Releases: Ericsson/codechecker
v6.27.4
This is a security release that fixes a critical authorization issue. Please upgrade your servers as soon as possible.
Corresponding CVE ID: CVE-2026-25660
Thanks to @mtolley for reporting this issue.
- Add missing VIEW permission check 7d60d1e
- Additional logic for handling missing auth sessions 75b3913
- Relax permissions requirements for task management fd9f405
- [fix] Fix invisible chars in error plist (#4809)
Full Changelog: v6.27.3...v6.27.4
v6.27.3
v6.27.2
Bug fixes
- Fix: Handle empty stdin gracefully in fixit command #4766
- [fix] Can't list server instances at PyPI installation #4757
- Fix fnmatch.translate() in skiplist handler #4754
- [fix] Fix fnmatch regex generation assert #4753
- [fix] "CodeChecker checkers" crash when infer used #4748
- Fix the issue where the ReportTree component remains in a loading state when the result exceeds MAX_QUERY_SIZE #4747
- [fix] Crash on non-existing variable #4742
- Log full OS error message when the connection fails #4740
Enhancement
- [fix] Add -j flag to "CodeChecker store" #4763
- Added flags to set server processes #4772
- Remove store_time.log #4770
Configuration
- Add "-fdump-rtl.*" to ignored GCC compiler options #4765
- [add] add severity for sarif #4761
- [analyzer] Completely remove -analyzer-opt-analyze-headers #4760
- [analyzer] Remove -analyzer-opt-analyze-headers flag #4752
- Upgrade deps #4751
- [fix] Missing OWASP Top10 link from checker labels #4749
- Print analysis length with 2 decimals #4745
- Upgrade SQLAlchemy to version 2.0 #4729
- [refactor] Do not use pinned versions in requirements.txt #4714
v6.27.1
v6.27.0
🌟 Highlights
Asynchronous Store
CodeChecker changes its store execution model from synchronous to asynchronous mode.
The CodeChecker store command will not have to wait synchronously for the server to finish the storage procedure of the reports, but can seamlessly continue execution after the store process started. Then later, it can query the status of the storage task from the server.
This provides more stable report storage procedures, as many users experienced broken TCP connections while storing large batches of analysis results.
CodeChecker will provide a command line utility for admins to query ongoing/finished/cancelled storage processes, with filtering options.
❯ build/CodeChecker/bin/CodeChecker cmd serverside-tasks --enqueued-after 2024:08:19 --status cancelled
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Token | Machine | Type | Summary | Status | Product | User | Enqueued | Started | Last seen | Completed | Cancelled?
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
8b62497c7d1b7e3945445f5b9c3951d97ae07e58f97cad60a0187221e7d1e2ba | xxxxxxxxxxxxx:8001 | taskService::DummyTask | Dummy task for testing purposes | CANCELLED | | | 2024-08-19 15:55:34 | 2024-08-19 15:55:34 | 2024-08-19 15:55:35 | 2024-08-19 15:55:35 | Yes
6fa0097a9bd1799572c7ccd2afc0272684ed036c11145da7eaf40cc8a07c7241 | xxxxxxxxxxxxx:8001 | taskService::DummyTask | Dummy task for testing purposes | CANCELLED | | | 2024-08-19 15:55:53 | 2024-08-19 15:55:53 | 2024-08-19 15:55:53 | 2024-08-19 15:55:53 | Yes
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Detailed analysis status command
CodeChecker parse --status ./report_dir [--detailed] [-e json]
This command provides a clear overview of the current state of analysis results within the report directory, indicating which reports are up to date, which are outdated, which analyses have failed, and which files were never processed (e.g. skipped).
Example output:
----==== Summary ====----
Up-to-date analysis results
clangsa: 311
clang-tidy: 311
Outdated analysis results
Failed to analyze
clangsa: 20
clang-tidy: 20
Missing analysis results
clangsa: 18
clang-tidy: 18
cppcheck: 349
Total analyzed compilation commands: 331
Total available compilation commands: 349
----=================----
The --detailed flag shows the exact files involved instead of just counts. For automated workflows, the -e json option provides the status info in a format that can be easily processed.
New Component Filter mode: single-origin-report
A new report filter option is introduced to CodeChecker: Single Origin mode. This option makes it possible to filter only those reports which are contained entirely within a source code component. To use it, select the "Single Origin" mode when editing the Source Component filter in the Reports view.
This new option is also available from the command line using the --single-origin-report argument, e.g.:
CodeChecker cmd results --single-origin-report --component my_component ...
Highlight non-compliant guideline rules
Non-compliant rules are highlighted in the SEI-Cert statistics and compliant rules can be hidden.

[feat] Highlight non-compliant rules in the Guideline statistics by @noraz31 in #4616
Navigable numbers in the product statistics page
The values of the outstanding reports graph are now clickable.

[feat] Show found issues on a given date from statistics by @gulyasgergely902 in #4615
What's Changed
- [ci] Add CodeChecker analyze to GitHub Actions by @gulyasgergely902 in #4604
- [fix] Fix codechecker GitHub gating by @gulyasgergely902 in #4623
- [feat] Show found issues on a given date from statistics by @gulyasgergely902 in #4615
- [feat] Highlight non-compliant rules in the Guideline statistics by @noraz31 in #4616
- [fix] Cppcheck suppress unusedFunction checker only once by @bruntib in #4599
- [fix] Fix github gating authentication issue by @gulyasgergely902 in #4630
- [fix] Fix statistics page components by @gulyasgergely902 in #4631
- [fix] Fix updating fixed_at time by @gulyasgergely902 in #4621
- Typo fix by @bruntib in #4639
- Upgrade psycopg2-binary to 2.9.10 by @bruntib in #4640
- [feat] Store hashed pwds in server config by @dr-antimonious in #4641
- Upgrade pg8000 to 1.31.4 by @bruntib in #4644
- Bump urllib3 from 2.2.2 to 2.5.0 in /scripts/labels by @dependabot[bot] in #4605
- Manage secrets outside of server_config.json by @barnabasdomozi in #4633
- feat(server): Asynchronous server-side background task execution by @bruntib in #4603
- Update psutils to version with wheels by @elupus in #4499
- [doc] Fix documentation link by @bruntib in #4652
- Rework config_directory by @barnabasdomozi in #4645
- [doc] Fix section links in readthedocs.io documentation by @bruntib in #4653
- [fix] Parallelize parse_unique_log to speed-up ~nproc times by @irishrover in #4607
- fix link ref in usage.md by @SimonHeimberg in #4655
- [report-converter] Improve documentation maintainability by @gamesh411 in #4424
- Url format checker doesn't recognize - as part of url by @feyruzb in #4627
- Bump requests from 2.32.3 to 2.32.4 in /web/requirements_py/auth by @dependabot[bot] in #4598
- 6512 documentation on GitHub gating by @gulyasgergely902 in #4634
- feat(cmd): Implemented a CLI for task management by @bruntib in #4609
- [fix] get analyzer name from SARIF report by @Rayzedan in #4671
- Replace CTU query functions to ClangSA by @bruntib in #4672
- Fix ClangTidy default hash type in codechecker_report_converter by @barnabasdomozi in #4661
- [fix] ld_logger not available in MacOS by @bruntib in #4673
- Guideline stats sorting issue by @gulyasgergely902 in #4681
- Fix statistics numbers by @gulyasgergely902 in #4680
- Async store 3 by @bruntib in #4662
- [fix] The hash should match the package in package-lock.json by @bruntib in #4687
New Contributors
- @Marsman1996 made their first contribution in #4618
- @dr-antimonious made their first contribution in #4641
- @elupus made their first contribution in #4499
- @SimonHeimberg made their first contribution in #4655
- @salticecream made their first contribution in #4654
- @Rayzedan made their first contribution in #4671
Full Changelog: v6.26.2...v6.27.0
v6.27.0-rc1
🌟 Highlights
Asynchronous Store
CodeChecker changes its store execution model from synchronous to asynchronous mode.
The CodeChecker store command will not have to wait synchronously for the server to finish the storage procedure of the reports, but can seamlessly continue execution after the store process started. Then later, it can query the status of the storage task from the server.
CodeChecker will provide a command line utility for admins to query ongoing/finished/cancelled storage processes, with filtering options.
❯ build/CodeChecker/bin/CodeChecker cmd serverside-tasks --enqueued-after 2024:08:19 --status cancelled
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Token | Machine | Type | Summary | Status | Product | User | Enqueued | Started | Last seen | Completed | Cancelled?
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
8b62497c7d1b7e3945445f5b9c3951d97ae07e58f97cad60a0187221e7d1e2ba | xxxxxxxxxxxxx:8001 | taskService::DummyTask | Dummy task for testing purposes | CANCELLED | | | 2024-08-19 15:55:34 | 2024-08-19 15:55:34 | 2024-08-19 15:55:35 | 2024-08-19 15:55:35 | Yes
6fa0097a9bd1799572c7ccd2afc0272684ed036c11145da7eaf40cc8a07c7241 | xxxxxxxxxxxxx:8001 | taskService::DummyTask | Dummy task for testing purposes | CANCELLED | | | 2024-08-19 15:55:53 | 2024-08-19 15:55:53 | 2024-08-19 15:55:53 | 2024-08-19 15:55:53 | Yes
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
What's Changed
- [ci] Add CodeChecker analyze to GitHub Actions by @gulyasgergely902 in #4604
- [fix] Fix codechecker GitHub gating by @gulyasgergely902 in #4623
- [feat] Show found issues on a given date from statistics by @gulyasgergely902 in #4615
- [feat] Highlight non-compliant rules in the Guideline statistics by @noraz31 in #4616
- [fix] Cppcheck suppress unusedFunction checker only once by @bruntib in #4599
- [fix] Fix github gating authentication issue by @gulyasgergely902 in #4630
- [fix] Fix statistics page components by @gulyasgergely902 in #4631
- [fix] Fix updating fixed_at time by @gulyasgergely902 in #4621
- Typo fix by @bruntib in #4639
- Upgrade psycopg2-binary to 2.9.10 by @bruntib in #4640
- [feat] Store hashed pwds in server config by @dr-antimonious in #4641
- Upgrade pg8000 to 1.31.4 by @bruntib in #4644
- Bump urllib3 from 2.2.2 to 2.5.0 in /scripts/labels by @dependabot[bot] in #4605
- Manage secrets outside of server_config.json by @barnabasdomozi in #4633
- feat(server): Asynchronous server-side background task execution by @bruntib in #4603
- Update psutils to version with wheels by @elupus in #4499
- [doc] Fix documentation link by @bruntib in #4652
- Rework config_directory by @barnabasdomozi in #4645
- [doc] Fix section links in readthedocs.io documentation by @bruntib in #4653
- [fix] Parallelize parse_unique_log to speed-up ~nproc times by @irishrover in #4607
- fix link ref in usage.md by @SimonHeimberg in #4655
- [report-converter] Improve documentation maintainability by @gamesh411 in #4424
- Url format checker doesn't recognize - as part of url by @feyruzb in #4627
- Bump requests from 2.32.3 to 2.32.4 in /web/requirements_py/auth by @dependabot[bot] in #4598
- 6512 documentation on GitHub gating by @gulyasgergely902 in #4634
- feat(cmd): Implemented a CLI for task management by @bruntib in #4609
- [fix] get analyzer name from SARIF report by @Rayzedan in #4671
- Replace CTU query functions to ClangSA by @bruntib in #4672
- Fix ClangTidy default hash type in codechecker_report_converter by @barnabasdomozi in #4661
- [fix] ld_logger not available in MacOS by @bruntib in #4673
- Guideline stats sorting issue by @gulyasgergely902 in #4681
- Fix statistics numbers by @gulyasgergely902 in #4680
- Async store 3 by @bruntib in #4662
- [fix] The hash should match the package in package-lock.json by @bruntib in #4687
New Contributors
- @Marsman1996 made their first contribution in #4618
- @dr-antimonious made their first contribution in #4641
- @elupus made their first contribution in #4499
- @SimonHeimberg made their first contribution in #4655
- @salticecream made their first contribution in #4654
- @Rayzedan made their first contribution in #4671
Full Changelog: v6.26.2...v6.27.0-rc1
v6.26.2
This is a bugfix release with minor feature updates and the following highlights:
Security
This patch fixes a buffer overflow vulnerability in the CodeChecker log command line client (CVE-2025-40843).
Other
- Fix gcc exception if it is enabled only but a clang analyzer config i…
- Add memory-safety guideline (https://github.com/Ericsson/codechecker/pull/4654, commit https://github.com/Ericsson/codechecker/commit/c2590be8eec6964962da5382a59d389e5c5b79b8)
- Parallelize parse_unique_log to speed-up ~nproc times
- [fix] Fix statistics page report numbers
- [feat] Simplify product overview tab in Statistics
- [feat] Store hashed pwds in server config
- [feat] Highlight non-compliant rules in the Guideline statistics
- [fix] Cppcheck suppress unusedFunction checker only once
Full Changelog: v6.26.1...v6.26.2
v6.26.1: [fix] Personal access token name fix
- Install "requests" Python dependency #4596
- [fix] Fix migration logging #4597
- [fix] Add global view permission requirement for viewing products #4608
- [feat] Sync group permissions with login provider to prevent out-of-sync groups. #4610
- [fix] Significant speed-up for create_actions_map and start_workers #4611
- Fix SeverityIcon color error #4618
- [fix] Blank page on invalid session token #4622
- [fix] Personal access token name fix #4628
Full Changelog: v6.26.0...v6.26.1
v6.26.0
🌟 Highlights
OAuth2 based Single Sign On Authentication
CodeChecker now provides OAuth2 based user authentication through various providers. It is now possible to configure your CodeChecker server instance to accept user logins with their Google, Microsoft or GitHub accounts.
To enable this feature, you will first need to configure your CodeChecker server instance with the corresponding OAuth provider and add a new authentication method section in the CodeChecker server configuration file.
If the user group memberships are managed by a Microsoft Entra identity server, these memberships will be fetched by CodeChecker through the graph API.
See the CodeChecker authentication document for configuration details.
The feature was implemented in the following PRs:
- Implementation of Oauth of Github, Google and Microsoft by @feyruzb in #4298
- integrated signum fetching and using it as optional username by @feyruzb in #4517
- Add paging to the graph API query by @dkrupp in #4532
Personal Access token Management
Personal access tokens are generated "passwords" which can be used to log in to CodeChecker. If Multi-Factor Authentication is enabled, they are the only way to authenticate through the CLI.
- Personal access tokens can now be created on the GUI too, not only through the CLI.
- The token management page is accessible by clicking on your user name in the top right corner.

❗ Backward incompatible changes
- Personal access tokens cannot be viewed after creation. Previously it was possible to list the values of personal access tokens after they were created; from this version on, a token's value can be viewed only once, at creation time.
💻 CLI/Server improvements
- Cache __contains_no_intrinsic_headers and thus speedup parse_options ~2x by @irishrover in #4479
- [analyzer] debug_analyzer log level for analyzer commands by @bruntib in #4473
- [cmd] Emit errors instead of hiding flags by @Szelethus in #4465
- fix(report-converter): Support null column in eslint reports by @SweetVishnya in #4497
- [NFC] Eliminate the "W" form of clang-tidy warnings by @bruntib in #4438
- [fix] Unique key constraint violation fix by @bruntib in #4505
- [bugfix] Don't crash if clangsa binary is missing by @Szelethus in #4531
- Fix serving Bad request pages in case of some HTTP errors by @Discookie in #4506
- [feat] Display announcement message in the CLI by @noraz31 #4535
- Personal access token by @bruntib in #4540
- [fix] Bug report bubble display bugfix by @bruntib in #4480
- [analyzer] Add --use-absolute-ldpreload-path flag to log command by @gamesh411 in #4518
- [fix] Apply heuristics when diagtool comes with version number by @bruntib in #4515
- Fix CSP when HTTPS is not enabled on the server by @Discookie in #4544
- [feat] Add JSCPD report converter by @noraz31 in #4530
- [bugfix] Pass the correct interpreter from bin/CodeChecker to the analyzers by @Szelethus in #4558
- [fix][report-converter] Fix hash where file was pulled from report instead of event. by @jstevens176 in #4403
- Utilize personal access token expiration date by @gulyasgergely902 in #4551
- Add OAuth templates, simplify OAuth configuration flow by @Discookie in #4559
- [ld_logger] Fix suffix match on non-absolute paths by @bruntib in #4577
- [feat] Implement configurable Personal Access Token expiry by @gulyasgergely902 in #4567
- Fix return_to directive when the user is already logged in by @Discookie in #4582
- Restrict the SQL database creation to the config directory by @Discookie in #4521
- Only respond to valid endpoints on the frontend by @Discookie in #4588
- [feat][server] Make personal access token max expiration length configurable by @gulyasgergely902 in #4590
- Ensure the compiler has no L18Ned output by @cmorty in #4562
- [fix] Fix missing default value for max pers auth token. by @gulyasgergely902 in #4593
- [feat] Check if file path is absolute or not in gerrit py. by @gulyasgergely902 in #4594
🔨 Other
- [fix] Adding run filter to router query by @cservakt in #4495
- [fix] Display chronological order in GUI by @bruntib in #4512
- fixed url strip error by @feyruzb in #4516
- [fix] Rename cmd modules to avoid conflict with built-in cmd by @gamesh411 in #4464
- E2E tests are flaky (fix) by @xb058t in #4493
- Make username-password login hidable by @gulyasgergely902 in #4537
- Simplify oauth interface by @gulyasgergely902 in #4539
- [fix] dead links, typos etc. in the documentation by @NagyDonat in #4526
- Fix a legacy mistake in the test by @irishrover #4543
- Fix issues in documentation by @gulyasgergely902 #4542
- Add OWASP Top 10 guideline by @noraz31 in #4482
- Add chronological order column to exported HTML report by @gulyasgergely902 in #4553
- Add 6.26.0 release notes to the New Features menu by @noraz31 in #4556
- Check shown file when rendering error message by @gulyasgergely902 in #4557
- Fix a code duplication by @irishrover in #4548
- [feat] Return custom message in cli upon failed authentication by @noraz31 in #4546
- feat(script): Support label-tool-skipdirective labels by @whisperity in #4274
- [refactor] Make analyzer and checker options typed by @bruntib in #4566
- [gui] Conditionally hide timestamp, test case and chronological order by @gulyasgergely902 in #4574
- Fix bug path node coloring by @gulyasgergely902 in #4561
- [fix][server] Fix announcement message cannot be edited as superuser by @gulyasgergely902 in #4578
- [fix] Fix the flaky tests for personal access token expiration by @gulyasgergely902 in #4583
- [fix] Emit error message when SQLite DB is not under workspace dir by @bruntib in #4584
- [fix] Demote product not found errors to debug in the CC logs by @noraz31 in #4587
- Extended tests for OAuth by @feyruzb in #4533
🌳 Environment
- [tools] bump sarif-tools version from 1.0.0 to 3.0.4 by @AlexFabre in #4466
- [fix] Fix missing CC_LIB_DIR when dev_package is used by @Szelethus in #4513
- [test] GitHub actions upgrade to 24.04 by @bruntib in #4524
- Moving authlib to the mandatory requirements by @dkrupp in #4522
- [version] Bump python version to 3.9 by @pdgendt in #4550
- [docs] README.md install guide fix apt install by @barnabasdomozi in #4570
- Document API endpoints by @Discookie in #4572
- [cfg] Update clang-tidy, clangsa and cppcheck configurations by @gamesh411 in #4568
- [cfg] Add unix.cstring.NotNullTerminated to default profile by @gamesh411 in #4576
- Thrift upgrade by @bruntib in #4581
- [doc] Update checker_and_analyzer_configuration.md by @NagyDonat in #4579
- removing clang-diagnostic-implicit-void-ptr-cast from the sensitive p… by @dkrupp in #4580
- Add Thrift 0.22.0 dockerfile & add ws* to gitignore by @gulyasgergely902 in https://github.com/Eri...
v6.26.0-rc1
🌟 Highlights
OAuth2 based Single Sign On Authentication
CodeChecker now provides OAuth2 based user authentication through various providers. It is now possible to configure your CodeChecker server instance to accept user logins with their Google, Microsoft or GitHub accounts.
To enable this feature, you will first need to configure your CodeChecker server instance with the corresponding OAuth provider and add a new authentication method section in the CodeChecker server configuration file.
If the user group memberships are managed by a Microsoft Entra identity server, these memberships will be fetched by CodeChecker through the graph API.
See the CodeChecker authentication document for configuration details.
The feature was implemented in the following PRs:
- Implementation of Oauth of Github, Google and Microsoft by @feyruzb in #4298
- integrated signum fetching and using it as optional username by @feyruzb in #4517
- Add paging to the graph API query by @dkrupp in #4532
Personal Access token Management
Personal access tokens are generated "passwords" which can be used to log in to CodeChecker. If Multi-Factor Authentication is enabled, they are the only way to authenticate through the CLI.
- Personal access tokens can now be created on the GUI too, not only through the CLI.
- The token management page is accessible by clicking on your user name in the top right corner.

❗ Backward incompatible changes
- Personal access tokens cannot be viewed after creation. Previously it was possible to list the values of personal access tokens after they were created; from this version on, a token's value can be viewed only once, at creation time.
💻 CLI/Server improvements
- Cache __contains_no_intrinsic_headers and thus speedup parse_options ~2x by @irishrover in #4479
- [analyzer] debug_analyzer log level for analyzer commands by @bruntib in #4473
- [cmd] Emit errors instead of hiding flags by @Szelethus in #4465
- fix(report-converter): Support null column in eslint reports by @SweetVishnya in #4497
- [NFC] Eliminate the "W" form of clang-tidy warnings by @bruntib in #4438
- [fix] Unique key constraint violation fix by @bruntib in #4505
- [bugfix] Don't crash if clangsa binary is missing by @Szelethus in #4531
- Fix serving Bad request pages in case of some HTTP errors by @Discookie in #4506
- [feat] Display announcement message in the CLI by @noraz31 #4535
🔨 Other
- [fix] Adding run filter to router query by @cservakt in #4495
- [fix] Display chronological order in GUI by @bruntib in #4512
- fixed url strip error by @feyruzb in #4516
- [fix] Rename cmd modules to avoid conflict with built-in cmd by @gamesh411 in #4464
- E2E tests are flaky (fix) by @xb058t in #4493
- Make username-password login hidable by @gulyasgergely902 in #4537
- Simplify oauth interface by @gulyasgergely902 in #4539
- [fix] dead links, typos etc. in the documentation by @NagyDonat in #4526
- Fix a legacy mistake in the test by @irishrover #4543
- Fix issues in documentation by @gulyasgergely902 #4542
🌳 Environment
- [tools] bump sarif-tools version from 1.0.0 to 3.0.4 by @AlexFabre in #4466
- [fix] Fix missing CC_LIB_DIR when dev_package is used by @Szelethus in #4513
- [test] GitHub actions upgrade to 24.04 by @bruntib in #4524
New Contributors
- @AlexFabre made their first contribution in #4466
- @SweetVishnya made their first contribution in #4497
- @xb058t made their first contribution in #4493
- @gulyasgergely902 made their first contribution in #4537
- @NagyDonat made their first contribution in #4526
Full Changelog: v6.25.1...v6.26.0-rc1
