
Code Sight 2021.1 Documentation
© 2021 Synopsys, Inc.

Contents

What Does Code Sight Do?.................................................................... 4

Getting Started..........................................................................................4
Coverity Setup Considerations....................................................................................................... 5

Using Code Sight..................................................................................... 6


How Do I Use Code Sight?............................................................................................................6
Information that Code Sight Displays.................................................................................. 7
Code Sight Preferences.....................................................................................................16
Tools that Code Sight Can Run................................................................................................... 20
Black Duck (SCA).............................................................................................................. 20
Coverity (SAST)................................................................................................................. 24
Finding Your Way: Code Sight Controls in the Various IDEs...................................................... 36
Code Sight Within IntelliJ...................................................................................................37
Code Sight Within Eclipse................................................................................................. 38
Code Sight Within Visual Studio........................................................................................39
Code Sight Within Visual Studio Code.............................................................................. 40

Support Matrix........................................................................................ 45

Installation............................................................................................... 46
Installing Code Sight in IntelliJ..................................................................................................... 46
Installation Prerequisites.................................................................................................... 46
To install the plug-in.......................................................................................................... 47
To install the plug-in on a system not connected to the Internet.......................................48
To uninstall the plug-in...................................................................................................... 49
Installing Code Sight in Eclipse....................................................................................................51
Installation Prerequisites.................................................................................................... 51
To install the plug-in.......................................................................................................... 52
To install the plug-in on a system not connected to the Internet.......................................54
To uninstall the plug-in...................................................................................................... 57
Installing Code Sight in Visual Studio.......................................................................................... 59
Installation Prerequisites.................................................................................................... 59
To install the extension......................................................................................................60
To install the extension on a system not connected to the Internet.................................. 63
To uninstall the extension..................................................................................................64
Installing Code Sight in Visual Studio Code................................................................................ 65
Installation Prerequisites.................................................................................................... 65
To install the extension......................................................................................................67
To install the extension on a system not connected to the Internet.................................. 68
To uninstall the extension..................................................................................................69


Authentication.........................................................................................71
To choose a tool: Code Sight Configuration................................................................................ 71
To authenticate Black Duck........................................................................................................ 72
To authenticate Coverity............................................................................................................. 73
To authenticate Coverity using a self-signed certificate.................................................... 75
Reviewing and Updating Authenticated Tools..............................................................................75

Administration.........................................................................................76
Configuring Black Duck................................................................................................................ 76
Requirements for Black Duck............................................................................................ 76
Configuring Coverity......................................................................................................................77
Configure Coverity Analysis to Use Polaris.......................................................................77
Configure Coverity Analysis to Use Coverity Connect...................................................... 78
Creating and Locating the ‘coverity.conf’ File....................................................................79
Alternative Coverity Configuration Settings....................................................................... 80
Frequently Asked Questions..............................................................................................83

Code Sight Terms.................................................................................. 84

Release Notes......................................................................................... 86
Version 2021.1.............................................................................................................................. 86
Version 2020.11............................................................................................................................ 88
Version 2020.8.1........................................................................................................................... 90
Version 2020.8.............................................................................................................................. 90
Version 2020.6.............................................................................................................................. 92
Version 2020.4.............................................................................................................................. 93
Version 2020.2.............................................................................................................................. 97
Version 2020.1.............................................................................................................................. 98
Version 2019.11............................................................................................................................ 99
Version 2019.9............................................................................................................................ 100
Version 2019.7............................................................................................................................ 102
Version 2019.6............................................................................................................................ 102
Version 2019.4............................................................................................................................ 104
Version 2019.3: Synopsys Code Sight Plug-in Features........................................................... 105


What Does Code Sight Do?


The Synopsys Code Sight plug-in helps you find quality and security issues in your source code. It helps
you fix these issues, and increases your confidence that you are checking in clean code.
Here are interactive tours of the Code Sight plug-in:
Black Duck (SCA) scanning:
• Quick Tour with Black Duck
Coverity (SAST) scanning:
• Quick Tour for IntelliJ, Eclipse, and Visual Studio
• Quick Tour for VS Code
Code Sight launches one or more Synopsys® software integrity tools to scan your source code and
detect issues.
Code Sight runs within a number of IDE applications. It displays the information it finds in its own views,
which appear within the IDE interface.

Figure 1: Code Sight views

(Example from IntelliJ)

Getting Started
Here is information to help you quickly get started using Code Sight.

1. If necessary, prepare the configuration


The system administrator might need to do some preparation before Code Sight can run Coverity
successfully and efficiently.
(Code Sight can run Black Duck without initial configuration.)
You might need to specify custom configuration settings if your development environment:
• Uses Coverity Connect
• Has a nonstandard compiler setup


• Requires customizing the behavior of Coverity Analysis or of Code Sight itself


See Coverity Setup Considerations on page 5 for more information.

2. Install Code Sight on your own system


If you need to, install Code Sight into your integrated development environment (IDE).
See the installation guide for the IDE that you use.

3. Choose a tool to run


The first time that Code Sight runs, it prompts you to choose which Synopsys tool to install first. (If a tool
is already installed, Code Sight skips ahead to the next step.)

4. Authenticate yourself
Next, after you enter your ID and the URL of the server with which the Synopsys tool will communicate,
enter your password.
If your credentials are accepted and the tool is already installed, then Code Sight is ready to run.
If the tool you chose is not yet installed, Code Sight automatically downloads the tool from the server
and then installs it.
Note: The Detect component of Black Duck installs quickly. The download of Coverity Analysis can
take some time.

5. Start using Code Sight


See How Do I Use Code Sight? for more information.

Coverity Setup Considerations


These are the main issues you should be aware of if you are responsible for setting up Code Sight to
run Coverity Analysis.
• If Polaris is your server:
The server itself requires no extra configuration. A client system might require some special
configuration. If so, we strongly recommend that all systems used by a team have the same
configuration settings. See Configure Coverity Analysis to Use Polaris.
• If Coverity Connect is your server:
Each client system should have a coverity.conf file to specify the host and the active Coverity
Connect stream.
Typically, coverity.conf is created when you install Code Sight and Coverity Analysis. For
some client configurations, you might need to add or adjust the settings in coverity.conf. See
Configure Coverity Analysis to Use Coverity Connect.
Preparing the Coverity Connect server: Each Coverity Connect server must provide a license file
and the installers for downloading and installing Coverity analysis tools on various platforms. See
Preliminaries: Server-side Configuration for Coverity Connect.
• If you plan not to use a server:


You can also run local Coverity (SAST) scans of your source code, without connecting to the
Internet. Instructions for installing Code Sight on a disconnected (or air-gapped) system are provided
in each installation guide.
• Special-purpose configurations:
Some setups might need additional configuration settings before you run Code Sight. For more
details, see the Administration section.

Using Code Sight

How Do I Use Code Sight?


By default, Code Sight runs automatically: Whenever you open a source file or save it, Code Sight runs
a scan.
Black Duck always scans an entire project. Coverity can scan an entire project (a full scan), or it can
scan an individual source file. After it runs a scan, Code Sight displays a list of the issues it has found.

Figure 2: Issues list

(Example from IntelliJ™)


1. Click to highlight an issue in this list.

2. To see more information about the issue, look at the Details panel.


The Details displayed depend on whether the reported issue is a composition analysis (SCA) issue
or a static analysis (SAST) issue. See “Issue Details: Black Duck (SCA)” or “Issue Details: Coverity
(SAST)”.
From the Details panel, you can access the Contributing Events view, which displays still more
information.
If the issue you highlighted is a static analysis issue, then information about it is also displayed in
the IDE’s Code Editor. See “Issues in the Editor”.

3. Resolve the issue.


For a static analysis (SAST) issue, this might mean editing the source code.
For a composition analysis (SCA) issue, this might mean updating the project build configuration file
to specify a more secure version of the open-source dependency.

4. Save your work.


When you save your changes, by default Code Sight analyzes the source once again. If the fix was
successful, the issue disappears from the lists beneath Current File and All Scanned Files.

5. Repeat the preceding steps, as often as you need to do.

Information that Code Sight Displays


Code Sight displays views that show details about the issue that is currently highlighted. These views
also help you navigate the issues that Code Sight found.

The two main views are Status and Issues.


Each IDE has its own way of managing informational displays. Typically the Code Sight views appear at
the bottom of the main IDE window. In some environments, you might have to click a tab or choose from
a menu to see the Code Sight controls.

Figure 3: Tab to view the Code Sight controls

(Example from IntelliJ)


The following pages show overviews of the plug-in layout for particular development environments:
• IntelliJ (JetBrains)
• Eclipse
• Visual Studio
• Visual Studio Code
The sections that follow give more information about the display of status and issues.

Status
The Status view provides overall information about the plug-in, and the scans that it has run.

The Status view contains two subordinate panels:


Notifications panel
Contains messages from the plug-in itself, such as the Welcome page that appears when you first install
Code Sight.

Figure 4: Notification pages appear in the Notifications panel

Scans panel
Lists the scans that have completed, along with the name and location of the source file that was
scanned, and whether the scan was successful.

Figure 5: The Scans panel

(Example from IntelliJ)


The larger “Single-file scans” area shows single-file scans (Coverity only). Below it, the “Full scans”
area shows full scans, which can be run by either Coverity or Black Duck.
Before a scan has completed, the status of individual files is shown in the Status column to the left of
the list. A clock-face icon indicates that the file has been queued but not yet scanned. A circular
in-progress icon indicates that the file is currently being scanned.

Figure 6: Icons for pending scans and scans in progress

While a full scan is running, the Full scans area of the Scans panel shows these icons as well. After
the full scan completes, this area shows when the most recent full scan completed. In front of this text,
an icon indicates where the scan took place:


The familiar Cloud logo indicates that the scan took place on a server.

An icon of a monitor indicates that the scan took place locally.


After an individual file has been scanned—whether singly or as part of a full scan—the Last Result
column shows whether that scan succeeded or failed. If a scan fails, the Failure Reason column shows
a brief description of the cause for failure. This description is clickable, and links to a more detailed
description of the problem.
Managing Scans
By default Code Sight launches scans automatically, but it also gives you the ability to start or stop
scanning manually.

To disable automatic scanning, you can use the Automatic Scanning Preferences.
Remember: When automatic scanning is enabled, opening or closing a code file launches a scan, but
there is a difference between Coverity and Black Duck. Coverity scans only the individual source file.
Black Duck, on the other hand, always scans the entire project.

Launching scans

On the Scans panel, you can launch a full Black Duck scan by clicking the Run new full scan icon
in the “Full scans” area.
For Coverity (SAST), you can launch a scan of an individual file by clicking the same icon in the
“Single-file scans” area, where the tooltip for the icon says, Scan next.
Also for Coverity, you can launch a single-file scan from the Issue Details panel or from the IDE Editor
right-click context menu: Scan with Code Sight.


Figure 7: Context menu in the Code Editor

Finally, in the Project or Solution window, when a source file is selected (but not a project or a solution),
the right-click context menu also displays the Scan with Code Sight choice.


Figure 8: Context menu in the Project/Solution Explorer

Note: The name of this window depends on the IDE: For IntelliJ, other JetBrains environments, and
Eclipse, it is the Project Explorer; for Visual Studio, it is the Solution Explorer; and in Visual Studio
Code, it is simply called Explorer.


When Code Sight determines that a full Coverity scan is advisable, it reminds you to run one.
This reminder appears on the Notifications panel.

Figure 9: Start Full Scan page

Cancelling scans
While a scan is running, you can cancel it by clicking the Cancel icon to the right of the progress
bar.

Figure 10: Status of a running scan

In addition to the status bar, while a scan is running a clickable Cancel icon also appears in the
“Single-file scans” area or the “Full scans” area.

Issues
The Issues view shows detailed information about the results of scans.

Like the Status view, the Issues view has subordinate panels of its own:

The Issues list


Lists issues that Code Sight has found.
Buttons let you choose the scope of the issues displayed in this list. There are three possible scopes:

Current File
Shows issues found only in the source file that is currently open in the Editor.

All Scanned Files
Shows issues found in all source files whose scan has completed successfully.

Dismissed
Shows issues that have been dismissed (Coverity issues only).


Figure 11: Issues list and Scope buttons

(Example from IntelliJ)


The list of issues is organized into the following columns:

Severity (not labeled)
Icons in this column indicate the severity level of the issue: Low, Medium, High, or Critical (Black
Duck scans only).

Type
A brief description of the issue that was found.

Domain
The kind of scan that encountered the issue: SAST indicates a Coverity scan; SCA indicates a Black
Duck scan.

Location
For Coverity scans, these entries show the name of the file, and the line number, where the issue
was found. For Black Duck scans, these entries show the name of the project file.

Scans
For Coverity scans, these icons indicate whether the reported issue was found in a scan of a single,
local file; in a full scan (either local or synchronized with a server); or in both kinds of scan.
For Black Duck scans, the Scans entry is always the “Both” icon. The three icons are:
• Local scan, single file
• Full scan
• Found in both a local and a full scan

First Detected
Indicates how long ago the issue was first detected.

Issue Details
Code Sight displays issue details when you click to highlight an issue in the Issues list. The Issue
Details panel also gives you access to a view titled Contributing Events.
The detail information shown by these two views, and the accompanying controls, depend on whether
the issue is a composition analysis (SCA) issue, or a static analysis (SAST) issue.
• If you are interested in SCA scans, please see “Issue Details: Black Duck (SCA)” and “Contributing
Events: Black Duck (SCA)”.
• If you are interested in SAST scans, please see “Issue Details: Coverity (SAST)” and “Contributing
Events: Coverity (SAST)”.
Filtering Issues
The Filter control lets you filter out issues that are found only in full scans.

Clicking Filter displays a dialog that lets you set the filtering conditions.


Figure 12: The Filter dialog

The interface for filtering is a bit different in the Code Sight extension for Visual Studio Code. For details,
see “Filtering controls” in “Code Sight Within Visual Studio Code”.

Coverity (SAST)
When the option Found by Coverity (SAST) is chosen, the Issues list includes issues that have been
found by Coverity Analysis.

Full scan only


A full scan, especially when Code Sight is communicating with a server, can find additional issues to
report. Some of these issues, however, might not be present in your local code base.
By default, Code Sight does not display SAST issues that are not duplicated locally.
To disable filtering, turn off Exclude if found by full scan only (recommended) in this dialog, and then
click Close.

SAST: When a full scan differs from a local scan


When full-scan filtering is disabled and an issue is found by a full scan but cannot be found locally, then
for that issue Code Sight displays a message that says, “Location not confirmed”.


Figure 13: Issues panel: Location Not Confirmed message

Black Duck (SCA)


When the option Found by Black Duck (SCA) is chosen, the Issues list includes issues that have been
found by Black Duck.

Code Sight Preferences


Code Sight has some preference settings to help you manage the plug-in’s behavior.

In most development environments, you can access the Code Sight Preferences by clicking the icon
that appears above the Code Sight views. In some cases, the icon is accompanied by a label.

Typically the Code Sight preferences appear as a panel of the Preferences interface that is native to the
platform on which your system runs. The following is an example, from Eclipse:


Authentication group
The Authentication group shows the status of your credentials: that is, your user ID, your password,
and the URL of the server to use. If the connection was successfully made, this part of the Preferences
panel shows a message to that effect; for example:


If the connection was not successfully made, or if it is broken for some reason while you are using the
IDE, then this part of the Preferences panel shows a message to indicate the problem. Here is one
example:

In a case where the connection was established, but later broken, you probably will not need to contact
your system administrator—but you will need to know your password. Click Change Credentials to
re-enter your password and establish the server connection once again.

Customization group
This group shows links to preference panels that are native to the platform you use, such as a panel to
customize colors in the interface, or a panel to assign keyboard shortcuts.
In Visual Studio, if you click the Code Sight Preferences button or label, the Synopsys Code Sight
panel appears in the Options dialog. This panel does not have customization controls, but at the left of
the dialog you can navigate to other Visual Studio options.

Troubleshooting group
The Troubleshooting group contains an Export Logs button. This can be helpful when you need to
troubleshoot a problem by working with Synopsys Support. When you click Export Logs, Code Sight
zips the current logs and saves them to a location that it displays in this panel. You can attach this logs
file to your Support request.

Automatic Scanning Preferences


By default, the Code Sight plug-in scans source code whenever you open a file, or close one. The
automatic scanning preferences let you override this behavior.

When a project has a particularly large code base, disabling automatic scanning can be a way to
manage the time spent on testing that code—but with automatic scanning disabled, it is a good idea to
adhere to a regular schedule of running scans.

Figure 14: Preferences for automatic scanning

(Example from Visual Studio)


• Auto-scan off for IDE


When chosen, Code Sight scans source code only when you instruct it to do so.
• Auto-scan on for IDE (recommended)
(The default) When chosen, Code Sight scans source code whenever a source file is opened or
closed.
• Disable auto-scanning for current solution: 'project-name'
When this check box is chosen, automatic scanning is disabled for the current project only.

Auto-scan options for Eclipse


The Eclipse IDE has an option to disable scanning for the current workspace, but it does not have the
more global options.

Figure 15: Auto-scan option in Eclipse

IDE Preferences and Customizing Colors in the Interface


For some users, customizing colors in the interface is a convenience. For users who have difficulty
distinguishing between certain colors, being able to customize colors in the interface—especially in the
code editor—can be an important feature.

The Code Sight Preferences give you access to the color-customization options that are native to the
IDE in which Code Sight is running.
The way to access these options varies, depending on the IDE, as follows:

The JetBrains family, including IntelliJ; also Eclipse
Click Issue Highlighting Colors in the Code Sight Preferences panel > Customization group.

Microsoft Visual Studio
Click the drop-down arrow to the right of Preferences, then choose Issue highlighting from the
drop-down menu.
If you click the Preferences button or label, this displays the Synopsys Code Sight panel in the
Options dialog. This panel does not have customization controls, but in the list panel to the left you
can choose Environment > Fonts and Colors.

Microsoft Visual Studio Code
Click the Open Code Sight Settings icon, which appears in the title bar when you hover over the
STATUS area. Clicking this icon displays a Settings tab in the main VS Code Editor. Most of these
options have to do with customizing the display, including the colors that Code Sight uses.

Using the IDE’s native color controls, you should be able to create a custom display that is more easily
legible.

Tools that Code Sight Can Run


Code Sight is an interface to certain Synopsys software integrity tools. The Code Sight controls provide
a convenient way to manage code scans, but the work of scanning itself is done by other Synopsys
products.
This section introduces the tools that Code Sight currently reports, along with descriptions of controls
that are particular to each tool.

Black Duck (SCA)


Black Duck® is a Synopsys® product that performs software composition analysis (SCA).
Black Duck helps teams manage the security, quality, and license compliance risks that come from the
use of open source and third-party code in applications and containers. These are issues that neither
static analysis nor dynamic analysis can effectively detect.
When it scans a software project, Black Duck identifies open source components, and then reports on
the risks that these might pose. Component scanning helps organizations manage their use of open
source binaries by identifying and cataloging open source components in order to provide metadata
such as license, vulnerability, and open source software (OSS) project health for those components.
Note: In Code Sight release 2021.1, Black Duck scanning is supported by the Eclipse and IntelliJ
environments. Visual Studio supports Black Duck only on a limited customer availability (LCA) basis.
Visual Studio Code does not run Black Duck software composition analysis.

How Does Code Sight Manage Composition Analysis?


Code Sight uses Black Duck to perform software composition analysis.
As performed by Black Duck, the analysis involves the following steps:
1. Scan the current code base and obtain components from the package manager configuration files in
the project.
2. Check these components against the KnowledgeBase, on the Black Duck server, to learn of security
vulnerabilities, policy family, and other metadata: This information helps to understand the nature of
the component.
3. Recommend ways to mitigate certain vulnerabilities, such as upgrading the version of a component
that is out of date.
The following illustration shows an overview of this process:


Figure 16: Software Composition Analysis with Black Duck
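The three steps above, modelled as a small script. This is an added example, not Black Duck or Code Sight code: the manifest is a constructed lockfile-style file rather than a real npm or Maven one, the KnowledgeBase is an invented in-memory table (component names, vulnerability ids, versions and licenses are all made up), and the direct (D) / transitive (T) classification and dependency paths stand in for what the Issue Details and Contributing Events panels display.

```python
import json

# Constructed lockfile-style manifest (not a real npm or Maven file). "direct" lists the
# components the project declares; "resolved" records every component together with the
# components it in turn requires, which is what step 1 reads from package manager files.
MANIFEST = json.dumps({
    "direct": ["web-framework", "logger"],
    "resolved": {
        "web-framework": {"version": "1.2.0", "requires": ["template-lib"]},
        "template-lib":  {"version": "0.9.1", "requires": []},
        "logger":        {"version": "2.0.3", "requires": ["ansi-colors"]},
        "ansi-colors":   {"version": "3.1.0", "requires": []},
    },
})

# Constructed stand-in for the KnowledgeBase lookup of step 2. Every name, vulnerability id,
# version and license here is invented for the example.
KNOWLEDGEBASE = {
    "template-lib": {"fixed_in": "1.0.2", "vuln": "EXAMPLE-VULN-001", "severity": "High", "license": "MIT"},
    "logger":       {"fixed_in": "2.1.0", "vuln": "EXAMPLE-VULN-002", "severity": "Medium", "license": "Apache-2.0"},
    "ansi-colors":  {"fixed_in": "3.2.0", "vuln": "EXAMPLE-VULN-003", "severity": "Low", "license": "MIT"},
}


def parse_version(text):
    """Compare dotted versions numerically, so that 1.10.0 sorts after 1.9.0."""
    return tuple(int(part) for part in text.split("."))


def scan_components(manifest_text):
    """Step 1: walk the dependency tree from each declared component and record, for every
    component reached, its version, whether it is direct (D) or transitive (T), and the
    dependency paths leading to it (the tree the Contributing Events view draws)."""
    manifest = json.loads(manifest_text)
    resolved, direct = manifest["resolved"], set(manifest["direct"])
    components = {}

    def walk(name, path):
        entry = components.setdefault(name, {"version": resolved[name]["version"],
                                             "kind": "D" if name in direct else "T",
                                             "paths": []})
        entry["paths"].append(path)
        for child in resolved[name]["requires"]:
            if child not in path:          # a dependency cycle would otherwise recurse forever
                walk(child, path + [child])

    for name in manifest["direct"]:
        walk(name, [name])
    return components


def check_knowledgebase(components, knowledgebase):
    """Step 2: look each component up; a version below the fixed version is an issue."""
    issues = []
    for name in sorted(components):
        record = knowledgebase.get(name)
        if record and parse_version(components[name]["version"]) < parse_version(record["fixed_in"]):
            issues.append({"component": name, **components[name], **record})
    return issues


def recommend(issue):
    """Step 3: remediation advice. A direct component can be replaced in the project's own
    build file (what Fix It offers); a transitive one is only fixed by upgrading the direct
    component that pulls it in, so the advice names that component instead."""
    target = f"{issue['component']}@{issue['fixed_in']}"
    if issue["kind"] == "D":
        return f"replace {issue['component']}@{issue['version']} with {target} in the build file"
    roots = ", ".join(sorted({path[0] for path in issue["paths"]}))
    return (f"{issue['component']}@{issue['version']} is transitive via {roots}; "
            f"upgrade {roots} to a release that requires {target} or later")


def run_sca(manifest_text, knowledgebase):
    """The whole flow: one record per issue, in the shape the Issues list summarises."""
    issues = check_knowledgebase(scan_components(manifest_text), knowledgebase)
    for issue in issues:
        issue["recommendation"] = recommend(issue)
    return issues


if __name__ == "__main__":
    for issue in run_sca(MANIFEST, KNOWLEDGEBASE):
        print(f"[{issue['severity']:6}] {issue['kind']} {issue['component']}@{issue['version']} "
              f"{issue['vuln']} ({issue['license']}): {issue['recommendation']}")
```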

Issue Details: Black Duck (SCA)


Typically, Code Sight does not display issue details until you click to highlight one of the issues in the
Issues list. When an issue is highlighted, the Issue Details display shows specific information about the
issue.

For an issue found by Black Duck (SCA), the diamond-shaped issue icon highlights a line that
tells how many issues were encountered. This is followed by a list of open-source components that
result in the issue; the names of the security vulnerabilities detected; and then by further details such as
the license used and dates and times on which the issues were detected.


Figure 17: Details panel for an SCA issue

Each occurrence of an issue shows an icon that indicates whether the issue is a direct (declared)
dependency or a transitive (indirect) dependency:

Direct dependency

Transitive dependency

Click the Edit icon to open pom.xml in the IDE Code Editor. This lets you fix the issue manually
by updating the dependency file.

Click the Fix It button to resolve the issue using auto-remediation.


If the current project is built using npm™, then clicking Fix It can possibly repair the problem. The
drop-down list labeled Replace with shows one or more components you can choose to replace the
component that caused an issue.


Figure 18: Drop-down list with alternate open-source components

If the project is built using Apache® Maven™, then clicking Fix It does not repair the problem, but does
display a page that presents advice on how to fix the issue manually.

Figure 19: Page that appears when an automatic fix is not possible


Contributing Events: Black Duck (SCA)


For component analysis issues, the Contributing Events view takes the form of a dependency tree that
shows direct dependencies leading to transitive dependencies culminating in detected issues.

Figure 20: Contributing events view—dependency tree—for composition analysis

The icons to indicate a dependency type are the same as on the Details panel: A ‘D’ for
Direct and a ‘T’ for Transitive.
To see this view, click the Occurrences > Open link in the Issue Details panel.

Figure 21: Link to open Contributing Events view

Tip: Depending on the IDE you are using, you might be able to show the Contributing Events view by
using the view or window controls as well as the Issue Details panel.

Coverity (SAST)
Coverity® is a Synopsys® product that performs static application security testing (SAST), which is also
known as static analysis.
Coverity scans source code to check for quality issues, which can cause code to fail when it is
executed, and for security issues, which can leave code vulnerable to attack. Resolving the issues
reported by Coverity will increase your confidence in the reliability and security of the software that you
publish.

What Is Static Analysis?


Static analysis is a set of techniques for testing program code without executing the program.
Dynamic analysis tests code while it is running. Because of the time involved, dynamic analysis can test
only a sampling of the possible paths of a program’s execution.

Figure 22: Dynamic analysis of an execution tree

A dynamic analysis of code typically focuses on a particular kind of issue, usually one that has to do
with program security: stress testing, penetration testing, fuzz testing, and so on.
Static analysis, by contrast, can search for various kinds of issues, and it computes all possible
execution paths.

Figure 23: Static analysis of an execution tree

The ability to search all paths in an execution tree is one of the strengths of static analysis.
In a production environment, we recommend you use static analysis as one component of an overall
testing strategy, and combine it with appropriate types of dynamic analysis, so that the resulting code is
as robust and secure as possible.

How Does Code Sight Manage Static Analysis?


Code Sight uses Coverity Analysis to analyze code.
Each time it scans a source file in your project, Coverity Analysis performs these overall steps:
1. Builds a tree that models the program’s execution paths.
2. Traverses that tree, searching for problematic situations, including faulty logic, security breaches,
tainted data, and so on.
3. Reports each issue found by this search.
The Issues view in Code Sight displays lists of the issues found by a scan, or by all scans.
Note: There might be portions of code that do not lie on any execution path. This is itself an issue, and
Coverity Analysis reports it.
The Issue Details panel in the Issues view displays details about a particular issue, along with
suggestions for how you might fix that issue.
Remember: Coverity Analysis searches for different types of issues. Quality issues are software
problems such as memory leaks. Security issues are vulnerabilities, especially those that arise when
a system connects to the Internet. Rule issues are various kinds of checks; the issues they report can
include deviations from in-house programming style or from an established industry standard.
Issues are often called defects, but sometimes it can help to think of an issue as simply reporting a
situation that merits further investigation.
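The three steps above, and the earlier point that static analysis computes every execution path rather than sampling them, can be made concrete with a small toy analyzer. The following is an added illustration written for this page; it is not Code Sight or Coverity code, and Coverity's real checkers are far more elaborate. It uses Python's ast module to build the execution tree of a function, explores every path through its if statements, tracks which variables carry attacker-controlled data, and reports a sink reached by such data once per distinct path (which is why a single issue can have several occurrences, as described later in this section). It also reports statements that lie on no execution path. The function names request_param, sanitize and run_query are constructed placeholders standing in for a real checker's configuration of taint sources, sanitizers and sinks, and the sample program is a constructed string that is parsed but never executed.

```python
import ast
from dataclasses import dataclass

# Constructed policy: hypothetical names that stand in for a real checker's
# configuration of taint sources, sanitizers and sinks.
SOURCES = {"request_param"}   # return attacker-controlled data
SANITIZERS = {"sanitize"}     # return data that is safe to use
SINKS = {"run_query"}         # must never receive tainted data


@dataclass(frozen=True)
class Issue:
    kind: str     # "TAINTED_SINK" or "UNREACHABLE_CODE"
    line: int     # line where the issue was detected
    path: tuple   # line numbers of the contributing events along this path


def _call_name(node):
    """Name of a plain function call such as sanitize(x), else None."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        return node.func.id
    return None


def _is_tainted(expr, tainted):
    """True if expr carries tainted data, given the set of tainted names."""
    name = _call_name(expr)
    if name in SOURCES:
        return True
    if name in SANITIZERS:
        return False          # a sanitizer call cleans whatever it wraps
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    # Concatenations, f-strings and other calls are tainted if any part is.
    return any(_is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))


def _walk(stmts, tainted, events, issues, reached):
    """Steps 1 and 2: explore every path through stmts, tracking taint."""
    for i, stmt in enumerate(stmts):
        reached.add(stmt.lineno)
        if isinstance(stmt, ast.If):
            rest = stmts[i + 1:]
            branches = (stmt.body, stmt.orelse)
            if isinstance(stmt.test, ast.Constant):   # constant condition: one branch is dead
                branches = (stmt.body,) if stmt.test.value else (stmt.orelse,)
            for branch in branches:   # each branch continues with the statements after the if
                _walk(branch + rest, set(tainted), events + [stmt.lineno], issues, reached)
            return
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            target = stmt.targets[0].id
            if _is_tainted(stmt.value, tainted):
                tainted = tainted | {target}
                events = events + [stmt.lineno]       # taint flows here: a contributing event
            else:
                tainted = tainted - {target}          # overwritten with clean data
        elif isinstance(stmt, ast.Expr) and _call_name(stmt.value) in SINKS:
            if any(_is_tainted(a, tainted) for a in stmt.value.args):
                issues.add(Issue("TAINTED_SINK", stmt.lineno, tuple(events)))
        elif isinstance(stmt, ast.Return):
            return                                    # nothing after a return runs on this path


def _all_lines(stmts):
    """Every statement line in stmts, including nested if branches."""
    lines = set()
    for s in stmts:
        lines.add(s.lineno)
        if isinstance(s, ast.If):
            lines |= _all_lines(s.body) | _all_lines(s.orelse)
    return lines


def analyze(source):
    """Step 3: report issues found on any path, plus code that lies on no path."""
    issues = set()
    for fn in ast.parse(source).body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        reached = set()
        _walk(fn.body, set(), [], issues, reached)
        for line in _all_lines(fn.body) - reached:
            issues.add(Issue("UNREACHABLE_CODE", line, ()))
    return sorted(issues, key=lambda i: (i.line, i.kind, i.path))


# Constructed sample program under analysis (a string, so it is never executed).
SAMPLE = '''\
def lookup(mode):
    name = request_param("user")                     # line 2: taint source
    if mode == "admin":
        name = sanitize(name)                        # line 4: cleaned on this path only
    if mode == "audit":
        log = name                                   # line 6: taint propagates
    run_query("SELECT * FROM t WHERE n=" + name)     # line 7: sink
    return
    run_query("never runs")                          # line 9: not on any path
'''

if __name__ == "__main__":
    for issue in analyze(SAMPLE):
        print(issue.kind, "at line", issue.line, "via events", issue.path)
```

Run against the sample, the analyzer reports the sink on line 7 twice, once for each path on which the name was never sanitized (events 2, 3, 5 and events 2, 3, 5, 6), and reports line 9 as unreachable. Like a real analyzer it treats both branches of every condition as feasible, so it does not notice that mode cannot equal both "admin" and "audit"; that is the kind of result that merits investigation rather than an automatic fix.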

In addition to scanning one source file at a time, you can run a full scan on all the files in the current
project, in order to generate analysis summaries. These summaries enable quick detection of issues
across multiple files that a file-level scan, on its own, would not be able to find.

Synchronizing Coverity Analysis with a Server


Code Sight can run analyses locally, but it can also be configured to share certain data with an analysis
server.

Typically, if Code Sight is synchronized, an administrator will set this up for your particular installation.
Once synchronization is enabled, Code Sight downloads issue information for the most recent full
central scan, either from Coverity Connect or from Polaris.
When it has a server connection, there are two kinds of data that Code Sight shares:
• Analysis summaries
• Triage Information
By default, Code Sight does not display issues that are not duplicated locally. You can control this
behavior by using the Filter button.

Analysis Summaries
Coverity Analysis creates summaries when you run a full SAST scan of the code base. It uses such
summaries to improve the accuracy of single-file scans.
When connected, Code Sight obtains analysis summaries from the server. This reduces the need to run
full scans locally.

What About Issues that Are Not Found by a Local Scan?


If you turn off Filter > Exclude if found by full scan only, you might notice that the central scan has
reported issues that your local Coverity Analysis scan did not report. There are a number of reasons
why this might happen. Probably the most common reasons for this situation are as follows:
• The Coverity Connect server does not have analysis summary data.
This can happen if an analysis summary failed to upload: for example, if the Internet connection was
interrupted.
• The local and central code bases were configured for a different target.
This might be the case if, for example, one base was configured for a debug build and the other for
a release build; if the two bases are targeted for two different operating systems; and so on.
• The local and central code bases used different versions of the source code.
This situation is known as version skew.
When the code targets or the code versions fail to synchronize, you can take steps to make sure that
your local system and the Coverity Connect server are analyzing the same code.
For a more complete list of reasons why a local scan and a central scan might return different results,
see the section “Reasons for results differences” in chapter 5 of the Coverity Desktop Analysis User
Guide. The “Reasons for results differences” section also describes workarounds for some of these
reasons.
Remember: Coverity documents, including the Coverity Desktop Analysis User Guide, are installed
with the Coverity Analysis tool. Look for the installation directory; for example: /Users/<user
name>/.synopsys/desktop/controller/installedtools/coverity-analysis/<version
number>/doc/<language>/. On a Windows system, the installation folder has basically the
same path, except that it typically begins with <DISK>:\Users\<Username>\AppData\Roaming
\Synopsys\desktop\....

Issues in the Editor


Code Sight highlights Coverity (SAST) issues directly in the development environment’s editor.

Figure 24: Source line with an issue highlighted

(Example from IntelliJ®)


When you click to highlight an issue in the Code Sight Issues list, the focus in the editor shifts to the
issue you clicked, and further information about the issue appears in the Issue Details panel.
Note: If the source code file where the issue was found is not already open in the Editor, then in
some IDEs, when you click the issue in the Issues list, Code Sight opens the source-code file and then
highlights the code line in question. In other IDEs, if the source file is not already open, you need to
double-click the Issues-list entry to achieve the same effect.
In the IDE Editor window, icons adjacent to the line numbers help to indicate what Code Sight found:
See “Icons in the Editor” for details.
Icons in the Editor
When you click or double-click a static-analysis (SAST) issue in the Issues list, Code Sight highlights
lines of source code in the IDE Editor window. Icons adjacent to the line numbers help to indicate what
Code Sight found.

These icons can appear in the Details and Contributing Events panels, too.

A diamond-shaped icon indicates the line where the issue was detected.
When you click or right-click the issue icon, a pop-up menu gives you various choices, including the
selection of this particular issue.

Figure 25: Issue icon (diamond) in pop-up menu

When the issue is selected, the diamond is a solid color.

A double diamond indicates that multiple issues (or events) appear on the same line of code.

When you click or right-click the multiple-issue icon, a pop-up menu lets you choose which of the issues
or events to select.

Figure 26: Multiple issues in pop-up menu

A circular icon indicates a line that contains an event that contributed to an issue.

An icon with branching arrows indicates a line with a control-flow path that led to detection of
the issue.

Issue Details: Coverity (SAST)


Typically, Code Sight does not display issue details until you click to highlight one of the issues in the
Issues list. When an issue is highlighted, the Issue Details display shows specific information about the
issue.
For an issue found by Coverity (SAST), the detailed information includes a link to locate the issue in the
source code, along with links to related issues. Details also include suggestions as to how you might
correct the source.

Figure 27: Issue Details

(Example from Visual Studio)


For some kinds of issues, a section of the Details display shows links to Synopsys Security eLearning
pages that might be relevant. This means that if, for example, the analysis finds a possible SQL
Injection vulnerability, we provide you with training on just what an SQL Injection is and how you can
avoid this issue in the future.

Figure 28: Links to Security eLearning pages on the Issue Details panel

Attention: Access to Security eLearning is licensed separately from Coverity. To view these
pages, you or your organization must have a subscription and login information.

Contributing Events: Coverity (SAST)


For static analysis issues, the Contributing Events view shows the events in the execution sequence
that led up to the issue that was reported.

Figure 29: Contributing Events view for static analysis

To see this view, click the Contributing code events > Open link in the Issue Details panel.

Figure 30: Link to open the Contributing Events view

Tip: Depending on the IDE you are using, you might be able to show the Contributing Events view by
using the view or window controls as well as the Issue Details panel.

Triaging Issues
In the list of active issues, you can triage Coverity issues by dismissing issues you consider to be
unimportant and that don’t require attention.
Dismissed issues are shown in the Issues view > Dismissed scope. You have the option of un-
dismissing an issue to make it active once again, and visible again in the Current File and All Scanned
Files scopes.
If your Code Sight installation is connected to a server, local triage information is regularly synchronized
with triage information on the server, so that all developers working in the code base see the same
active issues. Local triage activity is always pushed to the server before any triage data from the server
is downloaded during synchronization.

Note: Locally dismissed issues are synchronized with Coverity Connect as classification == Intentional
and action == Ignore.
To dismiss an issue found by a Coverity Analysis scan
When a static analysis issue is highlighted, you have the option to dismiss it.

1. Go to the Issues view, then click an issue entry in the Current File list or the All Scanned Files list.
A description of the issue appears in the Issue Details panel.

2. In the Issue Details panel, click Dismiss.

Figure 31: Dismiss button in the Issue Details panel

3. Code Sight displays a dialog where you must enter a comment to explain why you are dismissing
this issue.
Figure 32: Dismiss Issue dialog

4. Enter your reason, and then click Confirm Dismissal.


Code Sight moves the issue to the Dismissed list. The Issue Details panel returns to its default,
empty state.

To un-dismiss an issue and make it active again


Un-dismissing an issue puts it on the active lists again, where you can fix it by amending the source
code.

1. In the Issues view, click the Dismissed scope button to view the list of dismissed issues.

Figure 33: Issues in the Dismissed list

2. Click to highlight the entry for an issue.


The Issue Details panel displays the description of the issue once again. This time, the Dismiss
button has changed to a button labeled Un-Dismiss.

Figure 34: Un-Dismiss button in the Issue Details panel

3. Click Un-Dismiss.

4. Code Sight displays a dialog where you must enter a comment to explain why you are undoing the
dismissal.
Figure 35: Un-Dismiss Issue dialog

5. Enter your reason, and then click Confirm Un-Dismiss.


Now the issue is visible in the Current File and All Scanned Files scopes, once again.

Multiple Occurrences of an Issue


If an issue occurs more than once, the Issue Details panel notifies you by displaying an additional
Occurrences field.

Figure 36: Occurrences field in the Issue Details panel

You can open the drop-down list to go directly to one of the occurrences, or you can click one of the
the left/right arrows to either side of the drop-down list, in order to step through the occurrences in
sequence.
Important: If, after you correct the code and scan again, an issue does not disappear from the list,
this does not necessarily mean that your fix was wrong. Different paths through the same code can
sometimes lead to the same issue. This is why the Issue Details panel reports multiple occurrences of
the same issue.
When a static-analysis issue occurs more than once, the Contributing Events panel can help you see if
different occurrences arise from the same contributing logic, or if there are multiple areas of contributing
code that might be problematic.
When all occurrences of the issue have been resolved, the issue should disappear from the Issues list
altogether.

Missing Files
If Code Sight cannot match a file from the server to a local file, both the Issues list and the Issue Details
panel report this error.

Figure 37: Missing files reported in the Issues view

Finding Your Way: Code Sight Controls in the Various IDEs


The interface of each IDE presents the Code Sight controls in its own way.
The information that Code Sight displays, as described in How Do I Use Code Sight?, is the same in
each IDE, but the location of the controls and the way to manage the Code Sight views can vary from
development environment to development environment.
This section provides an overview of each environment that currently supports Code Sight. If an
environment has controls that are specifically its own, those are described here, too.

Code Sight Within IntelliJ


Once installed in IntelliJ, the Code Sight interface appears in a few panels, and as indicators within the
code editor.

1. In the code editor, icons next to line numbers show Coverity (SAST) issues and other findings.
2. A line of code that has a Coverity (SAST) issue is highlighted and commented.
3. This tabular panel shows either status or issues.
4. Contributing Events appear in a panel of their own.

Code Sight Within Eclipse


Once installed in Eclipse, the Code Sight interface appears in a tabular view, and as indicators within
the code editor.

1. In the code editor, icons next to line numbers show Coverity (SAST) issues and other findings.
2. A line of code that has a Coverity (SAST) issue is highlighted.
3. The Code Sight view has tabs for Issues, Status, and Contributing Events.
Tip: If you don’t see a Code Sight window in the Eclipse interface, go to the menu and choose
Window > Show View > Other. This opens the Show View dialog. In the hierarchy that the dialog
displays, click to expand the Synopsys entry. Click to choose the Code Sight window you want to see,
then click Open.

Code Sight Within Visual Studio


Once installed in Visual Studio, the Code Sight interface appears in a few windows, and as indicators
within the code editor.

1. In the code editor, icons indicate lines that have Coverity (SAST) issues or other findings.
2. A line of code that has a Coverity (SAST) issue is highlighted and commented. Click More to see a
pop-up panel that provides more detail.
3. Most Code Sight controls appear in the Synopsys Code Sight window.
4. Tabs let you switch between the main Code Sight views and the Contributing Events view.
5. The status of running jobs is displayed in a window of its own. For the status of completed jobs, see
the Code Sight window > Status view > Scans panel.
Tip: If you don’t see a Code Sight window in the Visual Studio interface, go to the menu and choose
View > Other Windows and then click one of the Synopsys Code Sight entries to choose the window
you want to see displayed.

Details for Coverity (SAST) issues


To see details in Visual Studio, click the More link that appears at the end of the code-line highlight.

Figure 38: Details pop-up panel in Visual Studio

Code Sight Within Visual Studio Code


Once installed in Visual Studio Code, the Code Sight interface appears in a tabular view, and as
indicators within the code editor.

1. To see the Code Sight interface, click the activity bar button with the Synopsys logo.
2. In the side bar, ISSUES FOUND are displayed above, and STATUS is displayed below.
3. In the code editor, icons next to line numbers show Coverity (SAST) issues and other findings.
4. A line of code that has a Coverity (SAST) issue is highlighted.
5. Clicking controls in the STATUS area can display information in other Editor tabs. For example,
clicking No running scans [View History] displays the Code Sight Scan Status panel shown
here.
Note: The Code Sight extension for VS Code does not provide links to Synopsys eLearning pages.

ISSUES FOUND and STATUS views


In Visual Studio Code, the ISSUES FOUND and STATUS displays are arranged vertically in the side
bar on the left.

Figure 39: ISSUES FOUND and STATUS areas in Visual Studio Code

Issue details
To see details in Visual Studio Code, look at the Editor and hover your mouse over the issue’s line of
code. A drop-down panel displays the detailed information.

Figure 40: Details drop-down panel in Visual Studio Code

To dismiss issues
1. In the ISSUES FOUND list, select an issue or a group of issues, and then right-click.

2. From the pop-up menu, choose Dismiss Issue(s).

Choosing the scope of the ISSUES FOUND list


At the top of the ISSUES FOUND list, if you hover over the Scope entry, three icons appear to the right.

The Scope icons let you choose what sorts of issues to display in the list, as follows:

All Scanned Files
(The default) Shows issues from all files whose scan has completed.

Current File
Shows issues found in the current source file only.

Dismissed
Shows issues that have been dismissed.

STATUS area icons


In the STATUS area of the left-hand side bar, shortcut icons help you view and manage the Scan Status
panel, the Export Logs page, and the Authentication pages.

View Scans
Appears to the right when you hover over a Running scans or No running scans entry in the
Scanning section of the STATUS area. Click it to open the Code Sight Scan Status panel, which
appears at the right of the VS Code window.

Export Logs
Appears to the right when you hover over the [version-number] entry in the Code Sight Extension
section of the STATUS area. Click it to display an Export Logs page with an Export Logs button you
can click to save a zipped file of the current scan logs.

Edit Server
This icon appears to the right when you hover over the Server entry in the Tools section of the
STATUS area. Click it to display the Authentication pages, where you can change the server being
used, the current Code Sight user, or both.

Filtering controls
As in other development environments, in VS Code filtering is enabled by default. While filtering is
enabled, the control appears on a line of its own in the ISSUES FOUND area of the side bar.

Figure 41: Filtering control in Visual Studio Code

To disable filtering, simply click to clear the ‘x’ icon at the right end of that line.
To enable filtering again, click the Filter icon to the right of the ISSUES FOUND label. Code Sight
opens a drop-down menu. On the drop-down menu, click to turn Filter back on. This menu also lets you
choose one of the options for sorting the Issues list.

Figure 42: Filtering and sorting drop-down menu

The sorting options don’t have a counterpart in the versions of Code Sight for other IDEs. You can use
the search field at the top of this drop-down menu to find a sorting option quickly.

Support Matrix
These tables show the IDEs, platforms, and Synopsys products that support the current release of Code
Sight.

IDEs and Languages


These are the IDEs in which Code Sight™ can run, and the languages in each that the plug-in is able to
analyze.

IDE                           Versions               Platforms               Languages
Eclipse™                      4.7 – 2020-09 (4.17)   Windows, Linux, macOS   C/C++, Java, JavaScript®, PHP, Python™, Ruby™, TypeScript
IntelliJ® IDEA                2018.2 – 2020.3        Windows, Linux, macOS   Java, JavaScript, PHP, Python, Ruby, TypeScript
PhpStorm™                     2018.2 – 2020.3        Windows, Linux, macOS   PHP
PyCharm™                      2018.2 – 2020.3        Windows, Linux, macOS   Python
RubyMine™                     2018.2 – 2020.3        Windows, Linux, macOS   Ruby
WebStorm™                     2018.2 – 2020.3        Windows, Linux, macOS   JavaScript, TypeScript
Microsoft® Visual Studio®     2015, 2017, 2019       Windows                 C/C++, C#, JavaScript, PHP, Python, Ruby, TypeScript, VB.NET
Microsoft Visual Studio Code  1.48 – 1.52            Windows, Linux, macOS   C/C++, C# (.NET Core), Java, JavaScript, PHP, Python, Ruby, TypeScript

• The PhpStorm, PyCharm, RubyMine, and WebStorm environments use the same installation steps
as IntelliJ.
Note: In Code Sight release 2021.1, Black Duck scanning is supported by the Eclipse and IntelliJ
environments. Visual Studio supports Black Duck only on a limited customer availability (LCA) basis.
Visual Studio Code does not run Black Duck software composition analysis.
Attention: As of Code Sight 2021.1, Eclipse version 4.6 is no longer supported. Also, support
for Eclipse version 4.7 has been deprecated, and will become unavailable in a future release of
the Code Sight plug-in.
Attention: Also as of Code Sight 2021.1, support for version 2018.2 of the JetBrains IDEs
IntelliJ, PhpStorm, PyCharm, RubyMine, and WebStorm has been deprecated. In a future
release of the Code Sight plug-in, 2019.1 will become the earliest supported version for this
family of IDEs.

Platforms
These are the platforms on which Code Sight can run.

Operating System   Versions
Linux              64-bit. All Linux variants supported by the host IDE (in particular, tested on Ubuntu® 16.04).
macOS              10.13 – 10.15
Windows            64-bit. Windows workstation releases: Windows 8.1 and higher. Windows server releases: Windows Server 2018 and higher.

Attention: As of Code Sight 2020.11, macOS® 10.13 support has been deprecated. In an
upcoming release of Code Sight, this operating system will no longer be an available platform.

Synopsys Products and Servers


These are the Synopsys® products and servers that Code Sight supports.

Product or Server                      Versions
Black Duck                             2020.10 – 2020.12
Coverity Analysis                      2019.06 – 2020.12
Coverity Connect                       2019.06 – 2020.12
Polaris Software Integrity Platform™   The most recent Cloud-hosted version of Polaris

Installation
Here are the instructions for installing Code Sight in the officially supported development environments.
(Certain environments might be supported only in beta: For current information, see the Release Notes.)
The Code Sight plug-in, or extension, is available for a number of integrated development environments
(IDEs). A particular IDE can run on one or more platforms; currently supported platforms include Linux™,
macOS®, and Microsoft® Windows®.

Installing Code Sight in IntelliJ


This section explains how to install Code Sight within IntelliJ® IDEA and related JetBrains®
environments.
The other supported JetBrains environments are PhpStorm™, PyCharm™, RubyMine™, and
WebStorm™.

Installation Prerequisites
Before you install the Synopsys Code Sight plug-in, you should make sure your system is ready for it.
You should already have installed the following software:
• A supported version of a JetBrains environment
You can download these IDEs from the JetBrains pages at https://www.jetbrains.com/.

Note: The Community edition of IntelliJ IDEA supports Java but does not officially support scripting
languages. However, in most cases Code Sight will find and report issues in the source for these
languages as well.
• A code project to work with
For languages that Code Sight supports in these IDEs, please see the “Support Matrix”.
If Coverity® Analysis is already installed on your system, the Code Sight plug-in is able to use it.
If Coverity Analysis is not installed, this is not a problem: The first time you run the plug-in, it can
download and install Coverity Analysis automatically.

To install the plug-in


You can install the Code Sight plug-in for IntelliJ IDEA via the Web.
Make sure you have installed your IDE, along with a code project to analyze.

1. Start the IDE, then go to plug-in installation for the platform you are using.
On Windows® or Linux® systems, the menu choice is File > Settings | Preferences > Plugins; on
Mac® systems, the menu choice is IntelliJ IDEA > Preferences > Plugins.

2. In the Preferences dialog, go to the Plugins panel.


In the Marketplace tab, the Preferences dialog lists plug-ins available from the JetBrains Plugins
Repository.

3. In the search field, enter synopsys, and then click the Code Sight entry when a tooltip displays the
name of the plug-in.

Figure 43: Finding Code Sight in the JetBrains Marketplace

Tip: You can find the Code Sight plug-in by searching the JetBrains Marketplace,
https://plugins.jetbrains.com/. The direct link to the Marketplace page for Code Sight is https://
plugins.jetbrains.com/plugin/11516-synopsys-code-sight

4. In the Synopsys Code Sight page, click the Install button.

Figure 44: The Install button

The Synopsys Code Sight plug-in installs.

5. The Install button changes to a button labeled Restart IDE. Click this button.

Figure 45: The Restart IDE button

6. The IDE prompts you to confirm restarting. Click Restart.

Figure 46: Confirming restart

After the IDE starts again, the Code Sight interface appears within it. To use Code Sight, you will
need to authenticate yourself.

To install the plug-in on a system not connected to the Internet


If the system on which you want to run the Code Sight plug-in is not connected to the Internet—or in
other words, is air-gapped—then the steps to install it are a bit different from the standard steps.
Restriction: On an air-gapped system, you can run local Coverity Analysis scans of your code, but that
is all you can do. No synchronization with a Coverity Connect server is possible. Black Duck cannot run
on an air-gapped system.
Make sure you have installed your IDE, along with a code project to analyze.

1. On a system that is connected to the Net, navigate to the IntelliJ (JetBrains) Marketplace, and
download the ZIP file of the Code Sight plug-in to a portable storage device: for example, a thumb
drive will do.
This file is named synopsys-code-sight-intellij-<version number>.zip.

2. On the air-gapped system, save the ZIP file to a location you will remember.
The Downloads/ directory is one possibility.
Attention: You don’t have to unzip the ZIP file: The JetBrains IDEs can load the plug-in in
its compressed form.

3. Start the IDE, then go to plug-in installation for the platform you are using.
On Windows® or Linux® systems, the menu choice is File > Settings | Preferences > Plugins; on
Mac® systems, the menu choice is IntelliJ IDEA > Preferences > Plugins.

4. In the Preferences dialog, go to the Plugins panel.

5. At the top of the Plugins panel, click the Utilities icon, then from the drop-down menu choose
Install Plugin from Disk.
The IDE displays a regular file dialog.

6. In the file dialog, navigate to the directory that contains the Code Sight ZIP file you saved. Click to
highlight the ZIP file, and then click Open.
The IDE adds a “Synopsys Code Sight” entry to the Plugins panel.

7. Both the plug-in entry and its information page include a button that says Restart IDE. Click one of
those buttons.

Figure 47: Button to Restart the JetBrains IDE

A dialog prompts you to confirm the restart.


After the IDE starts again, the Code Sight interface appears within it. To use Code Sight, you will
need to authenticate yourself.

To uninstall the plug-in


You can uninstall Code Sight whenever you wish.

1. Start the IDE, then go to plug-in installation for the platform you are using.
On Windows® or Linux® systems, the menu choice is File > Settings | Preferences > Plugins; on
Mac® systems, the menu choice is IntelliJ IDEA > Preferences > Plugins.

2. In the Preferences dialog, go to the Installed tab.

Figure 48: Code Sight among installed plug-ins

3. Click to highlight the entry for Synopsys Code Sight.


In the page for Synopsys Code Sight, a drop-down menu now appears in the location to the right
where the Install or Restart IDE buttons appeared.

Figure 49: The Uninstall button

4. Click the Plugin Settings icon to open the drop-down menu, and choose Uninstall.

5. The IDE prompts you to confirm your choice.

Figure 50: Confirming uninstall

6. Click Yes, then as you did when you installed the Code Sight plug-in, when prompted click Restart
to restart the IDE so the change will take effect.

Figure 51: Confirming restart

To clean up the Code Sight configuration files


Code Sight saves information in a folder with a number of configuration files. After you uninstall the
plug-in, you might want to remove this. There is also a file that saves the current state of the plug-in.

1. Open a command window or terminal.

2. Remove the Synopsys desktop/ folder. The default location of this directory/folder depends on the
operating system you are using. See the following table:

Platform       Location of Desktop directory/folder
Linux or Mac   ~/.synopsys/desktop/
Windows        C:\Users\<Username>\AppData\Roaming\Synopsys\desktop\

Some sites install the desktop/ folder in a custom location. If it is not in the default location,
consult your system administrator.

3. Remove the file synopsys_code_sight_state.xml.


This file is saved in a directory/folder named .idea. Code Sight creates this folder inside the project
folder for each project (code base) you analyze.

Installing Code Sight in Eclipse


This section explains how to install Code Sight within the Eclipse™ environment.

Installation Prerequisites
Before you install the Synopsys Code Sight plug-in for Eclipse, you should make sure your system is
ready for it.
You should already have installed the following software:
• A supported version of Eclipse
You can download Eclipse from https://www.eclipse.org/downloads/.
• A code project to work with
For languages that Code Sight supports in this IDE, please see the “Support Matrix”.
If Coverity® Analysis is already installed on your system, the Code Sight plug-in is able to use it.

If Coverity Analysis is not installed, this is not a problem: The first time you run the plug-in, it can
download and install Coverity Analysis automatically.

To install the plug-in


You can install the Code Sight plug-in for Eclipse via the Web.
Make sure you have installed Eclipse, along with a code project to analyze.

1. Launch the Eclipse IDE.

2. Choose Help > Eclipse Marketplace.


The Eclipse Marketplace dialog appears.

3. In the search field, enter synopsys and then click Go.

Figure 52: Search for Code Sight in the Eclipse Marketplace

4. If the Synopsys Code Sight plug-in does not appear in this dialog, click Browse for more
solutions.
Eclipse opens a browser window. Scroll down in this window to see the Synopsys Code Sight entry.


Figure 53: The Code Sight page in the Eclipse Marketplace

Tip: You can find the Code Sight plug-in by searching the Eclipse Marketplace, https://marketplace.eclipse.org.
The direct link to the Code Sight plug-in is https://marketplace.eclipse.org/content/synopsys-code-sight.

5. Move your mouse over the Install widget. As the tooltips instruct you, drag the widget over a
different Eclipse window, and then release the mouse button.

Figure 54: Install widget instructions

Code Sight installs.

6. When Code Sight has finished loading, click Next once again.


Eclipse displays the Install dialog’s Review Licenses panel. Accept the license agreement, and then
click Finish.

7. A dialog prompts you to restart the application. Click Restart Now.

Figure 55: The Restart Now button

After the IDE starts again, the Code Sight interface appears within it. To use Code Sight, you will
need to authenticate yourself.

To install the plug-in on a system not connected to the Internet


If the system on which you want to run the Code Sight plug-in is not connected to the Internet (in other
words, it is air-gapped), then the steps to install it differ slightly from the standard steps.
Make sure you have installed Eclipse, along with a code project to analyze.
Restriction: On an air-gapped system, you can run local Coverity Analysis scans of your code, but that
is all you can do. No synchronization with a Coverity Connect server is possible. Black Duck cannot run
on an air-gapped system.
Important: Eclipse requires the CDT (C/C++ Development Tools) and JDT (Java Development Tools)
packages to be installed. When connected to the Net, Eclipse downloads these tools automatically,
if they are not already present. On an air-gapped system, if these tools are not already present, you
must install them yourself, by hand, before you use the Code Sight plug-in. The download pages for
these packages are https://www.eclipse.org/cdt/downloads.php and https://projects.eclipse.org/projects/eclipse.jdt.
(These URLs are managed by the Eclipse Foundation, not by Synopsys, and they might be
SUBJECT TO CHANGE.)

1. On a system that is connected to the Net, navigate to the GitHub page,
https://github.com/coverity/Code-Sight-for-Eclipse/releases. Download the compressed file for the
Code Sight plug-in to a portable storage device: for example, a thumb drive will do.
• For a Windows system, click Source code (zip).
The GitHub page downloads Code-Sight-for-Eclipse-<version_number>.zip.
• For a macOS or Linux system, click Source code (tar.gz).
The GitHub page downloads Code-Sight-for-Eclipse-<version_number>.tar.gz.

2. On the air-gapped system, save the compressed file to a location you will remember.
The Downloads/ directory is one possibility.

3. Double-click the entry for the compressed file to extract its contents.
This creates a subdirectory that has the same name as the compressed file, without the filename
extension.


You can uncompress to the same directory where you saved the compressed file.

4. Launch the Eclipse IDE.

5. Choose Help > Install New Software.


Eclipse displays the Install dialog.

Figure 56: Install dialog

6. In the Install dialog, click Add.


Eclipse displays the Add Repository dialog.


Figure 57: Add Repository dialog

7. In the Add Repository dialog, click Local.


Eclipse displays a regular file dialog.

8. In the file dialog, navigate to the uncompressed directory. Click to highlight the update-site/
subdirectory, and then click Open.

Figure 58: Locating the ‘update-site/’ subdirectory

The Add Repository dialog appears again, this time with its Location field naming the Code Sight
subdirectory. After you click Add, Eclipse returns to the Install dialog.

9. In the main window of the Install dialog, click to turn on the check box next to the “Synopsys Code
Sight” entry.


Figure 59: Check box for Code Sight plug-in

10. Click Next.


Eclipse loads the plug-in, which takes a few moments.

11. When Code Sight has finished loading, click Next once again.
Eclipse displays the Install dialog’s Review Licenses panel. Accept the license agreement, and then
click Finish.

12. A dialog prompts you to restart the application. Click Restart Now.

Figure 60: The Restart Now button

After the IDE starts again, the Code Sight interface appears within it. To use Code Sight, you will
need to authenticate yourself.

To uninstall the plug-in


You can uninstall Code Sight whenever you wish.

1. In Eclipse, choose Eclipse > About Eclipse.

2. In the About Eclipse IDE dialog, click Installation Details.


Figure 61: Installation Details button

3. In the Eclipse IDE Installation Details dialog, scroll to locate the entry for Synopsys Code Sight,
then click to highlight it.

Figure 62: Choosing the Code Sight entry

4. At the bottom of the dialog, click Uninstall.

Figure 63: The Uninstall button

5. In the Uninstall dialog, click Finish.


6. As you did when you installed the Code Sight plug-in, when prompted click Restart Now to restart
Eclipse so the change will take effect.

Figure 64: Confirming restart

To clean up the Code Sight configuration files


Code Sight saves information in a folder with a number of configuration files. After you uninstall the
plug-in, you might want to remove this. There is also a file that saves the current state of the plug-in.

1. Open a command window or terminal.

2. Remove the Synopsys desktop/ folder. The default location of this directory/folder depends on the
operating system you are using. See the following table:

Platform        Location of Desktop directory/folder
Linux or Mac    ~/.synopsys/desktop/
Windows         C:\Users\<Username>\AppData\Roaming\Synopsys\desktop\

Some sites install the desktop/ folder in a custom location. If it is not in the default location,
consult your system administrator.

3. Remove the file synopsys_code_sight_state.xml.

This file is saved in the directory/folder named
eclipse-workspace/.metadata/.plugins/com.synopsys.desktop.eclipse/.

Installing Code Sight in Visual Studio


This section explains how to install Code Sight within the Microsoft® Visual Studio® IDE environment.
Note: In release 2021.1, Visual Studio runs Black Duck software composition analysis only on a
Limited Customer Availability (LCA) basis.

Installation Prerequisites
Before you install the Synopsys Code Sight plug-in for Visual Studio, you should make sure your system
is ready for it.
You should already have installed the following software:
• A supported version of Visual Studio
You can download Visual Studio from https://visualstudio.microsoft.com/vs/.
CAUTION: These steps do not apply to Visual Studio Code.


• A code project to work with


For languages that Code Sight supports in this IDE, please see the “Support Matrix”.
If Coverity® Analysis is already installed on your system, the Code Sight plug-in is able to use it.
If Coverity Analysis is not installed, this is not a problem: The first time you run the plug-in, it can
download and install Coverity Analysis automatically.

To install the extension


You can install the Code Sight plug-in for Visual Studio via the Web.
Make sure you have installed Microsoft Visual Studio, along with a code project to analyze.
Attention: The steps to install Code Sight as an extension to Visual Studio are not the same as
the steps to install the Code Sight extension within Visual Studio Code.

1. Start Visual Studio.

2. Choose Tools > Extensions and Updates. (In Visual Studio 2019, the choice is Extensions >
Manage Extensions.)

Figure 65: Visual Studio Extensions and Updates dialog

3. In the left-hand column of the Extensions and Updates dialog, click Online. Make sure that Visual
Studio Marketplace is active; click its entry if you need to.


Figure 66: Extensions and Updates dialog: Visual Studio Marketplace

4. In the search field, enter synopsys to locate Synopsys plug-ins.

Figure 67: Visual Studio Marketplace: Entry for Code Sight

Tip: You can find the Code Sight extension for Visual Studio by searching the Visual Studio
Marketplace, https://marketplace.visualstudio.com. The direct link to the Marketplace page for Code
Sight is https://marketplace.visualstudio.com/items?itemName=SynopsysCodeSight.synopsys-code-sight.

5. Click the Synopsys Code Sight entry to highlight it, and then click Download.
A notice confirms the download.

Figure 68: Download confirmation

6. Click Close to exit the Extensions and Updates dialog.


7. Close Visual Studio.


Now a VSIX installer icon appears on the taskbar.

Figure 69: VSIX installer icon on the taskbar

A VSIX Installer dialog opens shortly after that.

Figure 70: VSIX Installer dialog

8. In the VSIX Installer dialog, click Install.


The VSIX Installer installs the plug-in.

9. In the VSIX Installer dialog, click Close.

10. Start Visual Studio once again.


After the IDE starts again, the Code Sight interface appears within it. To use Code Sight, you will
need to authenticate yourself.


To install the extension on a system not connected to the Internet


If the system on which you want to run the Code Sight plug-in is not connected to the Internet (in other
words, it is air-gapped), then the steps to install it differ slightly from the standard steps.
Make sure you have installed Visual Studio, along with a code project to analyze.
Restriction: On an air-gapped system, you can run local Coverity Analysis scans of your code, but that
is all you can do. No synchronization with a Coverity Connect server is possible. Black Duck cannot run
on an air-gapped system.

1. On a system that is connected to the Net, navigate to
https://marketplace.visualstudio.com/items?itemName=SynopsysCodeSight.synopsys-code-sight, and
download the VSIX installer for the Code Sight plug-in. Save this file to a portable storage device:
for example, a thumb drive will do.
This installer is named synopsys-code-sight-<version number>.vsix.
Be careful: The system might attempt to download this file as a zipped folder, without the .vsix
filename extension. If it is not saved as a VSIX file, the installer will not run (and simply changing the
file name will not work). To download correctly, right-click the download link, choose Save Target
As, and then in the file dialog, type .vsix at the end of the folder name.

2. On the air-gapped system, save the VSIX file to a location you will remember.
The Desktop/ folder is the most convenient location.

Figure 71: Icon for installing the Code Sight plug-in

3. Make sure that Visual Studio is not running, and then double-click the installer icon.
A VSIX Installer dialog appears.


Figure 72: Installer dialog

4. Click Install.
The VSIX Installer installs the plug-in.

5. Start Visual Studio.


After the IDE starts again, the Code Sight interface appears within it. To use Code Sight, you will
need to authenticate yourself.

To uninstall the extension


You can uninstall Code Sight whenever you wish.

1. In Visual Studio IDE, return to the plug-in controls: Extensions > Manage Extensions (or for earlier
releases, Tools > Extensions and Updates).

2. In the left-hand column of the Extensions and Updates dialog, make sure Installed is chosen. Click
its entry if you need to.


Figure 73: Code Sight entry in Extensions and Updates dialog

3. Find the entry for Synopsys Code Sight, then click that entry’s Uninstall button.

4. Click Yes to confirm.

5. Click Close to exit the Extensions and Updates dialog.

6. Close Visual Studio.


The VSIX Installer dialog opens again. Click Modify to complete the uninstall.

7. Restart Visual Studio.

To clean up the Code Sight configuration files


Code Sight saves information in a folder with a number of configuration files. After you uninstall the
plug-in, you might want to remove this.

In a command window, delete C:\Users\<Username>\AppData\Roaming\Synopsys\desktop\.


Some sites might install the desktop\ folder in a custom location. If it is not in the default location
shown here, consult your system administrator.

Installing Code Sight in Visual Studio Code


This section explains how to install Code Sight within Microsoft® Visual Studio® Code.
Note: Visual Studio Code does not run Black Duck software composition analysis.

Installation Prerequisites
Before you install the Synopsys Code Sight extension, you should make sure your system is ready for it.
You should already have installed the following software:
• A supported version of Visual Studio Code
You can download VS Code from https://code.visualstudio.com/download.
CAUTION: These steps do not apply to Microsoft Visual Studio.

• A code project to work with


For languages that Code Sight supports in Visual Studio Code, please see the “Support Matrix”.
Important: If you want to analyze source code written in a compiled language such as C, C++, C#,
Java, and so on, then you need to provide information about creating a build to the coverity.conf
file. See the following section, “How do I enable code scans within Visual Studio Code?”, for instructions
on how to do so.
If Coverity® Analysis is already installed on your system, the Code Sight extension is able to use it.
If Coverity Analysis is not installed, this is not a problem: The first time you run the extension, it can
download and install Coverity Analysis automatically.

How do I enable code scans within Visual Studio Code?


For Visual Studio Code, scripted languages need no additional setup, but compiled languages need to
be configured in the coverity.conf file.

• If you want to test code in a language that Coverity Analysis handles with filesystem capture (that is,
a scripted language such as JavaScript or Python), then no setup is required.
• If you want to test code in a language that filesystem capture cannot handle (that is, a compiled
language: C, C++, Java, and so on), then your coverity.conf file needs to be set up so that it
specifies the particular build and clean tools used by your project.
For instructions on how to do so, please see the section that follows.

Setting up build tools for Visual Studio Code


Visual Studio Code is characterized as a “source-code editor” rather than an “integrated development
environment”. As such, it does not have built-in build tools. To run Code Sight as an extension to VS
Code, and have it scan compiled languages, you need to first specify the build and clean commands
that Coverity Analysis will use.
Be aware: VS Code requires this custom configuration only for languages that are not filesystem-
capture languages (that is, compiled languages). However, once you add this JSON code to the
configuration file, the build tools it specifies are used by every Code Sight extension or plug-in that
reads this coverity.conf file: the configuration change overrides each IDE's default build and clean
commands.
To set up the tools, add a "settings" field to coverity.conf. The "settings" field should
contain, in turn, two fields:
1. A "cov_run_desktop" field that specifies the build and clean commands to use.
2. An "ide" field with a "build_strategy" field set to "CUSTOM".
Here is an example of such a "settings" field:

"settings" : {
    "cov_run_desktop" : {
        "build_cmd" : ["make", "all"],
        "clean_cmd" : ["make", "clean"]
    },
    "ide" : {
        "build_strategy" : "CUSTOM"
    }
}

This tells Coverity Desktop to build the project with the make all command, and to clean up after a
build with the make clean command.


To build a project using Apache Maven instead of make, you could use the following
"cov_run_desktop" field:

"settings" : {
    "cov_run_desktop" : {
        "build_cmd" : ["mvn", "compile"],
        "clean_cmd" : ["mvn", "clean"]
    }
}

For a complete example of such a coverity.conf file, see “Specifying Custom Build Tools”.
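The following Python script is an added example; it is not Synopsys code and not part of this documentation. It generates the "settings" block described above for any build and clean command, checks that each command is given as an argument list (the form the examples use) rather than a single shell string, and merges the result into an existing coverity.conf without discarding the other settings the file already carries, which matters because the same file is read by every Code Sight plug-in that uses the project. The header values "type", "format_version" and "format_minor_version" are copied from the sample coverity.conf shown in the Administration section of this document; the function names and the sample input are this example's own assumptions.

```python
"""Build the custom build-tool "settings" for coverity.conf and merge them into a file.

Added example, not Synopsys code. The header fields "type", "format_version" and
"format_minor_version" come from the sample coverity.conf in this document; the
function names and the sample input are this example's own assumptions.
"""
import copy
import json
from pathlib import Path
from typing import Any, Dict, List


def custom_build_settings(build_cmd: List[str], clean_cmd: List[str]) -> Dict[str, Any]:
    """Return the "settings" entries that switch Coverity Desktop to custom build tools.

    Each command must be an argv list such as ["make", "all"], as in the document's
    examples, not one shell string such as "make all": the list form hands each
    argument to the build tool directly, so no shell parses the command line.
    """
    for name, cmd in (("build_cmd", build_cmd), ("clean_cmd", clean_cmd)):
        if not isinstance(cmd, list) or not cmd or not all(isinstance(a, str) and a for a in cmd):
            raise ValueError(f'{name} must be a non-empty list of strings, e.g. ["make", "all"]')
        if len(cmd) == 1 and " " in cmd[0]:
            raise ValueError(f"{name} looks like a shell string; split it into arguments: {cmd[0].split()}")
    return {
        "cov_run_desktop": {"build_cmd": build_cmd, "clean_cmd": clean_cmd},
        # Without "build_strategy": "CUSTOM" the IDE's own build commands are still used.
        "ide": {"build_strategy": "CUSTOM"},
    }


def merge_into_conf(existing: Dict[str, Any], build_cmd: List[str], clean_cmd: List[str]) -> Dict[str, Any]:
    """Return a copy of an existing coverity.conf with the custom build tools merged in.

    Other "settings" entries (for example "server" and "stream") are kept, because
    the same file is read by every Code Sight plug-in that uses this project.
    """
    conf = copy.deepcopy(existing)
    conf.setdefault("type", "Coverity configuration")
    conf.setdefault("format_version", 1)
    conf.setdefault("format_minor_version", 4)
    conf.setdefault("settings", {}).update(custom_build_settings(build_cmd, clean_cmd))
    return conf


def write_conf(path: Path, conf: Dict[str, Any]) -> None:
    """Write the configuration as indented JSON, the layout used in this document."""
    path.write_text(json.dumps(conf, indent=4) + "\n", encoding="utf-8")


if __name__ == "__main__":
    # Constructed sample: a coverity.conf that so far only names a stream.
    sample = {"type": "Coverity configuration", "format_version": 1,
              "format_minor_version": 4, "settings": {"stream": "myProjectsStreamName"}}
    merged = merge_into_conf(sample, ["mvn", "compile"], ["mvn", "clean"])
    print(json.dumps(merged, indent=4))
```

Run it from the project root and pass the result to write_conf(Path("coverity.conf"), merged) once you have checked the output; because the merged file overrides the default build commands for every IDE that shares it, review the diff before committing it.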

To install the extension


You can install the Code Sight extension for Visual Studio Code via the Web.
Make sure you have installed Visual Studio Code, along with a code project to analyze.
Attention: The steps to install Code Sight as an extension to Visual Studio Code are not the
same as the steps to install the Code Sight extension within Microsoft Visual Studio.

1. Start Visual Studio Code.


2. In the activity bar at the left of the VS Code window, click the Extensions button.

Figure 74: Extensions button

3. In the side bar > EXTENSIONS view, enter synopsys in the search field to locate Synopsys plug-
ins.

Figure 75: Extensions and Updates dialog: Visual Studio Marketplace

Tip: You can also find the Code Sight extension by searching the Visual Studio Code Marketplace,
https://marketplace.visualstudio.com/vscode.
4. Click the Synopsys Code Sight entry to highlight it, and then click Install.
After installing, VS Code prompts you to reload the editor.


5. Click Reload Now.


After VS Code starts again, the Code Sight interface appears within it. To use Code Sight, you will
need to authenticate yourself to Coverity (VS Code does not support Black Duck scans).

To install the extension on a system not connected to the Internet


If the system on which you want to run the Code Sight extension is not connected to the Internet (in
other words, it is air-gapped), then the steps to install it differ slightly from the standard steps.
Make sure you have installed Visual Studio Code, along with a code project to analyze.
Restriction: On an air-gapped system, you can run local Coverity Analysis scans of your code, but that
is all you can do. No synchronization with a Coverity Connect server is possible.

1. On a system that is connected to the Net, navigate to https://marketplace.visualstudio.com/vscode,
and download the VSIX installer for the Code Sight plug-in. Save this file to a portable storage
device: for example, a thumb drive will do.
This installer is named vscode-code-sight-<version number>.vsix.
Be careful: The system might attempt to download this file as a zipped folder, without the .vsix
filename extension. If it is not saved as a VSIX file, the installer will not run (and simply changing the
file name will not work). To download correctly, right-click the download link, choose Save Target
As, and then in the file dialog, type .vsix at the end of the folder name.

2. On the air-gapped system, save the VSIX file to a location you will remember.
The Desktop/ folder is the most convenient location.
3. If it is not already running, start Visual Studio Code.

4. In the activity bar at the left of the VS Code window, click the Extensions button.

Figure 76: Extensions button

5. At the top of the EXTENSIONS view, click More Actions (...), and choose Install from VSIX... from
the drop-down menu.


VS Code opens a standard file dialog.

6. In the file dialog, click to highlight the VSIX installer, and then click Install.
The VSIX installer installs the extension.
After installing, VS Code prompts you to reload the editor.

7. Click Reload Now.


After VS Code starts again, the Code Sight interface appears within it. To use Code Sight, you will
need to authenticate yourself to Coverity Analysis (VS Code does not support Black Duck scans).

To uninstall the extension


You can uninstall Code Sight whenever you wish.

1. In Visual Studio Code, return to the extension controls by clicking the Extensions button.


Figure 77: Extensions button

2. In the side bar EXTENSIONS: INSTALLED view, click to highlight the Synopsys Code Sight entry.

Figure 78: Code Sight entry in the side bar

3. In the Synopsys Code Sight panel, click the Uninstall button.

The button area now displays a button labeled Reload Required.


4. Click Reload Required.


This completes the uninstall by reloading VS Code.

To clean up the Code Sight configuration files


Code Sight saves information in a folder with a number of configuration files. After you uninstall the
plug-in, you might want to remove this.

Remove the Synopsys desktop/ folder. The default location of this directory/folder depends on the
operating system you are using. See the following table:

Platform        Location of Desktop directory/folder
Linux or Mac    ~/.synopsys/desktop/
Windows         C:\Users\<Username>\AppData\Roaming\Synopsys\desktop\

Some sites might install the desktop\ folder in a custom location. If it is not in the default location
shown here, consult your system administrator.

Authentication
After you install it, the Code Sight plug-in prompts you to choose one of the Synopsys Software Integrity
tools that you want Code Sight to run. Once you have chosen a tool, you will need to authenticate
yourself to the tool you have chosen.
Under most circumstances, a system administrator or a teammate will provide the login credentials for
the Synopsys tools that your site uses.
If the tool you chose is not already installed on your system, Code Sight proceeds to install it for you, as
well.

To choose a tool: Code Sight Configuration


The first time you run Code Sight, it displays the Configuration page, which lets you choose which
Synopsys tool to run.

In the tile for the tool you want to use, click the Install button.
Code Sight opens the authentication page for the tool that you chose.


To authenticate Black Duck


If your installation supports Black Duck, the Status view > Notifications panel shows a page that
prompts you to authenticate Black Duck in addition to Coverity.
Authenticating yourself enables Black Duck to run project scans on your system and compare the
results with the KnowledgeBase on a Black Duck server. The KnowledgeBase identifies which
components are open-source software, and among those components, identifies those that might need
remediation.
If the Detect component of Black Duck is not already present on your system, authentication enables
Code Sight to download and install this feature.
1. As prompted, enter your user name, then enter the URL for the server.

Figure 79: Authentication: Prompt for user name and URL

The URL identifies a Black Duck server. The server will have been configured by your system
administrator. It might use Single Sign-on (SSO) authentication, or not.
2. Click Continue.
If the server does not use SSO, Code Sight displays the password page.

Figure 80: Authentication: Prompt for password

If the server uses SSO, which requires an access token rather than a password, Code Sight
displays the access-token page.


Figure 81: Authentication: Prompt for an access token


3. Enter your password or access token, then click Continue.
• If Detect was already installed on your system, Code Sight can now run.
• If Detect was not already installed, the plug-in downloads Black Duck’s Detect component and
then installs it. This takes a little while.
4. If you have authenticated Black Duck but not Coverity, Code Sight now shows a button that says,
Skip Additional Tool.
You can click this button to go ahead and begin scanning with Black Duck, or you can click Install
Coverity to authenticate that tool as well.

To authenticate Coverity
Authenticating yourself enables Coverity Analysis to share triage data with a central server. It also
enables Coverity Analysis to download full-project scans from that server, which improves the quality of
local analysis.
If Coverity Analysis is not already present on your system, authentication enables Code Sight to
download this software.
1. As prompted, enter your user name, then enter the URL for the server.

Figure 82: Authentication: Prompt for user name and URL

The URL can identify either a Coverity Connect server or a Polaris server. Which kind of server you
use will have been configured by your system administrator.


2. Click Continue.
Code Sight displays either the password page or the access token page.

Figure 83: Authentication: Prompt for password

The password page appears when you authenticate on a Coverity Connect server, or on a Polaris
server that does not use single sign-on.

Figure 84: Authentication using an access token

The access token page appears if the Polaris server you use is configured for single sign-on (SAML/SSO).
Note:
If you are prompted to enter an access token, and you don’t know what that is, then follow the
prompts on the Access Token page in order to obtain a token.

3. Enter your password or access token, then click Continue.


• If Coverity Analysis was already installed on your system, Code Sight automatically starts to run.
• If Coverity Analysis was not already installed, the plug-in downloads Coverity Analysis and then
installs it. This can take a bit of time.

4. If you have authenticated Coverity but not Black Duck, Code Sight now shows a button that says,
Skip Additional Tool.
You can click this button to go ahead and begin scanning with Coverity Analysis, or you can click
Install Black Duck to authenticate that tool as well.


To authenticate Coverity using a self-signed certificate


By default, Code Sight does not accept self-signed certificates. You can use the configuration file to
override this behavior.
A self-signed certificate can be convenient to use, especially when working only with in-house material.
Add the following field to the "server" section of the current coverity.conf file:
"on_new_cert": "trust"
This enables any new certificate to be trusted automatically.
For more information about using coverity.conf, see the section Code Sight Administration.

Reviewing and Updating Authenticated Tools


After tools have been authenticated, downloaded, and installed, the Status view > Notifications panel
displays a page to show information about the installed software.

The new page has the title, Installed Plug-in and Tool Versions.

If you click the entry for this page, you see a page that shows the current plug-in version, along with the
state and version of the tools that you have installed, so far.

To add a tool that has not yet been installed


• Click the tile for the tool that is not yet active.
(Some tools might require some steps to enable them before you can authenticate them from within
Code Sight.)
Code Sight displays the Authentication Required page once again, so you can add your account
name, your password, and the URL of the server that the tool will use.


To remove a tool from the Code Sight interface


• Close the development environment (IDE) from which you run Code Sight.
• Uninstall the Synopsys Software Integrity tool you no longer want to use.
• Restart the IDE.
Now the Code Sight Notifications should indicate that you are connected only to the server for the
tool that is still installed on your system.

Administration
This section, aimed at system administrators, describes various options that affect the configuration of
Code Sight itself, and of both the Black Duck and the Coverity tools.
Black Duck configuration is comparatively straightforward. Coverity configuration, on the other hand,
offers a large variety of options.

Configuring Black Duck


Black Duck does not have many configuration options, but it does have certain system requirements.

The Black Duck requirements include support for specific Java versions, and specific credentials for
each Black Duck user.

Requirements for Black Duck


To run Black Duck in Code Sight, a system must meet certain requirements.

Java Support
The system must be configured to run either version 8 of OpenJDK™, or release 11 of the Java®
Development Kit (JDK).

The Package Manager and Build Support


The package manager for the projects to analyze, and the build tool or tools it uses, must have been
installed and be specified in the system’s PATH variable.

User Credentials
Each user account must be configured to meet the following conditions:
• The user must have access to check for component security vulnerabilities.
• It must be possible to check each component against the projects accessible to the user, and the
global policies configured on the Black Duck server.
• All dependencies must be resolvable. That is to say, each dependency must have been installed
using the package manager’s cache, virtual environment, and other environmental settings.

Internet Access
To communicate with the Black Duck server, the system must be connected to the Internet.


Remember: Internet access is also needed when you install Code Sight, to download Code Sight itself,
and also the Detect application, if this is not already present on the system. See Installing Code Sight.
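The following Python pre-flight script is an added example; it is not Synopsys code and not part of this documentation. It checks the two Black Duck requirements above that can be verified on the local machine: that the Java runtime reports major version 8 or 11, and that the project's package manager and build tools are on PATH. The version-parsing rule (Java 8 reports itself as "1.8.x", Java 9 and later as "11.x", "17.x" and so on), the accepted-version tuple and the sample tool list are this example's own assumptions; the user-credential and Internet-access requirements are not checked here.

```python
"""Pre-flight check for the local Black Duck requirements (Java version, tools on PATH).

Added example, not Synopsys code. SUPPORTED_JAVA_MAJORS and the sample tool list
in the __main__ block are this example's own assumptions.
"""
import re
import shutil
import subprocess
from typing import Callable, List, Optional

# Assumption: accept any Java 8 or Java 11 runtime, whichever vendor built it.
SUPPORTED_JAVA_MAJORS = (8, 11)


def java_major_version(version_output: str) -> Optional[int]:
    """Extract the major version from the banner that `java -version` prints.

    Java 8 and earlier report "1.8.0_292" (the major version is the second number);
    Java 9 and later report "11.0.11" (the major version is the first number).
    Returns None when no version string is found.
    """
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        return None
    first = int(m.group(1))
    if first == 1 and m.group(2):
        return int(m.group(2))
    return first


def java_is_supported(version_output: str) -> bool:
    """True when the reported major version is one Black Duck supports."""
    return java_major_version(version_output) in SUPPORTED_JAVA_MAJORS


def missing_tools(required: List[str], which: Callable[[str], Optional[str]] = shutil.which) -> List[str]:
    """Return the names in `required` that cannot be found on PATH."""
    return [tool for tool in required if which(tool) is None]


def installed_java_version_output() -> str:
    """Run `java -version`; the JVM prints its banner on stderr, so read both streams."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    banner = installed_java_version_output()
    if java_is_supported(banner):
        print("java: supported version", java_major_version(banner))
    else:
        print("java: unsupported or not installed:", banner.strip() or "(no output)")
    # Constructed tool list for a Maven-built Java project; adjust it to your project.
    for tool in missing_tools(["java", "mvn", "git"]):
        print("missing from PATH:", tool)
```

Run it on each developer machine before the first Black Duck scan; a reported major version other than 8 or 11, or a missing package manager, explains most failed first scans before any server-side troubleshooting starts.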

Configuring Coverity
Coverity supports a variety of configuration options.

The main choice, when configuring Coverity Analysis, is whether to use the Polaris Software Integrity
Platform, or a Coverity Connect server.
A coverity.conf file might be used in either kind of configuration. The section “Creating and Locating
the ‘coverity.conf’ File” describes how this file is managed.

Configure Coverity Analysis to Use Polaris


Configuring a Code Sight client to access Coverity tools via a Polaris server involves two distinct
configuration files.

For a Code Sight installation that accesses Synopsys tools via Polaris, each configuration file has its
own purpose.

The ‘polaris.yml’ File


The polaris.yml file is a YAML file that is standard for Polaris installations.
To configure a Code Sight client, you need to specify the serverUrl and the project sections of
polaris.yml.
For more information about the configuration file, please see the section Polaris Platform
Documentation > “Configuration Reference” > “Configuration File Overview”.
Please keep in mind the following:
• For Code Sight configuration, you do not need to edit other sections of polaris.yml.
• The polaris.yml is a standard component of Polaris configurations, so this file might already be
present in your code base.
If your code base has not used Polaris before, you might need to create a new polaris.yml file.
You can use the Polaris command-line interface to do so. For a description of the steps to follow,
please see the section Polaris Platform Documentation > “Administering Polaris” > “Initializing a
Project”.

The ‘coverity.conf’ File


The coverity.conf file is a JSON file that is specifically for configuring Coverity Analysis and
Coverity Connect. If you are using a Polaris server and you do not need to customize Coverity Analysis
behavior, then you do not need to edit coverity.conf.
For a site that uses a Polaris server, there are only a few reasons you might want to alter the contents of
coverity.conf. The most common of these are:
• To specify a compiler configuration that is not the standard configuration for the IDE you use.
• To specify custom Coverity Analysis settings.
These circumstances are described in “Alternative Coverity Configuration Settings”.


For more detailed information about coverity.conf, please see the Coverity Desktop Analysis User
Guide.
CAUTION: If your client connects via a Polaris server, do not use the coverity.conf file’s
"server" or "stream" fields. The Polaris "server" and "project" values are specified in
the polaris.yml file.

Configure Coverity Analysis to Use Coverity Connect


To connect to a particular Coverity Connect server, a client system needs to locally specify some setup
information. In addition, before a client can connect to it, the Coverity Connect server must be set up to
support Code Sight clients.

The following sections explain the setup steps for both the server and its clients.

Client-side Configuration for Coverity Connect


To configure a client system so that Code Sight can connect to a particular Coverity Connect server,
you need to specify that server in the local coverity.conf file. This configuration file is in JSON
format.
Best Practice: A development team should share common settings, so create a project-specific
coverity.conf file. Then check it in to your code repository so each developer can download the
same configuration.
1. Use a text editor to create a new text file named coverity.conf.
2. Copy the following text into the coverity.conf file:

{
    "type": "Coverity configuration",
    "format_version": 1,
    "format_minor_version": 4,
    "settings": {
        "server": {
            "host": "coverity-server.example.com",
            "port": 8443,
            "ssl": true
        },
        "stream": "myProjectsStreamName"
    }
}

3. Change the values for the server record—the "host", "port", and "ssl" fields—to identify the
server that supports this installation.
4. Change the value of the stream field to the name of the Coverity Connect stream that your project
is using.
5. Save the file to the root directory of your project’s code repository.
6. Commit the edited coverity.conf file to your code repository so that all users will share the same
settings automatically.

Preliminaries: Server-side Configuration for Coverity Connect


Installers for Coverity Analysis, and a license.dat file, must be present on the Coverity Connect
server so they are available for downloading to Code Sight users who wish to install and run Coverity
Analysis.

This is a necessary first step for a Coverity Connect server to support Code Sight clients. The server
administrators should follow these steps before any client system attempts to download the Coverity
Analysis tools.
The server administrator must ensure that both the installers for Coverity Analysis and the
license.dat file are located in a directory named <server-install-dir>/server/base/webapps/downloads.
These are the specific file names:
• license.dat
• cov-analysis-win64-2020.12.exe
• cov-analysis-linux64-2020.12.sh
• cov-analysis-macosx-2020.12.sh
Attention: If you are using a different version of Coverity Analysis, use the file names for that
specific version instead of the ones associated with version 2020.12.

It is also possible to upload the Coverity Analysis files in compressed format: .zip for Windows,
.tar.gz for Linux or macOS.

Creating and Locating the ‘coverity.conf’ File


Usually, a user-specific coverity.conf file is created when the Coverity Analysis tools are installed.

When the Code Sight plug-in runs, it searches for a coverity.conf file on your local system.
• If it finds a local coverity.conf file, it uses the information that is stored there to locate the local
installation of the Coverity Analysis tools.
• If it does not find a preexisting coverity.conf file, then it does the following:
1. Downloads the Coverity tools from the server being used.
This requires you to specify a URL for the server, and to authenticate yourself.
2. The Coverity tools then create a new coverity.conf file, and save it to the expected location
for a local Coverity configuration file.
The default location for coverity.conf depends on which platform you are running, as shown
in the following table:

Table 1: Where Coverity Analysis tools are installed by default

Platform        Location of Coverity Analysis tools
Linux or Mac    ~/.synopsys/desktop/controller/installedtools/coverity-analysis/
Windows         C:\Users\<username>\AppData\Roaming\Synopsys\desktop\controller\installedtools\coverity-analysis\

Alternative Coverity Configuration Settings


Whether your client system connects via a Polaris server or a Coverity Connect server, you can use the
coverity.conf file to specify custom analysis settings.

The ‘coverity.conf’ File


There are a number of reasons you might want to alter the out-of-the-box contents of coverity.conf:
1. As already described, to specify the Coverity Connect server and the Coverity Connect stream. This
applies only when Coverity Analysis connects to a Coverity Connect server. It does not apply when
Coverity Analysis connects via Polaris.
2. To enable authentication using self-signed certificates. See “To authenticate using a self-signed
certificate”.
3. To specify an alternative installation directory for the Coverity Analysis tools.
To do so, use the KnownInstallation object; see the Coverity Desktop Analysis User Guide for details.
4. To specify a compiler configuration that is not the standard configuration for the IDE you use.
See “Special-purpose Compiler Configurations”.
5. To specify alternative build tools.
Certain environments require an explicit build specification. See “Frequently Asked Questions”.
6. For Code Sight running Coverity Analysis in Eclipse or in Visual Studio, to enable MISRA
compliance testing. See “Enabling MISRA Compliance Testing”.
7. To specify custom analysis settings.
Analysis settings are described elsewhere. There are too many to list here, but “Custom Analysis
Settings” lists resources for learning about analysis options.
Important: The file coverity.conf is standard for desktop configurations of Coverity Analysis. For
more information about it, please see the Coverity Desktop Analysis User Guide.

Special-purpose Compiler Configurations


Here are a couple of use cases for specifying a custom compiler configuration, and examples of how to
do so.

Use case: Your build uses the ARM (RISC) compiler rather than the more widespread GCC (GNU
Compiler Collection). The following coverity.conf code specifies this:

{
    "type": "Coverity configuration",
    "format_version": 1,
    "format_minor_version": 7,
    "settings": {
        "add_compiler_configurations": [
            /* arm-none-eabi-gcc is a common gcc variant
               for ARM-based embedded development */
            {
                "cov_configure_args": [
                    "--template",
                    "--compiler",
                    "arm-none-eabi-gcc",
                    "--comptype",
                    "gcc"
                ]
            }
        ]
    }
}

Use case: You want to continue using the Clang compiler front end, but you want to invoke it using the
old-style (and self-descriptive) aliases cc and c++. The following coverity.conf code specifies this:

{
    "type": "Coverity configuration",
    "format_version": 1,
    "format_minor_version": 7,
    "settings": {
        "add_compiler_configurations": [
            /* On a Mac, CMake will use the "cc" and "c++" aliases
               instead of "clang" */
            {
                "cov_configure_args": [
                    "--template",
                    "--compiler",
                    "cc",
                    "--comptype",
                    "clangcc"
                ]
            },
            {
                "cov_configure_args": [
                    "--template",
                    "--compiler",
                    "c++",
                    "--comptype",
                    "clangcxx"
                ]
            }
        ]
    }
}

Note: On a site that connects via Coverity Connect, these sample configurations would also require
server and stream fields.

Specifying Custom Build Tools


To use build tools that differ from the standard tools used by your development environment, specify
these with a cov_run_desktop object in the coverity.conf file.

Here is a sample configuration file that contains a cov_run_desktop object:

{
    "type": "Coverity configuration",
    "format_version": 1,
    "format_minor_version": 7,
    "settings": {
        "cov_run_desktop": {
            "build_cmd": ["make", "all"],
            "clean_cmd": ["make", "clean"]
        },
        "ide": {
            "build_strategy": "CUSTOM"
        }
    }
}

This particular sample configuration sets up a project that uses the make build system. In your own file,
you would replace the "build_cmd" and "clean_cmd" values with the names of the build and clean
commands that your project actually uses.
For example, to use Apache Maven as your build tool, the "cov_run_desktop" fields would look like
this:

"cov_run_desktop": {
    "build_cmd": ["mvn", "compile"],
    "clean_cmd": ["mvn", "clean"]
}

Don’t forget: In the "ide" object, you must set "build_strategy" to "CUSTOM". If this field is
missing, or is set to a different value, Code Sight ignores the custom settings and does not use the
alternative tools you specified.

Enabling MISRA Compliance Testing


Within the Eclipse and Visual Studio environments, Code Sight can run the Coverity MISRA compliance
tests.
To enable MISRA testing, add the following entry to the "settings" section of the current
coverity.conf file:

"cov_run_desktop": {
    "coding_standard_configs": [
        "$(code_base_dir)/MISRA_c2012_7.config"
    ]
}

Custom Analysis Settings


Another use of coverity.conf is to specify custom settings for Coverity Analysis.

Changing the settings used for Coverity Analysis is described in existing documentation. We won’t go
into details here. If you do edit coverity.conf to specify custom settings, proceed with caution.
These are resources that provide more information about editing coverity.conf:
• The Coverity Desktop Analysis User Guide describes the coverity.conf settings in detail.
The Coverity document set, which includes the Desktop Analysis User Guide, where
coverity.conf is described, is installed on a client system when Coverity Analysis is installed.
The default location of these documents depends on the operating system you are using. See the
following table:

Table 2: Where Coverity docs are installed by default

Platform        Location of Coverity documents
Linux or Mac    ~/.synopsys/desktop/controller/installedtools/coverity-analysis/<version>/doc/en/
Windows         C:\Users\<username>\AppData\Roaming\Synopsys\desktop\controller\installedtools\coverity-analysis\<version>\doc\en\

• The following lesson on the Synopsys Community Web site describes how to edit coverity.conf
for use with Code Sight: “How to Set Up the Coverity Desktop Analysis Configuration File –
coverity.conf”.

Frequently Asked Questions


Here are some questions that can arise.

What happens if both ‘coverity.conf’ and ‘polaris.yml’ specify a server URL?


• If you entered a URL when you used the Notifications panel to authenticate yourself, then that is the
URL that Code Sight uses.
• Otherwise, Code Sight uses the URL in polaris.yml. This is simply because polaris.yml is
read before coverity.conf is.
CAUTION: If different projects in your IDE specify different servers, then Code Sight uses the
correct server, but the server name shown in the Code Sight interface might not be the correct
one.

If multiple versions of Coverity Analysis are installed, which version will Code Sight run?
• If polaris.yml is present and specifies a valid version of Coverity Analysis, then Code Sight uses
that version.
• Otherwise, Code Sight uses the most recent version specified in the local coverity.conf file.

What if I get a report of a central analysis issue, but Code Sight does not locate the issue in my
local source code?
Typically the central analysis server saves path names in a relative format; for example:

../project/source/testme.java

Instead of relative paths, a local instance of Coverity Analysis typically saves file names as absolute
paths. The format of an absolute path depends on the operating system. For example:

C:\Users\your-name-here\project\source\testme.java

To resolve this issue, in your current coverity.conf file, add an "ide" object, and then within it
create a "path_mapping" object to specify (1) the paths to strip off of the path names from central
analysis, and (2) the local paths to search for.
The object has this format:

"ide": {
    "path_mapping": {
        "strip_paths": [ "path1", "path2" ],
        "search_paths": [ "path3", "path4" ]
    }
}, ...

So using the previous example, testing only a single project, the "ide" object might look like the
following JSON code (note that each backslash in a Windows path must be doubled inside a JSON string):

"ide": {
    "path_mapping": {
        "strip_paths": [ "../" ],
        "search_paths": [ "C:\\Users\\your-name-here\\" ]
    }
}, ...

For additional information, see the “IDESettings” and “PathMapping” sections in the Coverity Desktop
Analysis User Guide.
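To see how the two lists cooperate, here is a small Python model of the lookup described above: the central-analysis path is shortened by a matching strip_paths prefix, and each search_paths directory is then tried until the file exists locally. It is an added illustration, not Coverity’s implementation (the exact matching rules remain those in the Desktop Analysis User Guide), and the file tree it searches is constructed in a temporary directory.

```python
import tempfile
from pathlib import Path, PurePosixPath


def resolve_central_path(central_path, path_mapping):
    """Return the first existing local Path for a central-analysis path, else None.

    path_mapping is the "path_mapping" object from coverity.conf:
    {"strip_paths": [...], "search_paths": [...]}.
    """
    # Central analysis records paths with forward slashes; normalise so the
    # strip prefixes compare consistently whatever the local OS uses.
    relative = central_path.replace("\\", "/")
    for prefix in path_mapping.get("strip_paths", []):
        prefix = prefix.replace("\\", "/")
        if relative.startswith(prefix):
            relative = relative[len(prefix):]
            break  # only the first matching prefix is removed
    # Rebuild the tail with the local separator and try each search directory.
    tail = Path(*PurePosixPath(relative).parts)
    for root in path_mapping.get("search_paths", []):
        candidate = Path(root) / tail
        if candidate.is_file():
            return candidate
    return None


def demo_resolution():
    """Constructed tree mirroring the FAQ example: ../project/source/testme.java."""
    with tempfile.TemporaryDirectory() as tmp:
        source_dir = Path(tmp) / "project" / "source"
        source_dir.mkdir(parents=True)
        (source_dir / "testme.java").write_text("class TestMe {}\n")
        # Same shape as the FAQ's "ide" object, with the local search root
        # pointing at the temporary directory instead of C:\Users\your-name-here\.
        mapping = {"strip_paths": ["../"], "search_paths": [tmp]}
        found = resolve_central_path("../project/source/testme.java", mapping)
        missing = resolve_central_path("../project/source/absent.java", mapping)
        return (found is not None and found.name == "testme.java", missing is None)


if __name__ == "__main__":
    print(demo_resolution())
```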

Code Sight Terms

Black Duck®
The family of Synopsys software composition analysis (SCA) tools.

Code Sight™
The short name of the Synopsys IDE plug-in for code analysis.

Coverity®
The family of Synopsys static analysis tools.

Coverity Analysis
The Coverity component that analyzes source code to detect quality, security, and other issues.

Coverity Connect
A server-based application that manages the database of issues reported by Coverity Analysis.
Using Coverity Connect is one option for synchronizing local data with remote data (the other option is
the Polaris server).

Detect
Short for Synopsys® Detect. The Black Duck component that runs on a client system. Detect can launch
scans, manage scan files, and communicate with a Black Duck server.

dynamic analysis
Techniques for testing program code by executing the program and analyzing outcomes.

full scan
A full scan provides summaries of findings obtained by scanning the source files within a project. Full
scans provide information about dependencies in the current source file: This information improves the
accuracy—and hence, the usefulness—of the single-file scan.

When not connected to a server, you need to run a full scan locally. Use the Status > Notifications
view to launch the scan: Code Sight prompts you when this is needed.
When connected to a server, Code Sight downloads the results when a full scan completes on that
server. Often a server will be set up to launch scans automatically, as part of a CI/CD build chain.

issue
A situation found in source code that might be problematic, and so is reported by one of the Synopsys
software integrity tools that Code Sight runs.

Polaris
The Polaris Software Integrity Platform™.
Using Polaris is one option for synchronizing local data with remote data (the other option is Coverity
Connect).

SAST
Stands for static application security testing, another term for static analysis.

SCA
Stands for software composition analysis.

software composition analysis
The analysis of a project or code base to identify and assess its component software and its setup. In
particular, software composition analysis (SCA) is used to identify open source software components,
and the security risks attendant on their use.

static analysis
Techniques for testing program code without executing the program. Also known as static application
security testing (SAST).

Synopsys Code Sight Plug-in


The full name of the Synopsys IDE plug-in for code analysis.

Release Notes

Version 2021.1
Version 2021.1 introduces support for Black Duck® software composition analysis and for Microsoft®
Visual Studio® Code. In addition, some interface improvements make it easier to manage and schedule
code scans.

Discontinued Support
• End-of-life (EOL): Support for Eclipse 4.6 has been discontinued.
• Support for Eclipse 4.7 has been deprecated, and will be discontinued in a future release of Code
Sight.
• Support for version 2018.2 of the JetBrains IDEs IntelliJ, PhpStorm, PyCharm, RubyMine, and
WebStorm has been deprecated. In a future release of Code Sight, 2019.1 will become the earliest
supported version for this family of IDEs.

Beta Support
This table shows the IDEs and products that are supported in beta.

IDE                Versions     Platforms                   Languages
Android™ Studio    3.4 – 4.1    Windows®, Linux™, macOS®    Java™

• The Android Studio environment uses the same installation steps as IntelliJ.

Enhancements
• Code Sight 2021.1 introduces support for Synopsys Black Duck software composition analysis
(SCA). This feature helps you maintain open-source software (OSS) security compliance by
identifying known vulnerabilities in free OSS (FOSS) packages at development time. Black Duck
scanning is currently supported for the Eclipse and IntelliJ IDEs. Visual Studio will remain in limited
customer availability (LCA) until further notice. Visual Studio Code does not have Black Duck
support.
• The Visual Studio Code (VS Code) environment is now supported. The supported versions are 1.48
through 1.52.
• Release 2021.1 adds support for IntelliJ, PhpStorm, PyCharm, RubyMine, and WebStorm version
2020.3.
• Release 2021.1 adds support for Android Studio 4.1 in beta.
• The Code Sight for IntelliJ plug-in no longer restricts which versions of Java may be used. If the
Coverity Analysis (SAST) tool does not support a particular version of Java, the scan will fail.

• Code Sight now lets users manually launch a single-file Coverity Analysis scan from various
locations:
  • In the Single-file scans area of the Scans panel, the user can click the Scan next icon.
  • For a SAST issue, the Issues view > Issue Details panel shows the same icon.
  • In the IDE Editor, the right-click context menu now has a Scan with Code Sight choice.
  • In the IDE Explorer, the right-click context menu has the same choice, which appears when a
  source file (but not a project or solution) is selected.
• New preferences let a user enable or disable automatic scanning at either the IDE level or the
project/solution/workspace level. (The plug-in for Eclipse provides this preference setting for the
workspace level only.)

Black Duck (SCA) Enhancements


• For a Black Duck issue, the Fix It page now shows a drop-down list so users can choose between
recommended and most recent versions of a dependency. This drop-down list is available in IntelliJ
and Eclipse only.
• Visual Studio now supports the Fix It button in the Details view of Black Duck issues. Clicking Fix It
provides guidance on manually replacing vulnerable components. It also provides auto-remediation,
if that feature is available for the package manager used by the current project.
For the 2021.1 release of Code Sight, Visual Studio supports Black Duck scanning only on a limited
customer availability (LCA) basis.
• The Details panel now displays the Fix It button even if there is no upgrade guidance for a
vulnerability. In this case, Code Sight displays the Manual tab, which provides more details on why
Black Duck did not find any upgrade guidance.
• For a Black Duck issue, the Contributing Events view now shows a dependency tree. With the help
of this tree view, users can get more details about vulnerable dependency occurrences.
• The Details view for a Black Duck issue now shows a warning if local npm dependencies are
missing. This warning is followed by a Details link, which takes you to a page called “Get Help on
the Community Portal”. The new page has links to both the Portal pages and Synopsys Support, and
includes a button to Export Logs, whose output can help Support diagnose the problem.

• For Black Duck issues in the Issue Details view, Code Sight now displays an Edit icon.
Clicking this icon opens the dependencies file (for example, pom.xml) in the IDE Code Editor,
allowing users to manually correct the issue occurrence by updating this file.

Bug Fixes
• Fixed an issue where Code Sight data would not migrate from a version of the plug-in older than the
immediately previous version. UD-5467
• After updating a vulnerable component found by a Black Duck scan, in some cases the issue was
not removed from the Issues list. This has been fixed. UD-5953
• Black Duck (SCA) issues with a location were not appearing in the Current File scope. This has
now been fixed, and such issues appear correctly when the scope of the Issues list is Current File.
UD-6161

• Fixed an issue where an error message was still displayed after successfully authenticating the user.
UD-6207

Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809
• In Visual Studio, when Code Sight is configured to use Black Duck, in certain circumstances if you
modify a project file and then reload the project, Code Sight launches scans repeatedly, instead
of once only. If this happens, quit from Visual Studio. When you restart the IDE, open the modified
project file. UD-4708

Version 2020.11
The 2020.11 release of the Synopsys® Code Sight™ plug-in is a maintenance release that updates
support for some programs, and fixes various issues.

Platform Deprecation
• Support for macOS® 10.13 has been deprecated, and in an upcoming release of Code Sight will no
longer be available.

Beta Support
This table shows the IDEs and products that are supported in beta.

IDE                               Versions      Platforms                   Languages
Android™ Studio                   3.4 – 4.0     Windows®, Linux™, macOS®    Java™
Microsoft® Visual Studio® Code    1.41 – 1.49   Windows, Linux, macOS       C/C++, C# (.NET Core), Java, JavaScript, PHP, Python, Ruby, TypeScript

• The Android Studio environment uses the same installation steps as IntelliJ.

Enhancements
• Version 2020-9 (4.17) of the Eclipse IDE is now supported.
• In Code Sight 2020.8, the behavior of the Issues list changed, such that you needed to double-click
an entry to highlight the corresponding line of code in the IDE Editor.
In Code Sight 2020.11, if the source file that contains the issue is already open, then once again a
single click on an entry in the Issues list highlights the corresponding line of code in the Editor. If the
source file is not open in the Editor, then for some IDEs you must double-click the entry to open the
file: After it opens the file, Code Sight then highlights the line of code that is in question.
• Code Sight now filters out eLearning suggestions that are not relevant to the language of the code
being scanned.
• A running full scan can now be cancelled by clicking the Cancel icon in the “Full scans” section
of the Scans panel.

For some IDEs, while the scan is running, a progress indicator and the Cancel icon also appear
in the IDE’s own status bar.
• In certain circumstances Code Sight would try to download and install a scanning tool automatically.
As of release 2020.11, the user must launch the download and setup process for a tool.
• For Black Duck Source Component Analysis (SCA) scans (a limited-availability feature), Code
Sight has improved performance by caching security vulnerabilities, potential policy violations, and
upgrade guidance fetched from the server. By default, the cached data persists for 24 hours.
• Code Sight SCA support has been updated to display how many occurrences of vulnerable
components, whether direct or transitive, are present in projects managed by GitHub npm™.
For transitive npm components, Code Sight displays which direct dependency has resulted in the
inclusion of the vulnerable component.
• For Black Duck SCA, if no scan is running, a Rerun button now appears in the “Full scans” section of
the Status view > Scans panel. Clicking Rerun launches a full scan of the target code project.

Bug Fixes
• In some cases, while Code Sight was installed, opening a solution file directly from Windows
Explorer would cause Visual Studio 2015 to freeze on startup. This has now been fixed. UD-4296
• Sometimes launching Visual Studio 2017 by double-clicking a .sln file would cause Code Sight to
hang when the IDE launched the extension. This has now been fixed. UD-5104
• In Visual Studio 2017, after opening a solution by double-clicking a .sln file, sometimes the “No
Solutions have been opened” warning would continue to be displayed. This has now been fixed.
UD-5117
• When Code Sight was configured to run both Coverity Analysis and Black Duck, at times the Domain
column in the Issues list would display the domain as “Unknown”. This has been fixed. A domain is
now shown as either SAST or SCA, as appropriate. UD-5867.
• Performance in Visual Studio has been improved, especially when switching branches or when
loading a new project. One consequence of this fix is that for a project or solution, Black Duck scans
for reference inclusion/exclusion no longer run automatically. UD-6135

Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809
• In Visual Studio, when Code Sight is configured to use Black Duck, in certain circumstances if you
modify a project file and then reload the project, Code Sight launches scans repeatedly, instead
of once only. If this happens, quit from Visual Studio. When you restart the IDE, open the modified
project file. UD-4708

Version 2020.8.1
The 2020.8.1 release of the Synopsys® Code Sight™ plug-in is a hotfix that resolves a few high-priority
bugs.

Bug Fixes
• Fixed an issue where for a moment Coverity single-file scan results would be displayed to the user
when the Coverity Analysis tool was not installed. UD-5196
• Fixed an issue that caused Visual Studio to freeze when Code Sight was installed. UD-5685
• Fixed an issue where the Code Sight plug-in could not retrieve issue details from the Polaris server.
UD-5907

Version 2020.8
The 2020.8 release of the Synopsys® Code Sight™ plug-in includes a number of enhancements to
improve ease of use and the accuracy of information displayed. It adds support for some IDE versions,
and fixes a number of bugs as well.

Discontinued Support
• For JetBrains IDEs, version 2018.1 is no longer supported. 2018.2 is the earliest version now
supported.

Beta Support
This table shows the IDEs and products that are supported in beta.

IDE                               Versions      Platforms                   Languages
Android™ Studio                   3.4 – 4.0     Windows®, Linux™, macOS®    Java™
Microsoft® Visual Studio® Code    1.41 – 1.47   Windows, Linux, macOS       C/C++, C# (.NET Core), Java, JavaScript, PHP, Python, Ruby, TypeScript

• The Android Studio environment uses the same installation steps as IntelliJ.

Behavior Change
• In the Issues list, clicking the entry for an issue still updates the Details display, but to display the
issue in the environment Editor, you now need to double-click the issue.
If the source file with the issue was not already open in the editor, double-clicking the issue entry
opens that source file to the line where the issue was detected.

Enhancements
• Version 2020.2 of the various JetBrains IDEs is now supported.
• Android Studio version 4.0 is now supported in beta.
• Microsoft Visual Studio Code versions 1.46 and 1.47 are now supported in beta.

• The Full Scans area of the Scans panel now shows the state of the most recent full scan attempt,
and the time of the last successful full scan.
Code Sight displays this scan information for each installed analysis tool.
While a full scan is running, the “in progress” icon for the scan is now animated.
• In Notifications, the Update Scanning Tool page now displays as a “Warning” instead of as “Info”.
• The Issue Details display for Black Duck issues now sorts vulnerabilities by severity.
• In the Issues list, you can now search for the tool that reported the issue. At present, these are
the acronyms SAST (Static Application Security Testing) for Coverity Analysis, and SCA (Software
Composition Analysis) for Black Duck.
The list of issues now includes a new column, Domain, that indicates which tool located this
particular issue. This column, like the others, is sortable.
• If a Black Duck scan fails, the Full Scans area of the Scans panel now shows the message “Error:
<error link>”. Clicking <error link> displays the Error Details page, which displays information that
can help you, or Synopsys Support, understand the error and find ways to correct it.
• This release supports SCA Auto-Remediation: This is the ability of Black Duck to automatically
upgrade a vulnerable component version to a secure version. Upgrades are suggested by the Black
Duck Upgrade guidance service.
For Code Sight 2020.8.0, NPM is the only supported package manager. For Auto-Remediation to run
successfully, npm must be present in the system PATH variable, and npm install must have been
run at the command line before launching the IDE.
Auto-Remediation is only available for direct dependencies. For transitive dependencies, you must
upgrade manually. When this is the case, Code Sight messages display advice on how you can do
so.

Bug Fixes
• When Black Duck server authentication failed, Code Sight was displaying a message specific to
Coverity Analysis. This has been fixed. UD-4476
• If the Black Duck server is unreachable, or if responses are timing out during a Black Duck (SCA)
scan, then Code Sight reports that the scan has failed, and displays an appropriate error message.
UD-4900
• If the Black Duck server’s SSL certificate verification fails during a Black Duck (SCA) scan, then
Code Sight now displays an appropriate error message. UD-4902
• Fixed an issue where the recommended version for remediating SCA issues was being displayed as
a hash string. UD-5188
• Fixed a bug where Code Sight had issues connecting to Coverity Connect server over a TLS
connection. UD-5375
• Code sight for Visual Studio Code was initiating Black Duck scans, which it does not support. This
has been fixed. UD-5459

Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809

• In some cases, while Code Sight is installed, opening a solution file directly from Windows Explorer
can cause Visual Studio 2015 to freeze on startup. To avoid this happening, first open Visual Studio,
and then open the desired solution from within Visual Studio 2015. UD-4296
• In Visual Studio, when Code Sight is configured to use Black Duck, in certain circumstances if you
modify a project file and then reload the project, Code Sight launches scans repeatedly, instead
of once only. If this happens, quit from Visual Studio. When you restart the IDE, open the modified
project file. UD-4708
• When Visual Studio 2017 is installed, sometimes trying to launch it by double-clicking a .sln file
causes Code Sight to hang when the extension starts up. To work around this issue, open Visual
Studio first, and then use it to open the solution file. UD-5104

Version 2020.6
In the 2020.6 release of the Synopsys® Code Sight™ plug-in, new IDE versions are supported and
various bugs have been fixed.

Enhancements
• For the JetBrains IDEs (IntelliJ, PhpStorm, PyCharm, RubyMine, and WebStorm), version 2020.1 is
now supported.
• For Microsoft VS Code, versions 1.44 and 1.45 are now supported. (The VS Code version of Code
Sight is a beta release.)
• For Eclipse, version 2020-03 (4.15) is now supported.
• The JetBrains environments RubyMine, PhpStorm, and WebStorm can now use Code Sight to run
Black Duck scans.
• When you start Code Sight for the first time, it now displays a Code Sight Configuration page that
lets you choose which tool you want to install first.
• With appropriate permission and enablement, as of 2020.6 you can run Black Duck scans without
having to first install Coverity Analysis. When Black Duck is the only tool in use, the Scans panel
does not display single-file scan errors.
• The Code Sight Preferences panel now shows whether “credentials” (user authentication and the
server name) are valid. If there is a current problem with the connection to the server, it displays an
error message.
• To improve performance time, Black Duck scans no longer report Policy Violations. If you
want to see Policy Violation reports, you can enable them by setting the environment variable
SYNOPSYS_DESKTOP_BD_ENABLE_POLICY_VIOLATIONS to equal 1. To disable Policy Violation
reports once more, set the value of the variable to empty or remove the variable from your
environment altogether.

Discontinued Support
Code Sight no longer works with Black Duck instances whose version is earlier than 2020.2.
• As of Code Sight 2020.6, only Black Duck instances of version 2020.02, or a later version, are
supported. These instances use version 2 of the Black Duck API.

Bug Fixes
• In Visual Studio Code, fixed the navigation when multiple events are found on the same line of code.
Now the currently selected event appears at the top of the pop-up list. UD-4035
• Fixed an issue in Eclipse, where after an upgrade from a previous version of Code Sight, the plug-in
would sometimes fail to report issues or notifications displayed by the previous version. UD-4636
• Enabled a workaround for an issue where Code Sight for Visual Studio changes
the build output verbosity. To avoid this behavior, set the environment variable
SYNOPSYS_DESKTOP_DISABLE_COMPILED_EMIT to equal 1. UD-4683
• Fixed an issue with Black Duck scans where Policy Violations were not displayed. This occurred
when Policy Violations had Vulnerability Conditions set to "Exploit Available = Yes".
UD-4909
Note: To improve performance time, as of Code Sight 2020.6, Black Duck scans do not
report Policy Violations unless you have enabled them by setting the environment variable
SYNOPSYS_DESKTOP_BD_ENABLE_POLICY_VIOLATIONS to equal 1.
• Fixed a Black Duck scanning issue where components that reported Policy Violations but no Security
Vulnerabilities would not display their results. UD-4985

Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809
• In some cases, while Code Sight is installed, opening a solution file directly from Windows Explorer
can cause Visual Studio 2015 to freeze on startup. To avoid this happening, first open Visual Studio,
and then open the desired solution from within Visual Studio 2015. UD-4296
• In Visual Studio, when Code Sight is configured to use Black Duck, in certain circumstances if you
modify a project file and then reload the project, Code Sight launches scans repeatedly, instead
of once only. If this happens, quit from Visual Studio. When you restart the IDE, open the modified
project file. UD-4708
• When Visual Studio 2017 is installed, sometimes trying to launch it by double-clicking a .sln file
causes Code Sight to hang when the extension starts up. To work around this issue, open Visual
Studio first, and then use it to open the solution file. UD-5104

Version 2020.4
Improvements in the 2020.4 release of the Synopsys® Code Sight™ plug-in include adding a new IDE
version, deprecating an older IDE version, and fixing numerous bugs.

New Features
• Code Sight can now use Polaris version 2020.03 or 2020.04.
It no longer uses previous versions of Polaris.
• New versions of the following IDEs are now supported:
• Android Studio 3.6
• Eclipse 2019-12 (4.14)

• Under Limited Availability, Code Sight now supports Black Duck in Visual Studio. This helps you
choose OSS libraries that are non-vulnerable, and ensures open source security compliance. To get
access, please contact software-integrity-support@synopsys.com.

Deprecated Support
Support for the following platform has been deprecated, and will be dropped in a future Code Sight
release:
• Eclipse 4.6

Enhancements
• For those IDEs that support Black Duck, the Status log now shows the status of the most recent
Black Duck scan. UD-4117
• In the previous release, a Black Duck scan was initiated whenever a source file was opened or
closed. As of Code Sight 2020.4, after the initial scan a new Black Duck (SCA) scan only occurs
when a Black Duck configuration file is opened or modified.
Files whose change can trigger a new scan are listed in the Synopsys Detect document > Detectors
page. UD-4221
• Expanded support for the Export Logs feature.
When a single-file scan fails, the Failure Reason column of the Scans panel (“Scan log”) now has a
clickable link that says Unexpected error. Clicking that link opens an Unexpected Error page that
provides a number of support options, including an Export Logs button that exports a zipped copy of
the current logs.
The button on the Unexpected Error page works the same as the Export Logs button on the
Preferences > Synopsys Code Sight Preferences page (the button on the Code Sight
Preferences page is still available, too).
UD-4282

Scans panel > Log of single-file scans > ‘Unexpected error’ link in ‘Failure Reason’ column

Status view: ‘Unexpected error’ panel that appears after clicking the ‘Unexpected error’ link

• In Visual Studio Code a new Code Sight option, Don’t Show Again, lets you suppress repeated
appearances of the warning that Code Sight shows when you attempt to open a file and the current
workspace is empty, when there is no current workspace, and other related conditions.
Also, a new option on the Settings page lets you toggle display of the empty-workspace warnings.
If these warnings have been disabled, turning on the Warnings: Show All option re-enables
them.
UD-4391

Code Sight in VS Code: New ‘Don’t Show Again’ button suppresses repeated display of the
empty-workspace warning.

Code Sight in VS Code: New ‘Warnings: Show All’ option on the Settings page re-enables empty-
workspace warnings.

• In Visual Studio Code, the STATUS area of the left-hand side bar now shows icons as convenient
shortcuts to view and manage the Scan Status panel, the Export Logs page, and the Authentication
pages (Edit Server icon). UD-4456

View Scans: This icon appears to the right of the Running scans or No running scans entry in
the Scanning section of the STATUS area. Click it to open the Code Sight Scan Status panel, which
appears at the right of the VS Code window.

Export Logs: This icon appears to the right of the [version-number] entry in the Code Sight
Extension section of the STATUS area. Click it to display an Export Logs page with an Export Logs
button you can click to save a zipped file of the current scan logs.

Edit Server: This icon appears to the right of the Server entry in the Tools section of the STATUS area.
Click it to display the Authentication pages, where you can change the server being used, the current
Code Sight user, or both.

• Various enhancements to Black Duck support:
• Added links to BDSA/CVE records for component details.
• The Status view > Scans panel now shows the status of Black Duck scans.
• In the Issues view, sorting and filtering Black Duck components has been improved.
• The overall component impact is now based on the highest-level severity of the component
security vulnerabilities or policy violations.
UD-4494
• A new impact type, Critical, has been added to the interface. This level of impact is used for security
vulnerabilities and policy violations detected by Black Duck. The icon appears in the Impact column
of the Issues list, and in the Details panel for such issues. UD-4604

Issues List and Detail panel: Icon for Critical issues

Bug Fixes
• When authenticating Black Duck, a client’s credentials could be incorrectly lost. This has been fixed.
UD-4340

• In previous releases, if Code Sight could not use the URL you provided when authenticating, it
displayed a message whose text read, “This product needs a valid server URL to continue. Please
confirm your server URL with your administrator.”
However, this message was not accurate in cases where the URL was valid but the server could not
validate the certificate that accompanied the address. As of version 2020.4, when Code Sight cannot
validate a certificate the message now reads as follows: “Unable to validate the certificate from the
given URL. Please confirm the URL with your administrator. Connecting to a server without a valid
certificate can put the integrity and confidentiality of your data at risk.”
Remember: You can configure Code Sight to accept self-signed certificates. To do so, add the line
"on_new_cert": "trust" to your coverity.conf file. (You must restart the IDE you use for
this change to take effect.) UD-4447

• Fixed a bug where the Issues list was displaying duplicate entries for the same issue. UD-4513

Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809
• In some cases, while Code Sight is installed, opening a solution file directly from Windows Explorer
can cause Visual Studio 2015 to freeze on startup. To avoid this happening, first open Visual Studio,
and then open the desired solution from within Visual Studio 2015. UD-4296
• In Eclipse, after you upgrade from a previous version of Code Sight, the plug-in might fail to report
issues or notifications displayed by the previous version. If this happens, quit from Eclipse. Wait for
about 30 seconds, and then launch Eclipse once again. The older messages should now appear.
UD-4346
• In Visual Studio, when Code Sight is configured to use Black Duck, in certain circumstances if you
modify a project file and then reload the project, Code Sight launches scans repeatedly, instead
of once only. If this happens, quit from Visual Studio. When you restart the IDE, open the modified
project file. UD-4708

Version 2020.2
The 2020.2 release of the Synopsys® Code Sight™ plug-in expands the range of supported IDEs and
fixes some bugs.

New Features
• New versions of the following IDEs are now supported:
• Eclipse 2019-12 (4.14)
• In Visual Studio, while a single-file scan is running, the Scans panel now displays an icon with an X
on it to the left of the file name. Clicking this icon cancels the scan job.

Icon to cancel a single-file scan

• To help troubleshoot a problem, Synopsys Support sometimes needs to look at log files. You can
now obtain the current log files by going to Preferences > Synopsys Code Sight Preferences >
Troubleshooting > Log Files, and then clicking Export Logs. Code Sight zips the current logs and
saves them to a location it displays in the Preferences page. You can attach this file to a Support
request.
• Code Sight for Visual Studio® Code is now supported (in beta).
• Under Limited Availability, Code Sight now provides support for Black Duck in IntelliJ and Eclipse.
The Black Duck software helps you choose open source libraries that are non-vulnerable, in order to
ensure open source security compliance. To obtain access to this feature, please contact
software-integrity-support@synopsys.com.

Bug Fixes
• Fixed an issue where the "Full Scan" notification was not removed after the summary was
downloaded. UD-4027
• Improved the error reporting for scan failures: If a build capture fails, the report now includes the
build-failure messages. UD-4043
• When many scans were queued, Code Sight would sometimes consume large amounts of RAM.
This is now fixed. UD-4096
• On Windows 10, if the language was set to a language other than English, Code Sight would fail to
run in Visual Studio 2015. This has now been fixed. UD-4106
• In Eclipse, after upgrading the plug-in version, the IDE would appear not to completely refresh the
plug-in panes. This has now been fixed. UD-4166
• In Code Sight for Visual Studio, the extension’s Welcome page was linking incorrectly to out-of-date
documentation. It now links correctly to the up-to-date documentation posted on the “Community
Synopsys” portal. UD-4300
• On Windows, Code Sight would fail to locate a coverity.conf file if that file was saved to the
parent directory of a project or to a solution directory. This has now been fixed. UD-4330

Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809
• In some cases, while Code Sight is installed, opening a solution file directly from Windows Explorer
can cause Visual Studio 2015 to freeze on startup. To avoid this happening, first open Visual Studio,
and then open the desired solution from within Visual Studio 2015. UD-4296
• In Eclipse, after you upgrade from a previous version of Code Sight, the plug-in might fail to report
issues or notifications displayed by the previous version. If this happens, quit from Eclipse. Wait for
about 30 seconds, and then launch Eclipse once again. The older messages should now appear.
UD-4346

Version 2020.1
The 2020.1 release of the Synopsys® Code Sight™ plug-in expands the range of supported IDEs and
fixes some bugs.

New Features
• New versions of the following IDEs are now supported:
• IntelliJ IDEA 2019.3
• PhpStorm 2019.3
• PyCharm 2019.3
• RubyMine 2019.3
• WebStorm 2019.3
• The End User Software License and Maintenance Agreement for Code Sight has been updated to
Version 2019.03.

• The top toolbar of the Code Sight window now has an icon that opens a Synopsys Community page
with links to the Code Sight help.

Discontinued Support
The following platforms are no longer supported:
• macOS 10.12
• Windows 7

Bug Fixes
• Fixed an issue in Code Sight for Visual Studio where the Code Sight window would interrupt IDE use
and steal focus during Coverity tool downloads. UD-3829
• Fixed an issue in Code Sight for Visual Studio where queued scans were incorrectly reporting a Last
Scanned time of Now. UD-3830

Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809

Version 2019.11
The 2019.11 release of the Synopsys® Code Sight™ plug-in introduces new features and fixes various
bugs.

New Features
• Eclipse™ version 2019-09 (4.13) is now supported.
• Android™ Studio version 3.5 is now supported (support for both version 3.4 and 3.5 of Android Studio
is in beta for this release).
• Icons in a new Status column in the Scans panel show whether the scan of an individual file is
pending or in progress.
• The Location column in the Scans panel now shows the end, rather than the beginning, of a file’s
path name.
• For Polaris users, depending on your configuration Code Sight now attempts to use the tools
specified either in your local polaris.yml file, or on your Polaris server. In other words, you can
now explicitly specify the tool version you want Code Sight to run, and are no longer restricted to
using the most recent release of a tool.
• During build capture, Code Sight uses the build command specified in the "cov_run_desktop"
record of the coverity.conf file, provided that "build_cmd" is specified and
"build_strategy" is set to "CUSTOM" in the "ide" record.
If "clean_cmd" is also specified, "build_strategy": "CUSTOM" enables that command as well.
The following code example shows these settings:

    ...
    "cov_run_desktop": {
        "build_cmd": ["make", "-j", "$(num_cores)"], // build command
        "clean_cmd": ["make", "clean"]               // clean command
    },
    "ide": {
        "build_strategy": "CUSTOM"
        ...
    }

Bug Fixes
• Code Sight now respects the Eclipse JavaScript® exclude path when performing a full scan locally.
UD-1216
• This release fixes an issue with “The elevated helper does not have full admin rights” that occurred
on Windows® during the installation of Coverity® Analysis when it was downloaded from Polaris. This
bug is resolved as long as updated Coverity Analysis Tools are configured to be downloaded from
Polaris version 2019.11. UD-3351
• Fixed an issue where Code Sight was incorrectly reporting that a full scan had been started
(“Synopsys: Improving accuracy ...” in the progress notification bar) whenever any new scan was
started, including an individual file scan. UD-3371
• This release fixes an issue where Code Sight for Visual Studio® caused delays in the IDE when
opening large solutions containing many projects. UD-3477
• This release fixes an issue where Code Sight for IntelliJ® caused high resource usage when working
with large projects. UD-3494
• This release fixes an issue where Visual Studio 2019 was incorrectly displaying the “Tool
Compatibility Warning” for analysis tools when running Code Sight with newer Coverity Analysis
Tools. UD-3673
• This release fixes an issue in Code Sight for Visual Studio where an error message for the issue
location was incorrectly displayed for a file that was found locally. UD-3696
• This release fixes an issue with Code Sight for Visual Studio where the Code Sight tool window
continued to report “No solutions have been opened” after opening a solution. UD-3779
• Fixed an issue where Code Sight crashed and failed to scan when a polaris.yml file specified an
invalid tool version. UD-3823

Known Issues
• Code Sight does not run clean/rebuild the first time it scans a custom-built command project that has
already been built. UD-3809

Version 2019.9
The 2019.9 release of the Synopsys® Code Sight™ plug-in introduces new features and fixes various
bugs.

New Features
• Android™ Studio 3.4 is now a supported IDE (in beta for this release).
• The Eclipse®, IntelliJ®, and Visual Studio® environments can now analyze TypeScript source.

• The Visual Studio environment can now analyze VB.NET source.
• A new Filter feature filters out issues that were found by a full scan, but not found by a single-file
scan. (You can view these hidden issues if you want to.)
• When you dismiss an issue or un-dismiss it, a dialog now requires you to enter a reason for why you
are doing so.

Bug Fixes
• When you edit the coverity.conf file, now Code Sight automatically regenerates its compiler
configuration data. You do not have to restart the plug-in for the changes to take effect. UD-2953
• When running with Polaris, Code Sight would sometimes continue to show issues that had been
closed. This has been fixed. UD-3595
• In IntelliJ 2019.2.1+, when running the 2019.7.2 version of the Code Sight plug-in, opening the
Preferences dialog and choosing the Synopsys Code Sight page would cause an exception. This
has now been fixed. UD-3632
• When running with Polaris, Code Sight now accurately verifies the version of analysis tools and
summary downloads. UD-3627

Known Issues
• In some cases, if you update your authentication key in Coverity Connect, Code Sight will be locked
out of Coverity Connect. To avoid this, update your authentication in Code Sight immediately after
you update it in Coverity Connect. UD-2715
• When you use the Eclipse™ environment to analyze a JavaScript project, only directories that are
specified as “include directories” are included in the filesystem capture. UD-1216
• When using the default C/C++ editor in Eclipse, changing the window focus while a scan is running
can cause markers to disappear. Workaround: Closing the source file and then reopening it will
usually make the markers reappear. UD-2949
• In some cases, a scan can fail due to the following unexpected error: “Failed to acquire lock”/“unable
to open summaries key-value store”. To work around this issue, you will need to manually delete
Coverity data by removing the idirs/<project-identifier> directory indicated in the error
message. After you have done so, restart the IDE. UD-3181
• In Visual Studio, running Code Sight can cause delays in the IDE if you have opened a large solution
that contains many projects. UD-3477
• In IntelliJ, Code Sight can cause high resource usage when you have opened a large project.
UD-3494
• To provide scan results, Code Sight needs to collect all of the necessary header (#include)
files. In Eclipse, this ability is disabled unless you add a "record-with-source" entry to the
coverity.conf file, and set this new entry to true. UD-3583

Version 2019.7
The 2019.7 release of the Synopsys® Code Sight™ plug-in introduces new features and fixes various
bugs.

New Features
• The JetBrains® PhpStorm™ IDE is now supported.
• Microsoft® Visual Studio® version 2019 is now supported.
• Code Sight now displays all issues: both those produced by the local scan, and those obtained from
your configured server stream or project.
• Code Sight no longer launches local full scans automatically. If a full scan has never been run, if one
has not been run for a while, and under some other conditions, Code Sight will prompt you to run
one. This prompt is displayed on the Run Full Scan page of the Notifications view.
• In Visual Studio, running a scan in the background no longer prevents you from starting IDE builds or
debugging your application.
• The Dismissed state is now pushed to the server as soon as you click Dismiss. (In previous
releases, it was not pushed until the end of the timeout interval.) Issue states received from the
server are still synchronized locally at the end of each interval.
• Code Sight now supports FlexNet® licensing for Coverity® Connect. The license file is saved locally
as license.config in the <install location>/cov-tools/bin/ directory.

Bug Fixes
• Fixed an issue where Code Sight for Visual Studio would not run C/C++ scans in Visual Studio
releases earlier than version 16.1. Corrected the problem by using the active build configuration in
Visual Studio for Coverity build capture. UD-3003
• Fixed an issue where Code Sight for Visual Studio would interfere with debugging C# Web
applications. UD-2979

Known Issues
• When using the default C/C++ editor in Eclipse, changing the window focus while a scan is running
can cause markers to disappear. Workaround: Closing the source file and then reopening it will
usually make the markers reappear. UD-2949

Version 2019.6
The 2019.6 release of the Synopsys® Code Sight™ plug-in introduces new features and fixes various
bugs.

New Features
• The plug-in now supports C/C++ analysis in Eclipse®.
• New IDEs are now supported:
• PyCharm®

• WebStorm™
• Visual Studio® and Eclipse can now test for compliance with MISRA coding standards.
To enable MISRA testing, add the following entry to the "settings" section of your
coverity.conf file:

    "cov_run_desktop": {
        "coding_standard_configs": [
            "$(code_base_dir)/MISRA_c2012_7.config"
        ]
    }

• Code Sight can now authenticate with a Polaris server configured for single sign-on (SAML/SSO). It
authenticates using an access token obtained from the Polaris server.
• The Code Sight plug-in for Eclipse now supports multiple unique projects in a single workspace.

Bug Fixes
• Self-signed certificates are now accepted for authentication when your coverity.conf file has the
following line in its "server" section:
"on_new_cert": "trust"
This enables any new certificate to be trusted automatically.
UD-2623
• Code Sight now correctly supports downloading zip and tar.gz files as installers from the Coverity
Server. UD-2413
• If a local license is expired or invalid, Code Sight now attempts to retrieve a new license from the
server. UD-1749
• If more than 100 projects were open on Polaris, this caused problems when synchronizing Code
Sight triage data. This is now fixed. UD-2944
• In Visual Studio, the Code Sight window was not always visible by default for first-time users. This is
now fixed. UD-2633
• This release fixes an issue where triage data was not synchronized with the server after restarting
the IDE. UD-2655
• Code Sight for Visual Studio would fail to start when a Windows user name contained spaces. This is
now fixed. UD-2891
• In Code Sight for Visual Studio, projects organized using Solution Folders would sometimes fail to
capture C/C++ or C# source files. This is now fixed. UD-2799
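The coverity.conf settings described in these notes (the "build_cmd" and "clean_cmd" entries that take effect under "build_strategy": "CUSTOM" in the 2019.11 notes, the MISRA "coding_standard_configs" entry in the 2019.6 New Features above, and the "on_new_cert": "trust" line accepted as of 2019.6 and discussed again in the 2020.4 notes) can be checked before Code Sight reads them. The following Python script is an added example and is not part of the Code Sight product or its documentation. It assumes the standard coverity.conf layout, in which "server", "cov_run_desktop" and "ide" are records under a top-level "settings" object, that "//" line comments are permitted as in the 2019.11 example, and that "host", "port" and "ssl" are keys of the "server" record; the sample configuration is constructed for this example, and the function names are its own.

```python
"""Check the coverity.conf settings that Code Sight acts on.

Added example, not part of Code Sight or its documentation. Assumes the
standard coverity.conf layout ("server", "cov_run_desktop" and "ide" records
under a top-level "settings" object) and that "//" line comments are allowed.
All function names are this example's own.
"""
import json

# Constructed sample configuration (placeholder host; not from the docs).
SAMPLE_CONF = """{
  "type": "Coverity configuration",
  "format_version": 1,
  "settings": {
    "server": {
      "host": "coverity.example.invalid",   // placeholder, assumed key
      "port": 8443,                         // assumed key
      "ssl": true,                          // assumed key
      "on_new_cert": "trust"                // accept new (self-signed) certs
    },
    "cov_run_desktop": {
      "build_cmd": ["make", "-j", "$(num_cores)"], // build command
      "clean_cmd": ["make", "clean"],              // clean command
      "coding_standard_configs": [
        "$(code_base_dir)/MISRA_c2012_7.config"
      ]
    },
    "ide": {
      "build_strategy": "CUSTOM"
    }
  }
}"""


def strip_line_comments(text: str) -> str:
    """Drop // comments, but only outside JSON string literals (URLs keep their //)."""
    cleaned = []
    for line in text.splitlines():
        in_string = False
        escaped = False
        cut = len(line)
        for i, ch in enumerate(line):
            if in_string:
                if escaped:
                    escaped = False
                elif ch == "\\":
                    escaped = True
                elif ch == '"':
                    in_string = False
            elif ch == '"':
                in_string = True
            elif line.startswith("//", i):
                cut = i
                break
        cleaned.append(line[:cut].rstrip())
    return "\n".join(cleaned)


def load_coverity_conf(text: str) -> dict:
    """Parse coverity.conf text (JSON plus // comments) into a dict."""
    return json.loads(strip_line_comments(text))


def check_coverity_conf(conf: dict) -> dict:
    """Report which build, coding-standard and certificate settings take effect."""
    settings = conf.get("settings", {})
    server = settings.get("server", {})
    desktop = settings.get("cov_run_desktop", {})
    ide = settings.get("ide", {})
    findings = []

    # build_cmd is only honoured under "build_strategy": "CUSTOM";
    # clean_cmd is only honoured when the custom build command is in effect.
    custom = ide.get("build_strategy") == "CUSTOM"
    build_cmd = desktop.get("build_cmd")
    clean_cmd = desktop.get("clean_cmd")
    uses_custom_build = custom and bool(build_cmd)
    if custom and not build_cmd:
        findings.append("build_strategy is CUSTOM but cov_run_desktop.build_cmd is missing")
    if build_cmd and not custom:
        findings.append("build_cmd is set but build_strategy is not CUSTOM, so it is ignored")

    # Coding-standard configs (for example MISRA) listed under cov_run_desktop.
    standards = desktop.get("coding_standard_configs", [])
    misra = [path for path in standards if "misra" in path.lower()]

    # "on_new_cert": "trust" makes Code Sight accept new certificates unvalidated.
    trusts_new_certs = server.get("on_new_cert") == "trust"
    if trusts_new_certs:
        findings.append('server.on_new_cert is "trust": unvalidated certificates are accepted')

    return {
        "uses_custom_build": uses_custom_build,
        "build_cmd": build_cmd if uses_custom_build else None,
        "clean_cmd": clean_cmd if uses_custom_build else None,
        "misra_configs": misra,
        "trusts_new_certs": trusts_new_certs,
        "findings": findings,
    }


if __name__ == "__main__":
    report = check_coverity_conf(load_coverity_conf(SAMPLE_CONF))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The script applies the precedence the notes describe: build_cmd counts only when build_strategy is CUSTOM, and clean_cmd only when that build command is in effect. It also reports "on_new_cert": "trust" as a finding, because the 2020.4 notes point out that connecting without a validated certificate exposes the data exchanged with the server; that override belongs on development servers only, and it can be removed once the server's certificate is trusted by the host.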

Known Issues
• If you change compiler configurations in the coverity.conf file, Code Sight does not automatically
detect these changes.
To work around the problem, delete the data/ directory: This is located at
~/.synopsys/desktop/controller/data on macOS® or Linux™, or at
%APPDATA%\Roaming\Synopsys\desktop\controller\data on Windows®.
When it launches a new scan, Code Sight will read the updated coverity.conf. UD-2953
• When working with C/C++ source in Visual Studio, if the default active build configuration fails to
build, then Code Sight / Coverity Analysis testing might not work.

Version 2019.4
The 2019.4 release of the Synopsys® Code Sight™ plug-in introduces new features and fixes a number
of bugs, particularly bugs related to usability and error handling.

New Features
• The plug-in now supports C/C++ analysis in Visual Studio®.
• New IDEs are now supported:
• IntelliJ® 2019.1
• RubyMine™ 2018.1 to 2019.1
• Eclipse 2019-03 (4.11)

Bug Fixes
• Fixed an issue where no error was reported if no analysis tools were found on the Polaris server.
UD-2438
• Fixed an issue where the Visual Studio 2015 IDE suddenly became unresponsive and crashed
intermittently with the unhandled exception System.NullReferenceException. UD-2588
• Updated the plug-in to support analysis of C/C++ projects in Visual Studio. UD-2486
• Reduced the scope of what incremental builds capture, in order to improve performance of fast-
desktop Coverity scans. UD-1003
• Fixed an issue where the Code Sight configuration in the Visual Studio option dialog had invisible
labels while using the dark display theme. UD-2492
• Fixed an issue that caused Visual Studio to change the editor focus after a scan completed.
UD-2451
• In Visual Studio, added search capabilities for the scan log listing. UD-2186
• Improved the layout of messages. While viewing the Welcome page, the Close button is now always
visible, even when scrolling through the message. UD-2304
• Fixed an issue that would occasionally cause the plug-in to scan files again after a summary
download or generation. UD-2320
• Added additional feedback to the active scan messaging, which now exposes more of what the scan
is doing. UD-2514
• Fixed an issue where a local analysis scan would not be performed if the summaries on Polaris were
incompatible. UD-2300
• The plug-in now only listens for files that belong to the active project. This means that results for
unrelated files are no longer incorrectly displayed. UD-1834
• For Visual Studio, improved the startup performance of Code Sight. VS 2015 and 2017 no longer
recommend disabling the plug-in (the “extension”). UD-1338
• The following views and sections have been renamed:
• The Overview tab is now called Status.
• The Plug-in panel is now called Notifications.

• The Scan Log panel is now called Scans.
UD-2487
• The plug-in now supports a Cancelled scan result. This is displayed in the Scan Result column of
the Scans panel when the user cancels an in-progress file scan. UD-1479
• Server URLs specified in swip.yml will now be considered when populating the authentication
dialogs and attempting to connect automatically using existing credentials. UD-2385

Known Issues
• Currently Code Sight cannot connect to Coverity Connect instances using self-signed certificates.
For Windows®, this can be worked around by adding the certificate through the Windows certificate
manager. UD-2623
• If you authenticate by using the Code Sight authentication dialog, Code Sight will not read or
recognize subsequent changes to coverity.conf or swip.yml. UD-2627
• In Visual Studio, contributing events across multiple source files are not displayed when you
navigate to “other” source files: that is, to files that do not contain the main issue event. UD-2691

Version 2019.3: Synopsys Code Sight Plug-in Features

The Synopsys® Code Sight™ plug-in helps you quickly find quality and security issues in your source
code. It helps you fix these issues, and helps increase your confidence that you are checking in clean
code.

• Code Sight is a native plug-in that runs within the Eclipse™, IntelliJ® IDEA, and Microsoft® Visual
Studio® integrated development environments (IDEs).
• Code Sight runs the Coverity® high-fidelity Fast Desktop Analysis while you work.
• Code Sight scans your source code when you open a file, and when you save a file that has been
changed. (There is no need to invoke Code Sight explicitly.)
• Code Sight is easy to install.
• If you already run Coverity Analysis on your system, Code Sight uses the installation you have
been using.
• If Coverity Analysis is not installed locally, Code Sight can automatically download it and install it.
• Code Sight can be configured to share issue triage data between your local system and Coverity
Connect, or via the Polaris Software Integrity Platform™ central server.
• If a server with central analysis results is available, this can improve Code Sight performance on
your local system: The plug-in downloads analysis summaries from the server, instead of having to
generate this data locally.
• Code Sight issue descriptions contain direct links to relevant Synopsys Security eLearning pages
(access to Security eLearning requires a separate license).
