C/C++ analysis engine supports more compilers and detects buffer overflow security-sensitive APIs

Hello C and C++ developers,

We’re proud to announce the following improvements to the C/C++ analyzers:

New Compilers

There are tons of C/C++ compilers out there and we always get many requests by many users about additional compilers support. We listened and added the support of 10+ compilers to allow more developers to benefit from our C/C++ rules. Today the supported compilers are:

  • Clang, GCC, MSVC, ARM, QNX compilers
  • Intel compilers for Linux, macOS
  • Compilers based wholly on GCC including Linaro GCC
  • Wind River Diab and GCC
  • IAR compilers for 8051, ARM, AVR32, AVR, Renesas RL78, Renesas RX, Renesas V850, Renesas H8, and Texas Instruments MSP430
  • Texas Instruments compilers on Windows and macOS for ARM, C2000, C6000, C7000, MSP430, PRU

Code Security Rules

This is the first time we deliver Security Hotposts for C and C++. If you are not familiar with this concept, we invite you to read the related documentation.
We want to help C/C++ developers to deliver code in production without vulnerabilities and more precisely we want to avoid buffer overflow to be exploited by hackers. This is why we implemented 4 rules looking at APIs that could be badly used and that open the door to buffer overflow attacks if they are used without care. The use of these functions should be carefully reviewed by developers before releasing the code in production.

  • S5816: Using “strncpy” or “wcsncpy” is security-sensitive
  • S5815: Using “strncat” or “wcsncat” is security-sensitive
  • S5814: Using “strcat” or “wcscat” is security-sensitive
  • S5801: Using “strcpy” or “wcscpy” is security-sensitive

Finally, we added another Security Hotspot to highlight the use of “tmpnam” functions that could lead to hackers to get access to files that the application believed was trustworthy.

  • S5824: Using “tmpnam”, “tmpnam_s” or “tmpnam_r” is security-sensitive

Code Quality Rules

We always add bunch of rules to help you write clean code. This time it’s 6 code smell detection rules:

  • S5314: Blocking functions should not be called inside critical sections
  • S5820: Integer literals should not be cast to bool
  • S1905: Redundant casts should not be used
  • S5276: Implicit casts should not lower precision
  • S5825: Macros should not be used as replacement to “typdef” and “using”
  • S5812: Concise syntax should be used for concatenatable namespaces

For more information, see the changelog.

You can already enjoy these new features on SonarCloud. For SonarQube customers, these new features will be built into the next version (8.4).



A post was split to a new topic: Support for compilers