SonarQube server 8.9.6
SonarScanner 4.6.2.2472
Windows 10
Cfamily
Hi, sonar analysis was able to catch this non-compliant code
if (jsonContent.contains("e") && jsonContent.at("e") > 0)
Add parentheses around complex operands. Rule : Operands of "&&" and "||" should be primary (C) or postfix (C++) expressions
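For readers who want to see what the rule is asking for, here is a small added example (not code from the thread or from SonarSource) showing the expression quoted above in its non-compliant and compliant forms. The `JsonObject` type is a constructed stand-in for whatever JSON class the poster uses; it only mimics the `contains()` and `at()` calls that appear in the snippet.

```cpp
#include <map>
#include <stdexcept>
#include <string>

// Constructed stand-in for the JSON object type used in the thread
// (contains()/at() style API). It is an assumption, not the poster's class.
struct JsonObject {
    std::map<std::string, int> fields;

    bool contains(const std::string& key) const { return fields.count(key) != 0; }
    // Like std::map::at, throws std::out_of_range when the key is absent.
    int at(const std::string& key) const { return fields.at(key); }
};

// Non-compliant form (S868): the right operand of && is a relational
// expression ("a > b"), not a primary or postfix expression. Readers have to
// remember that > binds tighter than && to see what is being tested.
bool hasPositiveE_nonCompliant(const JsonObject& jsonContent) {
    return jsonContent.contains("e") && jsonContent.at("e") > 0;
}

// Compliant form: the relational expression is parenthesized, so both
// operands of && are postfix/primary expressions. Behaviour is identical;
// left-to-right short-circuit evaluation still guards the at() call.
bool hasPositiveE(const JsonObject& jsonContent) {
    return jsonContent.contains("e") && (jsonContent.at("e") > 0);
}

// Helpers that build constructed sample inputs for trying the functions out.
JsonObject makeWithE(int value) {
    JsonObject j;
    j.fields["e"] = value;
    return j;
}

JsonObject makeWithoutE() {
    return JsonObject{};
}

int main() {
    // Both forms agree; the parenthesized one is simply unambiguous to read.
    return (hasPositiveE(makeWithE(3)) && !hasPositiveE(makeWithoutE())) ? 0 : 1;
}
```

Both functions compile to the same logic; the rule is about readability of operator precedence, not about a behavioural difference, which is why the analyzer reports it as a code smell rather than a bug.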
You are right that it should report on the second code, and when I tested locally, it does report.
If it does not in your case, it probably means a previous issue is preventing the code from being interpreted correctly.
The best way to move forward if you want us to investigate the issue is to provide a reproducer file. To generate the reproducer file:
Search in the analysis log for the full path of the source file for which you want to create a reproducer. You will have to use exactly this name (same case, / or \…)
Add the reproducer option to the scanner configuration:
sonar.cfamily.reproducer="Full path to the .cpp"
Re-run the scanner to generate a file named sonar-cfamily.reproducer in the project folder.
Please share this file. If you think this file contains private information, let us know, we’ll send you a private message that will allow you to send it privately.
I looked at the reproducer that you provided me, and it turns out that the rule S868 is not enabled in the quality profile. If I force its activation, the issue you mention is correctly detected.
Sorry, I got confused because we recently changed the internal ID of this rule, from LogicalExpressionOperands to S868…
When I run your reproducer locally, both with our current version and with the version 6.20.2.38358 that you are using, I can see that the issue is correctly raised on the initialization of connectionAvailable.
So I’m slightly out of ideas… Can you see other issues in this file? For instance, there is a violation of S3630 (use of reinterpret_cast) on line 73 of this file, can you see it?
I don’t see the Resolution menu. Here’s what I get when I filter the “Operands of “&&” and “||” should be primary (C) or postfix (C++) expressions” rule.
I was mentioning looking at the actual issues, not at the rules. Select your project, then click on “Issues”, and you will see the filters of my previous screenshot.
but the sonar-scanner doesn’t report any issue. This scan was from a new branch from “main” where I introduced 2 smells. So it’s appearing in SonarQube as an issue in the “overall” tab. I guess I was expecting it to report after the sonar-scanner:
[2022-03-30T16:23:01.705Z] INFO: Quality gate status: OK
[2022-03-30T16:23:03.084Z] INFO: Report status=success, desc=SonarQube reported QualityGate is ok, with no conditions, no issues
[2022-03-30T16:23:18.051Z] INFO: Analysis total time: 4:24.207 s
[2022-03-30T16:23:18.051Z] INFO: ------------------------------------------------------------------------
[2022-03-30T16:23:18.051Z] INFO: EXECUTION SUCCESS
[2022-03-30T16:23:18.051Z] INFO: ------------------------------------------------------------------------
[2022-03-30T16:23:18.051Z] INFO: Total time: 4:25.588s
[2022-03-30T16:23:18.051Z] INFO: Final Memory: 35M/134M
[2022-03-30T16:23:18.051Z] INFO: ------------------------------------------------------------------------
[2022-03-30T16:23:18.051Z] [nant 8.07.01] BUILD SUCCEEDED (00:14:46)
This is the expected behavior. The scanner reports progress & problems it has with the scanning process itself, but the issues that are found in the analyzed code do not appear here, they are sent to SonarQube, where they will be processed (for instance, matched with SCM data) and displayed.
So the messages at the end tell you that the execution of the scanner was successful, the quality gate was passed (by default, you need more than one new code smell to block the quality gate, but you can tune that if you want), and the results were uploaded to SonarQube.
Hi, when I add a new file to that branch with those same smells, the sonar-scanner reports them.
We don’t have a condition set on the QualityGate which is why it shows ‘ok’ but it does report 2 issues as expected:
[2022-03-30T18:22:37.196Z] INFO: Waiting quality gate to complete...
[2022-03-30T18:22:38.563Z] INFO: Quality gate status: OK
[2022-03-30T18:22:39.125Z] INFO: Report status=success, desc=SonarQube reported QualityGate is ok, with no conditions, 2 issues, with 2 major
[2022-03-30T18:22:53.991Z] INFO: Analysis total time: 3:27.285 s
[2022-03-30T18:22:53.991Z] INFO: ------------------------------------------------------------------------
[2022-03-30T18:22:53.991Z] INFO: EXECUTION SUCCESS
[2022-03-30T18:22:53.991Z] INFO: ------------------------------------------------------------------------
[2022-03-30T18:22:53.991Z] INFO: Total time: 3:28.838s
[2022-03-30T18:22:53.991Z] INFO: Final Memory: 35M/134M
[2022-03-30T18:22:53.991Z] INFO: ------------------------------------------------------------------------
[2022-03-30T18:22:53.991Z] [nant 8.07.01] BUILD SUCCEEDED (00:16:00)
So we’re not sure why it didn’t report on the first build where I updated an existing file and added 2 smells.
It’s quite hard to understand what may have happened here without having an exact detail of all the operations that you performed in which order. It depends on many parameters, like new code settings, PR or branch, whether an analysis of the branch was done before analyzing the PR…
Honestly, I don’t usually look at the values displayed on the command line to know the status of a quality gate. Instead, I look at the way it is displayed in the pull request or in SonarQube. What are you trying to achieve here?