Do the inclusion/exclusion rules only affect reporting, or scanning of code?

Hi,

We are using SonarQube server 2025.1 (“zip” install) Enterprise Edition and one of my co-workers is trying to use it for the first time to scan his C/C++ code. He has deliberately added a block of code that should trigger an “out of bounds” issue, but SonarQube isn’t finding it. My suspicion - which may be unfounded, but I can’t tell - is that the scanner/analysis just can’t “see” it for some reason, possibly due to the inclusion or exclusion rules. Is that even possible? This of course would assume that the inclusion/exclusion rules affect what is scanned or analyzed and not just what is reported; I can’t tell from the documentation if there is a distinction. Anyone know?

Hi,

There are actually multiple options here.

An easy first step might be to break a “simple” rule (such as a naming convention rule) in close proximity to the missing out-of-bounds issue and see if it’s reported.

Ann

Hi Ann. I am the co-worker with Garen. I saw another error/warning in the same file. However, it just did not detect the out-of-bounds issue. :sob:
Not sure what I can do for that.

Hi @GregSel,

Welcome to the community and thanks for the followup!

Can you share a reproducer of the missing issue so we can test this locally? Ideally, this will be a fully self-contained method or set of methods we can plop into an otherwise working file to see the problem.

Thx,
Ann

Thanks :). I was just putting in the code as follows:

Sorry, I cannot share the whole file with you because this is confidential code.

Thanks

Greg


Hi Greg,

Thanks for the screenshot. I’m going to flag this for the language experts. Fair warning: they’re probably going to ask you for a lot more details like the specific compiler etc.

Ann

Hello @GregSel, and thanks for sharing the issue with us.

If my understanding of the example you shared is correct, it should be reported as a violation of S3519. I could also see the detection by Sonar on Compiler Explorer, see here. Could you check the following:

  1. Is S3519 enabled in your quality profile?
  2. Do you already have a bug (e.g. null pointer dereference) reported earlier in the function that contains the buffer overflow? You can try moving your buf example to a separate function, and check whether you get a report there, see this post for more details.
  3. If there are some properties that weren’t captured in my Compiler Explorer example, would it be possible for you to adjust my example on Compiler Explorer to show the false negative?

If all of the above doesn’t help, you can also generate a reproducer to help us reproduce the behavior on our end. This can be done by adding the analysis property sonar.cfamily.reproducer and setting it to the path of the translation unit containing the false negative. This will generate a new file sonar-cfamily-reproducer.tar.xz, which you can share with us to investigate on our side. I can start a private thread with you if you wish to share this file privately.

Best regards,
Michael

I have a question. How can I know if I enabled S3519? I don’t see S3519 in the build output. If not, how can I enable S3519?

This is what I see from the output:

Hi @GregSel,

S3519 is relevant only to C, C++, and Objective-C. The log entry you shared comes from the JS analyzer, so it doesn’t prove that the rule is disabled for you.

To check if the rule is enabled, you can look at the rules enabled in the quality profile of your project (see the docs here). If you can’t access that, you can also try adding the same example I showed on Compiler Explorer to your code as a separate function and then check if it gets detected.

Best regards,
Michael

Hi Michael,

We checked the rule. It is enabled. However, I am still not able to get the S3519 error.
Now I put the code in main(), and we are using the gcc compiler now.

This is the only file in my project. I was using the gcc compiler to compile this code:

int main()
{
    int buf[100];
    int *p = buf;

    --p; // Noncompliant.  Find it darnit
    int id_sequence[3];
    id_sequence[0] = 100;
    id_sequence[1] = 200;
    id_sequence[2] = 300;
    id_sequence[3] = 400; // Noncompliant again.
}

Hi @GregSel,

I might be missing something, but I don’t see the p[0] = 42; statement after decrementing p in your screenshot. Note that UB only happens at the moment the invalid pointer is dereferenced or deallocated. Otherwise, the behavior is still implementation-defined, see here.

I also tried your id_sequence example on Compiler Explorer, and it is detected correctly, see here. It is difficult for me to analyze the problem in your environment from the screenshot only. Would it be possible for you to test the same example code I shared on Compiler Explorer (with two separate functions) and see if it gets detected? If not, would it be possible for you to share the reproducer file (as described in my previous response)?

Best regards,
Michael
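Michael's two points above (split each noncompliant case into its own function so an earlier finding cannot mask it, and actually dereference the decremented pointer, since UB occurs at the write) as an added C example that is not code from the thread or from Sonar; `set_id` and `count_rejected_writes` are hypothetical helpers showing the bounds-checked form the rule exists to enforce.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Noncompliant case 1, in its own function as the thread suggests so an earlier
 * finding cannot mask it. The decremented pointer is actually dereferenced:
 * UB occurs at the write, not at --p. */
void oob_pointer_decrement(void)
{
    int buf[100];
    int *p = buf;
    --p;
    p[0] = 42; /* Noncompliant: write before the start of buf (S3519) */
}

/* Noncompliant case 2: the thread's id_sequence example, kept separate. */
void oob_index(void)
{
    int id_sequence[3];
    id_sequence[0] = 100;
    id_sequence[1] = 200;
    id_sequence[2] = 300;
    id_sequence[3] = 400; /* Noncompliant: index 3 is past the last element */
}

/* Hardened form (hypothetical helper added here): the write is guarded by an
 * explicit bounds check and the caller learns whether it was accepted. */
bool set_id(int *seq, size_t len, size_t idx, int value)
{
    if (seq == NULL || idx >= len) return false;
    seq[idx] = value;
    return true;
}

/* Same four writes as oob_index, through set_id; returns how many were rejected. */
int count_rejected_writes(void)
{
    int id_sequence[3] = {0};
    int rejected = 0;
    for (size_t i = 0; i < 4; i++)
        if (!set_id(id_sequence, 3, i, (int)(100 * (i + 1)))) rejected++;
    return rejected;
}

int main(void)
{
    /* Only the checked path runs; the noncompliant functions are never called. */
    printf("rejected out-of-bounds writes: %d\n", count_rejected_writes());
    return 0;
}
```

Compile the file as the only translation unit of the project and the analyzer should report one S3519 issue in each of the two noncompliant functions.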

Hi. I got the reproducer. How can I send it to you privately?

I just started a private thread with you. Let me know if you encounter problems sharing the reproducer.

Best regards,
Michael