Analysis of a C++ project in SonarQube

Hello,
We are trying to analyze a simple C++ project in SonarQube. We are using Enterprise Edition 9.5, together with the build-wrapper. The analysis runs fine and the report is uploaded, but we can't find any errors.
cppproject.txt (1.0 KB)
Any suggestions on this?
Thanks

Hi,

Welcome to the community!

Would you mind sharing your analysis log, redacted as necessary?

 
Ann

Hi
I have uploaded a brief extract of the logs below.
sonar-report-sonarcommunity.txt (13.7 KB)

Sravan

Hi,

It looks like you have a 1-file solution? I see it being analyzed:

10:45:46.707 INFO: Sensor CFamily [cpp]
10:45:46.707 INFO: CFamily plugin version: 6.34.0.48468
10:45:46.707 INFO: Using build-wrapper output: C:\Temp1\Oct-7\build-wrapper-dump.json
10:45:46.707 INFO: Available processors: 12
10:45:46.728 INFO: Using 12 threads for analysis.
10:45:46.728 DEBUG: Unpacking analyzer to: D:\Work\Nuget\ConsoleApplication1\ConsoleApplication2.scannerwork.sonartmp\9280
10:45:48.463 INFO: Loading cache from: server
10:45:48.479 DEBUG: Probing compiler: [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.31.31103\bin\Hostx86\x64\cl.exe]
10:45:48.537 DEBUG: stdout:
usage: cl [ option… ] filename… [ /link linkoption… ]

10:45:48.537 DEBUG: stderr:
Microsoft (R) C/C++ Optimizing Compiler Version 19.31.31105 for x64
Copyright (C) Microsoft Corporation. All rights reserved.

10:45:48.599 INFO: Cache hit for: D:\Work\Nuget\ConsoleApplication1\ConsoleApplication2\ConsoleApplication2.cpp
10:45:48.637 INFO: PCH: unique=0 use=0 (forceInclude=0,throughHeader=0,firstInclude=0) out of 1 (forceInclude=0,throughHeader=0)
10:45:48.637 INFO: SE: 1 out of 1
10:45:48.637 INFO: Z3 refutation rate: 0 out of 4
10:45:48.653 INFO: Subprocess(es) done in 190ms
10:45:48.653 INFO: Cache: 1/1 hits, 18972 bytes
10:45:48.653 INFO: 1 compilation units analyzed
10:45:48.653 INFO: Sensor CFamily [cpp] (done) | time=1946ms

So by “no errors”, you mean no issues are raised? What issues do you expect to see?

 
Ann

Hi,
I have provided the code snippet for your reference.
I was expecting the following issues:
1. A null pointer dereference in this case
    #include <cstdlib>   // malloc
    #include <cstring>   // strcpy
    #include <iostream>  // std::cout
    void nullDereference() {
        char tempStr[] = "This is a test";   // was `char tempStr = "..."`, which does not compile
        // malloc(15) is never checked: if it returns NULL, strcpy writes through a null pointer
        char* newString = strcpy((char*)malloc(15), tempStr);
        std::cout << "NULL pointer dereference.\n";
    }
2. A resource leak in this case
    #include <cstdio>    // FILE, fopen_s / errno_t (MSVC, C11 Annex K)
    void rhleak() {
        // Leak a resource handle here.
        FILE* fp = NULL;
        errno_t en = fopen_s(&fp, "C:\\TEST.TXT", "r");   // backslash escaped: "\T" is not a valid escape sequence
        std::cout << "Leaking a file handle\n";
        return; // Not closing fp => resource leak
    }
3. A memory leak in this case
    void rsLeak() {
        // Make a resource leak
        int* myArr = new int[200];   // was `new int(200)`, which allocates one int set to 200, not an array
        std::cout << "Resource leak (new with no free).\n";
        return; // Not releasing above allocated array.
    }

Sravan
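For comparison with the three snippets above, here are hardened counterparts that do the things the snippets omit: check the malloc() result before writing through it, tie the FILE* to an RAII owner so it is closed on every path, and let std::vector own the array. This is an added example, not code from the thread or from SonarSource; the function names are mine, and std::fopen is used in place of the MSVC-specific fopen_s so the example also builds with gcc/clang (an assumption, since the original targets cl.exe). The file path in the original does not exist on most machines, so the open-failure path is handled and returns -1 rather than being ignored.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Counterpart of nullDereference(): the malloc() result is checked before
// anything is written through it, the copy is bounded by the source length,
// and the buffer is freed. Returns the copied text (empty if malloc fails).
std::string safeCopy(const char* src) {
    const std::size_t len = std::strlen(src) + 1;          // include the terminating NUL
    char* buf = static_cast<char*>(std::malloc(len));
    if (buf == nullptr) {                                  // the check the original snippet lacks
        return std::string();
    }
    std::memcpy(buf, src, len);                            // bounded copy into a buffer sized for it
    std::string out(buf);
    std::free(buf);                                        // the heap block is released
    return out;
}

// Counterpart of rhleak(): a unique_ptr with an fclose() deleter owns the FILE*,
// so every return path closes the handle. std::fopen replaces the MSVC-only
// fopen_s of the original so this builds with gcc/clang too (assumption).
struct FileCloser {
    void operator()(FILE* f) const { if (f) std::fclose(f); }
};
using FilePtr = std::unique_ptr<FILE, FileCloser>;

// Returns the number of bytes in the file, or -1 when it cannot be opened
// (the failure path the original snippet never checks).
long countBytes(const char* path) {
    FilePtr fp(std::fopen(path, "rb"));
    if (!fp) {
        return -1;                                         // nothing was opened, nothing to close
    }
    long total = 0;
    char chunk[256];
    std::size_t got;
    while ((got = std::fread(chunk, 1, sizeof chunk, fp.get())) > 0) {
        total += static_cast<long>(got);
    }
    return total;                                          // FileCloser closes the handle here
}

// Writes `text` to `path`, reads it back through countBytes(), then removes
// the file. Both handles go through FilePtr, so neither is leaked.
long writeThenCount(const char* path, const std::string& text) {
    {
        FilePtr out(std::fopen(path, "wb"));
        if (!out) return -1;
        std::fwrite(text.data(), 1, text.size(), out.get());
    }                                                      // writer closed before the reader opens
    const long n = countBytes(path);
    std::remove(path);
    return n;
}

// Counterpart of rsLeak(): std::vector owns the array, so there is no raw
// new[] to forget. Fills 0..n-1 and returns the sum so the work is observable.
long fillAndSum(std::size_t n) {
    std::vector<int> arr(n);
    for (std::size_t i = 0; i < n; ++i) arr[i] = static_cast<int>(i);
    long sum = 0;
    for (int v : arr) sum += v;
    return sum;                                            // vector frees its storage here
}

int main() {
    std::cout << safeCopy("This is a test") << '\n';
    std::cout << writeThenCount("sonar_demo.tmp", "This is a test") << " bytes\n";
    std::cout << countBytes("C:\\TEST.TXT") << " (-1 when the file is absent)\n";
    std::cout << fillAndSum(200) << '\n';
    return 0;
}
```

Running the original snippets and these side by side through the same quality profile is the quickest way to tell whether a rule is inactive (neither version raises anything) or simply satisfied by the fixed code.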

Hello @Sravan,

By looking at your logs, everything seems to be working fine…

You don’t have any issues at all on SonarQube? Not even code smells or anything else?
I am trying to understand whether the problem comes from the analysis setup or from these specific rules not raising issues when they should.

Have you checked the Quality Profile that is activated for your project?
And if you enable this rule: RSPEC-2260: Track parsing failures, do you still have no issue?

Amélie

Hi @Amelie

We have added the rule related to Track parsing failures and a few others as well. It has picked up a couple of issues. Thanks, Amélie. Is there any rule to add which could pick up the resource leak issue in the below code snippet?

    #include <cstdio>    // FILE, fopen_s / errno_t (MSVC, C11 Annex K)
    #include <iostream>  // std::cout
    void rhleak() {
        // Leak a resource handle here.
        FILE* fp = NULL;
        errno_t en = fopen_s(&fp, "C:\\TEST.TXT", "r");   // backslash escaped: "\T" is not a valid escape sequence
        std::cout << "Leaking a file handle\n";
        return; // Not closing fp => resource leak
    }
Is there any rule to add which could pick up the null pointer dereference issue in the below code snippet?

1. A null pointer dereference in this case
    #include <cstdlib>   // malloc
    #include <cstring>   // strcpy
    void nullDereference() {
        char tempStr[] = "This is a test";   // was `char tempStr = "..."`, which does not compile
        // malloc(15) is never checked: if it returns NULL, strcpy writes through a null pointer
        char* newString = strcpy((char*)malloc(15), tempStr);
        std::cout << "NULL pointer dereference.\n";
    }

Sravan

Hello @Sravan,

I think the rules you are looking for are the following:
RSPEC-2095: Resources should be closed
RSPEC-3519: Memory access should be explicitly bounded to prevent buffer overflows

Both of these rules are activated in the default quality profile “Sonar way”. I would advise you first to set this quality profile and, in a second step, if needed, create your quality profile by enabling / disabling rules.

Amélie

Hi @Amelie
I have posted my C++ code. Is there anyone from your team who could analyze it and list out the issues for us? That would help us a lot in making a clear comparison as well.
cppproject.txt (1.0 KB)

Hello @Sravan,

I’m unsure what you want to achieve: you need to make a clear comparison between what things?

Besides SonarQube, you can also use SonarLint to analyze your code snippet directly in your IDE.

Amélie