(Beta) C/C++ analysis for Conan and vcpkg for SonarQube Advanced Security

Hello folks!

We introduced SonarQube Advanced Security to extend the core SonarQube values of quality and security to include the use of third-party dependencies, so developers can focus on building better, faster. Today we’re happy to announce extending that value to more of our customers’ projects.

We are announcing beta support for C and C++ projects built using the Conan and vcpkg package managers.

What’s included

This includes detection of publicly posted vulnerabilities, and analysis of license risks, in dependencies of projects built using either Conan or vcpkg

How to use it

During our beta period, you must enable this at the analysis level, by passing the sonar.sca.cfamily=true argument to the scanner. This can be done either on the scanner commandline, or via the sonar-project.properties file. This restriction will be removed once this feature is GA.

This will cause the analysis to look for conanfile.py/conan.lock (Conan) or vcpkg.json (vcpkg) to determine your dependencies.

For how to set parameters, see the analysis configuration documentation for more details o

For more information on how to configure SCA analysis in SonarQube Advanced Security, see the Advanced Security documentation.

This is a beta

We are collecting feedback from our customers on their experience with this feature. Share your thoughts in the comments, or reach out for a meeting.
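A pre-flight check for the configuration described above, written as an added example rather than Sonar's own code: it parses the scanner properties, confirms sonar.sca.cfamily=true is set, and looks for the Conan/vcpkg manifests the beta resolves. The manifest names come from the announcement; the property parser, the report fields and the sample project are this example's assumptions.

```python
"""Pre-flight check for the SonarQube Advanced Security C/C++ SCA beta (added example, not Sonar's code).
Manifest names come from the announcement; the property parser, report fields and sample project are assumptions.
"""
import shutil
import tempfile
from pathlib import Path

# Manifests the announcement says the analysis looks for, per package manager.
MANIFESTS = {"conan": ("conanfile.py", "conan.lock"), "vcpkg": ("vcpkg.json",)}


def parse_properties(text: str) -> dict:
    """Parse sonar-project.properties style lines: key=value, '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()  # a repeated key keeps its last value
    return props


def sca_preflight(project_dir: str, properties: str) -> dict:
    """Report whether the beta is enabled, which manifests are present, and what is missing."""
    props = parse_properties(properties)
    enabled = props.get("sonar.sca.cfamily", "false").lower() == "true"
    root = Path(project_dir)
    found = {pm: [m for m in names if (root / m).is_file()] for pm, names in MANIFESTS.items()}
    detected = [pm for pm, files in found.items() if files]
    problems = []
    if not enabled:
        problems.append("sonar.sca.cfamily=true not set: C/C++ dependencies are skipped during the beta")
    if not detected:
        problems.append("no conanfile.py/conan.lock or vcpkg.json at the project root")
    if "vcpkg" in detected and shutil.which("vcpkg") is None:
        problems.append("vcpkg.json found but 'vcpkg' is not on PATH, so 'vcpkg list --x-json' cannot run")
    return {"enabled": enabled, "package_managers": detected, "manifests": found, "problems": problems}


def sample_vcpkg_project() -> str:
    """Constructed manifest-mode vcpkg project, like the gtest case discussed in the thread."""
    d = tempfile.mkdtemp()
    (Path(d) / "vcpkg.json").write_text('{"name": "demo", "dependencies": ["gtest"]}')
    return d


if __name__ == "__main__":
    print(sca_preflight(sample_vcpkg_project(), "sonar.projectKey=demo\nsonar.sca.cfamily=true\n"))
```

Run it from the agent that will execute the scanner, since the vcpkg-on-PATH check only means something in that environment.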


I just updated a pipeline with a mixed C++/C# solution build with the build wrapper (Azure pipeline, Windows, build wrapper download during build). I added the new property to the SonarCloudPrepare@3 task.

          - task: SonarCloudPrepare@3
            displayName: 'Prepare analysis on SonarCloud'
            inputs:
              SonarCloud: 'SonarCloudEnterprise'
              organization: <MyOrg>
              projectName: <myName>
              projectKey: <myKey>
              projectVersion: '$(Build.BuildNumber)'
              extraProperties: |
                sonar.cfamily.vscoveragexml.reportsPath=$(Agent.TempDirectory)/**/*.coveragexml
                sonar.junit.reportPaths=**/test_details.xml
                sonar.cfamily.compile-commands=$(SonarOutDir)/compile_commands.json
                sonar.cfamily.reportingCppStandardOverride=c++23
                sonar.cfamily.enableModules=true
                sonar.sca.cfamily=true

Unfortunately, the dependencies page in SonarCloud still indicates only NuGet as package manager; vcpkg is not mentioned. (gtest is included by vcpkg.) And gtest is not found in the dependencies.

Interesting. Would really need the scanner log to debug further.

One thing to note is that for full vcpkg information we do have to run vcpkg list --x-json at analysis time to resolve the dependencies; is this analysis running in an environment where:

  • vcpkg is available
  • it can connect to the vcpkg repository to resolve dependencies?

Hello Bill,

yes, vcpkg is available and used in the build. It is used in manifest mode, if this matters. I’ll send you a private message with logs.

I would like to thank @bill.nottingham for the support and investigations.

Sonar quickly fixed a bug and now the vcpkg analysis works also for our build of the mixed C++/C# solution on Azure DevOps using msbuild, Microsoft Visual C++ 2022 compiler (stdcpp23) and SonarCloud build wrapper.