PVS-Studio is a static analyzer on guard of code quality, security (SAST), and code safety (original) (raw)

When it is time to use the PVS‑Studio analyzer

For a developer

You make occasional mistakes during development

Debugging when searching for errors is time consuming

Errors get into the version control system

Once an error is found by QA specialists, it’s difficult to debug that code

How PVS-Studio finds potential vulnerabilities

PVS-Studio detects various errors – typos, dead code, and potential vulnerabilities (Static Application Security Testing, SAST).

The analyzer matches warnings to the Common Weakness Enumeration, SEI CERT Coding Standards, and supports the MISRA standard.

Click the links below to see PVS-Studio warning classifications for various standards:

Where does PVS-Studio integrate into?

Distributed build

Game engines

Embedded

Keil µVision, DS-MDK

IAR Embedded Workbench

QNX Momentics

TI ARM Code Generation

Virtualization

WSL

CI

Supported languages and compilers

Windows

Visual Studio, C, C++, C++/CLI, C++/CX (WinRT)

MinGW C, C++

Texas Instruments Code Composer Studio, C6000-CGT, C, C++

Windows/Linux/macOS

GNU Arm Embedded Toolchain, Arm Embedded
GCC compiler, C, C++

GNU toolchain for RISC-V, C, C++

CLion, Qt Creator, GCC, Clang, C, C++

IntelliJ IDEA, Android Studio, Java

Visual Studio, JetBrains Rider, C#, .NET Framework, .NET

Windows/Linux

IAR Embedded Workbench, C/C++ Compiler for ARM C, C++

QNX Momentics, QCC C, C++

Keil µVision, DS-MDK, ARM Compiler 5/6 C, C++

Texas Instruments Code Composer Studio, ARM Code
Generation Tools C, C++

MPLAB XC8 C

Getting started with PVS‑Studio is easy

Trying for the first time? Check the most interesting warnings

A special filter chooses those warnings that most likely indicate an error.

Integrating PVS‑Studio into the project?

Hide the warnings on the legacy code

This way you will only work with warnings issued on the newly written code. If necessary, you can return the hidden warnings later

Problem types that PVS-Studio detects

Quality

Typos

Null pointer/reference dereference

Array index out of bounds

Incorrect shift operations

and others.

Customers choose PVS-Studio for...

Expert technical support

Over the years, we have built a team of proven code analysis experts. Clients get support directly from our analyzer developers.

Offline use availability

You can use our analyzer offline. This includes the installation, activation, launch, source code analysis, and all other use case scenarios. This is a perfect solution for companies that employ isolated development environments and develop software for finance or government sectors.

Ease of use

To take a quick peek at the analyzer, use the compilation monitoring system. It is designed for Windows and Linux and does not require you to integrate PVS-Studio into a project.

Diagnostic abilities

We have developed more than 1100 diagnostic rules and add new ones every month.

Cross-platform integration

Many apps are created for several platforms to meet the current market's demand. Our cross-platform analyzer provides such clients with full code coverage.

Easy-to-use analyzer reports

The analyzer reports are available in Html, Xml, Csv, Txt, Json, CompileError, TaskList, TeamCity formats. The report generator itself is posted on GitHub for custom modifications.

Convenient CLI

You can choose one of the three easy approaches: run the analyzer from the command line, integrate it into a build script or CI.

Plugins

To enhance interaction with the analyzer, we provide plugins for Visual Studio, IntelliJ IDEA, Rider, SonarQube, Jenkins, and other similar products.

Mode for checking Legacy code

Some clients are uncertain about introducing an analyzer into their development process because of the large code base. PVS-Studio accommodates these clients by introducing Legacy code checking mode. You can install PVS-Studio, hide warnings for old (Legacy) code until later, and use the analyzer to check new code.

Dealing with false alarms

Static analysis implies you’ll get false warnings. In addition to contacting our support, users have many ways to deal with false positives. This makes the work with the analyzer very convenient.

The number of diagnostics
in PVS-Studio increases each year

How does PVS-Studio do all this?

Preprocessing of C and C++ source files (based on compilation parameters) allows to expand preprocessor directives, i.e. to include header files and to substitute macros. The analyzer uses this feature to build the most complete semantic model of the analyzed code.

The pattern-based analysis that is based on an abstract syntax tree searches for fragments in the source code that are similar to the known code patterns with an error.

Method annotations provide more information about the used methods than one can obtain by analyzing only their signatures.

Data-flow analysis is used to evaluate limitations that are imposed on variable values when processing various language constructs. For example, data-flow analysis helps evaluate values that a variable can take inside if/else blocks.

Type inference that is based on a program semantic model provides the analyzer with full information about all variables and statements in the code.

Symbolic execution evaluates variables' values that can lead to errors, performs checks of values' range.

Tainted data analysis detects cases when an application uses unverified user data. Trusting such data excessively may cause vulnerabilities (for example, SQLI, XSS, path traversal).

Intermodular analysis enables the diagnostics to account for functions declared in other translation units.

Software composition analysis (SCA) looks for the application dependencies on components that contain vulnerabilities.