cpp:S3519 false positive with std::sort

SonarQube/SonarLint is incorrectly reporting cpp:S3519 (Returned pointer value points outside the original object (potential buffer overflow)) when using std::sort with MSVC (Visual C++ 2022). Easy to reproduce with the simplest example:

#include <string>
#include <vector>
#include <algorithm>

struct S    // S3519 raised here
{
    std::string a;
};

int main(int argc, char* argv[])
{
    auto v = std::vector<S>{};
    v.emplace_back("A");

    std::sort(v.begin(), v.end(), [](const S& lhs, const S& rhs) { return lhs.a < rhs.a; });
}

Using SonarQube Enterprise 9.9.7

Hi @giles45,

Thanks for reaching out and reporting this false positive finding.

This is a complex but known issue. I’ve created this Jira ticket for you so that you can track progress. We are currently working on removing false positives introduced by calls to std::sort and std::ranges::sort.

Best,
Philipp
