved URLs should work as before.
Additionally to the UI improvements there is a new feature.
If Unique reports is enabled on the reports view there is a drop down list for each report showing the similar reports
with the same report hash (but maybe with a different execution path)

Note! When building the package nodejs newer than v10.14.2 is required!
Please check the install guide for further instructions on how to install the dependencies.

Apply checker fixits

Some checkers in Clang-Tidy can provide source code changes (fixits) to automatically modify the source code
and fix a report. This feature can also be used to modernize the source code.
To use this feature the clang-tidy analyzer and the clang-apply-replacements tools needs to be available in the PATH.
During the clang-tidy analyzer execution the fixits are automatically collected.

CodeChecker analyze -o report_dir -j4 -e modernize -e performance -e readability compile_command.json --analyzers clang-tidy

Use the CodeChecker fixit report_dir command to list all collected fixits.
Fixits can be applied for a source file automatically like this:

CodeChecker fixit report_dir --apply --file "*mylib.h"

or in interactive mode where every source code modification needs to be approved:

CodeChecker fixit report_dir --interactive --file "*mylib.h"

Fixits can be applied based on a checker name, so to cleanup all the readability-redundant-declaration results execute this command:

CodeChecker fixit report_dir --apply --checker-name readability-redundant-declaration

Coding guideline mapping to checkers (SEI-CERT)

There are coding guidelines like (SEI-CERT, C++ Core Guidelines, etc.) which contain best practices on avoiding common programming mistakes. To easily identify which checker maps to which guideline the--guideline flag was introduced.

To list the available guidelines where the mapping was done, use this command:

CodeChecker checkers --guideline

The checkers which cover a selected guideline can be listed like this:

CodeChecker checkers --guideline sei-cert

If we want to get which checker checks the sei-cert rule err55-cpp by executing
the command below we can get that the bugprone-exception-escape checker should be enabled if the err55-cpp rule needs to be checked.

CodeChecker checkers --guideline err55-cpp 
  bugprone-exception-escape

More detailed information about the checkers and the guideline mapping can be found by executing
this command:

CodeChecker checkers --guideline sei-cert --details

Makefile output

CodeChecker can generate a Makefile without executing the analysis.
The Makefile will contain all the necessary analysis commands as build targets.
With this Makefile the analysis can be executed by make or by some distributed
build system which can use a Makefile to distribute the analysis commands.

Locally with a simple make it can be executed like this:

CodeChecker analyze --makefile -o makefile_reports compile_command.json
make -f makefile_reports/Makefile -j8

On demand CTU analysis support

With this new flag (--ctu-ast-mode) the user can choose choose the way ASTs are loaded during CTU analysis.
There are two options:

• load-from-pch (the default behavior now, works with older clang versions v9 or v10)
• parse-on-demand (needs clang master branch or clang 11)

The mode 'load-from-pch' can use significant disk-space for the serialized ASTs.
By using the 'parse-on-demand' mode some runtime CPU overhead can incur in the second phase of the analysis but uses much less disk space is used.

Execute this command to enable the on-demand mode:

CodeChecker analyze -j4 -o reports_ctu_demand --ctu --ctu-ast-mode parse-on-demand

See the pull request for more information.

Disable all warnings like checker groups

Clang compiler warnings are reported (clang-tidy) by checker names staring with clang-diagnostic-.
Disabling them could be done previously only one-by-one.
In this release the warnings can be disabled now with the corresponding checker group.

CodeChecker analyze --analyzers clang-tidy -d clang-diagnostic

IPv6 support

The CodeChecker server can be configured to listen on IPv6 addresses.

Performance improvements

• diff command printing out source code lines got a performance improvement #2772
• report storage performance got improved #2804

Changes

• DEPRECATED flag!
  --ctu-reanalyze-on-failure flag is marked as deprecated and it will be removed in one of the upcoming releases.
  It will be removed because the Cross Translation Unit (CTU) analysis functionality got more stable in the Clang Static analyzer so this feature can be removed.

Other improvements and changes

There are a lot of further improvements and bug fixes in this release.
The full list of changes can be found here.

Contributors

Big thanks to everyone who helped us creating this release: @sylvestre @thresheek

v6.12.1

Feature change!

Incremental analysis extension introduced in v6.12.0 feature was changed in #2786!
Getting the c/cpp files that are dependencies of a changed header is not done automatically from now on, the user has to generate the c/cpp file list which should be analyzed.
To support this use case the tu_collector tool was extended to be able to generate the dependency source file list like this:

tu_collector --dependents -l ./full_compilation_database.json -f "*/main.h"

Additional helper scripts and examples can be found in the tu_collector documentation how to analyze the source and header files which were modified in a git commit.

Bugfixes

• The parse command could not generate HTML output files #2771
• Fix analyzer --file option. The reports from the included header files should not be skipped #2788
• Fix update comments if the message did not change #2780
• Fix source component update error #2778
• Fix run history tag filter #2769
• Fix tidyargs file encoding error #2767
• Fix segmentation fault in the compile command logger #2768
• The wrong codechecker_api version was used in the developer virtual environments #2770
• The hash overwrite feature crashed if the plist report file was missing #2779

v6.12.0

New feature Highlights

Show clang-tidy reports in headers

Clang-tidy reports are shown from headers (non system) now, this change can increase the number of new results!
Use the following analyzer configuration to turn back the old behavior by setting the HeaderFilterRegex value to an empty string:
CodeChecker analyze compile_command.json --analyzer-config clang-tidy:HeaderFilterRegex=\"\"

Python 3 only

Because of Python 2 sunset at the beginning of 2020 CodeChecker was ported to Python 3 the minimal required version is 3.6. Because of the Python version change and a lot of 3pp dependencies were updated it is required to remove the old and create a new virtual environment to build the package!

Store results from multiple static and dynamic analyzer tools

Starting with this version CodeChecker can store the results of multiple static and dynamic analyzers for different programming languages:

• Facebook Infer (C/C++, Java)
• Clang Sanitizers (C/C++)
• Spotbugs (Java)
• Pylint (Python)
• Eslint (Javascript)
• ...

The complete list of the supported analyzers can be found here.
To be able to store the reports of an analyzer a report converter tool is available which can convert the reports of the supported analyzers to a format which can be stored by the CodeChecker store command.

New build and CI system features and improvements

GitLab integration

Inside a GitLab Runner CodeChecker can executed to provide a code quality report for each GitLab review request. The codeclimate json output format was added to the Codechecker parse and
CodeChecker cmd diff commands to generate a json file which can be parsed
by GitLab as a quality report. See the GitLab integration guide for more details how to configure the GitLab runners and CodeChecker.

Gerrit

Integration was simplified, no extra output parsing and converter scripts are needed. The CodeChecker cmd diff -o gerrit ... command can generate an output format which can be sent to gerrit as a review result.

Bazel build system support

Compilation commands executed by the Bazel build system can now be logged with the Codechecker logger to run the static analyzers on the source files. Check out the Bazel build system integration guide for more details.

Compilation errors as reports

Compilation errors occurred during the analysis are now captured as reports by the clang-diagnostic-error checker. These types of reports can be disabled as a normal checker like this:
CodeChecker analyze --disable clang-diagnostic-error ...

Analyzer and checker configuration from the command line

The Clang and Clang-tidy static analyzers and the checkers can be configured from the command line with the newly introduced --analyzer-config and --checker-config options.

Analyzer configuration

Use these commands to list the available analyzer config options (use the --details flag for the default values and more description):

• CodeChecker analyzers --analyzer-config clangsa
• CodeChecker analyzers --analyzer-config clang-tidy

A Clang Static Analyzer configuration option can be enabled during analysis like this:
CodeChecker analyze compile_command.json -o reports --analyzer-config clangsa:suppress-c++-stdlib=false -c

Checker configuration

Use the CodeChecker checkers --checker-config command to list the checker options, or the CodeChecker checkers --checker-config --details command to get the checker options with the default values.

A checker option can be set like this:
CodeChecker analyze compile_command.json -o reports -e cplusplus.Move --checker-config clangsa:cplusplus.Move:WarnOn="All"

Select only a few files to be analyzed from the compile command database

There is no need for a complex skip file or to create smaller compile command database files to execute the analysis only on a few files. With the --file option the important files can be selected the analysis for the other files will be skipped.
CodeChecker analyze compile_command.json --file "*main.cpp" "*lib.cpp"

Incremenetal Analysis Extension: Analyze c/cpp files that are dependencies of a changed header

Header files can not be analyzed without a c/cpp file. If a skip file contains a header file (with a "+" tag) like this:

+*lib.h
-*

Which means the header file should be analyzed. CodeChecker tries to find all the c/cpp files including that header file and execute the analysis on those c/cpp files too so the header file will be analyzed.
The only limitation is that the full compilation database is required to collect this information.

CodeChecker CLI configuration files

The CodeChecker commands can be saved in a config file which can be put into a version control system or distributed between multiple developers much easier. In the previous release v6.11.0 the support for the analyzer configuration file was added. In this release it was extended to the web server related commands (store, server) so they can be stored into a configuration file too.
It is not required to type out the options in the command line all the time to store the analysis reports.
With an example store_cfg.json config file like this:

{
  "store":
    [
      "--name=run_name",
      "--tag=my_tag",
      "--url=http://codechecker.my/MyProduct"
    ]
}

The CodeChecker store command can be this short: CodeChecker store reports --config store_cfg.json

Other new features worth mentioning

• The review comments in the source code are shown by the CodeChecker parse command
• A free text description can be store to every run which can contain any compilation or analysis related description.
  CodeChecker store --description "analysis related extra information" ...

Removed command line options

These CodeChecker check and CodeChecker analyze options were already deprecated and were removed in this release:

• -f/--force
• --add-compiler-defaults

Other improvements and changes

There are a lot of improvements and bug fixes in this release.
The full list of changes can be found here.

License change

This is the last release with the NCSA license the new license after the release will be: "Apache 2.0 with LLVM Exception", SPDX License Identifier: "Apache-2.0 WITH LLVM-exception"

Contributors

Big thanks to everyone who helped us creating this release: @itzurabhi, @Tilya, @themightyoarfish @rpavlik @sylvestre

v6.11.1

Improvements

• Handle two kinds of implicit includes differently (gcc include-fixed and *intrin.h headers) #2562 #2541
• Filter out include directories containing *intrin.h header files #2569
• Add -fno-keep-static-consts flag to gcc ignore list #2568

Bugfixes

• Translation unit collector did not detect CCache in the build commands #2524
• Fix row output type in command line #2547
• Number of reports was not calculated right for parse command #2539 #2556 #2550
• Path normalization fix for the file skip feature #2548
• Fix error when query limit is larger than max limit #2533
• CodeChecker check no longer works analyzer #2505 #2506 #2532
  • fixes the problem where ClangSA is not available in the PATH

Changes

• Do not enable all modernize checkers in sensitive profile #2502 #2558

v6.11.0

New Feature highlights

• Show system comments for bugs GUI #746
  Review status changes by the users are automatically stored and shown at the report comment section
  for each report. With this feature the status changes of the reports can be easily tracked.

• Introduce different compiler argument filtering if the original compiler was clang #2382 #2482
  If the original compiler used to build a project was clang/clang++ only a minimal compilation
  flag filtering or modification is done.
  In the case where the original compiler was gcc/g++ many non compatible compiler flags were
  filtered which is not required if the original compiler is clang.

• Store the Cppcheck plist reports #2474
  Plist reports generated by Cppcheck can be stored by the CodeChecker store command.
  For a more detailed example how to configure Cppcheck to generate the reports in the right format
  see the documentation.

• CodeChecker config file support for the analysis arguments #427 #2268
  The arguments for a CodeChecker analyze command can be given in a config file.
  A more detailed description about the usage and the config file format can be
  found here.

• Log compile commands with absolute paths #2447
  With the introduction of a new environment variable (CC_LOGGER_ABS_PATH) the compiler include paths
  will be converted to an absoute path.
  This conversion can be necessary if the compiler command database created
  by CodeChecker will be used by other static analyzers (E.g. Cppcheck).

• Enforce taking the analyzers from PATH #2378
  With the newly introduced environment variable the usage of the static analyzers in the PATH
  can be forced even if the configuration contains analyzers not from the PATH.

• List ClangSA checker options #2425
  The Clang Static Analyzer options can be listed now (requires clang v9.0.0 or newer).
  Use the command CodeChecker analyzers --dump-config clangsa to print the static analyzer configuration.

• Support json output for parse command #2424
  The parse command can generate json output from the reports if required:
  CodeChecker parse -e json analyzer_reports

• Use CodeChecker parse with multiple directories #2384
  The CodeChecker cmd parse command now accepts multiple directories to parse the reports from.

• Update the name of a run from the command line #1778

Improvements and bug fixes

Analyzer

• Detect -MG as a precompilation flag #2472
• CodeChecker analyze and parse fails for non ascii. #2454
• Document some new checkers #2445
• Incorrect full path reconstruction for -include #2440
• Resolve symlinks of compiler binaries #2430
• Add missing lxml dependency to the analyzer #2414
• Document two new checks #2405
• Replace analyzer option api-metadata-path with package option APIMetadataPath #2403
• Skip handler must be run before compiler options parsing not after #2396
• Incremental analysis failures on the same file results in stupid failure ZIP #2395
• Do not count a number of skipped actions in progress log #2394
• 'aggressive-binary-operation-simplification' should be clang version dependent #2390
• Do not load plugins when CC_ANALYZERS_FROM_PATH is used #2483
• Print a log message when overwriting a plist file #2375
• Ignore -mllvm option #2374
• Fix taint issue #2426
• Fix missing analyzer binary #2437
• Fix failure zip #2444
• Fix handling '--sysroot=' flag format #2453
• Handle enabled checker per profile for ClangSA #2337
• Do not disable all clang static analyzer checkers unconditionally #2386
• Less argument processing if skip file used without ctu and stats #2462
• Set io.open encoding to utf-8 #2484
• Add 4 new checker severity levels #2485
• some specific Xclang arguments modify the output #2492
• do not disable all clang static analyzer checkers unconditionally #2386

Web

• args.config has been renamed to args.config_file #2478
• Can not delete run #2473
• Always generate a new token on login #2423
• Use saved credentials if auto login is enabled #2421
• Trim white spaces from the user name when adding new permissions to it #2420
• Fix personal access token generation #2413
• Add a heartbeat and readiness URL #2410
• Keep the selected sub tab on run tab switch #2401
• Run tab switch jumps back to previous tab #2400
• Disable run limitation #1949
• Fix hiding tooltip of the source component filter item #2489

Other

• Documentation for cppcheck report storage #2481
• Remove SimpleStream checker from sensitive profile #2480
• Extra comments for clang compiler change in travis #2469
• Bump up the minimal required clang version #2468
• OSX does not have include-fixed in its include path #2464
• The existence of a config file influences the test #2463
• Fix test case for has_analyzer_option #2460
• Sort report lines for files #2459
• Fix missing type imports for the tests #2456
• Update to xcode10 in travis #2455
• Upgrade tests to run with Clang 9.0.0 #2451
• Remove fail zip first in case of write mode. #2450
• Fix pylint errors #2448
• Fix travis error code handling. #2446
• Adding compilation database to JSON in tu_collector #2441
• Revert "add label configuration for the github actions" #2438
• Update authentication.md for codechecker.readthedocs.io publishing #2436
• Fix thrift path on osx #2431
• Fix pylint warnings #2422
• Add more example how to use credentials #2416
• Simplify Gerrit integration documentation #2415
• Rename shared.thrift to codechecker_api_shared.thrift #2406
• Fix travis failure #2392
• Add default values to the package_layout.json #2385
• Refactoring package_layout.json file #2379
• Increment CodeChecker version to 6.11.0 #2313
• It is not possible to order runs by run name #2235
• Support response files #2092
• Introduce code owners file #2075

API changes

• New filter options for CodeChecker cmd runs command #2343

Contributors

Big thanks to everyone who helped us creating this release: @josod, @LebedevRI, @sylvestre, @hpwxf, @irishrover, @scphantm

v6.10.1

This is a bug fix release including many fixes and documentation updates. There are no new features or backward incompatible changes.

Bugfixes

Most important

• Fix exception handling for HTTP POST requests #2331
  The improper handling of a possible exception caused the server to hang and not respond to the new requests.
• Autocompletion for the login form #2276
  The login form will be autocompleted if the credentials are saved by the browser.
• fix backslash in user name #2332
  LDAP user names containing a backslash caused exception at the server.
• Skip lists should not be applied to the CTU pre-analysis step #2299
  To collect the required information for the CTU and statistics based analysis no source
  files are skipped from the compilation database at the pre-analysis step.
• api modeling checkers should be enabled in all profiles #2305
• Increase the severity of some checker that indicate Undefined Behaviour #2370
• Removing alpha.security.MallocOverflow from the sensitive profile throws too many false positives #2366

compiler include path related fixes

• Keep GCC include-fixed dirs in include paths #2272
  The include-fixed include paths by gcc might be required for the analysis, but that is
  project dependent a new --keep-gcc-include-fixed flag is introduced so the projects can keep or remove
  the include paths for the analysis.
• Additional -nostdinc[++] #2344, -stdlib #2303 compilation flags are considered at the implicit compiler include path detection, because they affect the list of the include paths.
• Clang searches for builtin includes relative to the binary #2302
  Clang builtin include paths were added by an --isystem flag at a fixed place if the include files were in the package, standard clang installation should not be affected by this change.

compilation command logging related fixes

• Fix ld_logger crash #2309
  A crash during logging prevented to collect the compilation commands.
• Give absolute path in the CC_GCC_LOGGER_LIKE environment variable #2315
  If there are compiler wrapper scripts named the same way as the original compiler (gcc/g++) logging the original compiler was hard because the difference was only in the path of the executable. With this change the logging the original compiler execution can be done too.

Analyzer

• Fix Z3 refutation detection #2231
• return 0 in case no analysis is needed #2255
• Crash in splitting output of "clang -### ..." #2300
• Plist files should contain absolute paths #2360
• import get_logger in clang_options.py #2296
• CodeChecker disables apiModeling by default #2289
• Introduce clang version dependent options #2287
• fix env forwarding for the subprocess in ctu autodetect #2284
• Fix a typo on setup_process_timeout call #2281
• -fstack-reuse is not supported by clang #2280
• Determine language based on compiler name #2277
• Remove skip list handler from common module #2274
• remove argument handling class from common module #2254
• move report parsing related code to the parse cmd #2252
• fix context free report hash generation doc #2251
• refactor suppress file handler #2250
• Fix LOG.debug #2248
• move proc timeout functions and tests to analyzer #2246
• move get_binary_in_path to analyzer module #2245
• Add tests for cmdline #2283

Web

• Store analyzer version instead of CodeChecker version #2373
• Upgrade JQuery to 3.4.1 #2345
• Fix double scroll bar on the GUI #2334
• Extend the help message of "CodeChecker cmd del" command #2325
• indentation of the call graph is not always correct #2320
• Make placeholder help for source components more descriptive #2310
• "loading" label for unauthorized users #2307
• Fix local session creation #2301
• Fix comment update #2282
• Fix pg8000 test command #2275
• Revise how events are indented in a bug report #2269
• Web GUI doesn't honor new lines for comments #2259
• move profiler from common to server #2247
• Impossible to delete run in the web GUI #2234
• Fix reading worker_processes config value #2227
• Fix source code comment regex #2356

Other

• Description of incremental analysis using skipfile #2381
• Remove whitespace characters at cmd results #2362
• Buggy 'CodeChecker parse --print-steps' filename outputs when a report is ranging across TUs. #2358
• Format main README.md #2355
• Fix daily script #2316
• package_layout.json "ctu_func_map_cmd" is not considered #2330
• Update documentation #2323
• ld_logger improvement #2317
• gcc compiler flags against Spectre unknown by clang #2304
• match for multiple digit clang versions in tests #2298
• Update travis ci base image to bionic #2291
• replace StackAddressEscape checker in analyzer tests #2288
• Omit extra newlines while logging build commands #2286
• Add standalone package target #2273
• remove unused db version information #2270
• create reports and project for the update test #2266
• enable build matrix for travis #2261
• tu_collector tests can be run independently #2253
• update travis to clang8 #2244
• Exception on regex characters in checker name #2241
• Fix Clang version regex in tests #2239
• bump up version to v6.10.1 #2225

API

• Fix getDiffResultsHash API function #2265

Credits

Big thanks to everyone who helped us creating this release: @gwangmu, @irishrover, @zingo

v6.10.0

Backward incompatible CLI change

• CLI run name filter delimiter was changed from ":" to " ".
  With this change run names containing ":" can be filtered.
  The previous solution prevented to filter run names containing ":". #2113

Analyzer

New Features

• Add support to enable Z3 refutation.
  Use the Z3 theorem prover if Clang is built with it, to cross check the results by Clang Static Analyzer.
  The usage of this solver can reduce the false positives produced by the ranged-based solver,
  and using refutation should not increase the analysis time a lot. #2091
  This feature is enabled by default if available.

• Add support to enable Z3 Theorem Prover #2087
  Use the Z3 theorem prover if Clang is built with it. In this case the built in range-based constraints
  solver will be replaced by Z3 in Clang Static Analyzer.
  The performance is worse than the default range-based constraint solver right now.
  It can be enabled by the --z3 flag.

• Give warning if an enabled or disabled checker is missing or there was a typo in the checker name #2215

• Clang warnings can be listed with the CodeChecker checkers --warnings #1693

• Add --trim_path_prefix option for parser command #2076

Improvements

• Multiple improvements and bug fixes for build environments with ccache #2202, #2126
• Collect compiler information for multiple languages (C/C++) #2193
• If available use lxml library to parse plist files to improve performance #2170
• Skip sources argument when parsing the precompilation options #2072
• Define severity for new checkers #2128, #2132, #2141
• Adding clang8 checker naming related changes #2216
• Try to autodetect mapping tool based on clang version, required for CTU analysis with clang8 and newer #2030
• Improvements to log compilation commands during the build process #2131, #2160, #2139

Web

New Features

• Filtering can be done based on the bug path length on the web UI #2197
• CLI is now able to return the detailed bug path if required #2068
• The diff command prints the summary of the results now #2165
• New documentation and configuration files to create docker images for easier setup and installation #2038
• New docker image is available on dockerhub

Improvements

• Multiple performance improvements to speed up the storage and query of the results #2177, #2175, #2172, #2188, #2169, #2178, #2163, #2135
• Case insensitive LDAP group search and comparison #2073
• Don't allow users to see the results of a product where no permissions were set #2158
• Send back a valid Thrift error response instead of HTTP error codes #2149
• Implicit initial wildcard in search fields for easier search #2134
• Multiple third party dependencies were updated (SQLAlchemy, psycopg2) #2079, #2181

Web API changes

• Create separate API function to get analysis statistics #2182
• Run history limitation was introduced #2177
• getRunData limitation was introduced #2175
• New API function is available to get check command #2172

Other bug fixes and improvements

You can find a more detailed list of changes here: milestone 6.10

v6.9.1

New

• Enabling expand-macros feature of clang #1994
  • Since clang v8 macros can be expanded in the reports. This feature is enabled by default in CodeChecker
    so the reports will always contain macro expansions for better report understanding.
• Specify only a sub string of the checker name for suppression #2019
  • Source code review status comments will work with checker name sub strings (useful if a checker is moved between packages)
• New security checkers profile #1054
  • New security profile with multiple security related checkers is available.
    Run CodeChecker checkers --profile security for the full list of checkers.

Changes

• Added severity levels of yet uncategorized checkers and checker profiles were updated #2034

Default profile:

Added

• alpha.cplusplus.UninitializedObject
• bugprone-copy-constructor-init
• bugprone-terminating-continue
• bugprone-throw-keyword-missing
• bugprone-unused-return-value
• bugprone-virtual-near-miss
• cert-fio38-c
• cplusplus.InnerPointer
• optin.cplusplus.VirtualCall

Sensitive profile:

Added

• alpha.cplusplus.UninitializedObject
• alpha.security.MmapWriteExec
• bugprone-copy-constructor-init
• bugprone-exception-escape
• bugprone-macro-parentheses
• bugprone-terminating-continue
• bugprone-throw-keyword-missing
• bugprone-unused-return-value
• bugprone-virtual-near-miss
• cert-dcl54-cpp
• cert-err09-cpp
• cert-fio38-c
• cert-msc51-cpp
• cplusplus.InnerPointer
• optin.cplusplus.VirtualCall

Extreme profile:

Added

• alpha.cplusplus.UninitializedObject
• alpha.security.MmapWriteExec
• bugprone-copy-constructor-init
• bugprone-exception-escape
• bugprone-macro-parentheses
• bugprone-terminating-continue
• bugprone-throw-keyword-missing
• bugprone-unused-return-value
• bugprone-virtual-near-miss
• cert-dcl54-cpp
• cert-err09-cpp
• cert-fio38-c
• cert-msc51-cpp
• cplusplus.InnerPointer
• cppcoreguidelines-narrowing-conversions
• misc-unused-parameters
• optin.cplusplus.VirtualCall
• optin.performance.Padding
• security.insecureAPI.bcmp
• security.insecureAPI.bcopy
• security.insecureAPI.bzero
• security.insecureAPI.strcpy

You can get more information about the checkers here and here.

Improvements

• Show supported analyzers at cmd checkers #2055
• add readthedocs link #2041
• introduce readthedocs #1935
• add docs as a special route #2052
• Gerrit-Jenkins integration is extended #2061
• rename passwords json file in the doc #2035
• add new mkdocs target to build the documentation #2026
• update test documentation #1985
• Resurrect --compiler-info-file analyze flag. #2039
• [userguide] Disable review status change feature #2002
• Travis clang back to 7 #2022
• run brew cleanup only in osx in travis #2016
• load only files with ".so" extension as a plugin #2014
• Run python style tests before test target #2010
• Improve web test performance #2004
• Keep clang flags #2003
• Update travis llvm version #1998
• Create pip package from tu-collector #1995
• Pip package from plist-to-html #1993
• Increase performance of the travis jobs #1991
• Add pylint and pycodestyle targets #1952
• Add more test targets to the main Makefile #1951
• Handle cases when plugin directory does not exist #1946
• Use compiler_info.json file in debug scripts #1941
• Give better error message on keyerror at package context #1933
• Extend version file with git information #1931
• Download external dependencies with Makefile #1929
• Add example for CodeChecker cmd diff #1927
• Tool to create new compiler info files from old ones. #1909
• return error in case of wrong checker profile name #2059
• create test case for mixed compilation x dependency file case #2050

plist to html tool improvements

• Improve plist-to-html sort performance #2037
• [plist-to-html] Ordering of reports #1973
• [plist-to-html] Link to index.html #1972
• [plist-to-html] Sort the reports in ascending order by file path #2054
• [plist-to-html] Ordering reports #2028
• collect statistics for plist to html parser #1035

Bug Fixes

• The skipped flags are skipped in case of Clang too #2062
• A compiler doesn't provide an architecture target #2067
• fix missing sys import #2064
• isystem path was set wrong #2060
• fix profile listing on name conflict #2058
• handle character decoding problems (locale mismatch) #1770
• review status is not set #1647
• filter based on detection date without setting the hour value #2048
• detection date filter not set from url #2047
• plist to html index.html sorting problem #2046
• Fix package build #2029
• Yet another logger fix #2027
• Logging does not preserve escaped quotes #2025
• Cleanup database on run remove #2018
• Fix travis missing "then" keyword #2017
• Refactoring docs #2013
• Processing target architecture first in log parser #2008
• Fix run_test target #2006
• Fix default target call #2000
• return an empty string at getting compiler includes #1997
• Fix cleaning venv_dev #1996
• Compile action contains bot compiler and preprocessor flags #1989
• Fix authentication #1988
• fix analyzer_statistics module import #1982
• Introducing --compile-uniqueing parameter #1965
• Fix run_test target #1958
• Fix cleanup target #1950
• Do not store failed files when using 6.9.0 version #1943
• Fix failed source list of analysis statistics #1942
• There is no way to jump to a note, like you can to events #1940
• fix action list length check #1938
• Fix verbosity in build scripts #1936
• CodeChecker log generated json can't handle filenames with spaces #1366
• Incorrection documentation about "cmd login" #1133

Source repository changes

This release contains many bug fixes and a large amount of source code refactoring.
We started the refactoring to split up the source tree to easier manageable pieces.
The work is not fully finished but we are close.
Separating the main parts will allow us to release and develop them independently in the future.

The main new parts of the restructured repository are:

• analyzer (run and configure the supported static analyzers)
  • tools/build-logger/ (log compiler invocations during build)
• web (web server and client to store/query and manage the reports)
• tools (independent tools which are used by the analyzer or web)
  • plist_to_html
  • tu_collector

You can find more details about the new layout here #1830

Refactoring

• Move webserver unit tests under server #1955
• allow to set the base wp dir from env variable for tests #1983
• Allow to set workspace for web tests #1980
• Reduce the number of travis matrices #1975
• Cache downloaded binary osx packages on travis #1966
• Skip generated files from tests projects in gitignore #1959
• use templates to generate html files #2040
• Create commands.json for sub-commands #1932
• Create package directory #1977
• Separate directory for analyzers #1976
• call setup.py only in the target #2015
• Refactoring web docs #2024
• Revert back package build scripts to py2 #1945
• remove py3 incompatible uppercase conversion #1923
• python3 compatible exception cleanup #1922
• Build the package before running functional tests #1954
• cleanup make targets with/without virtualenv #2007
• merge dev and test virtual environments #2005
• Refactoring CONTRIBUTING.md file after split up #2011
• Use Makefile to build CodeChecker package #1937
• Refactoring generated CodeChecker dependency #1990
• Refactoring plist to html #1986
• Refactoring config files #1979
• Add targets to build analyzer and web separately #1974
• Rename libcodechecker to codechecker_common #1968
• Remove .noserc from root #1967
• Split up source repository #1964
• Split up refactoring #1963
• Fix CodeChecker version after split up #1962
• Get analyzer_statistics module from analyzer #1961
• Move some files to webserver common #1960
• Split up docs #1956
• Create separate contexts for analyzer and server #1953
• Split up server/client handling parts #1944
• Split up analyzer handling part #1939
• Remove psycopg2 from analyzer requirements #1999
• Prepare split up #1921
• finish logging cleanup #1911
• fix pylint old-style class warnings #1917
• py3 fix iterator protocol (next method change) #1926
• fix dict.items referenced when not iterating py3 #1925
• fix dict item was referenced when not iterating py3 #1928
• Move analyzer specific test projects under analyzer #1947
• Move server related test projects under server #1948

v6.9.0

Release 6.9.0

New Features

• New "OFF" and "UNAVAILABLE" detection statuses were introduced #1850
  Mark a report "OFF" in case the checker is available but it was turned off in a later analysis.
  Mark a report "UNAVAILABLE" in case the checker was removed or renamed between different analyzer releases.
  They influence the analysis statistics numbers, see the documentation for further details
  (diff calculation)
• Disable review status change on the WEB UI #1825
  Review status changed for a product can be disabled by a product admin.
• Improved logging for build systems using ccache #1864
• Filter by detection date in command line #1899
• CallAndMessageUnInitRefArg was removed from extreme profile #1897
• Add run name filter to Codechecker cmd runs command #1849
• Report uniqueing arguments in command line #1877
• Handle compile errors and analyzer crash separately #1829
• New documentation about report identification #1831
• Add left/right arrow to the bug steps in the webui #1813
• Add extra analyzer flag if the iterator checkers are enabled #1833
• Highlight selected event in the generated html report #1893
• Announcement banner. #1861

Improvements

• Log optimization #1886
• Do not convert notes to events #1882
• Edit doxygen main page and add images #1884
• Ignore encoding errors #1852
• Warning when upgrading SQLite database #1858
• Update architecture overview #1880
• Correct way to convert clang-tidy .rst to .md correctly rendered by CodeChecker #1857
• Show link to the ClangTidy site for ClangTidy checks in "Show Docs" #1848
• Remove unused analyze arguments from User Guide. #1891
• NFC: just sort checker names #1847
• Add bugprone-parent-virtual-call check for clang-tidy v7+ #1843
• Set user name in the HTTP response header #1828
• Unnecessary signal handling in performance test. #1826
• Write more info logs at the server #1824
• Print statistics on signal #1823
• ugrade boost before thrift install #1821
• Freeze test requirements and move requirements.txt #1820
• New dockerfiles for test environments #1819
• Source venv before pycodestyle #1817
• Upgrade test environment for clang7 #1816
• Initial mkdocs support #1812
• Documentation cleanup #1811
• Bump up version to 6.9.0 #1809
• Constructing config handler is the analyzer classes' responsibility #1788
• Modify curl arguments for 3pp downloads #1718
• Review sql queries #1700
• Contradiction expensive to evaluate #864
• Refactoring fail zip #1772
• Add stats collector hook #1872
• Option parser refactoring #1814
• Make ImplicitCompilerInfo's methods static. #1892
• Reformat usage guide for mkdocs #1832
• Add tooltips to detection status filter items #1907

Bug Fixes

• Add clang_analayzer macro to CTU pre analysis #1865
• Fix --timeout as clang-sa spawned child processes are not killed now #1844
• Tash files are created in cwd by --stats-collect #1881
• Whitespace escaping in source path #1871
• Fix HTML converter layout file default path #1894
• Fix PlistToHTML bug path arrows #1889
• Fix escaping in command line arguments #1888
• Fix: macros are under diagnosics instead of path #1887
• Test OSX Travis #1873
• Fix default value of Boolean column at migration #1869
• Option parser refactoring broke osx tests #1868
• Combobox with False-positive/Intended/... is not shown on last revision #1863
• Update postgresql in osx travis ci #1856
• Fix running psql test cases #1846
• Fix source code comment unicode error #1845
• [CTU] Compiler default C++ dialect is not added when generating the PCH files #1838
• Fix documentation (markdown syntax and typo) #1810
• When many products are added (>30) the product list page takes ~6s to load #1730
• If the json file is incorrect formatted, show the impacted file #1665
• Fix typo #1896
• Fix slow boost build in travis #1822
• Fix command line help message #1854
• Small fixes found by PyCharm's static analysis #1837
• Upload compiler_info.json #1900
• Fix storage of analysis statistics test #1901
• Store statistics if it contains failed zips #1902
• Small log parser fixes. #1903
• Enable statistics checkers before workers #1905
• Fix password request for cmd #1910
• Fix missing space in warning message #1912
• Add missing future imports #1913

v6.8.1

Improvements

• Select hash generation method #1801
  Analyzer report hash generation algorithm can be selected in the command line
• Add dates to the run tag list at report filter #1781
• New documentation for Gerrit-Jenkins integration #1746
• Don't parse command line options for skipped files. #1790
• Improve option_parser.py::arg_check to reduce number of regexps compiled #1789
• Log invalid LDAP credentials as warnings #1787
• Preserve -nostdinc++ in command line, the same as for -nostdinc #1779
• Slightly cleaner handling of constructing analyzers #1774
• Option to do database migration without user interaction #1769
• Print out which product is garbage collected #1767
• Online server configuration file reload #1766
• Handle SIGTERM to stop the server running. #1762
• Remove trivial properties. Rename some files. #1759
• Add missing python requirement. #1756
• Add logo files #1750
• Skip '-Xclang ' at argument parsing #1744
• Add .editorconfig file #1697

Bug Fixes

• GUI Bug bug path numbering #1806
• --force argument for store does not work #1802
• Hash generation failed because of decoding error #1800
• Bug fix: if there is an issue present, parse_output_parser.py #1799
• Multiple configuration option for the same checker #1791
• Check that the given product exist at server #1786
• Fix long line #1785
• Fix exception message printing at server #1784
• Break long lines at cmd analyze and check commands #1783
• Convert relative include paths to absolute #1782
• Fix scrolling at Bug List data grid #1780
• Add missing images to user guide #1776
• Remove lock file at the end of logging #1773
• Fix profileit function #1768
• Fix storing check command #1764
• Fix instance manager file lock #1763
• Fix plist to html parser #1758
• Fix non breakable space character #1754
• Slugify run name when storing analysis statistics #1753
• Fix plist to html converter missing severity #1751
• Fix run tab change #1748
• Increase performance of loading products #1740
• check command's -c flag should remove the report directory #1646
• Fix SQL query #1808