Do the inclusion/exclusion rules only affect reporting, or scanning of code?

Hello @GregSel, and thanks for sharing the issue with us.

If my understanding of the example you shared is correct, it should be reported as a violation of S3519. I could also see the detection by Sonar on Compiler Explorer, see here. Could you check the following:

  1. Is S3519 enabled in your quality profile?
  2. Do you already have a bug (e.g. null pointer dereference) reported earlier in the function that contains the buffer overflow? You can try moving your buf example to a separate function, and check whether you get a report there, see this post for more details.
  3. If there are some properties that weren’t captured in my Compiler Explorer example, would it be possible for you to adjust my example on Compiler Explorer to show the false negative?

If none of the above helps, you can also generate a reproducer to help us reproduce the behavior on our end. This can be done by adding the analysis property sonar.cfamily.reproducer and setting it to the path of the translation unit containing the false negative. This will generate a new file, sonar-cfamily-reproducer.tar.xz, which you can share with us so that we can investigate on our side. I can start a private thread with you if you wish to share this file privately.

Best regards,
Michael