Hello,
we’ve been using SQ for a few years and analyses have always contained false positives.
But since recently (a few months) the amount of false positives sky-rocketed.
We run SonarQube Server (Developer Edition) v9.9.8 in Docker on premises.
The scanned project is written in C++20/CMake and uses a lot of Qt.
I’m not sure what other information is helpful; I’m glad to provide more on request.
Some of the false positives:
```cpp
// this kind of FP occurs a lot. It seems SQ doesn't understand `std::move` doesn't work as intended on `const` objects.
void ResultWindow::next_shot(const int direction)
{
    // `shot` is a std::shared_ptr<const Shot> handed over by move below.
    auto shot = m_detail->next_shot(direction);
    // SQ: Unmodified variable "shot" of type "class std::shared_ptr<const class Shot>" should be const-qualified.
    if (shot != nullptr) {
        set_detail_view_shot(std::move(shot)); // cannot move if I make `shot` const.
    }
}
```

```cpp
void Dialog::hide_expert_rows() const
{
    // Predicate: is the label widget of `row` one of the expert-row labels?
    const auto is_expert_row = [this](const int row) {
        // SQ: Remove unused lambda capture "this".
        return ::any_of(m_ui->formLayout->itemAt(row, QFormLayout::LabelRole)->widget(),
                        m_ui->label_of_some_expert_row,
                        m_ui->label_of_another_expert_row);
        // `this` must be captured to access `m_ui`.
    };
    for (int row = 0; row < m_ui->formLayout->rowCount(); ++row) {
        m_ui->formLayout->setRowVisible(row, !is_expert_row(row));
    }
}
```
There are a lot more false positives; these were just the most blatant ones.
I’m not sure how to proceed.
Is that level of false positives expected (about 50% of all detections)?
Am I supposed to report each of them individually?
Do I have a bad configuration maybe?
I appreciate any help and am happy to provide more information as required.
Thanks!
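To make the first false positive concrete, here is an added, self-contained example (not code from the post or from SonarQube) that shows what happens if the analyzer's suggestion is followed: `std::move` on a const `shared_ptr` yields a const rvalue, which can only bind to the copy constructor, so the hand-off silently becomes a copy. `Shot` and `DetailView` are constructed stand-ins for the post's types.

```cpp
#include <memory>
#include <utility>

// Constructed stand-in for the post's Shot type.
struct Shot {
    int id;
};

// Stand-in for the view that set_detail_view_shot() hands the shot to.
// It takes the shared_ptr by value and keeps it, like a sink taking ownership.
struct DetailView {
    std::shared_ptr<const Shot> current;
    void set_shot(std::shared_ptr<const Shot> shot) { current = std::move(shot); }
};

// Mirrors next_shot() as written in the post: `shot` is non-const, so the
// std::move really moves. Returns the local's use_count after the hand-off;
// 0 means the local was moved-from and ownership transferred.
long move_from_nonconst()
{
    DetailView view;
    std::shared_ptr<const Shot> shot = std::make_shared<Shot>(Shot{1});
    view.set_shot(std::move(shot));
    return shot.use_count();  // 0: moved-from shared_ptr is empty
}

// The const-qualified variant the analyzer asks for. std::move(shot) is a
// `const shared_ptr&&`, which only matches the copy constructor, so the
// parameter is a copy: both the local and the view now own the object.
long move_from_const()
{
    DetailView view;
    const std::shared_ptr<const Shot> shot = std::make_shared<Shot>(Shot{2});
    view.set_shot(std::move(shot));  // compiles, but copies instead of moving
    return shot.use_count();  // 2: local plus view.current
}
```

Compilers such as clang flag the second case with a "std::move of the const variable has no effect" style warning, which is a useful cross-check when triaging this rule's findings.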