Assigned value is garbage or undefined but seems not

Hi, all,

I am using SonarQube version 8.9, scanner 4.6.0 and SonarCFamily 6.20.
And here is a captured bug:

#include <stdio.h>

int main(void)
{
	FILE *fp = NULL;
	unsigned char c;            /* written by fread() before it is ever read */
	unsigned char p = 0;
	fp = fopen("/home/test", "rb+");
	if (fp)
	{
		while (fread((void *)(&c), 1, 1, fp) == 1)
		{
			p += c;             /* << Assigned value is garbage or undefined */
		}
		fclose(fp);
	}
	return 0;
}

It seems it recognized char c as a garbage value, but why?

Hi @deron.chen
I was unable to reproduce on 8.9.1 / CFamily 6.20.1, using the code snippet you shared (thanks for it!), which I added to two different C++ files in the sonar-scanning-examples project.

Are you on SonarQube 8.9 or on 8.9.1?

Hi @Sylvain_Combe,
It’s 8.9.0.43852.

BTW, our project is built in C.
Not sure if that will change the result.

Ok, my mistake. I do indeed reproduce on 8.9.1 on both C and C++ now.

There was one rather important fix brought to SonarQube 8.9.1 for C and C++ analysis (SONAR-14909), but we have now made sure it is unrelated.

And I agree we have a false positive on S836, probably because fread() is not completely managed for this rule. Let me check this further; I’ll update you when I have some news.

Best regards
Sylvain
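Added example, not code from the thread or from SonarSource: it contrasts the pattern in the original post (the loop only touches c after fread() has returned 1, so c is always written before it is read and the S836 report is a false positive) with the classic feof() loop that ignores fread()'s return value, which is the kind of read S836 exists to catch. The file is replaced by a tmpfile() stream filled with constructed bytes so the program runs offline; the function and variable names are assumptions for this example.

```c
#include <stdio.h>

/* Pattern from the original post: c has no initializer, but it is only
 * read after fread() reports that one byte was stored in it.  There is
 * no path on which c is consumed uninitialized. */
unsigned char sum_bytes_checked(FILE *fp)
{
    unsigned char c;          /* assigned by fread() before every use */
    unsigned char p = 0;
    rewind(fp);
    while (fread((void *)&c, 1, 1, fp) == 1) {
        p += c;               /* the line S836 flagged in the thread */
    }
    return p;
}

/* Contrasting pattern: a feof() loop that ignores fread()'s return value.
 * With an uninitialized c this is a genuine uninitialized read on an empty
 * stream (the first fread() fails and c is consumed as-is).  c is given an
 * initializer here purely so the example has defined behaviour; the other
 * defect remains visible: the final failed fread() leaves c holding the
 * previous byte, which is then added a second time. */
unsigned char sum_bytes_feof_loop(FILE *fp)
{
    unsigned char c = 0;      /* initialized only to keep the demo defined */
    unsigned char p = 0;
    rewind(fp);
    while (!feof(fp)) {
        (void)fread((void *)&c, 1, 1, fp);   /* return value ignored */
        p += c;
    }
    return p;
}

/* Stand-in for fopen("/home/test", "rb+"): a temporary stream holding
 * constructed sample bytes.  Returns NULL on failure. */
FILE *make_stream(const unsigned char *bytes, size_t n)
{
    FILE *fp = tmpfile();
    if (fp == NULL) {
        return NULL;
    }
    if (n > 0 && fwrite(bytes, 1, n, fp) != n) {
        fclose(fp);
        return NULL;
    }
    rewind(fp);
    return fp;
}

/* Convenience wrappers: run one pattern over constructed bytes and return
 * the sum as an int, or -1 if the stream could not be created. */
int checked_sum_of_bytes(const unsigned char *bytes, size_t n)
{
    FILE *fp = make_stream(bytes, n);
    if (fp == NULL) {
        return -1;
    }
    int sum = sum_bytes_checked(fp);
    fclose(fp);
    return sum;
}

int feof_loop_sum_of_bytes(const unsigned char *bytes, size_t n)
{
    FILE *fp = make_stream(bytes, n);
    if (fp == NULL) {
        return -1;
    }
    int sum = sum_bytes_feof_loop(fp);
    fclose(fp);
    return sum;
}

int main(void)
{
    const unsigned char sample[] = {1, 2, 3, 4};   /* constructed input */
    printf("checked loop:   %d\n", checked_sum_of_bytes(sample, sizeof sample));   /* 10 */
    printf("feof() loop:    %d\n", feof_loop_sum_of_bytes(sample, sizeof sample)); /* 14 */
    printf("checked, empty: %d\n", checked_sum_of_bytes(sample, 0));               /* 0 */
    return 0;
}
```

The checked loop sums the four bytes exactly once; the feof() loop counts the last byte twice because the loop body runs once more after the stream is exhausted. If the analyzer report on the checked pattern needs to be silenced before the fix lands, giving c an initializer (`unsigned char c = 0;`) costs nothing and removes the finding without changing behaviour.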

Hi @Sylvain_Combe,

Thanks for the answer, appreciate that.
I wonder what the S836 you mentioned is?

S836 is the “Variables should be initialized before use” rule identifier, coming from our rules repository.
This identifier is shown to you when you open the rule documentation and is searchable in the Rules tab in SonarQube.


Got it.
Thanks again.

Hello @deron.chen ,

I created this ticket to fix the false-positive. Feel free to watch the ticket for any update.

Thanks,


Hi @Abbas_Sabra ,
Thanks for the ticket.
