Cppcheck-2.0
Overview
The command line is not changed drastically. Your old cppcheck scripts should work as before.
Compiling: There is a new dependency, Z3. When compiling with the Makefile, it is highly recommended to use "USE_Z3=yes".
Improved clang-tidy integration
Several fixes to:
- improve parsing
- detect more bugs with existing checks
- fix false alarms
Clang import
Clang is a C/C++ compiler that has a very robust and well-made parser.
Cppcheck will always use its internal parser by default. However there is now an option to use the Clang parser instead.
It is recommended that you use the default internal Cppcheck parser unless you notice that it fails to parse your code properly (syntax errors, strange false alarms).
Bug hunting
There is a new "soundy" analysis in Cppcheck that should detect most bugs. You should expect false alarms; however, the false alarms will not be overwhelming.
This new "soundy" analysis is not intended to replace normal Cppcheck analysis. There are use cases where false alarms cannot be tolerated.
We have added 1 checker, which checks for division by zero:
- It detects all "integer division by zero" bugs in the Juliet test suite.
- It detects all "division by zero" bugs in the ITC test suite.
- There were 28 division by zero CVEs published in 2019 for C/C++ open source projects, and we could quickly see that 21 of the bugs are found by Cppcheck. There is no CVE bug that we know Cppcheck fails to diagnose. But there are 7 CVEs that would require additional investigation to establish if it is really detected or not.
You can read more about this analysis in the "Bug hunting" chapter in the manual.
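An added example (not from the Cppcheck project or its manual) of the pattern a division-by-zero checker targets: a divisor taken from untrusted input with nothing constraining it, beside a guarded version. The record layout, the sample headers and all function names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed record layout (assumption for this example):
 *   bytes 0-1: stride (bytes per row), little-endian
 *   bytes 2-3: payload length in bytes, little-endian */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Unchecked: stride comes straight from the input, so an analysis that
 * assumes any input value is possible cannot rule out stride == 0. */
int rows_unchecked(const uint8_t *hdr, size_t len)
{
    if (len < 4)
        return -1;
    uint16_t stride = rd16(hdr);
    uint16_t payload = rd16(hdr + 2);
    return payload / stride;          /* traps when stride == 0 */
}

/* Guarded: zero is rejected before the division, and a payload that is
 * not a whole number of rows is treated as malformed. */
int rows_checked(const uint8_t *hdr, size_t len)
{
    if (len < 4)
        return -1;
    uint16_t stride = rd16(hdr);
    uint16_t payload = rd16(hdr + 2);
    if (stride == 0)
        return -1;
    if (payload % stride != 0)
        return -1;
    return payload / stride;
}

/* Constructed sample headers. */
static const uint8_t good_hdr[4] = { 0x10, 0x00, 0x40, 0x00 }; /* 16, 64 */
static const uint8_t zero_hdr[4] = { 0x00, 0x00, 0x40, 0x00 }; /*  0, 64 */

int main(void)
{
    /* rows_unchecked(zero_hdr, 4) would divide by zero; it is not called. */
    return (rows_checked(good_hdr, 4) == 4 &&
            rows_checked(zero_hdr, 4) == -1) ? 0 : 1;
}
```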