C++ analysis rules

I use SonarQube 8.0 and the Scanner to analyze my C++ code. In the C++ rules I can see the rules "Dynamically allocated memory should be released" and "Local variables should be initialized immediately", but when I input code like this: "int* a; a = new int;" there are no errors reported for this line. I am not sure why. I didn’t turn off these rules.

Hello @judy,

The code you mentioned should trigger these rules if the project is well configured. Make sure that these rules are activated in your C++ quality profile. To learn more about Quality Profiles.

Hi, I have activated my C++ quality profile, and I suppose these rules are active by default and I cannot deactivate them, am I right? I also tested other cases, adding some code like this: "char p[100]; char s[90]; memcpy(p,s,100);" I think it should report 3 issues, not initialized and should replace memcpy with memcpy_s, but after running SonarQube, it told me there are no errors in my project.

Hello @judy,

No. To check the activated rule you can click 249 in the screenshot you shared. For example, you can see that the rule Local variables should be initialized immediately is not there in the activated rules.

Create your own profile:

Make sure you choose C++:
Activate the rules that you like by clicking on Activate More:


You can activate all rules if you like using Bulk Change.

Once you are done, don’t forget to set your new Quality profile as default:

Now, re-analyze your project. The rules activated in your quality profile should be triggered when violated.


Thanks for your reply. I clicked the 249 in my screenshot and found the rule related to variable initialization, and it cannot be deactivated.

No, you didn’t. Please read the rule description carefully.
"Local variables should be initialized immediately" is not the same as "Variables should be initialized before use".
Please follow the steps that I provided to create your own quality profile. Rules in the Sonar way quality profile cannot be changed. That’s why the Deactivate button is not available.

Yes, I followed your instructions to create my quality profile, and input the noncompliant example code from the "Variables should be initialized before use" rule, such as bool function() {bool b; return b;} but there is no "Variables should be initialized before use" error.
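The three snippets posted in this thread, rewritten as an added example (not code from the thread or from SonarSource) in forms that avoid an uninitialized local, an unreleased allocation, and a copy whose length exceeds the source buffer. `checked_copy` is a hypothetical helper, the value 42 and the buffer contents are constructed, and C++14 or later is assumed.

```cpp
#include <array>
#include <cstddef>
#include <cstring>
#include <memory>

// Hypothetical helper: copy n bytes only when n fits in BOTH buffers.
// Returns false and leaves dst untouched otherwise.
template <std::size_t DstN, std::size_t SrcN>
bool checked_copy(std::array<char, DstN>& dst,
                  const std::array<char, SrcN>& src, std::size_t n) {
    if (n > DstN || n > SrcN) {
        return false;  // would overflow dst or read past the end of src
    }
    std::memcpy(dst.data(), src.data(), n);
    return true;
}

// Thread snippet: "int* a; a = new int;"
// Here the pointer is initialized at its declaration and the allocation
// is released automatically when the unique_ptr goes out of scope.
int owned_value() {
    auto a = std::make_unique<int>(42);  // 42 is a constructed sample value
    return *a;
}

// Thread snippet: "bool function() {bool b; return b;}"
// Here b has a defined value before it is read.
bool function() {
    bool b = false;
    return b;
}

// Thread snippet: "char p[100]; char s[90]; memcpy(p,s,100);"
// Copying 100 bytes reads 10 bytes past the end of s, so it is rejected.
bool copy_100_is_rejected() {
    std::array<char, 100> p{};  // zero-initialized at declaration
    std::array<char, 90> s{};
    return !checked_copy(p, s, 100);
}

// Copying exactly the 90 bytes that s holds succeeds; the rest of p stays zero.
bool copy_90_succeeds() {
    std::array<char, 100> p{};
    std::array<char, 90> s{};
    s[0] = 'x';
    s[89] = 'y';
    return checked_copy(p, s, 90) && p[0] == 'x' && p[89] == 'y' && p[90] == '\0';
}
```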

I just tried to analyze the code you provided and the rule was triggered. There must be something wrong in your configuration:

  • Make sure that you are analyzing the file containing the code you mentioned. You can check the scanner log to see the analyzed files.
  • Make sure you are using the latest version of the plugin: SonarCFamily 6.5.

Yes, this file is being analyzed, but there is no error related to this rule; it reported other errors. How do I check whether I use SonarCFamily 6.5?

When you run the scanner in debug mode: sonar-scanner -X you should see the log that indicates the version of the plugin you are using. For me it is: SonarCFamily
To update your plugin you should go to Administration -> Marketplace.

OK, thank you so much. I use SonarCFamily, and I will update it. By the way, if I want to upgrade the rules, must I reinstall the latest SonarQube, or is there some extension to just update to the newest rules? My work environment cannot connect to the internet, so I cannot update online; I would need to download the rule extension or something, copy it to my work environment, and install it in offline mode.

No, you don’t have to reinstall SonarQube. You only have to replace the old plugin jar with the new one in the sonarqube/extensions/plugins directory and relaunch SonarQube.

Can you provide the plugin jar link?

You can update/download the plugin from SonarQube Administration -> Marketplace.
Once downloaded, you will find the new jar in sonarqube/extensions/plugins.

Yes, if I could connect to the internet, I would download the plugin from Administration -> Marketplace, but in my working environment I cannot connect to the internet, so where is the offline plugin?

You can find the CFamily 6.5 plugin here: https://binaries.sonarsource.com/CommercialDistribution/sonar-cfamily-plugin/sonar-cfamily-plugin-

Hello @judy,
Did it work out? Any update?

I don’t have time to try this right now; I have an emergency issue that I must check. I will check later, and after that I will let you know.


Hi @judy,

Any update on this, or can we consider this topic closed?