cpp:S1081: false positive when using the {fmt} lib's fmt::sprintf

andrei-dragusanu · February 13, 2020, 1:17pm

We have recently adopted the {fmt} lib to help us with type safe string formatting in our C++ project.

This library also provides typesafe alternatives to the printf style formats, which are a great help when porting old code with complicated format strings, without having to rewrite them using the new format specifiers.

However, Sonar is triggering rule cpp:S1081 (Insecure functions should not be used) when using fmt::sprintf, probably confusing it with the C library sprintf.

We are now on Sonar Version 7.9 (build 26994)
SonarCFamily 6.3 (build 11371)

Sample code:

#include <fmt/prinf.h>

std::string double_to_string(const double d)
{
    return fmt::sprintf("%.16f", d); // sonar issue here
}

Abbas · February 14, 2020, 8:36am

Hello @andrei-dragusanu,

Welcome to the community!
This is a true false-positive. I created a ticket to fix this issue. Hopefully, we will fix it in the next release planned at the end of the next week.

system · April 8, 2021, 9:11am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
FP: cpp:S810 on std::string s{4, 'a'}; Report False-positive / False-negative...	2	178	December 11, 2023
Potential False Positive in c:S810 With Ternary Operator Report False-positive / False-negative... scanner , cfamily	2	359	September 29, 2022
cpp:S1110 Potential False Positive with Constructor Report False-positive / False-negative... sonarqube , cfamily	2	443	December 19, 2022
False-positive cpp:S2260 with C++23 Report False-positive / False-negative... cfamily	4	306	February 19, 2024
Std::string in a struct leads to "Functional notation casts shall not be used." Report False-positive / False-negative... cfamily	4	403	November 23, 2021

cpp:S1081: false positive when using the {fmt} lib's fmt::sprintf

Related topics