cpp:S1081: false positive when using the {fmt} lib's fmt::sprintf

We have recently adopted the {fmt} lib to help us with type-safe string formatting in our C++ project.

This library also provides type-safe alternatives to the printf-style formats, which are a great help when porting old code with complicated format strings, without having to rewrite them using the new format specifiers.

However, Sonar is triggering rule cpp:S1081 (Insecure functions should not be used) when using fmt::sprintf, probably confusing it with the C library sprintf.

We are now on Sonar Version 7.9 (build 26994)
SonarCFamily 6.3 (build 11371)

Sample code:

#include <fmt/printf.h>
#include <string>

std::string double_to_string(const double d)
{
    return fmt::sprintf("%.16f", d); // sonar issue here
}
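To make the distinction the poster draws concrete, here is an added example (not the poster's code and not part of {fmt}) that shows why the C library sprintf earns the S1081 finding and what a bounded, buffer-free helper with the same shape as fmt::sprintf looks like using only the standard library. The helper names safe_sprintf and would_overflow are my own; the sample inputs are constructed for illustration.

```cpp
#include <cstdio>
#include <stdexcept>
#include <string>

// Two-pass snprintf: the first call with a null buffer only measures the
// formatted length, the second writes into a std::string sized to fit.
// Like fmt::sprintf, the caller never supplies a fixed-size char array,
// which is the unbounded-write hazard S1081 targets in the C sprintf.
// Caveat: unlike fmt::sprintf this is NOT type-safe; only C-compatible
// argument types (int, double, const char*, ...) may be passed through.
template <typename... Args>
std::string safe_sprintf(const char* format, Args... args) {
    const int needed = std::snprintf(nullptr, 0, format, args...);
    if (needed < 0) {
        throw std::runtime_error("snprintf: encoding error");
    }
    // +1 for the terminating NUL that snprintf always writes.
    std::string out(static_cast<std::size_t>(needed) + 1, '\0');
    const int written = std::snprintf(&out[0], out.size(), format, args...);
    if (written != needed) {
        throw std::runtime_error("snprintf: length changed between passes");
    }
    out.resize(static_cast<std::size_t>(needed)); // drop the trailing NUL
    return out;
}

// Same signature as the poster's helper, without the {fmt} dependency.
std::string double_to_string(const double d) {
    return safe_sprintf("%.16f", d);
}

// Reports whether sprintf(buf, format, args...) into a char buf[buf_size]
// would write past the end: the formatted text plus its NUL must fit.
// This is computed, not triggered, so the program never actually overflows.
template <typename... Args>
bool would_overflow(std::size_t buf_size, const char* format, Args... args) {
    const int needed = std::snprintf(nullptr, 0, format, args...);
    return needed < 0 || static_cast<std::size_t>(needed) >= buf_size;
}

int main() {
    // Constructed inputs: 0.5 fits easily, 1e10 with 16 decimals needs 28
    // characters and would overrun a 16-byte stack buffer under plain sprintf.
    std::printf("%s\n", double_to_string(0.5).c_str());
    std::printf("16-byte buffer overflow for 1e10? %s\n",
                would_overflow(16, "%.16f", 1e10) ? "yes" : "no");
    return 0;
}
```

The point for the rule: C sprintf cannot be bounded at all, so flagging it is right; fmt::sprintf (and the helper above) return a std::string sized from the formatted length, so there is no caller buffer to overrun, and {fmt} additionally checks argument types against the format string, which the snprintf-based helper cannot do.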

Hello @andrei-dragusanu,

Welcome to the community!
This is a true false-positive. I created a ticket to fix this issue. Hopefully, we will fix it in the next release, planned for the end of next week.
