cpp:S995 false positive with wistream reference

Using SonarLint for Visual Studio 4.35.0.32570

I define a method like this:

    #include <istream>
    #include <sstream>
    #include <string>
    #include <vector>

    using CsvData = std::vector< std::vector<std::wstring> >;

    inline void ReadCsv(std::wistream& input, CsvData& output, wchar_t delimiter)
    {
        std::wstring csvLine;

        // read every line from the stream
        while (getline(input, csvLine))
        {
            if (csvLine.compare(0, 4, L"sep=") == 0)
            {
                delimiter = csvLine[4];
            }

            std::wistringstream csvStream(csvLine);
            std::vector<std::wstring> csvColumn;
            std::wstring csvElement;
            // read every element from the line that is separated by the delimiter
            // and put it into the vector of strings
            while (getline(csvStream, csvElement, delimiter))
            {
                csvColumn.push_back(csvElement);
            }
            output.push_back(csvColumn);
        }
    }

And I get a false positive on the input parameter. If I fix the suggestion, I get an error on getline that requests a non-const wistream.

The same happens with an overload, so it’s not only with std methods:

    inline void ReadCsv(std::wistream& input, CsvData& output)
    {
        ReadCsv(input, output, ';');
    }

Hello @Thieum and welcome to our community!

I could not reproduce the false positive on my side: the issue disappears as soon as I call a method like getline(input, csvLine).
So in order to understand why it happens and fix it, could you please create a reproducer for the file?

How to proceed:
In Visual Studio, after the file has been analyzed (i.e. you see your false positive), open the command window (View > Other Windows > Command Window) and type Analyze.SonarLint.CFamily.CreateReproducer.
Then go to the output window and show the output from SonarLint. You should see something like: “Reproducer file saved at: C:\Users\Path\To\The\Reproducer\sonar-cfamily.reproducer”
Please share this file (I can send you a PM if you need).

sonar-cfamily.reproducer (2.8 MB)
Hello @Amelie !
Here is the requested file. Let me know if you need anything else to help you out with this issue.

This should also include reproduction for “cpp:S6009 false positive with wstring const reference”.

Hello @Thieum,

Thanks for the file, it was very useful!

It seems that this false positive has the same root cause as the one you describe in your other post: we are not able to find your “stdafx.h” file. So we don’t correctly parse your code, which leads to an incomplete analysis of your code, thus the false positives.

First, can you confirm that your code compiles?
If it compiles, in order to understand why we can’t find this file when Visual Studio does:

  • Could you share with us the location of the file?
  • In the properties of your project > Configuration properties > C/C++ > General > “Additional Include Directories”. If you add the path to the “stdafx.h” file, do you still have the same false positives?
  • By any chance, do you know if your project was configured in a particular way to find “stdafx.h”?

In addition to this, could you also share the file sonar-cfamily.request.reproducer? This file was generated at the same time as the other reproducer you got with the command Analyze.SonarLint.CFamily.CreateReproducer
(the output of this command should also contain something like: “Request config saved at: C:\Users\Path\To\The\Reproducer\sonar-cfamily.request.reproducer”)

Thanks for your help

sonar-cfamily.zip (389.5 KB)

Hello @Amelie !
I recreated both files and zipped them together.

The project where the file is located is a header-file-only project, so there is no precompiled header in it directly.

On the other hand, I have a test project in the solution that lets me test and compile my header-file-only project. In this test project, I have a precompiled header file named pch.h / pch.cpp (the new default name instead of stdafx.h). This file doesn’t include anything at the moment.

I tried to delete it and set the “use precompiled header” option to “Not using”, but the issue remains.

I have nothing specific to the precompiled header in my directories settings as far as I can tell.

Here is a general organisation of the solution:

image

The directories options for the header only library:

The directories options for the tests project:

And the minimal settings I’ve tested for the precompiled header file:

Hello @Thieum ,

Thanks for all the information, I think I understand what is happening now.

The Machinex.CSV project only contains header files, so you don’t have access to the C/C++ properties (Precompiled headers, force includes etc…) like you do for the MachCSVHelper.Tests project.
However that does not mean that these properties do not exist… So we are fetching them and find ourselves in a dubious situation: Visual Studio tells us that precompiled headers are used (with the file stdafx.h) for the Machinex.CSV project even though, as you mentioned, it should not for a header file only project. And we try to use information from a file (“stdafx.h”) that does not exist.

To check if that’s indeed what’s happening and to solve your false positives, could you:

  • Create a dummy source file in the Machinex.CSV project
  • Go in the properties of the project: “C/C++” properties should now appear
  • Disable PCH (“Not using Precompiled headers”)
  • Delete the dummy source file

Once this is done, you should not have false positives anymore.


It worked! Thanks a lot @Amelie !

Glad to hear that 🙂
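To look for other projects in a solution that are in the situation explained in this thread, the following added example (not part of the thread and not SonarLint's own code) parses `.vcxproj` XML and flags header-only projects whose precompiled-header setting is not explicitly `NotUsing`. The sample project XML and file names are constructed, and treating a missing explicit setting as at risk is an assumption drawn from the explanation above.

```python
import xml.etree.ElementTree as ET

NS = {"ms": "http://schemas.microsoft.com/developer/msbuild/2003"}
PROJECT = '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">{}</Project>'

# Constructed samples (file names are made up), not the thread's attachments.
HEADER_ONLY = PROJECT.format(
    '<ItemGroup><ClInclude Include="CsvReader.h" /></ItemGroup>')
HEADER_ONLY_PCH_OFF = PROJECT.format(
    '<ItemDefinitionGroup><ClCompile>'
    '<PrecompiledHeader>NotUsing</PrecompiledHeader>'
    '</ClCompile></ItemDefinitionGroup>'
    '<ItemGroup><ClInclude Include="CsvReader.h" /></ItemGroup>')
TEST_PROJECT = PROJECT.format(
    '<ItemDefinitionGroup><ClCompile>'
    '<PrecompiledHeader>Use</PrecompiledHeader>'
    '<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>'
    '</ClCompile></ItemDefinitionGroup>'
    '<ItemGroup><ClCompile Include="pch.cpp" />'
    '<ClInclude Include="pch.h" /></ItemGroup>')


def audit_vcxproj(xml_text):
    """Classify one project file's precompiled-header (PCH) configuration."""
    root = ET.fromstring(xml_text)
    sources = root.findall("ms:ItemGroup/ms:ClCompile[@Include]", NS)
    headers = root.findall("ms:ItemGroup/ms:ClInclude[@Include]", NS)
    # One ItemDefinitionGroup per configuration; collect each explicit PCH mode
    # ("" when a group does not set one).
    modes = [g.findtext("ms:ClCompile/ms:PrecompiledHeader", "", NS).strip()
             for g in root.findall("ms:ItemDefinitionGroup", NS)]
    header_only = bool(headers) and not sources
    pch_off = bool(modes) and all(m == "NotUsing" for m in modes)
    # Assumption from the thread: a header-only project hides the C/C++
    # property pages, so anything short of an explicit NotUsing may still be
    # reported to the analyzer as "uses stdafx.h".
    return {"header_only": header_only, "pch_modes": modes,
            "at_risk": header_only and not pch_off}


if __name__ == "__main__":
    for name, xml_text in [("header-only", HEADER_ONLY),
                           ("header-only, PCH off", HEADER_ONLY_PCH_OFF),
                           ("test project", TEST_PROJECT)]:
        print(name, audit_vcxproj(xml_text))
```
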
