Coverity on Polaris 2022.3.0 Release Notes

Note: This platform has been renamed Coverity on Polaris. Unless otherwise specified, references to Polaris or the Polaris Software Integrity Platform in this documentation refer to Coverity on Polaris.

Here's what's new in Polaris 2022.3.0.

Polaris Platform

  • Before this release, a hotfix for the Spring Framework RCE zero-day (Spring4Shell, CVE-2022-22965) was applied to Polaris 2021.12.1 (see Polaris Update Regarding CVE-2022-22965 (Spring Framework RCE); sign-in required).

    The following actions are recommended:
    • Upgrade to Coverity 2022.3.1, Polaris 2022.3.0 and Polaris CLI 2022.3.0+.
    • For Spring Framework 5.3.x users, upgrade to 5.3.18+.
    • For Spring Framework 5.2.x users, upgrade to 5.2.20+.
  • Support for Coverity 2021.06-1 is deprecated. It will be discontinued in a future release.
  • Coverity 2021.04 is no longer supported.
  • Polaris now supports Coverity 2022.3.1 (recommended after upgrading to Polaris Platform / CLI 2022.3.0+). See Coverity 2022.3.1: Supported Platforms, Languages, and Compilers. It includes the following changes:
    • Support for macOS 10.14 has been removed.
    • Support for Windows Server 2016 has been removed.
    • Support for Kotlin 1.4 has been removed.
    • Support for LLVM Clang 3.8-3.9 has been removed.
    • Support for Sun/Oracle JDK 16 has been removed.
    • Support for Open JDK 16 has been removed.
    • Support for LLVM Clang 4.0 is deprecated and will be removed in a future release.
    • Support for Sun/Oracle JDK 1.7 is deprecated and will be removed in a future release.
    • Support for Kotlin 1.5.x is deprecated and will be removed in a future release.
    • Support for .NET 5.0 is deprecated and will be removed in a future release.
    • Added support for macOS 12 (Monterey).
    • Added support for C++20 (provisional).
    • Added support for C# 10.
    • Added support for Java 17.
    • Added support for Kotlin 1.5.20–1.5.32 and 1.6–1.6.10.
    • Added support for .NET 6, specifically for allowing Coverity to parse the code. Additional .NET 6 feature support is targeted for the Coverity 2022.6 release.
    • Added support for Sun/Oracle JDK 17.
    • Added support for Open JDK 17.
  • Polaris now supports the 2021 CWE Top 25 and 2021 OWASP Top 10 taxonomies.
  • Organizational Administrators can assign the Observer role in the "My Organization" user interface.
  • The trojan_source_bidi_char_unterminated Trojan Source checker is supported and enabled by default.
  • Coverity DLL caching is enabled by default for Polaris CLI 2022.3.0 only.
    Note: Because of a bug, it is disabled by default for Polaris CLI 2022.3.1.
  • Coverity JAR caching is disabled by default for Polaris CLI 2022.3.1 only.
  • The login timeout can now be customized per Polaris instance by working with Synopsys Support.
  • Bug Fix: Polaris allows at most 100 projects per application. Attempting to add more than 100 projects to an application results in an error, and the documentation has been changed to reflect that restriction. (POL-15336)
  • Bug Fix: Instructions for renewing SAML certificates have been added to the documentation. (POL-15242)
  • Bug Fix: Fixed an issue that prevented a customer from generating a PDF report for an application. (POL-15452)
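
The Spring4Shell remediation above gives one fix version per supported Spring Framework branch (5.3.18+ for 5.3.x, 5.2.20+ for 5.2.x). A partially upgraded build can still carry an old spring-beans or spring-webmvc next to a patched spring-core, so the useful check is over every Spring Framework jar in the dependency tree, not just the one you remember bumping. The following is an added example, not Synopsys or Polaris code: it applies the branch-specific fix versions from these release notes to a constructed sample of `mvn dependency:tree` output. Branches the notes do not address (for example 5.1.x) are reported as "not covered" rather than guessed at.

```python
"""Flag Spring Framework artifacts below the fix versions for CVE-2022-22965.

Added example (not Synopsys/Polaris code). It applies the branch-specific
fix versions from the release notes: 5.3.x must be >= 5.3.18 and 5.2.x must
be >= 5.2.20. Any other branch is reported as "not covered" rather than
assumed safe or unsafe. The dependency-tree text is constructed sample input
in the format `mvn dependency:tree` prints, not a real build's output.
"""
import re
from typing import Optional

# Minimum patched version per supported branch, taken from the release notes.
FIXED_BY_BRANCH = {
    (5, 3): (5, 3, 18),
    (5, 2): (5, 2, 20),
}

# Match every org.springframework module so a mismatched module version is also seen.
ARTIFACT_RE = re.compile(
    r"org\.springframework:(?P<artifact>spring-[a-z-]+):jar:(?P<version>[0-9][^:\s]*)"
)


def parse_version(text: str) -> Optional[tuple]:
    """Return (major, minor, patch) from '5.3.17' or '5.3.17.RELEASE'; None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def spring4shell_status(version: str) -> str:
    """Classify one Spring Framework version string.

    Returns 'fixed', 'vulnerable' or 'not covered' (branch not addressed by the
    advisory lines above, e.g. 5.1.x; look those up separately).
    """
    v = parse_version(version)
    if v is None:
        return "not covered"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "not covered"
    return "fixed" if v >= fixed else "vulnerable"


def scan_dependency_tree(tree_text: str) -> list:
    """Return [(artifact, version, status)] for every Spring Framework jar in the tree."""
    findings = []
    for line in tree_text.splitlines():
        m = ARTIFACT_RE.search(line)
        if m:
            ver = m.group("version")
            findings.append((m.group("artifact"), ver, spring4shell_status(ver)))
    return findings


# Constructed sample shaped like `mvn dependency:tree` output (not a real project):
# spring-core was bumped to 5.3.18 but spring-webmvc/spring-beans were left at 5.3.17.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.17:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.3.18:compile
[INFO] +- org.springframework:spring-context:jar:5.2.19.RELEASE:compile
[INFO] \\- org.springframework:spring-jdbc:jar:5.1.20.RELEASE:compile
"""

if __name__ == "__main__":
    for artifact, version, status in scan_dependency_tree(SAMPLE_TREE):
        print(f"{status:12} {artifact} {version}")
```

Pipe real output in with `mvn dependency:tree | python3 check_spring.py` (after swapping the constructed sample for `sys.stdin.read()`); any "vulnerable" line means the upgrade is incomplete even if the top-level spring-core version looks right.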
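
The trojan_source_bidi_char_unterminated checker listed above targets the Trojan Source class of defect: a Unicode bidi embedding, override or isolate control that is opened on a line and never closed, so the renderer reorders the rest of the visible line and code can be hidden inside what looks like a comment or string. The following is an added example illustrating that defect class; it is not Coverity's checker implementation. It walks each line with a directional stack, closing embeddings/overrides on PDF (U+202C) and isolates on PDI (U+2069), and reports whatever is still open at end of line. The sample source is constructed here in the shape of the well-known "commenting-out" pattern and is not taken from any real code base.

```python
"""Report Unicode bidi control characters left unterminated before end of line.

Added example, not Coverity's checker: it illustrates the defect class the
trojan_source_bidi_char_unterminated checker targets. Embeddings and overrides
(LRE/RLE/LRO/RLO) must be closed by PDF, isolates (LRI/RLI/FSI) by PDI; one left
open at end of line reorders the rest of the visible line, which is how Trojan
Source hides code in comments or strings. Sample input is constructed, not real.
"""
import unicodedata

EMBEDDING_OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE RLE LRO RLO
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}              # LRI RLI FSI
PDF, PDI = "\u202c", "\u2069"


def unterminated_bidi(source: str) -> list:
    """Return (line_no, col, char_name) for each opener still open at end of its line.

    Columns are 0-based indexes into the line. Stray PDF/PDI with nothing to
    close are ignored; they do not affect how the rest of the line renders.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stack = []  # (col, char) of currently open controls, innermost last
        for col, ch in enumerate(line):
            if ch in EMBEDDING_OPENERS or ch in ISOLATE_OPENERS:
                stack.append((col, ch))
            elif ch == PDF:
                # PDF closes the innermost embedding/override only; it cannot close an isolate.
                if stack and stack[-1][1] in EMBEDDING_OPENERS:
                    stack.pop()
            elif ch == PDI:
                # PDI closes the innermost isolate and any embeddings opened inside it.
                if any(c in ISOLATE_OPENERS for _, c in stack):
                    while stack[-1][1] not in ISOLATE_OPENERS:
                        stack.pop()
                    stack.pop()
        for col, ch in stack:
            findings.append((line_no, col, unicodedata.name(ch)))
    return findings


# Constructed sample in the Trojan Source "commenting-out" shape (not from a real
# code base). On lines 2 and 4 the RLO (U+202E) is never closed and the second
# LRI (U+2066) is left open; the first LRI ... PDI pair on line 2 is balanced.
SAMPLE = (
    "int is_admin = 0;\n"
    "/*\u202e } \u2066if (is_admin)\u2069 \u2066 begin admins only */\n"
    "    printf(\"You are an admin.\\n\");\n"
    "/* end admins only \u202e { \u2066*/\n"
)

if __name__ == "__main__":
    for line_no, col, name in unterminated_bidi(SAMPLE):
        print(f"line {line_no} col {col}: unterminated {name}")
```

Run over a file with `unterminated_bidi(open(path, encoding="utf-8").read())`; a clean tree returns an empty list, and any finding is worth a look in a hex dump rather than an editor, since the editor is exactly what the control characters are fooling.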

Polaris CLI

  • The following versions of the Polaris CLI Scan Client are supported in this release:
    • 2022.3.1 (Recommended. If you are upgrading to Coverity 2022.3.1 and use local analysis, either Polaris CLI 2022.3.1 or 2022.3.0 is required.)
    • 2022.3.0
    • 2021.12.1
    • 2021.12.0
    • 1.18.22
    • 1.17.119
  • Bug Fix: Fixed a failure of Polaris analysis on Azure DevOps. (POL-13508)
  • Bug Fix: Fixed spacing in the analyze caching configuration documentation for Polaris. (POL-15376)
  • Bug Fix: Corrected the indentation of the File System Capture examples. (POL-15176)
  • Bug Fix: Fixed a line break in the Polaris buildless capture documentation. (POL-15323)

For general information about Synopsys and the Spring Framework and Spring4Shell vulnerabilities: