© 2021 Synopsys, Inc.
Code Sight 2021.1 Documentation
Contents
Getting Started
  Coverity Setup Considerations
Support Matrix
Installation
  Installing Code Sight in IntelliJ
    Installation Prerequisites
    To install the plug-in
    To install the plug-in on a system not connected to the Internet
    To uninstall the plug-in
  Installing Code Sight in Eclipse
    Installation Prerequisites
    To install the plug-in
    To install the plug-in on a system not connected to the Internet
    To uninstall the plug-in
  Installing Code Sight in Visual Studio
    Installation Prerequisites
    To install the extension
    To install the extension on a system not connected to the Internet
    To uninstall the extension
  Installing Code Sight in Visual Studio Code
    Installation Prerequisites
    To install the extension
    To install the extension on a system not connected to the Internet
    To uninstall the extension
Authentication
  To choose a tool: Code Sight Configuration
  To authenticate Black Duck
  To authenticate Coverity
    To authenticate Coverity using a self-signed certificate
  Reviewing and Updating Authenticated Tools
Administration
  Configuring Black Duck
    Requirements for Black Duck
  Configuring Coverity
    Configure Coverity Analysis to Use Polaris
    Configure Coverity Analysis to Use Coverity Connect
    Creating and Locating the ‘coverity.conf’ File
    Alternative Coverity Configuration Settings
    Frequently Asked Questions
Release Notes
  Version 2021.1
  Version 2020.11
  Version 2020.8.1
  Version 2020.8
  Version 2020.6
  Version 2020.4
  Version 2020.2
  Version 2020.1
  Version 2019.11
  Version 2019.9
  Version 2019.7
  Version 2019.6
  Version 2019.4
  Version 2019.3: Synopsys Code Sight Plug-in Features
Getting Started
Here is information to help you quickly get started using Code Sight.
4. Authenticate yourself
Next, after you enter your ID and the URL of the server with which the Synopsys tool will communicate,
enter your password.
If your credentials are accepted and the tool is already installed, then Code Sight is ready to run.
If the tool you chose is not yet installed, Code Sight automatically downloads the tool from the server
and then installs it.
Note: The Detect component of Black Duck installs quickly. The download of Coverity Analysis can
take some time.
You can also run local Coverity (SAST) scans of your source code, without connecting to the
Internet. Instructions for installing Code Sight on a disconnected (or air-gapped) system are provided
in each installation guide.
• Special-purpose configurations:
Some setups might need additional configuration settings before you run Code Sight. For more
details, see the Administration section.
2. To see more information about the issue, look at the Details panel.
Using Code Sight
The Details displayed depend on whether the reported issue is a composition analysis (SCA) issue
or a static analysis (SAST) issue. See “Issue Details: Black Duck (SCA)” or “Issue Details: Coverity
(SAST)”.
From the Details panel, you can access the Contributing Events view, which displays still more
information.
If the issue you highlighted is a static analysis issue, then information about it is also displayed in
the IDE’s Code Editor. See “Issues in the Editor”.
Status
The Status view provides overall information about the plug-in, and the scans that it has run.
Notifications panel
Contains messages from the plug-in itself, such as the Welcome page that appears when you first install
Code Sight.
Scans panel
Lists the scans that have completed, along with the name and location of the source file that was
scanned, and whether the scan was successful.
While a full scan is running, the Full scans area of the Scans panel shows these icons as well. After
the full scan completes, this area shows when the most recent full scan completed. In front of this text,
an icon indicates where the scan took place:
The familiar Cloud logo indicates that the scan took place on a server.
To disable automatic scanning, you can use the Automatic Scanning Preferences.
Remember: When automatic scanning is enabled, opening or closing a code file launches a scan, but
there is a difference between Coverity and Black Duck. Coverity scans only the individual source file.
Black Duck, on the other hand, always scans the entire project.
Launching scans
On the Scans panel, you can launch a full Black Duck scan by clicking the Run new full scan icon
in the “Full scans” area.
For Coverity (SAST), you can launch a scan of an individual file by clicking the same icon in the “Single-
file scans” area, where the tooltip for the icon says, Scan next.
Also for Coverity, you can launch a single-file scan from the Issue Details panel or from the IDE Editor
right-click context menu: Scan with Code Sight.
Finally, in the Project or Solution window, when a source file is selected (but not a project or a solution),
the right-click context menu also displays the Scan with Code Sight choice.
Note: The name of this window depends on the IDE: For IntelliJ, other JetBrains environments, and
Eclipse, it is the Project Explorer; for Visual Studio, it is the Solution Explorer; and in Visual Studio
Code, it is simply called Explorer.
At times, when this seems advisable, Code Sight reminds you that a full Coverity scan should be run.
This reminder appears on the Notifications panel.
Cancelling scans
While a scan is running, you can cancel it by clicking the Cancel icon to the right of the progress
bar.
In addition to the status bar, while a scan is running a clickable Cancel icon also appears in the
“Single-file scans” area or the “Full scans” area.
Issues
The Issues view shows detailed information about the results of scans.
Like the Status view, the Issues view has subordinate panels of its own:
Current File: Shows issues found only in the source file that is currently open in the Editor.
All Scanned Files: Shows issues found in all source files whose scan has completed successfully.
Dismissed: Shows issues that have been dismissed (Coverity issues only).
Severity (not labeled): Icons in this column indicate the severity level of the issue: Low, Medium, or High.
Full scan
First Detected: Indicates how long ago the issue was first detected.
Issue Details
Code Sight displays issue details when you click to highlight an issue in the Issues list. The Issue
Details panel also gives you access to a view titled Contributing Events.
The detail information shown by these two views, and the accompanying controls, depend on whether
the issue is a composition analysis (SCA) issue, or a static analysis (SAST) issue.
• If you are interested in SCA scans, please see “Issue Details: Black Duck (SCA)” and “Contributing
Events: Black Duck (SCA)”.
• If you are interested in SAST scans, please see “Issue Details: Coverity (SAST)” and “Contributing
Events: Coverity (SAST)”.
Filtering Issues
The Filter control lets you filter out issues that are found only in full scans.
Clicking Filter displays a dialog that lets you set the filtering conditions.
The interface for filtering is a bit different in the Code Sight extension for Visual Studio Code. For details,
see “Filtering controls” in “Code Sight Within Visual Studio Code” for VS Code.
Coverity (SAST)
When the option Found by Coverity (SAST) is chosen, the Issues list includes issues that have been
found by Coverity Analysis.
In most development environments, you can access the Code Sight Preferences by clicking the icon
that appears above the Code Sight views. In some cases, the icon is accompanied by a label.
Typically the Code Sight preferences appear as a panel of the Preferences interface that is native to the IDE you are running. The following is an example, from Eclipse:
Authentication group
The Authentication group shows the status of your credentials: that is, your user ID, your password,
and the URL of the server to use. If the connection was successfully made, this part of the Preferences
panel shows a message to that effect; for example:
If the connection was not successfully made, or if it is broken for some reason while you are using the
IDE, then this part of the Preferences panel shows a message that indicates the problem. Here is one
example:
If the connection was established but later broken, you probably do not need to contact your system
administrator, but you will need to know your password. Click Change Credentials to re-enter your
password and establish the server connection once again.
Customization group
This group shows links to preference panels that are native to the platform you use, such as a panel to
customize colors in the interface, or a panel to assign keyboard shortcuts.
In Visual Studio, if you click the Code Sight Preferences button or label, the Synopsys Code Sight
panel appears in the Options dialog. This panel does not have customization controls, but at the left of
the dialog you can navigate to other Visual Studio options.
Troubleshooting group
The Troubleshooting group contains an Export Logs button. This can be helpful when you need to
troubleshoot a problem by working with Synopsys Support. When you click Export Logs, Code Sight
zips the current logs and saves them to a location that it displays in this panel. You can attach this log
archive to your Support request.
When a project has a particularly large code base, disabling automatic scanning can be a way to
manage the time spent on testing that code—but with automatic scanning disabled, it is a good idea to
adhere to a regular schedule of running scans.
When chosen, Code Sight scans source code only when you instruct it to do so.
• Auto-scan on for IDE (recommended)
(The default) When chosen, Code Sight scans source code whenever a source file is opened or
closed.
• Disable auto-scanning for current solution: 'project-name'
When this check box is chosen, automatic scanning is disabled for the current project only.
The Code Sight Preferences give you access to the color-customization options that are native to the
IDE in which Code Sight is running.
The way to access these options varies, depending on the IDE, as follows:
The JetBrains family, including IntelliJ; also Eclipse: Click Issue Highlighting Colors in the Code Sight Preferences panel > Customization group.
Using the IDE’s native color controls, you should be able to create a custom display that is more easily
legible.
For an issue found by Black Duck (SCA), the diamond-shaped issue icon highlights a line that
tells how many issues were encountered. This is followed by a list of the open-source components that
give rise to the issue; the names of the security vulnerabilities detected; and then further details such as
the license used and the dates and times at which the issues were detected.
Each occurrence of an issue shows an icon that indicates whether the issue is a direct (declared)
dependency or a transitive (indirect) dependency:
Direct dependency
Transitive dependency
Click the Edit icon to open the project's pom.xml in the IDE Code Editor. This lets you fix the issue
manually by updating the dependency file.
If the project is built using Apache® Maven™, then clicking Fix It does not repair the problem, but does
display a page that presents advice on how to fix the issue manually.
Figure 19: Page that appears when an automatic fix is not possible
The icons to indicate a dependency type are the same as on the Details panel: A ‘D’ for
Direct and a ‘T’ for Transitive.
To see this view, click the Occurrences > Open link in the Issue Details panel.
Tip: Depending on the IDE you are using, you might be able to show the Contributing Events view by
using the view or window controls as well as the Issue Details panel.
Coverity (SAST)
Coverity® is a Synopsys® product that performs static application security testing (SAST), which is also
known as static analysis.
Coverity scans source code to check for quality issues, which can cause code to fail when it is
executed, and for security issues, which can leave code vulnerable to attack. Resolving the issues
reported by Coverity will increase your confidence in the reliability and security of the software that you
publish.
Dynamic analysis runs the program and typically targets a particular class of problem, most often
program security: stress testing, penetration testing, fuzz testing, and so on. It can only observe the
execution paths that its chosen inputs actually exercise.
Static analysis, by contrast, examines the source code without executing it. It can search for many
kinds of issues at once, and it reasons about the program's possible execution paths, including paths
that no test input happens to drive.
The ability to reason about execution paths that testing never reaches is one of the strengths of static
analysis. The limitation is the mirror image: a static scan does not see the actual runtime inputs or
environment, so some findings describe paths that are unreachable in practice, and some runtime
behaviour is out of its reach.
In a production environment, we recommend you use static analysis as one component of an overall
testing strategy, and combine it with appropriate types of dynamic analysis, so that the resulting code is
as robust and secure as possible.
In addition to scanning one source file at a time, you can run a full scan on all the files in the current
project, in order to generate analysis summaries. These summaries enable quick detection of issues
across multiple files that a file-level scan, on its own, would not be able to find.
Synchronization is typically set up by an administrator for your particular installation. Once
synchronization is enabled, Code Sight downloads issue information from the most recent full
central scan, either from Coverity Connect or from Polaris.
When it has a server connection, Code Sight shares two kinds of data with the server:
• Analysis summaries
• Triage information
By default, Code Sight hides server-reported issues that a local scan has not also found. You can change
this behavior by using the Filter button.
Analysis Summaries
Coverity Analysis creates summaries when you run a full SAST scan of the code base. It uses such
summaries to improve the accuracy of single-file scans.
When connected, Code Sight obtains analysis summaries from the server. This reduces the need to run
full scans locally.
These icons can appear in the Details and Contributing Events panels, too.
A diamond-shaped icon indicates the line where the issue was detected.
When you click or right-click the issue icon, a pop-up menu gives you various choices, including the
selection of this particular issue.
A double diamond indicates that multiple issues (or events) appear on the same line of code.
When you click or right-click the multiple-issue icon, a pop-up menu lets you choose which of the issues
or events to select.
A circular icon indicates a line that contains an event that contributed to an issue.
An icon with branching arrows indicates a line with a control-flow path that led to detection of
the issue.
Figure 28: Links to Security eLearning pages on the Issue Details panel
Attention: Access to Security eLearning is licensed separately from Coverity. To view these
pages, you or your organization must have a subscription and login information.
To see this view, click the Contributing code events > Open link in the Issue Details panel.
Tip: Depending on the IDE you are using, you might be able to show the Contributing Events view by
using the view or window controls as well as the Issue Details panel.
Triaging Issues
In the list of active issues, you can triage Coverity issues by dismissing issues you consider to be
unimportant and that don’t require attention.
Dismissed issues are shown in the Issues view > Dismissed scope. You have the option of un-
dismissing an issue to make it active once again, and visible again in the Current File and All Scanned
Files scopes.
If your Code Sight installation is connected to a server, local triage information is regularly synchronized
with triage information on the server, so that all developers working in the code base see the same
active issues. Local triage activity is always pushed to the server before any triage data from the server
is downloaded during synchronization.
Note: Locally dismissed issues are synchronized with Coverity Connect as classification == Intentional
and action == Ignore.
To dismiss an issue found by a Coverity Analysis scan
When a static analysis issue is highlighted, you have the option to dismiss it.
1. Go to the Issues view, then click an issue entry in the Current File list or the All Scanned Files list.
A description of the issue appears in the Issue Details panel.
3. Code Sight displays a dialog where you must enter a comment to explain why you are dismissing
this issue.
Figure 32: Dismiss Issue dialog
1. In the Issues view, click the Dismissed scope button to view the list of dismissed issues.
3. Click Un-Dismiss.
4. Code Sight displays a dialog where you must enter a comment to explain why you are undoing the
dismissal.
Figure 35: Un-Dismiss Issue dialog
You can open the drop-down list to go directly to one of the occurrences, or you can click one of the
left/right arrows to either side of the drop-down list, in order to step through the occurrences in
sequence.
Important: If, after you correct the code and scan again, an issue does not disappear from the list,
this does not necessarily mean that your fix was wrong. Different paths through the same code can
sometimes lead to the same issue. This is why the Issue Details panel reports multiple occurrences of
the same issue.
When a static-analysis issue occurs more than once, the Contributing Events panel can help you see if
different occurrences arise from the same contributing logic, or if there are multiple areas of contributing
code that might be problematic.
When all occurrences of the issue have been resolved, the issue should disappear from the Issues list
altogether.
Missing Files
If Code Sight cannot match a file from the server to a local file, both the Issues list and the Issue Details
panel report this error.
1. In the code editor, icons next to line numbers show Coverity (SAST) issues and other findings.
2. A line of code that has a Coverity (SAST) issue is highlighted and commented.
3. This tabular panel shows either status or issues.
4. Contributing Events appear in a panel of their own.
1. In the code editor, icons next to line numbers show Coverity (SAST) issues and other findings.
2. A line of code that has a Coverity (SAST) issue is highlighted.
3. The Code Sight view has tabs for Issues, Status , and Contributing Events.
Tip: If you don’t see a Code Sight window in the Eclipse interface, go to the menu and choose
Window > Show View > Other. This opens the Show View dialog. In the hierarchy that the dialog
displays, click to expand the Synopsys entry. Click to choose the Code Sight window you want to see,
then click Open.
1. In the code editor, icons indicate lines that have Coverity (SAST) issues or other findings.
2. A line of code that has a Coverity (SAST) issue is highlighted and commented. Click More to see a
pop-up panel that provides more detail.
3. Most Code Sight controls appear in the Synopsys Code Sight window.
4. Tabs let you switch between the main Code Sight views and the Contributing Events view.
5. The status of running jobs is displayed in a window of its own. For the status of completed jobs, see
the Code Sight window > Status view > Scans panel.
Tip: If you don’t see a Code Sight window in the Visual Studio interface, go to the menu and choose
View > Other Windows and then click one of the Synopsys Code Sight entries to choose the window
you want to see displayed.
1. To see the Code Sight interface, click the activity bar button with the Synopsys logo.
2. In the side bar, ISSUES FOUND are displayed above, and STATUS is displayed below.
3. In the code editor, icons next to line numbers show Coverity (SAST) issues and other findings.
4. A line of code that has a Coverity (SAST) issue is highlighted.
5. Clicking controls in the STATUS area can display information in other Editor tabs. For example,
clicking No running scans [View History] displays the Code Sight Scan Status panel shown
here.
Note: The Code Sight extension for VS Code does not provide links to Synopsys eLearning pages.
Figure 39: ISSUES FOUND and STATUS areas in Visual Studio Code
Issue details
To see details in Visual Studio Code, look at the Editor and hover your mouse over the issue’s line of
code. A drop-down panel displays the detailed information.
To dismiss issues
1. In the ISSUES FOUND list, select an issue or a group of issues, and then right-click.
The Scope icons let you choose what sorts of issues to display in the list, as follows:
• All Scanned Files (the default): Shows issues from all files whose scan has completed.
• Current File
Filtering controls
As in other development environments, in VS Code filtering is enabled by default. While filtering is
enabled, the control appears on a line of its own in the ISSUES FOUND area of the side bar.
To disable filtering, simply click to clear the ‘x’ icon at the right end of that line.
To enable filtering again, click the Filter icon to the right of the ISSUES FOUND label. Code Sight
opens a drop-down menu. On the drop-down menu, click to turn Filter back on. This menu also lets you
choose one of the options for sorting the Issues list.
The sorting options don’t have a counterpart in the versions of Code Sight for other IDEs. You can use
the search field at the top of this drop-down menu to find a sorting option quickly.
Support Matrix
These tables show the IDEs, platforms, and Synopsys products that support the current release of Code
Sight.
• The PhpStorm, PyCharm, RubyMine, and WebStorm environments use the same installation steps
as IntelliJ.
Note: In Code Sight release 2021.1, Black Duck scanning is supported by the Eclipse and IntelliJ
environments. Visual Studio supports Black Duck only on a limited customer availability (LCA) basis.
Visual Studio Code does not run Black Duck software composition analysis.
Attention: As of Code Sight 2021.1, Eclipse version 4.6 is no longer supported. Also, support
for Eclipse version 4.7 has been deprecated, and will become unavailable in a future release of
the Code Sight plug-in.
Attention: Also as of Code Sight 2021.1, support for version 2018.2 of the JetBrains IDEs
IntelliJ, PhpStorm, PyCharm, RubyMine, and WebStorm has been deprecated. In a future
release of the Code Sight plug-in, 2019.1 will become the earliest supported version for this
family of IDEs.
Platforms
These are the platforms on which Code Sight can run.
Attention: As of Code Sight 2020.11, macOS® 10.13 support has been deprecated. In an
upcoming release of Code Sight, this operating system will no longer be an available platform.
Installation
Here are the instructions for installing Code Sight in the officially supported development environments.
(Certain environments might be supported only in beta: For current information, see the Release Notes.)
The Code Sight plug-in, or extension, is available for a number of integrated development environments
(IDEs). A particular IDE can run on one or more platforms; currently supported platforms include Linux™,
macOS®, and Microsoft® Windows®.
Installation Prerequisites
Before you install the Synopsys Code Sight plug-in, you should make sure your system is ready for it.
You should already have installed the following software:
• A supported version of a JetBrains environment
You can download these IDEs from the JetBrains pages at https://www.jetbrains.com/.
Note: The Community edition of IntelliJ IDEA supports Java but does not officially support scripting
languages. However, in most cases Code Sight will find and report issues in the source for these
languages as well.
• A code project to work with
For languages that Code Sight supports in these IDEs, please see the “Support Matrix”.
If Coverity® Analysis is already installed on your system, the Code Sight plug-in is able to use it.
If Coverity Analysis is not installed, this is not a problem: The first time you run the plug-in, it can
download and install Coverity Analysis automatically from the Coverity Connect or Polaris server you
authenticate against, so no separate download from a public site is needed.
1. Start the IDE, then go to plug-in installation for the platform you are using.
On Windows® or Linux® systems, the menu choice is File > Settings | Preferences > Plugins; on
Mac® systems, the menu choice is IntelliJ IDEA > Preferences > Plugins.
3. In the search field, enter synopsys, and then click the Code Sight entry when a tooltip displays the
name of the plug-in.
Tip: You can also find the Code Sight plug-in by searching the JetBrains Marketplace,
https://plugins.jetbrains.com/. The direct link to the Marketplace page for Code Sight is https://
plugins.jetbrains.com/plugin/11516-synopsys-code-sight
5. The Install button changes to a button labeled Restart IDE. Click this button.
After the IDE starts again, the Code Sight interface appears within it. To use Code Sight, you will
need to authenticate yourself.
1. On a system that is connected to the Internet, navigate to the IntelliJ (JetBrains) Marketplace, and
download the ZIP file of the Code Sight plug-in to a portable storage device: for example, a thumb
drive will do.
This file is named synopsys-code-sight-intellij-<version number>.zip.
2. On the air-gapped system, save the ZIP file to a location you will remember.
The Downloads/ directory is one possibility.
Attention: You don’t have to unzip the ZIP file: The JetBrains IDEs can load the plug-in in
its compressed form.
3. Start the IDE, then go to plug-in installation for the platform you are using.
On Windows® or Linux® systems, the menu choice is File > Settings | Preferences > Plugins; on
Mac® systems, the menu choice is IntelliJ IDEA > Preferences > Plugins.
5. At the top of the Plugins panel, click the Utilities icon, then from the drop-down menu choose
Install Plugin from Disk.
The IDE displays a regular file dialog.
6. In the file dialog, navigate to the directory that contains the Code Sight ZIP file you saved. Click to
highlight the ZIP file, and then click Open.
The IDE adds a “Synopsys Code Sight” entry to the Plugins panel.
7. Both the plug-in entry and its information page include a button that says Restart IDE. Click one of
those buttons.
1. Start the IDE, then go to plug-in installation for the platform you are using.
On Windows® or Linux® systems, the menu choice is File > Settings | Preferences > Plugins; on
Mac® systems, the menu choice is IntelliJ IDEA > Preferences > Plugins.
4. Click the Plugin Settings icon to open the drop-down menu, and choose Uninstall.
6. Click Yes, then as you did when you installed the Code Sight plug-in, when prompted click Restart
to restart the IDE so the change will take effect.
2. Remove the Synopsys desktop/ folder. The default location of this directory/folder depends on the
operating system you are using. See the following table:
Some sites install the desktop/ folder in a custom location. If it is not in the default location,
consult your system administrator.
Installation Prerequisites
Before you install the Synopsys Code Sight plug-in for Eclipse, you should make sure your system is
ready for it.
You should already have installed the following software:
• A supported version of Eclipse
You can download Eclipse from https://www.eclipse.org/downloads/.
• A code project to work with
For languages that Code Sight supports in this IDE, please see the “Support Matrix”.
If Coverity® Analysis is already installed on your system, the Code Sight plug-in is able to use it.
If Coverity Analysis is not installed, this is not a problem: The first time you run the plug-in, it can
download and install Coverity Analysis automatically.
4. If the Synopsys Code Sight plug-in does not appear in this dialog, click Browse for more
solutions.
Eclipse opens a browser window. Scroll down in this window to see the Synopsys Code Sight entry.
Tip: You can find the Code Sight plug-in by searching the Eclipse Marketplace, https://
marketplace.eclipse.org. The direct link to the Code Sight plug-in is https://marketplace.eclipse.org/
content/synopsys-code-sight
5. Move your mouse over the Install widget. As the tooltips instruct you, drag the widget over a
different Eclipse window, and then release the mouse button.
6. When Code Sight has finished loading, click Next once again.
Eclipse displays the Install dialog’s Review Licenses panel. Accept the license agreement, and then
click Finish.
After the IDE starts again, the Code Sight interface appears within it. To use Code Sight, you will
need to authenticate yourself.
1. On a system that is connected to the Internet, navigate to the GitHub page, https://github.com/coverity/
Code-Sight-for-Eclipse/releases. Download the compressed file for the Code Sight plug-in to a
portable storage device, such as a thumb drive.
• For a Windows system, click Source code (zip).
The GitHub page downloads Code-Sight-for-Eclipse-<version_number>.zip.
• For a macOS or Linux system, click Source code (tar.gz).
The GitHub page downloads Code-Sight-for-Eclipse-<version_number>.tar.gz.
2. On the air-gapped system, save the compressed file to a location you will remember.
The Downloads/ directory is one possibility.
3. Double-click the entry for the compressed file to extract its contents.
This creates a subdirectory that has the same name as the compressed file, without the filename
extension.
You can uncompress to the same directory where you saved the compressed file.
8. In the file dialog, navigate to the uncompressed directory. Click to highlight the update-site/
subdirectory, and then click Open.
The Add Repository dialog appears again, this time with its Location field naming the Code Sight
subdirectory. After you click Add, Eclipse returns to the Install dialog.
9. In the main window of the Install dialog, click to turn on the check box next to the “Synopsys Code
Sight” entry.
11. When Code Sight has finished loading, click Next once again.
Eclipse displays the Install dialog’s Review Licenses panel. Accept the license agreement, and then
click Finish.
12. A dialog prompts you to restart the application. Click Restart Now.
After the IDE starts again, the Code Sight interface appears within it. To use Code Sight, you will
need to authenticate yourself.
3. In the Eclipse IDE Installation Details dialog, scroll to locate the entry for Synopsys Code Sight,
then click to highlight it.
6. As you did when you installed the Code Sight plug-in, when prompted click Restart Now to restart
Eclipse so the change will take effect.
2. Remove the Synopsys desktop/ folder. The default location of this directory/folder depends on the
operating system you are using. See the following table:
Some sites install the desktop/ folder in a custom location. If it is not in the default location,
consult your system administrator.
Installation Prerequisites
Before you install the Synopsys Code Sight plug-in for Visual Studio, you should make sure your system
is ready for it.
You should already have installed the following software:
• A supported version of Visual Studio
You can download Visual Studio from https://visualstudio.microsoft.com/vs/.
CAUTION: These steps do not apply to Visual Studio Code.
2. Choose Tools > Extensions and Updates. (In Visual Studio 2019, the choice is Extensions >
Manage Extensions.)
3. In the left-hand column of the Extensions and Updates dialog, click Online. Make sure that Visual
Studio Marketplace is active; click its entry if you need to.
Tip: You can find the Code Sight extension for Visual Studio by searching the Visual Studio
Marketplace, https://marketplace.visualstudio.com. The direct link to the Marketplace page for Code
Sight is https://marketplace.visualstudio.com/items?itemName=SynopsysCodeSight.synopsys-code-
sight
5. Click the Synopsys Code Sight entry to highlight it, and then click Download.
A notice confirms the download.
2. On the air-gapped system, save the VSIX file to a location you will remember.
The Desktop/ folder is the most convenient location.
3. Make sure that Visual Studio is not running, and then double-click the installer icon.
A VSIX Installer dialog appears.
4. Click Install.
The VSIX Installer installs the plug-in.
1. In Visual Studio IDE, return to the plug-in controls: Extensions > Manage Extensions (or for earlier
releases, Tools > Extensions and Updates).
2. In the left-hand column of the Extensions and Updates dialog, make sure Installed is chosen. Click
its entry if you need to.
3. Find the entry for Synopsys Code Sight, then click that entry’s Uninstall button.
Installation Prerequisites
Before you install the Synopsys Code Sight extension, you should make sure your system is ready for it.
You should already have installed the following software:
• A supported version of Visual Studio Code
You can download VS Code from https://code.visualstudio.com/download.
CAUTION: These steps do not apply to Microsoft Visual Studio.
For languages that Code Sight supports in Visual Studio Code, please see the “Support Matrix”.
Important: If you want to analyze source code written in a compiled language such as C, C++, C# or
Java, then you need to add your project's build information to the coverity.conf file. See the
following section, “How do I enable code scans within Visual Studio Code?”, for instructions on how to
do so.
If Coverity® Analysis is already installed on your system, the Code Sight extension is able to use it.
If Coverity Analysis is not installed, this is not a problem: The first time you run the extension, it can
download and install Coverity Analysis automatically.
• If you want to scan code in a language that Coverity captures directly from the filesystem, with no
build (an interpreted language such as JavaScript or Python), then no setup is required.
• If you want to scan code in a language that requires a build capture (a compiled language: C, C++,
Java, and so on), then your coverity.conf file needs to be set up so that it specifies the build and
clean tools that your project uses.
For instructions on how to do so, please see the section that follows.
"settings" : {
"cov_run_desktop" : {
"build_cmd" : ["make", "all"],
"clean_cmd" : ["make", "clean"]
},
"ide" : {
"build_strategy" : "CUSTOM"
}
}
This fragment tells Coverity Desktop to build the project with the make all command, and to clean up
after a build with the make clean command.
To build a project using Apache Maven instead of make, you could use the following
"cov_run_desktop" field:
"settings" : {
"cov_run_desktop" : {
"build_cmd" : ["mvn", "compile"],
"clean_cmd" : ["mvn", "clean"]
}
}
For a complete example of such a coverity.conf file, see “Specifying Custom Build Tools”.
3. In the side bar > EXTENSIONS view, enter synopsys in the search field to locate Synopsys plug-
ins.
Tip: You can also find the Code Sight extension by searching the Visual Studio Code Marketplace,
https://marketplace.visualstudio.com/vscode.
4. Click the Synopsys Code Sight entry to highlight it, and then click Install.
After installing, VS Code prompts you to reload the editor.
2. On the air-gapped system, save the VSIX file to a location you will remember.
The Desktop/ folder is the most convenient location.
3. If it is not already running, start Visual Studio Code.
4. In the activity bar at the left of the VS Code window, click the Extensions button.
5. At the top of the EXTENSIONS view, click More Actions (...), and choose Install from VSIX... from
the drop-down menu.
6. In the file dialog, click to highlight the VSIX installer, and then click Install.
The VSIX installer installs the extension.
After installing, VS Code prompts you to reload the editor.
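Each of the offline procedures above (IntelliJ, Eclipse, Visual Studio and VS Code) carries a plug-in archive to the air-gapped machine on removable media, and nothing in those steps checks that the file that arrives is the file that was downloaded. The following added example, which is not part of the Synopsys documentation or product, records SHA-256 digests of the downloaded files on the connected machine and re-checks them on the air-gapped side. The archive name and contents used in demo() are constructed placeholders, not a real plug-in.

```python
"""Record SHA-256 digests of downloaded plug-in files and verify them after transfer.

Added example, not Synopsys code. The archive written by demo() is a constructed stand-in.
"""
from __future__ import annotations
import hashlib
import json
import os
import tempfile


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large installers are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def write_manifest(paths: list[str], manifest_path: str) -> dict[str, str]:
    """Connected machine: digest each downloaded file and write {file name: sha256} as JSON."""
    manifest = {os.path.basename(p): sha256_of(p) for p in paths}
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(manifest_path: str, directory: str) -> dict[str, str]:
    """Air-gapped machine: return {file name: "ok" | "mismatch" | "missing"} per manifest entry."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    report: dict[str, str] = {}
    for name, expected in manifest.items():
        target = os.path.join(directory, name)
        if not os.path.isfile(target):
            report[name] = "missing"
        elif sha256_of(target) != expected:
            report[name] = "mismatch"
        else:
            report[name] = "ok"
    return report


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """End-to-end run in a temp dir standing in for the thumb drive: (report before, report after tampering)."""
    with tempfile.TemporaryDirectory() as stick:
        name = "synopsys-code-sight-intellij-VERSION.zip"  # placeholder name; contents are constructed
        archive = os.path.join(stick, name)
        with open(archive, "wb") as fh:
            fh.write(b"PK\x03\x04 stand-in bytes, not a real plug-in archive")
        manifest = os.path.join(stick, "SHA256SUMS.json")
        write_manifest([archive], manifest)
        before = verify_manifest(manifest, stick)
        with open(archive, "ab") as fh:  # simulate corruption or tampering in transit
            fh.write(b"\x00")
        after = verify_manifest(manifest, stick)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Carry the manifest on a different path from the archive (a second medium, or the digest read off the connected machine's screen and compared by eye) so that whoever could swap the file on the thumb drive cannot also rewrite the manifest, and install only entries that verify as ok.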
1. In Visual Studio Code, return to the extension controls by clicking the Extensions button.
2. In the side bar EXTENSIONS: INSTALLED view, click to highlight the Synopsys Code Sight entry.
Remove the Synopsys desktop/ folder. The default location of this directory/folder depends on the
operating system you are using. See the following table:
Some sites might install the desktop/ folder in a custom location. If it is not in the default location
shown here, consult your system administrator.
Authentication
After you install it, the Code Sight plug-in prompts you to choose one of the Synopsys Software Integrity
tools that you want Code Sight to run. Once you have chosen a tool, you will need to authenticate
yourself to the tool you have chosen.
Under most circumstances, a system administrator or a teammate will provide the login credentials for
the Synopsys tools that your site uses.
If the tool you chose is not already installed on your system, Code Sight proceeds to install it for you, as
well.
In the tile for the tool you want to use, click the Install button.
Code Sight opens the authentication page for the tool that you chose.
The URL identifies a Black Duck server. The server will have been configured by your system
administrator. It might use Single Sign-on (SSO) authentication, or not.
2. Click Continue.
If the server does not use SSO, Code Sight displays the password page.
If the server uses SSO, which requires an access token rather than a password, Code Sight
displays the access-token page.
To authenticate Coverity
Authenticating yourself enables Coverity Analysis to share triage data with a central server. It also
enables Coverity Analysis to download full-project scans from that server, which improves the quality of
local analysis.
If Coverity Analysis is not already present on your system, authentication enables Code Sight to
download this software.
1. As prompted, enter your user name, then enter the URL for the server.
The URL can identify either a Coverity Connect server or a Polaris server. Which kind of server you
use will have been configured by your system administrator.
2. Click Continue.
Code Sight displays either the password page or the access token page.
The password page appears when you authenticate on a Coverity Connect server, or on a Polaris
server that does not use single sign-on.
The access token page appears if the Polaris server you use is configured for single sign-on (SAML/
SSO).
Note:
If you are prompted to enter an access token, and you don’t know what that is, then follow the
prompts on the Access Token page in order to obtain a token.
4. If you have authenticated Coverity but not Black Duck, Code Sight now shows a button that says,
Skip Additional Tool.
You can click this button to go ahead and begin scanning with Coverity Analysis, or you can click
Install Black Duck to authenticate that tool as well.
The new page has the title, Installed Plug-in and Tool Versions.
If you click the entry for this page, you see a page that shows the current plug-in version, along with the
state and version of the tools that you have installed, so far.
Administration
This section, aimed at system administrators, describes various options that affect the configuration of
Code Sight itself, and of both the Black Duck and the Coverity tools.
Black Duck configuration is comparatively straightforward. Coverity configuration, on the other hand,
offers a large variety of options.
The Black Duck requirements include support for specific Java versions, and specific credentials for
each Black Duck user.
Java Support
The system must be configured to run either version 8 of OpenJDK™, or release 11 of the Java®
Development Kit (JDK).
User Credentials
Each user account must be configured to meet the following conditions:
• The user must have access to check for component security vulnerabilities.
• It must be possible to check each component against the projects accessible to the user, and the
global policies configured on the Black Duck server.
• All dependencies must be resolvable. That is, each dependency must already be installed and
discoverable through the package manager’s cache, virtual environment, and similar environment settings.
Internet Access
To communicate with the Black Duck server, the system must be connected to the Internet.
Remember: Internet access is also needed when you install Code Sight, to download Code Sight itself,
and also the Detect application, if this is not already present on the system. See Installing Code Sight.
Configuring Coverity
Coverity supports a variety of configuration options.
The main choice, when configuring Coverity Analysis, is whether to use the Polaris Software Integrity
Platform, or a Coverity Connect server.
A coverity.conf file might be used in either kind of configuration. The section “Creating and Locating
the ‘coverity.conf’ File” describes how this file is managed.
For a Code Sight installation that accesses Synopsys tools via Polaris, each configuration file has its
own purpose.
For more detailed information about coverity.conf, please see the Coverity Desktop Analysis User
Guide.
CAUTION: If your client connects via a Polaris server, do not use the coverity.conf file’s
"server" or "stream" fields. The Polaris "server" and "project" values are specified in
the polaris.yml file.
The following sections explain the setup steps for both the server and its clients.
{
"type": "Coverity configuration",
"format_version": 1,
"format_minor_version": 4,
"settings": {
"server": {
"host": "coverity-server.example.com",
"port": 8443,
"ssl": true
},
"stream": "myProjectsStreamName"
}
}
3. Change the values for the server record—the "host", "port", and "ssl" fields—to identify the
server that supports this installation.
4. Change the value of the stream field to the name of the Coverity Connect stream that your project
is using.
5. Save the file to the root directory of your project’s code repository.
6. Commit the edited coverity.conf file to your code repository so that all users will share the same
settings automatically.
This is a necessary first step for a Coverity Connect server to support Code Sight clients. The server
administrators should follow these steps before any client system attempts to download the Coverity
Analysis tools.
The server administrator must ensure that both the installers for Coverity Analysis and the
license.dat file are located in a directory named <server-install-dir>/server/base/
webapps/downloads.
These are the specific file names:
• license.dat
• cov-analysis-win64-2020.12.exe
• cov-analysis-linux64-2020.12.sh
• cov-analysis-macosx-2020.12.sh
Attention: If you are using a different version of Coverity Analysis, use the file names for that
specific version instead of the ones associated with version 2020.12.
It is also possible to upload the Coverity Analysis files in compressed format: .zip for Windows,
.tar.gz for Linux or macOS.
When the Code Sight plug-in runs, it searches for a coverity.conf file on your local system.
• If it finds a local coverity.conf file, it uses the information that is stored there to locate the local
installation of the Coverity Analysis tools.
• If it does not find a preexisting coverity.conf file, then it does the following:
1. Downloads the Coverity tools from the server being used.
This requires you to specify a URL for the server, and to authenticate yourself.
2. The Coverity tools then create a new coverity.conf file, and save it to the expected location
for a local Coverity configuration file.
The default location for coverity.conf depends on which platform you are running, as shown
in the following table:
Use case: Your build uses a GCC cross-compiler for ARM (arm-none-eabi-gcc) rather than the host’s
default gcc, so Coverity must be told to treat that executable as a GCC-type compiler. The following
coverity.conf code specifies this:
{
"type": "Coverity configuration",
"format_version": 1,
"format_minor_version": 7,
"settings": {
"add_compiler_configurations": [
/* arm-none-eabi-gcc is a common gcc variant
for ARM-based embedded development */
{
"cov_configure_args": [
"--template",
"--compiler",
"arm-none-eabi-gcc",
"--comptype",
"gcc"
]
}
]
}
}
Use case: You want to continue using the Clang compiler front end, but you want to invoke it using the
old-style (and self-descriptive) aliases cc and c++. The following coverity.conf code specifies this:
{
"type": "Coverity configuration",
"format_version": 1,
"format_minor_version": 7,
"settings": {
"add_compiler_configurations": [
/* On a Mac, CMake will use the "cc" and "c++" aliases
instead of "clang" */
{
"cov_configure_args": [
"--template",
"--compiler",
"cc",
"--comptype",
"clangcc"
]
},
{
"cov_configure_args": [
"--template",
"--compiler",
"c++",
"--comptype",
"clangcxx"
]
}
]
}
}
Note: On a site that connects via Coverity Connect, these sample configurations would also require
server and stream fields.
{
"type": "Coverity configuration",
"format_version": 1,
"format_minor_version": 7,
"settings": {
"cov_run_desktop": {
"build_cmd": ["make", "all"],
"clean_cmd": ["make", "clean"]
},
"ide": {
"build_strategy": "CUSTOM"
}
}
}
This particular sample configuration sets up a project that uses the make build system. In your own file,
you would replace the "build_cmd" and "clean_cmd" values with the names of the build and clean
commands that your project actually uses.
For example, to use Apache Maven as your build tool, the "cov_run_desktop" fields would look like
this:
"cov_run_desktop": {
"build_cmd": ["mvn", "compile"],
"clean_cmd": ["mvn", "clean"]
}
Don’t forget: In the "ide" object, you must set "build_strategy" to equal "CUSTOM". If this field
is missing, or is set to a different value, Code Sight does not recognize the custom settings, or use the
alternative tools you specified.
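The rules stated on this page (argv-style "build_cmd" and "clean_cmd", "build_strategy" set to "CUSTOM", the "server" and "stream" block for a Coverity Connect client, and the caution that a Polaris client must not carry "server" or "stream") are easy to get wrong by hand, and a misconfigured custom build is silently ignored rather than reported. The following added checker, which is not part of Code Sight or Coverity, encodes those rules so a coverity.conf can be checked before it is committed to the repository. It strips the C-style comments the page's samples use before strict JSON parsing; the warning on "ssl": false is an added hardening check rather than a rule from this page; and all three sample files are constructed for the demonstration.

```python
"""Check a coverity.conf against the rules stated on this page (added example, not Synopsys code).

Assumptions: the page's samples carry /* */ comments, which are stripped before strict JSON parsing;
the "ssl": false warning is an added hardening check, not a rule from the page.
"""
from __future__ import annotations
import json
import re

CONNECT, POLARIS = "connect", "polaris"  # which kind of server the site uses


def strip_comments(text: str) -> str:
    """Remove /* ... */ comments (naive: would also strip comment-like text inside strings)."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)


def lint_coverity_conf(text: str, mode: str) -> list[str]:
    """Return the problems found; an empty list means the file passes."""
    problems: list[str] = []
    try:
        conf = json.loads(strip_comments(text))
    except json.JSONDecodeError as exc:
        # Typical cause: an unescaped Windows backslash such as "C:\Users\..."
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(conf, dict):
        return ["top level must be a JSON object"]
    if conf.get("type") != "Coverity configuration":
        problems.append('"type" must be "Coverity configuration"')
    if not isinstance(conf.get("format_version"), int):
        problems.append('"format_version" missing or not an integer')
    settings = conf.get("settings")
    if not isinstance(settings, dict):
        return problems + ['"settings" object missing']
    desktop = settings.get("cov_run_desktop", {})
    ide = settings.get("ide", {})
    custom_build = False
    for key in ("build_cmd", "clean_cmd"):
        if key in desktop:
            custom_build = True
            val = desktop[key]
            if not (isinstance(val, list) and val and all(isinstance(s, str) for s in val)):
                problems.append(f'"{key}" must be a non-empty argv list such as ["make", "all"]')
    if custom_build and ide.get("build_strategy") != "CUSTOM":
        problems.append('custom build/clean commands are ignored unless "ide"."build_strategy" is "CUSTOM"')
    if mode == POLARIS:
        for key in ("server", "stream"):
            if key in settings:
                problems.append(f'"{key}" must not be set for a Polaris client; it belongs in polaris.yml')
    elif mode == CONNECT:
        server = settings.get("server")
        if not isinstance(server, dict):
            problems.append('"server" object with host, port and ssl is required for a Coverity Connect client')
        else:
            for key in ("host", "port", "ssl"):
                if key not in server:
                    problems.append(f'"server"."{key}" missing')
            if server.get("ssl") is False:
                problems.append('"ssl": false sends credentials and triage data in clear text')
        if not isinstance(settings.get("stream"), str) or not settings["stream"]:
            problems.append('"stream" must name the Coverity Connect stream')
    mapping = ide.get("path_mapping")
    if mapping is not None:
        for key in ("strip_paths", "search_paths"):
            if not isinstance(mapping.get(key), list):
                problems.append(f'"path_mapping"."{key}" must be a list of paths')
    return problems


# Constructed sample 1: the page's Coverity Connect server/stream block plus a make build.
GOOD_CONNECT = r"""{
  "type": "Coverity configuration", "format_version": 1, "format_minor_version": 7,
  "settings": {
    /* server and stream identify the Coverity Connect instance, as in the page's sample */
    "server": { "host": "coverity-server.example.com", "port": 8443, "ssl": true },
    "stream": "myProjectsStreamName",
    "cov_run_desktop": { "build_cmd": ["make", "all"], "clean_cmd": ["make", "clean"] },
    "ide": { "build_strategy": "CUSTOM" }
  }
}"""

# Constructed sample 2: a Polaris client that still carries "server", writes build_cmd as one
# shell string instead of an argv list, and omits "build_strategy".
BAD_POLARIS = r"""{
  "type": "Coverity configuration", "format_version": 1, "format_minor_version": 7,
  "settings": {
    "server": { "host": "coverity-server.example.com", "port": 8443, "ssl": true },
    "cov_run_desktop": { "build_cmd": "mvn compile", "clean_cmd": ["mvn", "clean"] }
  }
}"""

# Constructed sample 3: the page's path_mapping example with the Windows path left unescaped.
UNESCAPED_PATH = r"""{
  "type": "Coverity configuration", "format_version": 1, "format_minor_version": 7,
  "settings": { "ide": { "path_mapping": {
    "strip_paths": [ "../" ], "search_paths": [ "C:\Users\your-name-here\" ] } } }
}"""

if __name__ == "__main__":
    for name, text, mode in (("good/connect", GOOD_CONNECT, CONNECT), ("good/polaris", GOOD_CONNECT, POLARIS),
                             ("bad/polaris", BAD_POLARIS, POLARIS), ("unescaped", UNESCAPED_PATH, CONNECT)):
        print(name, lint_coverity_conf(text, mode) or "OK")
```

Run it against the file at the repository root before the commit in step 6 of the Coverity Connect setup; the same file passes in connect mode and fails in polaris mode, which is exactly the distinction the CAUTION above draws.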
"cov_run_desktop": {
"coding_standard_configs": [
"$(code_base_dir)/MISRA_c2012_7.config"
]
}
Changing the settings used for Coverity Analysis is described in existing documentation. We won’t go
into details here. If you do edit coverity.conf to specify custom settings, proceed with caution.
These are resources that provide more information about editing coverity.conf:
• The Coverity Desktop Analysis User Guide describes the coverity.conf settings in detail.
The Coverity document set, which includes the Desktop Analysis User Guide, where
coverity.conf is described, is installed on a client system when Coverity Analysis is installed.
The default location of these documents depends on the operating system you are using. See the
following table:
• The following lesson on the Synopsys Community Web site describes how to edit coverity.conf
for use with Code Sight: “How to Set Up the Coverity Desktop Analysis Configuration File –
coverity.conf”.
If multiple versions of Coverity Analysis are installed, which version will Code Sight run?
• If polaris.yml is present and specifies a valid version of Coverity Analysis, then Code Sight uses
that version.
• Otherwise, Code Sight uses the most recent version specified in the local coverity.conf file.
What if I get a report of a central analysis issue, but Code Sight does not locate the issue in my
local source code?
Typically the central analysis server saves path names in a relative format; for example:
../project/source/testme.java
Instead of relative paths, a local instance of Coverity Analysis typically saves file names as absolute
paths. The format of an absolute path depends on the operating system. For example:
C:\Users\your-name-here\project\source\testme.java
To resolve this issue, in your current coverity.conf file, add an "ide" object, and then within it
create a "path_mapping" object to specify (1) the paths to strip off of the path names from central
analysis, and (2) the local paths to search for.
The object has this format:
"ide" {
"path_mapping": {
"strip_paths": [ "path1", "path2" ],
"search_paths": [ "path3", "path4" ]
}
83
Code Sight 2021.1 Documentation
}, ...
So using the previous example, testing only a single project, the "ide" object might look like the
following JSON code:
"ide" {
"path_mapping": {
"strip_paths": [ "../" ],
"search_paths": [ "C:\Users\your-name-here\" ]
}
}, ...
For additional information, see the “IDESettings” and “PathMapping” sections in the Coverity Desktop
Analysis User Guide.
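To see how the two lists fit together, here is an added example (not Coverity code) that applies a "path_mapping" object to a central-analysis path the way the description above reads: strip the first matching "strip_paths" prefix, then try the remainder under each "search_paths" root in order. Coverity's own matching rules are in the Desktop Analysis User Guide; the first-match behaviour and the in-memory list standing in for the local checkout are assumptions made for the demonstration.

```python
"""Apply a coverity.conf path_mapping to a path reported by central analysis.

Added example, not Coverity code; first-match semantics and the in-memory file list are assumptions.
"""
from __future__ import annotations


def _norm(path: str) -> str:
    """Forward slashes, no trailing slash, so Windows and POSIX paths compare alike."""
    return path.replace("\\", "/").rstrip("/")


def resolve_central_path(central: str, mapping: dict, local_files: set[str]) -> str | None:
    """Map a central-analysis path onto a local file; return None if no search path holds it.

    local_files is a set of normalised local paths standing in for the filesystem."""
    rel = _norm(central)
    for prefix in mapping.get("strip_paths", []):
        pre = _norm(prefix) + "/"
        if rel.startswith(pre):
            rel = rel[len(pre):]
            break  # assumption: the first matching prefix wins
    for root in mapping.get("search_paths", []):
        candidate = _norm(root) + "/" + rel
        if candidate in local_files:
            return candidate
    return None


# The page's example mapping, with the backslashes doubled as JSON requires.
MAPPING = {"strip_paths": ["../"], "search_paths": ["C:\\Users\\your-name-here\\"]}

# Constructed stand-in for the files present in the local checkout.
LOCAL_FILES = {_norm(p) for p in [
    "C:\\Users\\your-name-here\\project\\source\\testme.java",
    "C:\\Users\\your-name-here\\project\\source\\Helper.java",
]}

if __name__ == "__main__":
    print(resolve_central_path("../project/source/testme.java", MAPPING, LOCAL_FILES))
    print(resolve_central_path("../project/source/Missing.java", MAPPING, LOCAL_FILES))
```

The result is returned with forward slashes; convert with pathlib.PureWindowsPath if a native Windows form is needed. A central path that matches no strip prefix is searched unchanged under each root, which is why "../" must appear in "strip_paths" for the page's example to resolve.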
Black Duck®
The family of Synopsys software composition analysis (SCA) tools.
Code Sight™
The short name of the Synopsys IDE plug-in for code analysis.
Coverity®
The family of Synopsys static analysis tools.
Coverity Analysis
The Coverity component that analyzes source code to detect quality, security, and other issues.
Coverity Connect
A server-based application that manages the database of issues reported by Coverity Analysis.
Using Coverity Connect is one option for synchronizing local data with remote data (the other option is
the Polaris server).
Detect
Short for Synopsys® Detect. The Black Duck component that runs on a client system. Detect can launch
scans, manage scan files, and communicate with a Black Duck server.
Code Sight Terms
dynamic analysis
Techniques for testing program code by executing the program and analyzing outcomes.
full scan
A full scan provides summaries of findings obtained by scanning the source files within a project. Full
scans provide information about dependencies in the current source file: This information improves the
accuracy—and hence, the usefulness—of the single-file scan.
When not connected to a server, you need to run a full scan locally. Use the Status > Notifications
view to launch the scan: Code Sight prompts you when this is needed.
When connected to a server, Code Sight downloads the results when a full scan completes on that
server. Often a server will be set up to launch scans automatically, as part of a CI/CD build chain.
issue
A situation found in source code that might be problematic, and so is reported by one of the Synopsys
software integrity tools that Code Sight runs.
Polaris
The Polaris Software Integrity Platform™.
Using Polaris is one option for synchronizing local data with remote data (the other option is Coverity
Connect).
SAST
Stands for static application security testing, another term for static analysis.
SCA
Stands for software composition analysis.
static analysis
Techniques for testing program code without executing the program. Also known as static application
security testing (SAST).
Release Notes
Version 2021.1
Version 2021.1 introduces support for Black Duck® software composition analysis and for Microsoft®
Visual Studio® Code. In addition, some interface improvements make it easier to manage and schedule
code scans.
Discontinued Support
• End-of-life (EOL): Support for Eclipse 4.6 has been discontinued.
• Support for Eclipse 4.7 has been deprecated, and will be discontinued in a future release of Code
Sight.
• Support for version 2018.2 of the JetBrains IDEs IntelliJ, PhpStorm, PyCharm, RubyMine, and
WebStorm has been deprecated. In a future release of Code Sight, 2019.1 will become the earliest
supported version for this family of IDEs.
Beta Support
These tables show the IDEs and products that are supported in beta.
• The Android Studio environment uses the same installation steps as IntelliJ.
Enhancements
• Code Sight 2021.1 introduces support for Synopsys Black Duck software composition analysis
(SCA). This feature helps you maintain open-source software (OSS) security compliance by
identifying known vulnerabilities in free OSS (FOSS) packages at development time. Black Duck
scanning is currently supported for the Eclipse and IntelliJ IDEs. Visual Studio will remain in limited
customer availability (LCA) until further notice. Visual Studio Code does not have Black Duck
support.
• The Visual Studio Code (VS Code) environment is now supported. The supported versions are 1.48
through 1.52.
• Release 2021.1 adds support for IntelliJ, PhpStorm, PyCharm, RubyMine, and WebStorm version
2020.3.
• Release 2021.1 adds support for Android Studio 4.1 in beta.
• The Code Sight for IntelliJ plug-in no longer restricts which versions of Java may be used. If the
Coverity Analysis (SAST) tool does not support a particular version of Java, the scan will fail.
• Code Sight now lets users manually launch a single-file Coverity Analysis scan from various
locations:
• In the Single-file scans area of the Scans panel, the user can click the Scan next icon.
• For an SAST issue, the Issues view > Issue Details panel shows the same icon.
• In the IDE Editor, the right-click context menu now has a Scan with Code Sight choice.
• In the IDE Explorer, the right-click context menu has the same choice, which appears when a
source file (but not a project or solution) is selected.
• New preferences let a user enable or disable automatic scanning at either the IDE level or the
project/solution/workspace level. (The plug-in for Eclipse provides this preference setting for the
workspace level only.)
Bug Fixes
• Fixed an issue where Code Sight data would not migrate from a version of the plug-in older than the
immediately previous version. UD-5467
• After updating a vulnerable component found by a Black Duck scan, in some cases the issue was
not removed from the Issues list. This has been fixed. UD-5953
• Black Duck (SCA) issues with a location were not appearing in the Current File scope. This has
now been fixed, and such issues appear correctly when the scope of the Issues list is Current File.
UD-6161
• Fixed an issue where an error message was still displayed after successfully authenticating the user.
UD-6207
Known Issues
• Code Sight does not run clean/rebuild the first time it scans a project that uses a custom build
command and has already been built. UD-3809
• In Visual Studio, when Code Sight is configured to use Black Duck, in certain circumstances if you
modify a project file and then reload the project, Code Sight launches scans repeatedly, instead
of once only. If this happens, quit from Visual Studio. When you restart the IDE, open the modified
project file. UD-4708
Version 2020.11
The 2020.11 release of the Synopsys® Code Sight™ plug-in is a maintenance release that updates
support for some programs, and fixes various issues.
Platform Deprecation
• Support for macOS® 10.13 has been deprecated, and in an upcoming release of Code Sight will no
longer be available.
Beta Support
These tables show the IDEs and products that are supported in beta.
• The Android Studio environment uses the same installation steps as IntelliJ.
Enhancements
• Version 2020-09 (4.17) of the Eclipse IDE is now supported.
• In Code Sight 2020.8, the behavior of the Issues list changed, such that you needed to double-click
an entry to highlight the corresponding line of code in the IDE Editor.
In Code Sight 2020.11, if the source file that contains the issue is already open, then once again a
single click on an entry in the Issues list highlights the corresponding line of code in the Editor. If the
source file is not open in the Editor, then for some IDEs you must double-click the entry to open the
file: After it opens the file, Code Sight then highlights the line of code that is in question.
• Code Sight now filters out eLearning suggestions that are not relevant to the language of the code
being scanned.
• A running full scan can now be cancelled by clicking the Cancel icon in the “Full scans” section
of the Scans panel.
For some IDEs, while the scan is running, a progress indicator and the Cancel icon also appear
in the IDE’s own status bar.
• In certain circumstances Code Sight would try to download and install a scanning tool automatically.
As of release 2020.11, the user must launch the download and setup process for a tool.
• For Black Duck software composition analysis (SCA) scans (a limited-availability feature), Code
Sight has improved performance by caching security vulnerabilities, potential policy violations, and
upgrade guidance fetched from the server. By default, the cached data persists for 24 hours.
• Code Sight SCA support has been updated to display how many occurrences of vulnerable
components, whether direct or transitive, are present in projects managed by GitHub npm™.
For transitive npm components, Code Sight displays which direct dependency has resulted in the
inclusion of the vulnerable component.
• For Black Duck SCA, if no scan is running, a Rerun button now appears in the “Full scans” section of
the Status view > Scans panel. Clicking Rerun launches a full scan of the target code project.
Bug Fixes
• In some cases, while Code Sight was installed, opening a solution file directly from Windows
Explorer would cause Visual Studio 2015 to freeze on startup. This has now been fixed. UD-4296
• Sometimes launching Visual Studio 2017 by double-clicking a .sln file would cause Code Sight to
hang when the IDE launched the extension. This has now been fixed. UD-5104
• In Visual Studio 2017, after opening a solution by double-clicking a .sln file, sometimes the “No
Solutions have been opened” warning would continue to be displayed. This has now been fixed.
UD-5117
• When Code Sight was configured to run both Coverity Analysis and Black Duck, at times the Domain
column in the Issues list would display the domain as “Unknown”. This has been fixed. A domain is
now shown as either SAST or SCA, as appropriate. UD-5867.
• Performance in Visual Studio has been improved, especially when switching branches or when
loading a new project. One consequence of this fix is that for a project or solution, Black Duck scans
for reference inclusion/exclusion no longer run automatically. UD-6135
Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809
• In Visual Studio, when Code Sight is configured to use Black Duck, in certain circumstances if you
modify a project file and then reload the project, Code Sight launches scans repeatedly, instead
of once only. If this happens, quit from Visual Studio. When you restart the IDE, open the modified
project file. UD-4708
Version 2020.8.1
The 2020.8.1 release of the Synopsys® Code Sight™ plug-in is a hotfix that resolves a few high-priority
bugs.
Bug Fixes
• Fixed an issue where for a moment Coverity single-file scan results would be displayed to the user
when the Coverity Analysis tool was not installed. UD-5196
• Fixed an issue that caused Visual Studio to freeze when Code Sight was installed. UD-5685
• Fixed an issue where the Code Sight plug-in could not retrieve issue details from the Polaris server.
UD-5907
Version 2020.8
The 2020.8 release of the Synopsys® Code Sight™ plug-in includes a number of enhancements to
improve ease of use and the accuracy of information displayed. It adds support for some IDE versions,
and fixes a number of bugs as well.
Discontinued Support
• For JetBrains IDEs, version 2018.1 is no longer supported. 2018.2 is the earliest version now
supported.
Beta Support
These tables show the IDEs and products that are supported in beta.
• The Android Studio environment uses the same installation steps as IntelliJ.
Behavior Change
• In the Issues list, clicking the entry for an issue still updates the Details display, but to display the
issue in the environment Editor, you now need to double-click the issue.
If the source file with the issue was not already open in the editor, double-clicking the issue entry
opens that source file to the line where the issue was detected.
Enhancements
• Version 2020.2 of the various JetBrains IDEs is now supported.
• Android Studio version 4.0 is now supported in beta.
• Microsoft Visual Studio Code versions 1.46 and 1.47 are now supported in beta.
• The Full Scans area of the Scans panel now shows the state of the most recent full scan attempt,
and the time of the last successful full scan.
Code Sight displays this scan information for each installed analysis tool.
While a full scan is running, the “in progress” icon for the scan is now animated.
• In Notifications, the Update Scanning Tool page now displays as a “Warning” instead of as “Info”.
• The Issue Details display for Black Duck issues now sorts vulnerabilities by severity.
• In the Issues list, you can now search for the tool that reported the issue. At present, these are
the acronyms SAST (Static Application Security Testing) for Coverity Analysis, and SCA (Software
Composition Analysis) for Black Duck.
The list of issues now includes a new column, Domain, that indicates which tool located this
particular issue. This column, like the others, is sortable.
• If a Black Duck scan fails, the Full Scans area of the Scans panel now shows the message “Error:
<error link>”. Clicking <error link> displays the Error Details page, which displays information that
can help you, or Synopsys Support, understand the error and find ways to correct it.
• This release supports SCA Auto-Remediation: This is the ability of Black Duck to automatically
upgrade a vulnerable component version to a secure version. Upgrades are suggested by the Black
Duck Upgrade guidance service.
For Code Sight 2020.8.0, NPM is the only supported package manager. For Auto-Remediation to run
successfully, npm must be present in the system PATH variable, and npm install must have been
run at the command line before launching the IDE.
Auto-Remediation is only available for direct dependencies. For transitive dependencies, you must
upgrade manually. When this is the case, Code Sight messages display advice on how you can do
so.
Bug Fixes
• When Black Duck server authentication failed, Code Sight was displaying a message specific to
Coverity Analysis. This has been fixed. UD-4476
• If the Black Duck server is unreachable, or if responses are timing out during a Black Duck (SCA)
scan, then Code Sight reports that the scan has failed, and displays an appropriate error message.
UD-4900
• If the Black Duck server’s SSL certificate verification fails during a Black Duck (SCA) scan, then
Code Sight now displays an appropriate error message. UD-4902
• Fixed an issue where the recommended version for remediating SCA issues was being displayed as
a hash string. UD-5188
• Fixed a bug where Code Sight had issues connecting to Coverity Connect server over a TLS
connection. UD-5375
• Code Sight for Visual Studio Code was initiating Black Duck scans, which it does not support. This
has been fixed. UD-5459
Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809
• In some cases, while Code Sight is installed, opening a solution file directly from Windows Explorer
can cause Visual Studio 2015 to freeze on startup. To avoid this happening, first open Visual Studio,
and then open the desired solution from within Visual Studio 2015. UD-4296
• In Visual Studio, when Code Sight is configured to use Black Duck, in certain circumstances if you
modify a project file and then reload the project, Code Sight launches scans repeatedly, instead
of once only. If this happens, quit from Visual Studio. When you restart the IDE, open the modified
project file. UD-4708
• When Visual Studio 2017 is installed, sometimes trying to launch it by double-clicking a .sln file
causes Code Sight to hang when the extension starts up. To work around this issue, open Visual
Studio first, and then use it to open the solution file. UD-5104
Version 2020.6
In the 2020.6 release of the Synopsys® Code Sight™ plug-in, new IDE versions are supported and
various bugs have been fixed.
Enhancements
• For the JetBrains IDEs (IntelliJ, PhpStorm, PyCharm, RubyMine, and WebStorm), version 2020.1 is
now supported.
• For Microsoft VS Code, versions 1.44 and 1.45 are now supported. (The VS Code version of Code
Sight is a beta release.)
• For Eclipse, version 2020-03 (4.15) is now supported.
• The JetBrains environments RubyMine, PhpStorm, and WebStorm can now use Code Sight to run
Black Duck scans.
• When you start Code Sight for the first time, it now displays a Code Sight Configuration page that
lets you choose which tool you want to install first.
• With appropriate permission and enablement, as of 2020.6 you can run Black Duck scans without
having to first install Coverity Analysis. When Black Duck is the only tool in use, the Scans panel
does not display single-file scan errors.
• The Code Sight Preferences panel now shows whether “credentials” (user authentication and the
server name) are valid. If there is a current problem with the connection to the server, it displays an
error message.
• To improve scan performance, Black Duck scans no longer report Policy Violations. If you
want to see Policy Violation reports, you can enable them by setting the environment variable
SYNOPSYS_DESKTOP_BD_ENABLE_POLICY_VIOLATIONS to 1. To disable Policy Violation
reports once more, set the variable to an empty value or remove it from your environment
altogether.
Discontinued Support
Code Sight no longer works with Black Duck instances whose version is earlier than 2020.2.
• As of Code Sight 2020.6, only Black Duck instances of version 2020.02, or a later version, are
supported. These instances use version 2 of the Black Duck API.
Bug Fixes
• In Visual Studio Code, fixed the navigation when multiple events are found on the same line of code.
Now the currently selected event appears at the top of the pop-up list. UD-4035
• Fixed an issue in Eclipse, where after an upgrade from a previous version of Code Sight, the plug-in
would sometimes fail to report issues or notifications displayed by the previous version. UD-4636
• Added a workaround for an issue where Code Sight for Visual Studio changes the build output
verbosity. To avoid this behavior, set the environment variable
SYNOPSYS_DESKTOP_DISABLE_COMPILED_EMIT to 1. UD-4683
• Fixed an issue with Black Duck scans where Policy Violations were not displayed. This occurred
when Policy Violations had Vulnerability Conditions set to "Exploit Available = Yes".
UD-4909
Note: To improve scan performance, as of Code Sight 2020.6, Black Duck scans do not
report Policy Violations unless you have enabled them by setting the environment variable
SYNOPSYS_DESKTOP_BD_ENABLE_POLICY_VIOLATIONS to 1.
• Fixed a Black Duck scanning issue where components that reported Policy Violations but no Security
Vulnerabilities would not display their results. UD-4985
Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809
• In some cases, while Code Sight is installed, opening a solution file directly from Windows Explorer
can cause Visual Studio 2015 to freeze on startup. To avoid this happening, first open Visual Studio,
and then open the desired solution from within Visual Studio 2015. UD-4296
• In Visual Studio, when Code Sight is configured to use Black Duck, in certain circumstances if you
modify a project file and then reload the project, Code Sight launches scans repeatedly, instead
of once only. If this happens, quit from Visual Studio. When you restart the IDE, open the modified
project file. UD-4708
• When Visual Studio 2017 is installed, sometimes trying to launch it by double-clicking a .sln file
causes Code Sight to hang when the extension starts up. To work around this issue, open Visual
Studio first, and then use it to open the solution file. UD-5104
Version 2020.4
Improvements in the 2020.4 release of the Synopsys® Code Sight™ plug-in include adding a new IDE
version, deprecating an older IDE version, and fixing numerous bugs.
New Features
• Code Sight can now use Polaris version 2020.03 or 2020.04.
It no longer uses previous versions of Polaris.
• New versions of the following IDEs are now supported:
• Android Studio 3.6
• Eclipse 2019-12 (4.14)
• Under Limited Availability, Code Sight now supports Black Duck in Visual Studio. This helps you
choose OSS libraries that are non-vulnerable, and ensures open source security compliance. To get
access, please contact software-integrity-support@synopsys.com.
Deprecated Support
Support for the following platform has been deprecated, and will be dropped in a future Code Sight
release:
• Eclipse 4.6
Enhancements
• For those IDEs that support Black Duck, the Status log now shows the status of the most recent
Black Duck scan. UD-4117
• In the previous release, a Black Duck scan was initiated whenever a source file was opened or
closed. As of Code Sight 2020.4, after the initial scan a new Black Duck (SCA) scan only occurs
when a Black Duck configuration file is opened or modified.
Files whose change can trigger a new scan are listed in the Synopsys Detect document > Detectors
page. UD-4221
• Expanded support for the Export Logs feature.
When a single-file scan fails, the Failure Reason column of the Scans panel (“Scan log”) now has a
clickable link that says Unexpected error. Clicking that link opens an Unexpected Error page that
provides a number of support options, including an Export Logs button that exports a zipped copy of
the current logs.
The button on the Unexpected Error page works the same as the Export Logs button on the
Preferences > Synopsys Code Sight Preferences page (the button on the Code Sight
Preferences page is still available, too).
UD-4282
Figure: Scans panel > Log of single-file scans > ‘Unexpected error’ link in ‘Failure Reason’ column
Figure: Status view: ‘Unexpected error’ panel that appears after clicking the ‘Unexpected error’ link
• In Visual Studio Code a new Code Sight option, Don’t Show Again, lets you suppress repeated
appearances of the warning that Code Sight shows when you attempt to open a file and the current
workspace is empty, when there is no current workspace, and other related conditions.
Also, a new option on the Settings page lets you toggle display of the empty-workspace warnings.
If these warnings have been disabled, then turning on the Warnings: Show All option re-enables
them once again.
UD-4391
Figure: Code Sight in VS Code: New ‘Don’t Show Again’ button suppresses repeated display of the
empty-workspace warning.
Figure: Code Sight in VS Code: New ‘Warnings: Show All’ option on the Settings page re-enables
empty-workspace warnings.
• In Visual Studio Code, the STATUS area of the left-hand side bar now shows icons as convenient
shortcuts to view and manage the Scan Status panel, the Export Logs page, and the Authentication
pages (Edit Server icon). UD-4456
• View Scans: This icon appears to the right of the Running scans or No running scans entry in
the Scanning section of the STATUS area. Click it to open the Code Sight Scan Status panel, which
appears at the right of the VS Code window.
• Export Logs: This icon appears to the right of the [version-number] entry in the Code Sight
Extension section of the STATUS area. Click it to display an Export Logs page with an Export Logs
button you can click to save a zipped file of the current scan logs.
• Edit Server: This icon appears to the right of the Server entry in the Tools section of the STATUS
area. Click it to display the Authentication pages, where you can change the server being used, the
current Code Sight user, or both.
Bug Fixes
• When authenticating Black Duck, a client’s credentials could be incorrectly lost. This has been fixed.
UD-4340
• In previous releases, if Code Sight could not use the URL you provided when authenticating, it
displayed a message whose text read, “This product needs a valid server URL to continue. Please
confirm your server URL with your administrator.”
However, this message was not accurate in cases where the URL was valid but the server could not
validate the certificate that accompanied the address. As of version 2020.4, when Code Sight cannot
validate a certificate the message now reads as follows: “Unable to validate the certificate from the
given URL. Please confirm the URL with your administrator. Connecting to a server without a valid
certificate can put the integrity and confidentiality of your data at risk.”
Remember: You can configure Code Sight to accept self-signed certificates. To do so, add the line
"on_new_cert": "trust" to your coverity.conf file. (You must restart the IDE you use for
this change to take effect.)
UD-4447
• Fixed a bug where the Issues list was displaying duplicate entries for the same issue. UD-4513
Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809
• In some cases, while Code Sight is installed, opening a solution file directly from Windows Explorer
can cause Visual Studio 2015 to freeze on startup. To avoid this happening, first open Visual Studio,
and then open the desired solution from within Visual Studio 2015. UD-4296
• In Eclipse, after you upgrade from a previous version of Code Sight, the plug-in might fail to report
issues or notifications displayed by the previous version. If this happens, quit from Eclipse. Wait for
about 30 seconds, and then launch Eclipse once again. The older messages should now appear.
UD-4346
• In Visual Studio, when Code Sight is configured to use Black Duck, in certain circumstances if you
modify a project file and then reload the project, Code Sight launches scans repeatedly, instead
of once only. If this happens, quit from Visual Studio. When you restart the IDE, open the modified
project file. UD-4708
Version 2020.2
The 2020.2 release of the Synopsys® Code Sight™ plug-in expands the range of supported IDEs and
fixes some bugs.
New Features
• New versions of the following IDEs are now supported:
• Eclipse 2019-12 (4.14)
• In Visual Studio, while a single-file scan is running, the Scans panel now displays an icon with an X
on it to the left of the file name. Clicking this icon cancels the scan job.
Bug Fixes
• Fixed an issue where the "Full Scan" notification was not removed after the summary was
downloaded. UD-4027
• Improved the error reporting for scan failures: If a build capture fails, the report now includes the
build-failure messages. UD-4043
• When many scans were queued, Code Sight would sometimes consume large amounts of RAM.
This is now fixed. UD-4096
• On Windows 10, if the language was set to a language other than English, Code Sight would fail to
run in Visual Studio 2015. This has now been fixed. UD-4106
• In Eclipse, after upgrading the plug-in version, the IDE would appear not to completely refresh the
plug-in panes. This has now been fixed. UD-4166
• In Code Sight for Visual Studio, the extension’s Welcome page was linking incorrectly to out-of-date
documentation. It now links correctly to the up-to-date documentation posted on the “Community
Synopsys” portal. UD-4300
• On Windows, Code Sight would fail to locate a coverity.conf file if that file was saved to the
parent directory of a project or to a solution directory. This has now been fixed. UD-4330
Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809
• In some cases, while Code Sight is installed, opening a solution file directly from Windows Explorer
can cause Visual Studio 2015 to freeze on startup. To avoid this happening, first open Visual Studio,
and then open the desired solution from within Visual Studio 2015. UD-4296
• In Eclipse, after you upgrade from a previous version of Code Sight, the plug-in might fail to report
issues or notifications displayed by the previous version. If this happens, quit from Eclipse. Wait for
about 30 seconds, and then launch Eclipse once again. The older messages should now appear.
UD-4346
Version 2020.1
The 2020.1 release of the Synopsys® Code Sight™ plug-in expands the range of supported IDEs and
fixes some bugs.
New Features
• New versions of the following IDEs are now supported:
• IntelliJ IDEA 2019.3
• PhpStorm 2019.3
• PyCharm 2019.3
• RubyMine 2019.3
• WebStorm 2019.3
• The End User Software License and Maintenance Agreement for Code Sight has been updated to
Version 2019.03.
• The top toolbar of the Code Sight window now has an icon that opens a Synopsys Community page
with links to the Code Sight help.
Discontinued Support
The following platforms are no longer supported:
• macOS 10.12
• Windows 7
Bug Fixes
• Fixed an issue in Code Sight for Visual Studio where the Code Sight window would interrupt IDE use
and steal focus during Coverity tool downloads. UD-3829
• Fixed an issue in Code Sight for Visual Studio where queued scans were incorrectly reporting a Last
Scanned time of Now. UD-3830
Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809
Version 2019.11
The 2019.11 release of the Synopsys® Code Sight™ plug-in introduces new features and fixes various
bugs.
New Features
• Eclipse™ version 2019-09 (4.13) is now supported.
• Android™ Studio version 3.5 is now supported (support for both version 3.4 and 3.5 of Android Studio
is in beta for this release).
• Icons in a new Status column in the Scans panel show whether the scan of an individual file is
pending or in progress.
• The Location column in the Scans panel now shows the end, rather than the beginning, of a file’s
path name.
• For Polaris users, depending on your configuration Code Sight now attempts to use the tools
specified either in your local polaris.yml file, or on your Polaris server. In other words, you can
now explicitly specify the tool version you want Code Sight to run, and are no longer restricted to
using the most recent release of a tool.
• During build capture, Code Sight uses the build command specified in the "cov_run_desktop"
record of the coverity.conf file, provided that "build_cmd" is specified and
"build_strategy" is set to "CUSTOM" in the "ide" record.
If "clean_cmd" is also specified "build_strategy": "CUSTOM" enables that as well.
The following code example shows these settings:
    ...
    "cov_run_desktop": {
        "build_cmd": ["make", "-j", "$(num_cores)"], // build command
        "clean_cmd": ["make", "clean"]               // clean command
    },
    "ide": {
        "build_strategy": "CUSTOM"
        ...
    }
Bug Fixes
• Code Sight now respects the Eclipse JavaScript® exclude path when performing a full scan locally.
UD-1216
• This release fixes an issue with “The elevated helper does not have full admin rights” that occurred
on Windows® during the installation of Coverity® Analysis when it was downloaded from Polaris. This
bug is resolved as long as updated Coverity Analysis Tools are configured to be downloaded from
Polaris version 2019.11. UD-3351
• Fixed an issue where Code Sight was incorrectly reporting that a full scan had been started
(“Synopsys: Improving accuracy ...” in the progress notification bar) whenever any new scan was
started, including an individual file scan. UD-3371
• This release fixes an issue where Code Sight for Visual Studio® caused delays in the IDE when
opening large solutions containing many projects. UD-3477
• This release fixes an issue where Code Sight for IntelliJ® caused high resource usage when working
with large projects. UD-3494
• This release fixes an issue where Visual Studio 2019 was incorrectly displaying the “Tool
Compatibility Warning” for analysis tools when running Code Sight with newer Coverity Analysis
Tools. UD-3673
• This release fixes an issue in Code Sight for Visual Studio where an error message for the issue
location was incorrectly displayed for a file that was found locally. UD-3696
• This release fixes an issue with Code Sight for Visual Studio where the Code Sight tool window
continued to report “No solutions have been opened” after opening a solution. UD-3779
• Fixed an issue where Code Sight crashed and failed to scan when a polaris.yml file specified an
invalid tool version. UD-3823
Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809
Version 2019.9
The 2019.9 release of the Synopsys® Code Sight™ plug-in introduces new features and fixes various
bugs.
New Features
• Android™ Studio 3.4 is now a supported IDE (in beta for this release).
• The Eclipse®, IntelliJ®, and Visual Studio® environments can now analyze TypeScript source.
Bug Fixes
• When you edit the coverity.conf file, now Code Sight automatically regenerates its compiler
configuration data. You do not have to restart the plug-in for the changes to take effect. UD-2953
• When running with Polaris, Code Sight would sometimes continue to show issues that had been
closed. This has been fixed. UD-3595
• In IntelliJ 2019.2.1+, when running the 2019.7.2 version of the Code Sight plug-in, opening the
Preferences dialog and choosing the Synopsys Code Sight page would cause an exception. This
has now been fixed. UD-3632
• When running with Polaris, Code Sight now accurately verifies the version of analysis tools and
summary downloads. UD-3627
Known Issues
• In some cases, if you update your authentication key in Coverity Connect, Code Sight will be locked
out of Coverity Connect. To avoid this, update your authentication in Code Sight immediately after
you update it in Coverity Connect. UD-2715
• When you use the Eclipse™ environment to analyze a JavaScript project, only directories that are
specified as “include directories” are included in the filesystem capture. UD-1216
• When using the default C/C++ editor in Eclipse, changing the window focus while a scan is running
can cause markers to disappear. Workaround: Closing the source file and then reopening it will
usually make the markers reappear. UD-2949
• In some cases, a scan can fail due to the following unexpected error: “Failed to acquire lock”/“unable
to open summaries key-value store”. To work around this issue, you will need to manually delete
Coverity data by removing the idirs/<project-identifier> directory indicated in the error
message. After you have done so, restart the IDE. UD-3181
• In Visual Studio, running Code Sight can cause delays in the IDE if you have opened a large solution
that contains many projects. UD-3477
• In IntelliJ, Code Sight can cause high resource usage when you have opened a large project.
UD-3494
• To provide scan results, Code Sight needs to collect all of the necessary header (#include)
files. In Eclipse, this ability is disabled unless you add a "record-with-source" entry to the
coverity.conf file, and set this new entry to true. UD-3583
Version 2019.7
The 2019.7 release of the Synopsys® Code Sight™ plug-in introduces new features and fixes various
bugs.
New Features
• The JetBrains® PhpStorm™ IDE is now supported.
• Microsoft® Visual Studio® version 2019 is now supported.
• Code Sight now displays all issues: both those produced by the local scan, and those obtained from
your configured server stream or project.
• Code Sight no longer launches local full scans automatically. If a full scan has never been run, or has
not been run for a while (and under some other conditions), Code Sight prompts you to run one. This
prompt is displayed on the Run Full Scan page of the Notifications view.
• In Visual Studio, running a scan in the background no longer prevents you from starting IDE builds or
debugging your application.
• The Dismissed state is now pushed to the server as soon as you click Dismiss. (In previous
releases, it was not pushed until the end of the timeout interval.) Issue states received from the
server are still synchronized locally at the end of each interval.
• Code Sight now supports FlexNet® licensing for Coverity® Connect. The license file is saved locally
as license.config in the <install location>/cov-tools/bin/ directory.
Bug Fixes
• Fixed an issue where Code Sight for Visual Studio would not run C/C++ scans in Visual Studio
releases earlier than version 16.1. Corrected the problem by using the active build configuration in
Visual Studio for Coverity build capture. UD-3003
• Fixed an issue where Code Sight for Visual Studio would interfere with debugging C# Web
applications. UD-2979
Known Issues
• When using the default C/C++ editor in Eclipse, changing the window focus while a scan is running
can cause markers to disappear. Workaround: Closing the source file and then reopening it will
usually make the markers reappear. UD-2949
Version 2019.6
The 2019.6 release of the Synopsys® Code Sight™ plug-in introduces new features and fixes various
bugs.
New Features
• The plug-in now supports C/C++ analysis in Eclipse®.
• New IDEs are now supported:
• PyCharm®
• WebStorm™
• Visual Studio® and Eclipse can now test for compliance with MISRA coding standards.
To enable MISRA testing, add the following entry to the "settings" section of your
coverity.conf file:
    "cov_run_desktop": {
        "coding_standard_configs": [
            "$(code_base_dir)/MISRA_c2012_7.config"
        ]
    }
• Code Sight can now authenticate with a Polaris server configured for single sign-on (SAML/SSO). It
authenticates using an access token obtained from the Polaris server.
• The Code Sight plug-in for Eclipse now supports multiple unique projects in a single workspace.
Bug Fixes
• Self-signed certificates are now accepted for authentication when your coverity.conf file has the
following line in its "server" section:
    "on_new_cert": "trust"
This enables any new certificate to be trusted automatically.
UD-2623
• Code Sight now correctly supports downloading zip and tar.gz files as installers from the Coverity
Server. UD-2413
• If a local license is expired or invalid, Code Sight now attempts to retrieve a new license from the
server. UD-1749
• When more than 100 projects were open on Polaris, synchronizing Code Sight triage data caused
problems. This is now fixed. UD-2944
• In Visual Studio, the Code Sight window was not always visible by default for first-time users. This is
now fixed. UD-2633
• This release fixes an issue where triage data was not synchronized with the server after restarting
the IDE. UD-2655
• Code Sight for Visual Studio would fail to start when a Windows user name contained spaces. This is
now fixed. UD-2891
• In Code Sight for Visual Studio, projects organized using Solution Folders would sometimes fail to
capture C/C++ or C# source files. This is now fixed. UD-2799
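The coverity.conf fragments given in these release notes (the custom build and clean commands with "build_strategy": "CUSTOM", the MISRA coding-standard configuration, and the "on_new_cert": "trust" setting) assembled into one file, as an added example that is not from the Code Sight documentation. The "type" and "format_version" header, the "host", "port" and "ssl" keys of the "server" section, and the "stream" key are assumptions about the coverity.conf format; the host, port and stream values are placeholders.

```jsonc
{
  // File header: assumed to be the standard coverity.conf header, not taken from these notes
  "type": "Coverity configuration",
  "format_version": 1,
  "settings": {
    "server": {
      // Placeholder connection details; replace with your Coverity Connect server
      "host": "coverity.example.com",
      "port": 8443,
      "ssl": true,
      // Trusts a certificate that is not yet known, so that a self-signed server
      // certificate is accepted (UD-2623). Leave this line out when the server
      // presents a certificate issued by a CA your system already trusts.
      "on_new_cert": "trust"
    },
    // Placeholder stream name
    "stream": "my-project-stream",
    "cov_run_desktop": {
      // Build and clean commands used by Code Sight during build capture
      "build_cmd": ["make", "-j", "$(num_cores)"],
      "clean_cmd": ["make", "clean"],
      // MISRA C:2012 checking (Visual Studio and Eclipse), path relative to the code base
      "coding_standard_configs": [
        "$(code_base_dir)/MISRA_c2012_7.config"
      ]
    },
    "ide": {
      // CUSTOM makes Code Sight run build_cmd above, and clean_cmd when it is present
      "build_strategy": "CUSTOM"
    }
  }
}
```

Restart the IDE after editing the file, since the notes state that the "on_new_cert" change only takes effect after a restart.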
Known Issues
• If you change compiler configurations in the coverity.conf file, Code Sight does not automatically
detect these changes.
To work around the problem, delete the data/ directory. It is located at
~/.synopsys/desktop/controller/data on macOS® or Linux™, or at
%APPDATA%\Roaming\Synopsys\desktop\controller\data on Windows®.
When it launches a new scan, Code Sight will read the updated coverity.conf. UD-2953
• When working with C/C++ source in Visual Studio, if the default active build configuration fails to
build, then Code Sight / Coverity Analysis testing might not work.
Version 2019.4
The 2019.4 release of the Synopsys® Code Sight™ plug-in introduces new features and fixes a number
of bugs, particularly bugs related to usability and error handling.
New Features
• The plug-in now supports C/C++ analysis in Visual Studio®.
• New IDEs are now supported:
• IntelliJ® 2019.1
• RubyMine™ 2018.1 to 2019.1
• Eclipse 2019-03 (4.11)
Bug Fixes
• Fixed an issue where no error was reported if no analysis tools were found on the Polaris server.
UD-2438
• Fixed an issue where the Visual Studio 2015 IDE suddenly became unresponsive and crashed
intermittently with the unhandled exception System.NullReferenceException. UD-2588
• Updated the plug-in to support analysis of C/C++ projects in Visual Studio. UD-2486
• Reduced the scope of what incremental builds capture, in order to improve performance of
fast-desktop Coverity scans. UD-1003
• Fixed an issue where the Code Sight configuration in the Visual Studio option dialog had invisible
labels while using the dark display theme. UD-2492
• Fixed an issue that caused Visual Studio to change the editor focus after a scan completed.
UD-2451
• In Visual Studio, added search capabilities for the scan log listing. UD-2186
• Improved the layout of messages. While viewing the Welcome page, the Close button is now always
visible, even when scrolling through the message. UD-2304
• Fixed an issue that would occasionally cause the plug-in to scan files again after a summary
download or generation. UD-2320
• Added additional feedback to the active scan messaging, which now exposes more of what the scan
is doing. UD-2514
• Fixed an issue where a local analysis scan would not be performed if the summaries on Polaris were
incompatible. UD-2300
• The plug-in now only listens for files that belong to the active project. This means that results for
unrelated files are no longer incorrectly displayed. UD-1834
• For Visual Studio, improved the startup performance of Code Sight. VS 2015 and 2017 no longer
recommend disabling the plug-in (the “extension”). UD-1338
• The following views and sections have been renamed:
• The Overview tab is now called Status.
• The Plug-in panel is now called Notifications.
Known Issues
• Currently Code Sight cannot connect to Coverity Connect instances using self-signed certificates.
For Windows®, this can be worked around by adding the certificate through the Windows certificate
manager. UD-2623
• If you authenticate by using the Code Sight authentication dialog, Code Sight will not read or
recognize subsequent changes to coverity.conf or swip.yml. UD-2627
• In Visual Studio, contributing events across multiple source files are not displayed when you
navigate to “other” source files: that is, to files that do not contain the main issue event. UD-2691
• Code Sight is a native plug-in that runs within the Eclipse™, IntelliJ® IDEA, and Microsoft® Visual
Studio® integrated development environments (IDEs).
• Code Sight runs the Coverity® high-fidelity Fast Desktop Analysis while you work.
• Code Sight scans your source code when you open a file, and when you save a file that has been
changed. (There is no need to invoke Code Sight explicitly.)
• Code Sight is easy to install.
• If you already run Coverity Analysis on your system, Code Sight uses the installation you have
been using.
• If Coverity Analysis is not installed locally, Code Sight can automatically download it and install it.
• Code Sight can be configured to share issue triage data between your local system and Coverity
Connect, or via the Polaris Software Integrity Platform™ central server.
• If a server with central analysis results is available, this can improve Code Sight performance on
your local system: The plug-in downloads analysis summaries from the server, instead of having to
generate this data locally.
• Code Sight issue descriptions contain direct links to relevant Synopsys Security eLearning pages
(access to Security eLearning requires a separate license).