C/C++ Sonarqube False Positive

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Data Center Edition, Version 8.9.6 (build 50800)
  • what are you trying to achieve
    Trying to see if the SonarQube scanner is raising a false positive
  • what have you tried so far to achieve this
    Many combinations of the code, to see if we can satisfy the SonarQube scanner.

This is my first time filing a case in this community. Sorry if there are issues with this case.

Following is a simple C code snippet.

The SonarQube scanner says “Memory copy function overflows the destination buffer” for the following line.
memcpy(&apduChain[5], &(apdu[5 + offset]), len);

If I call this API with a fixed length for the second parameter “apduLen” (say 100, 200, etc.) it doesn’t complain. It also doesn’t complain if I test with do-while(0). But the calling API dynamically calculates the value of apduLen, then calls this API. SonarQube doesn’t like that.

The problem is: the destination buffer should never overflow in the following code. The data copied to the destination buffer is 255 bytes or less (the code forces this). For SonarQube to complain based on the input parameter length (based on the calculation in the calling API) doesn’t seem to make sense.

Any comments?

Thank you

#include <string.h>   /* memcpy */

/* rdr_id, CRD_ISO_APDU, CRD_EXCHG_OK and Fn_Test come from the rest of the project
   and are not shown in the post. */

static int cmd_send( const unsigned char* apdu, unsigned short apduLen, int leAfterData,
                     unsigned char resp[256], unsigned short* respLenP)
{
    int    ret = 0;
    int    rslt = 0;
    int    partLastIs = 0;
    unsigned int   len = 0;
    unsigned int   dataRemaining = 0;
    unsigned int   offset = 0;
    unsigned char  apduChain[5 + 255 + 1] = {0};   /* 5-byte header + max 255 data bytes + optional Le */

    if (apduLen - 5 - (leAfterData ? 1 : 0) <= 255)
    {
        /* Data part fits in one frame: send the APDU as is. */
        rslt =  Fn_Test( rdr_id, CRD_ISO_APDU, apduLen, (unsigned char*)apdu, respLenP, resp, 256);
    }
    else  //sonarqube takes this path for the false positive.
    {
        partLastIs = 0;
        dataRemaining = apduLen - 5 - (leAfterData ? 1 : 0);
        do
        {
            len = dataRemaining;
            if ((len + 0) > 255)  //sonarqube path -- first time len >255, second time loop is <= 255
                len = 255 - 0;
            dataRemaining -= len;
            partLastIs = (dataRemaining == 0);

            memcpy (&apduChain[0], apdu, 4);       /* CLA INS P1 P2 */
            apduChain[4] = len;                    /* Lc of this chunk */

            if (!partLastIs)
                apduChain[0] |= 0x10;              /* chaining bit: more data follows */

            memcpy(&apduChain[5], &(apdu[5 + offset]), len);

            rslt =  Fn_Test( rdr_id, CRD_ISO_APDU, 5 + len + (leAfterData ? 1 : 0), apduChain, respLenP, resp, 256);
            if (rslt != CRD_EXCHG_OK)  break;

            offset += len;

        } while (dataRemaining > 0);  //Sonarqube failure during second pass of this loop.
    }

    if (rslt == CRD_EXCHG_OK)
    {
        if (*respLenP >= 2)
            ret = resp[*respLenP - 2] == 0x90 && resp[*respLenP - 1] == 0x00 ? 0 : 1;   /* SW 90 00 = success */
        else
            ret = -2;
    }
    else
        ret = -1;
    return ret;
}
Welcome to the community @x2y2z2!

Could you please share the reproducer for the file in which the issue is raised (with an indication of which line the issue is on). To generate the reproducer file:

  • Search in the analysis log for the full path of the source file for which you want to create a reproducer (for instance, a file that contains a false-positive). You will have to use exactly this name (same case, / or \…)
  • Add the reproducer option to the scanner configuration:
sonar.cfamily.reproducer= "Full path to the .cpp"
  • Re-run the scanner to generate a file named sonar-cfamily.reproducer in the project folder.
  • Please share this file. If you think this file contains private information, let us know, and we’ll send you a private message that will allow you to send it privately.

The reproducer will provide us with full information about the context where the issue appeared. This is important, as for symbolic execution whether the issue is detected depends on a lot of factors, such as the constraints on the values of variables, the availability of the code for an invoked function, etc.

Thank you for the response.

It’s a corporate build system and SonarQube setup, so I don’t have access to the build machines. I use Jenkins to execute project builds. I only have access to the SonarQube UI to see the scan results (and source code details). I can also change the SonarQube properties file for my project, which contains the project name, project key, version, sonar.inclusion, exclusion, etc.

It seems like I may have to go through corporate channels for this. I can check with them on what you are asking and see if they can configure SonarQube for my project to produce the reproducer file.