Array index out of bounds - Not getting reported in C

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)


  • what are you trying to achieve

I am trying to get the “array index out of bounds” to be reported for the below C code

void my_function(char arg1, short int arg2)
glbal_array_struct[0].array[arg2] = 0x12;
int getValueFromArray(int *array, int len, int index) {
int value;
// check that the array index is less than the maximum
// length of the array
if (index < len) {
// get the value at the specified index of the array
value = array[index];
// if array index is invalid then output error message
// and return value indicating error
else {
printf(“Value is: %d\n”, array[index]);
value = -1;
return value;

  • what have you tried so far to achieve this

Used C example from references
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Hi @shailesh,

could you please rerun your tests with Sonarqube version 7.5? It ships with a completely rewritten C/C++ analyzer (SonarCfamily version 6.0).

Thank you for the response. I will try with the newer version.

Hi @mpaladin

We updated the Sonarqube to version 7.5, but the bug is still not reported.

Hi @shailesh,

sorry about that, we constantly work to improve our analyzer, I hope we will catch your wanted bug in the future.

Unfortunately none of the bugs are getting reported from our code. Are there any configurations that may be a suspect here?

Hi @shailesh,

could you share your analysis log?

Where do I get these logs from? I checked SONAR_7.5/sonarqube-7.5/logs folder, did not find any logs!

Hi @shailesh,

the sonar-scanner logs, not the server logs.


Please find attached the logs from Sonar-Runner.


Sonar-Runner_logs.txt (26.2 KB)

Hi @shailesh,

I’m sorry but I cannot help you, you are not using the official SonarSource C/C++ analyzer, but the community one.

Hi @mpaladin

I have run the sonar-scanner and the result is the same. Attaching logs for your reference.

scanner-logs.txt (26.8 KB)

Hi @shailesh,

sorry and again: I cannot help you, you are not using the official SonarSource C/C++ analyzer, but the community one.

If you want to use official SonarSource C/C++ analyzer please install the proper version or otherwise contact the community of the community C/C++ plugin.

Hi @mpaladin
Thank you for the response. Would you be able to share the link to the official SonarSource C/C++ analyzer, I will have it installed and check for the results


The official SonarSource C/C++ analyzer is available for free in SonarCloud for open-source projects or starting with developer edition of SonarQube, have a look at this page: C/C++ analyzer