I ran across this great photo on Reddit the other day – someone had posted a photo of their grandfather’s pliers, with a few extras welded on: a hammer head, and two screwdriver bits. Although not the most beautiful tool in the world, I think we’d all agree it probably saves a lot of time!
This week, we released Klocwork 2016.1 and it includes a number of new features and updates that prompt the question – why use two tools when one will do?
Improvements to the CI workflow
Now, users of the Klocwork CI module can do more than just view their defects in Jenkins – they can sign in with their Klocwork credentials and work directly with defects inside of the Jenkins interface. This means viewing full defect and traceback information and even performing defect citation directly through Jenkins! Why use two tools when one will do?
Find more security and quality defects
In Klocwork 2016.1, new CWE/SANS Top 25 security checkers are available to improve application security. For example, the new checker for CWE-798 detects the use of hard-coded credentials in your source code. Although developers should certainly know better by now, the issue of hard-coded credentials is not going away any time soon. Just this year, over 40,000 security camera systems included a hard-coded default password that gave access to administrator privileges. The hard-coded password was actually the postal code of the DVR manufacturer!
Klocwork 2016.1 also helps improve password security, with the addition of a checker for CWE-759, which verifies that all one-way hashes are salted before use. This simple technique prevents attackers from easily compromising large numbers of passwords that are stored in hashed format using precalculated hash tables. A high-profile case of this type of attack is the LinkedIn password breach of 2012, in which more than 170 million user passwords were decoded. By salting each password hash with a user-specific piece of information (some systems might use the userid for this purpose), the precalculated hash tables must be generated for each individual password, increasing the time and complexity needed to expose many millions of passwords.
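To make the two weaknesses above concrete, here is an added Python example (written for this article, not Klocwork's own code or checker logic) that shows the pattern a CWE-798 checker flags beside its fix, and an unsalted one-way hash of the kind a CWE-759 checker flags beside a salted one. Everything in it is constructed for illustration: the placeholder credential, the environment variable name `ADMIN_PASSWORD`, the tiny candidate-password list standing in for an attacker's precomputed table, and the choice of a random 16-byte per-user salt with PBKDF2-SHA256 (rather than the userid mentioned above) are all assumptions of the example.

```python
"""Added example (not Klocwork code): why CWE-798 and CWE-759 matter.

  1. CWE-798: a credential embedded in source versus one read at run time.
  2. CWE-759: an unsalted one-way hash that a precomputed table recovers
     instantly, versus a salted hash the same table cannot touch.
"""
import hashlib
import hmac
import os
from typing import Optional

# ---- CWE-798: hard-coded credentials ---------------------------------------

# The pattern a CWE-798 checker flags: a secret that ships with every copy of
# the program and cannot be rotated without a rebuild.
ADMIN_PASSWORD = "changeme-placeholder"  # constructed placeholder, not a real credential


def authenticate_hardcoded(password: str) -> bool:
    return hmac.compare_digest(password.encode(), ADMIN_PASSWORD.encode())


# The hardened form: the secret comes from the deployment environment, so it
# never appears in source control or in the shipped binary.
def authenticate_from_env(password: str, env=os.environ) -> bool:
    expected = env.get("ADMIN_PASSWORD")  # assumed variable name
    if expected is None:
        return False  # fail closed: no credential configured means no access
    return hmac.compare_digest(password.encode(), expected.encode())


# ---- CWE-759: one-way hash without a salt ----------------------------------

def hash_unsalted(password: str) -> str:
    """Plain SHA-1 of the password: the same input always yields the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """An attacker's precomputed table (digest -> plaintext), built once and
    reusable against every unsalted hash that ever leaks."""
    return {hash_unsalted(p): p for p in candidates}


def recover_unsalted(digest: str, table: dict) -> Optional[str]:
    return table.get(digest)


def hash_salted(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-SHA256 with a random per-user salt. Returns (salt, digest); the
    salt is stored beside the digest and does not need to be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


def demo() -> tuple:
    # Constructed sample: two users chose the same weak password.
    common_passwords = ["123456", "password", "linkedin", "qwerty"]
    table = build_lookup_table(common_passwords)

    unsalted_alice = hash_unsalted("linkedin")
    unsalted_bob = hash_unsalted("linkedin")
    # Identical digests reveal that both users share a password, and a single
    # table lookup recovers it for both at once.
    same_digest = unsalted_alice == unsalted_bob
    recovered = recover_unsalted(unsalted_alice, table)

    salt_a, digest_a = hash_salted("linkedin")
    salt_b, digest_b = hash_salted("linkedin")
    # Different salts give different digests for the same password, so the
    # SHA-1 table cannot be applied to either user; each must be attacked
    # separately, which is the cost increase the article describes.
    salted_distinct = digest_a != digest_b
    return same_digest, recovered, salted_distinct, verify_salted("linkedin", salt_a, digest_a)


if __name__ == "__main__":
    print(demo())  # (True, 'linkedin', True, True)
```

Running the block prints the four results: the unsalted digests collide and the table recovers the shared password, while the salted digests differ and still verify correctly for the legitimate user.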
In addition to these security updates, Klocwork 2016.1 includes improvements to help users find more resource leaks, uses of tainted data, and array bounds violations. Coverage of the MISRA 2012 standard has also increased with the addition of new mandatory and required rules.
With the best coverage of security and quality defects, why use two tools when one will do?
Better integration with the tools you use
The Klocwork team is committed to improving the use of static code analysis by integrating with the tools developers use every day. Klocwork 2016.1 has support for the latest CI tools, IDEs and operating systems that you’ve been asking for.