A lot of false positives4

pasbi · April 22, 2025, 8:03am

Hello,

we’ve been using SQ for a few years and analyses have always contained false positives.
But since recently (a few months) the amount of false positives sky-rocketed.

We run SonarQube Server (Developer Edition) v9.9.8 in a Docker on premises.
The scanned project is written in C++20/CMake and uses a lot of Qt.

I’m not sure what else information is helpful, I’m glad to provide more on request.

Some of the false positives:

// this kind of FP occurs a lot. It seems SQ doesn't understand `std::move` doesn't work as intended on `const` objects.
void ResultWindow::next_shot(const int direction)
{
  auto shot = m_detail->next_shot(direction);
  // SQ: Unmodified variable "shot" of type "class std::shared_ptr<const class Shot>" should be const-qualified.

  if (shot != nullptr) {
    set_detail_view_shot(std::move(shot));  // cannot move if I make `shot` const.
  }
}

void Dialog::hide_expert_rows() const
{
  const auto is_expert_row = [this](const int row) {
    // SQ: Remove unused lambda capture "this".
    return ::any_of(m_ui->formLayout->itemAt(row, QFormLayout::LabelRole)->widget(),
                    m_ui->label_of_some_expert_row,
                    m_ui->label_of_another_expert_row);
    // `this` must be captured to access `m_ui`.
  };

  for (int row = 0; row < m_ui->formLayout->rowCount(); ++row) {
    m_ui->formLayout->setRowVisible(row, !is_expert_row(row));
  }
}

There are a lot more false positives, these were just the most blatant ones.
I’m not sure on how to proceed.
Is that level of false positives expected (about 50% of all detections)?
Am I suppose to report each of them individually?
Do I have a bad configuration maybe?

I appreciate any help and am happy to provide more information as required.
Thanks!

ganncamp · April 23, 2025, 12:36pm

Hi,

Welcome to the community!

Your version is past EOL. You should upgrade to either the latest version or the current LTA (long-term active version) at your earliest convenience. Your upgrade path is:

9.9.8 → 2025.1.1-> 2025.2 (last step optional)

You may find these resources helpful:

If you have questions about upgrading, feel free to open a new thread for that here.

Regarding your false positives, I suspect you will find that once you upgrade to a current version - with all its attendant rule improvements - you will find that many disappear. For any that don’t we would love to hear about them. There’s a detailed topic template in the Rules and Languages > Report False-positive / False-negative... category to help you provide good reports.

HTH,
Ann

system · April 30, 2025, 12:36pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[C++] False positives after upgrade to version 8.5.1.38104 Report False-positive / False-negative... cfamily	7	932	December 7, 2020
FP in SonarQube Server but not SonarQube for IDE? Report False-positive / False-negative...	2	8	February 13, 2025
False positive on S1238 Report False-positive / False-negative... sonarqube	1	176	September 22, 2023
False positives coming from Qt Framework usage SonarQube Server / Community Build	5	257	June 13, 2024
SonarQube incorrectly identifying cpp:S5817: this function should be declared const Report False-positive / False-negative... sonarqube , cfamily	5	1705	February 16, 2023

A lot of false positives4

Related topics