C++ sonar smell not getting detected

SonarQube server 8.9.6
Windows 10

Hi, sonar analysis was able to catch this non-compliant code

if (jsonContent.contains("e") && jsonContent.at("e") > 0)
Add parentheses around complex operands. Rule: Operands of "&&" and "||" should be primary (C) or postfix (C++) expressions

but not,

bool connectionAvailable = (static_cast<uint32_t>(connectivity) & kInternetConnectivityMask) && !simulateNoInternet;

Should it report that !simulateNoInternet needs to have parentheses?
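As an added illustration of the rule being discussed (not code from the thread or from SonarSource), the snippet below puts the expression exactly as posted next to a fully parenthesized rewrite and checks that both agree on every input. It also goes one step beyond the posted line to show the kind of precedence mistake that operand-parenthesization rules are meant to keep readable: a bitmask compared with `==` without parentheses. The `Connectivity` enum and the mask value are constructed for the example; the thread does not show the real ones.

```cpp
#include <cassert>
#include <cstdint>
#include <iostream>

// Constructed values for the example; the real project's enum and mask are not shown in the thread.
constexpr uint32_t kInternetConnectivityMask = 0x0000000Fu;
enum class Connectivity : uint32_t { None = 0x0, Wifi = 0x1, Cellular = 0x2, Vpn = 0x10 };

// The expression as written in the thread. Non-compliant with S868: the left operand of
// '&&' is a binary '&' expression and the right one is a unary '!' expression; neither is a
// postfix expression, so the rule asks for parentheses around both.
bool connectionAvailableAsWritten(Connectivity connectivity, bool simulateNoInternet) {
    return (static_cast<uint32_t>(connectivity) & kInternetConnectivityMask) && !simulateNoInternet;
}

// Compliant rewrite: each operand of '&&' is a parenthesized (primary) expression, so a reader
// does not need to know that '&' binds tighter than '&&' or that '!' applies before '&&'.
bool connectionAvailableParenthesized(Connectivity connectivity, bool simulateNoInternet) {
    const bool hasInternetBit = ((static_cast<uint32_t>(connectivity) & kInternetConnectivityMask) != 0);
    return (hasInternetBit) && (!simulateNoInternet);
}

// Exhaustive check over the constructed inputs: the rewrite is purely a readability change and
// must not alter behaviour.
bool formsAgreeOnAllInputs() {
    const Connectivity values[] = {Connectivity::None, Connectivity::Wifi, Connectivity::Cellular, Connectivity::Vpn};
    for (Connectivity c : values) {
        for (bool sim : {false, true}) {
            if (connectionAvailableAsWritten(c, sim) != connectionAvailableParenthesized(c, sim)) {
                return false;
            }
        }
    }
    return true;
}

// Beyond the posted line: the classic trap that makes explicit parentheses worth enforcing.
// '==' binds tighter than '&', so this parses as flags & (kInternetConnectivityMask == 0),
// i.e. flags & 0, which is always 0. The function therefore always returns false.
bool noInternetBitsTrap(uint32_t flags) {
    return flags & kInternetConnectivityMask == 0;
}

// The intended meaning, with the grouping spelled out.
bool noInternetBitsIntended(uint32_t flags) {
    return (flags & kInternetConnectivityMask) == 0;
}

int main() {
    std::cout << "forms agree on all inputs: " << std::boolalpha << formsAgreeOnAllInputs() << '\n';
    std::cout << "trap(0x0) = " << noInternetBitsTrap(0x0u)
              << ", intended(0x0) = " << noInternetBitsIntended(0x0u) << '\n';
    return 0;
}
```

Compilers typically emit a `-Wparentheses` style warning for the trap function, which is the same readability concern the SonarQube rule raises as a code smell.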

Hi @jhavero,

You are right that it should report on the second code, and when I tested locally, it does report.

If it does not in your case, it probably means a previous issue is preventing the code from being interpreted correctly.

The best way to move forward if you want us to investigate the issue is to provide a reproducer file. To generate the reproducer file:

  • Search in the analysis log for the full path of the source file for which you want to create a reproducer. You will have to use exactly this name (same case, / or \…)
  • Add the reproducer option to the scanner configuration:
    sonar.cfamily.reproducer="Full path to the .cpp"
  • Re-run the scanner to generate a file named sonar-cfamily.reproducer in the project folder.
  • Please share this file. If you think this file contains private information, let us know, we’ll send you a private message that will allow you to send it privately.

Thank you!

Hi Loic, please send me a private message. I have the reproducer zip file I can send you.

Hi @jhavero,

I looked at the reproducer that you provided me, and it turns out that the rule S868 is not enabled in the quality profile. If I force its activation, the issue you mention is correctly detected.

Hi Loic, how do I find rule S868 so I can try the same and force its activation?

Hello @jhavero,

Sorry, I got confused because we recently changed the internal ID of this rule, from LogicalExpressionOperands to S868.

When I run your reproducer locally, both with our current version and with the version that you are using, I can see that the issue is correctly raised on the initialization of connectionAvailable.

So I’m slightly out of ideas… Can you see other issues in this file? For instance, there is a violation of S3630 (use of reinterpret_cast) on line 73 of this file, can you see it?

Hi Loic, yes line 73 (use of reinterpret_cast) is being reported once I removed the NOSONAR from the comment line. Is there anything else I can try?

And can you please double-check that the expected violation is not present but marked as “won’t fix” or “false-positive”?

I don’t see the Resolution menu. Here’s what I get when I filter the “Operands of “&&” and “||” should be primary (C) or postfix (C++) expressions” rule.

I was mentioning looking at the actual issues, not at the rules. Select your project, then click on “Issues”, and you will see the filters of my previous screenshot.

Hi, there are no violations marked as “won’t fix” or “false positive”. However, it looks like the issue does appear in SonarQube:

but the sonar-scanner doesn’t report any issue. This scan was from a new branch from “main” where I introduced 2 smells. So it is appearing in SonarQube as an issue in the “overall” tab. I guess I was expecting it to report after the sonar-scanner:

[2022-03-30T16:23:01.705Z] INFO: Quality gate status: OK
[2022-03-30T16:23:03.084Z] INFO: Report status=success, desc=SonarQube reported QualityGate is ok, with no conditions, no issues
[2022-03-30T16:23:18.051Z] INFO: Analysis total time: 4:24.207 s
[2022-03-30T16:23:18.051Z] INFO: ------------------------------------------------------------------------
[2022-03-30T16:23:18.051Z] INFO: EXECUTION SUCCESS
[2022-03-30T16:23:18.051Z] INFO: ------------------------------------------------------------------------
[2022-03-30T16:23:18.051Z] INFO: Total time: 4:25.588s
[2022-03-30T16:23:18.051Z] INFO: Final Memory: 35M/134M
[2022-03-30T16:23:18.051Z] INFO: ------------------------------------------------------------------------
[2022-03-30T16:23:18.051Z]     [nant 8.07.01] BUILD SUCCEEDED (00:14:46)

Hello @jhavero,

This is the expected behavior. The scanner reports progress & problems it has with the scanning process itself, but the issues that are found in the analyzed code do not appear here, they are sent to SonarQube, where they will be processed (for instance, matched with SCM data) and displayed.

So the messages at the end tell you that the execution of the scanner was successful, the quality gate was passed (by default, you need more than one new code smell to block the quality gate, but you can tune that if you want), and the results were uploaded to SonarQube.

Hi, when I add a new file to that branch with those same smells, the sonar-scanner reports them.
We don’t have a condition set on the QualityGate which is why it shows ‘ok’ but it does report 2 issues as expected:

[2022-03-30T18:22:37.196Z] INFO: Waiting quality gate to complete...
[2022-03-30T18:22:38.563Z] INFO: Quality gate status: OK
[2022-03-30T18:22:39.125Z] INFO: Report status=success, desc=SonarQube reported QualityGate is ok, with no conditions, 2 issues, with 2 major
[2022-03-30T18:22:53.991Z] INFO: Analysis total time: 3:27.285 s
[2022-03-30T18:22:53.991Z] INFO: ------------------------------------------------------------------------
[2022-03-30T18:22:53.991Z] INFO: EXECUTION SUCCESS
[2022-03-30T18:22:53.991Z] INFO: ------------------------------------------------------------------------
[2022-03-30T18:22:53.991Z] INFO: Total time: 3:28.838s
[2022-03-30T18:22:53.991Z] INFO: Final Memory: 35M/134M
[2022-03-30T18:22:53.991Z] INFO: ------------------------------------------------------------------------
[2022-03-30T18:22:53.991Z]     [nant 8.07.01] BUILD SUCCEEDED (00:16:00)

So we’re not sure why it didn’t report on the first build where I updated an existing file and added 2 smells.

Hello @jhavero,

It’s quite hard to understand what may have happened here without having an exact detail of all the operations that you performed in which order. It depends on many parameters, like new code settings, PR or branch, whether an analysis of the branch was done before analyzing the PR…

Honestly, I don’t usually look at the values displayed on the command line to know the status of a quality gate. Instead, I look at the way it is displayed in the pull request or in SonarQube. What are you trying to achieve here?
